Fix use new manifest and binaries

Cosmian · Dec 12, 2023 · c04299f · c04299f
1 parent 78046c9
commit c04299f
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/mse-memory.py b/mse-memory.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 
-from pathlib import Path
 import sys
+from pathlib import Path
 
 import tomli
 

diff --git a/mse-run.sh b/mse-run.sh
@@ -39,7 +39,7 @@ set_default_variables() {
     FORCE=0
     HOST="0.0.0.0"
     PORT="443"
-    SUBJECT="CN=cosmian.app,O=Cosmian Tech,C=FR,L=Paris,ST=Ile-de-France"
+    SUBJECT="CN=cosmian.io,O=Cosmian Tech,C=FR,L=Paris,ST=Ile-de-France"
 
     # Constant variables
     PACKAGE_DIR="/opt/input" # Location of the src package
@@ -169,10 +169,15 @@ OWNER_GROUP=$(stat -c "%u:%g" "$PACKAGE_CODE_TARBALL")
 if [ ! -f $MANIFEST_SGX ] || [ $FORCE -eq 1 ]; then
     echo "Untar the code..."
     mkdir -p "$APP_DIR"
+    APP_DIR_OWNER_GROUP=$(stat -c "%u:%g" "$APP_DIR")
+
     tar xvf "$PACKAGE_CODE_TARBALL" -C "$APP_DIR" --no-same-owner
-    # We should put the same owner to the untar files to be able to 
-    # remove them outside the docker when computing the MREnclave for instance
-    chown -R "$OWNER_GROUP" "$APP_DIR"
+
+    if [ "$OWNER_GROUP" != "$APP_DIR_OWNER_GROUP" ]; then
+        # We should put the same owner to the untar files to be able to 
+        # remove them outside the docker when computing the MREnclave for instance
+        chown -R "$OWNER_GROUP" "$APP_DIR"
+    fi
 
     # Install dependencies
     # /!\ should not be used to verify MRENCLAVE on client side
@@ -193,7 +198,12 @@ if [ ! -f $MANIFEST_SGX ] || [ $FORCE -eq 1 ]; then
     # Prepare the certificate if necessary
     if [ -f "$PACKAGE_CERT_PATH" ]; then
         cp "$PACKAGE_CERT_PATH" "$CERT_PATH"
-        chown -R "$OWNER_GROUP" "$CERT_PATH"
+
+        CERT_PATH_OWNER_GROUP=$(stat -c "%u:%g" "$CERT_PATH")
+        if [ "$OWNER_GROUP" != "$CERT_PATH_OWNER_GROUP" ]; then
+            chown -R "$OWNER_GROUP" "$CERT_PATH"
+        fi
+
         SSL_APP_MODE="--certificate"
         SSL_APP_MODE_VALUE="$CERT_PATH"
     else
@@ -262,3 +272,4 @@ if [ $DRY_RUN -eq 0 ]; then
     # Start the enclave
     gramine-sgx ./python
 fi
+
diff --git a/python.manifest.template b/python.manifest.template
@@ -3,7 +3,7 @@ libos.entrypoint = "{{ entrypoint }}"
 loader.log_level = "{{ log_level }}"
 
 loader.env.LD_LIBRARY_PATH = "/lib:/usr/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
-loader.env.PYTHONPATH = "/usr/local/lib/python3.8/site-packages"
+loader.env.PYTHONPATH = "/usr/local/lib/python3.10/site-packages"
 loader.env.PYTHONDONTWRITEBYTECODE = "1"
 loader.env.PYTHONPYCACHEPREFIX = "/tmp"
 loader.env.PYTHONUNBUFFERED = "1"
@@ -25,7 +25,7 @@ fs.mounts = [
   { path = "{{ entrypoint }}", uri = "file:{{ entrypoint }}" },
   { path = "{{ python.stdlib }}", uri = "file:{{ python.stdlib }}" },
   { path = "/usr/local/bin/mse-bootstrap", uri = "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/bin/mse-bootstrap" },
-  { path = "/usr/local/lib/python3.8", uri = "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.8" },
+  { path = "/usr/local/lib/python3.10", uri = "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.10" },
   { path = "/tmp", type = "tmpfs" },
   { path = "/opt/input/app", uri = "file:{{ app_dir }}/" },
   { path = "/root", uri = "file:{{ home_dir }}/", type = "encrypted",  key_name = "_sgx_mrenclave" },
@@ -47,7 +47,7 @@ sgx.trusted_files = [
   "file:{{ arch_libdir }}/",
   "file:/usr/{{ arch_libdir }}/",
   "file:{{ python.stdlib }}/",
-  "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.8/",
+  "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.10/",
   "file:/etc/localtime",
   "file:/etc/mime.types",
   "file:/usr/share/zoneinfo/UTC",