Skip to main content
Version: 1.4

Installation and setup

To install MarbleRun into your Kubernetes cluster and manage it, there's a dedicated command-line interface (CLI). The following guides you through the steps of installing the CLI on your machine and the configuration required to verify the Coordinator's attestation reports.

Prerequisites

Make sure the following requirements are met:

  • Your machine is running Linux on an x86-64 CPU
  • You have access to a Kubernetes cluster and kubectl installed and configured

An easy way to get started is to run Kubernetes on your local machine using minikube. Check the prerequisites if you want to set up an SGX-enabled cluster. Another easy way is to use Azure Kubernetes Service (AKS), which offers SGX-enabled nodes.

You can validate your setup by running the following:

kubectl version --short

You should see an output with both a Client Version and a Server Version component. Now your cluster is ready and you can install the MarbleRun CLI.

Install the MarbleRun CLI

CLI executables for different platforms are available at GitHub. The CLI needs an SGX quote provider to verify attestation reports.

The AppImage runs on all x86-64 Linux distributions with glibc v2.29 or higher. It includes the quote provider. Install it with the following commands:

wget https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun-x86_64.AppImage
sudo install marblerun-x86_64.AppImage /usr/local/bin/marblerun

Once installed, verify the CLI is running correctly with the following:

marblerun

You can use the CLI to check if your cluster is configured to run SGX workloads:

marblerun precheck

Configure the quote provider

The CLI uses the quote provider to retrieve collaterals required for verifying attestation reports. Locate its configuration file at /etc/sgx_default_qcnl.conf. If the file doesn't exist or is outdated, download it with the following command:

wget -qO- https://raw.githubusercontent.com/intel/SGXDataCenterAttestationPrimitives/master/QuoteGeneration/qcnl/linux/sgx_default_qcnl.conf | sudo tee /etc/sgx_default_qcnl.conf > /dev/null

You can configure the quote provider to get the collaterals from the Intel PCS, the PCCS of your cloud service provider (CSP), or your own PCCS.

Intel PCS

Using the Intel PCS is the simplest and most generic way to get the collaterals, but it may be slower and less reliable than a PCCS. Configure it by uncommenting the "collateral_service" key:

  ,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"

PCCS of your CSP

If you're running MarbleRun in the cloud, it's recommended to use the PCCS of your CSP. Set the "pccs_url" value to the respective address:

  • Azure: https://global.acccache.azure.net/sgx/certification/v4/

    See the Azure documentation for more information on configuring the quote provider.

  • Alibaba: https://sgx-dcap-server.[Region-ID].aliyuncs.com/sgx/certification/v4/

    See the Alibaba documentation for supported Region-ID values and more information on configuring the quote provider.

Your own PCCS

If you're running MarbleRun on premises and have set up your own PCCS for quote generation, you can also use it for quote verification. Set the "pccs_url" value to the address of your PCCS.

If your PCCS runs with a certificate not signed by a trusted CA, you need to set "use_secure_cert" to false. This instructs the quote provider to accept a self-signed certificate of the PCCS. It doesn't affect the security of the remote attestation process itself.