make docker build in sim/hw mode selectable through makefile targets;…

… move enclave signing key generation outside docker build and pass key to the container; add the necessary volume and device to test PDO in SGX; update services container to copy enclave signing key to the right location, do the build, then remove the key; add yaml file for docker compose tests in sgx; consolidate sgx keys folder under the xfer folder Signed-off-by: Bruno Vavala <bruno.vavala@intel.com>
bvavala · Mar 19, 2024 · 5883065 · 5883065
1 parent da18b88
commit 5883065
Show file tree

Hide file tree

Showing 13 changed files with 102 additions and 16 deletions.
diff --git a/build/common-config.sh b/build/common-config.sh
@@ -110,7 +110,7 @@ var_set() {
 	"
 	env_key_sort[$i]="PDO_HOSTNAME"; i=$i+1; export PDO_HOSTNAME=${env_val[PDO_HOSTNAME]}
 
-    env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${SCRIPTDIR}/keys/sgx_mode_${SGX_MODE,,}}"
+    env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx}"
 	env_desc[PDO_SGX_KEY_ROOT]="
 		PDO_SGX_KEY_ROOT is the root directory where SGX & IAS related keys are stored.
 		The default points to a directory which contains values which are good

diff --git a/build/keys/sgx_mode_hw/.gitignore b/build/keys/sgx_mode_hw/.gitignore
diff --git a/build/keys/sgx_mode_sim/.gitignore b/build/keys/sgx_mode_sim/.gitignore
diff --git a/docker/Makefile b/docker/Makefile
@@ -45,6 +45,7 @@ PDO_USER_UID ?= $(shell id -u)
 PDO_GROUP_UID ?= $(shell id -g)
 
 DOCKER_DIR = ${PDO_SOURCE_ROOT}/docker
+DOCKER_ENCLAVE_SIGNING_PEM = $(DOCKER_DIR)/xfer/services/keys/sgx/enclave_code_sign.pem
 DOCKER_USERNAME = $(LOGNAME)
 DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
@@ -58,25 +59,63 @@ TIMESTAMP := $(shell /bin/date "+%Y%m%d%H%M%S")
 
 all : $(addprefix build_,$(IMAGES))
 
-rebuild_% : repository
+rebuild_% : repository $(DOCKER_ENCLAVE_SIGNING_PEM)
 	docker build $(DOCKER_ARGS) \
 		--build-arg REBUILD=$(TIMESTAMP) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
+		--build-arg SGX_MODE=SIM \
+		--build-arg DOCKER_ENCLAVE_SIGNING_PEM=$(DOCKER_ENCLAVE_SIGNING_PEM:$(DOCKER_DIR)/%=%) \
 		--tag pdo_$*:$(PDO_VERSION) \
 		--file '$(DOCKER_DIR)'/pdo_$*.dockerfile .
 
-build_% : repository
+build_% : repository $(DOCKER_ENCLAVE_SIGNING_PEM)
 	docker build $(DOCKER_ARGS) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
+		--build-arg SGX_MODE=SIM \
+		--build-arg DOCKER_ENCLAVE_SIGNING_PEM=$(DOCKER_ENCLAVE_SIGNING_PEM:$(DOCKER_DIR)/%=%) \
 		--tag pdo_$*:$(PDO_VERSION) \
 		--file '$(DOCKER_DIR)'/pdo_$*.dockerfile .
 
