move attestation api dependencies for pdo to separate script, and call that from pdo docker build

Signed-off-by: Bruno Vavala <[email protected]>

Author: bvavala

Diff for: build/common-config.sh

@@ -34,6 +34,12 @@ var_set() {
 	"
 	env_key_sort[$i]="WASM_SRC"; i=$i+1; export WASM_SRC=${env_val[WASM_SRC]};
 
+	env_val[DCAP_PRIMITIVES]="${DCAP_PRIMITIVES:-/tmp/SGXDataCenterAttestationPrimitives}"
+	env_desc[DCAP_PRIMITIVES]="
+	    DCAP_PRIMITIVES points to the source repo of DCAP
+	"
+	env_key_sort[$i]="DCAP_PRIMITIVES"; i=$i+1; export DCAP_PRIMITIVES=${env_val[DCAP_PRIMITIVES]};
+
 	env_val[PDO_MEMORY_CONFIG]="${PDO_MEMORY_CONFIG:-MEDIUM}"
 	env_desc[PDO_MEMORY_CONFIG]="
 		PDO_MEMORY_CONFIG indicates the memory configuration for the

Diff for: common/crypto/attestation-api/CMakeLists.txt

@@ -12,6 +12,10 @@ set(CMAKE_CXX_EXTENSIONS OFF)
 
 INCLUDE(CMakeVariables.txt)
 
+IF (NOT DEFINED ENV{DCAP_PRIMITIVES})
+  MESSAGE(FATAL_ERROR "DCAP_PRIMITIVES variable with source repo path not defined")
+ENDIF()
+
 ###################################################################################################
 # First run cmake in common
 ###################################################################################################
@@ -95,6 +99,7 @@ ADD_CUSTOM_COMMAND(TARGET ${B64ATTESTATION_TO_B64COLLATERAL}
 
 TARGET_INCLUDE_DIRECTORIES(${B64ATTESTATION_TO_B64COLLATERAL} PRIVATE common)
 
+# newer DCAP (1.22) libs need the qal (older, 1.19, don't)
 SET(DCAP_LINK_LIBS ${DCAP_QV_PATH}/appraisal/qal/libdcap_qal.a)
 
 TARGET_LINK_LIBRARIES(${B64ATTESTATION_TO_B64COLLATERAL}

Diff for: common/crypto/attestation-api/docker/container/README.md

@@ -0,0 +1,3 @@
+This directory contains scripts to set up the attestation API dependencies in the docker container.
+
+The scripts are obviously meant to be run before the attestation API build and, possibly, during the docker build.

Diff for: common/crypto/attestation-api/docker/container/setup.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+apt-get update
+
+# install quote library, necessary for dcap attestation generation
+# install quote verify library, necessary for attestation conversion and verification
+# (though inside the enclave we use the static libraries of DCAP)
+apt-get install -y \
+    --no-install-recommends \
+    libsgx-dcap-ql-dev \
+    libsgx-dcap-quote-verify-dev
+
+# -----------------------------------------------------------------
+# SGX DCAP Primitives
+# -----------------------------------------------------------------
+apt-get install -y -q \
+    libboost-dev \
+    libboost-system-dev \
+    libboost-thread-dev \
+    protobuf-c-compiler \
+    libprotobuf-c-dev \
+    protobuf-compiler
+
+# Note: libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h
+apt-get install -y \
+    basez \
+    clang \
+    libsgx-dcap-default-qpl \
+    libsgx-dcap-default-qpl-dev \
+    jq
+
+export DCAP=1.22
+
+git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${DCAP_PRIMITIVES} \
+    && cd ${DCAP_PRIMITIVES}/QuoteVerification \
+    && git checkout DCAP_${DCAP} \
+    && git submodule update --init --recursive
+
+cd ${DCAP_PRIMITIVES}/QuoteGeneration \
+    && ./download_prebuilt.sh \
+    && make GEN_STATIC=1
+
+# NOTE: below the build (./release) is run twice. Unfortunately, this is necessary because both builds fails
+# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result.
+# This issue has been communicated to the developers of the DCAP primitives. 
+cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src
+./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF || true
+./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
+
+# set up the qcnl to connect to the local pccs for dcap verification collateral
+echo '{\n\
+    "pccs_url": "https://localhost:8081/sgx/certification/v4/", \n\
+    "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",\n\
+    "use_secure_cert": false\n\
+    }' > /etc/sgx_default_qcnl.conf
+

Diff for: docker/pdo_services_base.dockerfile

@@ -36,8 +36,6 @@ RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${U
     --no-install-recommends \
     libsgx-urts \
     libsgx-uae-service \
-    libsgx-dcap-ql-dev \
-    libsgx-dcap-quote-verify-dev \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
@@ -86,50 +84,14 @@ RUN . /opt/intel/sgxsdk/environment \
 
 ENV SGX_SSL="/opt/intel/sgxssl"
 
-
 # -----------------------------------------------------------------
-# SGX DCAP Primitives
+# Install dependencies for Attestation API
 # -----------------------------------------------------------------
-RUN apt-get update
-RUN apt-get install -y -q \
-        libboost-dev \
-        libboost-system-dev \
-        libboost-thread-dev \
-        protobuf-c-compiler \
-        libprotobuf-c-dev \
-        protobuf-compiler
-RUN apt-get install -y \
-        basez \
-        clang \
-        libsgx-dcap-default-qpl \
-        #libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h
-        libsgx-dcap-default-qpl-dev \
-        jq
-
-ARG DCAP=1.22
-ENV DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives
-
-RUN git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${DCAP_PRIMITIVES} \
-    && cd ${DCAP_PRIMITIVES}/QuoteVerification \
-    && git checkout DCAP_${DCAP} \
-    && git submodule update --init --recursive
-
-RUN cd ${DCAP_PRIMITIVES}/QuoteGeneration \
-        && ./download_prebuilt.sh \
-        && make GEN_STATIC=1
-
-# NOTE: below the build (./release) is run twice. Unfortunately, this is necessary because both builds fails
-# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result.
-# This issue has been communicated to the developers of the DCAP primitives.
-RUN cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src \
-    && ./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF ; ./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
-
-RUN echo '{\n\
-    "pccs_url": "https://localhost:8081/sgx/certification/v4/", \n\
-    "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",\n\
-    "use_secure_cert": false\n\
-    }' > /etc/sgx_default_qcnl.conf
 
+# as the pdo repo is not available at this point, we copy the script in the container
+COPY repository/common/crypto/attestation-api/docker/container/setup.sh /tmp
+RUN DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives /tmp/setup.sh
+RUN rm /tmp/setup.sh
 
 # -----------------------------------------------------------------
 # -----------------------------------------------------------------

Diff for: docker/tools/environment.sh

@@ -35,6 +35,7 @@ export PDO_HOME=${PDO_INSTALL_ROOT}/opt/pdo
 export PDO_LEDGER_KEY_ROOT=${PDO_HOME}/keys/ledger
 export PDO_LEDGER_KEY_SKF=${PDO_LEDGER_KEY_ROOT}/pdo_validator.priv
 export WASM_SRC="${PDO_SOURCE_ROOT}/interpreters/wasm-micro-runtime"
+export DCAP_PRIMITIVES=${DCAP_PRIMITIVES:-/tmp/SGXDataCenterAttestationPrimitives}
 
 if [ ${PDO_LEDGER_TYPE,,} = "ccf" ]; then
     export PDO_DEFAULT_SIGCURVE=SECP384R1