A modern Linux kernel (5.11 and later) supports SGX out of the box. If your workload runs inside virtual machines, KVM supports SGX inside virtual machines starting with Linux kernel 5.13.
In other words, no modification of the system software is needed.
You can run vanilla Kubernetes software - there is no need to customize Kubernetes. We maintain an SGX Plugin that permits your application to use SGX from within containers. This SGX plugin can be installed via
For older Linux Kernels (deprecated)
We recommend using Alpine Linux for container images that use SCONE, and Ubuntu 20.04 LTS or Ubuntu 18.04 LTS for the hosts that run these container images. To ensure that your Ubuntu host has all the software installed to run SCONE containers, you can just run:
curl -fsSL https://raw.githubusercontent.com/scontain/install_dependencies/master/install-host-prerequisites.sh | bash
This script checks which of the required components are already installed and installs only those that are missing.
You can run SCONE-based applications on bare-metal servers as well as inside VMs. Applications need access to the SGX driver, and they need to be linked with the SCONE Runtime Encryption Library, either dynamically at load time or statically at compile time. In this way, the application is executed inside an enclave:
Containers are the default way to deploy SCONE-based applications. The application is linked with the SCONE Runtime Encryption Library (dynamically or statically), and it needs access to the SGX driver:
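The kernel-version and driver-access requirements above can be checked before installing anything. The following POSIX shell script is an added example, not part of SCONE's own tooling; it assumes that Linux 5.11 and later expose the in-kernel SGX driver as /dev/sgx_enclave and /dev/sgx_provision, that the legacy out-of-tree driver exposes /dev/isgx, and that an SGX-capable CPU lists the "sgx" flag in /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not SCONE's own script): check whether a host meets the SGX
# prerequisites described above. Assumptions: Linux >= 5.11 ships the in-kernel
# SGX driver (/dev/sgx_enclave, /dev/sgx_provision); the legacy out-of-tree
# driver creates /dev/isgx; an SGX-capable CPU lists "sgx" among its flags.

# kernel_supports_sgx VERSION
# Returns 0 when VERSION (e.g. "5.15.0-76-generic") is at least 5.11, the
# first release with the upstream SGX driver; returns 1 otherwise.
kernel_supports_sgx() {
    major=$(printf '%s\n' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${major:-0}" -gt 5 ] && return 0
    [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -ge 11 ] && return 0
    return 1
}

# cpu_advertises_sgx CPUINFO_FILE
# Returns 0 when a "flags" line in the file lists the standalone sgx flag
# ("sgx_lc" alone does not count), 1 otherwise.
cpu_advertises_sgx() {
    grep -E '^flags[[:space:]]*:' "$1" \
        | grep -Eq '(^|[[:space:]])sgx([[:space:]]|$)'
}

# sgx_driver_flavour DEVDIR
# Prints "in-kernel", "legacy" or "none" depending on which device nodes are
# present under DEVDIR (normally /dev); returns 1 when none are found.
sgx_driver_flavour() {
    if [ -e "$1/sgx_enclave" ]; then
        echo in-kernel
    elif [ -e "$1/isgx" ]; then
        echo legacy
    else
        echo none
        return 1
    fi
}

# host_report: run all three checks against the current host. Each check is
# reported separately so that one failure does not hide the others.
host_report() {
    kv=$(uname -r)
    if kernel_supports_sgx "$kv"; then
        echo "kernel $kv: in-kernel SGX driver available (>= 5.11)"
    else
        echo "kernel $kv: older than 5.11, needs the out-of-tree driver"
    fi
    if [ -r /proc/cpuinfo ] && cpu_advertises_sgx /proc/cpuinfo; then
        echo "cpu: advertises sgx"
    else
        echo "cpu: no sgx flag (disabled in firmware, unsupported, or hidden by the VM)"
    fi
    echo "driver: $(sgx_driver_flavour /dev)"
}

host_report
```

A container only sees the device nodes that are passed into it, so the same three checks are worth repeating inside the container image that carries the SCONE-linked application; the driver check then tells you whether the host's device nodes were actually mapped in.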
We recommend deploying SCONE-based applications in Kubernetes clusters with the help of Helm:
You can customize the SCONE installation to your needs. Depending on how you want to use SCONE, you can instead install software components on a per-need basis:
Running on a VM: To run your applications on a virtual machine, you need to install the Intel SGX driver in the VM and ensure that your hypervisor supports SGX: you might want to install a patched version of KVM. Alternatively, you can use a commercial hypervisor like Hyper-V.
Ensure that your CPU runs the newest microcode by updating the CPU microcode.