+all_sgx : $(addprefix build_sgx_,$(IMAGES))
+
+rebuild_sgx_% : repository $(DOCKER_ENCLAVE_SIGNING_PEM)
+	docker build $(DOCKER_ARGS) \
+        --build-arg REBUILD=$(TIMESTAMP) \
+        --build-arg PDO_VERSION=$(PDO_VERSION) \
+        --build-arg SGX_MODE=HW \
+		--build-arg DOCKER_ENCLAVE_SIGNING_PEM=$(DOCKER_ENCLAVE_SIGNING_PEM:$(DOCKER_DIR)/%=%) \
+        --tag pdo_$*:$(PDO_VERSION) \
+        --file $(DOCKER_DIR)/pdo_$*.dockerfile .
+
+build_sgx_% : repository $(DOCKER_ENCLAVE_SIGNING_PEM)
+	docker build $(DOCKER_ARGS) \
+        --build-arg PDO_VERSION=$(PDO_VERSION) \
+        --build-arg SGX_MODE=HW \
+		--build-arg DOCKER_ENCLAVE_SIGNING_PEM=$(DOCKER_ENCLAVE_SIGNING_PEM:$(DOCKER_DIR)/%=%) \
+        --tag pdo_$*:$(PDO_VERSION) \
+        --file $(DOCKER_DIR)/pdo_$*.dockerfile .
+
+# the enclave signing key must be available in the xfer folder
+# as it has to be transferred to the container
+$(DOCKER_ENCLAVE_SIGNING_PEM) : ${PDO_ENCLAVE_CODE_SIGN_PEM}
+	cp ${PDO_ENCLAVE_CODE_SIGN_PEM} $(DOCKER_ENCLAVE_SIGNING_PEM)
+
+# the enclave signing key is necessary at build time
+# a new one is generated on the host if not provided
+${PDO_ENCLAVE_CODE_SIGN_PEM} :
+	openssl genrsa -3 -out ${PDO_ENCLAVE_CODE_SIGN_PEM} 3072
+
 # docker build dependencies
 build_client: build_base
 build_services: build_services_base
 build_services_base: build_base
 build_ccf: build_ccf_base
 
+build_sgx_client: build_sgx_base
+build_sgx_services: build_sgx_services_base
+build_sgx_services_base: build_sgx_base
+build_sgx_ccf: build_sgx_ccf_base
+
 clean_% :
 	docker rmi -f pdo_$*:$(PDO_VERSION)
 
@@ -130,12 +169,30 @@ TEST_FILES += -f services_base.yaml
 TEST_FILES += -f ccf_base.yaml
 TEST_FILES += -f test.yaml
 
+TEST_SGX_FILES = ${TEST_FILES}
+TEST_SGX_FILES += -f test-sgx.yaml
+
+SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+				then echo "/dev/isgx"; \
+				elif [ -e "/dev/sgx/enclave" ]; \
+					then echo "/dev/sgx/enclave"; \
+				else echo "ERROR: NO SGX DEVICE FOUND"; \
+				fi)
+
+DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose
+
 build_test : repository build_services build_ccf build_client
 
 test : clean_config clean_repository build_test stop_all
 	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit
 	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down
 
+sgx_build_test : repository build_sgx_services build_sgx_ccf build_sgx_client
+
+sgx_test : clean_config clean_repository sgx_build_test stop_all
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) down
+
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away
 # unless they are told to very nicely. Until they go away they hold onto

diff --git a/docker/pdo_services.dockerfile b/docker/pdo_services.dockerfile
@@ -42,6 +42,10 @@ ENV WASM_MEM_CONFIG=${WASM_MEM_CONFIG}
 ARG PDO_LOG_LEVEL=info
 ENV PDO_LOG_LEVEL=${PDO_LOG_LEVEL}
 
+ARG DOCKER_ENCLAVE_SIGNING_PEM
+RUN test -n "${DOCKER_ENCLAVE_SIGNING_PEM}" || \
+    (echo "DOCKER_ENCLAVE_SIGNING_PEM not set; provide path relative to docker context" && false)
+
 # copy the source files into the image
 WORKDIR /project/pdo
 COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src
@@ -52,12 +56,22 @@ COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src
 WORKDIR /project/pdo/tools
 COPY --chown=${UNAME}:${UNAME} tools/*.sh ./
 
