User's Guide: Enroll a Compute Node (bare metal or VM) - SGX

1.0 Introduction

This article describes how to enroll a compute node using bare metal or VM on a SGX platform.

2.0 Enroll a Compute Node (bare metal or VM) - SGX

2.1 Ubuntu 16.04/Ubuntu 20.04 Node Agent 

Refer to Download Ubuntu Node Agent Installer - SGX to download the Ubuntu Node Agent installer.

Perform the following steps:

  1. Extract the content of the Node-Agent-Installer.tar.gz package and open the folder.
  2. Open the INSTALLER_README.md file containing the steps to enroll the compute node in Fortanix CCM.
    nodeagentinstaller.png
    Figure 1: INSTALLER_README

    The INSTALLER_README.md has the steps to enroll a compute node in Fortanix CCM.

  3. Fortanix supports any SGX capable server nodes.
  4. Ensure that applications on the node are allowed to make local connections to the Node Agent on port 9092.
    WARNING
    Ports do not accept remote connections as a best practice. So, do not allow remote connections to the node agent.

Perform the following steps to enroll Ubuntu 16.04 or Ubuntu 20.04 compute node in Fortanix CCM:

  1. Copy the file installer.sh to VM.
  2. Run the installer.sh using the command:
    sudo bash installer.sh <join-token> --attestation-type=<attestation-type>
NOTE
  • If the attestation type is DCAP, then ensure that you have az-dcap-client installed on your machine. Refer to INSTALLER_README.md file, to install az-dcap-client.
  • It is strongly recommended to use the DCAP attestation while installing the node agent on azure VM.

2.2 CentOS7 Node Agent

  1. Run the following command to install SGX and GSGX driver:
    sudo yum-config-manager --add-repo https://download.fortanix.com/linux/yum/el7/em-agent.repo
    sudo yum-config-manager --enable em-agent
    sudo yum install intel-sgx-kmod kmod-enclave-os-sgx
    
  2. Run the following command to install the podman:
    sudo yum -y install podman
  3. Run the following command to install the aesmd image:
    sudo mkdir -p /var/run/aesmd
    sudo podman run --detach --privileged --restart always --device /dev/sgx --volume /var/run/aesmd:/var/run/aesmd --name aesmd docker.io/fortanix/aesmd:latest
  4. Run the following command to install the em-agent:
    sudo podman run --detach --privileged --volume /dev/sgx:/dev/host/sgx --volume /var/run/aesmd:/var/run/aesmd -e AGENT_MANAGER_AUTH_BASIC_TOKEN= -e ATTESTATION_TYPE=EPID -p 9092:9092 --name em-agent docker.io/fortanix/em-agent

3.0 Generating Join Token

Perform the following steps to generate a join token in Fortanix CCM:

  1. Log in to https://ccm.fortanix.com, click the Infrastructure → Compute Nodes menu item, and clickENROLL NODE on the Compute Nodes page. Enroll-SGX-node.png
    Figure 2: Enroll Compute Node
  2. In the ENROLL COMPUTE NODE window, a Join Token will be generated in the text box for "Get a join token to register an SGX compute node". This Join Token is used by the compute node to authenticate itself.
    NitroJoinToken.png
    Figure 3: Join Token Generated
  3. Click Copy to copy the Join Token. 

4.0 Validating the Enrolled Compute Node

After the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table. EnrolledSGXNode.pngFigure 4: Enrolled Node

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful