# alinux-confidential

Part of **ALINUX**

# Alibaba Cloud Linux Confidential Computing Console Guide

## Operations Overview

| Operation | Console Entry Point | Prerequisites | Description |
|----------|---------------------|---------------|-------------|
| Run Confidential Container | Console > Elastic Compute Service (ECS) > Instances > Create Instance | - A security-enhanced ECS instance running an Alibaba Cloud Linux image (e.g., ecs.g7t with Alibaba Cloud Linux 3.2104 64-bit (UEFI))<br>- An SGX encrypted computing environment configured on the instance | Deploy confidential containers in Docker using Inclavare Containers and Occlum runtime |

## Step-by-Step Instructions

### Run Confidential Container

**Navigation**: Console > Elastic Compute Service (ECS) > Instances > Create Instance

**Prerequisites**:
- A security-enhanced ECS instance running an Alibaba Cloud Linux image (e.g., ecs.g7t with Alibaba Cloud Linux 3.2104 64-bit (UEFI))
- An SGX encrypted computing environment configured on the instance

1. Log in to the security-enhanced ECS instance  
   - Element: **Log in to the security-enhanced ECS instance** (text_input) — located in the top-right corner  
   - Notes: Ensure you have SSH access or use the Cloud Assistant terminal in the console

2. Install rune using yum install command  
   - Element: **sudo yum install -y rune** (text_input) — main content area  
   - Notes: Use the command matching your Alibaba Cloud Linux version

3. Verify rune installation using which rune command  
   - Element: **which rune** (text_input) — main content area  
   - Notes: Expected output: `/usr/local/bin/rune`

4. Install Occlum software stack using yum install  
   - Element: **sudo yum install -y occlum-pal** (text_input) — main content area  

5. Verify Occlum installation using ls command  
   - Element: **ls /opt/occlum/build/lib** (text_input) — main content area  
   - Notes: Expected output includes `libocclum-pal.so.0.21.0`

6. Add rune to Docker configuration file daemon.json  
   - Element: **sudo tee /etc/docker/daemon.json** (text_input) — main content area  
   - Notes: Include the full JSON configuration block that registers rune as a runtime

7. Restart Docker daemon using systemctl restart docker  
   - Element: **sudo systemctl restart docker** (button) — main content area  
   - Notes: Warning: This shuts down all running containers. Enable Docker’s live restore feature if needed to avoid disruption

8. Verify rune is registered using docker info | grep rune  
   - Element: **sudo docker info | grep rune** (text_input) — main content area  
   - Notes: Expected output includes `rune` in the list of runtimes

9. Start the Occlum build container using docker run with --privileged flag  
   - Element: **sudo docker run -it --privileged** (text_input) — main content area  
   - Notes: Use only in trusted build environments due to elevated privileges

10. Write the Hello World test program using cat << EOF  
    - Element: **cat << EOF > hello_world.c** (text_input) — main content area  

11. Compile the program using occlum-gcc  
    - Element: **occlum-gcc -o hello_world hello_world.c** (text_input) — main content area  

12. Initialize an Occlum instance using occlum new  
    - Element: **occlum new occlum_instance** (text_input) — main content area  

13. Generate the Occlum FS image and sign the enclave using occlum build  
    - Element: **occlum build --sign-key occlum_key.pem** (text_input) — main content area  
    - Notes: You will be prompted to set a passphrase for the signing key

14. Switch from Debug Enclave to Production Enclave by editing Occlum.json  
    - Element: **sed -i 's/"debuggable": true/"debuggable": false/g' Occlum.json** (text_input) — main content area  

15. Rebuild the enclave after changing debuggable setting  
    - Element: **occlum build --sign-key occlum_key.pem** (text_input) — main content area  

16. Package the application and copy it to work directory  
    - Element: **occlum package occlum_instance.tar.gz && cp occlum_instance.tar.gz /root/rune_workdir** (text_input) — main content area  

17. Exit the Occlum build container  
    - Element: **exit** (text_input) — main content area  

18. Create the confidential container image using docker build  
    - Element: **sudo docker build . -t occlum-app** (text_input) — main content area  

19. Run the confidential container using docker run with --runtime=rune  
    - Element: **sudo docker run -it --rm --runtime=rune** (text_input) — main content area  
    - Notes: Include all required environment variables such as `OCCLUM_LOG_LEVEL` and mount points as needed
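As an added example (not part of this guide or of the Inclavare Containers/Occlum projects), the POSIX shell helper below renders the `daemon.json` runtime entry from step 6 and applies the production-enclave switch from step 14, checking each result on constructed sample files; it assumes rune lives at `/usr/local/bin/rune` (the path step 3 expects) and that `Occlum.json` carries a `"debuggable"` key.

```shell
#!/bin/sh
# Added example, not from the guide or the Inclavare/Occlum projects.
# Assumes rune is at /usr/local/bin/rune (step 3) and Occlum.json holds
# a "debuggable" key (step 14). Constructed sample files are used below.

# Step 6: render a daemon.json that registers rune as a Docker runtime.
render_daemon_json() {
  cat <<EOF
{
  "runtimes": {
    "rune": {
      "path": "$1",
      "runtimeArgs": []
    }
  }
}
EOF
}

# Return 0 if FILE registers a "rune" runtime whose path is RUNE_PATH.
daemon_json_registers_rune() {
  grep -q '"rune"' "$1" && grep -q "\"path\": \"$2\"" "$1"
}

# Step 14: switch debuggable to false (production enclave) and verify
# that no debuggable=true entry survives before the enclave is rebuilt.
make_production_enclave() {
  sed 's/"debuggable": true/"debuggable": false/g' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1" || return 1
  ! grep -q '"debuggable": true' "$1" && grep -q '"debuggable": false' "$1"
}

# Run both helpers against constructed files in a scratch directory.
demo() {
  d=$(mktemp -d) || return 1
  render_daemon_json /usr/local/bin/rune > "$d/daemon.json"
  daemon_json_registers_rune "$d/daemon.json" /usr/local/bin/rune || return 1
  # Constructed minimal Occlum.json; a real one carries more keys.
  printf '{\n  "metadata": {\n    "debuggable": true\n  }\n}\n' > "$d/Occlum.json"
  make_production_enclave "$d/Occlum.json" || return 1
  rm -rf "$d"
}

demo && echo "daemon.json and Occlum.json checks passed"
```

Run `make_production_enclave Occlum.json` inside the Occlum instance directory before the rebuild in step 15 to confirm the enclave will not be signed as debuggable.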

## FAQ

Q: Where do I find the option to enable SGX when creating an ECS instance?  
A: SGX support is available only on specific instance families like ecs.g7t. During instance creation, select a security-enhanced instance type and ensure the selected Alibaba Cloud Linux image supports SGX (e.g., Alibaba Cloud Linux 3.2104 64-bit (UEFI)).

Q: Can I modify the enclave debug setting after the container is built?  
A: Yes, but you must edit the `Occlum.json` file and rebuild the enclave using `occlum build`. Changing `"debuggable"` from `true` to `false` requires re-signing the enclave.

Q: What happens if I skip restarting the Docker daemon after updating daemon.json?  
A: The rune runtime will not be recognized by Docker. Always restart the Docker daemon using `systemctl restart docker` after modifying `daemon.json`.

Q: Do I need special permissions to run confidential containers?  
A: Yes. You must log in as a user with sudo privileges on an SGX-enabled ECS instance. Additionally, the instance must be launched with a compatible Alibaba Cloud Linux image that includes SGX drivers and libraries.

Q: Can I use this setup with other enclave runtimes besides Occlum?  
A: This guide specifically uses Occlum with Inclavare Containers (rune). Other enclave runtimes may require different integration steps and are not covered here.

## Pricing & Billing

### Billing Model
Billing is based on per-instance-hour usage for SGX-enabled instances.

### Price Reference

| Instance Type | Price |
|---------------|-------|
| ecs.g7t | 0.002 / |

### Free Tier
None specified.

### Billing Notes
SGX-enabled instances incur additional charges for secure enclave usage. The listed price applies to the instance runtime; data transfer, storage, and other resources are billed separately.