diff --git a/Examples/aks-attestation/.gitignore b/Examples/aks-attestation/.gitignore new file mode 100644 index 00000000..ad83f82c --- /dev/null +++ b/Examples/aks-attestation/.gitignore @@ -0,0 +1 @@ +/gramine diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md new file mode 100644 index 00000000..27740c2c --- /dev/null +++ b/Examples/aks-attestation/README.md 
@@ -0,0 +1,138 @@ +# Gramine attestation inside AKS cluster + +This guide demonstrates how Gramine DCAP attestation quote can be generated and verified from +within an AKS cluster. Here, we provide an end-to-end example to help Cloud Solution Providers +integrate Gramine’s RA-TLS attestation and secret provisioning feature with a confidential compute +cluster managed by Azure Kubernetes Service. This guide contains necessary reference wrappers that +enable Gramine to use AKS components such as AESMD and DCAP quote provider libraries. This guide +also describes a microservice deployment for the RA-TLS verifier (secret provisioning service) that +can be readily deployed to the AKS cluster. + +## Preparing client (SGX application) and server (secret provisioning service) images + +This demonstration is based on the `ra-tls-secret-prov` example from +https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov. Familiarity +with this example is highly recommended before proceeding further. The sample contains client and +server applications, where by default server is running on localhost:4433. In the example, the +client sends its SGX quote to the server for verification. After successful quote verification, the +server sends a secret to the client. + +To run these client and server applications inside the AKS cluster, user needs to prepare two Docker +images, one for the client and one for the server. In our AKS attestation example, the server will +no longer run on localhost, instead it will run in a Docker container inside the AKS cluster. The +server container should be assigned a DNS name (e.g., ``) to be accessible from the +outside of the container. The client will send requests to this DNS name. 
Therefore, for +demonstration we updated the example certificates from +https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov/certs by +replacing the "Common Name" field in the server certificate (i.e., `server2-sha256.crt`) from +`localhost` to ``. + +In order to create base client and server Docker images for the AKS environment, user can execute +the `base-image-generation-script.sh` script. Since both client and server applications will run +inside containers in the AKS cluster, and the client application will send its SGX quote to the +server for verification, therefore the user needs to graminize the client application. Hence, the +following two steps create a native Docker server image and a graminized GSC client image for the +AKS cluster. + +Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). + +### Creating server (secret provisioning service) image + +1. The `base-image-generation-script.sh` script will create the native Docker server image with the + name `aks-secret-prov-server-img:latest`. + +2. Push the server image to Docker Hub or your preferred registry: + + ```sh + $ docker tag aks-secret-prov-server-img:latest \ + /aks-secret-prov-server-img:latest + $ docker push /aks-secret-prov-server-img:latest + ``` + +3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster using reference + deployment file: `aks-secret-prov-server-deployment.yaml` + +### Creating client (SGX application) image + +1. The `base-image-generation-script.sh` script will create the native Docker client image with the + name `aks-secret-prov-client-img:latest`. + +2. 
Create the GSC client image (note that we tested this example with DCAP driver 1.11 specified in + the GSC configuration file): + + ```sh + $ cd gsc + $ ./gsc build aks-secret-prov-client-img:latest \ + Examples/aks-attestation/aks-secret-prov-client.manifest + $ ./gsc sign-image aks-secret-prov-client-img:latest enclave-key.pem + ``` + +5. Push resulting image to Docker Hub or your preferred registry: + + ```sh + $ docker tag gsc-aks-secret-prov-client-img:latest \ + /gsc-aks-secret-prov-client-img:latest + $ docker push /gsc-aks-secret-prov-client-img:latest + ``` + +6. Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster using + reference deployment file: `aks-secret-prov-client-deployment.yaml` + +## Deploying client and server images in AKS confidential compute cluster + +AKS confidential compute cluster can be created using the following +[link](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-enclave-nodes-aks-get-started). + +Gramine performs out-of-proc mode DCAP quote generation. Out-of-proc mode quote generation requires +AESMD service. To fulfill this requirement, AKS provides the +[sgxquotehelper daemonset](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-addon#out-of-proc-attestation-for-confidential-workloads) +(can be enabled by `--enable-sgxquotehelper` during cluster creation). This feature exposes AESMD +service for the container node. The service will internally connect with az-dcap-client to fetch the +platform collateral required for quote generation. In this demo, the +`aks-secret-prov-client-deployment.yaml` file uses AESMD service exposed by AKS with the help of the +sgxquotehelper plugin. + +In our example, the client will generate the SGX quote that will be embedded inside the RA-TLS +certificate. On receiving the quote, the server will internally verify it using the +libsgx-dcap-quote-verify library via the az-dcap-client library. 
+ +### Deployment + +```sh +$ kubectl apply -f aks-secret-prov-server-deployment.yaml +``` + +Once the server (secret provisioning service) container is in running state, start the client +(SGX application) container as shown below: + +```sh +$ kubectl apply -f aks-secret-prov-client-deployment.yaml +``` + +At this stage, a successful RA-TLS verification will be completed, and the secrets will be +provisioned from the server to the client. + +## Checking SGX quote generation and verification + +Verify the client job is completed: + +```sh +$ kubectl get pods +``` + +Receive logs to verify the secret has been provisioned to the client: + +```sh +$ kubectl logs -l app=gsc-ra-tls-secret-prov-client --tail=50 +``` + +Expected output: + +`--- Received secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'` + +Delete both client and server containers: + +```sh +$ kubectl delete -f aks-secret-prov-server-deployment.yaml +$ kubectl delete -f aks-secret-prov-client-deployment.yaml +``` diff --git a/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml new file mode 100644 index 00000000..f5110851 --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml @@ -0,0 +1,29 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: secret-prov-client + labels: + app: secret-prov-client +spec: + template: + metadata: + labels: + app: gsc-ra-tls-secret-prov-client + spec: + volumes: + - name: var-run-aesmd + hostPath: + path: /var/run/aesmd + containers: + - name: gsc-ra-tls-secret-prov-client-container + image: /gsc-aks-secret-prov-client-img:latest + env: + - name: SECRET_PROVISION_SERVERS + value: "ra-tls-server-aks-dns.eastus.cloudapp.azure.com:4433" + resources: + limits: + kubernetes.azure.com/sgx_epc_mem_in_MiB: 10 + volumeMounts: + - name: var-run-aesmd + mountPath: /var/run/aesmd + restartPolicy: Never 
diff --git a/Examples/aks-attestation/aks-secret-prov-client.dockerfile b/Examples/aks-attestation/aks-secret-prov-client.dockerfile new file mode 100644 index 00000000..fea5094e --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-client.dockerfile @@ -0,0 +1,27 @@ +FROM ubuntu:18.04 + +RUN apt-get update \ + && env DEBIAN_FRONTEND=noninteractive apt-get install -y wget \ + build-essential \ + gnupg2 \ + libcurl3-gnutls \ + python3 + +# Installing DCAP libraries +RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \ + > /etc/apt/sources.list.d/intel-sgx.list \ + && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \ + && apt-key add intel-sgx-deb.key + +RUN apt-get update \ + && apt-get install -y libsgx-urts \ + libsgx-dcap-ql \ + libsgx-quote-ex + +WORKDIR /ra-tls-secret-prov + +COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs + +COPY gramine/CI-Examples/ra-tls-secret-prov/secret_prov_min_client /usr/local/bin + +ENTRYPOINT ["secret_prov_min_client"] diff --git a/Examples/aks-attestation/aks-secret-prov-client.manifest b/Examples/aks-attestation/aks-secret-prov-client.manifest new file mode 100644 index 00000000..22d5f6d7 --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-client.manifest @@ -0,0 +1,19 @@ +# Secret Provisioning library (client-side) is preloaded +loader.env.LD_PRELOAD = "libsecret_prov_attest.so" + +loader.env.SECRET_PROVISION_SERVERS = { passthrough = true } +loader.env.SECRET_PROVISION_CONSTRUCTOR = "1" +loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "certs/test-ca-sha256.crt" + +sgx.remote_attestation = true + +sgx.allowed_files = [ + "file:/etc/ethers", + "file:/etc/gai.conf", + "file:/etc/group", + "file:/etc/host.conf", + "file:/etc/hosts", + "file:/etc/nsswitch.conf", + "file:/etc/passwd", + "file:/etc/resolv.conf", +] 
diff --git a/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml new file mode 100644 index 00000000..2dce0080 --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ra-tls-secret-prov-server +spec: + replicas: 1 + selector: + matchLabels: + app: ra-tls-secret-prov-server + template: + metadata: + labels: + app: ra-tls-secret-prov-server + spec: + containers: + - name: ra-tls-secret-prov-server-container + image: /aks-secret-prov-server-img:latest + ports: + - containerPort: 4433 + resources: + limits: + kubernetes.azure.com/sgx_epc_mem_in_MiB: 10 + +# TODO: Requesting an SGX machine is not needed, but Intel DCAP libraries have a bug of trying to +# open the SGX driver (see https://github.com/intel/linux-sgx/issues/756) + +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/azure-dns-label-name: ra-tls-server-aks-dns + name: ra-tls-secret-prov-server +spec: + type: LoadBalancer + ports: + - port: 4433 + selector: + app: ra-tls-secret-prov-server diff --git a/Examples/aks-attestation/aks-secret-prov-server.dockerfile b/Examples/aks-attestation/aks-secret-prov-server.dockerfile new file mode 100644 index 00000000..fee3590d --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-server.dockerfile 
@@ -0,0 +1,44 @@ +FROM ubuntu:18.04 + +RUN apt-get update \ + && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ + build-essential \ + gnupg2 \ + libcurl3-gnutls \ + libcurl4-openssl-dev \ + python3 \ + wget + +# Installing Azure DCAP Quote Provider Library (az-dcap-client). +# Here, the version of az-dcap-client should be in sync with the az-dcap-client +# version used for quote generation. User can replace the below package with the +# latest package. +RUN wget https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.10_amd64.deb \ + && dpkg -i az-dcap-client_1.10_amd64.deb + +# Installing DCAP Quote Verification Library +RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \ + > /etc/apt/sources.list.d/intel-sgx.list \ + && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \ + && apt-key add intel-sgx-deb.key + +RUN apt-get update && apt-get install -y libsgx-dcap-quote-verify + +WORKDIR /ra-tls-secret-prov + +COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs +COPY gramine/CI-Examples/ra-tls-secret-prov/files ./files + +COPY gramine/CI-Examples/ra-tls-secret-prov/secret_prov_server_dcap /usr/local/bin + +RUN mkdir libs + +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libsecret_prov_verify_dcap.so libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libsgx_util.so libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libmbedcrypto_gramine.so.* libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libmbedtls_gramine.so.* libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libmbedx509_gramine.so.* libs + +ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:/ra-tls-secret-prov/libs" + +ENTRYPOINT ["secret_prov_server_dcap"] diff --git a/Examples/aks-attestation/base-image-generation-script.sh b/Examples/aks-attestation/base-image-generation-script.sh new file mode 100755 index 00000000..60c3bbe4 --- /dev/null 
+++ b/Examples/aks-attestation/base-image-generation-script.sh @@ -0,0 +1,24 @@ +# Download and build Gramine. We need it to build and copy ra-tls-secret-prov files and +# relevant libraries into the server and client Dockerfiles. +if [ -d "gramine" ]; then + echo "***** gramine directory exists, proceeding to image generation *****" +else + bash ./gramine_build.sh +fi + +# Include Meson build output packages dir in $PKG_CONFIG_PATH, contains mbedTLS and util libs +export PKG_CONFIG_PATH="$(find $PWD/gramine/meson_build_output/lib -type d -path '*/pkgconfig'):${PKG_CONFIG_PATH}" + +# Create Server image +cd gramine/CI-Examples/ra-tls-secret-prov +make clean && make dcap +cd ../../../ +docker build -f aks-secret-prov-server.dockerfile -t aks-secret-prov-server-img . + +# Create Client image +cd gramine/CI-Examples/ra-tls-secret-prov +make clean && make secret_prov_min_client +cd ../../../ +docker build -f aks-secret-prov-client.dockerfile -t aks-secret-prov-client-img . + +rm -rf gramine/ diff --git a/Examples/aks-attestation/certs/README b/Examples/aks-attestation/certs/README new file mode 100644 index 00000000..3498ce9b --- /dev/null +++ b/Examples/aks-attestation/certs/README 
@@ -0,0 +1,13 @@ +This directory contains pre-generated example certificates. In particular: + +- `test-ca-sha256.crt` -- RSA SHA256 root CA certificate in PEM format. Loaded + in client (attester) so that client can verify the server's certificate. +- `server2-sha256.crt` -- RSA SHA256 leaf server certificate in PEM format. + Loaded in server (verifier), so it will send it to the client during TLS + handshake. The "Common Name" field is set to + `ra-tls-server-aks-dns.eastus.cloudapp.azure.com`. +- `server2.key` -- RSA private key in PEM format. Loaded in server (verifier). + +Note: These certificates should not be used in production. Here, user should + update the server2-sha256.crt with ``Common Name`` pointing to the DNS + name of the ra-tls-secret-prov server deployed in the AKS cluster. diff --git a/Examples/aks-attestation/certs/server2-sha256.crt b/Examples/aks-attestation/certs/server2-sha256.crt new file mode 100644 index 00000000..76bc11b7 --- /dev/null +++ b/Examples/aks-attestation/certs/server2-sha256.crt 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4660 (0x1234) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=NL, ST=NL, L=NL, O=PolarSSL, CN=PolarSSL Test CA + Validity + Not Before: Nov 9 05:11:04 2021 GMT + Not After : Nov 9 05:11:04 2022 GMT + Subject: C=NL, ST=NL, O=PolarSSL, CN=ra-tls-server-aks-dns.eastus.cloudapp.azure.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a6:86:86:58:40:f6:02:6e:e1:07:70:d6:bb:25: + ae:1c:bc:d3:15:f0:f8:47:85:85:fd:38:85:e9:99: + bc:8f:63:ef:9e:a9:98:cc:ef:81:81:cf:77:2d:f7: + a9:29:54:e5:cf:dc:59:12:ce:c6:aa:a0:8d:d6:93: + 1b:5c:79:68:81:bb:04:d9:e1:af:11:ec:c6:63:b6: + d4:77:b8:31:8e:c4:bc:46:dd:de:7c:0b:1f:95:60: + e0:15:67:af:47:94:df:25:2b:da:ea:29:89:2e:43: + 5f:43:23:4f:47:db:4b:33:16:14:10:0b:5c:7c:80: + 97:6c:c9:23:ef:d2:16:96:1d:f5:d5:3f:78:fa:17: + 8d:22:47:c1:7d:42:66:19:16:a9:bd:66:42:33:77: + 79:87:4a:6e:85:80:b5:5e:89:ad:31:33:ba:c7:b9: + 19:57:fa:80:80:fd:2d:d5:3c:a9:85:3f:67:c5:1b: + 11:d9:43:c2:97:fd:5e:a8:ba:e5:21:7f:75:22:ff: + 53:26:ec:e1:3a:e4:d0:df:8b:71:2b:b6:d1:c0:dc: + bb:8b:97:07:53:7d:74:98:7e:55:36:82:dc:a2:d2: + 5f:ea:22:85:93:93:90:48:59:11:45:94:b2:82:e8: + 38:84:7b:9b:a0:7d:9d:6a:f2:60:7d:0d:55:11:31: + ab:af + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + A0:EC:6E:8A:20:C5:81:3F:6F:27:09:7B:D6:94:DF:E0:DB:57:67:55 + X509v3 Authority Key Identifier: + keyid:8A:35:A0:64:6B:D1:3F:28:92:55:12:6D:5A:6D:FD:EE:F0:2A:D5:DB + + Signature Algorithm: sha256WithRSAEncryption + 7d:90:5c:df:55:cd:3e:46:4a:75:0e:a3:9a:d3:56:27:15:5a: + 0c:d2:cb:10:4c:b0:df:e1:88:21:cb:23:a2:c3:0f:d0:ea:d3: + b4:41:65:d4:98:95:a6:7e:4d:5e:d2:32:40:eb:63:ab:5b:70: + 43:b8:0c:4d:5d:31:52:a2:f2:04:f9:aa:55:96:45:16:db:e3: + 9c:db:79:96:8f:3a:c8:a5:f2:f6:d0:69:03:3e:d4:df:1f:9d: + 
84:a9:81:ef:73:de:04:59:eb:1f:d3:65:24:e4:92:e8:00:2f: + 9e:d6:01:22:9f:9a:57:ff:52:54:42:0b:a5:b3:71:56:53:14: + 5c:ad:c4:99:0e:81:97:c0:88:73:3b:ef:1f:2b:9d:52:43:68: + a7:78:b6:46:c6:92:cf:f3:a8:87:a9:a5:76:0c:a3:9f:b7:2b: + 51:62:d7:b0:2a:58:eb:e3:56:c9:5e:d9:f7:db:60:c1:70:ef: + 29:08:4e:dc:6e:b6:e5:82:60:e5:5d:c4:68:4f:63:90:7f:af: + 77:f1:89:00:0d:73:be:24:aa:0d:13:93:c3:9c:e2:e9:6b:44: + d7:12:f6:32:69:40:0b:9f:c5:15:80:43:aa:9b:1b:32:fa:00: + b6:9a:c0:c8:db:18:0f:2e:02:94:0e:1a:bf:dc:ad:b3:bb:c6: + ab:9c:6e:80:e3:0e:80:a3:f0:b7:b7:e1:fe:a5:56:1c:75:d3: + 3e:33:5a:62:a0:3f:1b:eb:31:71:2f:92:8b:26:1f:c3:9b:84: + cd:d6:8c:29:b6:62:44:f7:7e:bc:4e:19:ad:76:09:fc:dd:c6: + aa:ce:ec:e3:14:bb:df:c5:6e:c9:32:e7:9b:dd:06:ab:33:04: + 30:22:f3:9e:4f:9b:7e:3f:53:48:04:c2:36:f9:bf:87:cb:8c: + bc:c5:b4:e5:33:df:3d:82:aa:21:ae:ac:75:87:0c:22:54:36: + 4c:84:1e:4d:01:ab:c6:86:c0:88:1e:8e:58:c2:4f:42:4e:2e: + 2f:77:0c:ae:5a:c4:b3:0a:a6:6a:57:ea:fe:33:d2:a5:50:21: + a5:d9:cf:09:4a:4f:3f:04:aa:1d:86:22:e2:7b:0a:88:e9:4e: + 22:c6:f3:a9:9f:fd:8c:d1:b0:4e:b1:d5:16:52:60:41:2a:da: + ba:51:12:40:67:20:37:06:0b:bc:8c:5b:09:c4:de:ff:69:8c: + 39:26:21:15:62:d0:aa:62:b8:bc:8f:67:8b:d5:43:a7:c0:8e: + 86:c4:fe:12:77:96:b5:12:b8:f5:fc:39:78:59:66:e1:ff:ff: + 2b:e4:83:ef:8f:0a:80:50:a2:13:6c:a5:dd:eb:2c:26:80:b3: + 87:72:10:7e:24:db:07:ff +-----BEGIN CERTIFICATE----- +MIIEszCCApugAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCTkwx +CzAJBgNVBAgMAk5MMQswCQYDVQQHDAJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAX +BgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMjExMTA5MDUxMTA0WhcNMjIxMTA5 +MDUxMTA0WjBnMQswCQYDVQQGEwJOTDELMAkGA1UECAwCTkwxETAPBgNVBAoMCFBv +bGFyU1NMMTgwNgYDVQQDDC9yYS10bHMtc2VydmVyLWFrcy1kbnMuZWFzdHVzLmNs +b3VkYXBwLmF6dXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKaGhlhA9gJu4Qdw1rslrhy80xXw+EeFhf04hemZvI9j756pmMzvgYHPdy33qSlU +5c/cWRLOxqqgjdaTG1x5aIG7BNnhrxHsxmO21He4MY7EvEbd3nwLH5Vg4BVnr0eU +3yUr2uopiS5DX0MjT0fbSzMWFBALXHyAl2zJI+/SFpYd9dU/ePoXjSJHwX1CZhkW 
+qb1mQjN3eYdKboWAtV6JrTEzuse5GVf6gID9LdU8qYU/Z8UbEdlDwpf9Xqi65SF/ +dSL/Uybs4Trk0N+LcSu20cDcu4uXB1N9dJh+VTaC3KLSX+oihZOTkEhZEUWUsoLo +OIR7m6B9nWryYH0NVRExq68CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC +AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKDs +boogxYE/bycJe9aU3+DbV2dVMB8GA1UdIwQYMBaAFIo1oGRr0T8oklUSbVpt/e7w +KtXbMA0GCSqGSIb3DQEBCwUAA4ICAQB9kFzfVc0+Rkp1DqOa01YnFVoM0ssQTLDf +4YghyyOiww/Q6tO0QWXUmJWmfk1e0jJA62OrW3BDuAxNXTFSovIE+apVlkUW2+Oc +23mWjzrIpfL20GkDPtTfH52EqYHvc94EWesf02Uk5JLoAC+e1gEin5pX/1JUQgul +s3FWUxRcrcSZDoGXwIhzO+8fK51SQ2ineLZGxpLP86iHqaV2DKOftytRYtewKljr +41bJXtn322DBcO8pCE7cbrblgmDlXcRoT2OQf6938YkADXO+JKoNE5PDnOLpa0TX +EvYyaUALn8UVgEOqmxsy+gC2msDI2xgPLgKUDhq/3K2zu8arnG6A4w6Ao/C3t+H+ +pVYcddM+M1pioD8b6zFxL5KLJh/Dm4TN1owptmJE9368Thmtdgn83caqzuzjFLvf +xW7JMueb3QarMwQwIvOeT5t+P1NIBMI2+b+Hy4y8xbTlM989gqohrqx1hwwiVDZM +hB5NAavGhsCIHo5Ywk9CTi4vdwyuWsSzCqZqV+r+M9KlUCGl2c8JSk8/BKodhiLi +ewqI6U4ixvOpn/2M0bBOsdUWUmBBKtq6URJAZyA3Bgu8jFsJxN7/aYw5JiEVYtCq +Yri8j2eL1UOnwI6GxP4Sd5a1Erj1/Dl4WWbh//8r5IPvjwqAUKITbKXd6ywmgLOH +chB+JNsH/w== +-----END CERTIFICATE----- diff --git a/Examples/aks-attestation/certs/server2.key b/Examples/aks-attestation/certs/server2.key new file mode 100644 index 00000000..45604cc1 --- /dev/null +++ b/Examples/aks-attestation/certs/server2.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEApoaGWED2Am7hB3DWuyWuHLzTFfD4R4WF/TiF6Zm8j2PvnqmY +zO+Bgc93LfepKVTlz9xZEs7GqqCN1pMbXHlogbsE2eGvEezGY7bUd7gxjsS8Rt3e +fAsflWDgFWevR5TfJSva6imJLkNfQyNPR9tLMxYUEAtcfICXbMkj79IWlh311T94 ++heNIkfBfUJmGRapvWZCM3d5h0puhYC1XomtMTO6x7kZV/qAgP0t1TyphT9nxRsR +2UPCl/1eqLrlIX91Iv9TJuzhOuTQ34txK7bRwNy7i5cHU310mH5VNoLcotJf6iKF +k5OQSFkRRZSygug4hHuboH2davJgfQ1VETGrrwIDAQABAoIBABWyc3CuTh91CPbq +OeA6gZwW8j3qnr7a4+FhavlL4aihMchveoxBLJOYT4P6v9y1xhe2MxjjPjlfH/v0 +QN1kqDw2/OPSpvfj7NlzKe3LXxGmCo4FPIbXAC97ZtcDInBmMkjqlORrswcHGjNq +N1s6dGrclpKcmFlUe+ZdssP9kJnQabiESxIjpKHgFVYLdYFeXdGxdvOE8p3hOci2 +ftrHK9/fXym+/MFdywxZCfhzpPaJJyJIqH0gbMZDOLv2rBaymf+FEgfEG4LgFas8 +CZf/hM6HkxcmCMVgcP8Oagb0NEnOAauUSmRowfLVd8Ob7ZlvrQKAkIHgH+shQ3hI +h6E+6LECgYEAzuhqasEHILxQpEwBXcoa9rQJHYIf27NSFNlKsal6IkCZCDlWbdQn +t+xbHPDnyRYv4PVYhh/2catlD6JLivxenTNm1fBdKzo/yMDKM6gubqaIo3B5Q8OB +hDlubFCxboPQ1bq05QAK1d8R4b4CmBqPXDQ/KrfFgEn47YmsrxpVs9kCgYEAzglI +bmqCiNV4Qw2sfp15lIPanuRfE9W2tDbj+ND4rafOJGrDuwEIpTMqSTW1hSOY58EL +w5VMa2+bqqOEufNH21HtpWQv2zVU8EbB0KevdP/f5xjGKhysoWOL/q6l1PPbF1Bg +pY/fPW+9xNuskb9XUXhkZ3tsPYeXPwnsLaGFDscCgYA0zYFi7xH3m7dkxnTOz6Yj +8XwmCLBCrDe1VGLIhjzCAwRK4f8ZljvwpyP1ddFhMwVS/qnxyLRm+9uVqtBmjtNC +gPysemP8hSgD/pdbqX74BA34z9pSndEuwk1Y3Rr63i7sbHJ/wowBWqVAm/IjiRuu +5zJ7n1yKydX6INlt8mWOuQKBgGCqgk0rs6q3XQE4vSF6iLxhUIUT6HfJ4TqUNkla +4hG3lUQIw2RNi9zWMJTAmjWpCehR7k8JER2m84YPygnkVmZT/geHBdz3HK7Ow8g9 +pFhkZIxsVy0S3vupVNlc33kWIEjD8VQ8OCT+9C4UUtbeyvzyW0kh4xrLLu7onOKb +0W2pAoGAfZ9UC4FrLfYgXAYz3WzHuVa4Z/r3PXswI5djINFZIAwLKjD7/E3R7BCq +pOag/PuESJu9CNcgYNURtOeIaW7MN80UN7086y0SnAw6OQXtIrSSHMEkTMr7iSXm +/VtC24AL/L7YSd8fRNXxYAJvkwowOllbNI8uKnzZn9JkaWBZajg= +-----END RSA PRIVATE KEY----- diff --git a/Examples/aks-attestation/certs/test-ca-sha256.crt b/Examples/aks-attestation/certs/test-ca-sha256.crt new file mode 100644 index 00000000..54028f0b --- /dev/null +++ b/Examples/aks-attestation/certs/test-ca-sha256.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFeDCCA2CgAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJOTDEL +MAkGA1UECAwCTkwxCzAJBgNVBAcMAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcG +A1UEAwwQUG9sYXJTU0wgVGVzdCBDQTAeFw0yMTExMDkwNTA4MDhaFw0zMTExMDcw +NTA4MDhaMFUxCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJOTDELMAkGA1UEBwwCTkwx +ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt4LPFNvOHrkgztHoZ9LR+69Q +uhDzaPmlEGngmJSgxMZi5dJJ7ZnEJtZ+8bjX/DTCZcl7lOwwSHurb9a3GPgP/DRt +0jGqqtDiwZnc1OoJ9mLnj+BoB1hhWSMuIcJ+cM292Aac+12Ih9mThtzhbxzW/6xD +neyAtRjF/iRBNq3FIiAMj3c+w+BBVmEbasBpuXs/4S9BTvyPrGFjg+jKf842wTwG +Vz82goPKaOMByRWbhEKhYT9al/iKcdPIPjzA6HB3XyPjLm9xpIXR1+RidO98UhsC +Llzw8xeUi+aq2MHLilBEUsHqVoJqWqFOCfJhOQGFzPQNPnWk1l7FOvJvYSr4XR1/ +6eIUqzFlG30ImG7uVCzhLunk092aPNGvewogTLiprmeLLBAks70NzPD9W1UQhXhB +SqZN6FNpczAdn5x+UxCUQkmFs8siCtLbh7Z3H2lx34IaiH9Xw+YTV244J/5UuUBR +jWrncbM+XElXo4RzF3gIL4EmvxKTzEWWh3b6SNpvirdJFbSkwByOYfBZ3XUuQDsa +Df9UGAgD1EBHwpuZB9VYT1rVA0x9o2ovjwYXY4AjHRCgqe53FeUSyxyY/xXKqiPn +jJjZuo2Pif2W+Il14Me1e30SD8+8fbdfoaPiGYQ02aW5AvElbMk4KEGnIlgiYhs9 +qAn36FqlaOkiwI7CQH8CAwEAAaNTMFEwHQYDVR0OBBYEFIo1oGRr0T8oklUSbVpt +/e7wKtXbMB8GA1UdIwQYMBaAFIo1oGRr0T8oklUSbVpt/e7wKtXbMA8GA1UdEwEB +/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAHkCHYagsPWfOipq6vXqaaCmHaaY +dOao9BjawfZbZOrYXFYFDcSVP4iGltEs3NBBrzjkbqmRlDT4R3uvWuvD+TlIUroL +0eGjPwmljGqW2eokjuySf9V48PdH12xwFnSYRn/qFiiEB7LconoxGhtXLOF1ry0q +99d4Lk/8pUlOVWFCQ5kv+Fp27oungmS6n4H2973HbzRbm8rxQJrrtomvQcU5DgN3 +b6q+37VVprE5dGJZ/+XCZ85lbOMnvN3H8zd1rftFnU2fxNK8DZ8cqb//BOI5lWpg +wBc8zUNCrNnPb8An/xpbS1P0BUGxxSWeyiXOwv9mxc3x7zJLVrDQLVd6GbhBnLE6 +Z9aC2Eh8gNLvBhs/JVaQKPn3iVyqNAaXaOg90TnlliO9EVbA0212HyC2+ShbdkwE +9TEDP9QPAr8Y/tU0hCpALelwE8VZJv1rp71Ga6CivlfDcgBoVygAQQ8tH+PcS+u6 +1r+B0TPml86mUAzG5lAW+ZuSjw727aLlLOnk/7F8jOShz817lA6eMqtlzYZpM+lR +B8ZNdkuuQq3z8OkJ78Gjby4NeDguF/dMlXD5me+AJ4FMqeCEN3g6QKh8ThzoSp8h +ZxmK9bX/MagiL0upybyqTDqgNCKNkpcqY168Nborx/T5J4srsBdJoCDi3jO1Q3nk +UvFuODojjTxO9Bwa +-----END 
CERTIFICATE----- diff --git a/Examples/aks-attestation/gramine_build.sh b/Examples/aks-attestation/gramine_build.sh new file mode 100755 index 00000000..218b58ed --- /dev/null +++ b/Examples/aks-attestation/gramine_build.sh @@ -0,0 +1,50 @@ +# This script assumes that in-kernel driver is installed on the host system. +# Please refer to https://gramine.readthedocs.io/en/latest/devel/building.html#install-the-intel-sgx-driver +# for more details. + +# Install Gramine dependencies +sudo apt-get install -y \ + autoconf \ + bison \ + build-essential \ + coreutils \ + curl \ + gawk \ + git \ + libcurl4-openssl-dev \ + libprotobuf-c-dev \ + linux-headers-generic \ + ninja-build \ + pkg-config \ + protobuf-c-compiler \ + python3 \ + python3-pip \ + python3-protobuf \ + wget + +sudo python3 -B -m pip install 'toml>=0.10' 'meson>=0.55' + +# Download Gramine +git clone https://github.com/gramineproject/gramine.git --depth=1 +cd gramine +mkdir -p meson_build_output + +# Generate signing key +openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072 + +# Install DCAP dependencies +echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | \ + sudo tee /etc/apt/sources.list.d/intel-sgx.list +wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key +sudo apt-key add intel-sgx-deb.key +sudo apt-get install --no-install-recommends -y libsgx-urts libsgx-dcap-quote-verify-dev + +# Build Gramine with DCAP enabled mode (assuming in-kernel driver) +meson setup build/ --prefix="$PWD/meson_build_output" --buildtype=release -Ddirect=enabled \ + -Dsgx=enabled -Ddcap=enabled +ninja -C build/ +ninja -C build/ install + +# Copy dummy server certificate with Common Name as " +cd ../ +cp -r certs/ gramine/CI-Examples/ra-tls-secret-prov/
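Review bot: in `Examples/aks-attestation/README.md`, the client-image steps are numbered 2, 5, 6 (3 and 4 are missing), and every substitution point for the registry name and the server DNS name renders as a pair of empty backticks (``), e.g. `/aks-secret-prov-server-img:latest` and "from `localhost` to ``", so a reader cannot tell what to fill in. Renumber the steps and spell the placeholders out (for instance `<registry>/aks-secret-prov-server-img:latest`, `<server-dns-name>`), and state that the DNS name has to agree in three places: the `azure-dns-label-name` annotation in `aks-secret-prov-server-deployment.yaml`, the `SECRET_PROVISION_SERVERS` value in `aks-secret-prov-client-deployment.yaml` (`ra-tls-server-aks-dns.eastus.cloudapp.azure.com:4433`, which also hardcodes the `eastus` region), and the Common Name of `certs/server2-sha256.crt`. A cluster in another region needs all three changed together.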
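Review bot: in `Examples/aks-attestation/aks-secret-prov-client-deployment.yaml`, the Job pulls `/gsc-aks-secret-prov-client-img:latest`: besides the empty registry prefix, a `:latest` tag means the enclave that actually runs (and hence its MRENCLAVE) can change silently between pulls, which defeats any measurement pinning on the verifier side. Pin the GSC image by digest (`image: <registry>/gsc-aks-secret-prov-client-img@sha256:<digest>`) and record that digest next to the expected measurement. Also consider an explicit `spec.backoffLimit`: with `restartPolicy: Never`, a client pod that starts before the server is listening fails and is retried as a fresh pod up to the default of 6 times, each one generating a new quote.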
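Review bot: in `Examples/aks-attestation/aks-secret-prov-client.dockerfile`, `COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs` copies the whole certificate directory, and `base-image-generation-script.sh` has just overlaid this repository's `certs/` (which contains `server2.key`) onto that path, so the server's private key ends up inside the client image and the GSC image derived from it. The client only needs the CA chain named in the manifest; copy `certs/test-ca-sha256.crt` alone (`COPY gramine/CI-Examples/ra-tls-secret-prov/certs/test-ca-sha256.crt ./certs/`). The build-time packages (`build-essential`, `python3`) are also not needed at runtime and could be dropped from the final image.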
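Review bot: in `Examples/aks-attestation/aks-secret-prov-client.manifest`, the `sgx.allowed_files` entries for `/etc/hosts`, `/etc/resolv.conf`, `/etc/nsswitch.conf` and friends are unmeasured, host-controlled inputs; a comment should say why they are needed (glibc name resolution of the host in `SECRET_PROVISION_SERVERS`) and that a host can use them only to steer the client to a different address, so the confidentiality of the exchange rests on the client authenticating the server against `certs/test-ca-sha256.crt`. Please confirm that this CA file lands in `sgx.trusted_files` in the final GSC manifest rather than in an allowed (unverified) path, and document that assumption in the manifest.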
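Review bot: in `Examples/aks-attestation/aks-secret-prov-server-deployment.yaml`, the Deployment sets no environment for the verifier (no `RA_TLS_MRENCLAVE`, `RA_TLS_MRSIGNER`, `RA_TLS_ISV_PROD_ID`, `RA_TLS_ISV_SVN`), while the Service publishes port 4433 under a public DNS label via a `LoadBalancer`; from these files a reader cannot tell which enclave identities the server will hand the secret to. Either set those variables to the measurements of the GSC client image (documenting where they come from, e.g. the `gsc sign-image` output) or document the server binary's built-in measurement policy in the README. A `readinessProbe` on `containerPort: 4433` would also make the README's "once the server is in running state" instruction reliable, since a running pod is not necessarily listening yet.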
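Review bot: in `Examples/aks-attestation/aks-secret-prov-server.dockerfile`, `ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:/ra-tls-secret-prov/libs"` has spaces around `=`, so Docker parses it in the legacy `ENV <key> <value>` form and the variable's value starts with `= "` and ends with a literal quote, so `/ra-tls-secret-prov/libs` is never searched as written. Use the key=value form: `ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/ra-tls-secret-prov/libs"`. The `az-dcap-client_1.10_amd64.deb` fetched with `wget` is also installed without any checksum or signature check; verifying its hash (or installing it from the configured Microsoft apt repository) would keep the verifier's quote-provider library out of the unverified-download category.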
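Review bot: in `Examples/aks-attestation/base-image-generation-script.sh`, the file is mode 100755 but has no shebang and no `set -euo pipefail`, so a failing `make dcap` or `make secret_prov_min_client` does not stop the script and `docker build` goes on to package stale or missing binaries. Add `#!/bin/bash` and `set -euo pipefail` at the top. The trailing `rm -rf gramine/` also makes the "gramine directory exists" check at the top dead code (the directory is removed on every run) and deletes the `enclave-key.pem` that `gramine_build.sh` generated under `gramine/Pal/src/host/Linux-SGX/signer/`; if that key was meant to be reused for `gsc sign-image`, keep it outside the removed tree.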
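Review bot: in `Examples/aks-attestation/certs/README`, the instruction to "update the server2-sha256.crt with Common Name pointing to the DNS name" is not actionable as written: changing the CN means re-issuing the certificate with the CA's private key, and this directory ships only `test-ca-sha256.crt`, `server2-sha256.crt` and `server2.key`. Describe regenerating a fresh CA and server certificate (and rebuilding the client image with the new CA file) instead. Minor: "``Common Name``" uses double backticks while the rest of the file uses single ones.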
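Review bot: in `Examples/aks-attestation/certs/server2-sha256.crt`, the validity is `Not Before: Nov 9 05:11:04 2021 GMT` to `Not After : Nov 9 05:11:04 2022 GMT`, so the example stops working after one year with a certificate-verification failure at the client; the README should say so and point to regenerating the certificate. The certificate also carries no Subject Alternative Name extension (only `CN=ra-tls-server-aks-dns.eastus.cloudapp.azure.com`); the mbedTLS-based client accepts a CN match, but any other verifier placed in front of this server will not.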
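Review bot: in `Examples/aks-attestation/certs/server2.key`, an RSA private key is committed to the repository and, via `COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs` in the server Dockerfile, baked into the published server image; anyone with this repository can present a certificate the client's pinned `test-ca-sha256.crt` accepts. Generate the server key at deployment time and mount it into the pod as a Kubernetes Secret instead of shipping it in the tree and in image layers, and say so in both READMEs.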
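Review bot: in `Examples/aks-attestation/gramine_build.sh`, `git clone https://github.com/gramineproject/gramine.git --depth=1` builds whatever `master` is at the moment, so the resulting libraries, the GSC client image and its MRENCLAVE change from build to build; pin a tag or commit (`--branch <tag>`) so the measurement the verifier expects is reproducible. Also: the script has no shebang or `set -e`, the final comment is cut off (`# Copy dummy server certificate with Common Name as "`), and `cp -r certs/ gramine/CI-Examples/ra-tls-secret-prov/` silently overwrites the upstream example's certificates including the key, which deserves a sentence. The Intel apt key is fetched with `wget` and added with the deprecated `apt-key add` without a fingerprint check; a `signed-by=` keyring entry in the sources list is the current form.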