Minimum Requirements

• 32GB RAM (use 20GB+ swap)

• 512GB SDD

• Ubuntu 22.04 LTS

• CPU compilant with SGX (see Hardware Compliance)

• Motherboard with support for SGX in the BIOS (see Hardware Compliance)

Recommended Requirements

• 64GB RAM

• 1TB NVMe SSD

• Ubuntu 22.04 LTS

• CPU compilant with SGX (see Hardware Compliance)

• Motherboard with support for SGX in the BIOS (see Hardware Compliance)

This is not a comprehensive list of compliant hardware, but rather a guide for what has been verified to work. is often show as SGX compliant, but it does not discriminate against whether SGX is supported via SPS or Intel ME. Only SGX via SPS is supported.

Supported CPUs

The following are confirmed compliant Intel CPUs:

Supported Motherboards

The distinguishing factor of these motherboards is that they support Intel SGX.

Website:

Things to note before setting up on Nforce.

1. Only certain chasis and CPU configuration have SGX enabled.

2. You need to manually communicate with Nforce to give you the right configuration so that SGX works on the BIOS.

Installation Step By Step

1. Getting the Right Configuration

For the purpose of this Guide i selected the HP DL20 G10 Chasis. For the CPU i slected the Intel E2174G (3.8-4.7 Ghz, 4C/8T)

With 32 GB ram, Ubuntu OS 20.04, and 512 GB SSD.

2. Wait for the configuration to be delivered to you.

This takes about 1 day, you may need to make sure they have the servers, if they do not make sure you request only the same configuration or the SGX wont be enabled.

3. Login into their

The SSC portal is only enabled once you finish the payment. Go to your dedicated servers and select the image. Go to remote management and create a session to log into the BIOS via IPMI. You'll need to make sure Hyper Threading is disabled.

4. Install SGX utilities from the Secret Network Documentation

Login with your credentials and proceed with .

Website: phoenixNAP

1. Rent a VPS from them with any of the hardware that shows as working on the Hardware Compliance list.

2. Ensure that Hyperthreading & overclocking/undervolting are disabled in the bios.

3. Install SGX.

4. Continue with the node setup guide starting here.

Alternatively, Eddie from FreshSCRTs is helping users expedite the delivery of their VPS as well as giving some upgrades from phoenixnap. You can pursue that by doing the following.

1. Signup for phoenixnap using this link.

2. Message Eddie your order number on telegram.

Nodes on Secret Network are required to be fully patched, and compliant with network requirements. While this requirement makes running a node and maintaining it harder, it is a necessary tradeoff that needs to be done if the network is to remain open and permissionless.

Part of the registration process on the network will validate the patch level of your platform (Motherboard + CPU). This requires your to have the necessary updates that mitigate known vulnerabilities that might lead to compromise of data protected by SGX.

Let's start with the different components that need to be updated -

• Processor microcode (ucode) - Microcode is a type of low-level computer programming that is used to control the operations of a microprocessor. It is typically stored in the microprocessor itself or in a read-only memory (ROM) chip that is connected to the microprocessor. Microcode is used to define the basic set of instructions that a microprocessor can execute, as well as the operations that it can perform on data. It is usually written in a specialized microcode programming language, and it forms the lowest level of a computer's instruction set architecture.

• SGX Platform Software (PSW) - This software package provides a set of tools and libraries to make use of the Intel SGX instruction set

Updating The PSW

The PSW packages can be updated using your standard operating system install methods. For example, in Linux do this:

# Add Intels's SGX PPA
echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu $DISTRO main" |
   sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key |
   sudo apt-key add -
sudo apt update

sudo apt install -y libsgx-enclave-common libsgx-aesm-launch-plugin libsgx-aesm-quote-ex-plugin libsgx-urts sgx-aesm-service libsgx-uae-service

Updating the Microcode

Get your microcode file name

While there are a few ways to update the processor microcode, it is important to note that for SGX, the updated microcode must be loaded through the BIOS. That means that upgrading the microcode using early load or late load (installing through the operating system) will not affect the SGX patch level of the platform.

To find out whether the microcode needs to be updated and find the latest version, we must first get the family, model, and stepping of our processor.

To find the stepping, model, and family of your processor, you can use the lscpu command. This command displays detailed information about the CPU architecture.

1. Open a terminal window on your system and type the following command:

lscpu

2. The output of this command will include the stepping, model, and family of your processor, as well as other information about the CPU architecture.

