Skip to content

Commit

Permalink
feat: Docker set-p + basic signing key management
Browse files Browse the repository at this point in the history
  • Loading branch information
binglekruger committed Nov 28, 2024
1 parent 2cbcbd9 commit 2df262f
Show file tree
Hide file tree
Showing 9 changed files with 861 additions and 1 deletion.
5 changes: 5 additions & 0 deletions docs/installation/sgx-mvp.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,11 @@ Before installing the Nautilus MVP, ensure your system meets the following requi

Follow the instructions in the [Gramine Installation Guide](https://gramine.readthedocs.io/en/stable/installation.html#install-gramine-packages-1) under "Install Gramine packages" and [Prepare a signing key](https://gramine.readthedocs.io/en/stable/quickstart.html#prepare-a-signing-key).

```sh
gramine-sgx-gen-private-key keys/enclave-key.pem
chmod 400 keys/enclave-key.pem
```

3. **Rust Environment**

```sh
Expand Down
661 changes: 661 additions & 0 deletions sgx-mvp/LICENSE

Large diffs are not rendered by default.

3 changes: 2 additions & 1 deletion sgx-mvp/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ sgx-mvp.manifest.sgx sgx-mvp.sig: sgx_sign
sgx_sign: sgx-mvp.manifest $(SELF_EXE)
gramine-sgx-sign \
--manifest $< \
--output $<.sgx
--output $<.sgx \
--key keys/enclave-key.pem

ifeq ($(SGX),)
GRAMINE = gramine-direct
Expand Down
5 changes: 5 additions & 0 deletions sgx-mvp/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@ This directory contains all the relevant SGX code for NTC-MVP.

1. Follow the instructions in the [Gramine Installation Guide](https://gramine.readthedocs.io/en/stable/installation.html#install-gramine-packages-1) under "Install Gramine packages" and [Prepare a signing key](https://gramine.readthedocs.io/en/stable/quickstart.html#prepare-a-signing-key).

