Merge pull request #481 from mythi/sgx-aesmd

SGX remote attestation

.github/workflows/ci.yaml

@@ -81,6 +81,7 @@ jobs:
           - opae-nlb-demo
           - openssl-qat-engine
           - sgx-sdk-demo
+          - sgx-aesmd-demo
           - ubuntu-demo-opencl
           - ubuntu-demo-openvino
         builder: [buildah, docker]

demo/sgx-aesmd-demo/Dockerfile

@@ -0,0 +1,21 @@
+# This Dockerfile is currently provided as a reference to build aesmd with ECDSA attestation
+# but is not published along with the device plugin container images.
+FROM ubuntu:18.04
+
+RUN apt update && apt install -y curl gnupg \
+    && echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | tee /etc/apt/sources.list.d/intel-sgx.list \
+    && curl -s https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
+    && apt update \
+    && apt install -y --no-install-recommends \
+       sgx-aesm-service \
+       libsgx-dcap-ql \
+       libsgx-aesm-ecdsa-plugin \
+       libsgx-aesm-pce-plugin \
+       libsgx-aesm-quote-ex-plugin \
+       libsgx-dcap-default-qpl
+
+RUN echo "/opt/intel/sgx-aesm-service/aesm" | tee /etc/ld.so.conf.d/sgx.conf \
+    && ldconfig
+
+ENV PATH=/opt/intel/sgx-aesm-service/aesm
+ENTRYPOINT ["/opt/intel/sgx-aesm-service/aesm/aesm_service", "--no-daemon"]

deployments/operator/samples/deviceplugin_v1_sgxdeviceplugin.yaml

@@ -0,0 +1,9 @@
+apiVersion: deviceplugin.intel.com/v1
+kind: SgxDevicePlugin
+metadata:
+  name: sgxdeviceplugin-sample
+spec:
+  image: intel/intel-sgx-plugin:0.19.0
+  initImage: intel/intel-sgx-initcontainer:0.19.0
+  enclaveLimit: 110
+  provisionLimit: 110

deployments/sgx_aesmd/base/aesmd.conf

@@ -0,0 +1 @@
+default quoting type = ecdsa_256

deployments/sgx_aesmd/base/intel-sgx-aesmd.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: intel-sgx-aesmd
+  labels:
+    app: intel-sgx-aesmd
+spec:
+  selector:
+    matchLabels:
+      app: intel-sgx-aesmd
+  template:
+    metadata:
+      labels:
+        app: intel-sgx-aesmd
+      annotations:
+        sgx.intel.com/quote-provider: "aesmd"
+    spec:
+      hostNetwork: true
+      containers:
+      - name: aesmd
+        image: intel/sgx-aesmd-demo:devel
+        securityContext:
+          readOnlyRootFilesystem: true
+        resources:
+          limits:
+            sgx.intel.com/epc: "1Mi"
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: aesmdconf
+          mountPath: /etc/aesmd.conf
+          subPath: aesmd.conf
+        - name: qplconf
+          mountPath: /etc/sgx_default_qcnl.conf
+          subPath: sgx_default_qcnl.conf
+      volumes:
+      - name: aesmdconf
+        configMap:
+          name: sgx-attestation-conf
+          items:
+          - key: aesmd.conf
+            path: aesmd.conf
+      - name: qplconf
+        configMap:
+          name: sgx-attestation-conf
+          items:
+          - key: sgx_default_qcnl.conf
+            path: sgx_default_qcnl.conf

deployments/sgx_aesmd/base/kustomization.yaml

@@ -0,0 +1,9 @@
+resources:
+- intel-sgx-aesmd.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: sgx-attestation-conf
+  files:
+  - aesmd.conf
+  - sgx_default_qcnl.conf

deployments/sgx_aesmd/base/sgx_default_qcnl.conf

@@ -0,0 +1,2 @@
+PCCS_URL=https://localhost:8081/sgx/certification/v2/
+USE_SECURE_CERT=FALSE

deployments/sgx_aesmd/kustomization.yaml

@@ -0,0 +1,2 @@
+bases:
+  - base