Here is an example of the output you might see:

Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 85
Model name:            Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
Stepping:              3

In this example, the family, model and stepping of the processor are 6, 85, and 3, respectively.

Next, we take these values and translate them to hex and structure them as follows: <family>-<model>-<stepping>. In this example we get: 06-55-03. This is our microcode file name for our processor.

Find the correct microcode version for your processor

After we have our microcode file name, we use it to find the latest version of our microcode, which is available here: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md. Continuing the previous example, the latest version of microcode for 06-55-03 is 0x0100015e

Check your installed microcode version

Now that we know what our microcode should be, we can compare it to our current microcode. Get your current version with:

cat /proc/cpuinfo | grep microcode or dmesg | grep microcode

Get a BIOS that contains the updated Microcode

If your version does not match the latest one, you will need to update your BIOS. To do that, contact your motherboard vendor, or your cloud service provider and download or request the BIOS version that contains the latest microcode for your CPU.

SGX Compliance for VPS options and the Secret Network

This is intended to guide you in selecting SGX-compliant VPS options for the Secret Network.

All cost estimates are based on the following recommendations:

• Processor: E-series rather than E3 (due to age)

• SSD: 512GB+

• RAM: 64GB+

In this section we quickly explain what the verification process for your hardware entails and how it works. Instructions for verification are included in the setup guides!

Terms used:

Attestation Certificate

This is a self-signed X.509 certificate that contains a signed report by Intel, and the SGX enclave. The report contains both a report that the enclave is genuine, a code hash, and a signature of the creator of the enclave.

Seed

this is a parameter that is shared between all enclaves on the network in order to guarantee deterministic calculations. When a node authenticates successfully, the network encrypts the seed and shares it with the node. Protocol internals are described

Background

This section will explain node registration in the Secret Network. If you just care about installation you can just follow the setup guides and ignore this document. If, however, you want to learn more about what's going on behind the scenes here read on.

In order to verify that each node on the Secret Network is running a valid SGX node, we use a process that we call registration. Essentially, it is the process of authenticating with the network.

The process is unique and bound to the node CPU. It needs to be performed for each node, and you cannot migrate registration parameters between nodes. The process essentially creates a binding between the processor and the blockchain node, so that they can work together.

For this reason, the setup will be slightly more complex than what you might be familiar with from other blockchains in the Cosmos ecosystem.

The registration process is made up of three main steps:

1. Enclave verification with Intel Attestation Service - this step creates an attestation certificate that we will use to validate the node

2. On-chain network verification - Broadcast of the attestation certificate to the network. The network will verify that the certificate is signed by Intel, and that the enclave code running is identical to what is currently running on the network. This means that running an enclave that is differs by 1 byte will be impossible.

3. Querying the network for the encrypted seed and starting the node

At the end of this process (if it is successful) the network will output an encrypted seed (unique to this node), which is required for our node to start. After decryption inside the enclave, the result is a seed that is known to all enclaves on the network, and is the source of determinism between all network nodes.

After Initializing the enclave like so:

(or SCRT_ENCLAVE_DIR=/usr/lib secretd init-enclave | grep -Po 'isvEnclaveQuoteStatus":".+?"')

An outtput like this should be generated:

(or isvEnclaveQuoteStatus":"SW_HARDENING_NEEDED")

Where the important fields are isvEnclaveQuoteStatus and advisoryIDs. This is are fields that mark the trust level of our platform. The acceptable values for the isvEnclaveQuoteStatus field are:

• OK

• SW_HARDENING_NEEDED

With the following value accepted for testnet only:

• GROUP_OUT_OF_DATE

For the status CONFIGURATION_AND_SW_HARDENING_NEEDED we perform a deeper inspection of the exact vulnerabilities that remain. The acceptable values for mainnet are:

• "INTEL-SA-00334"

• "INTEL-SA-00219"

Consult with the for more on these values.

If you do not see such an output, look for a file called attestation_cert.der which should have been created in your $HOME directory. You can then use the command secretd parse <path/to/attestation_cert.der> to check the result a successful result should be a 64 byte hex string (e.g. 0x9efe0dc689447514d6514c05d1161cea15c461c62e6d72a2efabcc6b85ed953b.

What to do if this didn't work?

1. Running secretd init-enclave should have created a file called attestation_cert.der. This file contains the attestation report from above.

