The Intel SGX attestation sample app is a Java application that uses the Intel Trust Authority Attestation Java Client packages to get an attestation token from Intel Trust Authority. The application contains an example SGX enclave. When run, it collects a quote from the enclave and sends it to Intel Trust Authority to retrieve a token.
```text
┌────────────────────────────────────────────────┐
│ ┌──────────────────────────────────────┐       │
│ │           Docker Container           │       │
│ │                                      │       │
│ │ ┌──────────────────────────┐         │       │
│ │ │SGX Attestation Sample App│         │       │     ┌────────────────┐
│ │ └──────────────────────────┘         │       │     │                │
│ │                                      │       │     │                │
│ │ ┌──────────────────────────┐         │◄──────┼────►│  INTEL TRUST   │
│ │ │    enclave.signed.so     │         │       │     │   AUTHORITY    │
│ │ └──────────────────────────┘         │       │     │     SERVER     │
│ │                                      │       │     └────────────────┘
│ │ ┌──────────────────────────┐         │       │
│ │ │   connector-1.0.0.jar    │         │       │
│ │ └──────────────────────────┘         │       │
│ │                                      │       │
│ │ ┌──────────────────────────┐         │       │
│ │ │      sgx-1.0.0.jar       │         │       │
│ │ └──────────────────────────┘         │       │
│ │                                      │       │
│ └──────────────────────────────────────┘       │
│                                                │
│                    SGX Host                    │
└────────────────────────────────────────────────┘
```
The diagram above depicts the components used in the Intel SGX attestation sample app while running within a Docker container. The Intel SGX sample app can also be run directly on an Intel SGX host, provided that dependencies such as Intel SGX DCAP have been installed.
The SGX Attestation Sample App can be encapsulated in a container, enabling it to be executed in containerized environments.
Follow the steps below to install Docker and docker-compose, which are required to run the sample app inside Docker containers.
- Use Docker version 20.10.17 or later. Refer to the guide at https://docs.docker.com/engine/install/ubuntu/ for detailed instructions on Docker installation.
- Use docker-compose version 1.29.2 or later. Follow the steps outlined at https://docs.docker.com/compose/install/linux/#install-the-plugin-manually for installing docker-compose.
- Update `MAVEN_PROXY_HOST` and `MAVEN_PROXY_PORT` in `.env` if running behind a proxy.
- After Docker and docker-compose are installed, build the Docker image with the following command.

  ```sh
  docker-compose --env-file ../.env build
  ```

- After the image is built using the above `docker-compose build` command, the SGX Attestation Sample App can be run using the following commands.

  ```sh
  # Creating the sgx_token.env file
  cat <<EOF | tee sgx_token.env
  HTTPS_PROXY_HOST=<https-proxy-host>
  HTTPS_PROXY_PORT=<https-proxy-port>
  TRUSTAUTHORITY_BASE_URL="https://portal.trustauthority.intel.com"
  TRUSTAUTHORITY_API_URL="https://api.trustauthority.intel.com"
  TRUSTAUTHORITY_API_KEY=<trustauthority-attestation-api-key>
  TRUSTAUTHORITY_REQUEST_ID=<trustauthority-request-id>
  TRUSTAUTHORITY_POLICY_ID=<trustauthority-policy-id>
  TOKEN_SIGNING_ALG=<token-signing-alg>
  POLICY_MUST_MATCH=<true/false>
  RETRY_MAX=<max-number-of-retries>
  RETRY_WAIT_TIME=<max-retry-wait-time>
  LOG_LEVEL=<log-level>
  SGX_AESM_ADDR=1
  EOF

  # Use docker to run the Intel SGX sample app
  docker run \
    --rm \
    --network host \
    --device=/dev/sgx_enclave \
    --device=/dev/sgx_provision \
    --env-file sgx_token.env \
    -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
    -v /dev:/dev \
    --group-add $(getent group sgx_prv | cut -d: -f3) \
    trust-authority-java-client-sgx-sample-app:v1.0.0
  ```
Note
- The proxy setting values for `HTTPS_PROXY_HOST` and `HTTPS_PROXY_PORT` have to be set by the user based on the system proxy settings.
- The example above shows one possible proxy configuration; it varies from system to system.
When successful, the token and other information will be displayed.
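As an added example (not part of the Intel sample app or its repository), the POSIX shell preflight script below validates the `sgx_token.env` file written above (the same keys apply to the exported variables in the native run further down) and checks the host resources the `docker run` command mounts before the container is started. The env-file contents used to exercise it are constructed sample values.

```shell
#!/bin/sh
# Preflight checks for running the sample app; added example, not part of the
# Intel sample app. Validates the sgx_token.env written above and the host
# resources that the docker run command mounts.

# Returns 0 when every key listed is present and no "<placeholder>" value was
# left unreplaced; otherwise prints the offending keys and returns 1.
check_env_file() {
    file="$1"
    rc=0
    for key in TRUSTAUTHORITY_BASE_URL TRUSTAUTHORITY_API_URL TRUSTAUTHORITY_API_KEY \
               TRUSTAUTHORITY_POLICY_ID POLICY_MUST_MATCH SGX_AESM_ADDR; do
        # use the last assignment if the key appears more than once
        value=$(sed -n "s/^${key}=//p" "$file" | tail -n 1)
        if [ -z "$value" ]; then
            echo "missing: $key"; rc=1
        else
            case "$value" in
                "<"*">") echo "placeholder not replaced: $key"; rc=1 ;;
            esac
        fi
    done
    # POLICY_MUST_MATCH is documented as <true/false>; reject anything else up front.
    case "$(sed -n 's/^POLICY_MUST_MATCH=//p' "$file" | tail -n 1)" in
        true|false) ;;
        *) echo "POLICY_MUST_MATCH must be true or false"; rc=1 ;;
    esac
    return $rc
}

# Returns 0 when the SGX device nodes, the AESM socket and the sgx_prv group
# that the docker run command relies on all exist on this host.
check_host() {
    rc=0
    for dev in /dev/sgx_enclave /dev/sgx_provision; do
        [ -e "$dev" ] || { echo "missing device: $dev"; rc=1; }
    done
    [ -S /var/run/aesmd/aesm.socket ] || { echo "AESM socket missing; is aesmd running?"; rc=1; }
    # $(getent group sgx_prv | cut -d: -f3) expands to an empty string when the
    # group is absent, leaving --group-add to consume the next argument instead.
    [ -n "$(getent group sgx_prv | cut -d: -f3)" ] || { echo "group sgx_prv not found"; rc=1; }
    return $rc
}

# Usage on the SGX host before docker run:  preflight sgx_token.env
preflight() {
    check_env_file "${1:-sgx_token.env}" && check_host
}
```

Run `preflight sgx_token.env` on the SGX host; a non-zero exit with the printed keys tells you which placeholder or host dependency to fix before the container fails with a less direct error.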
- Compile the latest version of `connector` and `sgx` with the following command:

  ```sh
  cd ../../ && \
  mvn -X -e clean compile install package -DskipTests && \
  cd -
  ```

- Since the SGX attestation sample app requires an enclave to be initialized, run this step to generate a signed enclave.

  ```sh
  cd enclave/ && \
  make && \
  cd -
  ```

- Once the above step is complete and the `enclave.signed.so` file is generated, run the following command to compile the SGX Attestation Sample App.

  ```sh
  mvn compile
  ```

- These variables must be set in the environment.

  ```sh
  export HTTPS_PROXY_HOST=<HTTPS_PROXY_HOST>
  export HTTPS_PROXY_PORT=<HTTPS_PROXY_PORT>
  export TRUSTAUTHORITY_BASE_URL="https://portal.trustauthority.intel.com"
  export TRUSTAUTHORITY_API_URL="https://api.trustauthority.intel.com"
  export TRUSTAUTHORITY_API_KEY=<TRUSTAUTHORITY_API_KEY>
  export TRUSTAUTHORITY_REQUEST_ID=<TRUSTAUTHORITY_REQUEST_ID>
  export TRUSTAUTHORITY_POLICY_ID=<TRUSTAUTHORITY_POLICY_ID>
  export TOKEN_SIGNING_ALG=<TOKEN_SIGNING_ALG>
  export POLICY_MUST_MATCH=<true/false>
  export RETRY_MAX=<MAX_NUMBER_OF_RETRIES>
  export RETRY_WAIT_TIME=<MAX_RETRY_WAIT_TIME>
  export LOG_LEVEL=<LOG_LEVEL>
  export SGX_AESM_ADDR=1
  ```

- After setting the environment variables, run the sample app with the following command.

  ```sh
  mvn exec:java -Dexec.mainClass="com.intel.trustauthority.sgxsampleapp.SampleApp"
  ```
Note
- The proxy setting values for `HTTPS_PROXY_HOST` and `HTTPS_PROXY_PORT` have to be set by the user based on the system proxy settings.
- The example above shows one possible proxy configuration; it varies from system to system.