tencent cloud

Cloud Virtual Machine

DocumentationCloud Virtual MachineUse CasesOther Practical TutorialsSetting Up a Tencent SGX Confidential Computing Environment

Setting Up a Tencent SGX Confidential Computing Environment

PDF
Focus Mode
Font Size
Last updated: 2026-04-21 11:44:59

Overview

This article introduces how to build a Tencent SGX confidential computing environment in the security-enhanced memory type M6ce instance and use the Intel SGX SDK to verify the SGX feature.

Prerequisites

You have created and logged in to the Security-Enhanced Memory-Optimized M6ce Instance.
For detailed directions on how to create an instance, see Creating Instances via CVM Purchase Page.
For detailed directions on how to log in to an instance, see Logging in to Linux Instance Using Standard Login Method.
CVM requires public network access. You can choose to assign a public IP address when a CVM is created, or configure EIP for it after the CVM is created.
Note:
This article uses an instance running TencentOS Server 3.1(TK4) as an example. Steps may vary slightly depending on your operating system version. Adjust the steps according to your actual situation.

Install Intel SGXSDK

1. Run the following command to check the kernel version.
uname -a
Check whether the kernel version is earlier than 5.4.119-19.0008.
If yes, run the following command to update the kernel:
Warning:
Upgrading the operating system kernel is a complex and high-risk operation that may lead to system instability or compatibility issues. Before proceeding, it is recommended to back up critical data, familiarize yourself with the upgrade process and potential problems, and proceed with caution.
yum update kernel
If no, proceed to the next step.
2. Run the following command to install the required software packages for SGX runtime, where the default installation directory for the SGX AESM service is /opt/intel/sgx-aesm-service.
yum install \\
 libsgx-ae-le libsgx-ae-pce libsgx-ae-qe3 libsgx-ae-qve \\
 libsgx-aesm-ecdsa-plugin libsgx-aesm-launch-plugin libsgx-aesm-pce-plugin libsgx-aesm-quote-ex-plugin \\
 libsgx-dcap-default-qpl libsgx-dcap-default-qpl-devel libsgx-dcap-ql libsgx-dcap-ql-devel \\
 libsgx-dcap-quote-verify libsgx-dcap-quote-verify-devel libsgx-enclave-common libsgx-enclave-common-devel libsgx-epid-devel \\
 libsgx-launch libsgx-launch-devel libsgx-pce-logic libsgx-qe3-logic libsgx-quote-ex libsgx-quote-ex-devel \\
 libsgx-ra-network libsgx-ra-uefi libsgx-uae-service libsgx-urts sgx-ra-service \\
sgx-aesm-service -y
3. Run the following command to install the Intel SGX SDK.
wget https://mia-1251783334.cos.ap-shanghai.myqcloud.com/sgx_linux_x64_sdk_2.23.100.2.bin -O sgx_linux_x64_sdk_2.23.100.2.bin
chmod +x ./sgx_linux_x64_sdk_2.23.100.2.bin
./sgx_linux_x64_sdk_2.23.100.2.bin
Note:
When ./sgx_linux_x64_sdk is executed, select an installation directory. It is recommended not to install in the current directory but to /opt/intel/. At this point, the default installation directory for Intel SGX SDK is /opt/intel/sgxsdk. You can refer to the Intel SGX SDK User Manual to develop SGX applications.
4. After installing SGX runtime and Intel SGX SDK, restart the instance. For details, see Restarting an Instance.
Note:
During the restart period, the instance will be unavailable. Therefore, before restarting, make sure that the CVM has stopped processing service requests.

Configure Tencent Cloud SGX remote attestation service

Tencent Cloud SGX remote attestation service adopts a regional deployment. It is recommended that you access the remote attestation service in the region where the SGX CVM instances are located for the best experience.

Must-Knows

Tencent Cloud SGX remote attestation service is deployed in Beijing, Shanghai, Guangzhou, Nanjing, and Singapore regions.
Even if your SGX CVM instances are not in the above regions, you can still properly use the SGX remote attestation service. Simply choose the nearest service in any deployed region to access it, and requests between regions are interoperable, which does not affect feature availability.
Region
[Region-ID]
Beijing
bj
Shanghai
sh
Guangzhou
gz
Nanjing
nj
Singapore
sg
Intel Ice Lake supports only the remote attestation method based on Intel SGX DCAP rather than Intel EPID.

