EdgelessDB is provided as a Docker image. There are two flavors:
ghcr.io/edgelesssys/edgelessdb-sgx-1gb with 1 GB of enclave heap memory
ghcr.io/edgelesssys/edgelessdb-sgx-4gb with 4 GB of enclave heap memory
Use edgelessdb-sgx-1gb primarily to test EdgelessDB on machines with limited resources. Prefer edgelessdb-sgx-4gb for production deployments.
A future version of EdgelessDB will have a dynamic heap size.
Prepare the SGX system
Skip this section if you want to run EdgelessDB in simulation mode. You may also skip this section if you are running on an SGX-enabled VM in Azure (DC2 series).
The hardware must support SGX-FLC and it must be enabled in the BIOS. Use the following commands to check:
sudo apt install cpuid
cpuid | grep SGX
This should give you output like the following:
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
SGX capability (0x12/0):
SGX1 supported = true
SGX: Software Guard Extensions supported is true if the hardware supports it.
SGX_LC: SGX launch config supported is true if the hardware also supports FLC.
SGX1 supported is true if it's enabled in the BIOS.
The SGX driver exposes a device. Check that it is present:
ls /dev/sgx*
If the output is empty, install the driver:
wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubuntu`lsb_release -rs`-server/sgx_linux_x64_driver_1.41.bin
chmod +x sgx_linux_x64_driver_1.41.bin
sudo ./sgx_linux_x64_driver_1.41.bin
On some systems you may need to install the libsgx-enclave-common package. On Ubuntu 18.04 or 20.04 you can do this by running:
wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu `lsb_release -cs` main"
sudo apt install --no-install-recommends libsgx-enclave-common
Run the Docker image
Run EdgelessDB on an SGX-capable system:
docker run -t \
  --name my-edb \
  -p 3306:3306 -p 8080:8080 \
  --device /dev/sgx_enclave --device /dev/sgx_provision \
  ghcr.io/edgelesssys/edgelessdb-sgx-4gb
Or try it in simulation mode on any system:
docker run -t \
  --name my-edb \
  -p 3306:3306 -p 8080:8080 \
  -e OE_SIMULATION=1 \
  ghcr.io/edgelesssys/edgelessdb-sgx-1gb
This exposes two services:
- The MySQL interface served on port 3306
- The HTTP REST API on port 8080
If EdgelessDB is run with one of the commands above, all data is stored inside the Docker container in the /data directory. For a production deployment, consider using one of Docker's data management approaches. E.g., to mount a directory on the host system, add -v /my/own/datadir:/data to the command line.
If you're on Azure, remote attestation works out of the box.
Otherwise, you must use a Provisioning Certificate Caching Service (PCCS), which caches attestation data from Intel.
Set up the PCCS
- Register with Intel to get a PCCS API key
- Run the PCCS:
docker run -e APIKEY=<your-API-key> -p 8081:8081 --name pccs -d ghcr.io/edgelesssys/pccs
- Verify that the PCCS is running:
curl -kv https://localhost:8081/sgx/certification/v3/rootcacrl
You should see a 200 status code.
Configure EdgelessDB to use the PCCS
Add -e PCCS_ADDR=<your-pccs-address> to the Docker command line. E.g., if the PCCS runs on the same host, use -e PCCS_ADDR=172.17.0.1:8081 (the gateway of Docker's default network bridge plus the default PCCS port).
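The checks and run commands above, combined into one script as an added example that is not part of the EdgelessDB project's documentation: it reads the three cpuid lines and the driver device to pick hardware or simulation mode, then assembles the matching docker run line with the page's ports, devices and PCCS_ADDR. The function names sgx_ready and edb_run_cmd are our own, and the cpuid sample text is constructed so the script runs on a machine without SGX.

```shell
# Added example, not from the EdgelessDB project: derive the run mode from
# the same checks the page performs and build the documented "docker run"
# line. Image names, ports, devices and PCCS_ADDR are the page's values.

# sgx_ready CPUID_TEXT DEVICE -> prints "hardware" if all three cpuid lines
# the page checks read "true" and the driver device exists, else "simulation".
sgx_ready() {
    text=$1
    device=$2
    if printf '%s\n' "$text" | grep -q 'Software Guard Extensions supported = true' &&
       printf '%s\n' "$text" | grep -q 'SGX launch config supported = true' &&
       printf '%s\n' "$text" | grep -q 'SGX1 supported = true' &&
       [ -e "$device" ]; then
        echo hardware
    else
        echo simulation
    fi
}

# edb_run_cmd MODE FLAVOR [PCCS_ADDR] -> prints the docker command line.
# FLAVOR is 1gb or 4gb; PCCS_ADDR only applies in hardware mode (needed outside Azure).
edb_run_cmd() {
    cmd="docker run -t --name my-edb -p 3306:3306 -p 8080:8080"
    if [ "$1" = hardware ]; then
        cmd="$cmd --device /dev/sgx_enclave --device /dev/sgx_provision"
        if [ -n "${3:-}" ]; then
            cmd="$cmd -e PCCS_ADDR=$3"
        fi
    else
        cmd="$cmd -e OE_SIMULATION=1"
    fi
    echo "$cmd ghcr.io/edgelesssys/edgelessdb-sgx-$2"
}

# Constructed sample of "cpuid | grep SGX" on a capable machine (offline use).
SAMPLE_CPUID='SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
SGX1 supported = true'

main() {
    if command -v cpuid >/dev/null 2>&1; then
        text=$(cpuid | grep SGX || true)
    else
        text=$SAMPLE_CPUID
    fi
    mode=$(sgx_ready "$text" /dev/sgx_enclave)
    edb_run_cmd "$mode" 4gb 172.17.0.1:8081
}
main
```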