Modify makefiles/dockerfiles to allow building of a Nitro EIF (enclave image file).

2023-07-06 11:09:44 -06:00 · 2023-07-06 11:09:44 -06:00 · f54d08094a
commit f54d08094a
parent 0324e98e49
11 changed files with 57 additions and 26 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,6 +1,5 @@
 .gopath
 .gocache
 .git
-enclave/build
 enclave/core.*
 docker/Dockerfile
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+*.eif filter=lfs diff=lfs merge=lfs -text
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -37,6 +37,6 @@ jobs:

      - name: Build and push container image
        run: |
-          make sgx_container
-          docker tag svr2_runenv:latest "${{ secrets.REGISTRY_LOGIN_SERVER }}/svr2:${GITHUB_REF_NAME}"
+          make enclave_release
+          docker tag svr2_sgxrun:latest "${{ secrets.REGISTRY_LOGIN_SERVER }}/svr2:${GITHUB_REF_NAME}"
          docker push "${{ secrets.REGISTRY_LOGIN_SERVER }}/svr2:${GITHUB_REF_NAME}"
--- a/20
+++ b/20
@ -54,12 +54,22 @@ dockersh: dockerbase
 	  $(DOCKER_ARGS) \
 	  svr2_buildenv

-sgx_container: dockerbase
-	docker build -f docker/Dockerfile -t svr2_runenv --target=runner .
-
 enclave_release: docker_enclave_releaser
+	docker build -f docker/Dockerfile -t svr2_nsmrun --target=nsmrun .
+	docker build -f docker/Dockerfile -t svr2_nsmeif --target=nsmeif .
+	docker build -f docker/Dockerfile -t svr2_sgxrun --target=sgxrun .
+	docker run --rm \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v $${PWD}/enclave/releases/nitro:/out/ \
+	  -u "0:0" \
+	  -e "TERM=xterm-256color" \
+    -e "DOCKER_IMAGE=svr2_nsmrun:latest" \
+    -e "OUTPUT_DIR=/out" \
+    -e "CHOWN_TO=$$(id -u):$$(id -g)" \
+    svr2_nsmeif:latest
+
 enclave_releaser: enclave host  # depends on 'host' so its tests will run
-	cp -vn enclave/build/enclave.signed "enclave/releases/default.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.signed | fgrep -i mrenclave | cut -d '=' -f2)"
-	cp -vn enclave/build/enclave.small "enclave/releases/small.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.small | fgrep -i mrenclave | cut -d '=' -f2)"
+	cp -vn enclave/build/enclave.signed "enclave/releases/sgx/default.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.signed | fgrep -i mrenclave | cut -d '=' -f2)"
+	cp -vn enclave/build/enclave.small "enclave/releases/sgx/small.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.small | fgrep -i mrenclave | cut -d '=' -f2)"

 .PHONY: all clean enclave host dockersh docker dockerbase git validate enclave_testbin control enclave_release enclave_releaser
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # To build use:
 # docker build -t oebuild .
-FROM amd64/debian@sha256:c0508353648d7db3c313661409ca41a2d12c63a4d06007387679161a8372329f AS base
+FROM amd64/debian:buster@sha256:108052254277ea53cd807d2782ed3cbe4b9242256af5c7519c6e5692ae2b5d97 AS base

 LABEL description="linux build environment for sgx."

@ -120,30 +120,36 @@ COPY --from=nsmbuild /build/target/release/nsm.h    /opt/nsm/nsm.h

 CMD ["/bin/bash"]

-FROM builder AS build
-
-COPY docker/check_hash.sh docker/sha256.* ./
-RUN ./check_hash.sh /opt/nsm/libnsm.a
-COPY . /src
-RUN cd /src && make clean && make -j16 all enclave_releaser
-
-FROM base AS runner
+FROM base AS sgxrun

