Component Preparation

Obtain the component packages and digital signature files required for model protection. For details, see the following table.

Digital Signature Verification

To prevent a software package from being maliciously tampered with during transmission or storage, download the corresponding digital signature file for integrity verification when downloading the software package.

After the software package is downloaded, verify its PGP digital signature according to the OpenPGP Signature Verification Guide. If the software package fails the verification, do not use the software package, and contact Huawei technical support.

Before a software package is used in installation or upgrade, its digital signature also needs to be verified according to OpenPGP Signature Verification Guide to ensure that the software package is not tampered with.

For carrier users, visit https://support.huawei.com/carrier/digitalSignatureAction.

For enterprise users, visit https://support.huawei.com/enterprise/en/tool/pgp-verify-TL1000000054.

The software is classified into the commercial edition and community edition. The functions of the two editions are the same except the download permission and use of purpose. The community edition can be downloaded directly without applying for related permissions, but it cannot be used for commercial purpose. To download the commercial edition, you need to apply for related permissions.

**Table 1** Model protection components
Component	Description	Package Name	Level-2 package name	File List	Description	How to Obtain
AI-VAULT	Provides the central key control service, controls the master key and pre-shared key, and encrypts and decrypts working keys. It is deployed on the central server.	Ascend-mindxdl-aivault_{version}_linux-{arch}.zip	Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz	ai-vault	AI-VAULT binary file	Link of the commercial edition. On the software version page, select MindX 3.0.0 and download the component packages listed in this table. After decompressing the packages, use ascend-cert in toolbox to verify the CMS and CRL in the ZIP file, for details about how to use the tool, see the MindX Toolbox User Guide. You can integrate the tool into the installation and upgrade processes to perform integrity check.
			Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz	lib	Dynamic library file on which AI-VAULT depends
			Ascend-mindxdl-aivault_{version}_linux-arch}.tar.gz.cms	-	CMS certificate verification file
			Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz.crl	-	CRL file
AI-GUARD	Provides a CLI for user's Linux hosts.	Ascend-mindxdl-aiguard_{version}_linux-{arch}.zip	Ascend-mindxdl-aiguard_{version}_linux-{arch}.tar.gz	aiguard-{version}-py3-none-linux_{arch}.whl	AI-GUARD installation package
			Ascend-mindxdl-aiguard_{version}_linux-arch}.tar.gz.cms	-	CMS certificate verification file
			Ascend-mindxdl-aiguard_{version}_linux-{arch}.tar.gz.crl	-	CRL file
Crypto_fs	Provides imperceptible encryption and decryption capabilities, executable binary files, and related SO files, which are separately packaged and released on MindX DL.	Ascend-mindxdl-crypto-fs_{version}_linux-{arch}.zip	Ascend-mindxdl-crypto-fs_{version}_linux-{arch}.tar.gz	Crypto_fs	Crypto_fs (CFS) encryption and decryption tool installation package
			Ascend-mindxdl-crypto-fs_{version}_linux-{arch}.tar.gz.cms	-	CMS certificate verification file
			Ascend-mindxdl-crypto-fs_{version}_linux-{arch}..tar.gz.crl	-	CRL file
KMSAgent	Provides the encryption and decryption proxy service, which is built in the driver package and deployed with the driver.	NPU driver package	-	-	-	-

**Table 2** Model protection components
Component	Description	Package Name	Level-2 package name	File List	Description	How to Obtain
AI-VAULT	Provides the central key control service, controls the master key and pre-shared key, and encrypts and decrypts working keys. It is deployed on the central server.	Ascend-mindxdl-aivault_{version}_linux-{arch}.zip	Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz	ai-vault	AI-VAULT binary file	Link of the community edition. On the software version page, select the community edition and download the component packages listed in this table. After decompressing the packages, use ascend-cert in toolbox to verify the CMS and CRL in the ZIP file, for details about how to use the tool, see the MindX Toolbox User Guide. You can integrate the tool into the installation and upgrade processes to perform integrity check.
			Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz	lib	Dynamic library file on which AI-VAULT depends
			Ascend-mindxdl-aivault_{version}_linux-arch}.tar.gz.cms	-	CMS certificate verification file
			Ascend-mindxdl-aivault_{version}_linux-{arch}.tar.gz.crl	-	CRL file
AI-GUARD	Provides a CLI for user's Linux hosts.	Ascend-mindxdl-aiguard_{version}_linux-{arch}.zip	Ascend-mindxdl-aiguard_{version}_linux-{arch}.tar.gz	aiguard-{version}-py3-none-linux_{arch}.whl	AI-GUARD installation package
			Ascend-mindxdl-aiguard_{version}_linux-arch}.tar.gz.cms	-	CMS certificate verification file
			Ascend-mindxdl-aiguard_{version}_linux-{arch}.tar.gz.crl	-	CRL file
Crypto_fs	Provides imperceptible encryption and decryption capabilities, executable binary files, and related SO files, which are separately packaged and released on MindX DL.	Ascend-mindxdl-crypto-fs_{version}_linux-{arch}.zip	Ascend-mindxdl-crypto-fs_{version}_linux-{arch}.tar.gz	Crypto_fs	Crypto_fs (CFS) encryption and decryption tool installation package
			Ascend-mindxdl-crypto-fs_{version}_linux-{arch}.tar.gz.cms	-	CMS certificate verification file
			Ascend-mindxdl-crypto-fs_{version}_linux-{arch}..tar.gz.crl	-	CRL file
KMSAgent	Provides the encryption and decryption proxy service, which is built in the driver package and deployed with the driver.	NPU driver package	-	-	-	-

Before installing the components, install the following software:

**Table 3** Software environment
Name	Version	Installation Position	How to Obtain
Kubernetes	1.16.x~1.19.x	All nodes	Kubernetes community. Select the latest supported release.
Docker	18.09.x	All nodes	Docker community. For details about the Docker versions, see the Kubernetes requirements. Select the latest bug-fixed version.
OSs	Ubuntu 18.04.1, Ubuntu 18.04.5, Ubuntu 20.04 CentOS 8.2 (not supported by AI-GUARD) KylinOS V10	All nodes	-
haveged	-	User management node	For Ubuntu, run the following installation command: sudo apt install haveged For EulerOS or CentOS 8.2, run the following command: sudo yum install haveged
Ascend AI Processor driver and firmware	Select the firmware version that matches MindX 3.0.0 based on the actual hardware device model. For details, see Version Mapping.	Running node	For details, see the Driver and Firmware Installation and Upgrade Guides of hardware products to obtain the guide of the corresponding version.

After the haveged component is installed, verify that the haveged service is running.

[root@root ~]# systemctl status -l haveged
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
   Loaded: loaded (/usr/lib/systemd/system/haveged.service; enabled; vendor preset: disabled)
   Active: active (running) 
 Main PID: 1124229 (haveged)
    Tasks: 1
   Memory: 3.4M
   CGroup: /system.slice/haveged.service
           └─1124229 /usr/sbin/haveged -w 1024 -v 1 --Foreground

If the service is not automatically started, manually configure and start the haveged software.

[root@root ~]# systemctl enable haveged
[root@root ~]# systemctl start haveged