canarybit/confidential-data-collaboration

NGI DAPSI CoCEM (COnfidential Computing Enclaves for the Masses)

Confidential AI prototype

LICENCE

The code is licensed under the Apache-2 licence. Third-party code used in the project keeps its original licence and all due rights of the copyright holders.

This repository contains all the resources used to build a confidential AI prototype, developed within the NGI DAPSI project CoCEM (COnfidential Computing Enclaves for the Masses). The implementation's source code is in the three main folders below:

  1. ServiceProvider = server repository, for the party that owns the SGX-capable machine
  2. MLClient = client repository, for the party that owns a machine learning model
  3. DataClient = client repository, for the party that owns data for the machine learning model

Getting Started

If you have not installed the SGX driver on your platform, follow either of the links below:

  1. https://download.01.org/intel-sgx/sgx-linux/2.11/docs/Intel_SGX_Installation_Guide_Linux_2.11_Open_Source.pdf
  2. https://github.com/intel/linux-sgx-driver

Once SGX is configured, download Occlum and follow its manual installation instructions at the following link: https://github.com/occlum/occlum

To configure the SGX Data Center Attestation Primitives (DCAP) components, follow the instructions at the link below: https://software.intel.com/content/www/us/en/develop/articles/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html

Reconcile the guide at that link with the original DCAP project at the following link: https://github.com/intel/SGXDataCenterAttestationPrimitives

Make sure both sample programs, Quote Generation and Quote Verification, run successfully.

Build Program

To build the program, the three instances (ServiceProvider, MLClient, and DataClient) should be installed in different Docker containers, so it is easiest to install Occlum itself from its Docker image. You also need to create a new network interface so that two or more Docker containers can communicate with each other. Follow this guide to configure the interface: https://medium.com/techanic/docker-containers-ipc-using-sockets-part-2-834e8ea00768

  1. Install ServiceProvider in one Occlum container, including the port interface for networking:
     docker run --network=interface_name --name server --expose port_number -it --device /dev/sgx occlum/occlum:version-ubuntu_version
  2. Install MLClient in one Occlum container, including the port interface for networking:
     docker run --network=interface_name --name ml_client --expose port_number -it --device /dev/sgx occlum/occlum:version-ubuntu_version
  3. Install DataClient in one Occlum container, including the port interface for networking:
     docker run --network=interface_name --name data_client --expose port_number -it --device /dev/sgx occlum/occlum:version-ubuntu_version
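
The three steps above as one script, together with a network-creation step (`docker network create`) and a host check for the SGX device node. This is an added example, not part of the repository; the script name `cocem-up.sh` and the variables `NET`, `PORT`, `OCCLUM_TAG` and `SGX_DEVICE` are assumptions standing in for the `interface_name`, `port_number` and `version-ubuntu_version` placeholders.

```shell
#!/bin/sh
# Added example, not project code. NET, PORT, OCCLUM_TAG and SGX_DEVICE are
# assumed variable names standing in for the README's placeholders.
set -eu

NET="${NET:-cocem_net}"               # interface_name (hypothetical default)
SGX_DEVICE="${SGX_DEVICE:-/dev/sgx}"  # device path used in the README

# Fail early when the host has no SGX device node to pass into the container.
preflight() {
  [ -e "$SGX_DEVICE" ] || { echo "missing $SGX_DEVICE: install the SGX driver" >&2; return 1; }
}

# Create the shared network once. Containers attached to it reach each other
# by --name; --expose does not publish the port on the host.
ensure_network() {
  docker network inspect "$NET" >/dev/null 2>&1 || docker network create "$NET" >/dev/null
}

# container_cmd print|exec ROLE: print or execute the docker run line for a role.
container_cmd() {
  mode="$1"; role="$2"
  case "$role" in
    server|ml_client|data_client) ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  # No defaults: the README leaves the port and image tag to the operator.
  if [ -z "${PORT:-}" ] || [ -z "${OCCLUM_TAG:-}" ]; then
    echo "set PORT and OCCLUM_TAG first" >&2; return 2
  fi
  set -- docker run --network="$NET" --name "$role" --expose "$PORT" -it \
         --device "$SGX_DEVICE" "occlum/occlum:$OCCLUM_TAG"
  if [ "$mode" = exec ]; then "$@"; else echo "$*"; fi
}

# ./cocem-up.sh plan       print the three commands without running anything
# ./cocem-up.sh up ROLE    check the host, create the network, start ROLE
case "${1:-}" in
  plan) for r in server ml_client data_client; do container_cmd print "$r"; done ;;
  up)   preflight; ensure_network; container_cmd exec "${2:?role required}" ;;
esac
```

Run `plan` first to review the exact commands, then `up server`, `up ml_client` and `up data_client` in three separate terminals, since each container starts interactively.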

Run Program

  1. To run ServiceProvider:
     cd ServiceProvider/ra-mbedtls
     make clean
     make
     export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./lib
     ./run_ra_mbedtls_on_occlum.sh
  2. To run MLClient:
     cd MLClient/ra-mbedtls
     make clean
     make
     export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./lib
     ./run_ra_mbedtls_on_linux.sh
  3. To run DataClient:
     cd DataClient/ra-mbedtls
     make clean
     make
     export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./lib
     ./run_ra_mbedtls_on_linux.sh