Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
$ sudo service aesmd status
● aesmd.service - Intel(R) Architectural Enclave Service Manager
Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-08-31 22:23:29 +08; 26min ago
Main PID: 321422 (aesm_service)
Tasks: 4 (limit: 629145)
Memory: 5.0M
CPU: 958ms
CGroup: /system.slice/aesmd.service
└─321422 /opt/intel/sgx-aesm-service/aesm/aesm_service
Ogos 31 22:23:28 p12sl01igoh groupadd[321085]: group added to /etc/group: name=sgx_prv, GID=1002
Ogos 31 22:23:28 p12sl01igoh groupadd[321085]: group added to /etc/gshadow: name=sgx_prv
Ogos 31 22:23:28 p12sl01igoh groupadd[321085]: new group: name=sgx_prv, GID=1002
Ogos 31 22:23:29 p12sl01igoh usermod[321337]: add 'aesmd' to group 'sgx_prv'
Ogos 31 22:23:29 p12sl01igoh usermod[321337]: add 'aesmd' to shadow group 'sgx_prv'
Ogos 31 22:23:29 p12sl01igoh usermod[321346]: add 'aesmd' to group 'sgx'
Ogos 31 22:23:29 p12sl01igoh usermod[321346]: add 'aesmd' to shadow group 'sgx'
Ogos 31 22:23:29 p12sl01igoh aesm_service[321398]: aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Ogos 31 22:23:29 p12sl01igoh systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Ogos 31 22:23:29 p12sl01igoh aesm_service[321422]: The server sock is 0x560ede43d300
$ is-sgx-available
SGX supported by CPU: true
SGX1 (ECREATE, EENTER, ...): true
SGX2 (EAUG, EACCEPT, EMODPR, ...): true
Flexible Launch Control (IA32_SGXPUBKEYHASH{0..3} MSRs): true
SGX extensions for virtualizers (EINCVIRTCHILD, EDECVIRTCHILD, ESETCONTEXT): false
Extensions for concurrent memory management (ETRACKC, ELDBC, ELDUC, ERDINFO): false
CET enclave attributes support (See Table 37-5 in the SDM): false
Key separation and sharing (KSS) support (CONFIGID, CONFIGSVN, ISVEXTPRODID, ISVFAMILYID report fields): true
Max enclave size (32-bit): 0x80000000
Max enclave size (64-bit): 0x100000000000000
EPC size: 0x1f0ff000
SGX driver loaded: true
AESMD installed: true
SGX PSW/libsgx installed: true
#PF/#GP information in EXINFO in MISC region of SSA supported: true
#CP information in EXINFO in MISC region of SSA supported: false
Trying to deploy tcs-issuer in k8s cluster, but got :
Using in-tree SGX driver with kernel
6.2.0-26-generic
.