From c3162d513e45381a47567ef96481d301fe6ec26d Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Wed, 8 Dec 2021 22:36:03 +0530 Subject: [PATCH 1/5] Add example of AKS attestation and secret provisioning Signed-off-by: Veena Saini --- Examples/aks-attestation/.gitignore | 1 + Examples/aks-attestation/README.md | 140 ++++++++++++++++++ .../aks-secret-prov-client-deployment.yaml | 29 ++++ .../aks-secret-prov-client.dockerfile | 27 ++++ .../aks-secret-prov-client.manifest | 19 +++ .../aks-secret-prov-server-deployment.yaml | 39 +++++ .../aks-secret-prov-server.dockerfile | 44 ++++++ .../base-image-generation-script.sh | 24 +++ Examples/aks-attestation/certs/README | 13 ++ .../aks-attestation/certs/server2-sha256.crt | 101 +++++++++++++ Examples/aks-attestation/certs/server2.key | 27 ++++ .../aks-attestation/certs/test-ca-sha256.crt | 32 ++++ Examples/aks-attestation/gramine_build.sh | 49 ++++++ 13 files changed, 545 insertions(+) create mode 100644 Examples/aks-attestation/.gitignore create mode 100644 Examples/aks-attestation/README.md create mode 100644 Examples/aks-attestation/aks-secret-prov-client-deployment.yaml create mode 100644 Examples/aks-attestation/aks-secret-prov-client.dockerfile create mode 100644 Examples/aks-attestation/aks-secret-prov-client.manifest create mode 100644 Examples/aks-attestation/aks-secret-prov-server-deployment.yaml create mode 100644 Examples/aks-attestation/aks-secret-prov-server.dockerfile create mode 100755 Examples/aks-attestation/base-image-generation-script.sh create mode 100644 Examples/aks-attestation/certs/README create mode 100644 Examples/aks-attestation/certs/server2-sha256.crt create mode 100644 Examples/aks-attestation/certs/server2.key create mode 100644 Examples/aks-attestation/certs/test-ca-sha256.crt create mode 100755 Examples/aks-attestation/gramine_build.sh diff --git a/Examples/aks-attestation/.gitignore b/Examples/aks-attestation/.gitignore new file mode 100644 index 00000000..ad83f82c --- /dev/null 
+++ b/Examples/aks-attestation/.gitignore @@ -0,0 +1 @@ +/gramine diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md new file mode 100644 index 00000000..34488a66 --- /dev/null +++ b/Examples/aks-attestation/README.md 
@@ -0,0 +1,140 @@ +# Gramine Attestation Inside AKS cluster + +This guide demonstrates how Gramine DCAP attestation quote can be generated and verified from +within an AKS cluster. Here, we provide an end-to-end example to help Cloud Solution Providers +integrate Gramine’s RA-TLS attestation and secret provisioning feature with a confidential compute +cluster managed by Azure Kubernetes Service. This guide contains necessary reference wrappers that +enable Gramine to use AKS components such as AESMD and DCAP quote provider libraries. This guide +also describes a microservice deployment for the RA-TLS verifier (server) that can be readily +deployed to the AKS cluster. + +## Preparing client and server images + +This demonstration is based on the `ra-tls-secret-prov` example from +https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov. Familiarity +with this example is highly recommended before proceeding further. The sample contains client and +server applications, where by default server is running on localhost:4433. In the example, the +client sends its SGX quote to the server for verification. After successful quote verification, the +server sends a secret to the client. To run these client and server applications inside the AKS +cluster, user needs to prepare two docker images, one for the client and one for the server. In our +AKS attestation example, the server will no longer run on localhost, instead it will run in a Docker +container inside the AKS cluster. The server container should be assigned a DNS name +(e.g., ``) to be accessible from the outside of the container. The client will send +requests to this DNS name. Therefore, for demonstration we updated the example certificates from +https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov/certs by +replacing the "Common Name" field in the server certificate (i.e., `server2-sha256.crt`) from +`localhost` to ``. 
+ +In order to create base client and server images for the AKS environment, user can execute the +`base-image-generation-script.sh` script. Since both client and server applications will +run inside containers in the AKS cluster, and the client application will send its SGX quote to the +server for verification, therefore the user needs to graminize the client application. Hence, the +following two steps create a native Docker server image and a graminized GSC client image for the +AKS cluster. + +Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). + +### Creating server image + +1. The `base-image-generation-script.sh` script will create the native Docker server image with the + name `aks-secret-prov-server-img:latest`. + +2. Push the server image to Docker Hub or your preferred registry: + + ```sh + $ docker tag aks-secret-prov-server-img:latest \ + /aks-secret-prov-server-img:latest + $ docker push /aks-secret-prov-server-img:latest + ``` + +3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster: + - Reference deployment file: + `aks-secret-prov-server-deployment.yaml` + +### Creating client image + +1. The `base-image-generation-script.sh` script will create the native Docker client image with the + name `aks-secret-prov-client-img:latest`. + +2. Create the GSC client image: + + Note: We tested this example with DCAP driver 1.11 specified in the GSC configuration file. + + ```sh + $ cd gsc + $ cp config.yaml.template config.yaml + $ openssl genrsa -3 -out enclave-key.pem 3072 + $ ./gsc build aks-secret-prov-client-img:latest \ + Examples/aks-attestation/aks-secret-prov-client.manifest + $ ./gsc sign-image aks-secret-prov-client-img:latest enclave-key.pem + ``` + +5. Push resulting image to Docker Hub or your preferred registry: + + ```sh + $ docker tag gsc-aks-secret-prov-client-img:latest \ + /gsc-aks-secret-prov-client-img:latest + $ docker push /gsc-aks-secret-prov-client-img:latest + ``` + +6. 
Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster: + - Reference deployment file: + `aks-secret-prov-client-deployment.yaml` + +## Deploying client and server images in AKS Confidential Compute cluster + +AKS confidential compute cluster can be created using the following +[link](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-enclave-nodes-aks-get-started). + +Gramine performs out-of-proc mode DCAP quote generation. Out-of-proc mode quote generation requires +aesmd service. To fulfill this requirement, AKS provides the +[sgxquotehelper daemonset](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-addon#out-of-proc-attestation-for-confidential-workloads) +(can be enabled by `--enable-sgxquotehelper` during cluster creation). This feature exposes aesmd +service for the container node. The service will internally connect with az-dcap-client to fetch the +platform collateral required for quote generation. In this demo, the +`aks-secret-prov-client-deployment.yaml` uses aesmd service exposed by AKS with the help of the +sgxquotehelper plugin. + +In our example, the client will generate the SGX quote that will be embedded inside the RA-TLS +certificate. On receiving the quote, the server will internally verify it using the +libsgx-dcap-quote-verify library via the az-dcap-client library. + +### Deployment + +```sh +$ kubectl apply -f aks-secret-prov-server-deployment.yaml +``` + +Once the server container is in running state, start the client container as shown below: + +```sh +$ kubectl apply -f aks-secret-prov-client-deployment.yaml +``` + +At this stage, a successful RA-TLS verification will be completed, and the secrets will be +provisioned from the server to the client. 
+ +## Checking SGX quote generation and verification + +Verify the client job is completed: + +```sh +$ kubectl get pods +``` + +Receive logs to verify the secret has been provisioned to the client: + +```sh +$ kubectl logs -l app=gsc-ra-tls-secret-prov-client --tail=50 +``` + +Expected output: + +`--- Received secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'` + +Delete both client and server containers: + +```sh +$ kubectl delete -f aks-secret-prov-server-deployment.yaml +$ kubectl delete -f aks-secret-prov-client-deployment.yaml +``` diff --git a/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml new file mode 100644 index 00000000..f2c92792 --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml @@ -0,0 +1,29 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: secret-prov-client + labels: + app: secret-prov-client +spec: + template: + metadata: + labels: + app: gsc-ra-tls-secret-prov-client + spec: + volumes: + - name: var-run-aesmd + hostPath: + path: /var/run/aesmd + containers: + - name: gsc-ra-tls-secret-prov-client-container + image: /gsc-aks-secret-prov-client-img:latest + env: + - name: SECRET_PROVISION_SERVERS + value: "ra-tls-server-aks-dns.eastus.cloudapp.azure.com:4433" + resources: + limits: + kubernetes.azure.com/sgx_epc_mem_in_MiB: 10 + volumeMounts: + - name: var-run-aesmd + mountPath: /var/run/aesmd + restartPolicy: Never diff --git a/Examples/aks-attestation/aks-secret-prov-client.dockerfile b/Examples/aks-attestation/aks-secret-prov-client.dockerfile new file mode 100644 index 00000000..fea5094e --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-client.dockerfile 
@@ -0,0 +1,27 @@ +FROM ubuntu:18.04 + +RUN apt-get update \ + && env DEBIAN_FRONTEND=noninteractive apt-get install -y wget \ + build-essential \ + gnupg2 \ + libcurl3-gnutls \ + python3 + +# Installing DCAP libraries +RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \ + > /etc/apt/sources.list.d/intel-sgx.list \ + && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \ + && apt-key add intel-sgx-deb.key + +RUN apt-get update \ + && apt-get install -y libsgx-urts \ + libsgx-dcap-ql \ + libsgx-quote-ex + +WORKDIR /ra-tls-secret-prov + +COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs + +COPY gramine/CI-Examples/ra-tls-secret-prov/secret_prov_min_client /usr/local/bin + +ENTRYPOINT ["secret_prov_min_client"] diff --git a/Examples/aks-attestation/aks-secret-prov-client.manifest b/Examples/aks-attestation/aks-secret-prov-client.manifest new file mode 100644 index 00000000..22d5f6d7 --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-client.manifest @@ -0,0 +1,19 @@ +# Secret Provisioning library (client-side) is preloaded +loader.env.LD_PRELOAD = "libsecret_prov_attest.so" + +loader.env.SECRET_PROVISION_SERVERS = { passthrough = true } +loader.env.SECRET_PROVISION_CONSTRUCTOR = "1" +loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "certs/test-ca-sha256.crt" + +sgx.remote_attestation = true + +sgx.allowed_files = [ + "file:/etc/ethers", + "file:/etc/gai.conf", + "file:/etc/group", + "file:/etc/host.conf", + "file:/etc/hosts", + "file:/etc/nsswitch.conf", + "file:/etc/passwd", + "file:/etc/resolv.conf", +] diff --git a/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml new file mode 100644 index 00000000..10419f03 --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml 
@@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ra-tls-secret-prov-server +spec: + replicas: 1 + selector: + matchLabels: + app: ra-tls-secret-prov-server + template: + metadata: + labels: + app: ra-tls-secret-prov-server + spec: + containers: + - name: ra-tls-secret-prov-server-container + image: /aks-secret-prov-server-img:latest + ports: + - containerPort: 4433 + resources: + limits: + kubernetes.azure.com/sgx_epc_mem_in_MiB: 10 + +# TODO: Requesting an SGX machine is not needed, but Intel DCAP libraries have a bug of trying to +# open the SGX driver (see https://github.com/intel/linux-sgx/issues/756) + +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/azure-dns-label-name: ra-tls-server-aks-dns + name: ra-tls-secret-prov-server +spec: + type: LoadBalancer + ports: + - port: 4433 + selector: + app: ra-tls-secret-prov-server diff --git a/Examples/aks-attestation/aks-secret-prov-server.dockerfile b/Examples/aks-attestation/aks-secret-prov-server.dockerfile new file mode 100644 index 00000000..fee3590d --- /dev/null +++ b/Examples/aks-attestation/aks-secret-prov-server.dockerfile 
@@ -0,0 +1,44 @@ +FROM ubuntu:18.04 + +RUN apt-get update \ + && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ + build-essential \ + gnupg2 \ + libcurl3-gnutls \ + libcurl4-openssl-dev \ + python3 \ + wget + +# Installing Azure DCAP Quote Provider Library (az-dcap-client). +# Here, the version of az-dcap-client should be in sync with the az-dcap-client +# version used for quote generation. User can replace the below package with the +# latest package. +RUN wget https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.10_amd64.deb \ + && dpkg -i az-dcap-client_1.10_amd64.deb + +# Installing DCAP Quote Verification Library +RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \ + > /etc/apt/sources.list.d/intel-sgx.list \ + && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \ + && apt-key add intel-sgx-deb.key + +RUN apt-get update && apt-get install -y libsgx-dcap-quote-verify + +WORKDIR /ra-tls-secret-prov + +COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs +COPY gramine/CI-Examples/ra-tls-secret-prov/files ./files + +COPY gramine/CI-Examples/ra-tls-secret-prov/secret_prov_server_dcap /usr/local/bin + +RUN mkdir libs + +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libsecret_prov_verify_dcap.so libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libsgx_util.so libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libmbedcrypto_gramine.so.* libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libmbedtls_gramine.so.* libs +COPY gramine/meson_build_output/lib/x86_64-linux-gnu/libmbedx509_gramine.so.* libs + +ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:/ra-tls-secret-prov/libs" + +ENTRYPOINT ["secret_prov_server_dcap"] diff --git a/Examples/aks-attestation/base-image-generation-script.sh b/Examples/aks-attestation/base-image-generation-script.sh new file mode 100755 index 00000000..60c3bbe4 --- /dev/null 
+++ b/Examples/aks-attestation/base-image-generation-script.sh @@ -0,0 +1,24 @@ +# Download and build Gramine. We need it to build and copy ra-tls-secret-prov files and +# relevant libraries into the server and client Dockerfiles. +if [ -d "gramine" ]; then + echo "***** gramine directory exists, proceeding to image generation *****" +else + bash ./gramine_build.sh +fi + +# Include Meson build output packages dir in $PKG_CONFIG_PATH, contains mbedTLS and util libs +export PKG_CONFIG_PATH="$(find $PWD/gramine/meson_build_output/lib -type d -path '*/pkgconfig'):${PKG_CONFIG_PATH}" + +# Create Server image +cd gramine/CI-Examples/ra-tls-secret-prov +make clean && make dcap +cd ../../../ +docker build -f aks-secret-prov-server.dockerfile -t aks-secret-prov-server-img . + +# Create Client image +cd gramine/CI-Examples/ra-tls-secret-prov +make clean && make secret_prov_min_client +cd ../../../ +docker build -f aks-secret-prov-client.dockerfile -t aks-secret-prov-client-img . + +rm -rf gramine/ diff --git a/Examples/aks-attestation/certs/README b/Examples/aks-attestation/certs/README new file mode 100644 index 00000000..3498ce9b --- /dev/null +++ b/Examples/aks-attestation/certs/README 
@@ -0,0 +1,13 @@ +This directory contains pre-generated example certificates. In particular: + +- `test-ca-sha256.crt` -- RSA SHA256 root CA certificate in PEM format. Loaded + in client (attester) so that client can verify the server's certificate. +- `server2-sha256.crt` -- RSA SHA256 leaf server certificate in PEM format. + Loaded in server (verifier), so it will send it to the client during TLS + handshake. The "Common Name" field is set to + `ra-tls-server-aks-dns.eastus.cloudapp.azure.com`. +- `server2.key` -- RSA private key in PEM format. Loaded in server (verifier). + +Note: These certificates should not be used in production. Here, user should + update the server2-sha256.crt with ``Common Name`` pointing to the DNS + name of the ra-tls-secret-prov server deployed in the AKS cluster. diff --git a/Examples/aks-attestation/certs/server2-sha256.crt b/Examples/aks-attestation/certs/server2-sha256.crt new file mode 100644 index 00000000..76bc11b7 --- /dev/null +++ b/Examples/aks-attestation/certs/server2-sha256.crt 
@@ -0,0 +1,101 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4660 (0x1234) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=NL, ST=NL, L=NL, O=PolarSSL, CN=PolarSSL Test CA + Validity + Not Before: Nov 9 05:11:04 2021 GMT + Not After : Nov 9 05:11:04 2022 GMT + Subject: C=NL, ST=NL, O=PolarSSL, CN=ra-tls-server-aks-dns.eastus.cloudapp.azure.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a6:86:86:58:40:f6:02:6e:e1:07:70:d6:bb:25: + ae:1c:bc:d3:15:f0:f8:47:85:85:fd:38:85:e9:99: + bc:8f:63:ef:9e:a9:98:cc:ef:81:81:cf:77:2d:f7: + a9:29:54:e5:cf:dc:59:12:ce:c6:aa:a0:8d:d6:93: + 1b:5c:79:68:81:bb:04:d9:e1:af:11:ec:c6:63:b6: + d4:77:b8:31:8e:c4:bc:46:dd:de:7c:0b:1f:95:60: + e0:15:67:af:47:94:df:25:2b:da:ea:29:89:2e:43: + 5f:43:23:4f:47:db:4b:33:16:14:10:0b:5c:7c:80: + 97:6c:c9:23:ef:d2:16:96:1d:f5:d5:3f:78:fa:17: + 8d:22:47:c1:7d:42:66:19:16:a9:bd:66:42:33:77: + 79:87:4a:6e:85:80:b5:5e:89:ad:31:33:ba:c7:b9: + 19:57:fa:80:80:fd:2d:d5:3c:a9:85:3f:67:c5:1b: + 11:d9:43:c2:97:fd:5e:a8:ba:e5:21:7f:75:22:ff: + 53:26:ec:e1:3a:e4:d0:df:8b:71:2b:b6:d1:c0:dc: + bb:8b:97:07:53:7d:74:98:7e:55:36:82:dc:a2:d2: + 5f:ea:22:85:93:93:90:48:59:11:45:94:b2:82:e8: + 38:84:7b:9b:a0:7d:9d:6a:f2:60:7d:0d:55:11:31: + ab:af + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + A0:EC:6E:8A:20:C5:81:3F:6F:27:09:7B:D6:94:DF:E0:DB:57:67:55 + X509v3 Authority Key Identifier: + keyid:8A:35:A0:64:6B:D1:3F:28:92:55:12:6D:5A:6D:FD:EE:F0:2A:D5:DB + + Signature Algorithm: sha256WithRSAEncryption + 7d:90:5c:df:55:cd:3e:46:4a:75:0e:a3:9a:d3:56:27:15:5a: + 0c:d2:cb:10:4c:b0:df:e1:88:21:cb:23:a2:c3:0f:d0:ea:d3: + b4:41:65:d4:98:95:a6:7e:4d:5e:d2:32:40:eb:63:ab:5b:70: + 43:b8:0c:4d:5d:31:52:a2:f2:04:f9:aa:55:96:45:16:db:e3: + 9c:db:79:96:8f:3a:c8:a5:f2:f6:d0:69:03:3e:d4:df:1f:9d: + 
84:a9:81:ef:73:de:04:59:eb:1f:d3:65:24:e4:92:e8:00:2f: + 9e:d6:01:22:9f:9a:57:ff:52:54:42:0b:a5:b3:71:56:53:14: + 5c:ad:c4:99:0e:81:97:c0:88:73:3b:ef:1f:2b:9d:52:43:68: + a7:78:b6:46:c6:92:cf:f3:a8:87:a9:a5:76:0c:a3:9f:b7:2b: + 51:62:d7:b0:2a:58:eb:e3:56:c9:5e:d9:f7:db:60:c1:70:ef: + 29:08:4e:dc:6e:b6:e5:82:60:e5:5d:c4:68:4f:63:90:7f:af: + 77:f1:89:00:0d:73:be:24:aa:0d:13:93:c3:9c:e2:e9:6b:44: + d7:12:f6:32:69:40:0b:9f:c5:15:80:43:aa:9b:1b:32:fa:00: + b6:9a:c0:c8:db:18:0f:2e:02:94:0e:1a:bf:dc:ad:b3:bb:c6: + ab:9c:6e:80:e3:0e:80:a3:f0:b7:b7:e1:fe:a5:56:1c:75:d3: + 3e:33:5a:62:a0:3f:1b:eb:31:71:2f:92:8b:26:1f:c3:9b:84: + cd:d6:8c:29:b6:62:44:f7:7e:bc:4e:19:ad:76:09:fc:dd:c6: + aa:ce:ec:e3:14:bb:df:c5:6e:c9:32:e7:9b:dd:06:ab:33:04: + 30:22:f3:9e:4f:9b:7e:3f:53:48:04:c2:36:f9:bf:87:cb:8c: + bc:c5:b4:e5:33:df:3d:82:aa:21:ae:ac:75:87:0c:22:54:36: + 4c:84:1e:4d:01:ab:c6:86:c0:88:1e:8e:58:c2:4f:42:4e:2e: + 2f:77:0c:ae:5a:c4:b3:0a:a6:6a:57:ea:fe:33:d2:a5:50:21: + a5:d9:cf:09:4a:4f:3f:04:aa:1d:86:22:e2:7b:0a:88:e9:4e: + 22:c6:f3:a9:9f:fd:8c:d1:b0:4e:b1:d5:16:52:60:41:2a:da: + ba:51:12:40:67:20:37:06:0b:bc:8c:5b:09:c4:de:ff:69:8c: + 39:26:21:15:62:d0:aa:62:b8:bc:8f:67:8b:d5:43:a7:c0:8e: + 86:c4:fe:12:77:96:b5:12:b8:f5:fc:39:78:59:66:e1:ff:ff: + 2b:e4:83:ef:8f:0a:80:50:a2:13:6c:a5:dd:eb:2c:26:80:b3: + 87:72:10:7e:24:db:07:ff +-----BEGIN CERTIFICATE----- +MIIEszCCApugAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UEBhMCTkwx +CzAJBgNVBAgMAk5MMQswCQYDVQQHDAJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAX +BgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMjExMTA5MDUxMTA0WhcNMjIxMTA5 +MDUxMTA0WjBnMQswCQYDVQQGEwJOTDELMAkGA1UECAwCTkwxETAPBgNVBAoMCFBv +bGFyU1NMMTgwNgYDVQQDDC9yYS10bHMtc2VydmVyLWFrcy1kbnMuZWFzdHVzLmNs +b3VkYXBwLmF6dXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKaGhlhA9gJu4Qdw1rslrhy80xXw+EeFhf04hemZvI9j756pmMzvgYHPdy33qSlU +5c/cWRLOxqqgjdaTG1x5aIG7BNnhrxHsxmO21He4MY7EvEbd3nwLH5Vg4BVnr0eU +3yUr2uopiS5DX0MjT0fbSzMWFBALXHyAl2zJI+/SFpYd9dU/ePoXjSJHwX1CZhkW 
+qb1mQjN3eYdKboWAtV6JrTEzuse5GVf6gID9LdU8qYU/Z8UbEdlDwpf9Xqi65SF/ +dSL/Uybs4Trk0N+LcSu20cDcu4uXB1N9dJh+VTaC3KLSX+oihZOTkEhZEUWUsoLo +OIR7m6B9nWryYH0NVRExq68CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC +AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFKDs +boogxYE/bycJe9aU3+DbV2dVMB8GA1UdIwQYMBaAFIo1oGRr0T8oklUSbVpt/e7w +KtXbMA0GCSqGSIb3DQEBCwUAA4ICAQB9kFzfVc0+Rkp1DqOa01YnFVoM0ssQTLDf +4YghyyOiww/Q6tO0QWXUmJWmfk1e0jJA62OrW3BDuAxNXTFSovIE+apVlkUW2+Oc +23mWjzrIpfL20GkDPtTfH52EqYHvc94EWesf02Uk5JLoAC+e1gEin5pX/1JUQgul +s3FWUxRcrcSZDoGXwIhzO+8fK51SQ2ineLZGxpLP86iHqaV2DKOftytRYtewKljr +41bJXtn322DBcO8pCE7cbrblgmDlXcRoT2OQf6938YkADXO+JKoNE5PDnOLpa0TX +EvYyaUALn8UVgEOqmxsy+gC2msDI2xgPLgKUDhq/3K2zu8arnG6A4w6Ao/C3t+H+ +pVYcddM+M1pioD8b6zFxL5KLJh/Dm4TN1owptmJE9368Thmtdgn83caqzuzjFLvf +xW7JMueb3QarMwQwIvOeT5t+P1NIBMI2+b+Hy4y8xbTlM989gqohrqx1hwwiVDZM +hB5NAavGhsCIHo5Ywk9CTi4vdwyuWsSzCqZqV+r+M9KlUCGl2c8JSk8/BKodhiLi +ewqI6U4ixvOpn/2M0bBOsdUWUmBBKtq6URJAZyA3Bgu8jFsJxN7/aYw5JiEVYtCq +Yri8j2eL1UOnwI6GxP4Sd5a1Erj1/Dl4WWbh//8r5IPvjwqAUKITbKXd6ywmgLOH +chB+JNsH/w== +-----END CERTIFICATE----- diff --git a/Examples/aks-attestation/certs/server2.key b/Examples/aks-attestation/certs/server2.key new file mode 100644 index 00000000..45604cc1 --- /dev/null +++ b/Examples/aks-attestation/certs/server2.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEApoaGWED2Am7hB3DWuyWuHLzTFfD4R4WF/TiF6Zm8j2PvnqmY +zO+Bgc93LfepKVTlz9xZEs7GqqCN1pMbXHlogbsE2eGvEezGY7bUd7gxjsS8Rt3e +fAsflWDgFWevR5TfJSva6imJLkNfQyNPR9tLMxYUEAtcfICXbMkj79IWlh311T94 ++heNIkfBfUJmGRapvWZCM3d5h0puhYC1XomtMTO6x7kZV/qAgP0t1TyphT9nxRsR +2UPCl/1eqLrlIX91Iv9TJuzhOuTQ34txK7bRwNy7i5cHU310mH5VNoLcotJf6iKF +k5OQSFkRRZSygug4hHuboH2davJgfQ1VETGrrwIDAQABAoIBABWyc3CuTh91CPbq +OeA6gZwW8j3qnr7a4+FhavlL4aihMchveoxBLJOYT4P6v9y1xhe2MxjjPjlfH/v0 +QN1kqDw2/OPSpvfj7NlzKe3LXxGmCo4FPIbXAC97ZtcDInBmMkjqlORrswcHGjNq +N1s6dGrclpKcmFlUe+ZdssP9kJnQabiESxIjpKHgFVYLdYFeXdGxdvOE8p3hOci2 +ftrHK9/fXym+/MFdywxZCfhzpPaJJyJIqH0gbMZDOLv2rBaymf+FEgfEG4LgFas8 +CZf/hM6HkxcmCMVgcP8Oagb0NEnOAauUSmRowfLVd8Ob7ZlvrQKAkIHgH+shQ3hI +h6E+6LECgYEAzuhqasEHILxQpEwBXcoa9rQJHYIf27NSFNlKsal6IkCZCDlWbdQn +t+xbHPDnyRYv4PVYhh/2catlD6JLivxenTNm1fBdKzo/yMDKM6gubqaIo3B5Q8OB +hDlubFCxboPQ1bq05QAK1d8R4b4CmBqPXDQ/KrfFgEn47YmsrxpVs9kCgYEAzglI +bmqCiNV4Qw2sfp15lIPanuRfE9W2tDbj+ND4rafOJGrDuwEIpTMqSTW1hSOY58EL +w5VMa2+bqqOEufNH21HtpWQv2zVU8EbB0KevdP/f5xjGKhysoWOL/q6l1PPbF1Bg +pY/fPW+9xNuskb9XUXhkZ3tsPYeXPwnsLaGFDscCgYA0zYFi7xH3m7dkxnTOz6Yj +8XwmCLBCrDe1VGLIhjzCAwRK4f8ZljvwpyP1ddFhMwVS/qnxyLRm+9uVqtBmjtNC +gPysemP8hSgD/pdbqX74BA34z9pSndEuwk1Y3Rr63i7sbHJ/wowBWqVAm/IjiRuu +5zJ7n1yKydX6INlt8mWOuQKBgGCqgk0rs6q3XQE4vSF6iLxhUIUT6HfJ4TqUNkla +4hG3lUQIw2RNi9zWMJTAmjWpCehR7k8JER2m84YPygnkVmZT/geHBdz3HK7Ow8g9 +pFhkZIxsVy0S3vupVNlc33kWIEjD8VQ8OCT+9C4UUtbeyvzyW0kh4xrLLu7onOKb +0W2pAoGAfZ9UC4FrLfYgXAYz3WzHuVa4Z/r3PXswI5djINFZIAwLKjD7/E3R7BCq +pOag/PuESJu9CNcgYNURtOeIaW7MN80UN7086y0SnAw6OQXtIrSSHMEkTMr7iSXm +/VtC24AL/L7YSd8fRNXxYAJvkwowOllbNI8uKnzZn9JkaWBZajg= +-----END RSA PRIVATE KEY----- diff --git a/Examples/aks-attestation/certs/test-ca-sha256.crt b/Examples/aks-attestation/certs/test-ca-sha256.crt new file mode 100644 index 00000000..54028f0b --- /dev/null +++ b/Examples/aks-attestation/certs/test-ca-sha256.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFeDCCA2CgAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJOTDEL +MAkGA1UECAwCTkwxCzAJBgNVBAcMAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcG +A1UEAwwQUG9sYXJTU0wgVGVzdCBDQTAeFw0yMTExMDkwNTA4MDhaFw0zMTExMDcw +NTA4MDhaMFUxCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJOTDELMAkGA1UEBwwCTkwx +ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt4LPFNvOHrkgztHoZ9LR+69Q +uhDzaPmlEGngmJSgxMZi5dJJ7ZnEJtZ+8bjX/DTCZcl7lOwwSHurb9a3GPgP/DRt +0jGqqtDiwZnc1OoJ9mLnj+BoB1hhWSMuIcJ+cM292Aac+12Ih9mThtzhbxzW/6xD +neyAtRjF/iRBNq3FIiAMj3c+w+BBVmEbasBpuXs/4S9BTvyPrGFjg+jKf842wTwG +Vz82goPKaOMByRWbhEKhYT9al/iKcdPIPjzA6HB3XyPjLm9xpIXR1+RidO98UhsC +Llzw8xeUi+aq2MHLilBEUsHqVoJqWqFOCfJhOQGFzPQNPnWk1l7FOvJvYSr4XR1/ +6eIUqzFlG30ImG7uVCzhLunk092aPNGvewogTLiprmeLLBAks70NzPD9W1UQhXhB +SqZN6FNpczAdn5x+UxCUQkmFs8siCtLbh7Z3H2lx34IaiH9Xw+YTV244J/5UuUBR +jWrncbM+XElXo4RzF3gIL4EmvxKTzEWWh3b6SNpvirdJFbSkwByOYfBZ3XUuQDsa +Df9UGAgD1EBHwpuZB9VYT1rVA0x9o2ovjwYXY4AjHRCgqe53FeUSyxyY/xXKqiPn +jJjZuo2Pif2W+Il14Me1e30SD8+8fbdfoaPiGYQ02aW5AvElbMk4KEGnIlgiYhs9 +qAn36FqlaOkiwI7CQH8CAwEAAaNTMFEwHQYDVR0OBBYEFIo1oGRr0T8oklUSbVpt +/e7wKtXbMB8GA1UdIwQYMBaAFIo1oGRr0T8oklUSbVpt/e7wKtXbMA8GA1UdEwEB +/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAHkCHYagsPWfOipq6vXqaaCmHaaY +dOao9BjawfZbZOrYXFYFDcSVP4iGltEs3NBBrzjkbqmRlDT4R3uvWuvD+TlIUroL +0eGjPwmljGqW2eokjuySf9V48PdH12xwFnSYRn/qFiiEB7LconoxGhtXLOF1ry0q +99d4Lk/8pUlOVWFCQ5kv+Fp27oungmS6n4H2973HbzRbm8rxQJrrtomvQcU5DgN3 +b6q+37VVprE5dGJZ/+XCZ85lbOMnvN3H8zd1rftFnU2fxNK8DZ8cqb//BOI5lWpg +wBc8zUNCrNnPb8An/xpbS1P0BUGxxSWeyiXOwv9mxc3x7zJLVrDQLVd6GbhBnLE6 +Z9aC2Eh8gNLvBhs/JVaQKPn3iVyqNAaXaOg90TnlliO9EVbA0212HyC2+ShbdkwE +9TEDP9QPAr8Y/tU0hCpALelwE8VZJv1rp71Ga6CivlfDcgBoVygAQQ8tH+PcS+u6 +1r+B0TPml86mUAzG5lAW+ZuSjw727aLlLOnk/7F8jOShz817lA6eMqtlzYZpM+lR +B8ZNdkuuQq3z8OkJ78Gjby4NeDguF/dMlXD5me+AJ4FMqeCEN3g6QKh8ThzoSp8h +ZxmK9bX/MagiL0upybyqTDqgNCKNkpcqY168Nborx/T5J4srsBdJoCDi3jO1Q3nk +UvFuODojjTxO9Bwa +-----END 
CERTIFICATE----- diff --git a/Examples/aks-attestation/gramine_build.sh b/Examples/aks-attestation/gramine_build.sh new file mode 100755 index 00000000..81980c1d --- /dev/null +++ b/Examples/aks-attestation/gramine_build.sh @@ -0,0 +1,49 @@ +# This script assumes that in-kernel driver is installed on the host system. +# Please refer to https://gramine.readthedocs.io/en/latest/building.html#id2 for more details. + +# install Gramine dependencies +sudo apt-get install -y \ + autoconf \ + bison \ + build-essential \ + coreutils \ + curl \ + gawk \ + git \ + libcurl4-openssl-dev \ + libprotobuf-c-dev \ + linux-headers-generic \ + ninja-build \ + pkg-config \ + protobuf-c-compiler \ + python3 \ + python3-pip \ + python3-protobuf \ + wget + +sudo python3 -B -m pip install 'toml>=0.10' 'meson>=0.55' + +# Download Gramine +git clone https://github.com/gramineproject/gramine.git +cd gramine +mkdir -p meson_build_output + +# Generate Signing Key +openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072 + +# Install DCAP dependencies +echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | \ + sudo tee /etc/apt/sources.list.d/intel-sgx.list +wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key +sudo apt-key add intel-sgx-deb.key +sudo apt-get install --no-install-recommends -y libsgx-urts libsgx-dcap-quote-verify-dev + +# Build Gramine with DCAP enabled mode (assuming in-kernel driver) +meson setup build/ --prefix="$PWD/meson_build_output" --buildtype=release -Ddirect=enabled \ + -Dsgx=enabled -Ddcap=enabled +ninja -C build/ +ninja -C build/ install + +# Copy dummy server certificate with Common Name as " +cd ../ +cp -r certs/ gramine/CI-Examples/ra-tls-secret-prov/ From 48100050781f5adc73fefd6a2bae1925d2f39521 Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Fri, 10 Dec 2021 13:57:54 +0530 Subject: [PATCH 2/5] fixup! Add example of AKS attestation and secret provisioning 
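Review bot: the numbered list under "Creating client image" in Examples/aks-attestation/README.md jumps from step 2 to `5. Push resulting image to Docker Hub or your preferred registry:` and `6. Deploy ...`; renumber these 3 and 4 (or restore the missing steps) so the procedure reads as a sequence. In the same file, the "Deployment" section tells the reader to start the client once the server container is "in running state"; state the exact check (`kubectl rollout status deployment/ra-tls-secret-prov-server`) rather than leaving it to inspection, because the client Job has `restartPolicy: Never` and a client started before the verifier listens simply fails and is not retried.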
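Review bot: `COPY gramine/CI-Examples/ra-tls-secret-prov/certs ./certs` in aks-secret-prov-client.dockerfile copies the whole certs directory into the client image, and after gramine_build.sh has run `cp -r certs/ gramine/CI-Examples/ra-tls-secret-prov/` that directory contains the server's private key `server2.key`. The client manifest reads only `certs/test-ca-sha256.crt` (`SECRET_PROVISION_CA_CHAIN_PATH`), so copy just that file; the verifier's private key should never be baked into the attester's image, demo or not.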
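Review bot: `loader.env.SECRET_PROVISION_SERVERS = { passthrough = true }` together with the `sgx.allowed_files` entries for `/etc/hosts` and `/etc/resolv.conf` in aks-secret-prov-client.manifest lets the untrusted host decide which address the enclave connects to, since allowed files are not integrity-checked by Gramine. That is acceptable here only because the server certificate is verified against the pinned `certs/test-ca-sha256.crt`, so a redirected connection fails TLS verification; add a manifest comment saying so, and confirm that `certs/test-ca-sha256.crt` ends up in `sgx.trusted_files` of the final GSC manifest, otherwise the host could replace the CA as well.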
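Review bot: the Deployment in aks-secret-prov-server-deployment.yaml has no readiness probe on `containerPort: 4433`, although the README asks the reader to wait until the server is "in running state" before applying the client Job; a TCP `readinessProbe` on 4433 makes that state observable and lets `kubectl wait --for=condition=available deployment/ra-tls-secret-prov-server` be used. The `# TODO` about requesting `kubernetes.azure.com/sgx_epc_mem_in_MiB: 10` for a non-enclave server correctly links the upstream issue, but the README should also say plainly that the verifier runs natively outside SGX, so readers do not assume the server side is attested.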
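Review bot: `ENV LD_LIBRARY_PATH = "${LD_LIBRARY_PATH}:/ra-tls-secret-prov/libs"` in aks-secret-prov-server.dockerfile has spaces around `=`, so Docker parses it in the legacy `ENV <key> <value>` form and sets `LD_LIBRARY_PATH` to the literal string `= "...:/ra-tls-secret-prov/libs"`; the libraries copied into `libs` are then not on the loader search path when `secret_prov_server_dcap` starts. Write `ENV LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/ra-tls-secret-prov/libs"`. Separately, `wget .../az-dcap-client_1.10_amd64.deb && dpkg -i az-dcap-client_1.10_amd64.deb` installs a download with no signature or checksum check; either verify the .deb against a recorded SHA-256 or install `az-dcap-client` through apt from the packages.microsoft.com repository with its signing key, which also makes it easier to keep the version in sync with the node's quote provider as the comment above it requires.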
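Review bot: base-image-generation-script.sh is committed with mode 100755 but has no shebang and no `set -e`, so a failure in `make clean && make dcap` or in `docker build` is ignored and the script still runs `rm -rf gramine/` at the end, deleting the build tree the two Dockerfiles `COPY` from. Start the file with `#!/usr/bin/env bash` and `set -euo pipefail`, and check that the `gramine/meson_build_output/lib/...` artefacts exist before invoking `docker build`.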
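Review bot: the closing note in certs/README tells the user to update `server2-sha256.crt` with their own Common Name but says nothing about `server2.key`, which is committed next to it; a certificate re-issued for that same key would remain usable by anyone who has cloned this repository. State that the user must generate a fresh key pair and have the new certificate issued for it by their own CA (replacing `test-ca-sha256.crt` in the client as well), and that the committed key exists only so the demo runs unmodified.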
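Review bot: in gramine_build.sh the Intel repository is added (`sudo tee /etc/apt/sources.list.d/intel-sgx.list`, `sudo apt-key add intel-sgx-deb.key`) and then `sudo apt-get install --no-install-recommends -y libsgx-urts libsgx-dcap-quote-verify-dev` runs with no `sudo apt-get update` in between, so on a host that has not already indexed that repository the install fails and, with no `set -e`, the script continues into `meson setup ... -Ddcap=enabled` with a missing dependency. Add the update, a shebang and `set -euo pipefail`; the first `sudo apt-get install -y` block has the same missing update.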
Signed-off-by: Veena Saini --- Examples/aks-attestation/README.md | 33 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md index 34488a66..a0e68f78 100644 --- a/Examples/aks-attestation/README.md +++ b/Examples/aks-attestation/README.md 
@@ -15,19 +15,21 @@ https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret- with this example is highly recommended before proceeding further. The sample contains client and server applications, where by default server is running on localhost:4433. In the example, the client sends its SGX quote to the server for verification. After successful quote verification, the -server sends a secret to the client. To run these client and server applications inside the AKS -cluster, user needs to prepare two docker images, one for the client and one for the server. In our -AKS attestation example, the server will no longer run on localhost, instead it will run in a Docker -container inside the AKS cluster. The server container should be assigned a DNS name -(e.g., ``) to be accessible from the outside of the container. The client will send -requests to this DNS name. Therefore, for demonstration we updated the example certificates from +server sends a secret to the client. + +To run these client and server applications inside the AKS cluster, user needs to prepare two Docker +images, one for the client and one for the server. In our AKS attestation example, the server will +no longer run on localhost, instead it will run in a Docker container inside the AKS cluster. The +server container should be assigned a DNS name (e.g., ``) to be accessible from the +outside of the container. The client will send requests to this DNS name. Therefore, for +demonstration we updated the example certificates from https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov/certs by replacing the "Common Name" field in the server certificate (i.e., `server2-sha256.crt`) from `localhost` to ``. -In order to create base client and server images for the AKS environment, user can execute the -`base-image-generation-script.sh` script. 
Since both client and server applications will -run inside containers in the AKS cluster, and the client application will send its SGX quote to the +In order to create base client and server Docker images for the AKS environment, user can execute +the `base-image-generation-script.sh` script. Since both client and server applications will run +inside containers in the AKS cluster, and the client application will send its SGX quote to the server for verification, therefore the user needs to graminize the client application. Hence, the following two steps create a native Docker server image and a graminized GSC client image for the AKS cluster. @@ -56,14 +58,11 @@ Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). 1. The `base-image-generation-script.sh` script will create the native Docker client image with the name `aks-secret-prov-client-img:latest`. -2. Create the GSC client image: - - Note: We tested this example with DCAP driver 1.11 specified in the GSC configuration file. +2. Create the GSC client image (note that we tested this example with DCAP driver 1.11 specified in + the GSC configuration file): ```sh $ cd gsc - $ cp config.yaml.template config.yaml - $ openssl genrsa -3 -out enclave-key.pem 3072 $ ./gsc build aks-secret-prov-client-img:latest \ Examples/aks-attestation/aks-secret-prov-client.manifest $ ./gsc sign-image aks-secret-prov-client-img:latest enclave-key.pem 
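Review bot: the second hunk of this fixup (`@@ -56,14 +58,11 @@`) deletes `$ cp config.yaml.template config.yaml` and `$ openssl genrsa -3 -out enclave-key.pem 3072` from the "Create the GSC client image" step, but the surrounding text still refers to "DCAP driver 1.11 specified in the GSC configuration file" and the kept `$ ./gsc sign-image aks-secret-prov-client-img:latest enclave-key.pem` still consumes `enclave-key.pem`. Either keep the two lines or add a sentence that config.yaml and the signing key are prepared as described in the GSC documentation, so a reader following only this README can reproduce the step.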
@@ -87,12 +86,12 @@ AKS confidential compute cluster can be created using the following [link](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-enclave-nodes-aks-get-started). Gramine performs out-of-proc mode DCAP quote generation. Out-of-proc mode quote generation requires -aesmd service. To fulfill this requirement, AKS provides the +AESMD service. To fulfill this requirement, AKS provides the [sgxquotehelper daemonset](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-addon#out-of-proc-attestation-for-confidential-workloads) -(can be enabled by `--enable-sgxquotehelper` during cluster creation). This feature exposes aesmd +(can be enabled by `--enable-sgxquotehelper` during cluster creation). This feature exposes AESMD service for the container node. The service will internally connect with az-dcap-client to fetch the platform collateral required for quote generation. In this demo, the -`aks-secret-prov-client-deployment.yaml` uses aesmd service exposed by AKS with the help of the +`aks-secret-prov-client-deployment.yaml` file uses AESMD service exposed by AKS with the help of the sgxquotehelper plugin. In our example, the client will generate the SGX quote that will be embedded inside the RA-TLS From 89187dcbb0196638a6126c56c81e8e06dd37900c Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Mon, 10 Jan 2022 15:32:51 +0530 Subject: [PATCH 3/5] fixup! Add example of AKS attestation and secret provisioning Signed-off-by: Veena Saini --- Examples/aks-attestation/README.md | 10 ++++------ .../aks-secret-prov-client-deployment.yaml | 12 ++++++------ .../aks-secret-prov-server-deployment.yaml | 2 +- Examples/aks-attestation/gramine_build.sh | 8 ++++---- 4 files changed, 15 insertions(+), 17 deletions(-) diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md index a0e68f78..46b317d6 100644 --- a/Examples/aks-attestation/README.md +++ b/Examples/aks-attestation/README.md 
@@ -1,4 +1,4 @@ -# Gramine Attestation Inside AKS cluster +# Gramine attestation inside AKS cluster This guide demonstrates how Gramine DCAP attestation quote can be generated and verified from within an AKS cluster. Here, we provide an end-to-end example to help Cloud Solution Providers @@ -50,8 +50,7 @@ Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). ``` 3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster: - - Reference deployment file: - `aks-secret-prov-server-deployment.yaml` + - Reference deployment file: `aks-secret-prov-server-deployment.yaml` ### Creating client image @@ -77,10 +76,9 @@ Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). ``` 6. Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster: - - Reference deployment file: - `aks-secret-prov-client-deployment.yaml` + - Reference deployment file: `aks-secret-prov-client-deployment.yaml` -## Deploying client and server images in AKS Confidential Compute cluster +## Deploying client and server images in AKS confidential compute cluster AKS confidential compute cluster can be created using the following [link](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-enclave-nodes-aks-get-started). diff --git a/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml index f2c92792..f5110851 100644 --- a/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml +++ b/Examples/aks-attestation/aks-secret-prov-client-deployment.yaml @@ -1,14 +1,14 @@ apiVersion: batch/v1 kind: Job metadata: - name: secret-prov-client - labels: - app: secret-prov-client + name: secret-prov-client + labels: + app: secret-prov-client spec: - template: + template: metadata: - labels: - app: gsc-ra-tls-secret-prov-client + labels: + app: gsc-ra-tls-secret-prov-client spec: volumes: - name: var-run-aesmd 
diff --git a/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml index 10419f03..2dce0080 100644 --- a/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml +++ b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml @@ -22,7 +22,7 @@ spec: kubernetes.azure.com/sgx_epc_mem_in_MiB: 10 # TODO: Requesting an SGX machine is not needed, but Intel DCAP libraries have a bug of trying to -# open the SGX driver (see https://github.com/intel/linux-sgx/issues/756) +# open the SGX driver (see https://github.com/intel/linux-sgx/issues/756) --- apiVersion: v1 diff --git a/Examples/aks-attestation/gramine_build.sh b/Examples/aks-attestation/gramine_build.sh index 81980c1d..1a43bc33 100755 --- a/Examples/aks-attestation/gramine_build.sh +++ b/Examples/aks-attestation/gramine_build.sh @@ -1,7 +1,7 @@ # This script assumes that in-kernel driver is installed on the host system. -# Please refer to https://gramine.readthedocs.io/en/latest/building.html#id2 for more details. +# Please refer to https://gramine.readthedocs.io/en/latest/devel/building.html#id2 for more details. -# install Gramine dependencies +# Install Gramine dependencies sudo apt-get install -y \ autoconf \ bison \ @@ -24,11 +24,11 @@ sudo apt-get install -y \ sudo python3 -B -m pip install 'toml>=0.10' 'meson>=0.55' # Download Gramine -git clone https://github.com/gramineproject/gramine.git +git clone https://github.com/gramineproject/gramine.git --depth=1 cd gramine mkdir -p meson_build_output -# Generate Signing Key +# Generate signing key openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072 # Install DCAP dependencies From 782fa946224587c1761f08a59ab30fd752b75c96 Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Wed, 26 Jan 2022 19:18:11 +0530 Subject: [PATCH 4/5] fixup! Add example of AKS attestation and secret provisioning 
Signed-off-by: Veena Saini --- Examples/aks-attestation/README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md index 46b317d6..4e2c7adf 100644 --- a/Examples/aks-attestation/README.md +++ b/Examples/aks-attestation/README.md @@ -5,10 +5,10 @@ within an AKS cluster. Here, we provide an end-to-end example to help Cloud Solu integrate Gramine’s RA-TLS attestation and secret provisioning feature with a confidential compute cluster managed by Azure Kubernetes Service. This guide contains necessary reference wrappers that enable Gramine to use AKS components such as AESMD and DCAP quote provider libraries. This guide -also describes a microservice deployment for the RA-TLS verifier (server) that can be readily -deployed to the AKS cluster. +also describes a microservice deployment for the RA-TLS verifier (secret provisioning service) that +can be readily deployed to the AKS cluster. -## Preparing client and server images +## Preparing client (SGX application) and server (secret provisioning service) images This demonstration is based on the `ra-tls-secret-prov` example from https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-secret-prov. Familiarity @@ -36,7 +36,7 @@ AKS cluster. Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). -### Creating server image +### Creating server (secret provisioning service) image 1. The `base-image-generation-script.sh` script will create the native Docker server image with the name `aks-secret-prov-server-img:latest`. 
@@ -52,7 +52,7 @@ Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). 3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster: - Reference deployment file: `aks-secret-prov-server-deployment.yaml` -### Creating client image +### Creating client (SGX application) image 1. The `base-image-generation-script.sh` script will create the native Docker client image with the name `aks-secret-prov-client-img:latest`. @@ -102,7 +102,8 @@ libsgx-dcap-quote-verify library via the az-dcap-client library. $ kubectl apply -f aks-secret-prov-server-deployment.yaml ``` -Once the server container is in running state, start the client container as shown below: +Once the server (secret provisioning service) container is in running state, start the client +(SGX application) container as shown below: ```sh $ kubectl apply -f aks-secret-prov-client-deployment.yaml From c9d42232e4f6a41d25791d918d659db055ad2b0f Mon Sep 17 00:00:00 2001 From: Veena Saini Date: Wed, 26 Jan 2022 19:45:33 +0530 Subject: [PATCH 5/5] fixup! Add example of AKS attestation and secret provisioning Signed-off-by: Veena Saini --- Examples/aks-attestation/README.md | 8 ++++---- Examples/aks-attestation/gramine_build.sh | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md index 4e2c7adf..27740c2c 100644 --- a/Examples/aks-attestation/README.md +++ b/Examples/aks-attestation/README.md @@ -49,8 +49,8 @@ Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). $ docker push /aks-secret-prov-server-img:latest ``` -3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster: - - Reference deployment file: `aks-secret-prov-server-deployment.yaml` +3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster using reference + deployment file: `aks-secret-prov-server-deployment.yaml` ### Creating client (SGX application) image 
@@ -75,8 +75,8 @@ Note: This example is Ubuntu-specific (tested version is Ubuntu 18.04). $ docker push /gsc-aks-secret-prov-client-img:latest ``` -6. Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster: - - Reference deployment file: `aks-secret-prov-client-deployment.yaml` +6. Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster using + reference deployment file: `aks-secret-prov-client-deployment.yaml` ## Deploying client and server images in AKS confidential compute cluster diff --git a/Examples/aks-attestation/gramine_build.sh b/Examples/aks-attestation/gramine_build.sh index 1a43bc33..218b58ed 100755 --- a/Examples/aks-attestation/gramine_build.sh +++ b/Examples/aks-attestation/gramine_build.sh @@ -1,5 +1,6 @@ # This script assumes that in-kernel driver is installed on the host system. -# Please refer to https://gramine.readthedocs.io/en/latest/devel/building.html#id2 for more details. +# Please refer to https://gramine.readthedocs.io/en/latest/devel/building.html#install-the-intel-sgx-driver +# for more details. # Install Gramine dependencies sudo apt-get install -y \
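Review bot: In the first README hunk of PATCH 1/5 (the "Create the GSC client image" step), the two removed lines `$ cp config.yaml.template config.yaml` and `$ openssl genrsa -3 -out enclave-key.pem 3072` are the only place the reader learns where `enclave-key.pem` and the GSC `config.yaml` come from, yet the kept line `$ ./gsc sign-image aks-secret-prov-client-img:latest enclave-key.pem` still depends on both. Either restore the two lines or add a sentence saying that the key and config are produced elsewhere (for example by `gramine_build.sh`, which generates `Pal/src/host/Linux-SGX/signer/enclave-key.pem`, and state the path the `sign-image` step expects). The same note references "DCAP driver 1.11 specified in the GSC configuration file" without that file being created in the visible steps. Minor wording in the same hunk: "user can execute" should be "the user can execute", and "Since ... therefore the user needs to" uses two conjunctions for one clause; drop "therefore".

Review bot: In the README hunk of PATCH 1/5 that changes `aesmd` to `AESMD`, the resulting sentences read "exposes AESMD service for the container node" and "uses AESMD service exposed by AKS"; both need an article ("the AESMD service"). It would also help the operator to state that the `--enable-sgxquotehelper` flag must be set at cluster creation, since the sentence only mentions it in parentheses and the later deployment file silently assumes the `/var/run/aesmd` socket exists on the node.

Review bot: In the `aks-secret-prov-client-deployment.yaml` hunk of PATCH 3/5, the change is indentation only (`name`, `labels`, `app` under `metadata`, and `labels`/`app` under `template.metadata` move from two to four spaces), so the hunk carries no functional change; please say "reindent" in the commit message. While here: the Job's top-level label is `app: secret-prov-client` but the pod template label is `app: gsc-ra-tls-secret-prov-client`. A Job does not require them to match, but using one value makes `kubectl get pods -l app=...` predictable for the reader following the README.

Review bot: In the `gramine_build.sh` hunk of PATCH 3/5 around `openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072`, the script generates the enclave signing private key inside the freshly cloned source tree with default permissions and no comment on its sensitivity. Add a comment that this key signs every enclave built from this tree, that it must be kept out of the container image and out of version control (the `.gitignore` in PATCH 1/5 ignores `/gramine`, which covers it only when the script is run from `Examples/aks-attestation`), and that exponent 3 is an SGX requirement rather than a weakening the reader should "fix". The `git clone ... --depth=1` change is fine; note that a shallow clone cannot be checked out at a pinned tag later, so if the example is meant to track a specific Gramine release, add `--branch` with that tag here.

Review bot: In the `aks-secret-prov-server-deployment.yaml` hunk of PATCH 3/5, the `-`/`+` lines for `# open the SGX driver (see https://github.com/intel/linux-sgx/issues/756)` are identical as rendered, so this is presumably a trailing-whitespace fix; please say so in the commit message so reviewers do not hunt for a content change. The `TODO` comment above it (requesting `kubernetes.azure.com/sgx_epc_mem_in_MiB: 10` for the server only because of a DCAP library bug) is worth keeping, but it should spell out the consequence: the verifier pod is scheduled onto an SGX node even though it runs no enclave, which consumes EPC-bearing capacity the client pods need.

Review bot: In the README hunk of PATCH 5/5 around `$ docker push /aks-secret-prov-server-img:latest` and `$ docker push /gsc-aks-secret-prov-client-img:latest`, the push target has nothing before the slash, which suggests an angle-bracket placeholder (registry or username) was swallowed by Markdown rendering. Escape it or use a literal like `REGISTRY/aks-secret-prov-server-img:latest` so the command is unambiguous. The renumbered steps "Deploy ... using reference deployment file: `...yaml`" would read better as "using the reference deployment file `...yaml`", and "is in running state" in PATCH 4/5 should be "is in the Running state" to match `kubectl get pods` output.

Review bot: In the `gramine_build.sh` hunk of PATCH 5/5, line 1 is still the comment `# This script assumes that in-kernel driver is installed on the host system.`, so the script has no shebang and, from the visible context, no `set -e`; a failed `sudo apt-get install -y ...` would be followed by the clone, key generation and build as if nothing had happened. Add `#!/usr/bin/env bash` and `set -euo pipefail` at the top, and consider replacing `sudo python3 -B -m pip install 'toml>=0.10' 'meson>=0.55'` with a `--user` install or a virtual environment so the build does not modify the system Python. The URL anchor update to `#install-the-intel-sgx-driver` is correct for the current docs layout.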