This guide is a community collaboration effort to setup on-premise (self-hosted) latest Signal App backend.
Original discussion is in this Forum: Guide - Deploy Signal Server v2.xx + CDS + SGX
Signal™ is a trademark of Quiet Riddle Ventures LLC. The SecureSign projects are not affliated with Signal.org, Signal Messenger LLC, nor Signal Foundation.
Environment assumpted:
- Ubuntu 18.04
- Intel Processor with SGX enabled
- You are able to enable SGX in BIOS
Guide parts:
- Setup SGX Driver
- Setup SGX PSW
- Setup Signal CDS (Contact Discovery Service)
- Setup Signal Server
- Setup Signal Android
- Setup Signal iOS
First, you need to clone linux-sgx-driver
repository to your computer:
git clone https://github.com/intel/linux-sgx-driver.git
Change directory to local repository:
cd linux-sgx-driver
Then you need to use sgx2
branch:
git chekcout sgx2
You can follow guide provided in the repository: Build and Install the Intel(R) SGX Driver
But I will provide example to build and install in Ubuntu 18.04, maybe it will be useful for you to get the general idea.
Check if matching kernel headers are installed:
$ dpkg-query -s linux-headers-$(uname -r)
To install matching headers:
$ sudo apt-get install linux-headers-$(uname -r)
Build the driver from source code:
$ make
To install the Intel(R) SGX driver, enter the following command with root privilege:
$ sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
$ sudo sh -c "cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules"
$ sudo /sbin/depmod
$ sudo /sbin/modprobe isgx
[You want to contribute? Please submit GitHub issue and Pull Request.]
You can see sample of YML configuration file for Signal CDS: config-signal-cds.yml
spid
is "Service Provider ID" assigned by Intel for you. You can get it by sign-up for an Intel account, and start service subscription in Intel's SGX self-service portal
Then you will need X.590 certificate and RSA private key. You can generate one by using this command:
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365
Please check your server.key
file value, is it started with string below:
-----BEGIN PRIVATE KEY-----
If so, we need to convert the key in PKCS#8 format to old PKCS#1, format expected by the CDS program using this command:
openssl rsa -in server.key -out server_new.key
Copy-and-paste value of server.crt
to certificate
field inside YML configuration file. For key
field, you need to copy value from server.key
or server_new.key
which started with string below:
-----BEGIN RSA PRIVATE KEY-----
Then please build your enclave
using this command:
make -C <repository_root>/enclave
It will place a file (your compiled CDS SGX enclave) inside this directory:
services/src/main/resources/enclave/
Your SGX enclave binary file will be named 64-chars long, with ".so" suffix like this:
services/src/main/resources/enclave/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.so
Please copy the 64-chars file name (without the ".so") to mrenclave
field in YML file.
[You want to contribute? Please submit GitHub issue and Pull Request.]
[You want to contribute? Please submit GitHub issue and Pull Request.]
[You want to contribute? Please submit GitHub issue and Pull Request.]