**************************************************
Using Sawtooth with the SGX Implementation of PoET
**************************************************

.. note::

   These instructions have been tested on Ubuntu 16.04 only.

Prerequisites
=============

.. _bios-update:

BIOS Update
-----------

.. Important::

   You may need to update your BIOS with a security fix before running
   Hyperledger Sawtooth with PoET. Affected versions and instructions for
   updating can be found on
   `Intel's website <https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00076&languageid=en-fr>`_.
   If you're running an affected version, you must update the BIOS
   to ensure that these installation instructions work correctly.

You can verify the BIOS version after the machine has booted by running:

.. code-block:: console

   $ sudo lshw | grep -A5 '*-firmware'
     *-firmware
          description: BIOS
          vendor: Intel Corp.
          physical id: 0
          version: BNKBL357.86A.0050.2017.0816.2002
          date: 08/16/2017

.. _install-sgx:

Install SGX/PSW
===============

Install the prerequisites for SGX/PSW:

.. code-block:: console

   $ sudo apt-get update &&
     sudo apt-get install -q -y \
       alien \
       autoconf \
       automake \
       build-essential \
       cmake \
       libcurl4-openssl-dev \
       libprotobuf-dev \
       libssl-dev \
       libtool \
       libxml2-dev \
       ocaml \
       pkg-config \
       protobuf-compiler \
       python \
       unzip \
       uuid-dev \
       wget

Download and install the SGX driver:

.. code-block:: console

   $ mkdir ~/sgx && cd ~/sgx
   $ wget https://download.01.org/intel-sgx/linux-2.0/sgx_linux_x64_driver_eb61a95.bin
   $ chmod +x sgx_linux_x64_driver_eb61a95.bin
   $ sudo ./sgx_linux_x64_driver_eb61a95.bin

Download and install the Intel Capability Licensing Client. This is presently
available only as an .rpm, so you must convert it to a .deb package with
alien:

.. code-block:: console

   $ wget http://registrationcenter-download.intel.com/akdlm/irc_nas/11414/iclsClient-1.45.449.12-1.x86_64.rpm
   $ sudo alien --scripts iclsClient-1.45.449.12-1.x86_64.rpm
   $ sudo dpkg -i iclsclient_1.45.449.12-2_amd64.deb

Download and install the Dynamic Application Loader Host Interface (JHI):

.. code-block:: console

   $ wget https://github.com/01org/dynamic-application-loader-host-interface/archive/master.zip -O jhi-master.zip
   $ unzip jhi-master.zip && cd dynamic-application-loader-host-interface-master
   $ cmake .
   $ make
   $ sudo make install
   $ sudo systemctl enable jhi

Download and install the Intel SGX Platform Software (PSW):

.. code-block:: console

   $ cd ~/sgx
   $ wget https://download.01.org/intel-sgx/linux-2.0/sgx_linux_ubuntu16.04.1_x64_psw_2.0.100.40950.bin
   $ chmod +x sgx_linux_ubuntu16.04.1_x64_psw_2.0.100.40950.bin
   $ sudo ./sgx_linux_ubuntu16.04.1_x64_psw_2.0.100.40950.bin

Check to make sure the kernel module is loaded:

.. code-block:: console

   $ lsmod | grep sgx
   isgx                   36864  2

If the output does not show the isgx module, make sure that
SGX is set to "Enabled" in the BIOS.

If you're still having trouble, the SGX software may need to be reinstalled:

.. code-block:: console

   $ sudo /opt/intel/sgxpsw/uninstall.sh
   $ cd ~/sgx
   $ sudo ./sgx_linux_x64_driver_eb61a95.bin
   $ sudo ./sgx_linux_ubuntu16.04.1_x64_psw_2.0.100.40950.bin

After ensuring that the SGX kernel module is loaded, go to the next section
to install and configure Sawtooth.


Configuring Sawtooth to Use SGX
===============================

Install Sawtooth
----------------

.. code-block:: console

   $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8AA7AF1F1091A5FD
   $ sudo add-apt-repository 'deb [arch=amd64] http://repo.sawtooth.me/ubuntu/1.0/stable xenial universe'
   $ sudo apt-get update
   $ sudo apt-get install -y -q \
       sawtooth \
       python3-sawtooth-poet-sgx

Certificate File
----------------

The configuration process requires an SGX certificate file in PEM format
(.pem), which you will need before continuing.

Instructions for creating your own service provider certificate can be found
`here <https://software.intel.com/en-us/articles/how-to-create-self-signed-certificates-for-use-with-intel-sgx-remote-attestation-using>`_.

After your certificate is created you'll need to register it with the
attestation service.
`Click here <https://software.intel.com/formfill/sgx-onboarding>`_ for the
registration form.

Configure the Validator to Use SGX PoET
---------------------------------------

After installing Sawtooth, add config settings so PoET will work properly.

Create the file ``/etc/sawtooth/poet_enclave_sgx.toml``
with your favorite editor (such as vi):

.. code-block:: console

   $ sudo vi /etc/sawtooth/poet_enclave_sgx.toml

Add the following lines, replacing [example] with the spid value provided by
Intel:

.. code-block:: console

   # Service Provider ID. It is linked to the key pair used to authenticate with
   # the attestation service.

   spid = '[example]'

   # ias_url is the URL of the Intel Attestation Service (IAS) server.

   ias_url = 'https://test-as.sgx.trustedservices.intel.com:443'

   # spid_cert_file is the full path to the PEM-encoded certificate file that was
   # submitted to Intel in order to obtain a SPID

   spid_cert_file = '/etc/sawtooth/sgx-certificate.pem'

Next, install the .pem certificate file that you downloaded earlier.
Replace [example] in the path below with the path to the certificate file on
your local system:

.. code-block:: console

   $ sudo install -o root -g sawtooth -m 640 \
       /[example]/sgx-certificate.pem /etc/sawtooth/sgx-certificate.pem

Create validator keys:

.. code-block:: console

   $ sudo sawadm keygen

.. note:: If you're configuring multiple validators, the steps below are
   required for the first validator only. For additional validators, you
   can skip the rest of this procedure. Continue with :ref:`val-config`.

Become the sawtooth user and change to ``/tmp``.
In the following commands, the prompt ``[sawtooth@system]`` shows the commands
that must be executed as the sawtooth user.

.. code-block:: console

   $ sudo -u sawtooth -s
   [sawtooth@system]$ cd /tmp

Create a genesis batch:

.. code-block:: console

   [sawtooth@system]$ sawset genesis --key /etc/sawtooth/keys/validator.priv -o config-genesis.batch

Create and submit a proposal:

.. code-block:: console

   [sawtooth@system]$ sawset proposal create -k /etc/sawtooth/keys/validator.priv \
       sawtooth.consensus.algorithm=poet \
       sawtooth.poet.report_public_key_pem="$(cat /etc/sawtooth/ias_rk_pub.pem)" \
       sawtooth.poet.valid_enclave_measurements=$(poet enclave --enclave-module sgx measurement) \
       sawtooth.poet.valid_enclave_basenames=$(poet enclave --enclave-module sgx basename) \
       sawtooth.poet.enclave_module_name=sawtooth_poet_sgx.poet_enclave_sgx.poet_enclave \
       -o config.batch

When the ``sawset proposal`` command runs, you should see several
lines of output showing that the SGX enclave has been initialized:

.. code-block:: console

   [12:03:58 WARNING poet_enclave] SGX PoET enclave initialized.
   [12:03:59 WARNING poet_enclave] SGX PoET enclave initialized.

.. note::

   There's quite a bit going on in the previous ``sawset proposal`` command, so
   let's take a closer look at what it accomplishes:

   ``sawtooth.consensus.algorithm=poet``
      Changes the consensus algorithm to PoET.

   ``sawtooth.poet.report_public_key_pem="$(cat /etc/sawtooth/ias_rk_pub.pem)"``
      Adds the public key that the validator registry transaction processor uses
      to verify attestation reports.

   ``sawtooth.poet.valid_enclave_measurements=$(poet enclave --enclave-module sgx measurement)``
      Adds the enclave measurement for your enclave to the blockchain for the
      validator registry transaction processor to use to check signup information.

   ``sawtooth.poet.valid_enclave_basenames=$(poet enclave --enclave-module sgx basename)``
      Adds the enclave basename for your enclave to the blockchain for the
      validator registry transaction processor to use to check signup information.

   ``sawtooth.poet.enclave_module_name``
      Specifies the name of the Python module that implements the PoET enclave.
      In this case, ``sawtooth_poet_sgx.poet_enclave_sgx.poet_enclave`` is the
      SGX version of the enclave; it includes the Python code as well as the
      Python extension.

Create a poet-genesis batch:

.. code-block:: console

   [sawtooth@system]$ poet registration create -k /etc/sawtooth/keys/validator.priv \
       --enclave-module sgx -o poet_genesis.batch
   Writing key state for PoET public key: 0387a451...9932a998
   Generating poet_genesis.batch

Create a genesis block:

.. code-block:: console

   [sawtooth@system]$ sawadm genesis config-genesis.batch config.batch poet_genesis.batch

You'll see some output indicating success:

.. code-block:: console

   Processing config-genesis.batch...
   Processing config.batch...
   Processing poet_genesis.batch...
   Generating /var/lib/sawtooth/genesis.batch

Genesis configuration is complete! Log out of the sawtooth account:

.. code-block:: console

   [sawtooth@system]$ exit
   $


.. _val-config:

Change the Validator Config File
--------------------------------

You must specify some networking information so that the validator advertises
itself properly and knows where to search for peers.
Create the file ``/etc/sawtooth/validator.toml``:

.. code-block:: console

   $ sudo vi /etc/sawtooth/validator.toml

Add the following content to the file:

.. code-block:: console

   #
   # Hyperledger Sawtooth -- Validator Configuration
   #

   # This file should exist in the defined config directory and allows
   # validators to be configured without the need for command line options.

   # The following is a possible example.

   # Bind is used to set the network and component endpoints. It should be a list
   # of strings in the format "option:endpoint", where the options are currently
   # network and component.
   bind = [
     "network:tcp://eno1:8800",
     "component:tcp://127.0.0.1:4004"
   ]

   # The type of peering approach the validator should take. Choices are 'static'
   # which only attempts to peer with candidates provided with the peers option,
   # and 'dynamic' which will do topology buildouts. If 'dynamic' is provided,
   # any static peers will be processed first, prior to the topology buildout
   # starting.
   peering = "dynamic"

   # Advertised network endpoint URL.
   endpoint = "tcp://[external interface]:[port]"

   # Uri(s) to connect to in order to initially connect to the validator network,
   # in the format tcp://hostname:port. This is not needed in static peering mode
   # and defaults to None.
   seeds = ["tcp://[seed address 1]:[port]",
            "tcp://[seed address 2]:[port]"]

   # A list of peers to attempt to connect to in the format tcp://hostname:port.
   # It defaults to None.
   peers = []

   # The type of scheduler to use. The choices are 'serial' or 'parallel'.
   scheduler = 'serial'

   # A Curve ZMQ key pair are used to create a secured network based on side-band
   # sharing of a single network key pair to all participating nodes.
   # Note if the config file does not exist or these are not set, the network
   # will default to being insecure.
   #network_public_key = ''
   #network_private_key = ''

Next, locate the ``endpoint`` section in this file.
Replace the external interface and port values with either the
publicly addressable IP address and port or the NAT values for your validator.

.. code-block:: console

   endpoint = "tcp://[external interface]:[port]"

Find the ``seeds`` section in the config file.
Replace the seed address and port values with either the
publicly addressable IP address and port or the NAT values for the other nodes
in your network.

.. code-block:: console

   seeds = ["tcp://[seed address 1]:[port]",
            "tcp://[seed address 2]:[port]"]

If necessary, change the network bind interface in the ``bind`` section.

.. code-block:: console

   bind = [
     "network:tcp://eno1:8800",
     "component:tcp://127.0.0.1:4004"
   ]

The default network bind interface is "eno1". If this device
doesn't exist on your machine, change the ``network`` definition to
specify the correct bind interface.

.. Important::

   If the bind interface doesn't exist,
   you may see a ZMQ error in the sawtooth-validator
   systemd logs when attempting to start the validator, as in this example:

   .. code-block:: console

      Jun 02 14:50:37 ubuntu validator[15461]: File "/usr/lib/python3.5/threading.py", line 862, in run
      ...
      Jun 02 14:50:37 ubuntu validator[15461]: File "zmq/backend/cython/socket.pyx", line 487, in zmq.backend.cython.socket.Socket.bind (zmq/backend/cython/socket.c:5156)
      Jun 02 14:50:37 ubuntu validator[15461]: File "zmq/backend/cython/checkrc.pxd", line 25, in zmq.backend.cython.checkrc._check_rc (zmq/backend/cython/socket.c:7535)
      Jun 02 14:50:37 ubuntu validator[15461]: zmq.error.ZMQError: No such device
      Jun 02 14:50:37 ubuntu systemd[1]: sawtooth-validator.service: Main process exited, code=exited, status=1/FAILURE
      Jun 02 14:50:37 ubuntu systemd[1]: sawtooth-validator.service: Unit entered failed state.
      Jun 02 14:50:37 ubuntu systemd[1]: sawtooth-validator.service: Failed with result 'exit-code'.

Restrict permissions on ``validator.toml`` to protect the network private key.
The file should be owned by root, readable by the sawtooth group, and not
readable by anyone else (mode 640):

.. code-block:: console

   $ sudo chown root:sawtooth /etc/sawtooth/validator.toml
   $ sudo chmod 640 /etc/sawtooth/validator.toml

Start the Sawtooth Services
---------------------------

Use these commands to start the Sawtooth services:

.. code-block:: console

   $ sudo systemctl start sawtooth-rest-api.service
   $ sudo systemctl start sawtooth-poet-validator-registry-tp.service
   $ sudo systemctl start sawtooth-validator.service
   $ sudo systemctl start sawtooth-settings-tp.service
   $ sudo systemctl start sawtooth-intkey-tp-python.service

You can follow the logs by running:

.. code-block:: console

   $ sudo journalctl -f \
       -u sawtooth-validator \
       -u sawtooth-settings-tp \
       -u sawtooth-poet-validator-registry-tp \
       -u sawtooth-rest-api \
       -u sawtooth-intkey-tp-python

Additional logging output can be found in ``/var/log/sawtooth/``.

To verify that the services are running:

.. code-block:: console

   $ sudo systemctl status sawtooth-rest-api.service
   $ sudo systemctl status sawtooth-poet-validator-registry-tp.service
   $ sudo systemctl status sawtooth-validator.service
   $ sudo systemctl status sawtooth-settings-tp.service
   $ sudo systemctl status sawtooth-intkey-tp-python.service

Stop or Restart the Sawtooth Services
-------------------------------------

If you need to stop or restart the Sawtooth services for any reason, use the
following commands:

Stop Sawtooth services:

.. code-block:: console

   $ sudo systemctl stop sawtooth-rest-api.service
   $ sudo systemctl stop sawtooth-poet-validator-registry-tp.service
   $ sudo systemctl stop sawtooth-validator.service
   $ sudo systemctl stop sawtooth-settings-tp.service
   $ sudo systemctl stop sawtooth-intkey-tp-python.service

Restart Sawtooth services:

.. code-block:: console

   $ sudo systemctl restart sawtooth-rest-api.service
   $ sudo systemctl restart sawtooth-poet-validator-registry-tp.service
   $ sudo systemctl restart sawtooth-validator.service
   $ sudo systemctl restart sawtooth-settings-tp.service
   $ sudo systemctl restart sawtooth-intkey-tp-python.service

.. Licensed under Creative Commons Attribution 4.0 International License
.. https://creativecommons.org/licenses/by/4.0/
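Pre-flight check for the setup described in this guide, written as an added example (it is not part of the Sawtooth project or this page's original content). It verifies the points the guide tells you to check by hand: the isgx module is loaded, no ``[example]``, ``[external interface]`` or ``[seed address N]`` placeholders remain in ``poet_enclave_sgx.toml`` or ``validator.toml``, the ``bind`` network interface actually exists (the cause of the ``ZMQError: No such device`` failure above), the Curve ZMQ keys are set, and ``validator.toml`` and ``sgx-certificate.pem`` carry mode 640. The sample config and ``lsmod`` line are constructed; the script assumes GNU ``stat`` and ``ip`` from iproute2, as shipped on Ubuntu 16.04.

```shell
#!/bin/sh
# Added pre-flight check for the SGX PoET setup above (not Sawtooth project code).
# Each check takes its input as an argument so it can also run on constructed data.
SAMPLE_TOML=$(cat <<'EOF'
bind = [
    "network:tcp://eno1:8800",
    "component:tcp://127.0.0.1:4004"
]
endpoint = "tcp://[external interface]:[port]"
#network_public_key = ''
#network_private_key = ''
EOF
)   # constructed validator.toml: placeholder left in, Curve keys still commented out
SAMPLE_LSMOD='isgx                   36864  2'   # constructed lsmod line
# SGX driver loaded?  $1 = output of `lsmod`
sgx_module_loaded() { printf '%s\n' "$1" | grep -q '^isgx[[:space:]]'; }
# Any "[example]", "[external interface]", "[seed address N]" or "[port]" left in a config?
has_placeholders() {
    printf '%s\n' "$1" | grep -Eq '\[(example|external interface|seed address [0-9]+|port)\]'
}

# Interface named in the network bind entry: "network:tcp://eno1:8800" -> eno1
bind_interface() {
    printf '%s\n' "$1" | sed -n 's/.*"network:tcp:\/\/\([^:]*\):.*/\1/p' | head -n 1
}

# Both Curve ZMQ keys uncommented and non-empty; otherwise peering is unencrypted.
network_keys_set() {
    printf '%s\n' "$1" | grep -Eq "^network_public_key *= *'[^']+'" &&
        printf '%s\n' "$1" | grep -Eq "^network_private_key *= *'[^']+'"
}

# Octal mode of a file (GNU stat, as on Ubuntu); the guide installs these as 640.
file_mode() { stat -c '%a' "$1"; }
# Run every check against the live host, stopping at the first hard failure.
preflight() {
    sgx_module_loaded "$(lsmod)" || { echo 'isgx module not loaded'; return 1; }
    for f in /etc/sawtooth/poet_enclave_sgx.toml /etc/sawtooth/validator.toml; do
        has_placeholders "$(cat "$f")" && { echo "placeholders left in $f"; return 1; }
    done
    vt=$(cat /etc/sawtooth/validator.toml)
    ip link show "$(bind_interface "$vt")" >/dev/null 2>&1 || { echo 'bind interface missing'; return 1; }
    network_keys_set "$vt" || echo 'warning: network_public_key/network_private_key unset'
    for f in /etc/sawtooth/validator.toml /etc/sawtooth/sgx-certificate.pem; do
        [ "$(file_mode "$f")" = 640 ] || { echo "$f is not mode 640"; return 1; }
    done
    echo 'preflight OK'
}
if [ "${1:-}" = run ]; then preflight; fi   # usage: sudo sh preflight.sh run
```

Run it as root after the configuration steps, before starting the validator service; the warning about unset Curve keys is non-fatal because the guide leaves them commented out, but a production network should set them.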