PoET SGX Enclave Configuration File

This configuration file specifies configuration settings for a PoET SGX enclave.

If the config directory contains a file named poet_enclave_sgx.toml, the configuration settings are applied when the component starts. Specifying a command-line option will override the setting in the configuration file.

Note

By default, the config directory is /etc/sawtooth/. See Path Configuration File for more information.

An example configuration file is in the sawtooth-core repository at /sawtooth-core/consensus/poet/sgx/packaging/poet_enclave_sgx.toml.example. To create a PoET SGX enclave configuration file, download this example file to the config directory and name it poet_enclave_sgx.toml. Set the ownership and permissions to owner root, group sawtooth, and permissions 640. Then edit the file to change the example configuration options as necessary for your system.

Note

See Using Sawtooth with PoET-SGX for an example of changing settings in poet_enclave_sgx.toml when configuring Sawtooth with the SGX implementation of PoET.

The poet_enclave_sgx.toml configuration file has the following options:

  • spid = 'string'

    Specifies the Service Provider ID (SPID), which is linked to the key pair used to authenticate with the attestation service. Default: none. The SPID value is a 32-character hex string (16 bytes) tied to the enclave implementation; for example:

    spid = 'DEADBEEF00000000DEADBEEF00000000'
    
  • ias_url = 'URL'

    Specifies the URL of the Intel Attestation Service (IAS) server. Default: none. Note that the URL shown in poet_enclave_sgx.toml.example is a test server that serves debug enclaves only; a production deployment must point at the production IAS endpoint instead:

    ias_url = 'https://test-as.sgx.trustedservices.intel.com:443'
    
  • spid_cert_file = '/full/path/to/certificate.pem'

    Identifies the PEM-encoded certificate file that was submitted to Intel in order to obtain a SPID. Default: none. Specify the full path to the certificate file. The file must contain both the certificate and its private key, so give it the same ownership and permissions as the configuration file (owner root, group sawtooth, mode 640). This pem file can be created from the cert.crt and cert.key files with this command:

    $ cat cert.crt cert.key > cert.pem
    

    Or from a cert.pfx (PKCS#12) file with the following command; -nodes writes the private key unencrypted, so protect the output file as described above:

    $ openssl pkcs12 -in cert.pfx -out cert.pem -nodes
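The steps above (copy the example file, set mode 640, fill in spid, ias_url and spid_cert_file, and build the PEM) are easy to get slightly wrong, and a mistake only shows up when the validator fails to attest. The script below is an added example, not code from sawtooth-core: it builds a constructed sample configuration and a placeholder PEM (marker lines only, no real key material) in a temporary directory and checks the SPID format, the IAS URL scheme, the presence of both certificate and key in the PEM, and the 640 mode. All function names are this example's own. It checks only the mode, because it runs unprivileged; in a real deployment also run chown root:sawtooth on both files.

```shell
#!/bin/sh
# Added example (not part of sawtooth-core): sanity-check a poet_enclave_sgx.toml
# and its spid_cert_file before starting the validator. Helper names are this
# example's own, and the sample files below are constructed for it.

# --- constructed sample input -------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CERT="$SAMPLE_DIR/cert.pem"
SAMPLE_CONF="$SAMPLE_DIR/poet_enclave_sgx.toml"

# Placeholder PEM with marker lines only; no real certificate or key material.
cat > "$SAMPLE_CERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholder
-----END RSA PRIVATE KEY-----
EOF

# Sample config using the SPID and IAS URL values shown on this page.
cat > "$SAMPLE_CONF" <<EOF
spid = 'DEADBEEF00000000DEADBEEF00000000'
ias_url = 'https://test-as.sgx.trustedservices.intel.com:443'
spid_cert_file = '$SAMPLE_CERT'
EOF

# In production also: chown root:sawtooth on both files. This example runs
# unprivileged, so it only sets the mode.
chmod 640 "$SAMPLE_CONF" "$SAMPLE_CERT"

# --- checks -------------------------------------------------------------------

# toml_value FILE KEY: print the single-quoted string assigned to KEY.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# file_mode PATH: octal permission bits (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_spid SPID: succeed only for exactly 32 hex digits (a 16-byte SPID).
check_spid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$'
}

# check_ias_url URL: require https; warn when pointed at the debug-only server.
check_ias_url() {
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        https://test-as.*) echo "warning: $1 is the debug-enclave IAS, not production" >&2 ;;
    esac
    return 0
}

# check_cert_file PATH: the PEM must carry both the certificate and the private
# key, as produced by 'cat cert.crt cert.key' or 'openssl pkcs12 -nodes'.
check_cert_file() {
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# check_perms PATH: mode must be exactly 640 (the key must not be world-readable).
check_perms() {
    [ "$(file_mode "$1")" = "640" ]
}

# validate_config FILE: run every check; the first failure is reported on stderr.
validate_config() {
    conf="$1"
    check_perms "$conf" || { echo "$conf: mode must be 640" >&2; return 1; }
    check_spid "$(toml_value "$conf" spid)" \
        || { echo "$conf: spid must be 32 hex digits" >&2; return 1; }
    check_ias_url "$(toml_value "$conf" ias_url)" \
        || { echo "$conf: ias_url must be an https URL" >&2; return 1; }
    cert=$(toml_value "$conf" spid_cert_file)
    check_cert_file "$cert" || { echo "$cert: need certificate and private key" >&2; return 1; }
    check_perms "$cert" || { echo "$cert: mode must be 640" >&2; return 1; }
}

validate_config "$SAMPLE_CONF" && echo "$SAMPLE_CONF: ok"
```

Run it against /etc/sawtooth/poet_enclave_sgx.toml by replacing the constructed sample with the real path; the warning from check_ias_url is the reminder that the example file's test-as URL is not a production setting.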