2. Contact us on the proper channels on scrt.network/discord

3. The details we will need to investigate will include:

   • Hardware specs

   • SGX PSW/driver versions

   • BIOS versions

   • The file attestation_cert.der

Troubleshooting

Output is:

Make sure you have the environment variable SCRT_ENCLAVE_DIR=/usr/lib set before you run secretd.

Output is:

Make sure the directory ~/.sgx_secrets/ is created. If that still doesn't work, try to create /root/.sgx_secrets

Output is:

Make sure the aesmd-service is running systemctl status aesmd.service

Output is:

Please disable hyperthreading and overclocking/undervolting (Turboboost) in your BIOS.

I'm seeing CONFIGURATION_AND_SW_HARDENING_NEEDED in the isvEnclaveQuoteStatus field, but with more advisories than what is allowed

This could mean a number of different things related to the configuration of the machine. Most common are:

• ["INTEL-SA-00161", "INTEL-SA-00233"] - Hyper-threading must be disabled in the BIOS

• ["INTEL-SA-00289"] - Overclocking/undervolting must be disabled by the BIOS (sometimes known as Turboboost)

• ["INTEL-SA-00219"] - Integrated graphics should be disabled in the BIOS - we recommend performing this step if you can, though it isn't required

If you are still having trouble getting rid of INTEL-SA-00219 and INTEL-SA-00289, here are some possible settings to look for outside of the CPU settings:

• Primary Display = 'PCI Express'

• IGPU Multi-Monitor = Disabled

• Onboard VGA = Disabled

I'm seeing SGX_ERROR_DEVICE_BUSY

Most likely you tried reinstalling the driver and rerunning the enclave - restarting should solve the problem

Website:

Leaseweb has been tested and confirmed working by the Secret Network community.

1. Rent a with any of the hardware that shows as working on the

2. Ensure that Hyperthreading/Logical Processors & overclocking/undervolting are disabled in the bios.

3. I

4. Continue with the node setup guide

Websites: or

Selecting a Server

The following are examples of servers:

• Example in the US:

• Global example:

Enabling SGX

1. Navigate to the server's management page

2. Under General Information, ensure SGX is enabled

3. Navigate to the IPMI tab. This will be used to disable overclocking and other necessary settings.

4. Enable Remote KVM

5. Create a DEL hotkey

6. Reset the server, and continue executing the DEL hotkey until you enter the BIOS.

7. Disable Intel Speedstep Technology

8. Under Chipset Configuration:

9. Save and Exit the bios

10. Reset the server again

Website: Microsoft Azure

When renting a compliant bare metal machine from a VPS provider, ensure you do not accept any chassis or CPU substitutes they propose, unless those substitutes are on the Hardware Compliance list.

Microsoft Azure is tested and confirmed working by the Secret Network Community.

To setup a node on Microsoft Azure do the following.

1. Visit the Azure Confidential Compute page here and click "Get Started"

2. Click "Get it now" on the following page and signup for a Microsoft Azure Account.

3. While provisioning your VPS be sure to have at least 500GB of premium SSD storage available.

4. After your confidential compute VM is deployed, continue with the node setup guide starting here.

Website: psychz

Things to note before setting up on Psychz:

1. Only certain CPU's are available with setup

2. You need to manually Open the BIOS and select the configuration.

Installation Step By Step

1. Getting the Right Configuration

Ensure your hardware meets the Hardware Compliance requirements.

2. Wait for the configuration to be delivered to you.

This takes about 1 day, you may need to make sure they have the servers, if they do not make sure you request only the same configuration or the SGX wont be enabled.

Make sure you request them to install the Latest BIOS for the SGX to work

3. Login into their Portal

The Dashboard portal is only enabled once you signup. Go to your device section. Go to IPMI (remote management) and create a session to log into the BIOS, I used the Java to download and connect to the BIOS over the port. You need to make sure Hyper Threading is disabled in the BIOS so that you can get an ok platform message.

4. Install SGX utilities from the Secret Network Documentation

Login with your credentials and proceed with SGX installation.

Website: Vultr

1. Go to their dedicated hosts/ Bare Metal services section and rent a Intel E-2286G Processor (6 cores / 12 threads @ 4.0 GHz)

2. Using the Boot Connection log into the BIOS and Ensure that Hyperthreading & overclocking/undervolting are disabled in the bios.

3. Install SGX.

4. Continue with the node setup guide starting here.