Your API server co-signing components must be executed from an SGX-enabled machine with an SGX driver loaded.
This article describes how to configure a compatible cloud-based or on-premise server for your API Co-Signer in one of the configurations below. Azure is the recommended cloud-based configuration because it offers better RAM and CPU options.
- Setup Option 1: Azure Confidential Compute VM
- Setup Option 2: IBM Cloud Bare Metal server
- Setup Option 3: On-Premise Server
Setup Option 1: Azure Confidential Compute VM
Follow this Microsoft installation guide. Only the “Configure an Intel SGX virtual machine” section is required. The necessary settings are listed below. You don’t need to follow the “Connect to the Linux VM” or “Next Steps” sections.
1. Make sure you have these settings in the “Get Started” section:
- Image: Ubuntu 20.04 LTS (Canonical)
- Region: Select your region.
- Under "Advanced" tab: Gen 2
- Size (recommended): Standard_DC4s_v3
Note
Standard_DC4s_v3 isn’t mandatory. Standard_DC4s_v2 also works, but v3 allows for optimized performance. v3 isn’t available out of the box: using it requires requesting a quota increase by opening a ticket with the Azure support team. See the official Microsoft documentation for a list of SGX-supported instances.
2. The final setup window should look like the image below. Depending on your needs or geographic location, you may choose a different Size or Region. The minimum hardware requirements are 16 GiB memory and 256 GB storage. See the official Microsoft documentation to find which products are available per region.
Setup Option 2: IBM Cloud
1. On the Dashboard Page, select Create Resource.
2. Go to IBM Cloud catalog > Compute > Bare Metal Servers.
3. In the Server Profile section, select View all profiles.
4. Choose the Intel Xeon E-2174G CPU.
5. In the Operating system section, select the following options:
- Vendor: Ubuntu
- Version: 18.04 LTS (64 bit)
- RAM (recommended): 32 GB
6. In the Add-ons section, under the Security and business continuity heading, select the Software Guard Extensions toggle.
7. Select Create.
Setup Option 3: On-Premise Server
The requirements for the on-premise server are as follows:
- CPU: Use one of the following:
| Processor Name / Number | Cores | Max Turbo Frequency | Base Frequency | Cache | TDP |
| --- | --- | --- | --- | --- | --- |
| | 8 | 3.90 GHz | 2.00 GHz | 16 MB | 35 W |
| | 8 | 4.70 GHz | 3.30 GHz | 16 MB | 80 W |
| | 4 | 4.90 GHz | 4.00 GHz | 8 MB Intel® Smart Cache | 83 W |
| | 8 | 5.00 GHz | 3.70 GHz | 16 MB Intel® Smart Cache | 95 W |
| | 8 | 5.00 GHz | 3.40 GHz | 16 MB Intel® Smart Cache | 80 W |
| | 6 | 4.90 GHz | 4.00 GHz | 12 MB Intel® Smart Cache | 95 W |
| | 6 | 4.90 GHz | 3.80 GHz | 12 MB Intel® Smart Cache | 80 W |
| | 6 | 4.70 GHz | 3.70 GHz | 12 MB Intel® Smart Cache | 80 W |
| | 4 | 4.70 GHz | 3.80 GHz | 8 MB Intel® Smart Cache | 71 W |
| | 6 | 4.70 GHz | 3.80 GHz | 12 MB Intel® Smart Cache | 95 W |
- BIOS:
- Enable Intel SGX (Software Guard Extension)
- Enable DCAP (FLC)
- Disable hyperthreading
- OS: Ubuntu 20.04
- Memory (recommended): 16 GB RAM
- Storage (recommended): 128 GB SSD
- SGX Memory (minimum): 2 GB EPC
- CPU (minimum): 4 cores
Once the installation is complete, follow the instructions in the appendix below to verify that SGX is enabled.
Note
Fireblocks also supports on-premise servers installed on OVHcloud providers.
Appendix A: SGX Enablement Verification
After the installation completes, verify that SGX is enabled with the latest microcode and that DCAP (FLC) is supported:
1. Run the following shell commands:
sudo apt update
sudo apt upgrade
sudo apt install cpuid
cpuid -1 | grep -i sgx
2. Verify that both “SGX: Software Guard Extensions supported” and “SGX_LC: SGX launch config supported” are true.
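The check in step 2 can be scripted so that a provisioning run fails when either flag is not true. The following is an added example, not part of the original article or Fireblocks tooling. The function name `check_sgx_flags` and the sample lines are constructed for illustration, and the script matches on the `SGX:` and `SGX_LC:` labels quoted in step 2.

```shell
#!/bin/sh
# Added example: reads `cpuid -1` output on stdin and succeeds only when
# both the SGX and SGX_LC feature lines end in "= true".
check_sgx_flags() {
    awk '
        # Match the label exactly so SGX1/SGX2 lines are not mistaken for "SGX:".
        /^[[:space:]]*SGX:/    { sgx = ($NF == "true") ? "true" : "false" }
        /^[[:space:]]*SGX_LC:/ { lc  = ($NF == "true") ? "true" : "false" }
        END {
            if (sgx == "") sgx = "missing"   # label never appeared in the input
            if (lc  == "") lc  = "missing"
            printf "SGX=%s SGX_LC=%s\n", sgx, lc
            # Point at the BIOS item from the on-premise requirements list.
            if (sgx != "true") print "hint: check BIOS: Enable Intel SGX" > "/dev/stderr"
            if (lc  != "true") print "hint: check BIOS: Enable DCAP (FLC)" > "/dev/stderr"
            exit !(sgx == "true" && lc == "true")
        }'
}

# Constructed sample: both flags true, plus an unrelated SGX1 line.
sample_ok() { cat <<'EOF'
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = true
      SGX1 supported                           = true
EOF
}

# Constructed sample: SGX is on but launch control (FLC) is off.
sample_no_flc() { cat <<'EOF'
      SGX: Software Guard Extensions supported = true
      SGX_LC: SGX launch config supported      = false
      SGX1 supported                           = true
EOF
}

# Demo on the constructed samples. On a real host: cpuid -1 | check_sgx_flags
sample_ok | check_sgx_flags
sample_no_flc | check_sgx_flags || echo "host not ready for the Co-Signer"
```

A non-zero exit status with `SGX_LC=false` means SGX itself is enabled but the DCAP (FLC) setting is not.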