feat: Docker set-p + basic signing key management

binglekruger · binglekruger · commit 2df262fe86a0 · 2024-11-28T14:50:18.000Z
diff --git a/docs/installation/sgx-mvp.md b/docs/installation/sgx-mvp.md
@@ -27,6 +27,11 @@ Before installing the Nautilus MVP, ensure your system meets the following requi
 
     Follow the instructions in the [Gramine Installation Guide](https://gramine.readthedocs.io/en/stable/installation.html#install-gramine-packages-1) under "Install Gramine packages" and [Prepare a signing key](https://gramine.readthedocs.io/en/stable/quickstart.html#prepare-a-signing-key).
 
+    ```sh
+    gramine-sgx-gen-private-key keys/enclave-key.pem
+    chmod 400 keys/enclave-key.pem
+    ```
+
 3. **Rust Environment**
 
     ```sh
diff --git a/sgx-mvp/LICENSE b/sgx-mvp/LICENSE
diff --git a/sgx-mvp/Makefile b/sgx-mvp/Makefile
@@ -46,7 +46,8 @@ sgx-mvp.manifest.sgx sgx-mvp.sig: sgx_sign
 sgx_sign: sgx-mvp.manifest $(SELF_EXE)
 	gramine-sgx-sign \
 		--manifest $< \
-		--output $<.sgx
+		--output $<.sgx \
+		--key keys/enclave-key.pem
 
 ifeq ($(SGX),)
 GRAMINE = gramine-direct
diff --git a/sgx-mvp/README.md b/sgx-mvp/README.md
@@ -14,6 +14,11 @@ This directory contains all the relevant SGX code for NTC-MVP.
 
 1. Follow the instructions in the [Gramine Installation Guide](https://gramine.readthedocs.io/en/stable/installation.html#install-gramine-packages-1) under "Install Gramine packages" and [Prepare a signing key](https://gramine.readthedocs.io/en/stable/quickstart.html#prepare-a-signing-key).
 
+```sh
+gramine-sgx-gen-private-key keys/enclave-key.pem
+chmod 400 keys/enclave-key.pem
+```
+
 2. Ensure that Python 3.8 is installed. If necessary, modify the path(s) in the [sgx-mvp.manifest.template](https://github.com/ntls-io/trusted-compute-MVP/blob/main/sgx-mvp/sgx-mvp.manifest.template) to match your setup.
 
