-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Docker set-p + basic signing key management
- Loading branch information
1 parent
2cbcbd9
commit 2df262f
Showing
9 changed files
with
861 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
ARG UBUNTU_IMAGE=ubuntu:20.04 | ||
FROM ${UBUNTU_IMAGE} | ||
|
||
# ARGs cannot be grouped since each FROM in a Dockerfile initiates a new build | ||
# stage, resulting in the loss of ARG values from earlier stages. | ||
ARG UBUNTU_CODENAME=focal | ||
|
||
# Base Gramine setup | ||
RUN apt-get update && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get install -y curl gnupg2 binutils | ||
|
||
RUN curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg && \ | ||
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ '${UBUNTU_CODENAME}' main' > /etc/apt/sources.list.d/gramine.list | ||
|
||
RUN curl -fsSLo /usr/share/keyrings/intel-sgx-deb.key https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key && \ | ||
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.key] https://download.01.org/intel-sgx/sgx_repo/ubuntu '${UBUNTU_CODENAME}' main' > /etc/apt/sources.list.d/intel-sgx.list | ||
|
||
# Install Gramine and dependencies | ||
RUN apt-get update && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get install -y gramine \ | ||
sgx-aesm-service \ | ||
libsgx-aesm-launch-plugin \ | ||
libsgx-aesm-epid-plugin \ | ||
libsgx-aesm-quote-ex-plugin \ | ||
libsgx-aesm-ecdsa-plugin \ | ||
libsgx-dcap-quote-verify \ | ||
psmisc \ | ||
git \ | ||
make \ | ||
cmake \ | ||
python3.8-dev \ | ||
python3-numpy \ | ||
python3-scipy \ | ||
libffi-dev \ | ||
libssl-dev \ | ||
ca-certificates \ | ||
pkg-config \ | ||
wget \ | ||
software-properties-common \ | ||
clang \ | ||
llvm && \ | ||
apt-get clean && \ | ||
rm -rf /var/lib/apt/lists/* | ||
|
||
# Set Clang as the default compiler | ||
ENV CC=clang | ||
ENV CXX=clang++ | ||
|
||
# Install Azure DCAP client | ||
RUN wget -qO- https://packages.microsoft.com/keys/microsoft.asc | apt-key add - && \ | ||
DEBIAN_FRONTEND=noninteractive add-apt-repository "deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main" && \ | ||
apt-get update && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get install -y az-dcap-client && \ | ||
apt-get clean && \ | ||
rm -rf /var/lib/apt/lists/* | ||
|
||
# Install Rust | ||
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y | ||
ENV PATH="/root/.cargo/bin:${PATH}" | ||
|
||
# Clone only the sgx-mvp directory | ||
WORKDIR /app | ||
RUN git clone --depth 1 --sparse https://github.com/ntls-io/trusted-compute-MVP.git && \ | ||
cd trusted-compute-MVP && \ | ||
git sparse-checkout set sgx-mvp | ||
|
||
# Create necessary library directory | ||
RUN mkdir -p /lib/x86_64-pc-linux-gnu && \ | ||
ln -s /lib/x86_64-linux-gnu/* /lib/x86_64-pc-linux-gnu/ | ||
|
||
RUN mkdir -p /var/run/aesmd/ | ||
|
||
# Build the MVP with temporarily mounted key | ||
RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/keys/enclave-key.pem \ | ||
cd /app/trusted-compute-MVP/sgx-mvp && \ | ||
make SGX=1 RA_TYPE=dcap && \ | ||
rm -f /app/trusted-compute-MVP/keys/enclave-key.pem | ||
|
||
COPY restart_aesm.sh /restart_aesm.sh | ||
|
||
# Expose the server port | ||
EXPOSE 8080 | ||
ENV HOST=127.0.0.1 | ||
ENV PORT=8080 | ||
|
||
# Add socat for port forwarding | ||
RUN apt-get update && \ | ||
DEBIAN_FRONTEND=noninteractive apt-get install -y socat && \ | ||
apt-get clean && \ | ||
rm -rf /var/lib/apt/lists/* | ||
|
||
# Create a startup script to handle port forwarding | ||
RUN echo '#!/bin/bash\n\ | ||
/restart_aesm.sh\n\ | ||
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080 & \n\ | ||
gramine-sgx sgx-mvp\n'\ | ||
> /start.sh && chmod +x /start.sh | ||
|
||
ENTRYPOINT ["/bin/sh", "-c"] | ||
CMD ["/start.sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
|
||
usage() { | ||
echo "Usage: build.sh [ubuntu20,ubuntu22]" | ||
exit 1 | ||
} | ||
|
||
if [ $# -ne 1 ]; then | ||
usage | ||
fi | ||
|
||
image="" | ||
codename="" | ||
key_path="../keys/enclave-key.pem" | ||
|
||
case "$1" in | ||
ubuntu20) | ||
image="ubuntu:20.04" | ||
codename="focal" | ||
;; | ||
ubuntu22) | ||
image="ubuntu:22.04" | ||
codename="jammy" | ||
;; | ||
*) | ||
usage | ||
;; | ||
esac | ||
|
||
# Check if key exists | ||
if [ ! -f "$key_path" ]; then | ||
echo "No signing key found at $key_path" | ||
echo "For development:" | ||
echo " gramine-sgx-gen-private-key /keys/enclave-key.pem" | ||
echo "For production:" | ||
echo " Please use your production signing key" | ||
exit 1 | ||
fi | ||
|
||
# Build the image, mounting the key at build time | ||
docker build \ | ||
--build-arg UBUNTU_IMAGE="${image}" \ | ||
--build-arg UBUNTU_CODENAME="${codename}" \ | ||
--secret id=enclave_key,src="$key_path" \ | ||
-t sgx-mvp:stable-"${codename}" \ | ||
. | ||
|
||
echo "Build complete!" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
#!/bin/sh | ||
|
||
set -e | ||
|
||
killall -q aesm_service || true | ||
|
||
AESM_PATH=/opt/intel/sgx-aesm-service/aesm LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm exec /opt/intel/sgx-aesm-service/aesm/aesm_service --no-syslog |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# Ignore all files in this directory | ||
* | ||
# Except this file | ||
!.gitignore | ||
!README.md |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# SGX Signing Keys | ||
|
||
This directory contains the SGX enclave signing key used during the build process. | ||
|
||
## Development Setup | ||
|
||
To generate a development key: | ||
|
||
```bash | ||
cd sgx-mvp | ||
gramine-sgx-gen-private-key keys/enclave-key.pem | ||
chmod 400 keys/enclave-key.pem | ||
``` | ||
|
||
## Production Usage | ||
|
||
For production deployments: | ||
1. Use your organization's production signing key | ||
2. Store the key securely (never commit to version control) | ||
3. Use appropriate key management systems | ||
4. Consider using different keys per environment | ||
|
||
## Security Notes | ||
|
||
- Keys should have restricted permissions (chmod 400) | ||
- Development keys should be generated locally | ||
- Production keys should be managed through secure key management |