BlindAI
Deploy on Hardware

Hardware requirements

You will need an Intel SGX-capable machine with SGX and FLC (Flexible Launch Control) support. Read this Intel documentation page to see whether your Intel processor supports it.
Make sure the SGX+FLC driver (preferably version 1.41) is installed on your system before running the Docker image. Check this link for more information about the drivers.
If you are using an Azure DC-series VM (DCsv2 / DCsv3), the driver is already installed.
If the device nodes are named enclave and provision under /dev/sgx (or /dev/sgx_enclave and /dev/sgx_provision, the naming used by the in-tree driver shipped with Linux 5.11 and later), you are good to go.
If the device node is named isgx, your system is not supported: that is the first-generation out-of-tree driver, which has no Flexible Launch Control support and therefore cannot produce the DCAP attestation this deployment relies on.
Otherwise, here is a quick way to install the driver:
```bash
wget https://download.01.org/intel-sgx/sgx-linux/2.15.1/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.41.bin
chmod +x sgx_linux_x64_driver_1.41.bin
./sgx_linux_x64_driver_1.41.bin
```
The binary contains the driver signed by Intel and performs the installation non-interactively; it must be run as root. The path above is the build for the 2.15.1 SGX release on Ubuntu 18.04 server, so pick the directory matching your distribution, and since you are installing a kernel module, verify the downloaded file against the checksum Intel publishes alongside the release before executing it.
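The driver check and the verified install above, as an added example script (not part of the BlindAI documentation or the project's own tooling). It classifies whichever SGX device nodes are present, refuses to run a downloaded installer whose SHA-256 does not match the value you supply, and re-checks the device nodes afterwards. The expected digest is an assumption you must replace with the checksum Intel publishes for the release; the device directory is a parameter only so the check can be exercised against a scratch directory.

```bash
#!/bin/sh
# Added example, not BlindAI's code. Classify the SGX driver on this host and,
# if none is present, install Intel's out-of-tree driver after verifying the
# download. Run as root for the actual install (the installer requires it).

# sgx_driver_status [DEVDIR] -> prints one of: dcap | legacy | none
# DEVDIR defaults to /dev.
sgx_driver_status() {
    dev="${1:-/dev}"
    if [ -e "$dev/sgx/enclave" ] && [ -e "$dev/sgx/provision" ]; then
        echo dcap     # out-of-tree DCAP driver (e.g. 1.41): /dev/sgx/{enclave,provision}
    elif [ -e "$dev/sgx_enclave" ] && [ -e "$dev/sgx_provision" ]; then
        echo dcap     # in-tree driver (Linux 5.11+): /dev/sgx_{enclave,provision}
    elif [ -e "$dev/isgx" ]; then
        echo legacy   # first-generation driver without FLC: unusable for DCAP
    else
        echo none
    fi
}

# sha256_of FILE -> hex digest (GNU coreutils or BSD shasum)
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# verify_download FILE EXPECTED_SHA256 -> exit status 0 only on a match
verify_download() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# install_sgx_driver URL EXPECTED_SHA256
# Downloads the installer, refuses to execute it unless the digest matches,
# then runs it exactly as the documentation does (chmod +x; ./installer).
install_sgx_driver() {
    url="$1"; expected="$2"
    file="$(basename "$url")"
    wget -q -O "$file" "$url" || return 1
    if ! verify_download "$file" "$expected"; then
        echo "checksum mismatch for $file; refusing to install" >&2
        rm -f "$file"
        return 1
    fi
    chmod +x "$file"
    "./$file"
}

# Entry point, only when invoked as:  sudo sh this.sh --install
if [ "${1:-}" = "--install" ]; then
    case "$(sgx_driver_status)" in
        dcap)   echo "DCAP-capable SGX driver already present" ;;
        legacy) echo "legacy isgx driver found: unsupported" >&2; exit 1 ;;
        none)
            # ASSUMPTION: placeholder digest; replace with Intel's published value.
            install_sgx_driver \
              https://download.01.org/intel-sgx/sgx-linux/2.15.1/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.41.bin \
              0000000000000000000000000000000000000000000000000000000000000000
            echo "driver status after install: $(sgx_driver_status)"
            ;;
    esac
fi
```

Sourcing the file without --install only defines the functions, so `sgx_driver_status` can be used on its own to decide between the two `--device` namings before starting the container.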

Running the server

Please make sure you have Docker installed on your machine.
Generic (Azure DCs v2 / On premise / Other)

A Provisioning Certificate Caching Service (PCCS) is built into the Docker image so that the enclave can produce a DCAP attestation: the PCCS fetches and caches, from Intel's Provisioning Certification Service, the PCK certificates and collateral that quote generation needs. That service requires an API key, which you can obtain from Intel here.

```bash
docker run -it \
  -p 50051:50051 \
  -p 50052:50052 \
  --device /dev/sgx/enclave \
  --device /dev/sgx/provision \
  mithrilsecuritysas/blindai-server:latest /root/start.sh PCCS_API_KEY
```

Replace PCCS_API_KEY with your PCCS API key. If your kernel exposes the in-tree device nodes instead, pass --device /dev/sgx_enclave --device /dev/sgx_provision. Note that a key passed as a command-line argument is visible to anyone who can run docker inspect or list processes on the host, so restrict access to the host accordingly.

Azure DCs v3

No PCCS API key is needed on DCsv3; run the following instead:

```bash
docker run -it \
  -v $(pwd)/bin/tls:/root/tls \
  -p 50051:50051 \
  -p 50052:50052 \
  --device /dev/sgx/enclave \
  --device /dev/sgx/provision \
  mithrilsecuritysas/blindai-server-dcsv3:latest
```

The -v mount makes bin/tls from your current directory available to the server as /root/tls, the directory it reads its TLS material from (see host_server.pem below).

Get the policy and TLS Certificate

In hardware mode, the client must be given two files generated by the server: policy.toml and host_server.pem. Read more about what these files are used for here: Certificate and policy
You can pull the policy for the latest prebuilt server binary with this command:
```bash
docker run --rm mithrilsecuritysas/blindai-server:latest cat /root/policy.toml > policy.toml
```
The policy describes the server build the client will accept, so pull it from the exact image (same tag or digest) you run, and pin that tag rather than relying on latest: a policy taken from one build will not match a server started from another. Also check that the resulting file is not empty, since the shell redirection creates policy.toml even when the docker command fails.
If you wish to use the default built-in TLS certificate, pull the certificate as well:
```bash
docker run --rm mithrilsecuritysas/blindai-server:latest cat /root/tls/host_server.pem > host_server.pem
```
Remember that this certificate is not secure: it ships inside a public image, so its private key is available to anyone who pulls that image and any such party can present the same certificate to your clients. It is strongly recommended to generate your own certificate.
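The two steps above (starting the server, then pulling policy.toml and host_server.pem) as one added example script; this is not BlindAI's code. It builds the docker run command from whichever SGX device naming the host uses, prints it for review instead of executing it, extracts the two artefacts from the same image the server will run so the client never pins a different build, and refuses to accept an empty policy or a file that is not a PEM certificate (the redirect creates the file even when docker fails). Image names, ports and container paths are the ones on this page; the output directory name and the SHA256SUMS file it writes are our own additions.

```bash
#!/bin/sh
# Added example, not BlindAI's code.

# sgx_device_flags [DEVDIR] -> the --device flags for whichever naming the
# driver uses; fails if neither pair of nodes exists.
sgx_device_flags() {
    dev="${1:-/dev}"
    if [ -e "$dev/sgx/enclave" ]; then
        echo "--device $dev/sgx/enclave --device $dev/sgx/provision"
    elif [ -e "$dev/sgx_enclave" ]; then
        echo "--device $dev/sgx_enclave --device $dev/sgx_provision"
    else
        return 1
    fi
}

# blindai_run_cmd MODE TAG [PCCS_API_KEY] [DEVDIR]
#   generic : blindai-server image, needs the PCCS API key
#   dcsv3   : blindai-server-dcsv3 image, needs the TLS mount, no key
# Prints the command rather than running it so it can be reviewed first.
blindai_run_cmd() {
    mode="$1"; tag="$2"; key="${3:-}"; dev="${4:-/dev}"
    flags="$(sgx_device_flags "$dev")" || { echo "no SGX device nodes under $dev" >&2; return 1; }
    ports="-p 50051:50051 -p 50052:50052"
    case "$mode" in
        generic)
            [ -n "$key" ] || { echo "generic mode needs a PCCS API key" >&2; return 1; }
            echo "docker run -it $ports $flags mithrilsecuritysas/blindai-server:$tag /root/start.sh $key"
            ;;
        dcsv3)
            echo "docker run -it -v $(pwd)/bin/tls:/root/tls $ports $flags mithrilsecuritysas/blindai-server-dcsv3:$tag"
            ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# sha256_of FILE -> hex digest (GNU coreutils or BSD shasum)
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# check_artifacts DIR -> 0 only if policy.toml is non-empty and
# host_server.pem carries PEM certificate markers.
check_artifacts() {
    [ -s "$1/policy.toml" ] || { echo "policy.toml missing or empty" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1/host_server.pem" &&
    grep -q -- '-----END CERTIFICATE-----' "$1/host_server.pem" ||
        { echo "host_server.pem is not a PEM certificate" >&2; return 1; }
}

# record_fingerprints DIR -> "digest  name" lines for the two artefacts,
# to be compared with what the client is given.
record_fingerprints() {
    for f in policy.toml host_server.pem; do
        printf '%s  %s\n' "$(sha256_of "$1/$f")" "$f"
    done
}

# fetch_blindai_artifacts IMAGE OUTDIR
# Extracts both files from IMAGE (the same one passed to blindai_run_cmd),
# validates them and writes their digests next to them.
fetch_blindai_artifacts() {
    image="$1"; out="$2"
    mkdir -p "$out"
    docker run --rm "$image" cat /root/policy.toml > "$out/policy.toml"
    docker run --rm "$image" cat /root/tls/host_server.pem > "$out/host_server.pem"
    check_artifacts "$out" || return 1
    record_fingerprints "$out" > "$out/SHA256SUMS"
}

# Usage:  sh this.sh --show generic 0.5.0 MY_PCCS_KEY
#         sh this.sh --fetch mithrilsecuritysas/blindai-server:0.5.0 blindai-artifacts
case "${1:-}" in
    --show)  shift; blindai_run_cmd "$@" ;;
    --fetch) fetch_blindai_artifacts "$2" "$3" ;;
esac
```

Passing an explicit tag to both functions is the point of the design: the policy the client pins only matches the server build it was taken from, so the tag used for --fetch must be the one used in the printed docker run command.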