fix: Fix Docker issues

ntls-io · Nov 28, 2024 · e539562 · e539562
1 parent 45bb6d5
commit e539562
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 7 deletions.
diff --git a/sgx-mvp/docker/.gitignore b/sgx-mvp/docker/.gitignore
@@ -0,0 +1 @@
+docker-sgx-mvp.sig
diff --git a/sgx-mvp/docker/Dockerfile b/sgx-mvp/docker/Dockerfile
@@ -60,8 +60,10 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 
 # Clone only the sgx-mvp directory
 WORKDIR /app
-RUN git clone --depth 1 --sparse https://github.com/ntls-io/trusted-compute-MVP.git && \
+RUN git config --global core.sparseCheckout true && \
+    git clone --depth 1 --filter=blob:none https://github.com/ntls-io/trusted-compute-MVP.git && \
     cd trusted-compute-MVP && \
+    git sparse-checkout init --cone && \
     git sparse-checkout set sgx-mvp
 
 # Create necessary library directory
@@ -71,10 +73,20 @@ RUN mkdir -p /lib/x86_64-pc-linux-gnu && \
 RUN mkdir -p /var/run/aesmd/
 
 # Build the MVP with temporarily mounted key
-RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/keys/enclave-key.pem \
+RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem \
     cd /app/trusted-compute-MVP/sgx-mvp && \
-    make SGX=1 RA_TYPE=dcap && \
-    rm -f /app/trusted-compute-MVP/keys/enclave-key.pem
+    make SGX=1 RA_TYPE=dcap
+
+# Verify signing key cleanup
+RUN echo "Verifying key cleanup..." && \
+    if [ -f /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem ]; then \
+        echo "ERROR: Signing key still present!" && \
+        ls -l /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem && \
+        exit 1; \
+    else \
+        echo "SUCCESS: Verified that signing key was properly removed." && \
+        ls -la /app/trusted-compute-MVP/sgx-mvp/keys/ || echo "keys directory does not exist (expected)"; \
+    fi
 
 COPY restart_aesm.sh /restart_aesm.sh
 
@@ -93,8 +105,12 @@ RUN apt-get update && \
 RUN echo '#!/bin/bash\n\
 /restart_aesm.sh\n\
 socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080 & \n\
+cd /app/trusted-compute-MVP/sgx-mvp && \
 gramine-sgx sgx-mvp\n'\
 > /start.sh && chmod +x /start.sh
 
+# Set the working directory where the manifest file is located
+WORKDIR /app/trusted-compute-MVP/sgx-mvp
+
 ENTRYPOINT ["/bin/sh", "-c"]
 CMD ["/start.sh"]
diff --git a/sgx-mvp/docker/build.sh b/sgx-mvp/docker/build.sh
@@ -3,6 +3,16 @@ set -euo pipefail
 
 usage() {
     echo "Usage: build.sh [ubuntu20,ubuntu22]"
+    echo ""
+    echo "Before building, ensure you have:"
+    echo "1. Generated your Gramine signing key at /keys/enclave-key.pem"
+    echo "2. Set proper permissions (chmod 400) on your key"
+    echo ""
+    echo "To generate a development key (if you haven't already):"
+    echo "    gramine-sgx-gen-private-key /keys/enclave-key.pem"
+    echo "    chmod 400 /keys/enclave-key.pem"
+    echo ""
+    echo "Note: For production deployments, use your production signing key."
     exit 1
 }
 
@@ -31,10 +41,15 @@ esac
 # Check if key exists
 if [ ! -f "$key_path" ]; then
     echo "No signing key found at $key_path"
-    echo "For development:"
+    echo ""
+    echo "For development environments:"
     echo "    gramine-sgx-gen-private-key /keys/enclave-key.pem"
-    echo "For production:"
-    echo "    Please use your production signing key"
+    echo "    chmod 400 /keys/enclave-key.pem"
+    echo ""
+    echo "For production environments:"
+    echo "    Please use your secure production signing key"
+    echo "    Copy it to /keys/enclave-key.pem"
+    echo "    Ensure permissions are set with: chmod 400 /keys/enclave-key.pem"
     exit 1
 fi
 
@@ -46,4 +61,9 @@ docker build \
     -t sgx-mvp:stable-"${codename}" \
     .
 
+# Extract the sig file using a temporary container
+container_id=$(docker create sgx-mvp:stable-"${codename}")
+docker cp "$container_id":/app/trusted-compute-MVP/sgx-mvp/sgx-mvp.sig docker-sgx-mvp.sig
+docker rm "$container_id"
+
 echo "Build complete!"