Commit ab7232e (1 parent: 971968c)
Showing 2 changed files with 38 additions and 112 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,144 +1,70 @@ | ||
# Building Veracruz | ||
|
||
<img src = "https://confidentialcomputing.io/wp-content/uploads/sites/85/2019/08/cc_consortium-color.svg" width=192> | ||
<img src = "https://confidentialcomputing.io/wp-content/uploads/sites/10/2022/07/cc_consortium-color.svg" width=192> | ||
|
||
This is the repository for the Docker container used for developing Veracruz. | ||
Veracruz is an open-source runtime for collaborative privacy-preserving compute. | ||
The main Veracruz repository can be found [here](https://github.com/veracruz-project/veracruz). | ||
|
||
Veracruz is an adopted project of the Confidential Compute Consortium (CCC). | ||
|
||
## Supported platforms | ||
|
||
- AWS Nitro Enclaves | ||
- Linux (no TEE technology used) | ||
This directory has the code for building the Docker containers used | ||
for developing Veracruz. | ||
|
||
## Requirements | ||
|
||
- **Docker:** | ||
- **Docker:** | ||
We use Docker to provide a consistent build environment. Follow this guide to [install Docker](https://docs.docker.com/engine/install/) if necessary. | ||
- **Enable Docker squash experimental feature:** *The tests are done on a linux machine. [To enable docker experimental features on another OS.](https://docs.docker.com/engine/reference/commandline/checkpoint_create/)* | ||
We use the `squash` docker experimental feature to help reduce the Veracruz docker image size, to enable this feature: | ||
- run: | ||
```sh | ||
sudo service docker stop | ||
``` | ||
- copy the following in `/etc/docker/daemon.json ` | ||
```sh | ||
{ | ||
"experimental": true | ||
} | ||
``` | ||
- run: | ||
```sh | ||
sudo service docker start | ||
``` | ||
|
||
## Local build setup | ||
|
||
Once all the necessary requirements are available, run the following commands: | ||
- Clone the Veracruz repository: This will pull the docker submodule | ||
|
||
``` | ||
git clone --recursive https://github.com/veracruz-project/veracruz.git | ||
export VERACRUZ_ROOT=$PWD/veracruz | ||
``` | ||
- Once you have a local copy of the Veracruz source: | ||
|
||
``` | ||
cd veracruz/docker | ||
``` | ||
|
||
The following instructions depend on the platform you're building for. (SGX, Arm TZ) | ||
|
||
Note that building the Docker image will take a long time (we appreciate any suggestions on how this can be sped up!) | ||
|
||
- ### Build Instructions for AWS Nitro Enclaves | ||
``` | ||
make nitro-base | ||
``` | ||
|
||
- ### Build Instructions for Linux | ||
``` | ||
make linux-base | ||
``` | ||
|
||
- ### Starting the veracruz container | ||
For AWS Nitro Enclaves: | ||
``` | ||
make nitro-run | ||
``` | ||
|
||
Or, for Linux: | ||
``` | ||
make linux-run | ||
``` | ||
|
||
There should be a Docker container running called "veracruz_<PLATFORM>_<USERNAME>". To verify that it's running, run: | ||
``` | ||
docker ps | ||
``` | ||
|
||
You can now start a shell in the newly created container: | ||
For Nitro: | ||
Enter this directory in a local copy of the Veracruz source: | ||
``` | ||
make nitro-exec | ||
cd veracruz/docker | ||
``` | ||
|
||
For Linux: | ||
``` | ||
make linux-exec | ||
``` | ||
## Build and run | ||
|
||
## Test Instructions for AWS Nitro Enclaves | ||
There are several different Docker containers that can be used, | ||
depending on the platform. If you are new to Veracruz you should | ||
probably try `localci` first. | ||
|
||
Once inside the container, set up your local environment. | ||
### `localci` | ||
|
||
Now, to build the binaries: | ||
To build the container: | ||
``` | ||
cd workspaces/ | ||
make nitro | ||
make localci-build | ||
``` | ||
|
||
and to run the tests: | ||
|
||
To run the container: | ||
``` | ||
cd workspaces/nitro-host/ | ||
make test-server | ||
make veracruz-test | ||
make localci-run | ||
``` | ||
|
||
## Test Instructions for Linux | ||
With `docker ps` you should now be able to see the container running. | ||
|
||
Once inside the container, build the binaries: | ||
To get a shell in the container running as the appropriate non-root user: | ||
``` | ||
cd workspaces/ | ||
make linux | ||
make localci-exec | ||
``` | ||
|
||
and to run the tests: | ||
|
||
The Veracruz tree should be mounted in the container, so you can run, | ||
for example: | ||
``` | ||
cd workspaces/linux-host/ | ||
make test-server | ||
make veracruz-test | ||
cd /work/veracruz/workspaces | ||
make linux && make linux-tests | ||
make nitro | ||
``` | ||
|
||
# Cleaning a build | ||
(On an ordinary Linux system you can build for `nitro`, but not run | ||
the tests.) | ||
|
||
The Veracruz Makefile exposes a build target, `clean`, which recursively | ||
invokes `cargo clean` for each major subcomponent of the project. However, | ||
sometimes this is not enough to fix a broken build environment (note that this | ||
is common when using `xargo` to build e.g. the examples, or the rest of the | ||
SDK). In that case, it is useful to also delete the contents of the | ||
`~/.xargo` directory, in addition to the standard clean build process described | ||
above. | ||
### `ci` | ||
|
||
# Generating the certificates | ||
This is the same as `localci`, above, except that you will run as | ||
root. This container is used for CI in the cloud. | ||
|
||
Cryptographic certificates can be generated by using the following `openssl` | ||
invocation: | ||
### `linux` | ||
|
||
``` | ||
openssl req -new -x509 -key <key filename> -sha256 -nodes -days 3650 -out <certificate filename> -config cert.conf | ||
``` | ||
This is the same as `localci`, above, except only for the Linux | ||
platform. | ||
|
||
### `nitro` | ||
|
||
This is the same as `localci`, above, except only for the AWS Nitro | ||
platform and you can also run the Nitro tests on appropriate hardware. | ||
See the [Nitro instructions](../NITRO_INSTRUCTIONS.markdown). |
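Review bot: the rewrite drops the Requirements section (the Docker install link and the `squash` experimental-feature setup in `/etc/docker/daemon.json`), the Cleaning a build section (`make clean` plus deleting `~/.xargo`), and the Generating the certificates section (the `openssl req -new -x509 ... -config cert.conf` invocation) without saying where that guidance now lives; if the Makefiles still build with `--squash`, or `cert.conf` is still what produces the test certificates, keep a one-line pointer to the new location so readers are not left to rediscover those steps. Two smaller points: the `ci` entry says only "you will run as root", so add a sentence on why the cloud CI container needs root and make explicit that `localci` (the "appropriate non-root user" container) is the one to use on a developer machine; and "The Veracruz tree should be mounted in the container" would be clearer if it named the mount point the example depends on (`/work/veracruz`) and which target performs that mount.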