This topic describes how to use the trusted execution environment (TEE) SDK to develop, build, and deploy Intel Software Guard Extensions (SGX) 2.0 applications. An application named helloworld is used as an example. The application generates messages inside an enclave at regular intervals and writes them to an untrusted buffer, from which they are printed to the terminal.
Prerequisites
An ACK managed cluster for confidential computing is created.
You are connected to an instance that supports confidential computing through SSH or Cloud Assistant.
How Intel SGX works
An Intel SGX 2.0 application consists of two components: an untrusted component and a trusted component.
Untrusted component: The untrusted component is an unencrypted part of memory. If you store the code and data of an application in this part, the main() entry function of the application must also be placed in the untrusted component. In the preceding figure, the main() and bar() functions are placed in the untrusted component.
Trusted component: The trusted component, or enclave, is an encrypted part of memory. This component is created by the CPU, and the data and code in this component can be accessed only by the CPU. In the preceding figure, the helloworld() and foo() functions are placed in the enclave.
To call a function in the enclave from the untrusted component, the application must perform an enclave call (ECALL). To call a function in the untrusted component from the enclave, the application must perform an outside call (OCALL). ECALLs and OCALLs are declared in Enclave Definition Language (EDL) files.
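The following EDL file is an added example written for this topic, not the Enclave.edl from the sgx-device-plugin repository; the function names ecall_helloworld and ocall_print are assumptions. It shows the two directions described above: an ECALL that lets the untrusted component ask the enclave to fill a message buffer, and an OCALL that lets the enclave hand a string back out for printing. The pointer attributes in square brackets are the important part for security: they tell the SDK's generated bridge code how much memory to copy across the enclave boundary, so neither side ever works on a raw pointer that belongs to the other side.

```edl
// Hypothetical Enclave.edl for the helloworld flow (added example; names are assumptions).
enclave {
    // Import the trusted C runtime interface that ships with the SGX SDK
    // (sgx_tstdc.edl); the real sample may import different files.
    from "sgx_tstdc.edl" import *;

    trusted {
        // ECALL: the untrusted component calls into the enclave.
        // buf lives in untrusted memory. [out, size=len] makes the generated
        // bridge code copy exactly len bytes back out after the call and
        // reject a buffer that does not lie entirely outside the enclave.
        public void ecall_helloworld([out, size=len] char* buf, size_t len);
    };

    untrusted {
        // OCALL: the enclave calls out to the untrusted component to print.
        // [in, string] copies the NUL-terminated string out of enclave
        // memory before the host function sees it, so the host never
        // receives a pointer into the enclave's encrypted memory.
        void ocall_print([in, string] const char* str);
    };
};
```

The SDK's sgx_edger8r tool turns such a file into the trusted (Enclave_t.*) and untrusted (Enclave_u.*) bridge sources that the Makefile compiles into enclave.so and the host binary. An ECALL without `public` is only reachable from inside an OCALL, and a pointer parameter without `[in]`, `[out]` or `[user_check]` is rejected by the tool, which is what prevents an accidental unchecked pointer from crossing the boundary.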
Sample code and directory tree
In this example, an Intel SGX 2.0 application named helloworld is deployed. For more information about the source code, visit GitHub. The source code includes the code for application compilation, image building, and application deployment. The following directory tree shows the sample code.
sgx-device-plugin/samples/hello_world/
├── Dockerfile
├── Makefile
├── README.md
└── src
    ├── App
    │   ├── App.cpp
    │   └── App.h
    ├── Enclave
    │   ├── Enclave.config.xml
    │   ├── Enclave.cpp
    │   ├── Enclave.edl
    │   ├── Enclave.h
    │   ├── Enclave.lds
    │   └── Enclave_private.pem
    └── Makefile
The following table describes the src directory and its files.
Directory | Description | File | Description |
App | The App directory contains untrusted code, such as the main() entry function and the OCALL functions. | App.cpp | The code of the untrusted component. |
| | App.h | The header file. |
Enclave | The Enclave directory contains the code of the trusted component, including the ECALL functions. | Enclave.edl | The EDL file that declares the ECALLs and OCALLs. |
| | Enclave.lds | The enclave linker script. |
| | Enclave_private.pem | The private key that is used to sign the enclave.so file. |
| | Enclave.config.xml | The enclave configuration file that specifies parameters such as the stack size and whether debugging is enabled. |
| | Enclave.h and Enclave.cpp | The code that implements the trusted component. |
Step 1: Compile hello_world
1. Run the following command to install Git:
sudo yum install git
2. Run the following commands to compile the hello_world application:
git clone https://github.com/AliyunContainerService/sgx-device-plugin
cd sgx-device-plugin/samples/hello_world
SGX_SDK=/opt/alibaba/teesdk/intel/sgxsdk make build
A binary file named hello_world is generated in the root directory of the project.
3. Run the ./hello_world command on an instance that supports SGX to run the hello_world application:
cd src/
./hello_world
Expected output:
Wed May 6 06:53:33 2020 Hello world From SGX Enclave!
Wed May 6 06:53:34 2020 Hello world From SGX Enclave!
...
Step 2: Build and deploy the helloworld application
We recommend that you build an Alibaba Cloud Linux image, install the latest SGX SDK version, and periodically update the SDK to mitigate potential risks.
Sample Dockerfile
The following sample Dockerfile uses Alibaba Cloud Linux 3:
FROM registry.cn-hangzhou.aliyuncs.com/alinux/alinux3
ARG REGION_ID=cn-hangzhou
# Add the Alibaba Cloud enclave repository and install the SGX runtime.
RUN yum install -y curl && \
    repo_url=https://enclave-${REGION_ID}.oss-${REGION_ID}.aliyuncs.com/repo/alinux/enclave-expr.repo && \
    yum install -y yum-utils && \
    yum-config-manager --add-repo ${repo_url} && \
    yum install -y libsgx-urts libsgx-uae-service # Add more SGX runtime dependencies on demand.
WORKDIR /src
# Only the host binary and the signed enclave are copied; the signing key stays out of the image.
# With more than one source, the COPY destination must be a directory and end with a slash.
COPY src/hello_world src/enclave.signed.so /src/
ENTRYPOINT ["/src/hello_world"]
Procedure
1. Install Docker. For more information, see Install and use Docker on a Linux instance.
2. Run the following commands to compile and build a test image. Replace ${IMAGE_URL} with the address of the test image.
cd sgx-device-plugin/samples/hello_world
TARGET_IMAGE=${IMAGE_URL} SGX_SDK=/opt/alibaba/teesdk/intel/sgxsdk make image
docker push ${IMAGE_URL}
3. Run the following command to deploy the helloworld application. Replace ${IMAGE_URL} with the address of the test image that you built in the preceding step.
cat <<EOF | kubectl create -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - image: ${IMAGE_URL}
        imagePullPolicy: Always
        name: helloworld
        resources:
          limits:
            cpu: 250m
            memory: 512Mi
            alibabacloud.com/sgx_epc_MiB: 2
EOF