SGX: provide SGX aesmd sample

SGX aesmd (architectural enclave service daemon) can be used for SGX DCAP Quote Generation. This commit adds a sample deployment that by default talks to an Intel reference PCCS (Provisioning Certificate Caching Service). The default config provided is for a "single node" cluster that has PCCS service localhost. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-06-03 03:59:37 +00:00 · 2020-09-17 21:39:22 +03:00 · 2020-09-17 21:39:22 +03:00 · 0bffaf2f2d
commit 0bffaf2f2d
parent 790bfd0fd2
7 changed files with 83 additions and 0 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -81,6 +81,7 @@ jobs:
          - opae-nlb-demo
          - openssl-qat-engine
          - sgx-sdk-demo
+          - sgx-aesmd-demo
          - ubuntu-demo-opencl
          - ubuntu-demo-openvino
        builder: [buildah, docker]
--- a/demo/sgx-aesmd-demo/Dockerfile
+++ b/demo/sgx-aesmd-demo/Dockerfile
@ -0,0 +1,21 @@
+# This Dockerfile is currently provided as a reference to build aesmd with ECDSA attestation
+# but is not published along with the device plugin container images.
+FROM ubuntu:18.04
+
+RUN apt update && apt install -y curl gnupg \
+    && echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | tee /etc/apt/sources.list.d/intel-sgx.list \
+    && curl -s https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
+    && apt update \
+    && apt install -y --no-install-recommends \
+       sgx-aesm-service \
+       libsgx-dcap-ql \
+       libsgx-aesm-ecdsa-plugin \
+       libsgx-aesm-pce-plugin \
+       libsgx-aesm-quote-ex-plugin \
+       libsgx-dcap-default-qpl
+
+RUN echo "/opt/intel/sgx-aesm-service/aesm" | tee /etc/ld.so.conf.d/sgx.conf \
+    && ldconfig
+
+ENV PATH=/opt/intel/sgx-aesm-service/aesm
+ENTRYPOINT ["/opt/intel/sgx-aesm-service/aesm/aesm_service", "--no-daemon"]
--- a/deployments/sgx_aesmd/base/aesmd.conf
+++ b/deployments/sgx_aesmd/base/aesmd.conf
@ -0,0 +1 @@
+default quoting type = ecdsa_256
--- a/deployments/sgx_aesmd/base/intel-sgx-aesmd.yaml
+++ b/deployments/sgx_aesmd/base/intel-sgx-aesmd.yaml
@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: intel-sgx-aesmd
+  labels:
+    app: intel-sgx-aesmd
+spec:
+  selector:
+    matchLabels:
+      app: intel-sgx-aesmd
+  template:
+    metadata:
+      labels:
+        app: intel-sgx-aesmd
+      annotations:
+        sgx.intel.com/quote-provider: "aesmd"
+    spec:
+      hostNetwork: true
+      containers:
+      - name: aesmd
+        image: intel/sgx-aesmd-demo:devel
+        securityContext:
+          readOnlyRootFilesystem: true
+        resources:
+          limits:
+            sgx.intel.com/epc: "1Mi"
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: aesmdconf
+          mountPath: /etc/aesmd.conf
+          subPath: aesmd.conf
+        - name: qplconf
+          mountPath: /etc/sgx_default_qcnl.conf
+          subPath: sgx_default_qcnl.conf
+      volumes:
+      - name: aesmdconf
+        configMap:
+          name: sgx-attestation-conf
+          items:
+          - key: aesmd.conf
+            path: aesmd.conf
+      - name: qplconf
+        configMap:
+          name: sgx-attestation-conf
+          items:
+          - key: sgx_default_qcnl.conf
+            path: sgx_default_qcnl.conf
--- a/deployments/sgx_aesmd/base/kustomization.yaml
+++ b/deployments/sgx_aesmd/base/kustomization.yaml
@ -0,0 +1,9 @@
+resources:
+- intel-sgx-aesmd.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: sgx-attestation-conf
+  files:
+  - aesmd.conf
+  - sgx_default_qcnl.conf
--- a/deployments/sgx_aesmd/base/sgx_default_qcnl.conf
+++ b/deployments/sgx_aesmd/base/sgx_default_qcnl.conf
@ -0,0 +1,2 @@
+PCCS_URL=https://localhost:8081/sgx/certification/v2/
+USE_SECURE_CERT=FALSE
--- a/deployments/sgx_aesmd/kustomization.yaml
+++ b/deployments/sgx_aesmd/kustomization.yaml
@ -0,0 +1,2 @@
+bases:
+  - base