From 95cc0a5c57f06de4c06fcc6a34ed08ad5686ff71 Mon Sep 17 00:00:00 2001 From: Adarsh Anand Date: Wed, 27 Nov 2024 06:28:20 +0000 Subject: [PATCH] Update GSC with Gramine's new SGX driver requirements Signed-off-by: Adarsh Anand --- Documentation/index.rst | 10 ---------- config.yaml.template | 19 ------------------- templates/Dockerfile.common.compile.template | 18 ------------------ templates/centos/Dockerfile.compile.template | 2 +- .../centos/stream/Dockerfile.compile.template | 2 +- templates/debian/Dockerfile.compile.template | 11 +++++++++-- .../ubi-minimal/Dockerfile.build.template | 1 - .../ubi-minimal/Dockerfile.compile.template | 2 +- .../redhat/ubi/Dockerfile.build.template | 1 - .../redhat/ubi/Dockerfile.compile.template | 2 +- templates/suse/Dockerfile.compile.template | 2 +- 11 files changed, 14 insertions(+), 56 deletions(-) diff --git a/Documentation/index.rst b/Documentation/index.rst index 4a1cd46f..1271ffcb 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -359,16 +359,6 @@ in :file:`config.yaml.template`. provided for popular cloud-provider environments. `Gramine.Repository` and `Gramine.Branch` are ignored in case `Gramine.Image` is specified. -.. describe:: SGXDriver.Repository - - Source repository of the Intel SGX driver. Default value: "" - (in-kernel driver). - -.. describe:: SGXDriver.Branch - - Use this branch of the repository. Default value: "" - (in-kernel driver). - Run graminized Docker images ============================= diff --git a/config.yaml.template b/config.yaml.template index 7fa41920..2466ee63 100644 --- a/config.yaml.template +++ b/config.yaml.template 
@@ -32,22 +32,3 @@ Registry: ""
 Gramine:
 Repository: "https://github.com/gramineproject/gramine.git"
 Branch: "master"
-
-# Specify the Intel SGX driver installed on your machine (more specifically, on the machine where
-# the graminized Docker container will run); there are several variants of the SGX driver:
-#
-# - upstream (in-kernel) driver: use empty values like below
-# Repository: ""
-# Branch: ""
-#
-# - DCAP out-of-tree driver: same as above, use empty values
-# Repository: ""
-# Branch: ""
-#
-# - legacy out-of-tree driver: use something like the below values, but adjust the branch name
-# Repository: "https://github.com/01org/linux-sgx-driver.git"
-# Branch: "sgx_driver_1.9"
-#
-SGXDriver:
- Repository: ""
- Branch: ""
diff --git a/templates/Dockerfile.common.compile.template b/templates/Dockerfile.common.compile.template
index c0f276f8..ddd1d7f2 100644
--- a/templates/Dockerfile.common.compile.template
+++ b/templates/Dockerfile.common.compile.template
@@ -13,28 +13,10 @@ RUN cd /gramine \
 && git fetch origin {{Gramine.Branch}} \
 && git checkout {{Gramine.Branch}}
-{% if "linux-sgx-driver" in SGXDriver.Repository %}
-RUN cd /gramine \
- && git clone {{SGXDriver.Repository}} driver \
- && cd driver \
- && git checkout {{SGXDriver.Branch}}
-{% else %}
-RUN mkdir -p /gramine/driver/asm \
- && cd /gramine/driver/asm \
- && wget --timeout=10 -O sgx.h \
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/plain/arch/x86/include/uapi/asm/sgx.h?h=v5.11 \
- && sha256sum sgx.h | grep -q a34a997ade42b61376b1c5d3d50f839fd28f2253fa047cb9c0e68a1b00477956
-{% endif %}
-
 RUN cd /gramine \
 && meson setup build/ --prefix="/gramine/meson_build_output" \
 --buildtype={{buildtype}} \
 -Ddirect=enabled -Dsgx=enabled \
 {% if template_path(Distro).startswith('ubuntu:') %}-Ddcap=enabled{% endif %} \
- {% if "linux-sgx-driver" in SGXDriver.Repository %} \
- -Dsgx_driver=oot -Dsgx_driver_include_path=/gramine/driver \
- {% else %} \
- -Dsgx_driver=upstream -Dsgx_driver_include_path=/gramine/driver \
- {% endif %} \
 && ninja -C build \
 && ninja -C build install
diff --git a/templates/centos/Dockerfile.compile.template b/templates/centos/Dockerfile.compile.template
index 5c5000d4..370f584a 100644
--- a/templates/centos/Dockerfile.compile.template
+++ b/templates/centos/Dockerfile.compile.template
@@ -19,6 +19,7 @@ RUN dnf update -y \
 gcc-c++ \
 git \
 httpd \
+ kernel-headers \
 libevent-devel \
 make \
 nasm \
@@ -36,7 +37,6 @@ RUN dnf update -y \
 python3-pip \
 python3-protobuf \
 rpm-build \
- wget \
 && /usr/bin/python3 -B -m pip install 'tomli>=1.1.0' 'tomli-w>=0.4.0' 'meson>=0.56,!=1.2.*'
 {% endblock %}
diff --git a/templates/centos/stream/Dockerfile.compile.template b/templates/centos/stream/Dockerfile.compile.template
index 2877e1a1..cd3451bd 100644
--- a/templates/centos/stream/Dockerfile.compile.template
+++ b/templates/centos/stream/Dockerfile.compile.template
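Review bot: `kernel-headers` is added unconditionally here, but nothing checks that the package on the chosen base image actually provides `asm/sgx.h`; the pinned kernel.org fetch removed from Dockerfile.common.compile.template (with its `sha256sum` check) was the only fail-fast for that, and a too-old header now surfaces only as an opaque meson/compile error much later. Taking the header from a signed distro package is the better supply-chain posture, so the fix is only to restore the early check, e.g. `RUN echo '#include <asm/sgx.h>' | gcc -E -x c - > /dev/null` placed after the package install (the `RUN dnf update -y` this hunk sits in starts and ends outside the hunk). The same applies to the identical additions in centos/stream, redhat/ubi-minimal and redhat/ubi (`kernel-headers`) and suse (`linux-glibc-devel`), none of which has a version guard like the debian template's backports branch; the removed URL pinned v5.11, which is presumably the minimum header version Gramine needs and is worth stating in a comment next to the package.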
@@ -18,6 +18,7 @@ RUN dnf distro-sync -y \
 gcc-c++ \
 git \
 httpd \
+ kernel-headers \
 libcurl-devel \
 make \
 nasm \
@@ -36,7 +37,6 @@ RUN dnf distro-sync -y \
 python3-pip \
 python3-protobuf \
 rpm-build \
- wget \
 yum-utils \
 && /usr/bin/python3 -B -m pip install 'tomli>=1.1.0' 'tomli-w>=0.4.0' 'meson>=0.56,!=1.2.*'
diff --git a/templates/debian/Dockerfile.compile.template b/templates/debian/Dockerfile.compile.template
index b713aa94..a80f5ab0 100644
--- a/templates/debian/Dockerfile.compile.template
+++ b/templates/debian/Dockerfile.compile.template
@@ -3,6 +3,14 @@
 # NOTE: meson v1.2.* has a bug that leads to Gramine build failure because of not found `libcurl.a`
 {% block install %}
 {% set distro = Distro.split(':') %}
+
+{%- if distro[0] == "debian" and distro[1] | int == 11 %}
+# linux-libc-dev providing sgx.h is available in the debian bullseye-backports repo for debian 11
+RUN echo 'deb http://deb.debian.org/debian bullseye-backports main' > /etc/apt/sources.list.d/backports.list \
+ && env DEBIAN_FRONTEND=noninteractive apt-get update \
+ && env DEBIAN_FRONTEND=noninteractive apt-get install -y -t bullseye-backports linux-libc-dev
+{%- endif %}
+
 RUN env DEBIAN_FRONTEND=noninteractive apt-get update \
 && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
 autoconf \
@@ -14,7 +22,7 @@ RUN env DEBIAN_FRONTEND=noninteractive apt-get update \
 gawk \
 git \
 libprotobuf-c-dev \
- linux-headers-generic \
+ linux-libc-dev \
 nasm \
 ninja-build \
 pkg-config \
@@ -23,7 +31,6 @@ RUN env DEBIAN_FRONTEND=noninteractive apt-get update \
 python3 \
 python3-cryptography \
 python3-protobuf \
- wget \
 # please see the comment in Dockerfile.build.template for explanation why this condition is needed
 {%- if (distro[0] == "debian" and distro[1] | int >= 12) or (distro[0] == "ubuntu" and distro[1] | int >= 23) %}
diff --git a/templates/redhat/ubi-minimal/Dockerfile.build.template b/templates/redhat/ubi-minimal/Dockerfile.build.template
index 621b10fc..9fa243d7 100644
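Review bot: The backports guard covers only `debian:11`, while the swap of `linux-headers-generic` for `linux-libc-dev` in the second hunk is unconditional, so any other accepted base whose `linux-libc-dev` predates the SGX UAPI header (the removed kernel.org fetch pinned v5.11) now fails later in the build with no hint about the cause; either extend the guard or add an explicit error branch for such tags. `distro[1] | int` evaluates to 0 for a codename tag like `debian:bullseye`, which silently skips the backports branch; that matches the convention of the existing `>= 12` condition, but a one-line comment that numeric tags are required would save a confusing failure. It would also help to note in the added comment that on Debian 11 the later plain `apt-get install -y linux-libc-dev` keeps the already-installed backports version rather than downgrading it. Whether the apt lists left behind by this separate `RUN` are cleaned elsewhere in the template is not visible in the hunk.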
--- a/templates/redhat/ubi-minimal/Dockerfile.build.template
+++ b/templates/redhat/ubi-minimal/Dockerfile.build.template
@@ -29,7 +29,6 @@ RUN rm -rf /etc/rhsm-host \
 python3-protobuf \
 python3-pyelftools \
 python3-voluptuous \
- wget \
 which \
 && /usr/bin/python3 -B -m pip install click jinja2 \
 'tomli>=1.1.0' 'tomli-w>=0.4.0' \
diff --git a/templates/redhat/ubi-minimal/Dockerfile.compile.template b/templates/redhat/ubi-minimal/Dockerfile.compile.template
index 5c25c0f1..8e812412 100644
--- a/templates/redhat/ubi-minimal/Dockerfile.compile.template
+++ b/templates/redhat/ubi-minimal/Dockerfile.compile.template
@@ -25,6 +25,7 @@ RUN rm -rf /etc/rhsm-host \
 gcc-c++ \
 git \
 httpd \
+ kernel-headers \
 libevent-devel \
 make \
 nasm \
@@ -43,7 +44,6 @@ RUN rm -rf /etc/rhsm-host \
 python3-protobuf \
 python3-voluptuous \
 rpm-build \
- wget \
 && /usr/bin/python3 -B -m pip install 'tomli>=1.1.0' 'tomli-w>=0.4.0' 'meson>=0.56,!=1.2.*'
 {% endblock %}
diff --git a/templates/redhat/ubi/Dockerfile.build.template b/templates/redhat/ubi/Dockerfile.build.template
index cb8f6739..ed06adfe 100644
--- a/templates/redhat/ubi/Dockerfile.build.template
+++ b/templates/redhat/ubi/Dockerfile.build.template
@@ -28,7 +28,6 @@ RUN rm -rf /etc/rhsm-host \
 python3-protobuf \
 python3-pyelftools \
 python3-voluptuous \
- wget \
 && /usr/bin/python3 -B -m pip install click jinja2 \
 'tomli>=1.1.0' 'tomli-w>=0.4.0' \
 && dnf repolist \
diff --git a/templates/redhat/ubi/Dockerfile.compile.template b/templates/redhat/ubi/Dockerfile.compile.template
index b33704b1..1802e94e 100644
--- a/templates/redhat/ubi/Dockerfile.compile.template
+++ b/templates/redhat/ubi/Dockerfile.compile.template
@@ -25,6 +25,7 @@ RUN rm -rf /etc/rhsm-host \
 gcc-c++ \
 git \
 httpd \
+ kernel-headers \
 libevent-devel \
 make \
 nasm \
@@ -43,7 +44,6 @@ RUN rm -rf /etc/rhsm-host \
 python3-protobuf \
 python3-voluptuous \
 rpm-build \
- wget \
 && /usr/bin/python3 -B -m pip install 'tomli>=1.1.0' 'tomli-w>=0.4.0' 'meson>=0.56,!=1.2.*'
 {% endblock %}
diff --git a/templates/suse/Dockerfile.compile.template b/templates/suse/Dockerfile.compile.template
index 665ec88e..b9c90460 100644
--- a/templates/suse/Dockerfile.compile.template
+++ b/templates/suse/Dockerfile.compile.template
@@ -26,6 +26,7 @@ RUN SUSEConnect -p PackageHub/{{ver}}/x86_64 \
 gcc11 \
 gcc11-c++ \
 git \
+ linux-glibc-devel \
 libevent-devel \
 libprotobuf-c-devel \
 libprotobuf-c1 \
@@ -43,7 +44,6 @@ RUN SUSEConnect -p PackageHub/{{ver}}/x86_64 \
 python3-protobuf \
 python3-tomli \
 rpm-build \
- wget \
 which \
 && /usr/bin/python3 -B -m pip install 'tomli-w>=0.4.0' \
 && update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 10 \
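Review bot: `linux-glibc-devel` is inserted between `git` and `libevent-devel`, which breaks the alphabetical order the rest of this package list keeps (`gcc11`, `gcc11-c++`, `git`, `libevent-devel`, `libprotobuf-c-devel`, `libprotobuf-c1`); `linux-` sorts after `libprotobuf-`, so the line belongs after `libprotobuf-c1 \` (or wherever it falls in the part of the list that continues outside the hunk). A short comment such as `# provides asm/sgx.h (kernel UAPI headers) for Gramine's SGX build` on the new line would also make the unusual dependency self-explanatory, as none of the other compile templates document why the header package is needed. The `RUN SUSEConnect` command this hunk modifies starts and ends outside the hunk.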