CapsuleManager is an Authorization Management Service, which is designed to manage metadata of user data and authorization information.
If you want to try CapsuleManager quickly, you can use the official Docker image directly.
At present, there are four official images: sim/sgx/tdx/csv, which correspond to Simulation mode, Intel SGX2 mode, Intel TDX mode, and Hygon Csv mode.
```bash
# pull docker image
docker pull secretflow/capsule-manager-sim-ubuntu22.04:latest
# enter docker container
docker run -it --name capsule-manager-sim --net host secretflow/capsule-manager-sim-ubuntu22.04:latest bash
# enable TLS(often skip in simulation mode)
# if you want to use the mTLS, you can refer to the mTLS part
# run service
./capsule_manager --tls_config.enable_tls false
```
Pull and run SGX docker image
# pull docker image
docker pull secretflow/capsule-manager-sgx-ubuntu22.04:latest
# enter docker image
docker run -it --name capsule-manager-sgx --net host \
-v /dev/sgx_enclave:/dev/sgx/enclave \
-v /dev/sgx_provision:/dev/sgx/provision \
--privileged=true \
secretflow/capsule-manager-sgx-ubuntu22.04:latest \
bash
Modify PCCS config
Set real pccs_url
and set use_secure_cert
to false in /etc/sgx_default_qcnl.conf.
Copy /etc/sgx_default_qcnl.conf to occlum instance image
cp /etc/sgx_default_qcnl.conf \
/home/teeapp/occlum/occlum_instance/image/etc/
First, you need to generate a pair of public and private keys for signing Occlum instances. If you do not have one, you can refer to the following command to generate:
openssl genrsa -3 -out private_key.pem 3072
openssl rsa -in private_key.pem -pubout -out public_key.pem
Build occlum with your private key:
occlum build -f --sign-key /path/to/private_key.pem
Run Capsule Manager
By default, --tls_config.enable_tls
is true. You can configure mTLS by referring to Mutual TLS:
occlum run /bin/capsule_manager --tls_config.enable_tls false
Pull and run TDX docker image
# pull docker image
docker pull secretflow/capsule-manager-tdx-ubuntu22.04:latest
# enter docker image
docker run -it --name capsule-manager-tdx --net host \
-v /dev/tdx_guest:/dev/tdx_guest \
--privileged=true \
secretflow/capsule-manager-tdx-ubuntu22.04:latest \
bash
Modify PCCS config
Set real pccs_url
and set use_secure_cert
to false in /etc/sgx_default_qcnl.conf.
Run Capsule Manager
By default, --tls_config.enable_tls
is true. You can configure mTLS by referring to Mutual TLS:
./capsule_manager --tls_config.enable_tls false
Pull and run CSV docker image
# pull docker image
docker pull secretflow/capsule-manager-csv-ubuntu22.04:latest
# enter docker image
docker run -it --name capsule-manager-csv --net host \
-v /dev/csv-guest:/dev/csv-guest \
--privileged=true \
secretflow/capsule-manager-csv-ubuntu22.04:latest \
bash
Run Capsule Manager
By default, tls_config.enable_tls
is true. You can configure mTLS by referring to Mutual TLS:
./capsule_manager --tls_config.enable_tls false
you must generate certificate if you want to use mTLS feature of CapsuleManager
If you want to build from source code, you can refer to the following, which should be noted that the build process does not need to be hardware dependent, but the run process does need to be hardware dependent. So if you need to run the program after build, and you need to mount the device when creating the container, executing the following script will automatically detect the current machine device and mount the device into the container:
# create docker container
./env.sh
# enter docker container
./env.sh enter
Remote Attestation is not enabled for this mode
./script/build -p sim
./target/release/capsule_manager --tls_config.enable_tls false
./script/build -p sgx
Build
./script/build -p tdx
Modify PCCS config
Set real pccs_url
and set use_secure_cert
to false in /etc/sgx_default_qcnl.conf.
Run
./target/release/capsule_manager --tls_config.enable_tls false
Build
./script/build -p csv
Run
./target/release/capsule_manager --tls_config.enable_tls false
Please check CONTRIBUTING.md
This project is licensed under the Apache License