- Ubuntu 20.04 with Linux Kernel ≥ 5.11
- CPU: Intel Xeon E-2288G
- Docker (>= 20.10.21) & Docker-Compose
To establish a TLS channel, we need a CA and generates a client cert for mutual authentication, store them at cert directory.
-
Generate Client private key:
openssl ecparam -genkey -name prime256v1 -out cert/client.key
-
Export the keys to pkcs8 unencrypted format
openssl pkcs8 -topk8 -nocrypt -in cert/client.key -out cert/client.pkcs8
-
Generate Client CSR
openssl req -new -SHA256 -key cert/client.key -nodes -out cert/client.csr
-
Generate Client Cert
openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,DNS:www.example.com") -days 3650 -in cert/client.csr -CA cert/ca.crt -CAkey cert/ca.key -CAcreateserial -out cert/client.crt
public.ecr.aws/clique/clique-sibyl-base:2.1.2public.ecr.aws/clique/clique-sibyl-mtls-base:2.1.2public.ecr.aws/clique/clique-sibyl-dcsv2-base:2.1.2public.ecr.aws/clique/clique-sibyl-dcsv2-mtls-base:2.1.2
-
Build Sibyl:
docker build -t sibyl -f Dockerfile.sibyl . -
Build Sibyl with mTLS:
docker build -t sibyl -f Dockerfile.mTLS.sibyl . -
Build DCsv2 Sibyl:
docker build -t sibyl -f Dockerfile.DCsv2.sibyl . -
Build DCsv2 Sibyl with mTLS:
docker build -t sibyl -f Dockerfile.DCsv2.mTLS.sibyl . -
Build DCsv2 custom DCAP service:
docker build -t pccs -f Dockerfile.DCsv2.pccs . -
Deploy Sibyl:
docker compose -f docker-compose.yml up
-
Deploy Sibyl with custom DCAP service:
docker compose -f docker-compose-dcap.yml up
Then Sibyl will run and listen on port 3443.
For Azure VMs, custom DCAP service is only avaiable for DCsv2 and is not supported in DCsv3.
curl -k --location 'https://localhost:3443/query' --key ./cert/client.pkcs8 --cert ./cert/client.crt \
--header 'Content-Type: application/json' \
--data '{
"query_type": "plaid_get_rsa_public_key"
}'