Public Dev: Build CovaClave inside a graphene and SGX layer

Building CovaClave Locally (SGX and Graphene)

Building CovaClave (the COVA Enclave) is an involved process because of its complex hardware and software dependencies. In the future we will publish the whole recipe as a Dockerfile pipeline to simplify it.

Requirements and Installation Workflow

  1. You must have a computer with a 7th+ generation Intel CPU with SGX support. A community-maintained list of supported hardware is kept here: SGX-hardware
  2. Enable SGX in your BIOS
  3. Install Ubuntu 16.04.4 LTS with kernel 4.13.0-45 (or above) (IMPORTANT: make sure you have the right kernel, as any version below 4.13.0-36 is prone to Meltdown & Spectre)
  4. Check the kernel version in a terminal with uname -r (it should show 4.13.0-45 or above)
  5. Clone the SGX-hardware repo and compile the following test to confirm your hardware supports SGX
# cd /path/to/SGX-hardware
$ gcc test-sgx.c -o test-sgx
$ ./test-sgx

Pre-requisite Setups

  1. Build and install the Linux SGX driver: make sure to install it in /opt/intel and to source the environment variable
  2. Clone Graphene and build its driver first

Makefile and Docker Solution

Alternatively, to make your life easier, you can use our Makefile and run:

# runs build_sgx build_gsgx cova_graphenyx_docker run_cova_graphenyx_docker
make all

To make running CovaClave and CovaCore as easy as possible, we have created a Dockerfile that runs with the setup described above. As you can see, the docker run command is

docker run --privileged --device /dev/isgx --device /dev/mei0 --device /dev/gsgx -d cova-graphenyx

so please make sure that the /dev/isgx, /dev/gsgx and /dev/mei0 device nodes exist after the build_sgx and build_gsgx targets have run.
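A pre-flight script that checks the two host requirements stated above, the minimum kernel release from the Requirements list and the three device nodes the docker run command passes through, before starting the container. This is an added example, not a script from the CovaClave repository; the MIN_KERNEL value and the device paths are taken from this page, and the --run flag is an assumed convenience. Note that --device alone hands the device nodes to the container; --privileged, which the repo's own command also uses, additionally switches off most of Docker's isolation, so the device check only confirms the nodes are present and says nothing about the container's privilege level.

```shell
#!/bin/sh
# Pre-flight checks for a CovaClave host: kernel release and SGX/Graphene
# device nodes. Added example; not part of the CovaClave repository.

MIN_KERNEL="4.13.0-45"   # minimum kernel this README asks for

# kernel_at_least HAVE NEED: succeed when kernel release HAVE (e.g. the output
# of uname -r, "4.13.0-45-generic") is at least NEED ("4.13.0-45").
# Compares the first four numeric fields, split on '.' and '-'.
kernel_at_least() {
  awk -v have="$1" -v need="$2" 'BEGIN {
    split(have, a, /[.-]/); split(need, b, /[.-]/)
    for (i = 1; i <= 4; i++) {
      x = a[i] + 0; y = b[i] + 0   # a missing field counts as 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# check_devices PATH...: print a line per path, succeed only if all exist.
check_devices() {
  missing=0
  for dev in "$@"; do
    if [ -e "$dev" ]; then
      printf 'ok       %s\n' "$dev"
    else
      printf 'MISSING  %s\n' "$dev"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# preflight: run both checks against the live host, stopping at the first failure.
preflight() {
  have=$(uname -r)
  if ! kernel_at_least "$have" "$MIN_KERNEL"; then
    echo "kernel $have is older than $MIN_KERNEL; upgrade before enabling SGX" >&2
    return 1
  fi
  check_devices /dev/isgx /dev/gsgx /dev/mei0
}

# Start the container (the README's own docker run line) only once preflight passes.
# The --run flag is an assumption of this example.
if [ "${1-}" = "--run" ] && preflight; then
  docker run --privileged --device /dev/isgx --device /dev/mei0 --device /dev/gsgx -d cova-graphenyx
fi
```

Run it without arguments to see the report only, or with --run to start cova-graphenyx when every check passes; a kernel such as 4.13.0-36-generic or a missing /dev/gsgx makes it stop before docker is invoked.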

(Not Recommended) Install without Docker

  1. Build and install the Linux SGX SDK and PSW from source

  2. Test the SGX SDK setup:

# cd /path/to/linux-sgx
$ cd SampleCode/LocalAttestation
$ make clean
$ make
$ ./app
  3. Build and install Graphene from source with SGX support (i.e. make SGX=1)
  4. IMPORTANT: export the Graphene path as an environment variable by running the following from the Graphene home directory
# cd /path/to/graphene
$ echo "export GRAPHENE_PATH=\"$(pwd)\"" >> ~/.bashrc
$ source ~/.bashrc
  5. Test the Graphene installation with SGX support
$ cd $GRAPHENE_PATH/LibOS/shim/test/apps/python
$ make clean
$ make SGX=1 # build and sign the trusted files and the enclave
$ make SGX_RUN=1 # create the runtime
$ ./python.manifest.sgx scripts/ # prints Hello World

Current CovaClave Setup

While a community-maintained list of supported hardware is available at SGX-hardware, in practice finding a platform that runs SGX (and, more importantly, Graphene-SGX) smoothly can be challenging. For reference:

  1. We have several game servers with an Intel 8th Generation i7-8700, 64GB RAM and a 2TB SSD to run clusters of routing and compute nodes.
  2. We run our staging server on the following hardware: Intel 8th Generation i7-8700 and 16GB RAM.
  3. Our local dev setups are various 8th generation Intel i5 and i7 laptops (we have had more luck with Dell BIOS setups than with other brands).

Installing CovaClave inside Graphene-SGX OS Layer

Assuming the process above ran smoothly and your tests ran without any issues, you are ready to install CovaClave. You only need to clone this repo and run:

# cd to GRAPHENE_PATH inside the Docker container
cd $GRAPHENE_PATH/LibOS/shim/test/apps/python
git clone

# copy your credentials into $PWD/core/configs

# create a proper manifest file using the template provided here
make clean && make SGX=1 && make SGX_RUN=1

# Finally, run the covacore server
./python.manifest.sgx cova-core/core/