kata-containers/docs/use-cases/using-Intel-SGX-and-kata.md
Julio Montes e51a1ea346 docs: use-cases: Add Intel SGX use case
Document how to use Intel SGX with Kata.

fixes kata-containers/documentation#697

Signed-off-by: Julio Montes <julio.montes@intel.com>
2020-10-01 08:24:29 -05:00


Kata Containers with SGX

Intel® Software Guard Extensions (SGX) is a set of CPU instructions that lets an application place code and data in a hardware-protected enclave, giving them stronger protection from disclosure or modification, even by privileged software on the same host.

Note: At the time of writing, the SGX patches had not landed in the upstream Linux kernel, so specific host and guest kernels had to be built or installed to enable SGX. (The SGX driver was merged upstream in Linux 5.11 and KVM SGX virtualization in 5.13; upstream kernels expose the device nodes as /dev/sgx_enclave and /dev/sgx_provision rather than under /dev/sgx/, so the paths below apply to the kvm-sgx tree this page uses.)

Check if SGX is enabled

Run the following command to check if your host supports SGX.

$ grep -o sgx /proc/cpuinfo

If the output of the above command is empty, continue with the next section; otherwise skip ahead to Install Guest kernel with SGX support.

Install Host kernel with SGX support

The following commands were tested on Fedora 32; they might work on other distros too.

$ git clone --depth=1 https://github.com/intel/kvm-sgx
$ pushd kvm-sgx
$ cp /boot/config-$(uname -r) .config
$ yes "" | make oldconfig
$ # In the following step, enable: INTEL_SGX and INTEL_SGX_VIRTUALIZATION
$ make menuconfig
$ make -j$(($(nproc)-1)) bzImage
$ make -j$(($(nproc)-1)) modules
$ sudo make modules_install
$ sudo make install
$ popd
$ sudo reboot

Notes:

  • Run mokutil --sb-state to check whether Secure Boot is enabled; if it is, the custom kernel must be signed with a key the firmware trusts (or one enrolled through MOK), otherwise it will not boot.
  • A distro kernel update makes the packaged kernel the default boot entry again, so SGX support is lost after the next reboot unless you select (or rebuild and reinstall) the kvm-sgx kernel.

Once the system has rebooted into the brand-new kernel with SGX support, run the following command again to make sure SGX is enabled. If the output is empty, enter the BIOS setup and enable SGX manually (many platforms ship with it set to Disabled or Software Controlled).

$ grep -o sgx /proc/cpuinfo
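Both cpuinfo checks on this page match sgx as a substring (so sgx_lc also hits) and print one line per logical CPU. The script below is an added example, not part of the Kata Containers documentation: it tests for whole flag words, distinguishes SGX without Flexible Launch Control (the sgx_lc flag, which the in-kernel driver requires) from a usable platform, and checks whether the host driver exposed its enclave device node. The /dev/sgx directory is the layout of the kvm-sgx tree used on this page (upstream kernels use /dev/sgx_enclave), and the cpuinfo excerpts it runs against are constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example: whole-word SGX capability check for a host.
# Not part of the Kata Containers documentation.

# sgx_flags FILE: print the flags beginning with "sgx" from the first
# "flags" line of a /proc/cpuinfo-format file (all CPUs report the same set).
sgx_flags() {
    awk '/^flags/ { sep = ""; for (i = 1; i <= NF; i++) if ($i ~ /^sgx/) { printf "%s%s", sep, $i; sep = " " } print ""; exit }' "$1"
}

# has_flag FILE FLAG: succeed only if FLAG is present as a whole word,
# unlike "grep -o sgx", which also matches the prefix of sgx_lc.
has_flag() {
    case " $(sgx_flags "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# sgx_status FILE: classify the platform.
#   no-sgx      the CPU does not advertise SGX (or the BIOS has it disabled)
#   sgx-no-flc  SGX without Flexible Launch Control; the in-kernel driver
#               (kvm-sgx and upstream) only supports FLC platforms
#   sgx-flc     SGX with FLC, usable by the driver
sgx_status() {
    if ! has_flag "$1" sgx; then echo no-sgx
    elif ! has_flag "$1" sgx_lc; then echo sgx-no-flc
    else echo sgx-flc
    fi
}

# sgx_driver_ready DIR: succeed if the SGX driver created its enclave device
# node under DIR (/dev/sgx for the kvm-sgx tree this page uses).
sgx_driver_ready() {
    [ -c "$1/enclave" ]
}

# Constructed sample cpuinfo excerpts (not from real machines) so the checks
# can be exercised offline.
demo=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu sse2 sgx sgx_lc\n\nprocessor\t: 1\nflags\t\t: fpu sse2 sgx sgx_lc\n' > "$demo/flc"
printf 'processor\t: 0\nflags\t\t: fpu sse2 sgx\n' > "$demo/noflc"
printf 'processor\t: 0\nflags\t\t: fpu sse2\n' > "$demo/none"
for f in flc noflc none; do echo "sample $f: $(sgx_status "$demo/$f")"; done
rm -rf "$demo"

# Stand-alone use: check the real host, or the cpuinfo file given as $1.
cpuinfo=${1:-/proc/cpuinfo}
if [ -r "$cpuinfo" ]; then
    echo "host SGX flags: $(sgx_flags "$cpuinfo")"
    echo "host status: $(sgx_status "$cpuinfo")"
    if sgx_driver_ready /dev/sgx; then echo "driver: /dev/sgx/enclave present"
    else echo "driver: no /dev/sgx/enclave (kernel without SGX, or SGX disabled in BIOS)"; fi
fi
```

A host that reports sgx-flc but has no /dev/sgx/enclave after booting the kvm-sgx kernel usually means INTEL_SGX was not enabled in the kernel config or SGX is still disabled in the BIOS.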

Install Guest kernel with SGX support

Install the guest kernel in the Kata Containers directory so the runtime can boot it for Kata Containers. The archive is published from a personal GitHub account and the page gives no checksum or signature for it, so fetch it over a verified TLS connection (do not pass curl's -k) and list its contents with tar -tf before extracting it as root. The sed expression replaces the whole kernel line; replacing only the "kernel =" prefix would leave the old path behind on the same line and produce an invalid configuration.

$ curl -LO https://github.com/devimc/kvm-sgx/releases/download/v0.0.1/kata-virtiofs-sgx.tar.gz
$ tar -tf kata-virtiofs-sgx.tar.gz
$ sudo tar -xf kata-virtiofs-sgx.tar.gz -C /usr/share/kata-containers/
$ sudo sed -i 's|^kernel = .*|kernel = "/usr/share/kata-containers/vmlinux-virtiofs-sgx.container"|' \
  /usr/share/defaults/kata-containers/configuration.toml

Run Kata Containers with SGX enabled

Before running a Kata Container, make sure that your CRI runtime (CRI-O or containerd) forwards pod annotations to the Kata runtime. For containerd, check in /etc/containerd/config.toml that the pod_annotations list of the Kata runtime handler contains both "io.katacontainers.*" and "sgx.intel.com/epc"; without the second entry the EPC request in the manifest below never reaches the runtime.
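The two configuration edits above (the guest kernel path in Kata's configuration.toml and the containerd pod_annotations allow-list) as one added shell example, not code from the Kata Containers project: it replaces the whole "kernel = ..." line rather than only its prefix, refuses to point at a kernel file that does not exist, keeps a backup, and checks that a containerd runtime stanza forwards sgx.intel.com/epc. The stanza name plugins.cri.containerd.runtimes.kata and the sample config files it writes are assumptions constructed for the demonstration; on a real host pass the paths from this page instead.

```shell
#!/bin/sh
# Added example: configure Kata's guest kernel and verify the containerd
# annotation allow-list. Not part of the Kata Containers documentation.

# kata_kernel CONFIG: print the guest kernel path CONFIG currently selects.
kata_kernel() {
    sed -n 's/^kernel = "\(.*\)"$/\1/p' "$1"
}

# set_kata_kernel CONFIG KERNEL: point CONFIG's "kernel =" entry at KERNEL.
# Replaces the whole line, so the old path does not linger after the new one
# (which is what 's|kernel =|kernel = "..."|' leaves behind, producing an
# invalid config), and keeps CONFIG.bak. KERNEL must not contain '|' or '&'.
set_kata_kernel() {
    cfg=$1; kernel=$2
    [ -f "$kernel" ] || { echo "guest kernel not found: $kernel" >&2; return 1; }
    grep -q '^kernel = ' "$cfg" || { echo "no kernel entry in $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak" || return 1
    sed "s|^kernel = .*|kernel = \"$kernel\"|" "$cfg.bak" > "$cfg" || return 1
    # Verify the edit took effect before reporting success.
    [ "$(kata_kernel "$cfg")" = "$kernel" ]
}

# containerd_forwards_sgx CONFIG: succeed if a runtime handler's
# pod_annotations list in CONFIG includes the EPC annotation. This is a line
# match, not a TOML parse: it assumes the list is written on a single line.
containerd_forwards_sgx() {
    grep -Eq '^[[:space:]]*pod_annotations[[:space:]]*=.*"sgx\.intel\.com/epc"' "$1"
}

# Constructed sample files (not real Kata or containerd configs) for an
# offline run.
demo=$(mktemp -d)
: > "$demo/vmlinux-virtiofs-sgx.container"
printf '[hypervisor.qemu]\nkernel = "/usr/share/kata-containers/vmlinux.container"\nkernel_params = ""\n' \
    > "$demo/configuration.toml"
set_kata_kernel "$demo/configuration.toml" "$demo/vmlinux-virtiofs-sgx.container" \
    && echo "kernel now: $(kata_kernel "$demo/configuration.toml")"
# Assumed stanza name; check your containerd version's config layout.
printf '[plugins.cri.containerd.runtimes.kata]\n  runtime_type = "io.containerd.kata.v2"\n  pod_annotations = ["io.katacontainers.*", "sgx.intel.com/epc"]\n' \
    > "$demo/containerd.toml"
if containerd_forwards_sgx "$demo/containerd.toml"; then
    echo "containerd forwards sgx.intel.com/epc to the kata handler"
else
    echo "containerd does not forward sgx.intel.com/epc; the EPC annotation will be dropped"
fi
rm -rf "$demo"
```

On a real host, run set_kata_kernel against /usr/share/defaults/kata-containers/configuration.toml as root and containerd_forwards_sgx against /etc/containerd/config.toml, then restart containerd if the allow-list had to change.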

sgx.yaml

apiVersion: v1
kind: Pod
metadata:
  name: sgx
  annotations:
    sgx.intel.com/epc: "32Mi"
spec:
  terminationGracePeriodSeconds: 0
  runtimeClassName: kata
  containers:
  - name: c1
    image: busybox
    command:
        - sh
    stdin: true
    tty: true
    volumeMounts:
    - mountPath: /dev/sgx/
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /dev/sgx/
      type: Directory

$ kubectl apply -f sgx.yaml
$ kubectl exec -ti sgx -- ls /dev/sgx/
enclave    provision

The last command should list the enclave and provision device nodes. If it prints nothing, the guest is not running the SGX-enabled kernel or the host is not exposing SGX to the VM; recheck the host and guest kernel steps above and the annotation allow-list of your CRI runtime.