SGX distribution scripts (#201)
- Moved dist to dist/ledger
- Added dist/sgx with setup and run scripts
- New SGX distribution building script (build-dist-sgx)
- Added and updated distribution documentation for both Ledger and SGX
- Additional HSM2DongleSGX unit tests for the onboarding operation
amendelzon authored Sep 25, 2024
1 parent 0b951ed commit 3004408
Showing 22 changed files with 420 additions and 9 deletions.
2 changes: 1 addition & 1 deletion build-dist-ledger
Expand Up @@ -34,7 +34,7 @@ fi
echo -e "\e[32mBuilding into \e[93m$DEST_DIR\e[32m with checkpoint \e[93m$CHECKPOINT\e[32m, minimum difficulty \e[93m$DIFFICULTY\e[32m, network \e[93m$NETWORK\e[32m and UI iteration \e[93m$UI_ITERATION\e[32m...\e[0m"
echo -e "\e[33mCopying files and creating directories...\e[0m"
rm -rf $DEST_DIR
cp -Rf $ROOT_DIR/dist $DEST_DIR
cp -Rf $ROOT_DIR/dist/ledger $DEST_DIR

rm -rf $FIRMWARE_DIR
mkdir -p $FIRMWARE_DIR
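Review bot: The changed `cp -Rf $ROOT_DIR/dist/ledger $DEST_DIR` line and the `rm -rf $DEST_DIR` just above it use the destination unquoted, so a path containing spaces or glob characters is split into several arguments to a recursive delete. Quote it as `"$DEST_DIR"` in both places while this line is being touched.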
58 changes: 58 additions & 0 deletions build-dist-sgx
@@ -0,0 +1,58 @@
#!/bin/bash

pushd $(dirname $0) > /dev/null
ROOT_DIR=$(pwd)

if [[ $# -lt 4 ]]; then
echo "Usage: $0 <destination path> <checkpoint> <minimum difficulty> <network>"
exit 1
fi

# Check docker images exist
CHECK_IMAGE=$ROOT_DIR/docker/check-image

for img in hsm:sgx hsm:mware hsm:packer; do
DOCKER_IMAGE=$img
source $CHECK_IMAGE
done

DEST_DIR=$1
CHECKPOINT=$2
DIFFICULTY=$3
NETWORK=$4
HSM_DIR=$DEST_DIR/hsm
BIN_DIR=$DEST_DIR/bin
SCRIPTS_DIR=$DEST_DIR/scripts

if [[ -e $DEST_DIR ]]; then
echo -e "\e[31mDestination directory $DEST_DIR exists"
exit 1
fi

echo -e "\e[32mBuilding into \e[93m$DEST_DIR\e[32m with checkpoint \e[93m$CHECKPOINT\e[32m, minimum difficulty \e[93m$DIFFICULTY\e[32m, network \e[93m$NETWORK\e[32m and UI iteration \e[93m$UI_ITERATION\e[32m...\e[0m"
echo -e "\e[33mCopying files and creating directories...\e[0m"
rm -rf $DEST_DIR
cp -Rf $ROOT_DIR/dist/sgx $DEST_DIR

rm -rf $BIN_DIR
mkdir -p $BIN_DIR

echo
echo -e "\e[33mBuilding middleware...\e[0m"
$ROOT_DIR/middleware/build/dist_sgx
cp $ROOT_DIR/middleware/bin/adm_sgx.tgz $BIN_DIR
cp $ROOT_DIR/middleware/bin/manager_sgx.tgz $BIN_DIR
echo

echo -e "\e[33mBuilding SGX apps...\e[0m"
# TODO: decide what to do with the enclave signing key
#(randomizing seems like a reasonable option
# since we don't actually need it in our current scheme)
$ROOT_DIR/firmware/build/build-sgx $CHECKPOINT $DIFFICULTY $NETWORK > /dev/null
cp $ROOT_DIR/firmware/src/sgx/bin/hsmsgx $HSM_DIR/
cp $ROOT_DIR/firmware/src/sgx/bin/hsmsgx_enclave.signed $HSM_DIR/

echo
echo -e "\e[32mBuild complete.\e[0m"

popd > /dev/null
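Review bot: The build steps near the end have no failure handling: there is no `set -e` and the exit status of `dist_sgx` and `build-sgx` is never checked, so after a failed build the script carries on to the `cp` lines and still prints "Build complete." Add `set -e` near the top or test each build's status before copying. Smaller points: the "Building into" message references `$UI_ITERATION`, which this script never sets, so that part prints empty; `rm -rf $DEST_DIR` serves no purpose because the script has already exited if `$DEST_DIR` exists, and it can be dropped; and the TODO about the enclave signing key should be resolved or tracked in an issue before this script is used to produce a distributed `hsmsgx_enclave.signed`.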
1 change: 1 addition & 0 deletions dist/.gitignore → dist/ledger/.gitignore
@@ -1,5 +1,6 @@
bin
firmware
export
public-keys.txt
public-keys.json
pin.txt
File renamed without changes.
2 changes: 1 addition & 1 deletion dist/README-cli.md → dist/ledger/README-cli.md
@@ -1,4 +1,4 @@
# powHSM Setup and onboarding
# powHSM for Ledger Nano S Setup and onboarding

## Prerequisites

8 changes: 4 additions & 4 deletions dist/README.md → dist/ledger/README.md
@@ -1,25 +1,25 @@
# powHSM distribution
# powHSM for Ledger Nano S distribution

This document describes the artifacts provided to build a distributable version of the powHSM software for Ledger Nano S. This distributable version includes both Ledger apps and middleware binaries, as well as scripts for both setting up and onboarding a brand new Ledger Nano S; and also for upgrading an existing Ledger Nano S with powHSM to a newer Signer version.

## Prerequisites

You will need all of the docker images built (see the [quickstart guide](../QUICKSTART.md) for details on this).
You will need all of the docker images built (see the [quickstart guide](../../QUICKSTART.md) for details on this).

## Generating a distribution

To generate a full distribution into a fresh directory, issue:

```
~/repo> ./build-dist <destination path> <checkpoint> <minimum difficulty> <network> <ui_iteration> <ui_authorizers>
~/repo> ./build-dist-ledger <destination path> <checkpoint> <minimum difficulty> <network> <ui_iteration> <ui_authorizers>
```

where `<destination path>` is the target directory (which must not exist); `<checkpoint>`, `<minimum difficulty>` and `<network>` are the build parameters for the signer app; `<ui_iteration>` is the signer version iteration with which the UI must be built; and `<ui_authorizers>` is the basename of the authorizers header file. The script will build the Ledger apps (signer and UI) as well as the required middleware. Then it will output all of the necessary distribution artifacts, including the aforementioned builds, to the destination path given.

For example, to build a distribution with checkpoint `0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac`, minimum cumulative difficulty of `0x7c50933098`, `testnet` network, signer iteration `43` and authorizers header file `testing`, issue:

```
~/repo> ./build-dist /path/to/output 0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac 0x7c50933098 testnet 43 testing
~/repo> ./build-dist-ledger /path/to/output 0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac 0x7c50933098 testnet 43 testing
```

## Using a distribution
Expand Up @@ -3,7 +3,7 @@
pushd $(dirname $0)/.. > /dev/null
DIST_DIR=$(pwd)
popd > /dev/null
DOCKER_IMAGE=hsm2:setup
DOCKER_IMAGE=powhsmledger:setup

QUIET=""
echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..."
2 changes: 1 addition & 1 deletion dist/scripts/setup → dist/ledger/scripts/setup
Expand Up @@ -160,7 +160,7 @@ function verify_attestation() {
error
}

echo -e "\e[1;32mWelcome to the powHSM Setup for RSK \e[0m"
echo -e "\e[1;32mWelcome to the Ledger Nano S powHSM Setup for RSK \e[0m"
echo
checkForPinFile
checkFirmware
File renamed without changes.
Expand Up @@ -134,7 +134,7 @@ function verify_attestation() {
error
}

echo -e "\e[1;32mWelcome to the powHSM Upgrade for RSK \e[0m"
echo -e "\e[1;32mWelcome to the Ledger Nano S powHSM Upgrade for RSK \e[0m"
echo -e "\e[1;32mPlease make sure your HSM is onboarded before continuing with the firmware upgrade.\e[0m"
echo
checkFirmware
File renamed without changes.
File renamed without changes.
3 changes: 3 additions & 0 deletions dist/sgx/.gitignore
@@ -0,0 +1,3 @@
bin
export
hsm/hsmsgx*
17 changes: 17 additions & 0 deletions dist/sgx/Dockerfile
@@ -0,0 +1,17 @@
FROM debian:bookworm-slim

WORKDIR /hsm2

RUN apt-get update && \
apt-get install -y binutils gnupg2 curl

# Download and install libssl1.1 from debian main repository
RUN curl -L -o libssl1.1.deb https://ftp.debian.org/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0+deb11u1_amd64.deb && \
dpkg -i libssl1.1.deb && \
rm libssl1.1.deb

# Install SGX runtime dependencies
RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
apt-get update && \
apt-get install -y libsgx-enclave-common
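Review bot: The `libssl1.1` step installs a `.deb` fetched with `curl` without checking it against a known digest. Pin the expected SHA-256 in the Dockerfile and run `sha256sum -c` before `dpkg -i`, so the image build fails if the file served at that URL ever changes. In the SGX step, `apt-key add -` is deprecated and makes the Intel key trusted for every configured repository; store the key in a keyring file and reference it with `signed-by=` in the `deb [arch=amd64]` entry instead. A comment explaining why an Ubuntu `focal` repository is used on a `debian:bookworm-slim` base would help, and `WORKDIR /hsm2` does not match the `/hsm` and `/setup` working directories that the run scripts pass with `-w`.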
17 changes: 17 additions & 0 deletions dist/sgx/README-cli.md
@@ -0,0 +1,17 @@
# powHSM for SGX Setup and onboarding

## Prerequisites

The computer on which the powHSM setup and onboarding is to be executed needs the following installed:

- Docker

### Setup

To setup a brand new powHSM, within the `/path/to/dist` directory, issue:

```
/path/to/dist> ./setup-new-powhsm
```

and follow the instructions.
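Review bot: Prerequisites lists only Docker, but `scripts/run_with_docker` in this commit passes `--device=/dev/sgx_enclave` and `--device=/dev/sgx_provision`, so the host also needs SGX support with those device nodes present; state that here. Minor wording: "To setup" should read "To set up".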
41 changes: 41 additions & 0 deletions dist/sgx/README.md
@@ -0,0 +1,41 @@
# powHSM for SGX distribution

This document describes the artifacts provided to build a distributable version of the powHSM software for Intel SGX. This distributable version includes both SGX apps and middleware binaries, as well as scripts for setting up and onboarding a brand new installation.

## Prerequisites

You will need all of the docker images built (see the [quickstart guide](../QUICKSTART.md) for details on this).

## Generating a distribution

To generate a full distribution into a fresh directory, issue:

```
~/repo> ./build-dist-sgx <destination path> <checkpoint> <minimum difficulty> <network>
```

where `<destination path>` is the target directory (which must not exist); `<checkpoint>`, `<minimum difficulty>` and `<network>` are the build parameters for the SGX enclave application. The script will build the SGX apps (host and enclave) as well as the required middleware. Then it will output all of the necessary distribution artifacts, including the aforementioned builds, to the destination path given.

For example, to build a distribution with checkpoint `0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac`, minimum cumulative difficulty of `0x7c50933098` and `testnet` network, issue:

```
~/repo> ./build-dist-sgx /path/to/output 0x00f06dcff26ec8b4d373fbd53ee770e9348d9bd6a247ad4c86e82ceb3c2130ac 0x7c50933098 testnet
```

## Using a distribution

### Prerequisites

The computer on which the distrbution is to be used needs the following installed:

- Docker

### Scripts

As mentioned, a distribution can be used to setup a new device. To setup a brand new installation, within the `/path/to/dist` directory, issue:

```
/path/to/dist> ./setup-new-powhsm
```

and follow the instructions.
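Review bot: The quickstart link under Prerequisites is `../QUICKSTART.md`, which from `dist/sgx/README.md` resolves to `dist/QUICKSTART.md`. The Ledger README in this same commit was changed to `../../QUICKSTART.md` for exactly this reason, and this file needs the same path. Also, "distrbution" under "Using a distribution" should be "distribution".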
27 changes: 27 additions & 0 deletions dist/sgx/hsm/run
@@ -0,0 +1,27 @@
#!/bin/bash

BINDIR=$(realpath $(dirname $0))
WORKDIR=$(realpath $BINDIR/..)
DOCKER_IMAGE=powhsmsgx:runner

QUIET=""
echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..."
if [[ "$2" != "-v" ]]; then
QUIET="-q"
echo -e "Run with '-v' if you want to see progress detail\e[94m"
fi
docker build -t $DOCKER_IMAGE $BINDIR $QUIET
echo -e "\e[96mDocker image build done.\e[0m"
echo

DOCKER_CNT=powhsmsgx-runner
DOCKER_USER="$(id -u):$(id -g)"
PORT=7777
DOCKER_PORT="$PORT:$PORT"

docker run -ti --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
--device=/dev/sgx_enclave:/dev/sgx_enclave \
--device=/dev/sgx_provision:/dev/sgx_provision \
-w /hsm -p$DOCKER_PORT $DOCKER_IMAGE \
bin/hsmsgx ./bin/hsmsgx_enclave.signed -p$PORT -b0.0.0.0
# TODO: We need to resolve binding so that not everyone can connect to the service!
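Review bot: The `docker run` line publishes the service on every host interface: `-p$DOCKER_PORT` expands to `-p7777:7777` with no host address, and the host binary is started with `-b0.0.0.0`, which the trailing TODO acknowledges. Until that is resolved, publish on loopback only (`-p 127.0.0.1:$PORT:$PORT`) or make the host bind address a parameter with a loopback default; the `-b0.0.0.0` inside the container can stay, since the port mapping needs it. Please also confirm the paths: `docker build` uses `$BINDIR` (the `hsm` directory) as its context while the Dockerfile added in this commit is at `dist/sgx/Dockerfile`, and `bin/hsmsgx` resolves under `$WORKDIR/bin` whereas `build-dist-sgx` copies `hsmsgx` and `hsmsgx_enclave.signed` into `$HSM_DIR`.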
24 changes: 24 additions & 0 deletions dist/sgx/scripts/run_with_docker
@@ -0,0 +1,24 @@
#!/bin/bash

pushd $(dirname $0)/.. > /dev/null
DIST_DIR=$(pwd)
popd > /dev/null
DOCKER_IMAGE=powhsmsgx:setup

QUIET=""
echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..."
if [[ "$2" != "-v" ]]; then
QUIET="-q"
echo -e "Run with '-v' if you want to see progress detail\e[94m"
fi
docker build -t $DOCKER_IMAGE $DIST_DIR $QUIET
echo -e "\e[96mDocker image build done.\e[0m"
echo

DOCKER_USER="$(id -u):$(id -g)"

docker run -ti --rm --user $DOCKER_USER \
--device=/dev/sgx_enclave:/dev/sgx_enclave \
--device=/dev/sgx_provision:/dev/sgx_provision \
-v $DIST_DIR:/setup -v /:/fs -w /setup \
$DOCKER_IMAGE $1
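Review bot: `-v /:/fs` on the `docker run` line bind-mounts the host's entire root filesystem, read-write, into the setup container. Mount only the directories the setup actually needs, or add `:ro` if the container only reads from it. `$1` is also passed unquoted as the container command; quote it and consider checking it against the expected script names before running.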