- Moved dist to dist/ledger - Added dist/sgx with setup and run scripts - New SGX distribution building script (build-dist-sgx) - Added and updated distribution documentation for both Ledger and SGX - Additional HSM2DongleSGX unit tests for the onboarding operation
1 parent
2487b4e
commit 07859f7
Showing
22 changed files
with
420 additions
and
9 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
#!/bin/bash | ||
|
||
pushd $(dirname $0) > /dev/null | ||
ROOT_DIR=$(pwd) | ||
|
||
if [[ $# -lt 4 ]]; then | ||
echo "Usage: $0 <destination path> <checkpoint> <minimum difficulty> <network>" | ||
exit 1 | ||
fi | ||
|
||
# Check docker images exist | ||
CHECK_IMAGE=$ROOT_DIR/docker/check-image | ||
|
||
for img in hsm:sgx hsm:mware hsm:packer; do | ||
DOCKER_IMAGE=$img | ||
source $CHECK_IMAGE | ||
done | ||
|
||
DEST_DIR=$1 | ||
CHECKPOINT=$2 | ||
DIFFICULTY=$3 | ||
NETWORK=$4 | ||
HSM_DIR=$DEST_DIR/hsm | ||
BIN_DIR=$DEST_DIR/bin | ||
SCRIPTS_DIR=$DEST_DIR/scripts | ||
|
||
if [[ -e $DEST_DIR ]]; then | ||
echo -e "\e[31mDestination directory $DEST_DIR exists" | ||
exit 1 | ||
fi | ||
|
||
echo -e "\e[32mBuilding into \e[93m$DEST_DIR\e[32m with checkpoint \e[93m$CHECKPOINT\e[32m, minimum difficulty \e[93m$DIFFICULTY\e[32m, network \e[93m$NETWORK\e[32m and UI iteration \e[93m$UI_ITERATION\e[32m...\e[0m" | ||
echo -e "\e[33mCopying files and creating directories...\e[0m" | ||
rm -rf $DEST_DIR | ||
cp -Rf $ROOT_DIR/dist/sgx $DEST_DIR | ||
|
||
rm -rf $BIN_DIR | ||
mkdir -p $BIN_DIR | ||
|
||
echo | ||
echo -e "\e[33mBuilding middleware...\e[0m" | ||
$ROOT_DIR/middleware/build/dist_sgx | ||
cp $ROOT_DIR/middleware/bin/adm_sgx.tgz $BIN_DIR | ||
cp $ROOT_DIR/middleware/bin/manager_sgx.tgz $BIN_DIR | ||
echo | ||
|
||
echo -e "\e[33mBuilding SGX apps...\e[0m" | ||
# TODO: decide what to do with the enclave signing key | ||
#(randomizing seems like a reasonable option | ||
# since we don't actually need it in our current scheme) | ||
$ROOT_DIR/firmware/build/build-sgx $CHECKPOINT $DIFFICULTY $NETWORK > /dev/null | ||
cp $ROOT_DIR/firmware/src/sgx/bin/hsmsgx $HSM_DIR/ | ||
cp $ROOT_DIR/firmware/src/sgx/bin/hsmsgx_enclave.signed $HSM_DIR/ | ||
|
||
echo | ||
echo -e "\e[32mBuild complete.\e[0m" | ||
|
||
popd > /dev/null |
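Review bot: Nothing in this script stops on failure, so a failed `middleware/build/dist_sgx` or `build-sgx` run (whose output is also sent to `/dev/null`) still falls through to the `cp` lines and prints "Build complete", which can package stale `hsmsgx` and `hsmsgx_enclave.signed` binaries left over from an earlier build with a different checkpoint, difficulty or network. Adding `set -eo pipefail` after the shebang (after confirming the sourced `check-image` tolerates it), or `|| exit 1` on the two build invocations, closes that gap. Separately, `[[ -e $DEST_DIR ]]` does not word-split but `rm -rf $DEST_DIR` does, so a destination containing spaces passes the existence check and then removes other paths; since the script already exits when the destination exists, the `rm -rf` can be dropped or written as `rm -rf -- "$DEST_DIR"`. The banner also prints `$UI_ITERATION`, which this script never sets.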
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,6 @@ | ||
bin | ||
firmware | ||
export | ||
public-keys.txt | ||
public-keys.json | ||
pin.txt | ||
|
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
# powHSM Setup and onboarding | ||
# powHSM for Ledger Nano S Setup and onboarding | ||
|
||
## Prerequisites | ||
|
||
|
File renamed without changes.
File renamed without changes.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
bin | ||
export | ||
hsm/hsmsgx* |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
FROM debian:bookworm-slim | ||
|
||
WORKDIR /hsm2 | ||
|
||
RUN apt-get update && \ | ||
apt-get install -y binutils gnupg2 curl | ||
|
||
# Download and install libssl1.1 from debian main repository | ||
RUN curl -L -o libssl1.1.deb https://ftp.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb && \ | ||
dpkg -i libssl1.1.deb && \ | ||
rm libssl1.1.deb | ||
|
||
# Install SGX runtime dependencies | ||
RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ | ||
curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \ | ||
apt-get update && \ | ||
apt-get install -y libsgx-enclave-common |
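Review bot: The `libssl1.1` package is installed with `dpkg -i` straight from a `curl -L` download, and dpkg does not verify archive signatures, so the image trusts whatever that URL returns at build time. Pinning the digest before the install, e.g. `echo "<SHA256_OF_DEB>  libssl1.1.deb" | sha256sum -c -` (placeholder, to be filled from the Debian package index), and adding `-f` to that curl so HTTP errors fail the build, would make the step reproducible and tamper-evident. `apt-key add -` is deprecated and makes the Intel key trusted for every configured repository; storing it in a keyring file and referencing it with `signed-by=` inside the `deb [arch=amd64 ...]` entry scopes it to the SGX repo only. The package is also an OpenSSL 1.1.1 build for bullseye (`deb11u1`) installed onto a bookworm base, so it will likely not be updated through the image's own apt sources and deserves a comment saying why it is needed.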
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# powHSM for SGX Setup and onboarding | ||
|
||
## Prerequisites | ||
|
||
The computer on which the powHSM setup and onboarding is to be executed needs the following installed: | ||
|
||
- Docker | ||
|
||
### Setup | ||
|
||
To setup a brand new powHSM, within the `/path/to/dist` directory, issue: | ||
|
||
``` | ||
/path/to/dist> ./setup-new-powhsm | ||
``` | ||
|
||
and follow the instructions. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# powHSM for SGX distribution | ||
|
||
This document describes the artifacts provided to build a distributable version of the powHSM software for Intel SGX. This distributable version includes both SGX apps and middleware binaries, as well as scripts for setting up and onboarding a brand new installation. | ||
|
||
## Prerequisites | ||
|
||
You will need all of the docker images built (see the [quickstart guide](../QUICKSTART.md) for details on this). | ||
|
||
## Generating a distribution | ||
|
||
To generate a full distribution into a fresh directory, issue: | ||
|
||
``` | ||
~/repo> ./build-dist-sgx <destination path> <checkpoint> <minimum difficulty> <network> | ||
``` | ||
|
||
where `<destination path>` is the target directory (which must not exist); `<checkpoint>`, `<minimum difficulty>` and `<network>` are the build parameters for the SGX enclave application. The script will build the SGX apps (host and enclave) as well as the required middleware. Then it will output all of the necessary distribution artifacts, including the aforementioned builds, to the destination path given. | ||
|
||
For example, to build a distribution with checkpoint `0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac`, minimum cumulative difficulty of `0x7c50933098` and `testnet` network, issue: | ||
|
||
``` | ||
~/repo> ./build-dist-sgx /path/to/output 0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac 0x7c50933098 testnet | ||
``` | ||
|
||
## Using a distribution | ||
|
||
### Prerequisites | ||
|
||
The computer on which the distrbution is to be used needs the following installed: | ||
|
||
- Docker | ||
|
||
### Scripts | ||
|
||
As mentioned, a distribution can be used to setup a new device. To setup a brand new installation, within the `/path/to/dist` directory, issue: | ||
|
||
``` | ||
/path/to/dist> ./setup-new-powhsm | ||
``` | ||
|
||
and follow the instructions. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
#!/bin/bash | ||
|
||
BINDIR=$(realpath $(dirname $0)) | ||
WORKDIR=$(realpath $BINDIR/..) | ||
DOCKER_IMAGE=powhsmsgx:runner | ||
|
||
QUIET="" | ||
echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..." | ||
if [[ "$2" != "-v" ]]; then | ||
QUIET="-q" | ||
echo -e "Run with '-v' if you want to see progress detail\e[94m" | ||
fi | ||
docker build -t $DOCKER_IMAGE $BINDIR $QUIET | ||
echo -e "\e[96mDocker image build done.\e[0m" | ||
echo | ||
|
||
DOCKER_CNT=powhsmsgx-runner | ||
DOCKER_USER="$(id -u):$(id -g)" | ||
PORT=7777 | ||
DOCKER_PORT="$PORT:$PORT" | ||
|
||
docker run -ti --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \ | ||
--device=/dev/sgx_enclave:/dev/sgx_enclave \ | ||
--device=/dev/sgx_provision:/dev/sgx_provision \ | ||
-w /hsm -p$DOCKER_PORT $DOCKER_IMAGE \ | ||
bin/hsmsgx ./bin/hsmsgx_enclave.signed -p$PORT -b0.0.0.0 | ||
# TODO: We need to resolve binding so that not everyone can connect to the service! |
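Review bot: The service ends up reachable on every host interface: `-p$DOCKER_PORT` expands to `-p7777:7777`, which Docker publishes on all host addresses by default, and the process inside listens with `-b0.0.0.0`; the trailing TODO acknowledges this but leaves it open. Until access control exists, publishing on loopback only with `DOCKER_PORT="127.0.0.1:$PORT:$PORT"` limits callers to the local host, and the in-container `-b0.0.0.0` can stay because the container still has to accept the forwarded connection. The verbose flag is tested as `"$2"` although the script uses no `$1`, so `-v` is only recognised as the second argument; the expansions in `docker build` and `docker run` (`$BINDIR`, `$WORKDIR`) are unquoted and break on paths with spaces.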
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
#!/bin/bash | ||
|
||
pushd $(dirname $0)/.. > /dev/null | ||
DIST_DIR=$(pwd) | ||
popd > /dev/null | ||
DOCKER_IMAGE=powhsmsgx:setup | ||
|
||
QUIET="" | ||
echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..." | ||
if [[ "$2" != "-v" ]]; then | ||
QUIET="-q" | ||
echo -e "Run with '-v' if you want to see progress detail\e[94m" | ||
fi | ||
docker build -t $DOCKER_IMAGE $DIST_DIR $QUIET | ||
echo -e "\e[96mDocker image build done.\e[0m" | ||
echo | ||
|
||
DOCKER_USER="$(id -u):$(id -g)" | ||
|
||
docker run -ti --rm --user $DOCKER_USER \ | ||
--device=/dev/sgx_enclave:/dev/sgx_enclave \ | ||
--device=/dev/sgx_provision:/dev/sgx_provision \ | ||
-v $DIST_DIR:/setup -v /:/fs -w /setup \ | ||
$DOCKER_IMAGE $1 |
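Review bot: `-v /:/fs` bind-mounts the host's entire root filesystem, read-write, into the setup container, so everything the invoking user can read or write on the host is reachable from the setup image and from whatever `$1` selects to run. Nothing in this section shows why the whole tree is needed; if it is only there so the setup program can reach a user-chosen input or output path, mount just that directory, or add `:ro` if it is only read. `$1` is also unquoted at the end of `docker run`, so it is word-split into the container's command line, and the verbose flag is tested as `"$2"`, which means `-v` is only recognised as the second argument.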