 RUN apt-get update && apt-get install -y \
    libsgx-dcap-default-qpl=1.16.100.2-focal1 \
    libsgx-dcap-default-qpl-dev=1.16.100.2-focal1
 COPY docker/sgx_default_qcnl_azure.conf /etc/sgx_default_qcnl.conf
-COPY --from=build /src/host/main /bin/svr2
-COPY --from=build /src/enclave/releases /enclaves
-COPY --from=build /src/host/cmd/control/control /bin/svr2control
+COPY host/main /bin/svr2
+COPY enclave/releases/sgx /enclaves
+COPY host/cmd/control/control /bin/svr2control

 ENTRYPOINT ["/bin/svr2"]

 FROM public.ecr.aws/amazonlinux/amazonlinux@sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9 AS nsmrun
-COPY --from=build /src/enclave/build/enclave.nsm /bin/svr2
+ADD enclave/build/enclave.nsm /bin/svr2
 ENTRYPOINT ["/bin/svr2", "--sock_type=af_vsock"]

 FROM alpine@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517 AS sevrun
-COPY --from=build /src/enclave/build/enclave.sev /bin/svr2
+COPY enclave/build/enclave.sev /bin/svr2
 EXPOSE 27427
 ENTRYPOINT ["/bin/svr2", "--sock_type=af_inet"]
+
+FROM public.ecr.aws/amazonlinux/amazonlinux@sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9 AS nsmeif
+RUN yum install -y \
+    aws-nitro-enclaves-cli.x86_64 \
+    aws-nitro-enclaves-cli-devel.x86_64 \
+    perl \
+    docker \
+    jq
+ENV DOCKER_IMAGE svr2_nsmrun:latest
+ENV OUTPUT_FILE /tmp/svr2.eif
+ENV CHOWN_TO 0:0
+COPY docker/build_eif.sh build_eif.sh
+ENTRYPOINT ./build_eif.sh
--- a/docker/build_eif.sh
+++ b/docker/build_eif.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+set -x
+STDOUT=$(mktemp)
+TMPDIR=$(mktemp -d)
+nitro-cli build-enclave --docker-uri ${DOCKER_IMAGE} --output-file ${TMPDIR}/svr2.eif >$STDOUT
+chown ${CHOWN_TO} ${TMPDIR}/svr2.eif
+cp -vn ${TMPDIR}/svr2.eif ${OUTPUT_DIR}/nitro.$(cat $STDOUT | jq -r '.Measurements.PCR0[:8] + "." + .Measurements.PCR1[:8] + "." + .Measurements.PCR2[:8]').eif
--- a/docker/sources.list
+++ b/docker/sources.list
@ -1,5 +1,5 @@
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ bullseye main
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ bullseye-updates main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ bullseye main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ bullseye-updates main

-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ buster main
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ buster-updates main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ buster main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ buster-updates main
--- a/enclave/env/nsm/nsm.cc
+++ b/enclave/env/nsm/nsm.cc
@ -164,6 +164,10 @@ class Environment : public ::svr2::env::socket::Environment {
    // https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
    // We only care about:
    //   0: Enclave image file - A contiguous measure of the contents of the image file, without the section data.
+    //      Note:  0 can change when an otherwise exactly-the-same image is rebuilt, due to changes in in-image
+    //      timestamps, etc.  However, it could also change with changes to shared libraries etc, so we do
+    //      check against this.  Be careful, though, that attempts to rebuild the same SVR code may result in
+    //      mismatches here.
    //   1: Linux kernel and bootstrap - A contiguous measurement of the kernel and boot ramfs data.
    //   2: Application - A contiguous, in-order measurement of the user applications, without the boot ramfs.
    // We use & rather than && so that all three are processed without preemption.
--- a/enclave/releases/nitro/nitro.d4948796.52b91975.7d9942ab.eif
+++ b/enclave/releases/nitro/nitro.d4948796.52b91975.7d9942ab.eif
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d360f14f3a052983ca5c796d40c6b3353a859e6402a4b4143f6f7eabd76ead41
+size 181374156
--- a/enclave/releases/sgx/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094
+++ b/enclave/releases/sgx/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094
--- a/enclave/releases/sgx/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95
+++ b/enclave/releases/sgx/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95