deployments: update SGX configuration

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-06-03 03:59:37 +00:00 · 2023-01-12 09:41:17 +02:00 · 2023-01-12 09:41:17 +02:00 · 90aeca48c5
commit 90aeca48c5
parent 5de9b50f9e
3 changed files with 34 additions and 6 deletions
--- a/deployments/sgx_aesmd/base/sgx_default_qcnl.conf
+++ b/deployments/sgx_aesmd/base/sgx_default_qcnl.conf
@ -1,2 +1,17 @@
-PCCS_URL=https://localhost:8081/sgx/certification/v3/
-USE_SECURE_CERT=FALSE
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+  // This sample is a typical config file for a development environment which has a local PCCS setup
+  // QPL will get PCK certificates as well as quote verification collateral from the local PCCS service
+  // The PCCS service uses self-signed certificates
+  // You should choose the correct PCCS API version. "3.1" will return CRL in raw DER format
+  // It is recommended to use "3.1" for DCAP 1.12 release and later
+
+  //PCCS server address
+  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+
+  // To accept insecure HTTPS certificate, set this option to false
+  "use_secure_cert": false,
+
+  "pccs_api_version": "3.1"
+}
--- a/deployments/sgx_enclave_apps/base/intelsgx-job.yaml
+++ b/deployments/sgx_enclave_apps/base/intelsgx-job.yaml
@ -21,8 +21,6 @@ spec:
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
-            capabilities:
-              add: ["IPC_LOCK"]
          resources:
            limits:
              sgx.intel.com/epc: "512Ki"
--- a/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/sgx_default_qcnl.conf
+++ b/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/sgx_default_qcnl.conf
@ -1,2 +1,17 @@
-PCCS_URL=https://localhost:8081/sgx/certification/v3/
-USE_SECURE_CERT=FALSE
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+  // This sample is a typical config file for a development environment which has a local PCCS setup
+  // QPL will get PCK certificates as well as quote verification collateral from the local PCCS service
+  // The PCCS service uses self-signed certificates
+  // You should choose the correct PCCS API version. "3.1" will return CRL in raw DER format
+  // It is recommended to use "3.1" for DCAP 1.12 release and later
+
+  //PCCS server address
+  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+
+  // To accept insecure HTTPS certificate, set this option to false
+  "use_secure_cert": false,
+
+  "pccs_api_version": "3.1"
+}