Setting Up pQCee TEE API Server in an Azure VM¶
The pQCee TEE API Server supports Intel SGX-enabled machines provided by Microsoft Azure cloud service.
1. Create an Intel SGX Compatible Azure Virtual Machine¶
The following steps summarises the creation of an Intel SGX compatible Azure Virtual Machine. For more information on creating an Azure VM and connecting to the Azure VM, visit Azure’s documentation.
In the Azure Portal, create a virtual machine, noting the following:
For Region, choose an Intel SGX suitable region. Intel SGX VMs run on specialized hardware in specific regions. For the latest regional availability, look for DCsv2-series or DCsv3/DCdsv3-series in available regions.
For the operating system image, choose Ubuntu Server 22.04 LTS (Confidential VM) - x64 Gen2.
For VM Size, filter by Type and check only Confidential compute. You should see sizes DC(number)s_v2, DC(number)s_v3 and DC(number)ds_v3. Select one from the filtered list.
2. Setting Up the VM¶
Note
External packages and services are installed as part of this setup.
Enarx¶
Enarx is a platform that abstracts the running of workload across confidential-computing platforms such as Intel SGX and AMD-SEV. It allows a user to execute WebAssembly modules, without worrying about the attestation process and other intricacies of the confidential-computing machine.
We developed a fork of the Enarx repository that supports Azure VMs.
Installation of Intel packages and Enarx¶
The following steps installs necessary packages provided by Intel, and installs our fork of Enarx.
SSH into the VM and execute the following script:
# Add the Intel SGX Ubuntu Repo
echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
# Install SDK and PSW with DCAP ECDSA-based attestation service
sudo apt update
sudo apt install -y libsgx-dcap-ql
# Install Intel DCAP
sudo apt install -y libsgx-dcap-default-qpl
# Configure Intel DCAP to point to Azure's endpoint
sudo sed -i 's# "pccs_url": "https://localhost:8081/sgx/certification/v4/"# "pccs_url": "https://global.acccache.azure.net/sgx/certification/v4/"#' /etc/sgx_default_qcnl.conf
sudo systemctl restart aesmd
# Install the PCKIDRetrievalTool
wget https://download.01.org/intel-sgx/sgx-dcap/1.22/linux/distro/ubuntu22.04-server/PCKIDRetrievalTool_v1.22.100.3.tar.gz
tar xf PCKIDRetrievalTool_v1.22.100.3.tar.gz
# Install Enarx dependencies.
sudo apt update
sudo apt install -y git curl gcc musl-tools python3-minimal
# Install rust with nightly toolchain
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain nightly -y
. $HOME/.cargo/env
# Clone Enarx modified for running on Azure, and install Enarx.
git clone https://github.com/pqcee/enarx
cd enarx/
cargo install --locked --bin enarx --path ./
# Create the directory and get Enarx to cache Intel's CRLs
sudo mkdir -p /var/cache/intel-sgx
sudo $(which enarx) platform sgx cache-crl || true
# Cache the Provisioning Certificate Key:
sudo PATH=${HOME}/PCKIDRetrievalTool_v1.22.100.3:$PATH $(which enarx) platform sgx cache-pck
# Cache the TCB:
sudo $(which enarx) platform sgx cache-tcb
# Check that the setup is successful. "Backend: sgx" should be a tick.
enarx platform info
# Install wasm-sdk for Kyber ML-KEM
wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-24/wasi-sdk-24.0-x86_64-linux.deb
sudo dpkg -i wasi-sdk-24.0-x86_64-linux.deb
3. Start the server¶
The pQCee TEE API Server toolkit provided to you contains the following files:
A WASM file (pqcee-tee-api-server.wasm)
An Enarx configuration file (Enarx.toml)
Follow the steps below to start the server.
Create the
pqcee-tee-api-serverdirectory in the${HOME}directory of the VM:mkdir -p ${HOME}/pqcee-tee-api-server
Copy
pqcee-tee-api-server.wasmandEnarx.tomlinto the${HOME}/pqcee-tee-api-serverdirectory through the Azure Cloud Shell or with a tool such asscp.Start the server by executing the following command:
cd ${HOME}/pqcee-tee-api-server enarx run --wasmcfgfile Enarx.toml pqcee-tee-api-server.wasm