sgx: add documentation

This commit documents the SGX building blocks for Kubernetes and how to deploy them in the cluster. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-06-03 03:59:37 +00:00 · 2020-10-23 15:56:00 +03:00 · 2020-10-23 15:56:00 +03:00 · 0f6eefee23
commit 0f6eefee23
parent a8105befe0
2 changed files with 188 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -18,6 +18,7 @@ Table of Contents
        * [CRI-O prestart hook](#cri-o-prestart-hook)
    * [QAT device plugin](#qat-device-plugin)
    * [VPU device plugin](#vpu-device-plugin)
+    * [SGX device plugin](#sgx-device-plugin)
 * [Device Plugins Operator](#device-plugins-operator)
 * [Demos](#demos)
 * [Developers](#developers)
@ -114,6 +115,49 @@ the card has:
 The demo subdirectory includes details of a OpenVINO deployment and use of the VPU plugin.
 Sources can be found in [openvino-demo](demo/ubuntu-demo-openvino)

+### SGX device plugin
+
+The [SGX device plugin](cmd/sgx_plugin/README.md) allows workloads to use Intel SGX on
+platforms with SGX Flexible Launch Control enabled, e.g.,:
+
+- 3rd Generation Intel® Xeon® Scalable Platform, code-named “Ice Lake”
+- Intel® Xeon® E3
+- Intel® NUC Kit NUC7CJYH
+
+The SGX plugin comes in three parts.
+
+- the [SGX device plugin](#sgx-device-plugin)
+- the [SGX admission webhook](#sgx-admission-webhook)
+- the [SGX EPC memory registration](#sgx-epc-memory-registration)
+
+Brief overviews of the sub-components are given below.
+
+#### SGX Device plugin
+
+The [SGX device plugin](cmd/sgx_plugin/README.md) is responsible for discovering and reporting SGX
+device nodes to `kubelet`.
+
+Containers requesting SGX resources in the cluster should not use the device plugins resources directly.
+
+#### SGX Admission webhook
+
+The SGX admission webhook is responsible for performing Pod mutations based on the `sgx.intel.com/quote-provider`
+pod annotation set by the user. The purpose of the webhook is to hide the details of setting the necessary
+device resources and volume mounts for using SGX remote attestation in the cluster. Furthermore,
+the SGX admission webhook is responsible for writing a pod/sandbox `sgx.intel.com/total_epc` annotation that
+is used by Kata Containers to dynamically adjust its virtualized SGX encrypted page cache (EPC) bank(s) size.
+
+The SGX admission webhook is implemented as part of [Intel Device Plugin Operator](cmd/operator/README.md).
+
+#### SGX EPC memory registration
+
+The SGX EPC memory available on each node is registered as a Kubernetes extended resource using
+node-feature-discovery (NFD). A custom NFD source hook is installed as part of [SGX device plugin](cmd/sgx_plugin/README.md)
+operator deployment and NFD is configured to register the SGX EPC memory extended resource reported by the hook.
+
+Containers requesting SGX EPC resources in the cluster use `sgx.intel.com/epc` resource which is of
+type [memory](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory).
+
 ## Device Plugins Operator

 Currently the operator has limited support for the QAT, GPU, FPGA and SGX device plugins:
--- a/cmd/sgx_plugin/README.md
+++ b/cmd/sgx_plugin/README.md
@ -5,23 +5,38 @@ Contents
 * [Introduction](#introduction)
 * [Installation](#installation)
    * [Prerequisites](#prerequisites)
-    * [Getting the source code:](#getting-the-source-code)
+    * [Pre-built images](#pre-built-images)
+    * [Getting the source code](#getting-the-source-code)
    * [Verify node kubelet config](#verify-node-kubelet-config)
    * [Deploying as a DaemonSet](#deploying-as-a-daemonset)
        * [Build the plugin image](#build-the-plugin-image)
        * [Deploy the DaemonSet](#deploy-the-daemonset)
-        * [Verify SGX device plugin is registered on master:](#verify-sgx-device-plugin-is-registered-on-master)
+        * [Verify SGX device plugin is registered on master](#verify-sgx-device-plugin-is-registered-on-master)
    * [Deploying by hand](#deploying-by-hand)
        * [Build SGX device plugin](#build-sgx-device-plugin)
        * [Deploy SGX plugin](#deploy-sgx-plugin)
+    * [SGX device plugin demos](#sgx-device-plugin-demos)
+        * [SGX ECDSA Remote Attestation](#sgx-ecdsa-remote-attestation)
+            * [Remote Attestation Prerequisites](#remote-attestation-prerequisites)
+            * [Build the images](#build-the-image)
+            * [Deploy the pod](#deploy-the-pod)

