Installation Guide
This installation guide is intended to assist with the installation of the Safeheron-SGX-Native-Development-Framework, using version 2.23 of sgx-linux as an example.
Environment Requirements
- Operating System: Ubuntu 20.04
- Build Tools: CMake (>=3.19), ninja (>=1.10.0), GCC (>=9.3.0), or Clang
- Intel CPU with SGX support (required)
Installing Dependencies
Ensure you have sudo privileges; otherwise, run the installation as a root user.
$ sudo apt update
$ sudo apt-get -y install dkms wget autoconf build-essential libtool pkg-config automake git vim openssl libssl-dev perl tar unzip ninja-build
Install SGX Driver
Before installing the SGX driver, run ls /dev | grep sgx to check whether the system kernel already ships with an SGX driver. If it does, skip this step.
$ wget https://download.01.org/intel-sgx/sgx-linux/2.23/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin
$ sudo bash sgx_linux_x64_driver_1.41.bin
$ dmesg | grep sgx
Install SGX SDK
$ wget https://download.01.org/intel-sgx/sgx-linux/2.23/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.23.100.2.bin
$ (echo -e "no"; echo -e "/opt/intel/") | sudo bash sgx_linux_x64_sdk_2.23.100.2.bin
$ git clone --recurse-submodules -b sgx_2.23 https://github.com/intel/linux-sgx.git
$ cd linux-sgx/external/protobuf
$ make -j$(nproc)
$ sudo mkdir -p /opt/intel/sgxsdk/include/tprotobuf/google/protobuf/util
$ sudo cp protobuf_code/src/google/protobuf/util/*.h /opt/intel/sgxsdk/include/tprotobuf/google/protobuf/util/
Install AESM Service & DCAP
$ wget https://download.01.org/intel-sgx/sgx-linux/2.23/distro/ubuntu20.04-server/sgx_debian_local_repo.tgz
$ tar -zxf sgx_debian_local_repo.tgz
$ sudo mv sgx_debian_local_repo /srv/
$ echo "deb [trusted=yes arch=amd64] file:/srv/sgx_debian_local_repo focal main" | sudo tee /etc/apt/sources.list.d/sgx_debian_local_repo.list
$ sudo apt update
$ sudo apt-get -y install libsgx-enclave-common-dev libsgx-dcap-ql-dev libsgx-dcap-default-qpl-dev libsgx-dcap-quote-verify-dev libsgx-quote-ex-dev
To ensure successful remote attestation, it is necessary to configure the /etc/sgx_default_qcnl.conf file.
1. For environments utilizing cloud services:
We recommend deploying TEE server on cloud services, as they typically provide a stable and robust environment along with adequate technical support.
PCCS_URL=https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/
USE_SECURE_CERT=TRUE
Clear the file first, then set the PCCS_URL value to the address of the PCCS service you are using (for example, if you are using Alibaba Cloud services). If you encounter any issues, please consult your cloud service provider.
{
"pccs_url": "https://sgx-dcap-server.cn-beijing.aliyuncs.com/sgx/certification/v3/",
"use_secure_cert": true
}
You can also use a JSON structure, but please be mindful of the case sensitivity of keywords.
PCCS_URL=https://global.acccache.azure.net/sgx/certification/v3/
USE_SECURE_CERT=TRUE
COLLATERAL_SERVICE=https://api.trustedservices.intel.com/sgx/certification/v3/
Some cloud service PCCS may have expired quote verification collateral (for example, if you are using Microsoft Cloud services). In such cases, you can use Intel PCS or another PCCS to get quote verification collateral.
2. For others:
You can deploy and utilize your own PCCS for remote attestation.
PCCS_URL=https://pccs-server-url:8081/sgx/certification/v3/
USE_SECURE_CERT=TRUE
For information and deployment details regarding PCCS, please refer to quote-verification-attestation-with-intel-sgx-dcap.
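The following check is an added example, not part of the ssgx project or Intel's tooling. It lints a QCNL configuration file in either of the two formats above, rejecting a non-HTTPS PCCS URL, a use_secure_cert value other than true, and uppercase keys in the JSON form; the function name check_qcnl_conf and the sample file are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of the ssgx project: lint a QCNL config file in
# either format shown above before relying on it for remote attestation.

# check_qcnl_conf FILE: returns 0 if FILE passes every check, 1 otherwise.
check_qcnl_conf() {
    q_file=$1; q_rc=0
    [ -r "$q_file" ] || { echo "FAIL: cannot read $q_file" >&2; return 1; }
    # Drop comment lines ('#' in KEY=VALUE files, '//' in JSON files).
    q_body=$(grep -Ev '^[[:space:]]*(#|//)' "$q_file" || true)
    q_ws='[[:space:]]*'

    if printf '%s\n' "$q_body" | grep -q '^[[:space:]]*{'; then
        # JSON format: keys are case-sensitive and lowercase on the page.
        if printf '%s\n' "$q_body" | grep -Eq '"(PCCS_URL|USE_SECURE_CERT)"'; then
            echo "FAIL: JSON keys must be lowercase" >&2; q_rc=1
        fi
        q_url=$(printf '%s\n' "$q_body" |
            sed -nE "s/.*\"pccs_url\"$q_ws:$q_ws\"([^\"]*)\".*/\1/p" | head -n 1)
        q_cert=$(printf '%s\n' "$q_body" |
            sed -nE "s/.*\"use_secure_cert\"$q_ws:$q_ws([A-Za-z]+).*/\1/p" | head -n 1)
    else
        q_url=$(printf '%s\n' "$q_body" |
            sed -nE "s/^${q_ws}PCCS_URL$q_ws=$q_ws([^[:space:]]+).*/\1/p" | head -n 1)
        q_cert=$(printf '%s\n' "$q_body" |
            sed -nE "s/^${q_ws}USE_SECURE_CERT$q_ws=$q_ws([A-Za-z]+).*/\1/p" | head -n 1)
    fi

    case $q_url in
        https://?*) ;;
        *) echo "FAIL: PCCS URL missing or not https: '$q_url'" >&2; q_rc=1 ;;
    esac
    # use_secure_cert=false makes the client accept an unverified PCCS TLS
    # certificate; this lint requires an explicit true.
    q_cert=$(printf '%s' "$q_cert" | tr '[:upper:]' '[:lower:]')
    if [ "$q_cert" != true ]; then
        echo "FAIL: use_secure_cert is '$q_cert', expected true" >&2; q_rc=1
    fi
    return "$q_rc"
}

# Constructed sample: a self-hosted PCCS entry with certificate checks off.
q_demo=$(mktemp)
printf '%s\n' '# constructed sample' \
    'PCCS_URL=https://pccs-server-url:8081/sgx/certification/v3/' \
    'USE_SECURE_CERT=FALSE' > "$q_demo"
check_qcnl_conf "$q_demo" || echo "sample rejected: certificate checks are off"
rm -f "$q_demo"
```

Run it as check_qcnl_conf /etc/sgx_default_qcnl.conf after editing the file; a non-zero return means at least one check failed.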
Install SGX Mitigation Tools
$ wget https://download.01.org/intel-sgx/sgx-linux/2.23/as.ld.objdump.r4.tar.gz
$ tar -zxf as.ld.objdump.r4.tar.gz
$ sudo cp external/toolset/ubuntu20.04/* /usr/local/bin
$ which ar as ld objcopy objdump ranlib
Install SGX OpenSSL
$ git clone https://github.com/intel/intel-sgx-ssl.git
$ cd intel-sgx-ssl
$ git checkout lin_2.21_1.1.1u
$ cd openssl_source
$ wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz
$ cd ../Linux
$ make -j$(nproc)
$ sudo make install
Building & Running
Install External Dependencies
This project relies on the following third-party libraries:
- log4cplus: Logging library
- mbedtls: Lightweight cryptographic library
- mpdecimal: High-precision computation library
- nlohmann: JSON parsing library
- toml11: TOML configuration parsing library
- protobuf: Google's data interchange format
- safeheron-crypto-suites-cpp: Safeheron cryptographic algorithm library
We provide a script to install all external dependencies automatically. The default installation path for trusted libraries is /opt/safeheron/ssgx, and for other libraries it is /usr/local.
$ git clone https://github.com/Safeheron/ssgx.git
$ cd ssgx
$ sudo bash build_install_external.sh
Build and Install
$ cmake --preset release-ssgx-config # Configure the Compilation Process for ssgx
$ cmake --build --preset release-ssgx-build # Compile ssgx
$ sudo cmake --install release-ssgx-config # Install ssgx
The default installation path for Safeheron-SGX-Native-Development-Framework is /opt/safeheron/ssgx.
Running Tests
$ cmake --preset release-test-config # Configure the Compilation Process for Test Cases
$ cmake --build --preset release-test-build # Compile Test Cases
$ ctest -R "basic_test" --preset release-unit-tests -V # Run Test Cases