From f54d08094a2f765f2dc44323b1da20089da8e477 Mon Sep 17 00:00:00 2001
From: gram-signal <84339875+gram-signal@users.noreply.github.com>
Date: Thu, 6 Jul 2023 11:09:44 -0600
Subject: [PATCH] Modify makefiles/dockerfiles to allow building of a Nitro EIF (enclave image file).
---
 .dockerignore | 1 -
 .gitattributes | 1 +
 .github/workflows/push.yml | 4 +--
 Makefile | 20 ++++++++---
 docker/Dockerfile | 34 ++++++++++--------
 docker/build_eif.sh | 8 +++++
 docker/sources.list | 8 ++---
 enclave/env/nsm/nsm.cc | 4 +++
 .../nitro.d4948796.52b91975.7d9942ab.eif | 3 ++
 ...dd4ba50c25359f01e9f733eeba4382bca001d45094 | Bin
 ...f8a79e8bd20d7652531feb3381cbffd446d270be95 | Bin
 11 files changed, 57 insertions(+), 26 deletions(-)
 create mode 100644 .gitattributes
 create mode 100755 docker/build_eif.sh
 create mode 100644 enclave/releases/nitro/nitro.d4948796.52b91975.7d9942ab.eif
 rename enclave/releases/{ => sgx}/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094 (100%)
 rename enclave/releases/{ => sgx}/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95 (100%)
diff --git a/.dockerignore b/.dockerignore
index 6513a3c..cc329d9 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,5 @@
 .gopath
 .gocache
 .git
-enclave/build
 enclave/core.*
 docker/Dockerfile
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f43a18f
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.eif filter=lfs diff=lfs merge=lfs -text
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 22bd09c..b29ef47 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -37,6 +37,6 @@ jobs:
 - name: Build and push container image
 run: |
- make sgx_container
- docker tag svr2_runenv:latest "${{ secrets.REGISTRY_LOGIN_SERVER }}/svr2:${GITHUB_REF_NAME}"
+ make enclave_release
+ docker tag svr2_sgxrun:latest "${{ secrets.REGISTRY_LOGIN_SERVER }}/svr2:${GITHUB_REF_NAME}"
 docker push "${{ secrets.REGISTRY_LOGIN_SERVER }}/svr2:${GITHUB_REF_NAME}"
diff --git a/Makefile b/Makefile
index 909638b..3954b71 100644
--- a/Makefile
+++ b/Makefile
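Review bot: The Nitro EIF that `make enclave_release` now produces is not persisted by this step: the `docker tag`/`docker push` lines publish only `svr2_sgxrun:latest`, while the EIF is written into `enclave/releases/nitro` in the workspace (per the Makefile hunk in this patch) and is discarded with the job unless a step outside this hunk uploads it. Either add an upload-artifact step for `enclave/releases/nitro/*.eif` or stop building it in CI. Note also that the target bind-mounts the runner's `/var/run/docker.sock` into a container run as uid 0, which is daemon-level access to the runner; a comment such as `# enclave_release builds the Nitro EIF through the runner's Docker socket — keep this job on trusted runners` would record that. The rest of the job is outside the hunk.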
@@ -54,12 +54,22 @@ dockersh: dockerbase
 $(DOCKER_ARGS) \
 svr2_buildenv
-sgx_container: dockerbase
- docker build -f docker/Dockerfile -t svr2_runenv --target=runner .
-
 enclave_release: docker_enclave_releaser
+ docker build -f docker/Dockerfile -t svr2_nsmrun --target=nsmrun .
+ docker build -f docker/Dockerfile -t svr2_nsmeif --target=nsmeif .
+ docker build -f docker/Dockerfile -t svr2_sgxrun --target=sgxrun .
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v $${PWD}/enclave/releases/nitro:/out/ \
+ -u "0:0" \
+ -e "TERM=xterm-256color" \
+ -e "DOCKER_IMAGE=svr2_nsmrun:latest" \
+ -e "OUTPUT_DIR=/out" \
+ -e "CHOWN_TO=$$(id -u):$$(id -g)" \
+ svr2_nsmeif:latest
+
 enclave_releaser: enclave host # depends on 'host' so its tests will run
- cp -vn enclave/build/enclave.signed "enclave/releases/default.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.signed | fgrep -i mrenclave | cut -d '=' -f2)"
- cp -vn enclave/build/enclave.small "enclave/releases/small.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.small | fgrep -i mrenclave | cut -d '=' -f2)"
+ cp -vn enclave/build/enclave.signed "enclave/releases/sgx/default.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.signed | fgrep -i mrenclave | cut -d '=' -f2)"
+ cp -vn enclave/build/enclave.small "enclave/releases/sgx/small.$$(/opt/openenclave/bin/oesign dump -e enclave/build/enclave.small | fgrep -i mrenclave | cut -d '=' -f2)"
 .PHONY: all clean enclave host dockersh docker dockerbase git validate enclave_testbin control enclave_release enclave_releaser
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 517d094..de8e8b8 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
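Review bot: The `docker run` added under `enclave_release` bind-mounts the host's `/var/run/docker.sock` and runs `svr2_nsmeif` with `-u "0:0"`; a root process holding the Docker socket is host-root-equivalent, so this turns a packaging step into a privileged one with no comment saying why. If the socket is needed only so `nitro-cli build-enclave` inside the container can read `svr2_nsmrun:latest` from the local daemon, say so above the recipe: `# nitro-cli reads svr2_nsmrun from the host Docker daemon; this container is effectively host root.` The order of the three `docker build` lines is also load-bearing — `nsmrun` must exist in the daemon before `nsmeif` runs — and deserves a one-line comment. The `dockersh` recipe that opens the hunk begins outside it.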
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 # To build use:
 # docker build -t oebuild .
-FROM amd64/debian@sha256:c0508353648d7db3c313661409ca41a2d12c63a4d06007387679161a8372329f AS base
+FROM amd64/debian:buster@sha256:108052254277ea53cd807d2782ed3cbe4b9242256af5c7519c6e5692ae2b5d97 AS base
 LABEL description="linux build environment for sgx."
@@ -120,30 +120,36 @@ COPY --from=nsmbuild /build/target/release/nsm.h /opt/nsm/nsm.h
 CMD ["/bin/bash"]
-FROM builder AS build
-
-COPY docker/check_hash.sh docker/sha256.* ./
-RUN ./check_hash.sh /opt/nsm/libnsm.a
-COPY . /src
-RUN cd /src && make clean && make -j16 all enclave_releaser
-
-FROM base AS runner
+FROM base AS sgxrun
 RUN apt-get update && apt-get install -y \
 libsgx-dcap-default-qpl=1.16.100.2-focal1 \
 libsgx-dcap-default-qpl-dev=1.16.100.2-focal1
 COPY docker/sgx_default_qcnl_azure.conf /etc/sgx_default_qcnl.conf
-COPY --from=build /src/host/main /bin/svr2
-COPY --from=build /src/enclave/releases /enclaves
-COPY --from=build /src/host/cmd/control/control /bin/svr2control
+COPY host/main /bin/svr2
+COPY enclave/releases/sgx /enclaves
+COPY host/cmd/control/control /bin/svr2control
 ENTRYPOINT ["/bin/svr2"]
 FROM public.ecr.aws/amazonlinux/amazonlinux@sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9 AS nsmrun
-COPY --from=build /src/enclave/build/enclave.nsm /bin/svr2
+ADD enclave/build/enclave.nsm /bin/svr2
 ENTRYPOINT ["/bin/svr2", "--sock_type=af_vsock"]
 FROM alpine@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517 AS sevrun
-COPY --from=build /src/enclave/build/enclave.sev /bin/svr2
+COPY enclave/build/enclave.sev /bin/svr2
 EXPOSE 27427
 ENTRYPOINT ["/bin/svr2", "--sock_type=af_inet"]
+
+FROM public.ecr.aws/amazonlinux/amazonlinux@sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9 AS nsmeif
+RUN yum install -y \
+ aws-nitro-enclaves-cli.x86_64 \
+ aws-nitro-enclaves-cli-devel.x86_64 \
+ perl \
+ docker \
+ jq
+ENV DOCKER_IMAGE svr2_nsmrun:latest
+ENV OUTPUT_FILE /tmp/svr2.eif
+ENV CHOWN_TO 0:0
+COPY docker/build_eif.sh build_eif.sh
+ENTRYPOINT ./build_eif.sh
diff --git a/docker/build_eif.sh b/docker/build_eif.sh
new file mode 100755
index 0000000..4a45a49
--- /dev/null
+++ b/docker/build_eif.sh
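Review bot: `ENV OUTPUT_FILE /tmp/svr2.eif` in the new `nsmeif` stage is never read — `docker/build_eif.sh` (added in this patch) uses `OUTPUT_DIR`, which this stage leaves unset, so running the image without the Makefile's `-e OUTPUT_DIR=/out` expands the destination to `/nitro.<pcrs>.eif` in the container root. Replace the three legacy-form `ENV` lines with `ENV DOCKER_IMAGE=svr2_nsmrun:latest OUTPUT_DIR=/tmp CHOWN_TO=0:0`, and give the script a fixed path and exec-form entrypoint so it does not depend on the base image's working directory: `COPY docker/build_eif.sh /build_eif.sh` / `ENTRYPOINT ["/build_eif.sh"]`. In `nsmrun`, `ADD enclave/build/enclave.nsm /bin/svr2` should be `COPY` like the matching `sevrun` line; `ADD` is only warranted for archives or checksummed URLs. Separately, the deleted `build` stage was where `check_hash.sh /opt/nsm/libnsm.a` ran before anything was compiled; the runtime stages now take `host/main`, `enclave/build/enclave.nsm` and `enclave/build/enclave.sev` straight from the build context, so that check is no longer on the image-build path unless the Makefile targets producing those files perform it. The `builder` stage whose `CMD` opens the hunk begins outside it.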
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+set -x
+STDOUT=$(mktemp)
+TMPDIR=$(mktemp -d)
+nitro-cli build-enclave --docker-uri ${DOCKER_IMAGE} --output-file ${TMPDIR}/svr2.eif >$STDOUT
+chown ${CHOWN_TO} ${TMPDIR}/svr2.eif
+cp -vn ${TMPDIR}/svr2.eif ${OUTPUT_DIR}/nitro.$(cat $STDOUT | jq -r '.Measurements.PCR0[:8] + "." + .Measurements.PCR1[:8] + "." + .Measurements.PCR2[:8]').eif
diff --git a/docker/sources.list b/docker/sources.list
index 337ccde..1604ae1 100644
--- a/docker/sources.list
+++ b/docker/sources.list
@@ -1,5 +1,5 @@
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ bullseye main
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ bullseye-updates main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ bullseye main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ bullseye-updates main
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ buster main
-deb http://snapshot.debian.org/archive/debian/20220912T000000Z/ buster-updates main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ buster main
+deb http://snapshot.debian.org/archive/debian/20230630T000000Z/ buster-updates main
diff --git a/enclave/env/nsm/nsm.cc b/enclave/env/nsm/nsm.cc
index 8e341f6..60dbd69 100644
--- a/enclave/env/nsm/nsm.cc
+++ b/enclave/env/nsm/nsm.cc
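Review bot: The `chown ${CHOWN_TO}` on line 7 is applied to the temp file, but `cp` without `-p` creates the destination owned by the invoking user, so the EIF that lands in `${OUTPUT_DIR}` (the bind-mounted host directory, written by a uid-0 container per the Makefile) stays root-owned and `CHOWN_TO` has no effect; compute the destination first, copy, then chown that path: `OUT="${OUTPUT_DIR}/nitro.$(jq -r '.Measurements.PCR0[:8] + "." + .Measurements.PCR1[:8] + "." + .Measurements.PCR2[:8]' "$STDOUT").eif"`, `cp -vn "${TMPDIR}/svr2.eif" "$OUT"`, `chown "${CHOWN_TO}" "$OUT"`. Quoting every expansion also removes the word-splitting hazard on the unquoted `${OUTPUT_DIR}`/`$STDOUT` uses, and `TMPDIR` is the conventional name `mktemp` itself honours, so a name like `WORK` avoids confusion even though the variable is not exported here. The two temp paths are never removed; a `trap 'rm -rf "$STDOUT" "$WORK"' EXIT` after they are created would handle that. Since the file name carries only 8 hex characters of each PCR, consider also saving the full `nitro-cli` JSON next to the EIF (for example `cp "$STDOUT" "${OUT%.eif}.json"`) so the complete measurements are recorded with the release artifact.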
@@ -164,6 +164,10 @@ class Environment : public ::svr2::env::socket::Environment {
 // https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
 // We only care about:
 // 0: Enclave image file - A contiguous measure of the contents of the image file, without the section data.
+ // Note: 0 can change when an otherwise exactly-the-same image is rebuilt, due to changes in in-image
+ // timestamps, etc. However, it could also change with changes to shared libraries etc, so we do
+ // check against this. Be careful, though, that attempts to rebuild the same SVR code may result in
+ // mismatches here.
 // 1: Linux kernel and bootstrap - A contiguous measurement of the kernel and boot ramfs data.
 // 2: Application - A contiguous, in-order measurement of the user applications, without the boot ramfs.
 // We use & rather than && so that all three are processed without preemption.
diff --git a/enclave/releases/nitro/nitro.d4948796.52b91975.7d9942ab.eif b/enclave/releases/nitro/nitro.d4948796.52b91975.7d9942ab.eif
new file mode 100644
index 0000000..a922cbd
--- /dev/null
+++ b/enclave/releases/nitro/nitro.d4948796.52b91975.7d9942ab.eif
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d360f14f3a052983ca5c796d40c6b3353a859e6402a4b4143f6f7eabd76ead41
+size 181374156
diff --git a/enclave/releases/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094 b/enclave/releases/sgx/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094
similarity index 100%
rename from enclave/releases/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094
rename to enclave/releases/sgx/default.6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094
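Review bot: The added note explains that PCR0 changes on every rebuild but leaves the operational consequence implicit; since the comment says PCR0 is checked, a reader should be told directly that only the exact EIF produced by a given build will pass, which is presumably why this patch starts committing the EIFs under `enclave/releases/nitro` (hedged: the check itself is outside the hunk). A closing line such as `// In practice this means the deployed EIF must be the exact artifact whose measurements were recorded, not a local rebuild.` would make that clear. The enclosing class continues outside the hunk.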
diff --git a/enclave/releases/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95 b/enclave/releases/sgx/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95
similarity index 100%
rename from enclave/releases/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95
rename to enclave/releases/sgx/small.a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95