     Ensure that you have the necessary Python development package installed:
diff --git a/sgx-mvp/docker/Dockerfile b/sgx-mvp/docker/Dockerfile
@@ -0,0 +1,100 @@
+ARG UBUNTU_IMAGE=ubuntu:20.04
+FROM ${UBUNTU_IMAGE}
+
+# ARGs cannot be grouped since each FROM in a Dockerfile initiates a new build
+# stage, resulting in the loss of ARG values from earlier stages.
+ARG UBUNTU_CODENAME=focal
+
+# Base Gramine setup
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y curl gnupg2 binutils
+
+RUN curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ '${UBUNTU_CODENAME}' main' > /etc/apt/sources.list.d/gramine.list
+
+RUN curl -fsSLo /usr/share/keyrings/intel-sgx-deb.key https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.key] https://download.01.org/intel-sgx/sgx_repo/ubuntu '${UBUNTU_CODENAME}' main' > /etc/apt/sources.list.d/intel-sgx.list
+
+# Install Gramine and dependencies
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y gramine \
+    sgx-aesm-service \
+    libsgx-aesm-launch-plugin \
+    libsgx-aesm-epid-plugin \
+    libsgx-aesm-quote-ex-plugin \
+    libsgx-aesm-ecdsa-plugin \
+    libsgx-dcap-quote-verify \
+    psmisc \
+    git \
+    make \
+    cmake \
+    python3.8-dev \
+    python3-numpy \
+    python3-scipy \
+    libffi-dev \
+    libssl-dev \
+    ca-certificates \
+    pkg-config \
+    wget \
+    software-properties-common \
+    clang \
+    llvm && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Set Clang as the default compiler
+ENV CC=clang
+ENV CXX=clang++
+
+# Install Azure DCAP client
+RUN wget -qO- https://packages.microsoft.com/keys/microsoft.asc | apt-key add - && \
+    DEBIAN_FRONTEND=noninteractive add-apt-repository "deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main" && \
+    apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y az-dcap-client && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install Rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Clone only the sgx-mvp directory
+WORKDIR /app
+RUN git clone --depth 1 --sparse https://github.com/ntls-io/trusted-compute-MVP.git && \
+    cd trusted-compute-MVP && \
+    git sparse-checkout set sgx-mvp
+
+# Create necessary library directory
+RUN mkdir -p /lib/x86_64-pc-linux-gnu && \
+    ln -s /lib/x86_64-linux-gnu/* /lib/x86_64-pc-linux-gnu/
+
+RUN mkdir -p /var/run/aesmd/
+
+# Build the MVP with temporarily mounted key
+RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/keys/enclave-key.pem \
+    cd /app/trusted-compute-MVP/sgx-mvp && \
+    make SGX=1 RA_TYPE=dcap && \
+    rm -f /app/trusted-compute-MVP/keys/enclave-key.pem
+
+COPY restart_aesm.sh /restart_aesm.sh
+
+# Expose the server port
+EXPOSE 8080
+ENV HOST=127.0.0.1
+ENV PORT=8080
+
+# Add socat for port forwarding
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y socat && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create a startup script to handle port forwarding
+RUN echo '#!/bin/bash\n\
+/restart_aesm.sh\n\
+socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080 & \n\
+gramine-sgx sgx-mvp\n'\
+> /start.sh && chmod +x /start.sh
+
+ENTRYPOINT ["/bin/sh", "-c"]
+CMD ["/start.sh"]
diff --git a/sgx-mvp/docker/build.sh b/sgx-mvp/docker/build.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+    echo "Usage: build.sh [ubuntu20,ubuntu22]"
+    exit 1
+}
+
+if [ $# -ne 1 ]; then
+    usage
+fi
+
+image=""
+codename=""
+key_path="../keys/enclave-key.pem"
+
+case "$1" in
+    ubuntu20)
+        image="ubuntu:20.04"
+        codename="focal"
+        ;;
+    ubuntu22)
+        image="ubuntu:22.04"
+        codename="jammy"
+        ;;
+    *)
+        usage
+        ;;
+esac
+
+# Check if key exists
+if [ ! -f "$key_path" ]; then
+    echo "No signing key found at $key_path"
+    echo "For development:"
+    echo "    gramine-sgx-gen-private-key /keys/enclave-key.pem"
+    echo "For production:"
+    echo "    Please use your production signing key"
+    exit 1
+fi
+
+# Build the image, mounting the key at build time
+docker build \
+    --build-arg UBUNTU_IMAGE="${image}" \
+    --build-arg UBUNTU_CODENAME="${codename}" \
+    --secret id=enclave_key,src="$key_path" \
+    -t sgx-mvp:stable-"${codename}" \
+    .
+
+echo "Build complete!"
diff --git a/sgx-mvp/docker/restart_aesm.sh b/sgx-mvp/docker/restart_aesm.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+killall -q aesm_service || true
+
+AESM_PATH=/opt/intel/sgx-aesm-service/aesm LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm exec /opt/intel/sgx-aesm-service/aesm/aesm_service --no-syslog
diff --git a/sgx-mvp/keys/.gitignore b/sgx-mvp/keys/.gitignore
@@ -0,0 +1,5 @@
+# Ignore all files in this directory
+*
+# Except this file
+!.gitignore
+!README.md
diff --git a/sgx-mvp/keys/README.md b/sgx-mvp/keys/README.md
@@ -0,0 +1,27 @@
+# SGX Signing Keys
+
+This directory contains the SGX enclave signing key used during the build process.
+
+## Development Setup
+
+To generate a development key:
+
+```bash
+cd sgx-mvp
+gramine-sgx-gen-private-key keys/enclave-key.pem
+chmod 400 keys/enclave-key.pem
+```
+
+## Production Usage
+
+For production deployments:
+1. Use your organization's production signing key
+2. Store the key securely (never commit to version control)
+3. Use appropriate key management systems
+4. Consider using different keys per environment
+
+## Security Notes
+
+- Keys should have restricted permissions (chmod 400)
+- Development keys should be generated locally
+- Production keys should be managed through secure key management
