加入DEK_FILE_PATH和DEK_SEALED_PATH到配置中

2026-04-17 11:08:26 +08:00
parent 46fa58f6f8
commit 94c049b1e6
6 changed files with 69 additions and 12 deletions
--- a/readme.md
+++ b/readme.md
@@ -40,6 +40,33 @@ cmake ..
 make
 make test
 sudo make install
+
+# 安装DCAP组件
+wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
+  | sudo gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] \
+  https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" \
+  | sudo tee /etc/apt/sources.list.d/intel-sgx.list
+sudo apt update
+sudo apt install libsgx-dcap-ql libsgx-dcap-quote-verify \ 
+libsgx-enclave-common libsgx-urts libsgx-dcap-default-qpl \
+sgx-aesm-service
+
+# 安装Open Enclave SDK依赖
+wget -qO- https://packages.microsoft.com/keys/microsoft.asc \
+  | sudo gpg --dearmor -o /usr/share/keyrings/microsoft-oe.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-oe.gpg] \
+  https://packages.microsoft.com/ubuntu/20.04/prod focal main" \
+  | sudo tee /etc/apt/sources.list.d/openenclave.list
+sudo apt update
+sudo apt install open-enclave
+vim ~/.bashrc
+# vim 打开后，将以下内容插入
+export PKG_CONFIG_PATH=${PKG_CONFIG_PATH}:/opt/openenclave/share/pkgconfig
+export CMAKE_PREFIX_PATH=${CMAKE_PREFIX_PATH}:/opt/openenclave/lib/openenclave/cmake
+export PATH=${PATH}:/opt/openenclave/bin
+export OE_SDK_PATH=/opt/openenclave
+source ~/.bashrc
 ```

 ### 1.2 PostgreSQL安装
@@ -47,13 +74,8 @@ sudo make install
 现版本为PostgreSQL-14.2

 ```shell
-# 下载安装PostgreSQL-14.2
-wget https://ftp.postgresql.org/pub/source/v14.2/postgresql-14.2.tar.gz
-tar -xzvf postgresql-14.2.tar.gz
-
-# 解压本项目EncDB，并放到postgresql-14.2/src/interfaces/libpq路径下
-unzip encryptsql.zip
-cp -r encryptsql/ postgresql-14.2/src/interfaces/libpq/
+# 解压 PG
+tar -xzvf postgresql_final.tar.gz

 # 将pg编译到/usr/local/postgresql路径下
 sudo mkdir /usr/local/postgresql
@@ -118,7 +140,34 @@ sudo head -c 16 /dev/urandom > frag_b
 sudo head -c 16 /dev/urandom > frag_c
 ```

-### 1.3 配置数据库
+### 1.3 订阅 PCS 服务
+登录 PCS 服务官网，在`Manage Subscription` 中查看 API 密钥
+`https://api.portal.trustedservices.intel.com/products#product=liv-intel-software-guard-extensions-provisioning-certification-service` 
+```shell
+  //PCCS server address
+  "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+  // To accept insecure HTTPS certificate, set this option to false
+  ,"use_secure_cert": true
+
+  // API key for accessing Intel Trusted Services
+  ,"api_key": "得到的api_key"
+```
+
+### 1.4 配置 Enclave 签名密钥对
+```shell
+sudo mkdir -p /etc/encryptsql/enclave
+# 生成 3072-bit RSA 私钥
+sudo openssl genrsa -3 -out /etc/encryptsql/enclave/sign_enclave_private.pem 3072
+# 从私钥导出公钥
+sudo openssl rsa -in /etc/encryptsql/enclave/sign_enclave_private.pem -pubout \
+  -out /etc/encryptsql/enclave/sign_enclave_public.pem
+# 权限
+sudo chmod 777 /etc/encryptsql/enclave/sign_enclave_private.pem
+sudo chmod 777 /etc/encryptsql/enclave/sign_enclave_public.pem
+```
+
+### 1.5 配置数据库

 ```shell
 cd /usr/local/postgresql
@@ -140,6 +189,7 @@ source ~/.bashrc

 initdb

+# 配置 KeyDistribution 后台接收服务（由 postmaster 启动）
 vim /usr/local/postgresql/data/postgresql.conf
 # vim 打开后，将下面内容加入到尾部
 shared_preload_libraries = 'keydist_receiver'