Skip to content

sgx: add automated DCAP registration using in-cluster PCCS caching #2121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

sgx: add automated DCAP registration using in-cluster PCCS caching #2121

wants to merge 1 commit into from

Conversation

mythi
Copy link
Contributor

@mythi mythi commented Aug 27, 2025
edited
Loading

This setup gives an automated "online, multi-platform, PCCS based Indirect Registration" and TDX QGS deployment for Kubernetes based clusters.

Building blocks:

  1. in-cluster PCCS caching service deployment
  2. PCKIDRetrievalTool sidecar and TDX QGS in a single daemonset

Pre-conditions:

Read the basics of Intel TDX remote attestation infrastructure setup and get an Intel PCS API Key. The node(s) have TDX and SGX enabled. The following also assumes that a user has cloned this PR and has a bare-metal cluster available.

Installation:

  1. Deploy SGX device plugin with the "DCAP infrastructure resources" enabled:

kubectl apply -k deployments/sgx_plugin/overlays/dcap-infra-resources

  1. Make the new (unpublished) images available to your cluster:
make sgx-pccs sgx-dcap-infra
docker save intel/sgx-pccs:devel | sudo ctr -n k8s.io i import -
docker save intel/sgx-dcap-infra:devel | sudo ctr -n k8s.io i import -
  1. Deploy PCCS
pushd deployments/sgx_dcap/pccs
<check notes in kustomization.yaml to populate .env.pccs-tokens>
kubectl apply -k .
popd

NB: if a proxy setting is needed, edit pccs.yaml

  1. Deploy platform-registration and TDX QGS
pushd deployments/sgx_dcap/base
<get your USER_TOKEN to .env.pccs-credentials>
kubectl apply -k .
popd

NB: add nodeSelector to filter SGX/TDX enabled nodes if run in a multi-node cluster

  1. Check things are up:
NAME                               READY   STATUS    RESTARTS   AGE
intel-dcap-node-infra-q9zms        2/2     Running   0          17h
intel-dcap-pccs-647568f67d-ftjb2   1/1     Running   0          17h
intel-sgx-plugin-bgfgv             1/1     Running   0          17h

$ kubectl logs -c platform-registration intel-dcap-node-infra-q9zms 
Waiting for the PCCS to be ready ...
PCCS is online, proceeding ...
Calling PCKIDRetrievalTool ...

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.23.100.0

Registration status has been set to completed status.
the data has been sent to cache server successfully!

The node should have /var/run/tdx-qgs/qgs.socket available for QEMU to connect.

Notes:

PCCS database is stored to a RAM based EmptyDir volume and currently not backed up (a backup mechanism is added later). Keep the PCCS deployment up. If quoting errors occur, full re-install after an SGX Factory Reset might be required.

@mythi
sgx: add automated DCAP registration using in-cluster PCCS caching
65ce152 
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
BFuhry
BFuhry reviewed Aug 29, 2025
View reviewed changes
demo/sgx-dcap-infra/Dockerfile
Comment on lines +9 to +16
WORKDIR /opt/intel

ARG SGX_SDK_URL=https://download.01.org/intel-sgx/sgx-linux/2.26/distro/ubuntu24.04-server/sgx_linux_x64_sdk_2.26.100.0.bin

RUN curl -sSLfO ${SGX_SDK_URL} \
&& export SGX_SDK_INSTALLER=$(basename $SGX_SDK_URL) \
&& chmod +x $SGX_SDK_INSTALLER \
&& echo "yes" | ./$SGX_SDK_INSTALLER \
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All probs to @ScottR-Intel for: sudo ./sgx_linux_x64_sdk_2.26.100.0.bin --prefix /opt/intel

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kad kad Awaiting requested review from kad kad will be requested when the pull request is marked ready for review kad is a code owner

@bart0sh bart0sh Awaiting requested review from bart0sh bart0sh will be requested when the pull request is marked ready for review bart0sh is a code owner

@tkatila tkatila Awaiting requested review from tkatila tkatila will be requested when the pull request is marked ready for review tkatila is a code owner

1 more reviewer

@BFuhry BFuhry BFuhry left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mythi @BFuhry