diff --git a/sgx-mvp/docker/.gitignore b/sgx-mvp/docker/.gitignore
new file mode 100644
index 0000000..fb935f8
--- /dev/null
+++ b/sgx-mvp/docker/.gitignore
@@ -0,0 +1 @@
+docker-sgx-mvp.sig
\ No newline at end of file
diff --git a/sgx-mvp/docker/Dockerfile b/sgx-mvp/docker/Dockerfile
index e2fc4fc..f917ec0 100644
--- a/sgx-mvp/docker/Dockerfile
+++ b/sgx-mvp/docker/Dockerfile
@@ -60,8 +60,10 @@ ENV PATH="/root/.cargo/bin:${PATH}"
 # Clone only the sgx-mvp directory
 WORKDIR /app
-RUN git clone --depth 1 --sparse https://github.com/ntls-io/trusted-compute-MVP.git && \
+RUN git config --global core.sparseCheckout true && \
+ git clone --depth 1 --filter=blob:none https://github.com/ntls-io/trusted-compute-MVP.git && \
 cd trusted-compute-MVP && \
+ git sparse-checkout init --cone && \
 git sparse-checkout set sgx-mvp
 # Create necessary library directory
@@ -71,10 +73,20 @@ RUN mkdir -p /lib/x86_64-pc-linux-gnu && \
 RUN mkdir -p /var/run/aesmd/
 # Build the MVP with temporarily mounted key
-RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/keys/enclave-key.pem \
+RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem \
 cd /app/trusted-compute-MVP/sgx-mvp && \
- make SGX=1 RA_TYPE=dcap && \
- rm -f /app/trusted-compute-MVP/keys/enclave-key.pem
+ make SGX=1 RA_TYPE=dcap
+
+# Verify signing key cleanup
+RUN echo "Verifying key cleanup..." && \
+ if [ -f /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem ]; then \
+ echo "ERROR: Signing key still present!" && \
+ ls -l /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem && \
+ exit 1; \
+ else \
+ echo "SUCCESS: Verified that signing key was properly removed." && \
+ ls -la /app/trusted-compute-MVP/sgx-mvp/keys/ || echo "keys directory does not exist (expected)"; \
+ fi
 COPY restart_aesm.sh /restart_aesm.sh
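Review bot: The `git clone --depth 1 --filter=blob:none …` step still takes whatever the default branch points to at build time, so the source that is later built and signed with the enclave key is not pinned to a reviewed revision. Passing the revision as a build argument and fetching exactly that commit would fix this, e.g. `ARG MVP_REF` (a full commit hash) followed by `git fetch --depth 1 origin "$MVP_REF" && git checkout FETCH_HEAD`. Separately, `git config --global core.sparseCheckout true` looks redundant next to `git sparse-checkout init --cone`, and because the clone runs without `--sparse` or `--no-checkout` it presumably materialises the whole tree before the sparse set is applied.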
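Review bot: The `[ -f …/sgx-mvp/keys/enclave-key.pem ]` test in the new verification step only checks that a path exists, which is a weak signal for a `--mount=type=secret` file: the secret content is not written to the layer, and BuildKit may leave an empty placeholder at the mount target, which `-f` would report as a leaked key. Testing for content is closer to the intent: `if [ -s /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem ]; then \`. The step also cannot see a copy of the key that `make` might have written elsewhere, so the success message should claim only what is checked, e.g. `echo "SUCCESS: no key material at the secret mount target." && \`.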
@@ -93,8 +105,12 @@ RUN apt-get update && \
 RUN echo '#!/bin/bash\n\
 /restart_aesm.sh\n\
 socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080 & \n\
+cd /app/trusted-compute-MVP/sgx-mvp && \
 gramine-sgx sgx-mvp\n'\
 > /start.sh && chmod +x /start.sh
+# Set the working directory where the manifest file is located
+WORKDIR /app/trusted-compute-MVP/sgx-mvp
+
 ENTRYPOINT ["/bin/sh", "-c"]
 CMD ["/start.sh"]
\ No newline at end of file
diff --git a/sgx-mvp/docker/build.sh b/sgx-mvp/docker/build.sh
index cf73b51..0d6f73c 100755
--- a/sgx-mvp/docker/build.sh
+++ b/sgx-mvp/docker/build.sh
@@ -3,6 +3,16 @@ set -euo pipefail
 usage() {
 echo "Usage: build.sh [ubuntu20,ubuntu22]"
+ echo ""
+ echo "Before building, ensure you have:"
+ echo "1. Generated your Gramine signing key at /keys/enclave-key.pem"
+ echo "2. Set proper permissions (chmod 400) on your key"
+ echo ""
+ echo "To generate a development key (if you haven't already):"
+ echo " gramine-sgx-gen-private-key /keys/enclave-key.pem"
+ echo " chmod 400 /keys/enclave-key.pem"
+ echo ""
+ echo "Note: For production deployments, use your production signing key."
 exit 1
 }
@@ -31,10 +41,15 @@ esac
 # Check if key exists
 if [ ! -f "$key_path" ]; then
 echo "No signing key found at $key_path"
- echo "For development:"
+ echo ""
+ echo "For development environments:"
 echo " gramine-sgx-gen-private-key /keys/enclave-key.pem"
- echo "For production:"
- echo " Please use your production signing key"
+ echo " chmod 400 /keys/enclave-key.pem"
+ echo ""
+ echo "For production environments:"
+ echo " Please use your secure production signing key"
+ echo " Copy it to /keys/enclave-key.pem"
+ echo " Ensure permissions are set with: chmod 400 /keys/enclave-key.pem"
 exit 1
 fi
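Review bot: The working directory is now set twice, once by the `cd /app/trusted-compute-MVP/sgx-mvp && \` line written into /start.sh and once by the new `WORKDIR`; one of them is enough, and keeping only `WORKDIR` leaves the generated script simpler. Since the enclave is the container's main workload, `exec gramine-sgx sgx-mvp\n'\` would also let stop signals reach it directly instead of the wrapper shell. The generated script has no `set -e`, so a failing /restart_aesm.sh does not prevent the enclave from being launched; whether that is intended is not visible in this hunk.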
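Review bot: The help text added to `usage()` hard-codes `/keys/enclave-key.pem`, while the existence check further down tests `"$key_path"`; the same literal is repeated in the messages of the `@@ -31,10 +41,15 @@` hunk. If the two ever differ, the instructions point the user at a key the build never reads. In the later hunk `$key_path` is clearly in scope, so lines such as `echo " chmod 400 $key_path"` would stay correct; whether the variable is already set when `usage()` runs is not visible here.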
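Review bot: The messages in the `if [ ! -f "$key_path" ]` block tell the user to `chmod 400` the key, but the script only tests that the file exists, so a group- or world-readable signing key is accepted silently. A permission check after the existence test would enforce the advice, for example `[ "$(stat -c %a "$key_path")" = 400 ] || { echo "Key permissions must be 400: $key_path" >&2; exit 1; }` (GNU stat). The error text in this block is also written to stdout; adding `>&2` to these `echo` lines would keep it out of captured output.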
@@ -46,4 +61,9 @@ docker build \
 -t sgx-mvp:stable-"${codename}" \
 .
+# Extract the sig file using a temporary container
+container_id=$(docker create sgx-mvp:stable-"${codename}")
+docker cp "$container_id":/app/trusted-compute-MVP/sgx-mvp/sgx-mvp.sig docker-sgx-mvp.sig
+docker rm "$container_id"
+
 echo "Build complete!"
\ No newline at end of file
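Review bot: With `set -euo pipefail` in effect, a failing `docker cp` aborts the script before `docker rm "$container_id"` runs, leaving the temporary container behind. Registering the cleanup right after creation avoids that: `trap 'docker rm "$container_id" >/dev/null' EXIT`. The extracted `docker-sgx-mvp.sig` is presumably what verifiers compare the enclave against, so a comment such as `# sgx-mvp.sig holds the signed enclave measurement; publish it alongside the image` would make its purpose clear. The `docker build` command this hunk ends starts outside the hunk.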