This is a proof-of-concept project providing support to live migrate VMs that contain SGX enclaves. By default, after migration the enclave most probably won't function properly, because its sealing key has changed and its monotonic counters are gone. This project contains a library and a migration enclave that allow to move enclave persistent state from one physical host to another, maintaining SGX security guarantees.
-
Install SGX SDK:
- Download Intel SGX SDK for Linux
- By default Makefile's expect to have SDK installed in
/opt/intel/sgxsdk. - If the SDK is in a different directory, change
SGX_SDKvariable in Makefiles.
-
Build the 3rd party libraries
- Clone sgx-utils.
- Alternatively, use the
git submodulecommand to clone the libraries intosgx-utilsdirectory.
Generate enclave signing keys:
$ openssl genrsa -3 3072 >migration_enclave/trusted/migration_enclave_private.pem
$ openssl genrsa -3 3072 >sample_app/src/enclave/enclave_private.pemRun make -B all. That will build libraries in sgx-utils,
migration enclave (me_app), and a sample application that
contains a migratable enclave.
Run migration_enclave/me_app --help and sample_app/app --help to
show the list of configurable options and their defaults.
Test the setup with running me_app and sample_app/app -t.