deployments: update SGX configuration

mythi · mythi · commit 90aeca48c580 · 2023-01-12T09:41:17.000+02:00
Signed-off-by: Mikko Ylinen &lt;mikko.ylinen@intel.com&gt;
diff --git a/deployments/sgx_aesmd/base/sgx_default_qcnl.conf b/deployments/sgx_aesmd/base/sgx_default_qcnl.conf
@@ -1,2 +1,17 @@
-PCCS_URL=https://localhost:8081/sgx/certification/v3/
-USE_SECURE_CERT=FALSE
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+  // This sample is a typical config file for a development environment which has a local PCCS setup
+  // QPL will get PCK certificates as well as quote verification collateral from the local PCCS service
+  // The PCCS service uses self-signed certificates
+  // You should choose the correct PCCS API version. "3.1" will return CRL in raw DER format
+  // It is recommended to use "3.1" for DCAP 1.12 release and later
+
+  //PCCS server address
+  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+
+  // To accept insecure HTTPS certificate, set this option to false
+  "use_secure_cert": false,
+
+  "pccs_api_version": "3.1"
+}
diff --git a/deployments/sgx_enclave_apps/base/intelsgx-job.yaml b/deployments/sgx_enclave_apps/base/intelsgx-job.yaml
@@ -21,8 +21,6 @@ spec:
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
-            capabilities:
-              add: ["IPC_LOCK"]
           resources:
             limits:
               sgx.intel.com/epc: "512Ki"
diff --git a/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/sgx_default_qcnl.conf b/deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/sgx_default_qcnl.conf
@@ -1,2 +1,17 @@
-PCCS_URL=https://localhost:8081/sgx/certification/v3/
-USE_SECURE_CERT=FALSE
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+  // This sample is a typical config file for a development environment which has a local PCCS setup
+  // QPL will get PCK certificates as well as quote verification collateral from the local PCCS service
+  // The PCCS service uses self-signed certificates
+  // You should choose the correct PCCS API version. "3.1" will return CRL in raw DER format
+  // It is recommended to use "3.1" for DCAP 1.12 release and later
+
+  //PCCS server address
+  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
+
+  // To accept insecure HTTPS certificate, set this option to false
+  "use_secure_cert": false,
+
+  "pccs_api_version": "3.1"
+}
