We only support Linux environment for now. Ubuntu 16.04/18.04 are prefered. If you want to build in native environment, please have nightly Rust and the latest Intel SGX SDK installed. As of writing, the latest Intel SGX SDK version is 2.6.100, and our testing is based on that. Detailed instructions can be found in our Dockerfile. Or, you can directly build in the docker image. Please refer to our CI configuration for such examples.
In order to fulfill the requirements of SGX remote attestation, you need to first log in to the brand new Intel Trusted API Center and then subscribe to the Linkable version of Intel SGX Attestation Service Utilizing Enhanced Privacy ID (EPID). Then please visit the Intel Trusted Service API portal and check the Manage Subscriptions page for SPID, Primary Key and Secondary Key.
Attention: MesaTEE has switched to IAS API v5.
All of the prerequisites are:
You need to also self-issue a CA certificate so that you can later issue client certificates. Only clients with certificates issued by you can successfully communicate with your MesaTEE deployment.
Examples of the above materials can be found at here (we only included those that we are comfortable to open source though). Among them, MRSIGNER and IAS report signing key, and the self-issued CA certificate should be put in the ra_config section of build.toml; the issued client certificate should be assigned to the client_config section of build.toml; and the IAS SPID and Key should be configured in the ias_client_config section of config.toml.
Moreover, as we described in Mutual Attestation: Why and How, auditors' credentials should be configured in the audited_enclave_config section of build.toml.
After fulfill all requirements specified in build.toml, you can start to build by using cmake.
cmake Waycd <MESATEE_PROJECT_ROOT> mkdir build && cd build cmake -DSGX_SDK=<SGX_SDK_PATH> .. make # Other Useful Make Targets: # print all make targets make help # separately make sgxlib-<module> and sgxapp-<module> # equal to make <module>, e.g. make kms make sgxlib-kms && make sgxapp-kms # print verbose build commands make VERBOSE=1 # run cargo clippy for all targets make clippy # run cargo clippy for a single target make CLP=1 <target_name> # mute cargo make MUTE_CARGO=1
Available cmake options:-DSGX_MODE=<HW|SW, default HW> build in hardware SGX mode or simulation SGX mode-DSGX_SDK=<SGX_SDK_PATH, default /opt/sgxsdk> config path of Intel SGX SDK-DCMAKE_BUILD_TYPE=<RELEASE|DEBUG, default RELEASE> build in debug/release mode-DCMAKE_BUILD_TYPE=DEBUG -DCOV=1 debug with gcov enabled
If SGX_MODE/SGX_SDK are not given on cmake command line, they will be read from
By default, the outcome is targeting a platform with SGX hardware. In order to switch to SGX simulation target, please set -DSGX_MODE=SW when running cmake.
All needed environment variables are auto-generated in <BUILD_DIR>/environment. When manually running the executables, sourcing the corresponding environment script can help set the variables. Below is the description for the environment variables:
SGX_MODE: whether to run with hardware SGX (HW) or in simulation (SW)SGX_SDK: path to the Intel SGX SDKMESATEE_PROJECT_ROOT: MesaTEE project root directoryMESATEE_CFG_DIR: directory containing the runtime configMESATEE_BUILD_CFG_DIR: directory containing the compile time configMESATEE_SOTRAGE_DIR: directory for TDFS data storage, default is /tmpMESATEE_AUDITORS_DIR: directory containing auditors' public keys and endorsement to TEE enclaves (digital signatures)RUST_LOG: logging levelsRUST_BACKTRACE: whether to enable backtrace logging on crash