From c04299fce7ae5435f4d2544467486fd5ab4fdff1 Mon Sep 17 00:00:00 2001
From: grydz
Date: Wed, 13 Dec 2023 01:50:36 +0400
Subject: [PATCH] Fix use new manifest and binaries
---
 mse-memory.py | 2 +-
 mse-run.sh | 21 ++++++++++++++++-----
 python.manifest.template | 6 +++---
 3 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/mse-memory.py b/mse-memory.py
index b1d4f21..2aa5541 100755
--- a/mse-memory.py
+++ b/mse-memory.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
-from pathlib import Path
 import sys
+from pathlib import Path
 import tomli
diff --git a/mse-run.sh b/mse-run.sh
index 6796bcf..5a81028 100755
--- a/mse-run.sh
+++ b/mse-run.sh
@@ -39,7 +39,7 @@ set_default_variables() {
 FORCE=0
 HOST="0.0.0.0"
 PORT="443"
- SUBJECT="CN=cosmian.app,O=Cosmian Tech,C=FR,L=Paris,ST=Ile-de-France"
+ SUBJECT="CN=cosmian.io,O=Cosmian Tech,C=FR,L=Paris,ST=Ile-de-France"
 # Constant variables
 PACKAGE_DIR="/opt/input" # Location of the src package
@@ -169,10 +169,15 @@ OWNER_GROUP=$(stat -c "%u:%g" "$PACKAGE_CODE_TARBALL")
 if [ ! -f $MANIFEST_SGX ] || [ $FORCE -eq 1 ]; then
 echo "Untar the code..."
 mkdir -p "$APP_DIR"
+ APP_DIR_OWNER_GROUP=$(stat -c "%u:%g" "$APP_DIR")
+
 tar xvf "$PACKAGE_CODE_TARBALL" -C "$APP_DIR" --no-same-owner
- # We should put the same owner to the untar files to be able to
- # remove them outside the docker when computing the MREnclave for instance
- chown -R "$OWNER_GROUP" "$APP_DIR"
+
+ if [ "$OWNER_GROUP" != "$APP_DIR_OWNER_GROUP" ]; then
+ # We should put the same owner to the untar files to be able to
+ # remove them outside the docker when computing the MREnclave for instance
+ chown -R "$OWNER_GROUP" "$APP_DIR"
+ fi
 # Install dependencies
 # /!\ should not be used to verify MRENCLAVE on client side
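Review bot: The new guard around `chown -R` compares `$OWNER_GROUP` with the owner of `$APP_DIR`, but `tar --no-same-owner` gives the extracted files to the user running this script, not to the directory's owner, so when `$APP_DIR` already existed and belonged to the tarball's owner the two values match, the `chown` is skipped and the extracted files keep the script user's ownership — exactly the situation the comment says the `chown` exists to avoid. The `stat` is also taken right after `mkdir -p`, so it only reflects this run's ownership when the directory did not exist before. Comparing with the user tar actually ran as is what the intent needs: drop the `APP_DIR_OWNER_GROUP` line and write `if [ "$OWNER_GROUP" != "$(id -u):$(id -g)" ]; then`. The enclosing `if [ ! -f $MANIFEST_SGX ] ...` block closes outside the hunk.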
@@ -193,7 +198,12 @@ if [ ! -f $MANIFEST_SGX ] || [ $FORCE -eq 1 ]; then
 # Prepare the certificate if necessary
 if [ -f "$PACKAGE_CERT_PATH" ]; then
 cp "$PACKAGE_CERT_PATH" "$CERT_PATH"
- chown -R "$OWNER_GROUP" "$CERT_PATH"
+ CERT_PATH_OWNER_GROUP=$(stat -c "%u:%g" "$CERT_PATH")
+ if [ "$OWNER_GROUP" != "$CERT_PATH_OWNER_GROUP" ]; then
+ chown -R "$OWNER_GROUP" "$CERT_PATH"
+ fi
+
 SSL_APP_MODE="--certificate"
 SSL_APP_MODE_VALUE="$CERT_PATH"
 else
@@ -262,3 +272,4 @@ if [ $DRY_RUN -eq 0 ]; then
 # Start the enclave
 gramine-sgx ./python
 fi
+
diff --git a/python.manifest.template b/python.manifest.template
index d664478..5eea105 100644
--- a/python.manifest.template
+++ b/python.manifest.template
@@ -3,7 +3,7 @@
 libos.entrypoint = "{{ entrypoint }}"
 loader.log_level = "{{ log_level }}"
 loader.env.LD_LIBRARY_PATH = "/lib:/usr/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
-loader.env.PYTHONPATH = "/usr/local/lib/python3.8/site-packages"
+loader.env.PYTHONPATH = "/usr/local/lib/python3.10/site-packages"
 loader.env.PYTHONDONTWRITEBYTECODE = "1"
 loader.env.PYTHONPYCACHEPREFIX = "/tmp"
 loader.env.PYTHONUNBUFFERED = "1"
@@ -25,7 +25,7 @@ fs.mounts = [
 { path = "{{ entrypoint }}", uri = "file:{{ entrypoint }}" },
 { path = "{{ python.stdlib }}", uri = "file:{{ python.stdlib }}" },
 { path = "/usr/local/bin/mse-bootstrap", uri = "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/bin/mse-bootstrap" },
- { path = "/usr/local/lib/python3.8", uri = "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.8" },
+ { path = "/usr/local/lib/python3.10", uri = "file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.10" },
 { path = "/tmp", type = "tmpfs" },
 { path = "/opt/input/app", uri = "file:{{ app_dir }}/" },
 { path = "/root", uri = "file:{{ home_dir }}/", type = "encrypted", key_name = "_sgx_mrenclave" },
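Review bot: `chown -R "$OWNER_GROUP" "$CERT_PATH"` recurses over what the `cp` just above wrote as a single file; a plain `chown "$OWNER_GROUP" "$CERT_PATH"` says what is meant and cannot descend into anything unexpected should `$CERT_PATH` ever name a directory. The guard itself is sound here because the `stat` runs after the `cp` and therefore sees the owner of the file that was actually written. Both the `if [ -f "$PACKAGE_CERT_PATH" ]` branch and the outer `if [ ! -f $MANIFEST_SGX ]` block named in the hunk header continue past the end of the hunk.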
@@ -47,7 +47,7 @@ sgx.trusted_files = [
 "file:{{ arch_libdir }}/",
 "file:/usr/{{ arch_libdir }}/",
 "file:{{ python.stdlib }}/",
-"file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.8/",
+"file:{{ env.get('GRAMINE_VENV', '/usr/local') }}/lib/python3.10/",
 "file:/etc/localtime",
 "file:/etc/mime.types",
 "file:/usr/share/zoneinfo/UTC",
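Review bot: The interpreter minor version `3.10` is now a literal in three independent places of this template — this `sgx.trusted_files` entry, the `/usr/local/lib/python3.10` mount and `loader.env.PYTHONPATH` — with nothing keeping them aligned, so the next bump that misses one of them leaves either a mounted tree outside the measured set (whose files Gramine will then refuse to open) or a `PYTHONPATH` that resolves to nothing inside the enclave. A single template variable, say `{{ python_version }}` supplied at render time and written as `lib/python{{ python_version }}/` in all three entries, would make the measured tree, the mount and the import path move together; how that variable reaches the template depends on the manifest rendering command, which is not part of this diff. The `sgx.trusted_files` list opens in the hunk header and continues past the hunk.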