CapsuleManager is an authorization management service that manages the metadata of user data and the associated authorization information.
If you want to try CapsuleManager quickly, you can use the official Docker images directly.
At present there are four official images, sim/sgx/tdx/csv, which correspond to Simulation mode, Intel SGX2 mode, Intel TDX mode and Hygon CSV mode. Simulation mode needs no TEE hardware and performs no remote attestation, so it is suitable for development only.
```bash
# pull docker image
docker pull secretflow/capsule-manager-sim-ubuntu22.04:latest
# enter docker container
docker run -it --name capsule-manager-sim --net host secretflow/capsule-manager-sim-ubuntu22.04:latest bash
# TLS is enabled by default (--tls_config.enable_tls true); it is usually disabled in simulation mode.
# If you want to use mTLS, refer to the mTLS part.
# run service
./capsule_manager --tls_config.enable_tls false
```
Pull and run SGX docker image

```bash
# pull docker image
docker pull secretflow/capsule-manager-sgx-ubuntu22.04:latest
# enter docker container, passing through the SGX enclave and provisioning devices
docker run -it --name capsule-manager-sgx --net host \
    -v /dev/sgx_enclave:/dev/sgx/enclave \
    -v /dev/sgx_provision:/dev/sgx/provision \
    --privileged=true \
    secretflow/capsule-manager-sgx-ubuntu22.04:latest \
    bash
```

Modify PCCS config

Set the real `pccs_url` and set `use_secure_cert` to `false` in /etc/sgx_default_qcnl.conf. Note that `use_secure_cert=false` makes the quote provider accept the PCCS's TLS certificate without verifying it; this is acceptable for a lab PCCS with a self-signed certificate, but for production point it at a PCCS whose certificate the container trusts and keep the setting `true`.

Copy /etc/sgx_default_qcnl.conf into the Occlum instance image so the enclave uses the same PCCS settings:

```bash
cp /etc/sgx_default_qcnl.conf \
    /home/teeapp/occlum/occlum_instance/image/etc/
```

Generate an enclave signing key and build the Occlum instance. SGX enclave signing requires an RSA-3072 key with public exponent 3 (hence `-3`); the key pair determines the enclave's MRSIGNER, so keep the private key out of the image and out of version control:

```bash
openssl genrsa -3 -out private_key.pem 3072
openssl rsa -in private_key.pem -pubout -out public_key.pem
occlum build -f --sign-key /path/to/private_key.pem
```

Run Capsule Manager

By default `--tls_config.enable_tls` is true. You can configure mTLS by referring to Mutual TLS:

```bash
occlum run /bin/capsule_manager --tls_config.enable_tls false
```
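The two steps above that are easy to get silently wrong are the PCCS edit (a typo in the key name leaves the default PCCS in place) and the signing key (a key that is not RSA-3072 with exponent 3 is rejected only when `occlum build` reaches the signing stage). The following POSIX-shell pre-flight check is an added example, not part of CapsuleManager or Occlum; the PCCS half applies unchanged to the TDX image and to the source build. It assumes the Intel DCAP layout of /etc/sgx_default_qcnl.conf (one `"key": value` pair per line, comments allowed), GNU `sed -i`, and `openssl` on PATH; the function names `set_pccs_config`, `get_pccs_value` and `check_sgx_sign_key` are mine.

```shell
#!/bin/sh
# Added example, not part of the CapsuleManager project.
# Assumes the DCAP layout of sgx_default_qcnl.conf: one "key": value pair per line.

# set_pccs_config FILE URL
# Rewrites pccs_url to URL and use_secure_cert to false, in place (GNU sed -i).
# Returns 1 if either key is absent, so an untouched config is noticed instead
# of the quote provider silently keeping the default PCCS address.
set_pccs_config() {
    file=$1
    url=$2
    grep -q '"pccs_url"' "$file" || return 1
    grep -q '"use_secure_cert"' "$file" || return 1
    # use_secure_cert=false turns off TLS certificate verification towards the PCCS:
    # acceptable for a lab PCCS with a self-signed certificate, not for production.
    sed -i \
        -e 's|\("pccs_url"[[:space:]]*:[[:space:]]*\)"[^"]*"|\1"'"$url"'"|' \
        -e 's|\("use_secure_cert"[[:space:]]*:[[:space:]]*\)true|\1false|' \
        "$file"
}

# get_pccs_value FILE KEY
# Prints the value of KEY with surrounding quotes and trailing comma stripped.
get_pccs_value() {
    sed -n 's|^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",]*\)"\{0,1\}.*|\1|p' "$1"
}

# check_sgx_sign_key KEY_PEM
# occlum build hands the key to the SGX signing tool, which only accepts an
# RSA-3072 key with public exponent 3 (what "openssl genrsa -3 ... 3072" makes).
# Returns 0 if the key qualifies, 1 otherwise, so a wrong key fails fast.
check_sgx_sign_key() {
    info=$(openssl rsa -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$info" | grep -q '(3072 bit' || return 1
    printf '%s\n' "$info" | grep -q 'publicExponent: 3 (0x3)' || return 1
    return 0
}
```

Typical use is `set_pccs_config /etc/sgx_default_qcnl.conf https://your-pccs:8081/sgx/certification/v4/ && check_sgx_sign_key private_key.pem` before the `cp` and `occlum build` steps; a non-zero exit means stop and fix the input rather than start a build that will fail or attest against the wrong PCCS.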
Pull and run TDX docker image

```bash
# pull docker image
docker pull secretflow/capsule-manager-tdx-ubuntu22.04:latest
# enter docker container, passing through the TDX guest device
docker run -it --name capsule-manager-tdx --net host \
    -v /dev/tdx_guest:/dev/tdx_guest \
    --privileged=true \
    secretflow/capsule-manager-tdx-ubuntu22.04:latest \
    bash
```

Modify PCCS config

Set the real `pccs_url` and set `use_secure_cert` to `false` in /etc/sgx_default_qcnl.conf. As in the SGX section, `use_secure_cert=false` disables verification of the PCCS's TLS certificate and is meant for a lab PCCS, not production.

Run Capsule Manager

By default `--tls_config.enable_tls` is true. You can configure mTLS by referring to Mutual TLS:

```bash
./capsule_manager --tls_config.enable_tls false
```
Pull and run CSV docker image

```bash
# pull docker image
docker pull secretflow/capsule-manager-csv-ubuntu22.04:latest
# enter docker container, passing through the CSV guest device
docker run -it --name capsule-manager-csv --net host \
    -v /dev/csv-guest:/dev/csv-guest \
    --privileged=true \
    secretflow/capsule-manager-csv-ubuntu22.04:latest \
    bash
```

Run Capsule Manager

By default `--tls_config.enable_tls` is true. You can configure mTLS by referring to Mutual TLS:

```bash
./capsule_manager --tls_config.enable_tls false
```
You must generate certificates if you want to use the mTLS feature of CapsuleManager: a CA certificate, a server certificate for CapsuleManager and a client certificate for each caller, with both leaf certificates issued by that CA.
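The Mutual TLS section referenced above is not reproduced on this page, so the capsule_manager flags that take the certificates are not shown here; what the certificate side needs is a private CA, a server certificate whose subjectAltName matches the address clients connect to, a client certificate restricted to client authentication, and a check that both actually chain to the CA before the service is started. The following POSIX-shell script is an added example (not CapsuleManager's own tooling) that generates such a set with `openssl` and verifies it. The directory layout, the hostname `capsule-manager` and the function names `make_mtls_pki`, `issue_cert`, `verify_chain` and `cert_has_purpose` are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the CapsuleManager project.
# Generates a private CA, a server cert and a client cert for mTLS, then verifies them.

# issue_cert DIR NAME SUBJECT SAN EKU
# Creates DIR/NAME.key and DIR/NAME.crt signed by DIR/ca.crt as an end-entity
# certificate (CA:FALSE) limited to the given extendedKeyUsage.
issue_cert() {
    dir=$1; name=$2; subj=$3; san=$4; eku=$5
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
        "$eku" "$san" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null || return 1
}

# make_mtls_pki DIR
# Builds ca.{key,crt}, server.{key,crt} and client.{key,crt} under DIR.
make_mtls_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Minimal req config: an empty DN section (the subject comes from -subj)
    # and CA extensions for the self-signed root.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/req.cnf" \
        -subj "/CN=capsule-manager-private-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server cert: the SAN must match what clients connect to (hostname or IP).
    issue_cert "$dir" server "/CN=capsule-manager" \
        "DNS:capsule-manager,IP:127.0.0.1" serverAuth || return 1
    # Client cert: presented by callers; the server checks it against ca.crt.
    issue_cert "$dir" client "/CN=capsule-manager-client" \
        "DNS:capsule-manager-client" clientAuth || return 1
}

# verify_chain CA_CRT LEAF_CRT  -> 0 when LEAF_CRT chains to CA_CRT
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_purpose CRT TEXT  -> 0 when the certificate text lists the purpose,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication"
cert_has_purpose() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}
```

Run it as `make_mtls_pki ./pki && verify_chain ./pki/ca.crt ./pki/server.crt && verify_chain ./pki/ca.crt ./pki/client.crt`, then hand `ca.crt`, `server.key`/`server.crt` to the service and `ca.crt`, `client.key`/`client.crt` to each client through the options described in Mutual TLS. The separate extendedKeyUsage values mean a leaked client certificate cannot be turned around and used to impersonate the server; `ca.key` should be moved offline once the leaf certificates are issued.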
Build from source

If you want to build from source, refer to the following. Note that the build itself does not depend on TEE hardware, but running the result does. So if you need to run the program after the build, the TEE device must be mounted when the container is created; the following script detects the devices present on the current machine and mounts them into the container automatically:

```bash
# create docker container
./env.sh
# enter docker container
./env.sh enter
```

Simulation mode

Remote Attestation is not enabled for this mode.

```bash
./script/build -p sim
./target/release/capsule_manager --tls_config.enable_tls false
```

SGX mode

Build

```bash
./script/build -p sgx
```

TDX mode

Build

```bash
./script/build -p tdx
```

Modify PCCS config

Set the real `pccs_url` and set `use_secure_cert` to `false` in /etc/sgx_default_qcnl.conf (`false` disables verification of the PCCS's TLS certificate; use it only with a lab PCCS).

Run

```bash
./target/release/capsule_manager --tls_config.enable_tls false
```

CSV mode

```bash
./script/build -p csv
./target/release/capsule_manager --tls_config.enable_tls false
```
Please check CONTRIBUTING.md.
This project is licensed under the Apache License.