The DCAP Protocol
Intel SGX uses the Data Center Attestation Primitives (DCAP) protocol to prove what code runs in an enclave. DCAP is also known as _Elliptic Curve Digital Signature Algorithm (ECDSA) Attestation_.
In DCAP, repeated attestation requests are served from a cache rather than forwarded to Intel. A newly installed machine obtains a machine certificate from Intel via the cache, which may then be persisted to disk. All this is automated for you.
To perform attestation using DCAP, Conclave needs a way to gather information about the platform the enclave is hosted on. This information provides proof from Intel that the system supports SGX and that it is patched and up to date. A DCAP client is used for this function. It is basically a library named `libdcap_quoteprov.so` or `libdcap_quoteprov.so.1`, which is to be installed in `/usr/lib/` or `/usr/lib/x86_64-linux-gnu`.
You can use one of the three available DCAP clients (also called DCAP plugins) listed below:
- Conclave-Azure bundled client (recommended)
- Intel DCAP client
- Azure DCAP client
To avoid conflicts between DCAP plugins, you must uninstall the plugins that you don't need.
Conclave provides a bundled Azure DCAP plugin, which is the recommended option for Azure virtual machines. You can use this default DCAP plugin for most of your use cases without any mandatory setup.
This plugin will be used only if no other plugin exists in the default libraries under `/usr/lib/`. The runtime will use the first `.so` it finds in the order below:
- `/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1`
- `/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so`
- `/usr/lib/libdcap_quoteprov.so.1`
- `/usr/lib/libdcap_quoteprov.so`
If you choose Conclave's recommended bundled DCAP plugin, delete or rename any `.so` in the above locations.
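The check below is an added example (not part of the Conclave docs) that walks the search order above and reports which quote provider library the runtime would pick up, or `bundled` when none is installed; it also flags the plugin conflict the page warns about when more than one `.so` is present. The optional root-prefix argument is an assumption of this script so it can be run against a staged directory tree; leave it empty for the live system.

```shell
#!/bin/sh
# Added example, not from the Conclave docs. Reports which libdcap_quoteprov.so
# would be loaded, following the search order given on this page.
# $1 is a hypothetical root prefix (e.g. a mounted image); "" means the live system.

# Print the candidate paths in the order the runtime tries them.
dcap_candidates() {
  root="${1:-}"
  printf '%s\n' \
    "$root/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1" \
    "$root/usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so" \
    "$root/usr/lib/libdcap_quoteprov.so.1" \
    "$root/usr/lib/libdcap_quoteprov.so"
}

# Print the plugin that would be used: the first existing candidate, or
# "bundled" when none exists (Conclave's bundled Azure plugin is used then).
dcap_plugin_in_use() {
  for f in $(dcap_candidates "$1"); do
    if [ -e "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  printf 'bundled\n'
}

# Count installed candidates; more than one means the plugins may conflict.
dcap_plugin_count() {
  n=0
  for f in $(dcap_candidates "$1"); do
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  printf '%s\n' "$n"
}

# Summarise the state; returns 1 when more than one plugin library is present.
dcap_check() {
  in_use=$(dcap_plugin_in_use "$1")
  count=$(dcap_plugin_count "$1")
  echo "active DCAP plugin: $in_use"
  if [ "$count" -gt 1 ]; then
    echo "WARNING: $count libdcap_quoteprov.so files found; remove the ones you don't need"
    return 1
  fi
  return 0
}
```

Run `dcap_check` with no argument on the VM before starting the host to confirm that exactly the plugin you intend is the one the runtime will find.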
You might also want to set the Azure DCAP client logging level to FATAL as the default setting is quite verbose:
export AZDCAP_DEBUG_LOG_LEVEL=FATAL
Intel provides a DCAP client as part of the DCAP runtime. You can use this option if you want to run your code on bare-metal machines and don't want to rely on cloud providers.
To use Intel's DCAP plugin, you need to install the DCAP client package. For example, in Ubuntu, you can use the following command:
sudo apt-get install libsgx-dcap-default-qpl
You also need a subscription to use Intel's DCAP plugin. From release 1.3.1, Conclave supports Intel PCCS (Provisioning Certificate Caching Service). To use Intel PCCS, you may need to uncomment the following line in the `/etc/sgx_default_qcnl.conf` file:
"pccs_api_version": "3.1"
Please also refer to Intel's example and some instructions here.
Microsoft provides an Azure DCAP client, which you can use on Azure virtual machines. Azure's DCAP plugin does not require any subscription to Intel services.
To use an Azure DCAP client, you need to install Microsoft's package list and Azure's DCAP client package. For example, in Ubuntu, you can use the following commands:
wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
echo 'deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main' | sudo tee /etc/apt/sources.list.d/msprod.list
sudo apt-get install az-dcap-client
If you plan to use a Docker container with DCAP hardware, you must map two different device files like this:
docker run --device /dev/sgx/enclave --device /dev/sgx/provision ...
Note
Azure offers a "Confidential Kubernetes" service. At this time, we haven't tested Conclave with that.
After setting up the machine, you can follow the Compiling and running tutorial to run the hello-world sample.
The sample is configured to use DCAP attestation with the following line in `Host.java`:
enclave.start(new AttestationParameters.DCAP(), ... );
DCAP doesn't require specific API keys or parameters, so creating the empty object is sufficient to choose it.