Install SGX
Got problems with using SGX and DCAP attestation in your system? Please ask in the Telegram or Discord for help. For Validators, you can also ask in the SN Validators chat.
Ensure your hardware is Hardware Compliance.
If you're running a local machine and not a cloud-based VM -
Update your BIOS to the latest available version
Go to your BIOS menu
Enable SGX (Set to "YES", it's not enough to set it to "software controlled")
Disable Secure Boot
Disable Hyperthreading
Please use Ubuntu 22.04 LTS If you install SGX on a fresh node to ensure that DCAP will work correctly. Ubuntu 20.04 LTS is not supported by default anymore.
Check latest SGX DCAP driver
Make sure the SGX driver is installed. The following devices should appear:
If your kernel version if 5.11
or higher, then you probably already have the SGX driver installed. Otherwise - please update the kernel version to 5.11
or higher to ensure that these two devices appear.
Also make sure that the user under which the node is supposed to run has privileges to access SGX:
The sgx_prv
should appear.
If it does not - Logout and re-login may be needed, for the change to take effect.
Install the DCAP runtime and AESM service
First, you need to add the Intel repository to APT and install the necessary SGX libraries:
If your system has 5th Gen Intel® Xeon® Scalable Processor(s)
For the DCAP attestation to work, you'll need to register your platform with Intel. This is achieved by the following:
You can check the file /var/log/mpa_registration.log
, to see if the platform is registered successfully.
Configure Quote Provider
The Quote Provider library is needed to provide the data for DCAP attestation.The configuration file for it should can be found here:
/etc/sgx_default_qcnl.conf
Running a baremetal/physical machine
The simplest would be to use the PCCS run by SCRTLabs. Modify the following parameters in the file:
You can set those parameters by the following command:
Running on Cloud VPS providers
For cloud VPS providers, the cloud service providers may provide their own PCCS. Please see their documentation for more infomation.
Note: You'll need to restart the AESMD service each time the configuration is changed
Next, restart your aesmd service for the changes to take effect.
Use check-hw to test the DCAP attestation
Download and run the check-hw tool (included in the Release package). You should see the following:
That would mean all the above steps are ok, and you're good to go.
In case you see some error messages, but at the end the following:
That would mean there's a problem with DCAP attestation.
However the EPID attestation still works. Although you may technically run the node, it's strongly recommended to fix this. The EPID will be phased-out by Intel on April 2025.
To get a more detailed error info, run check-hw --testnet
Last updated