 ## Introduction

-**Note:** The work is still WIP. The SGX device plugin can be tested to run simple enclaves
-but the full e2e deployment (including the SGX remote attestation) is not yet finished. See
-the open issues for details.
+The Intel SGX device plugin and related components allow workloads to use Intel SGX on
+platforms with SGX Flexible Launch Control enabled, e.g.,:

-This Intel SGX device plugin provides support for Intel SGX TEE under Kubernetes.
+- 3rd Generation Intel® Xeon® Scalable Platform, code-named “Ice Lake”
+- Intel® Xeon® E3
+- Intel® NUC Kit NUC7CJYH
+
+The SGX solution comes in three parts:
+
+- the [SGX Device plugin](/README.md#sgx-device-plugin)
+- the [SGX Admission webhook](/README.md#sgx-admission-webhook)
+- the [SGX EPC memory registration](/README.md#sgx-epc-memory-registration)
+
+This README covers setting up all three components.

 ### Modes and Configuration options

@ -37,17 +52,64 @@ the complete list of logging related options.

 ## Installation

-The below sections cover how to obtain, build and install this component.
+The following sections cover how to obtain, build and install the necessary Kubernetes SGX specific
+components.

-The component can be installed either using a DaemonSet or running 'by hand' on each node.
+They can be installed either using a DaemonSet or running 'by hand' on each node.

 ### Prerequisites

 The component has the same basic dependancies as the
 [generic plugin framework dependencies](../../README.md#about).

-The SGX plugin requires Linux Kernel SGX drivers to be available. These drivers
-are currently available via RFC patches on Linux Kernel Mailing List.
+The SGX device plugin requires Linux Kernel SGX drivers to be available. These drivers
+are currently available via [RFC patches on Linux Kernel Mailing List](https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-sgx.git/tag/?h=v39).
+RFC *v39* was used to validate what is written in this document.
+
+The hardware platform must support SGX Flexible Launch Control.
+
+### Pre-built images
+
+[Pre-built images](https://hub.docker.com/u/intel/)
+are available on Docker Hub. These images are automatically built and uploaded
+to the hub from the latest master branch of this repository.
+
+Release tagged images of the components are also available on Docker Hub, tagged with their
+release version numbers in the format `x.y.z`, corresponding to the branches and releases in this
+repository. Thus the easiest way to deploy Intel SGX components in your cluster is to follow the steps
+below.
+
+The deployment YAML files supplied with the components in this repository use the images with the `devel`
+tag by default. If you do not build your own local images, your Kubernetes cluster may pull down
+the devel images from Docker Hub by default.
+
+`<RELEASE_VERSION>` needs to be substituted with the desired release version, e.g. `v0.19.0` or master.
+
+#### Deploy node-feature-discovery
+
+```bash
+$ kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_nfd?ref=<RELEASE_VERSION>
+```
+
+#### Deploy cert-manager
+
+```bash
+$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml
+```
+
+#### Deploy Intel Device plugin operator
+
+```bash
+$ kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/operator/default?ref=<RELEASE_VERSION>
+```
+
+**Note:** See the operator [deployment details](/cmd/operator/README.md) for setting it up on systems behind proxies.
+
+#### Deploy SGX device plugin with the operator
+
+```bash
+$ kubectl apply -f https://raw.githubusercontent.com/intel/intel-device-plugins-for-kubernetes/master/deployments/operator/samples/deviceplugin_v1_sgxdeviceplugin.yaml
+```