```sh
gramine-sgx-gen-private-key keys/enclave-key.pem
chmod 400 keys/enclave-key.pem
```

2. Ensure that Python 3.8 is installed. If necessary, modify the path(s) in the [sgx-mvp.manifest.template](https://github.com/ntls-io/trusted-compute-MVP/blob/main/sgx-mvp/sgx-mvp.manifest.template) to match your setup.

Ensure that you have the necessary Python development package installed:
Expand Down
100 changes: 100 additions & 0 deletions sgx-mvp/docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
ARG UBUNTU_IMAGE=ubuntu:20.04
FROM ${UBUNTU_IMAGE}

# ARGs cannot be grouped since each FROM in a Dockerfile initiates a new build
# stage, resulting in the loss of ARG values from earlier stages.
ARG UBUNTU_CODENAME=focal

# Base Gramine setup
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y curl gnupg2 binutils

RUN curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg && \
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ '${UBUNTU_CODENAME}' main' > /etc/apt/sources.list.d/gramine.list

RUN curl -fsSLo /usr/share/keyrings/intel-sgx-deb.key https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key && \
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.key] https://download.01.org/intel-sgx/sgx_repo/ubuntu '${UBUNTU_CODENAME}' main' > /etc/apt/sources.list.d/intel-sgx.list

# Install Gramine and dependencies
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y gramine \
sgx-aesm-service \
libsgx-aesm-launch-plugin \
libsgx-aesm-epid-plugin \
libsgx-aesm-quote-ex-plugin \
libsgx-aesm-ecdsa-plugin \
libsgx-dcap-quote-verify \
psmisc \
git \
make \
cmake \
python3.8-dev \
python3-numpy \
python3-scipy \
libffi-dev \
libssl-dev \
ca-certificates \
pkg-config \
wget \
software-properties-common \
clang \
llvm && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

# Set Clang as the default compiler
ENV CC=clang
ENV CXX=clang++

# Install Azure DCAP client
RUN wget -qO- https://packages.microsoft.com/keys/microsoft.asc | apt-key add - && \
DEBIAN_FRONTEND=noninteractive add-apt-repository "deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main" && \
apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y az-dcap-client && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

# Install Rust
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
ENV PATH="/root/.cargo/bin:${PATH}"

# Clone only the sgx-mvp directory
WORKDIR /app
RUN git clone --depth 1 --sparse https://github.com/ntls-io/trusted-compute-MVP.git && \
cd trusted-compute-MVP && \
git sparse-checkout set sgx-mvp

# Create necessary library directory
RUN mkdir -p /lib/x86_64-pc-linux-gnu && \
ln -s /lib/x86_64-linux-gnu/* /lib/x86_64-pc-linux-gnu/

RUN mkdir -p /var/run/aesmd/

# Build the MVP with temporarily mounted key
RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/keys/enclave-key.pem \
cd /app/trusted-compute-MVP/sgx-mvp && \
make SGX=1 RA_TYPE=dcap && \
rm -f /app/trusted-compute-MVP/keys/enclave-key.pem

COPY restart_aesm.sh /restart_aesm.sh

# Expose the server port
EXPOSE 8080
ENV HOST=127.0.0.1
ENV PORT=8080

# Add socat for port forwarding
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y socat && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

# Create a startup script to handle port forwarding
RUN echo '#!/bin/bash\n\
/restart_aesm.sh\n\
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080 & \n\
gramine-sgx sgx-mvp\n'\
> /start.sh && chmod +x /start.sh

ENTRYPOINT ["/bin/sh", "-c"]
CMD ["/start.sh"]
49 changes: 49 additions & 0 deletions sgx-mvp/docker/build.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
#!/usr/bin/env bash
set -euo pipefail

usage() {
echo "Usage: build.sh [ubuntu20,ubuntu22]"
exit 1
}

if [ $# -ne 1 ]; then
usage
fi

image=""
codename=""
key_path="../keys/enclave-key.pem"

case "$1" in
ubuntu20)
image="ubuntu:20.04"
codename="focal"
;;
ubuntu22)
image="ubuntu:22.04"
codename="jammy"
;;
*)
usage
;;
esac

# Check if key exists
if [ ! -f "$key_path" ]; then
echo "No signing key found at $key_path"
echo "For development:"
echo " gramine-sgx-gen-private-key /keys/enclave-key.pem"
echo "For production:"
echo " Please use your production signing key"
exit 1
fi

# Build the image, mounting the key at build time
docker build \
--build-arg UBUNTU_IMAGE="${image}" \
--build-arg UBUNTU_CODENAME="${codename}" \
--secret id=enclave_key,src="$key_path" \
-t sgx-mvp:stable-"${codename}" \
.

echo "Build complete!"
7 changes: 7 additions & 0 deletions sgx-mvp/docker/restart_aesm.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/bin/sh

set -e

killall -q aesm_service || true

AESM_PATH=/opt/intel/sgx-aesm-service/aesm LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm exec /opt/intel/sgx-aesm-service/aesm/aesm_service --no-syslog
5 changes: 5 additions & 0 deletions sgx-mvp/keys/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Ignore all files in this directory
*
# Except this file
!.gitignore
!README.md
27 changes: 27 additions & 0 deletions sgx-mvp/keys/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# SGX Signing Keys

This directory contains the SGX enclave signing key used during the build process.

## Development Setup

To generate a development key:

```bash
cd sgx-mvp
gramine-sgx-gen-private-key keys/enclave-key.pem
chmod 400 keys/enclave-key.pem
```

## Production Usage

For production deployments:
1. Use your organization's production signing key
2. Store the key securely (never commit to version control)
3. Use appropriate key management systems
4. Consider using different keys per environment

## Security Notes

- Keys should have restricted permissions (chmod 400)
- Development keys should be generated locally
- Production keys should be managed through secure key management

0 comments on commit 2df262f

Please sign in to comment.