Setting Up pQCee TEE API Server in an Azure VM
==============================================

The pQCee TEE API Server supports Intel SGX-enabled machines provided by the Microsoft Azure cloud service.

1. Create an Intel SGX Compatible Azure Virtual Machine
-------------------------------------------------------

The following steps summarise the creation of an Intel SGX compatible Azure Virtual Machine. For more information on creating an Azure VM and connecting to it, visit `Azure's documentation `_.

In the `Azure Portal `_, create a virtual machine, noting the following:

- For **Region**, choose a region that offers Intel SGX sizes. Intel SGX VMs run on specialised hardware in specific regions. For the latest regional availability, look for the DCsv2-series or DCsv3/DCdsv3-series in `available regions `_.
- For the operating system image, choose **Ubuntu Server 22.04 LTS (Confidential VM) - x64 Gen2**.
- For **VM Size**, filter by **Type** and check only **Confidential compute**. You should see sizes **DC(number)s_v2**, **DC(number)s_v3** and **DC(number)ds_v3**. Select one from the filtered list.

2. Setting Up the VM
--------------------

.. note:: External packages and services are installed as part of this setup.

Enarx
~~~~~

`Enarx `_ is a platform that abstracts the running of workloads across confidential-computing platforms such as Intel SGX and AMD SEV. It allows a user to execute WebAssembly modules without handling the attestation process and other intricacies of the confidential-computing machine. We developed a `fork `_ of the Enarx repository that supports Azure VMs.

Installation of Intel packages and Enarx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following steps install the necessary packages provided by Intel, and then install our fork of Enarx. SSH into the VM and execute the following script:

.. code-block:: bash

    # Add the Intel SGX Ubuntu repo, pinned to its signing key via signed-by
    sudo mkdir -p /etc/apt/keyrings
    echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
    wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
    cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null

    # Install the DCAP quote generation library (ECDSA-based attestation)
    sudo apt update
    sudo apt install -y libsgx-dcap-ql

    # Install Intel's default Quote Provider Library (QPL), which fetches PCK certificates and TCB info
    sudo apt install -y libsgx-dcap-default-qpl

    # Point the QPL at Azure's PCK caching service instead of a local PCCS.
    # The sed is a silent no-op if the shipped config uses different spacing;
    # confirm the edit with: grep pccs_url /etc/sgx_default_qcnl.conf
    sudo sed -i 's# "pccs_url": "https://localhost:8081/sgx/certification/v4/"# "pccs_url": "https://global.acccache.azure.net/sgx/certification/v4/"#' /etc/sgx_default_qcnl.conf
    sudo systemctl restart aesmd

    # Install the PCKIDRetrievalTool (used by `enarx platform sgx cache-pck` below)
    wget https://download.01.org/intel-sgx/sgx-dcap/1.22/linux/distro/ubuntu22.04-server/PCKIDRetrievalTool_v1.22.100.3.tar.gz
    tar xf PCKIDRetrievalTool_v1.22.100.3.tar.gz

    # Install Enarx build dependencies
    sudo apt update
    sudo apt install -y git curl gcc musl-tools python3-minimal

    # Install Rust with the nightly toolchain
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain nightly -y
    . $HOME/.cargo/env

    # Clone the Enarx fork modified for running on Azure, and install it
    git clone https://github.com/pqcee/enarx
    cd enarx/
    cargo install --locked --bin enarx --path ./

    # Create the cache directory and have Enarx cache Intel's CRLs
    sudo mkdir -p /var/cache/intel-sgx
    sudo $(which enarx) platform sgx cache-crl || true

    # Cache the Provisioning Certification Key (PCK) certificate
    sudo PATH=${HOME}/PCKIDRetrievalTool_v1.22.100.3:$PATH $(which enarx) platform sgx cache-pck

    # Cache the TCB info
    sudo $(which enarx) platform sgx cache-tcb

    # Check that the setup is successful: "Backend: sgx" should be marked with a tick
    enarx platform info

    # Install wasi-sdk (WebAssembly toolchain) for Kyber / ML-KEM
    wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-24/wasi-sdk-24.0-x86_64-linux.deb
    sudo dpkg -i wasi-sdk-24.0-x86_64-linux.deb

3. Start the server
-------------------

The pQCee TEE API Server toolkit provided to you contains the following files:

- A WASM file (``pqcee-tee-api-server.wasm``)
- An Enarx configuration file (``Enarx.toml``)

Follow the steps below to start the server.

#. Create the ``pqcee-tee-api-server`` directory in the ``${HOME}`` directory of the VM:

   .. code-block:: bash

       mkdir -p ${HOME}/pqcee-tee-api-server

#. Copy ``pqcee-tee-api-server.wasm`` and ``Enarx.toml`` into the ``${HOME}/pqcee-tee-api-server`` directory through the Azure Cloud Shell or with a tool such as ``scp``.

#. Start the server by executing the following command:

   .. code-block:: bash

       cd ${HOME}/pqcee-tee-api-server
       enarx run --wasmcfgfile Enarx.toml pqcee-tee-api-server.wasm
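Two steps in the setup script above can fail without being noticed: the ``sed`` that points the QPL at Azure's caching service does nothing if the shipped ``sgx_default_qcnl.conf`` is laid out differently, and ``cache-crl`` has its failure swallowed by ``|| true``. The following POSIX shell preflight script is an added example (it is not part of the pQCee toolkit or the Enarx fork) that re-checks the setup from sections 2 and 3 and only then launches the server. The device-node names ``/dev/sgx_enclave`` and ``/dev/sgx_provision`` are those exposed by the in-kernel SGX driver on Ubuntu 22.04; the Azure endpoint, config path, cache directory and toolkit file names are taken from the steps above. The checks that the cache directory is non-empty and that the wasm file is not world-writable are this example's own additions. Each check takes an optional path so it can be exercised against constructed files.

```shell
#!/bin/sh
# preflight.sh - verify the SGX/DCAP setup before starting the pQCee TEE API Server.
# Added example, not part of the pQCee toolkit. Defaults match the guide above and
# can be overridden through the environment.

SERVER_DIR="${SERVER_DIR:-$HOME/pqcee-tee-api-server}"
QCNL_CONF="${QCNL_CONF:-/etc/sgx_default_qcnl.conf}"
SGX_CACHE="${SGX_CACHE:-/var/cache/intel-sgx}"
AZURE_PCCS="https://global.acccache.azure.net/sgx/certification/v4/"

# 1. The in-kernel SGX driver exposes /dev/sgx_enclave (needed by every enclave host
#    process, i.e. by `enarx run`) and /dev/sgx_provision (needed for PCK provisioning,
#    i.e. by `cache-pck`). If they are absent the VM size or image is not SGX-capable.
#    -e rather than -c is used so the check can be run against a fake /dev directory.
check_sgx_devices() {
    dev="${1:-/dev}"
    [ -e "$dev/sgx_enclave" ] || { echo "missing $dev/sgx_enclave: SGX not exposed to this VM" >&2; return 1; }
    [ -e "$dev/sgx_provision" ] || { echo "missing $dev/sgx_provision: PCK provisioning will fail" >&2; return 1; }
    return 0
}

# 2. Read the effective pccs_url back out of the QPL config instead of trusting the
#    sed edit. The file is JSON with // comment lines; only quoted keys are matched.
pccs_url_of() {
    sed -n 's/.*"pccs_url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

check_pccs_url() {
    url="$(pccs_url_of "$1")"
    [ "$url" = "$AZURE_PCCS" ] && return 0
    echo "pccs_url is '${url:-unset}', expected $AZURE_PCCS (the sed in the setup did not apply)" >&2
    return 1
}

# 3. The cache-crl / cache-pck / cache-tcb steps populate this directory (assumption of
#    this example: an empty directory means those steps did not run successfully).
check_sgx_cache() {
    dir="${1:-$SGX_CACHE}"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ] && return 0
    echo "$dir is missing or empty: rerun the enarx platform sgx cache-* steps" >&2
    return 1
}

# 4. Both toolkit files must be present, and the wasm must not be world-writable:
#    whatever is in that file is what ends up running inside the enclave.
check_toolkit() {
    dir="${1:-$SERVER_DIR}"
    for f in pqcee-tee-api-server.wasm Enarx.toml; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    if [ -n "$(find "$dir/pqcee-tee-api-server.wasm" -perm -002 2>/dev/null)" ]; then
        echo "$dir/pqcee-tee-api-server.wasm is world-writable; fix permissions before running it" >&2
        return 1
    fi
    return 0
}

main() {
    ok=0
    check_sgx_devices || ok=1
    check_pccs_url "$QCNL_CONF" || ok=1
    check_sgx_cache || ok=1
    check_toolkit || ok=1
    [ "$ok" -eq 0 ] || { echo "preflight failed; not starting the server" >&2; exit 1; }
    cd "$SERVER_DIR" && exec enarx run --wasmcfgfile Enarx.toml pqcee-tee-api-server.wasm
}

# Run the checks only when executed as preflight.sh; sourcing the file just defines
# the functions so they can be reused or tested individually.
case "${0##*/}" in
    preflight.sh) main "$@" ;;
esac
```

Save it as ``preflight.sh`` in the VM and run ``sh preflight.sh`` in place of the bare ``enarx run`` command from step 3; it prints one line per failed check and refuses to start the server until all four pass.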