Enclave key for end users #19

wants to merge 4 commits into
base: main
from
76 changes: 66 additions & 10 deletions Dockerfile
@@ -1,3 +1,52 @@
FROM ubuntu:22.04 as gramine-build
USER root
ENV DEBIAN_FRONTEND=noninteractive
ENV TS=Etc/UTC
ENV LANG C.UTF-8
ENV LC_ALL C.UTF-8

WORKDIR /root
RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker
RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker

ARG KERNEL_VERSION=6.2.0-39-generic

RUN apt-get update && apt-get upgrade -y && apt-get install -y \
git \
build-essential \
protobuf-compiler \
libprotobuf-dev \
libprotobuf-c-dev \
protobuf-c-compiler \
autoconf \
bison \
gawk \
nasm \
ninja-build \
meson \
pkg-config \
python3 \
python3-pip \
python3-cryptography \
python3-click \
python3-jinja2 \
python3-protobuf \
python3-pyelftools \
python3-tomli \
python3-tomli-w \
wget \
linux-headers-$KERNEL_VERSION && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN git clone https://github.com/gramineproject/gramine
RUN cd gramine/ && git checkout 0bea67b7b7c00ce351d8f308268c6a6979996d8c && \
meson setup build/ --buildtype=release \
-Ddirect=enabled \
-Dsgx=enabled \
-Dsgx_driver_include_path=/usr/src/linux-headers-$KERNEL_VERSION/arch/x86/include/uapi && \
ninja -C build/ && \
ninja -C build/ install

FROM ubuntu:22.04

USER root
Expand All @@ -11,32 +60,40 @@ ENV PYTHONUNBUFFERED 1

RUN echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/00-docker
RUN echo 'APT::Install-Recommends "0";' >> /etc/apt/apt.conf.d/00-docker
RUN apt-get update && apt-get install -y \
RUN apt-get update && apt-get upgrade -y && apt-get install -y \
git \
build-essential \
pkg-config \
curl \
libprotobuf-dev \
libprotobuf-c-dev \
protobuf-c-compiler \
python3 \
python3-pip \
python3-venv \
python3-cryptography \
python3-click \
python3-jinja2 \
python3-protobuf \
python3-pyelftools \
python3-tomli \
python3-tomli-w \
gnupg \
ca-certificates \
curl \
tzdata \
wget && \
rm -rf /var/lib/apt/lists/*

# Gramine APT repository
RUN curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg && \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ jammy main" \
| tee /etc/apt/sources.list.d/gramine.list
COPY --from=gramine-build /usr/local/bin/gramine-* /usr/local/bin/
COPY --from=gramine-build /usr/local/lib/python3.10/dist-packages/graminelibos /usr/local/lib/python3.10/dist-packages/graminelibos
COPY --from=gramine-build /usr/local/lib/x86_64-linux-gnu/gramine/ /usr/local/lib/x86_64-linux-gnu/gramine/

# Intel SGX APT repository
RUN curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key && \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" \
| tee /etc/apt/sources.list.d/intel-sgx.list


# Install Intel SGX dependencies and Gramine
RUN apt-get update && apt-get install -y \
libsgx-launch \
Expand All @@ -48,14 +105,13 @@ RUN apt-get update && apt-get install -y \
linux-base-sgx \
libsgx-dcap-default-qpl \
sgx-aesm-service \
libsgx-aesm-quote-ex-plugin \
gramine && \
libsgx-aesm-quote-ex-plugin && \
rm -rf /var/lib/apt/lists/*

WORKDIR /opt/intel

ARG SGX_SDK_VERSION=2.19
ARG SGX_SDK_INSTALLER=sgx_linux_x64_sdk_2.19.100.3.bin
ARG SGX_SDK_VERSION=2.22
ARG SGX_SDK_INSTALLER=sgx_linux_x64_sdk_2.22.100.3.bin

# Install Intel SGX SDK
RUN curl -fsSLo $SGX_SDK_INSTALLER https://download.01.org/intel-sgx/sgx-linux/$SGX_SDK_VERSION/distro/ubuntu22.04-server/$SGX_SDK_INSTALLER \
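Review bot: Bumping SGX_SDK_VERSION/SGX_SDK_INSTALLER to 2.22 changes which installer the build fetches, but the `curl -fsSLo` on the last line of the hunk still checks nothing beyond TLS, so the image trusts whatever download.01.org serves and a replaced installer would presumably be executed as root in the continuation of this RUN, which runs past the end of the hunk. Add the expected digest next to the version, `ARG SGX_SDK_INSTALLER_SHA256=<sha256 Intel publishes for this release>`, and verify it before anything runs the file, `&& echo "$SGX_SDK_INSTALLER_SHA256  $SGX_SDK_INSTALLER" | sha256sum -c -`, so a version bump is also a digest bump. Separately, the `apt-get upgrade -y` added to the runtime stage (hadolint DL3005) makes the image depend on whatever the mirror holds at build time; pinning `ubuntu:22.04` by digest and bumping it is the reproducible way to pick up fixes.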
2 changes: 2 additions & 0 deletions python.manifest.template
Expand Up @@ -10,6 +10,8 @@ loader.env.PYTHONUNBUFFERED = "1"
loader.env.TMP_PATH = "/tmp"
loader.env.HOME = "/root"
loader.env.KEY_PATH = "/key"
loader.env.ENCLAVE_SK_PATH = "/key/enclave.key"
loader.env.ENCLAVE_PK_PATH = "/key/enclave.pub"
loader.env.SECRETS_PATH = "/root/.cache/mse/secrets.json"
loader.env.SEALED_SECRETS_PATH = "/root/.cache/mse/sealed_secrets.json"
loader.env.MODULE_PATH = "/mse-app"
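Review bot: ENCLAVE_SK_PATH points a private key at `/key/enclave.key`, but the hunk only exports the path; nothing visible shows how `/key` is mounted, and if it is served from a plain host passthrough the key is readable and swappable by the untrusted host, which defeats keeping it in an enclave at all. Confirm `/key` is an `encrypted` mount (or that the key is generated inside the enclave and sealed, as SEALED_SECRETS_PATH suggests is done for secrets) and record that contract next to the new line: `# ENCLAVE_SK_PATH must resolve to an encrypted/sealed mount, never a plain passthrough — the host must not read or replace this key`. The public key at ENCLAVE_PK_PATH needs no confidentiality, but if anything trusts it for verification its integrity matters, so it should at least sit on a trusted (hashed) or encrypted mount as well.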