Install SGX powHSM as a systemd service

Work in progress - missing user-defined docker network
rsksmart · Nov 29, 2024 · 7527c08 · 7527c08
1 parent fc5aab6
commit 7527c08
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 2 deletions.
diff --git a/dist/sgx/hsm/run → dist/sgx/hsm/start b/dist/sgx/hsm/run → dist/sgx/hsm/start
@@ -16,10 +16,13 @@ echo
 
 DOCKER_CNT=powhsmsgx-runner
 DOCKER_USER="$(id -u):$(id -g)"
+HOSTNAME="SGX"
+NETWORK="net_hsm"
 PORT=7777
 DOCKER_PORT="$PORT:$PORT"
 
-docker run -ti --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
+docker run --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
+    --hostname $HOSTNAME --network $NETWORK \
     --device=/dev/sgx_enclave:/dev/sgx_enclave \
     --device=/dev/sgx_provision:/dev/sgx_provision \
     -w /hsm -p$DOCKER_PORT $DOCKER_IMAGE \

diff --git a/dist/sgx/hsm/stop b/dist/sgx/hsm/stop
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+DOCKER_CNT=powhsmsgx-runner
+docker stop $DOCKER_CNT
diff --git a/dist/sgx/scripts/hsmsgx.service b/dist/sgx/scripts/hsmsgx.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=SGX powHSM
+Wants=network.target
+After=syslog.target network-online.target docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+WorkingDirectory=$HSM_INSTALL_DIR
+User=hsm
+Group=hsm
+ExecStart=$HSM_INSTALL_DIR/bin/start
+ExecStop=$HSM_INSTALL_DIR/bin/stop
+Restart=on-failure
+RestartSec=10
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dist/sgx/scripts/install_service b/dist/sgx/scripts/install_service
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Require superuser
+if ! [ "$(id -u)" == "0" ]; then
+    echo -e "\e[1;31mPlease run with sudo.\e[0m"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+	echo -e "\e[1;31mUsage: $0 <service-file>\e[0m"
+	exit 1
+fi
+
+SERVICE_UNIT=$(realpath $1)
+if [ ! -f "$SERVICE_UNIT" ]; then
+	echo "\e[1;31mService file not found: $SERVICE_UNIT\e[0m"
+	exit 1
+fi
+
+# Extract the installation directory from the service file
+INSTALL_DIR=$(grep -oP 'WorkingDirectory=\K.*' $SERVICE_UNIT)
+if [ -z "$INSTALL_DIR" ]; then
+	echo -e "\e[1;31mCould not extract installation directory from service file.\e[0m"
+	exit 1
+fi
+
+echo -e "\e[1;32mCreating hsm user and group...\e[0m"
+if ! id -u hsm >/dev/null 2>&1; then
+    useradd -rm -s /bin/bash hsm || exit $?
+	usermod -aG docker hsm || exit $?
+else
+    echo -e "\e[1;33mUser 'hsm' already exists. Skipping user creation.\e[0m"
+fi
+
+echo -e "\e[1;32mCreating net_hsm network...\e[0m"
+docker network rm net_hsm 2> /dev/null
+docker network create net_hsm || exit $?
+
+echo -e "\e[1;32mSetting permisions...\e[0m"
+chown -R root:hsm $INSTALL_DIR || exit $?
+chmod 664 $INSTALL_DIR/*.dat || exit $?
+
+echo -e "\e[1;32mCreating service...\e[0m"
+cp $SERVICE_UNIT /etc/systemd/system/hsmsgx.service
+systemctl daemon-reload || exit $?
+echo -e "\e[1;32mEnabling service...\e[0m"
+systemctl enable hsmsgx.service || exit $?
+echo -e "\e[1;32mEStarting service...\e[0m"
+systemctl start hsmsgx.service || exit $?
+echo -e "\e[1;32mService started.\e[0m"
+echo -e "\e[1;32mTo check the status of the service, run 'systemctl status hsmsgx.service'.\e[0m"
+exit 0
diff --git a/dist/sgx/scripts/setup b/dist/sgx/scripts/setup
@@ -35,6 +35,12 @@ EXPORT_DIR="$ROOT_DIR/export"
 PUBLIC_KEY_FILE="$EXPORT_DIR/public-keys.txt"
 PUBLIC_KEY_FILE_JSON="$EXPORT_DIR/public-keys.json"
 
+# HSM scripts directory
+SCRIPTS_DIR=$ROOT_DIR/scripts
+
+# Directory where the finalized systemd service unit will be saved
+SERVICE_DIR=$ROOT_DIR/service
+
 function checkHsmBinaries() {
     # Check for HSM binary files
     FILES="$HSMBIN_DIR/hsmsgx $HSMBIN_DIR/hsmsgx_enclave.signed"
@@ -96,6 +102,15 @@ function selectInstallationDir() {
     done
 }
 
+function createServiceUnit() {
+    rm -rf $SERVICE_DIR
+    mkdir $SERVICE_DIR
+
+    cp $SCRIPTS_DIR/hsmsgx.service $SERVICE_DIR
+    # Replace the $HSM_INSTALL_DIR token in the script with the actual installation directory
+    sed -i "s|\$HSM_INSTALL_DIR|$INSTALL_DIR|g" $SERVICE_DIR/hsmsgx.service
+}
+
 function installPowHsm() {
     mkdir $REAL_INSTALL_DIR/bin
     cp -R $HSMBIN_DIR/* $REAL_INSTALL_DIR/bin
@@ -134,6 +149,7 @@ checkForPinFile
 checkHsmBinaries
 expandBinaries
 selectInstallationDir
+createServiceUnit
 echo
 echo -e "\e[1;32mInstalling the powHSM...\e[0m"
 installPowHsm

diff --git a/dist/sgx/setup-new-powhsm b/dist/sgx/setup-new-powhsm
@@ -1,3 +1,21 @@
 #!/bin/bash
 
-$(dirname $0)/scripts/run_with_docker ./scripts/setup $1
+# Require superuser, since we need to install a service in the host
+if ! [ "$(id -u)" == "0" ]; then
+    echo -e "\e[1;32mPlease run with sudo.\e[0m"
+    exit 1
+fi
+
+ROOT_DIR=$(realpath $(dirname $0))
+$ROOT_DIR/scripts/run_with_docker ./scripts/setup $1
+if [ $? -ne 0 ]; then
+	echo -e "\e[1;31m Error during the powhsm setup, aborting \e[0m"
+	exit 1
+fi
+
+$ROOT_DIR/scripts/install_service $ROOT_DIR/service/hsmsgx.service
+if [ $? -ne 0 ]; then
+	echo -e "\e[1;31m Error during the powhsm service installation, aborting \e[0m"
+	exit 1
+fi
+echo -e "\e[1;32mHSM SGX setup done.\e[0m"