+# copy the enclave signing key from the host to the container
+# note: the source comes from the DOCKER_ENCLAVE_SIGNING_PEM argument provided by the host
+#       the destination is in the PDO_ENCLAVE_CODE_SIGN_PEM value specified in the docker environment.sh
+#       so we copy the key in the tmp folder, and then move it to the right location
+COPY --chown=${UNAME}:${UNAME} ${DOCKER_ENCLAVE_SIGNING_PEM} /tmp/enclave_code_sign.pem
+RUN bash -c '. environment.sh; install -D /dev/null ${PDO_ENCLAVE_CODE_SIGN_PEM}; mv /tmp/enclave_code_sign.pem ${PDO_ENCLAVE_CODE_SIGN_PEM}'
+
 # built it!
 ARG UID=1000
 ARG GID=${UID}
 RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \
     /project/pdo/tools/build_services.sh
 
+# remove the enclave signing key from the container after the build
+RUN bash -c '. environment.sh; rm -rf ${PDO_ENCLAVE_CODE_SIGN_PEM}'
+
 # Network ports for running services
 EXPOSE 7001 7002 7003 7004 7005
 EXPOSE 7101 7102 7103 7104 7105

diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+version: "3.4"
+
+services:
+  services_container:
+    volumes:
+      - /var/run/aesmd:/var/run/aesmd
+    devices:
+      - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx}
+
diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh
@@ -47,15 +47,11 @@ export XFER_DIR=${XFER_DIR:-/project/pdo/xfer}
 # if the container is running HW mode, then we will grab the
 # SGX keys from the xfer directory; we know that the default
 # keys must be overridden
-if [ ${SGX_MODE} == "HW" ]; then
-    export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx
-else
-    export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
-fi
+export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx
 
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves
-export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem
+export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_HOME}/keys/sgx/enclave_code_sign.pem
 
 # these are only used for configuration and registration
 # they are not used at build or run time

diff --git a/docker/tools/run_services_tests.sh b/docker/tools/run_services_tests.sh
@@ -56,7 +56,7 @@ yell check for registration
 # -----------------------------------------------------------------
 # this probably requires additional CCF keys, need to test this
 if [ "$SGX_MODE" == "HW" ]; then
-    if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+    if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
         die unable to locate CCF policies keys
     fi
 

diff --git a/docker/tools/start_services.sh b/docker/tools/start_services.sh
@@ -115,7 +115,7 @@ try cp ${XFER_DIR}/ccf/keys/networkcert.pem ${PDO_LEDGER_KEY_ROOT}/
 yell register the enclave if necessary
 # -----------------------------------------------------------------
 if [ "${F_REGISTER,,}" == 'yes' ]; then
-    if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+    if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
         die unable to locate CCF policies keys
     fi
 

diff --git a/build/keys/sgx_mode_sim/sgx_ias_key.pem → ...er/xfer/services/keys/sgx/sgx_ias_key.pem b/build/keys/sgx_mode_sim/sgx_ias_key.pem → ...er/xfer/services/keys/sgx/sgx_ias_key.pem
diff --git a/build/keys/sgx_mode_sim/sgx_spid.txt → docker/xfer/services/keys/sgx/sgx_spid.txt b/build/keys/sgx_mode_sim/sgx_spid.txt → docker/xfer/services/keys/sgx/sgx_spid.txt
diff --git a/build/keys/sgx_mode_sim/sgx_spid_api_key.txt → ...er/services/keys/sgx/sgx_spid_api_key.txt b/build/keys/sgx_mode_sim/sgx_spid_api_key.txt → ...er/services/keys/sgx/sgx_spid_api_key.txt
diff --git a/docs/environment.md b/docs/environment.md
@@ -140,7 +140,7 @@ run in a real SGX enclave.
 
 <!-- -------------------------------------------------- -->
 ### `PDO_SGX_KEY_ROOT`
-(default: `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}/`):
+(default: `${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx/`):
 
 `PDO_SGX_KEY_ROOT` is the root directory where SGX and IAS related keys
 are stored. The default points to a directory which contains values