| .. | ||
| c_app | ||
| dcap_lib | ||
| dcap.yaml | ||
| README.md | ||
| run_dcap_quote_on_occlum.sh | ||
SGX DCAP Remote Attestation Demo in Rust
This project demonstrates how to do Intel SGX DCAP (Datacenter Attestation
Primitives) remote attestation on Occlum. Occlum provides SGX capabilities to
applications through ioctls on device /dev/sgx.
Prerequisites
-
Platform: Intel SGX enabled platform with DCAP installed. Follow DCAP Quick Install Guide for the detailed installation procedure.
-
Occlum: Compile Occlum on a DCAP-installed platform by invoking
make. The compilation will look for the needed DCAP libraries. The needed libraries includelibsgx_quote_ex, libsgx_quote_ex_sim, libsgx_dcap_tvl, libsgx_dcap_ql and libsgx_dcap_quoteverify.
Run this demo on Occlum
You can run the DCAP quote generation and verification demo, including dcap library build, rust test demo and C test demo on Occlum via
./run_dcap_quote_on_occlum.sh
Preinstalled DCAP package in Ubuntu 18.04 and CentOS 8.1
The DCAP package has been preinstalled in the Occlum official docker images
including Ubuntu 18.04 and CentOS 8.1 since Occlum 0.19.0. The versions of DCAP
package and PCCS should keep the same to avoid incompatibility. The demo is verified
in Occlum 0.23.1 in which the DCAP version is 1.10, so PCCS should also be version 1.10
to work with the preinstalled DCAP package. Remember to configure /etc/sgx_default_qcnl.conf
in the container according to your PCCS setting after running the docker image.
As DCAP 1.10 is not the latest, the demo application running in the container of
the official image will output a warning: WARN: App: Verification completed with Non-terminal result: a002. The a002 of type sgx_ql_qv_result_t in the
warning indicates the quote is good but TCB level of the platform is out of
date.