diff --git a/Dockerfile b/Dockerfile index dc86ff4..1c5591f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,52 @@ +FROM ubuntu:22.04 as gramine-build +USER root +ENV DEBIAN_FRONTEND=noninteractive +ENV TS=Etc/UTC +ENV LANG C.UTF-8 +ENV LC_ALL C.UTF-8 + +WORKDIR /root +RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker +RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker + +ARG KERNEL_VERSION=6.2.0-39-generic + +RUN apt-get update && apt-get upgrade -y && apt-get install -y \ + git \ + build-essential \ + protobuf-compiler \ + libprotobuf-dev \ + libprotobuf-c-dev \ + protobuf-c-compiler \ + autoconf \ + bison \ + gawk \ + nasm \ + ninja-build \ + meson \ + pkg-config \ + python3 \ + python3-pip \ + python3-cryptography \ + python3-click \ + python3-jinja2 \ + python3-protobuf \ + python3-pyelftools \ + python3-tomli \ + python3-tomli-w \ + wget \ + linux-headers-$KERNEL_VERSION && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* +RUN git clone https://github.com/gramineproject/gramine +RUN cd gramine/ && git checkout 0bea67b7b7c00ce351d8f308268c6a6979996d8c && \ + meson setup build/ --buildtype=release \ + -Ddirect=enabled \ + -Dsgx=enabled \ + -Dsgx_driver_include_path=/usr/src/linux-headers-$KERNEL_VERSION/arch/x86/include/uapi && \ + ninja -C build/ && \ + ninja -C build/ install + FROM ubuntu:22.04 USER root @@ -11,14 +60,24 @@ ENV PYTHONUNBUFFERED 1 RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker -RUN apt-get update && apt-get install -y \ +RUN apt-get update && apt-get upgrade -y && apt-get install -y \ git \ build-essential \ pkg-config \ curl \ + libprotobuf-dev \ + libprotobuf-c-dev \ + protobuf-c-compiler \ python3 \ python3-pip \ python3-venv \ + python3-cryptography \ + python3-click \ + python3-jinja2 \ + python3-protobuf \ + python3-pyelftools \ + python3-tomli \ + python3-tomli-w \ gnupg \ ca-certificates \ curl \ @@ -26,17 +85,15 @@ RUN apt-get update && apt-get install -y \ wget && \ rm -rf /var/lib/apt/lists/* -# Gramine APT repository -RUN curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg && \ - echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ jammy main" \ - | tee /etc/apt/sources.list.d/gramine.list +COPY --from=gramine-build /usr/local/bin/gramine-* /usr/local/bin/ +COPY --from=gramine-build /usr/local/lib/python3.10/dist-packages/graminelibos /usr/local/lib/python3.10/dist-packages/graminelibos +COPY --from=gramine-build /usr/local/lib/x86_64-linux-gnu/gramine/ /usr/local/lib/x86_64-linux-gnu/gramine/ # Intel SGX APT repository RUN curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key && \ echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \ | tee /etc/apt/sources.list.d/intel-sgx.list - # Install Intel SGX dependencies and Gramine RUN apt-get update && apt-get install -y \ libsgx-launch \ @@ -48,14 +105,13 @@ RUN apt-get update && apt-get install -y \ linux-base-sgx \ libsgx-dcap-default-qpl \ sgx-aesm-service \ - libsgx-aesm-quote-ex-plugin \ - gramine && \ + libsgx-aesm-quote-ex-plugin && \ rm -rf /var/lib/apt/lists/* WORKDIR /opt/intel -ARG SGX_SDK_VERSION=2.19 -ARG SGX_SDK_INSTALLER=sgx_linux_x64_sdk_2.19.100.3.bin +ARG SGX_SDK_VERSION=2.22 +ARG SGX_SDK_INSTALLER=sgx_linux_x64_sdk_2.22.100.3.bin # Install Intel SGX SDK RUN curl -fsSLo $SGX_SDK_INSTALLER https://download.01.org/intel-sgx/sgx-linux/$SGX_SDK_VERSION/distro/ubuntu22.04-server/$SGX_SDK_INSTALLER \ diff --git a/python.manifest.template b/python.manifest.template index 5eea105..b4a568c 100644 --- a/python.manifest.template +++ b/python.manifest.template @@ -10,6 +10,8 @@ loader.env.PYTHONUNBUFFERED = "1" loader.env.TMP_PATH = "/tmp" loader.env.HOME = "/root" loader.env.KEY_PATH = "/key" +loader.env.ENCLAVE_SK_PATH = "/key/enclave.key" +loader.env.ENCLAVE_PK_PATH = "/key/enclave.pub" loader.env.SECRETS_PATH = "/root/.cache/mse/secrets.json" loader.env.SEALED_SECRETS_PATH = "/root/.cache/mse/sealed_secrets.json" loader.env.MODULE_PATH = "/mse-app"