Launch the service on Bare Metal
This document describes the steps required to host a Silent Network node on bare-metal hardware. The intended audience is DevOps or software engineers, preferably with basic knowledge of Docker and the shell.
The hardware needs to meet several criteria. We provide the Operator software in the form of a simple Docker image.
The current software is meant for the TESTNET launch; the MAINNET-ready software will be announced soon. Also note that there is no way to migrate data from TESTNET to MAINNET.
Prerequisites
The CPU must support Intel SGX (Software Guard Extensions)
Example CPU: Intel(R) Xeon(R) Gold 5412U
The whole platform must be up to date. Use the most recent CPU models and update to the newest BIOS and other firmware; otherwise the software will not launch. See Platform provisioning for more information.
The host operating system: Ubuntu 22.04 (Jammy)
Intel libraries in use are officially supported on Ubuntu: https://download.01.org/intel-sgx/sgx_repo/ubuntu/dists/
Please check the SGX features your CPU has. The simplest way is to use sgx-detect.
Example output:
β ~ sudo ./sgx-detect
Detecting SGX, this may take a minute...
β SGX instruction set
β CPU support
β CPU configuration
β Enclave attributes
β Enclave Page Cache
SGX features
β SGX2 β EXINFO β ENCLV β OVERSUB β KSS
Total EPC size: 92.2MiB
β Flexible launch control
β CPU support
β CPU configuration
β Able to launch production mode enclave
β SGX system software
β SGX kernel device (/dev/sgx_enclave)
β libsgx_enclave_common
β AESM service
β Able to launch enclaves
β Debug mode
β Production mode
β Production mode (Intel whitelisted)
You're all set to start running SGX programs!
It's important to have all green ticks in SGX instruction set, Flexible launch control, and SGX system software. From SGX features, the important ones are SGX2 and EXINFO.
The operator software needs to be tied to that particular CPU die. Once you run it on a machine, it must always run on that same machine thereafter. Restarting the container on another SGX-enabled CPU will cause the generation of different MRSIGNER and MRENCLAVE keys, resulting in different encryption keys. The enclave will then be unable to unseal the state that was stored while using the previous CPU, making the software inoperable.
The host machine needs to have a container runtime installed, such as Docker.
The software uses a disk as a persistent storage. The minimum size required is 64 GB. The storage should be exclusive to this software. No other service should use it. The storage should be persistent, i.e., data should stay after the power cycle.
The storage should be periodically backed up, so that it is possible to roll back to the last valid state in case of a database write failure, disk write failure, or an unexpected software bug.
Minimal RAM is 16GB
You need to provide a static IP, or a URL that points to the Operator software.
The running service requires a high bandwidth of the external network interface.
The system date and time must be valid, synchronized by NTP (Ubuntu by default has it enabled)
Platform provisioning
The Operator software does remote attestation when the Aggregator service connects to it. The attestation procedure involves external infrastructure (including Intel's web services). The platform on which the Operator service will be run must first be correctly configured.
Those interested in more details can refer to Intel's official documentation. Reading it is not required to complete the setup process.
Install PCK ID Retrieval tool and others
Add Debian repo (command for Ubuntu Jammy):
Install required packages:
Make changes in /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf
Change the PCCS_URL to match our caching service:
Set USE_SECURE_CERT to true:
Uncomment user_token and set it to given value:
Provision this host
Run the command to provision the host. It fills the PCCS cache database and needs to be done only once.
The valid output of this command looks like this:
This command will create pckid_retrieval.csv; please do not remove it.
Set aesmd config
Edit /etc/aesmd.conf. Uncomment and set the default quote type:
Set QCNL config
The QCNL config is a JSON-like file describing the network configuration used during attestation. In particular, it contains the URL of the PCCS service and other parameters.
Download this file:
And put it under /etc/sgx_default_qcnl.conf
Do not change this file in any way! Make sure its sha256 sum is:
1ad7f16fd1335229a81ed98a84b24e80df46614c95a2431b949c94a94d037b96
Restart the aesmd service:
Check if platform is free from known hardware vulnerabilities
Put the get_tcb_info.py script on the SGX machine next to pckid_retrieval.csv (the file generated by PCKIDRetrievalTool in the Platform provisioning section) and execute it.
The script will output JSON to the console. Check whether the tcbStatus property is set to UpToDate anywhere in that JSON. Example:
If the JSON does not contain the UpToDate value, it means the HW contains unfixable bugs. The current hardware cannot be used to run the software. Please use other hardware.
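One way to perform the tcbStatus check without reading the JSON by eye, as an added example (not part of the original page or of get_tcb_info.py): it walks whatever structure the script prints and reports every tcbStatus property it finds. The sample documents, every field name other than tcbStatus, and the check_tcb.py file name are constructed for illustration.

```python
import json
import sys

def find_tcb_statuses(node, path="$"):
    """Yield (json_path, value) for every tcbStatus property at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "tcbStatus":
                yield child, value
            else:
                yield from find_tcb_statuses(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_tcb_statuses(item, f"{path}[{index}]")

def platform_is_up_to_date(report_text):
    """Return (ok, statuses); ok is True when any tcbStatus is exactly UpToDate."""
    statuses = list(find_tcb_statuses(json.loads(report_text)))
    return any(value == "UpToDate" for _, value in statuses), statuses

# Constructed samples, not real get_tcb_info.py output. Only the tcbStatus
# property name and the UpToDate value come from the page.
SAMPLE_OK = '{"platform": {"levels": [{"tcbStatus": "OutOfDate"}, {"tcbStatus": "UpToDate"}]}}'
# A plain text search for "UpToDate" would wrongly accept this one.
SAMPLE_BAD = '{"platform": {"levels": [{"tcbStatus": "OutOfDate"}], "note": "UpToDate"}}'

if __name__ == "__main__":
    # Save the script's console output to a file, then (hypothetical name):
    #   python3 check_tcb.py tcb.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    ok, statuses = platform_is_up_to_date(text)
    for json_path, value in statuses:
        print(f"{json_path}: {value}")
    print("PASS: UpToDate found" if ok else "FAIL: no tcbStatus is UpToDate")
    sys.exit(0 if ok else 1)
```

The exit status is non-zero when no tcbStatus equals UpToDate, so the check can gate a provisioning script.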
Run the service
There are several services to run: sgx-secret-vault, operator-sgx, and postgres.
We provide a sample docker-compose file to launch them together.
Download the operator directory on your SGX-enabled machine:
Extract the operator directory:
The structure of the directory is as follows:
Set up environment variables that are required to run the container
The file silent-network-operator.env contains the environment variables used to configure the services when launching the compose. Most of them are predefined; please set ORIG_ID to the name of your organization, which will be used, for example, in Grafana dashboards.
For security reasons, change DB_PASS from the default operator_password.
Apply that change in the config/init-user-db.sql file as well.
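A pre-launch check covering both the "do not change this file" rule for /etc/sgx_default_qcnl.conf and the DB_PASS change above, as an added example that is not part of the operator package. It assumes the env file uses KEY=VALUE lines, that the password appears literally in config/init-user-db.sql, and that both files sit at these paths relative to the operator directory.

```python
import hashlib
import sys
from pathlib import Path

# Both values are quoted from this page.
QCNL_SHA256 = "1ad7f16fd1335229a81ed98a84b24e80df46614c95a2431b949c94a94d037b96"
DEFAULT_DB_PASS = "operator_password"

def sha256_of(path):
    """Hash a file in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def read_env(path):
    """Parse KEY=VALUE lines (assumed syntax), skipping blanks and # comments."""
    env = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(qcnl_path, env_path, sql_path, expected_sha256=QCNL_SHA256):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if sha256_of(qcnl_path) != expected_sha256:
        findings.append(f"{qcnl_path}: sha256 differs from the published value")
    db_pass = read_env(env_path).get("DB_PASS", "")
    if not db_pass or db_pass == DEFAULT_DB_PASS:
        findings.append(f"{env_path}: DB_PASS is unset or still the default")
    sql = Path(sql_path).read_text()
    if DEFAULT_DB_PASS in sql:
        findings.append(f"{sql_path}: still contains the default password")
    elif db_pass and db_pass not in sql:
        # Assumes the password appears literally in the SQL file.
        findings.append(f"{sql_path}: does not contain the DB_PASS value")
    return findings

if __name__ == "__main__":
    # Run from the operator directory, after the platform provisioning steps.
    problems = audit("/etc/sgx_default_qcnl.conf",
                     "silent-network-operator.env", "config/init-user-db.sql")
    print("\n".join(problems) if problems else "all checks passed")
    sys.exit(1 if problems else 0)
```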
Run docker containers
Once you have all envs set up, run the containers:
Pass us your GitHub username to grant access to the container registry
Create a GitHub Personal Access Token (with the read:packages scope) and log Docker in to the registry
From the operator directory run the compose:
The startup can take a while. Eventually, the logs from the service should appear:
You should be able to reach the service by calling a simple command:
It should respond with details of running software.
If you want to shut down the services, use the following command:
The storage
Once you launch the services, they will keep the state on the storage, in the db and sgx-secret-vault directories.
The content of the db and sgx-secret-vault directories should be periodically backed up, so that it is possible to recover to a previous state in case of a database write failure, hardware failure or software bug.
Wrapping up
Make the service externally available. Provide us with:
The IP address, or URL, together with the port by which the service is accessible
Response from this command (insecure because certificates are self-signed):
The city where the hosted HW is running
Troubleshooting
Quote verify failed func_verify_quote_result: "0xE019"
If you receive the error message during startup:
This might happen if:
The PCCS service is down. Check its accessibility with a simple curl command:
It should return JSON response with HTTP status 200. If it doesn't, please reach out to the Silence Laboratories team.
The configuration files are invalid:
Make sure the files are mounted to the container:
Make sure they have the expected sha2 sums mentioned earlier.
Startup of the container with an error AESM service returned error 30;
The error:
Make sure all packages mentioned in Platform provisioning were installed correctly
For further debugging, call
PCKIDRetrievalTool error
The output of the PCKID tool:
Our PCCS server reports:
This means the CPU is not registered; the registration service needs to be installed:
Then call the PCKID tool again.
For further debugging, read the logs from /var/log/mpa_registration.log
Other issues
In case of any problems with the service, please provide us with the logs from the container: docker logs operator