 ### Getting the source code

@ -142,4 +204,75 @@ I0626 20:33:01.414446  964346 server.go:219] Start server for provision at: /var
 I0626 20:33:01.414640  964346 server.go:219] Start server for enclave at: /var/lib/kubelet/device-plugins/sgx.intel.com-enclave.sock
 I0626 20:33:01.417315  964346 server.go:237] Device plugin for provision registered
 I0626 20:33:01.417748  964346 server.go:237] Device plugin for enclave registered
-```
+```
+
+### SGX device plugin demos
+#### SGX ECDSA Remote Attestation
+
+The SGX remote attestation allows a relying party to verify that the software is running inside an Intel® SGX enclave on a platform
+that has the trusted computing base up to date.
+
+The demo guides to run an SGX DCAP/ECDSA quote generation in on a single-node kubernetes cluster using Intel® reference
+SGX PCK Certificate Cache Service (PCCS) that is configured to service localhost connections.
+
+Read more about [SGX Remote Attestation](https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions/attestation-services.html).
+
+##### Remote Attestation Prerequisites
+
+For the SGX ECDSA Remote Attestation demo to work, the platform must be correctly registered and a PCCS running.
+
+For documentation to set up Intel® reference PCCS, refer to:
+[Intel® Software Guard Extensions (Intel® SGX) Services](https://api.portal.trustedservices.intel.com/) and
+[Intel® Software Guard Extensions SDK for Linux](https://01.org/intel-software-guard-extensions)
+
+Furthermore, the Kubernetes cluster must be set up according the [instructions above](#pre-built-images).
+
+##### Build the image
+
+The demo uses container images build from Intel® SGX SDK and DCAP releases.
+
+To build the demo images:
+
+```bash
+$ cd ${INTEL_DEVICE_PLUGINS_SRC}
+$ make sgx-aesmd-demo
+...
+Successfully tagged intel/sgx-aesmd-demo:devel
+$ make sgx-sdk-demo
+...
+Successfully tagged intel/sgx-sdk-demo:devel
+```
+
+##### Deploy the pods
+
+The demo runs Intel aesmd (architectural enclaves service daemon) that is responsible
+for generating SGX quotes for workloads. It is deployed with `hostNetwork: true`
+to allow connections to localhost PCCS.
+
+```bash
+$ kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_aesmd?ref=<RELEASE_VERSION>
+$ kubectl get pods
+  NAME                     READY     STATUS    RESTARTS   AGE
+  intel-sgx-aesmd-mrnm8                1/1     Running   0          3h47m
+  sgxdeviceplugin-sample-z5dcq-llwlw   1/1     Running   0          28m
+```
+
+The sample application runs SGX DCAP Quote Generation sample:
+
+```bash
+$ kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_aesmd_quote?ref=<RELEASE_VERSION>
+$ kubectl get pods
+  NAME                                 READY   STATUS      RESTARTS   AGE
+  intel-sgx-aesmd-mrnm8                1/1     Running     0          3h55m
+  ecdsa-quote-intelsgx-demo-job-vtq84  0/1     Completed   0          4s
+  sgxdeviceplugin-sample-z5dcq-llwlw   1/1     Running     0          35m
+$ kubectl logs ecdsa-quote-intelsgx-demo-job-vtq84
+
+  Step1: Call sgx_qe_get_target_info:succeed!
+  Step2: Call create_app_report:succeed!
+  Step3: Call sgx_qe_get_quote_size:succeed!
+  Step4: Call sgx_qe_get_quote:succeed!cert_key_type = 0x5
+```
+
+> **Note**: The deployment example above uses [kustomize](https://github.com/kubernetes-sigs/kustomize)
+> that is available in kubectl since Kubernetes v1.14 release.