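# syntax=docker/dockerfile:1
#
# Build environment and runtime images for svr2/svr3 across three enclave
# backends: SGX (Open Enclave on Debian), AWS Nitro (NSM) and SEV.
#
# To build use:
#   docker build -t oebuild .

# ---------------------------------------------------------------------------
# base: Debian with the Intel SGX runtime libraries and the Open Enclave SDK.
# Parent of both the build environment (builder) and the SGX runtime (sgxrun).
# ---------------------------------------------------------------------------
FROM amd64/debian:bookworm@sha256:f2c0a2c38468521a54160b3e6105d4be0afa9f0c70eddc45def08aa75c8b4404 AS base
LABEL description="linux build environment for sgx."

# The repo-controlled apt.conf/sources.list are the only apt configuration;
# any sources.list.d fragments shipped with the base image are dropped so
# nothing outside this repo decides where packages come from.
COPY docker/apt.conf docker/sources.list /etc/apt/
RUN rm -rf /etc/apt/sources.list.d/*

COPY docker/sgx_runtime_libraries.sh /tmp/
RUN /tmp/sgx_runtime_libraries.sh

# Open Enclave SDK from the upstream release, verified by BuildKit against the
# pinned sha256 before it lands in the image.
ARG OPENENCLAVE_VERSION=0.19.15
ARG OPENENCLAVE_HASH=6d4344dc993f0ad28a87ed57cc483c466ea1076aa2574af161521bc552aa31d0
ADD --checksum=sha256:${OPENENCLAVE_HASH} \
    https://github.com/openenclave/openenclave/releases/download/v${OPENENCLAVE_VERSION}/Ubuntu_2204_open-enclave_${OPENENCLAVE_VERSION}_amd64.deb ./
# The .deb still lives in the ADD layer above; the rm only keeps the root of
# derived images tidy, it does not shrink them.
RUN dpkg -i Ubuntu_2204_open-enclave_${OPENENCLAVE_VERSION}_amd64.deb \
    && rm -f Ubuntu_2204_open-enclave_${OPENENCLAVE_VERSION}_amd64.deb

# ---------------------------------------------------------------------------
# amazon: pinned Amazon Linux 2023, parent of every Nitro-related stage.
# ---------------------------------------------------------------------------
FROM public.ecr.aws/amazonlinux/amazonlinux:2023.8.20250908.0@sha256:0afbc075facf7bb19482cd244d037222d6f998e8a443106fe245d23008910452 AS amazon

# ---------------------------------------------------------------------------
# nsmbuild: compiles the Nitro Security Module client library. Only
# target/release/libnsm.a and nsm.h leave this stage (copied into builder).
# ---------------------------------------------------------------------------
FROM amazon AS nsmbuild
ENV HOST_MACHINE=x86_64
ENV RUST_VERSION=1.89.0
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH
RUN yum install -y gcc && yum clean all

# rustup-init is saved to a file and then run, rather than piped straight into
# sh, so a failed or truncated download fails the build instead of being
# swallowed by the pipe (set -e does not cover the left side of a pipeline).
# The installer itself is not pinned by checksum; only the toolchain version is.
RUN set -eux; \
    curl --proto '=https' --tlsv1.2 -sSf -o /tmp/rustup-init.sh https://sh.rustup.rs/; \
    sh /tmp/rustup-init.sh --default-toolchain ${RUST_VERSION} -y; \
    rm -f /tmp/rustup-init.sh; \
    rustup --version; \
    cargo --version; \
    rustc --version

COPY docker/aws-nitro-enclaves-nsm-api /build
# Repo-pinned lockfile so --locked below reproduces the same dependency graph.
COPY docker/aws-nitro.Cargo.lock /build/Cargo.lock
WORKDIR /build
RUN set -eux; \
    (cd nsm-lib && cargo build --release --locked)
# Re-pack the archive with deterministic member order and metadata (ar -D) so
# libnsm.a is byte-identical across builds.
RUN ar mD target/release/libnsm.a $(ar t target/release/libnsm.a | env -u LANG LC_ALL=C sort)

# ---------------------------------------------------------------------------
# builder: the interactive build environment (clang 11, go, protoc, rust,
# Open Enclave, libnsm). Source is expected under /src.
# ---------------------------------------------------------------------------
FROM base AS builder
# apt update/install are retried to ride out transient mirror failures, but
# the retry is bounded so a persistent failure fails the build instead of
# hanging it forever.
RUN retry() { for _ in 1 2 3 4 5; do "$@" && return 0; sleep 5; done; return 1; }; \
    retry apt-get update && \
    retry apt-get install -y \
        automake \
        bison \
        cmake \
        flex \
        gcc \
        gdb \
        git \
        libcurl4 \
        libgtest-dev \
        libssl-dev \
        libstdc++-12-dev \
        libtool \
        make \
        pkg-config \
        unzip \
        valgrind \
        xz-utils \
    && apt-get clean

# protoc, verified against its pinned sha256 by ADD.
ARG PROTOBUF_PLATFORM=linux-x86_64
ARG PROTOBUF_VERSION=21.8
ARG PROTOBUF_BASE=protoc-${PROTOBUF_VERSION}-${PROTOBUF_PLATFORM}
ADD --checksum=sha256:f90d0dd59065fef94374745627336d622702b67f0319f96cee894d41a974d47a \
    https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOBUF_VERSION}/${PROTOBUF_BASE}.zip ./
RUN unzip -o ${PROTOBUF_BASE}.zip -d /opt/protobuf \
    && rm -f ${PROTOBUF_BASE}.zip

# Go toolchain, verified against its pinned sha256 by ADD.
ARG GOLANG_PLATFORM=linux-amd64
ARG GOLANG_VERSION=1.25.5
ARG GOLANG_TAR_GZ=go${GOLANG_VERSION}.${GOLANG_PLATFORM}.tar.gz
ADD --checksum=sha256:9e9b755d63b36acf30c12a9a3fc379243714c1c6d3dd72861da637f336ebb35b \
    https://go.dev/dl/${GOLANG_TAR_GZ} ./
# The tarball's top-level directory is "go", so this lands in /opt/go.
RUN tar xzf ${GOLANG_TAR_GZ} -C /opt \
    && rm -f ${GOLANG_TAR_GZ}

# Rather than ADD --checksum=xxx this file, we wget it within a RUN so the file itself,
# which is quite large, doesn't show up in any intermediate layers. The expected
# digest is committed next to this Dockerfile and checked before anything is
# extracted; only the compiler driver and its resource headers are kept.
# NOTE(review): wget is not in the apt list above, so it is presumably provided
# by the base image or sgx_runtime_libraries.sh — confirm.
ARG CLANG_VERSION=11.1.0
ARG LATEST_CLANG_11=${CLANG_VERSION}-x86_64-linux-gnu-ubuntu-20.10
COPY docker/clang+llvm-${LATEST_CLANG_11}.tar.xz.sha256 /tmp
RUN cd /tmp && \
    wget -nv https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/clang+llvm-${LATEST_CLANG_11}.tar.xz && \
    sha256sum -c clang+llvm-${LATEST_CLANG_11}.tar.xz.sha256 && \
    tar xvf clang+llvm-${LATEST_CLANG_11}.tar.xz \
        clang+llvm-${LATEST_CLANG_11}/bin/clang-11 \
        clang+llvm-${LATEST_CLANG_11}/lib/clang/${CLANG_VERSION}/include && \
    mv clang+llvm-${LATEST_CLANG_11} /opt/clang && \
    ln -s /opt/clang/bin/clang-11 /opt/clang/bin/clang++-11 && \
    rm -fv clang+llvm-${LATEST_CLANG_11}.tar.xz

ENV PATH="/opt/clang/bin:/opt/openenclave/bin:/opt/go/bin:/opt/protobuf/bin:${PATH}" \
    GOROOT="/opt/go" \
    GOBIN="/opt/go/bin" \
    PKG_CONFIG_PATH="/opt/openenclave/share/pkgconfig"

# protoc-gen-go is pinned to a commit rather than a tag so generated code
# cannot drift; GOBIN above puts the binary on PATH.
ARG PROTOC_GEN_GO_GITREV=96a179180f0ad6bba9b1e7b6e38d0affb0168e9a
RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@${PROTOC_GEN_GO_GITREV}
RUN echo "export PS1='buildenv: \w$ '" >> /etc/bash.bashrc

# Set this after `go install` so we don't use the same cache as root.
ENV GOPATH="/src/.gopath" \
    GOCACHE="/src/.gocache" \
    CARGO_HOME="/src/.cargohome" \
    CARGO_TARGET_DIR="/src/.cargotarget"
WORKDIR /src

COPY --from=nsmbuild /build/target/release/libnsm.a /opt/nsm/libnsm.a
COPY --from=nsmbuild /build/target/release/nsm.h /opt/nsm/nsm.h

# Rust toolchain for the build environment. This is a different version from
# the one nsmbuild uses (1.89.0); libnsm.a appears to be consumed through its C
# header, so the two need not match — confirm if that ever changes.
# xz-utils (needed for tar -J) is already installed by the apt step above.
ARG RUST_VERSION=1.92.0
ADD --checksum=sha256:d2ccef59dd9f7439f2c694948069f789a044dc1addcc0803613232af8f88ee0c \
    https://static.rust-lang.org/dist/rust-${RUST_VERSION}-x86_64-unknown-linux-gnu.tar.xz /tmp/
RUN (cd /tmp && tar xJf /tmp/rust-${RUST_VERSION}-x86_64-unknown-linux-gnu.tar.xz) && \
    (cd /tmp/rust-${RUST_VERSION}-x86_64-unknown-linux-gnu && ./install.sh) && \
    rm -fv /tmp/rust-${RUST_VERSION}-x86_64-unknown-linux-gnu.tar.xz && \
    rm -rf /tmp/rust-${RUST_VERSION}-x86_64-unknown-linux-gnu
CMD ["/bin/bash"]

# ---------------------------------------------------------------------------
# sgxrun: SGX host runtime. Ships the host binary, the control tool and the
# released enclave images.
# ---------------------------------------------------------------------------
FROM base AS sgxrun
# Runtime-only SGX dependencies; the QPL packages are version-pinned.
RUN apt-get update && apt-get install -y \
        libcurl4 \
        libsgx-dcap-default-qpl=1.22.100.3-jammy1 \
        libsgx-dcap-default-qpl-dev=1.22.100.3-jammy1 \
    && apt-get clean
COPY host/main /bin/svr2
COPY enclave/releases/sgx /enclaves
COPY host/cmd/control/control /bin/svr3control
# svr2control is kept as a compatibility alias of svr3control.
RUN ln -s /bin/svr3control /bin/svr2control
# NOTE(review): this image has no USER and runs the host as root; whether an
# unprivileged user with access to the SGX device nodes would suffice is not
# determined by this file — confirm.
ENTRYPOINT ["/bin/svr2"]

# ---------------------------------------------------------------------------
# nsmrun: the image that is converted into a Nitro enclave (EIF) by nsmeif.
# ---------------------------------------------------------------------------
FROM amazon AS nsmrun
# Plain file copy: COPY rather than ADD so the binary can never be silently
# treated as an archive and unpacked.
COPY --chown=0:0 enclave/build/enclave.nsm /bin/svr2
ENTRYPOINT ["/bin/svr2", "--sock_type=af_vsock"]

# ---------------------------------------------------------------------------
# sevrun: SEV guest image, minimal Alpine base pinned by digest.
# ---------------------------------------------------------------------------
FROM alpine@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517 AS sevrun
COPY enclave/build/enclave.sev /bin/svr2
# Documentation only; the port must still be published at run time.
EXPOSE 27427
ENTRYPOINT ["/bin/svr2", "--sock_type=af_inet"]

# ---------------------------------------------------------------------------
# nsmeif: tooling image that turns the nsmrun image into an EIF file.
# ---------------------------------------------------------------------------
FROM amazon AS nsmeif
RUN yum install -y \
        aws-nitro-enclaves-cli.x86_64 \
        aws-nitro-enclaves-cli-devel.x86_64 \
        docker \
        jq \
        perl \
    && yum clean all
# Defaults presumably read by build_eif.sh; override with `docker run -e`.
# key=value form: the legacy space-separated ENV syntax is deprecated.
ENV DOCKER_IMAGE=svr2_nsmrun:latest \
    OUTPUT_FILE=/tmp/svr2.eif \
    CHOWN_TO=0:0
COPY docker/build_eif.sh /build_eif.sh
# Exec form with an absolute path: the script is PID 1, receives signals
# directly, and does not depend on the working directory being /.
ENTRYPOINT ["/build_eif.sh"]

# ---------------------------------------------------------------------------
# nsmhost: Nitro host runtime. Starts the enclave from /releases and runs the
# host binary alongside it.
# ---------------------------------------------------------------------------
FROM amazon AS nsmhost
RUN yum install -y \
        aws-nitro-enclaves-cli.x86_64 \
        jq \
    && yum clean all
COPY docker/nitro_start.sh /nitro_start.sh
# Trailing slash makes COPY create /releases itself.
COPY enclave/releases/nitro/* /releases/
COPY host/main /bin/svr2
COPY host/cmd/control/control /bin/svr3control
# svr2control is kept as a compatibility alias of svr3control.
RUN ln -s /bin/svr3control /bin/svr2control
# Absolute path so the entrypoint does not depend on the working directory.
ENTRYPOINT ["/nitro_start.sh"]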