Tencent Cloud SGX remote attestation service upgrade

According to relevant Intel announcements, Intel will completely stop the service of Intel® SGX PCS API version 2 and version 3 at Beijing time 2026-04-30 23:00. If you are currently still using the SGX remote attestation service, please ensure to upgrade to Intel® SGX PCS API version 4 before this time.

To upgrade to Intel® SGX PCS API version 4, you only need to modify the remote attestation service URL in the /etc/sgx_default_qcnl.conf configuration file by replacing v3 with v4. After saving the changes, re-validate the SGX remote attestation feature. For specific configuration modifications, see the Procedure.


Operation Steps

Please follow the steps below to manually modify the file /etc/sgx_default_qcnl.conf
Note:
After the Intel SGXSDK is installed, the default configuration file for the remote attestation service /etc/sgx_default_qcnl.conf will be automatically generated.
/etc/sgx_default_qcnl.conf belongs to the rpm package libsgx-dcap-default-qpl. Its format supports both toml and JSON file formats. The following section will describe how to configure it in both cases.

If you are using JSON to configure /etc/sgx_default_qcnl.conf: Use the VIM editor to open /etc/sgx_default_qcnl.conf, locate pccs_url, and modify the line to the following content:
"pccs_url": "https://sgx-dcap-server-tc.[Region-ID].tencent.cn/sgx/certification/v4/"
Wherein, replace [Region-ID] according to the region you select. Taking the Beijing region as an example, the modification example is as follows:
"pccs_url": "https://sgx-dcap-server-tc.bj.tencent.cn/sgx/certification/v4/"

If you are using toml to configure /etc/sgx_default_qcnl.conf: use the VIM editor to modify /etc/sgx_default_qcnl.conf to the following content:
# PCCS server address
PCCS_URL=https://sgx-dcap-server-tc.[Region-ID].tencent.cn/sgx/certification/v4/
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=TRUE
Wherein, replace [Region-ID] according to the region you select. Taking the Beijing region as an example, the modification example is as follows:
# PCCS server address
PCCS_URL=https://sgx-dcap-server-tc.bj.tencent.cn/sgx/certification/v4/
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=TRUE



Examples of SGX Feature Verification

Example 1. Start an enclave

The Intel SGX SDK provides sample SGX code for verifying SGX features in the default directory of /opt/intel/sgxsdk/SampleCode. The effect of this sample code (SampleEnclave) is to start an enclave to check whether the installed SGX SDK works normally and whether the confidential memory resource of your SGX CVM instance is available.
1. Run the following command to set the environment variables related to the Intel SGX SDK:
source /opt/intel/sgxsdk/environment
2. Run the following command to compile the sample code 
cd /opt/intel/sgxsdk/SampleCode/SampleEnclave && make
3. Run the following command to run the complied executable file:
./app
If the following result is returned, it indicates that the service has been started successfully.




Example 2. Perform remote SGX verification

The Intel SGX code tree provides sample code to verify the SGX remote attestation feature (DCAP). This sample involves generating and verifying quotes, including the quote generator (
1. Run the following command to set the environment variables related to the Intel SGX SDK:
source /opt/intel/sgxsdk/environment
2. Run the following commands in sequence to install Git and download the Intel SGX DCAP code tree:
cd /root && yum install git -y
git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
git checkout DCAP_1.20
3. Run the following commands in sequence to compile and run the sample code of the quote generator
3.1 Enter the 
cd /root/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample
3.2 Compile 
make
3.3 Run 
./app
4. Run the following command to compile the sample code of the quote verifier 
cd /root/SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample && make
5. Run the following command to sign the 
sgx_sign sign -key Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml
sgx_sign sign -key ../QuoteGenerationSample/Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml # DCAP_1.16 new version path
6. Run the following command to run 
./app
If the result as shown in the following figure is returned, the verification is successful.




Previous Topic: Using RemoteFx to Redirect USB Devices on Windows InstancesNext Topic: Configuring Persistent Memory for an M6p Instance

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback