
Quickstart: Deploy an Azure Confidential Computing VM in the Marketplace

Get started with Azure confidential computing by using the Azure Marketplace to create a virtual machine (VM) backed by Intel SGX. You'll then install the Open Enclave Software Development Kit (OE SDK) to set up your development environment.

This tutorial is recommended if you want to quickly start deploying a confidential computing virtual machine. The VMs run on specialty hardware and require specific configuration inputs to run as intended. The marketplace offering described in this quickstart makes deployment easier by restricting user input.

If you're interested in deploying a confidential computing virtual machine with more custom configuration, follow the Azure portal Confidential Compute virtual machine deployment steps.

Prerequisites

If you don't have an Azure subscription, create an account before you begin.

Note

Free trial accounts do not have access to the virtual machines used in this tutorial. Please upgrade to a Pay-As-You-Go subscription.

Sign in to Azure

  1. Sign in to the Azure portal.

  2. At the top, type Azure confidential computing into the search bar.

  3. Select Azure confidential computing (Virtual Machine) in the Marketplace section.

    (Screenshot: Select Marketplace)

  4. On the Azure confidential compute deployment landing page, select Create.

Configure your virtual machine

  1. In the Basics tab, select your Subscription and Resource Group. Your resource group must be empty to deploy a virtual machine from this template into it.

  2. Type or select the following values:

    • Region: Select the Azure region that's right for you.

      Note

      Confidential computing virtual machines only run on specialized hardware available in specific regions. For the latest available regions for DCsv2-Series VMs, see available regions.

    • Choose Image: Select any image. If you would like to complete this specific tutorial, select Ubuntu 18.04 (Gen 2). Otherwise, you'll be redirected at the appropriate steps below.

    • Virtual machine name: Enter a name for your new VM.

    • Authentication type: Select SSH public key if you're creating a Linux VM.

      Note

      You can use either an SSH public key or a password for authentication. SSH is more secure. For instructions on how to generate an SSH key, see Create SSH keys on Linux and Mac for Linux VMs in Azure.

    • Username: Enter the administrator name for the VM.

    • SSH public key: If applicable, enter your RSA public key.

    • Password: If applicable, enter your password for authentication.

  3. Select the Next: Virtual machine settings button at the bottom of your screen.

    Important

    Wait for the page to update. You should not see a message that says "Confidential Computing DCsv2-series VMs are available in a limited number of regions." If this message persists, return to the previous page and select an available DCsv2-Series region.

  4. For Change size, choose a VM with confidential computing capabilities in the size selector.

    Tip

    You should see the sizes DC1s_v2, DC2s_v2, DC4s_v2, and DC8_v2. These are the only virtual machine sizes that currently support confidential computing. Learn more.

  5. For OS Disk Type, select a disk type.

  6. For Virtual Network, create a new one or choose from an existing resource.

  7. For Subnet, create a new one or choose from an existing resource.

  8. For Select public inbound ports, choose SSH (Linux) / RDP (Windows). In this quickstart, this step is necessary to connect to the VM and complete the Open Enclave SDK configuration.

  9. For Boot Diagnostics, leave it disabled for this quickstart.

  10. Select Review + create.

  11. In the Review + create pane, select Create.

Note

Proceed to the next section and continue with this tutorial if you deployed a Linux VM. If you deployed a Windows VM, follow these steps to connect to your Windows VM and then install the OE SDK on Windows.

Connect to the Linux VM

If you already use a BASH shell, connect to the Azure VM using the ssh command. In the following command, replace the VM user name and IP address with those of your Linux VM.

ssh azureadmin@40.55.55.555

You can find the public IP address of your VM in the Azure portal, under the Overview section of your virtual machine.

(Screenshot: IP address in the Azure portal)

If you're running on Windows and don't have a BASH shell, install an SSH client, such as PuTTY.

  1. Download and install PuTTY.

  2. Run PuTTY.

  3. On the PuTTY configuration screen, enter your VM's public IP address.

  4. Select Open and enter your username and password at the prompts.

For more information about connecting to Linux VMs, see Create a Linux VM on Azure using the Portal.

Note

If you see a PuTTY security alert about the server's host key not being cached in the registry, choose from the following options. If you trust this host, select Yes to add the key to PuTTY's cache and continue connecting. If you want to carry on connecting just once, without adding the key to the cache, select No. If you don't trust this host, select Cancel to abandon the connection.

Install the Open Enclave SDK (OE SDK)

Follow the step-by-step instructions to install the OE SDK on your DCsv2-Series virtual machine running an Ubuntu 18.04 LTS Gen 2 image.

If your virtual machine runs Ubuntu 18.04 LTS Gen 2, follow the installation instructions for Ubuntu 18.04.

1. Configure the Intel and Microsoft APT Repositories

echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -

echo "deb http://apt.llvm.org/bionic/ llvm-toolchain-bionic-7 main" | sudo tee /etc/apt/sources.list.d/llvm-toolchain-bionic-7.list
wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -

echo "deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main" | sudo tee /etc/apt/sources.list.d/msprod.list
wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
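The commands above add each vendor key to the global apt-key trust store, where it can sign packages from any configured repository. As an added example (not from the Azure docs or the Open Enclave project), the script below configures the same three repositories but pins each entry to its own keyring with `signed-by=`, so a key is only trusted for the repository it belongs to. The keyring paths under /usr/share/keyrings are my own choice; by default the script only prints the entries it would write, and `APPLY=1` makes it install the keys and files (which needs sudo, wget and gpg).

```shell
#!/bin/sh
# Added example: per-repository key pinning for the Intel SGX, LLVM and
# Microsoft APT repositories used in this quickstart. Keyring locations
# under /usr/share/keyrings are an assumption, not part of the docs.

# Print one sources.list entry: $1 repo URL, $2 suite, $3 component, $4 keyring.
apt_source_line() {
    printf 'deb [arch=amd64 signed-by=%s] %s %s %s\n' "$4" "$1" "$2" "$3"
}

# Write that entry to file $5 and confirm the file holds exactly that line.
write_apt_source() {
    line="$(apt_source_line "$1" "$2" "$3" "$4")"
    printf '%s\n' "$line" > "$5"
    [ "$(cat "$5")" = "$line" ]
}

# Download an ASCII-armored key ($1) and store it dearmored in keyring $2.
install_repo_key() {
    wget -qO - "$1" | gpg --dearmor | sudo tee "$2" > /dev/null
}

# Configure one repository end to end: key first, then the pinned entry.
# $1 repo URL, $2 suite, $3 component, $4 key URL, $5 short name.
configure_repo() {
    keyring="/usr/share/keyrings/$5.gpg"
    install_repo_key "$4" "$keyring"
    apt_source_line "$1" "$2" "$3" "$keyring" \
        | sudo tee "/etc/apt/sources.list.d/$5.list" > /dev/null
}

# Dry run by default; set APPLY=1 to make the changes on the VM.
if [ "${APPLY:-0}" = "1" ]; then
    configure_repo https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main \
        https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key intel-sgx
    configure_repo http://apt.llvm.org/bionic/ llvm-toolchain-bionic-7 main \
        https://apt.llvm.org/llvm-snapshot.gpg.key llvm-toolchain-bionic-7
    configure_repo https://packages.microsoft.com/ubuntu/18.04/prod bionic main \
        https://packages.microsoft.com/keys/microsoft.asc msprod
else
    apt_source_line https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main \
        /usr/share/keyrings/intel-sgx.gpg
    apt_source_line http://apt.llvm.org/bionic/ llvm-toolchain-bionic-7 main \
        /usr/share/keyrings/llvm-toolchain-bionic-7.gpg
    apt_source_line https://packages.microsoft.com/ubuntu/18.04/prod bionic main \
        /usr/share/keyrings/msprod.gpg
fi
```

After applying, `sudo apt update` should report each repository as signed, and the rest of the steps below are unchanged.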

2. Install the Intel SGX DCAP Driver

sudo apt update
sudo apt -y install dkms
wget https://download.01.org/intel-sgx/sgx-dcap/1.4/linux/distro/ubuntuServer18.04/sgx_linux_x64_driver_1.21.bin -O sgx_linux_x64_driver.bin
chmod +x sgx_linux_x64_driver.bin
sudo ./sgx_linux_x64_driver.bin

Warning

Please use the latest Intel SGX DCAP driver from Intel's SGX site.

3. Install the Intel and Open Enclave packages and dependencies

sudo apt -y install clang-7 libssl-dev gdb libsgx-enclave-common libsgx-enclave-common-dev libprotobuf10 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave

Note

This step also installs the az-dcap-client package, which is necessary for performing remote attestation in Azure.

4. Verify the Open Enclave SDK install

See Using the Open Enclave SDK on GitHub for verifying and using the installed SDK.
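Before building samples, it helps to confirm that each layer from the steps above is actually in place: SGX is exposed by the CPU, the DCAP driver created its device nodes, the SDK is installed, and the Azure DCAP quote provider is present. The script below is an added example, not from the Azure docs or the Open Enclave project; the paths it checks (/dev/sgx/enclave and /dev/sgx/provision for the out-of-tree DCAP driver, /opt/openenclave for the SDK, /usr/lib/libdcap_quoteprov.so for az-dcap-client) are assumptions based on the default package layout of that era, and each check takes a directory argument so it can be pointed elsewhere.

```shell
#!/bin/sh
# Added example: post-install readiness check for a DCsv2 VM. Paths are
# assumptions (default locations of the DCAP driver, OE SDK and az-dcap-client).

# Does the CPU advertise SGX? $1 is the text of /proc/cpuinfo. Only kernels
# that know the feature report the "sgx" flag, so a miss here is inconclusive
# on an older kernel; the device-node check below is the decisive one.
sgx_cpu_flag_present() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw 'sgx'
}

# Did the DCAP driver create its device nodes under $1 (default /dev/sgx)?
# enclave is needed to run enclaves, provision to generate attestation quotes.
sgx_device_nodes_present() {
    dir="${1:-/dev/sgx}"
    [ -e "$dir/enclave" ] && [ -e "$dir/provision" ]
}

# Is the OE SDK installed under prefix $1 (default /opt/openenclave)?
# oesign signs enclave images; openenclaverc sets up the build environment.
oe_sdk_present() {
    prefix="${1:-/opt/openenclave}"
    [ -x "$prefix/bin/oesign" ] && [ -f "$prefix/share/openenclave/openenclaverc" ]
}

# Is the Azure DCAP quote provider library present in $1 (default /usr/lib)?
# Without it, quote generation cannot fetch collateral for remote attestation.
az_dcap_client_present() {
    libdir="${1:-/usr/lib}"
    [ -e "$libdir/libdcap_quoteprov.so" ]
}

# Print one line per check against the live system. Always returns 0 so the
# whole summary is shown even when something is missing.
report_sgx_readiness() {
    cpuinfo="$(cat /proc/cpuinfo 2>/dev/null)"
    if sgx_cpu_flag_present "$cpuinfo"; then
        echo "cpu flag:        sgx advertised"
    else
        echo "cpu flag:        sgx not advertised (inconclusive on older kernels)"
    fi
    if sgx_device_nodes_present; then
        echo "dcap driver:     /dev/sgx/enclave and /dev/sgx/provision present"
    else
        echo "dcap driver:     device nodes missing (driver not loaded?)"
    fi
    if oe_sdk_present; then
        echo "oe sdk:          installed under /opt/openenclave"
    else
        echo "oe sdk:          not found under /opt/openenclave"
    fi
    if az_dcap_client_present; then
        echo "az-dcap-client:  libdcap_quoteprov.so present"
    else
        echo "az-dcap-client:  libdcap_quoteprov.so missing (remote attestation will fail)"
    fi
    return 0
}

report_sgx_readiness
```

Run it on the VM after step 3; any line reporting a missing component points at the step to repeat before moving on to the SDK samples.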

Clean up resources

When no longer needed, you can delete the resource group, virtual machine, and all related resources.

Select the resource group for the virtual machine, then select Delete. Confirm the name of the resource group to finish deleting the resources.

Next steps

In this quickstart, you deployed a confidential computing virtual machine and installed the Open Enclave SDK. For more information about confidential computing virtual machines on Azure, see Solutions on Virtual Machines.

Discover how you can build confidential computing applications by continuing to the Open Enclave SDK samples on GitHub.