Develop & Integrate
Explore & DesignDevelop & IntegrateEmbedded Wallet GuidesChangelogCommunityStatusRequest Demo

Install SGX IBM Cloud API Co-signer

Overview

To install an SGX Co-signer in IBM Cloud and connect it to your workspace, follow these steps:

  1. Setup and configure your IBM Cloud environment
    Prepare your IBM Cloud environment by creating and configuring the required resources. Ensure it meets the necessary specifications and security settings.
  2. Add a Co-signer to the workspace using an API user
    Using the Fireblocks Console or APIs, create an API user and use it to add a Co-signer to the workspace.
  3. Install and connect the Co-signer to the workspace
    Download the installation script to the SGX-capable virtual machine and run the script to install the Co-signer. Once installation is complete, the workspace owner approves the new MPC key shares for the API user through the Fireblocks mobile app.

You can now view the Co-signer and its paired API user in your Fireblocks Console. Additionally, you can retrieve information about them using the Co-signer APIs.


Step 1: Setup and configure your IBM Cloud environment

1.1. Allowlist domains

To ensure the Co-signer can be installed and operated successfully, add the following domains to your allowlist:

DomainOwner
mobile-api.fireblocks.ioFireblocks
signurl.fireblocks.ioFireblocks
s3signurl.fireblocks.ioFireblocks
fb-certs.s3.amazonaws.comAWS
fb-cosigner-images.s3.amazonaws.comAWS
fb-customers.s3.amazonaws.comAWS
fb-customers.s3.amazonaws.com/uploadsAWS
download.docker.comDocker
registry.gitlab.comGitLab
cdn.registry.gitlab-static.netGitLab
gitlab.comGitLab
github.comGitHub
download.01.orgIntel SGX Driver
bootstrap.pypa.ioPython Software Foundation
files.pythonhosted.orgPython Software Foundation
pypi.orgPython Software Foundation
pypi.python.orgPython Software Foundation

Fireblocks-owned domains differ based on the specific Fireblocks SaaS environment you are connected to. If you are connected to the European or Swiss SaaS, update your allowlist according to the domains listed in the table below:

Fireblocks SaaSDomains to Allow
Globalmobile-api.fireblocks.io
signurl.fireblocks.io
s3signurl.fireblocks.io
Europeeu2-mobile-api.fireblocks.io
eu2-signurl.fireblocks.io
eu2-s3signurl.fireblocks.io
Swisseu-mobile-api.fireblocks.io
eu-signurl.fireblocks.io
eu-s3signurl.fireblocks.io

Additionally, ensure port access is configured for the following services:

PortService URL
443https://mobile-api.fireblocks.io
443https://s3signurl.fireblocks.io
443https://fb-certs.s3.amazonaws.com
443https://fb-customers.s3.amazonaws.com/uploads/
443https://bootstrap.pypa.io/get-pip.py
443https://download.docker.com/linux
443https://download.01.org/intel-sgx/
5000https://registry.gitlab.com/customer-cosigner

1.2. Create an SGX virtual machine

The minimum hardware requirements for the VM are:

  • RAM: 32GB
  • Storage: 256GB
  • OS:
    • Ubuntu 20.04
    • Latest Linux kernel version
    • Latest Intel microcode (BIOS update)

Complete the following steps to create an SGX-capable VM in IBM Cloud:

  1. On the Dashboard page, select Create Resource.
  1. Go to IBM Cloud catalog > Compute > Bare Metal Servers.
  1. In the Server Profile section, select View all profiles.
  1. Select Intel Xeon E-2174G CPU.
  1. In the Operating System section, select the following options:
    1. Vendor: Ubuntu
    2. Version: 18.04 LTS (64-bit)
    3. RAM (recommended): 32 GB
  1. Select the Software Guard Extensions toggle under Add-ons > Security and Business Continuity.
  1. Lastly, create the VM.

1.3. Verify SGX is enabled on your VM

After creating your virtual machine, confirm that SGX is enabled. The SGX Co-signer requires a server with SGX enabled and the latest patches applied. This verification ensures smooth operation and avoids potential issues.

To verify that SGX is enabled on the VM, run the following commands with root privileges::

 apt update
 apt upgrade
 apt install cpuid
 cpuid -1 | grep -i sgx

Verify the following:

  1. SGX: Software Guard Extensions supported is true
  2. SGX_LC: SGX launch config supported is true

1.4. Additional security recommendations

It is highly recommended to control user and network access to Co-signer's machine. See API Co-signer security checklist and recommended defense and monitoring systems for further information.


Step 2: Add a Co-signer to the workspace using an API user

Follow the instructions to add a new Co-signer to the workspace. Ensure you copy to your clipboard the following items, which you will use during the installation process:

  • The API user's pairing token
  • The download link of the Co-signer's installation script

Step 3: Install and connect the Co-signer to the workspace

Note: You must have root privileges on the Co-signer machine to install the Co-signer. Ensure you are logged in as a root user or use sudo to execute the commands.


3.1. Download the installation script

Using the download link of the SGX Co-signer installation script you copied from the Console, run the curl command to download the package directly to your machine.

Paste the appropriate URL into the following command:

curl -o cosigner "URL"

3.2. Run the installation script

After downloading the installation script, navigate to the directory containing the script and modify the script's permissions to make it executable:

chmod +x cosigner

To install the Co-signer, run: 

./cosigner setup

You will be prompted to enter the Pairing token for the API user, which you retrieve from the Fireblocks Console. This token pairs the API user with the Co-signer.

At this stage, you will have the option to configure the Callback Handler parameters for the API user connecting the Co-signer to the workspace. This feature is optional. You can configure it later through the Console, APIs, or locally from the Co-signer's host machine.

For detailed instructions on setting up your Callback Handler's interface to the Co-signer and implement its logic and code, refer to the Setup API Co-signer Callback Handler section.


The setup process validates the machine's hardware and installs the necessary drivers to support the appropriate SGX version and the SGX Co-signer's executable image. It includes an attestation flow to ensure that the SGX Co-signer's executable runs securely inside an Intel SGX enclave. Additionally, the script installs other required components.

Once the installation is complete, the Co-signer will automatically start running. At the end of the process, the Co-Signer generates a JSON configuration file, which can be used for future configuration updates.


3.3: Approve MPC key shares for the API user

If the API user used to pair with the Co-Signer and connect it to your workspace has an Admin or User role, the workspace owner will receive a notification. This notification will prompt them to approve a new MPC key share request for that API user using the Fireblocks mobile app.

You can now see the Co-signer you installed in the Co-signers tab within the Console's Developer Center. Observe it is online and that the API user is paired to it.


ℹ️

To check the Co-signer's status and observe the logs, see the SGX Co-signer Maintenance article.