From 35e0650b92063915e030d0a8564b91d7ea32a465 Mon Sep 17 00:00:00 2001 From: Dmitrii Kuvaiskii Date: Wed, 1 Jun 2022 04:23:33 -0700 Subject: [PATCH] Allow to skip SGX token generation SGX Launch Token (aka EINITTOKEN) is generated right-before Gramine launch via the `gramine-sgx-get-token` tool. For DCAP platforms, the SGX token is unused, so there is no need to generate it. This commit introduces a GSC switch `--skip-token-generation` for this. This is useful for DCAP platforms (one less file in the Docker container), and enables such scenarios as `docker run --read-only`. Also, skipping running `gramine-sgx-get-token` paves a path to removing Python as a run-time dependency for GSC-built Docker images. Signed-off-by: Dmitrii Kuvaiskii --- Documentation/index.rst | 5 +++++ gsc.py | 3 +++ templates/apploader.common.template | 2 ++ 3 files changed, 10 insertions(+) diff --git a/Documentation/index.rst b/Documentation/index.rst index e460f782..f71a869b 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -101,6 +101,11 @@ Gramine image. Allow untrusted arguments to be specified at :command:`docker run`. Otherwise any arguments specified during :command:`docker run` are ignored. +.. option:: --skip-token-generation + + Allows to skip SGX token generation (via :command:`gramine-sgx-get-token`). + Useful for DCAP platforms and read-only filesystems. + .. option:: --no-cache Disable Docker's caches during :command:`gsc build`. This builds the diff --git a/gsc.py b/gsc.py index 4d51ce34..4da6afe0 100755 --- a/gsc.py +++ b/gsc.py 
@@ -425,6 +425,9 @@ def gsc_info_image(args):
 sub_build.add_argument('--insecure-args', action='store_true',
 help='Allow to specify untrusted arguments during Docker run. '
 'Otherwise arguments are ignored.')
+sub_build.add_argument('--skip-token-generation', action='store_true',
+ help='Allows to skip SGX token generation (via `gramine-sgx-get-token`). '
+ 'Useful for DCAP platforms and read-only filesystems.')
 sub_build.add_argument('-nc', '--no-cache', action='store_true',
 help='Build graminized Docker image without any cached images.')
 sub_build.add_argument('--rm', action='store_true',
diff --git a/templates/apploader.common.template b/templates/apploader.common.template
index b6ab2d5a..a6f55f03 100644
--- a/templates/apploader.common.template
+++ b/templates/apploader.common.template
@@ -8,7 +8,9 @@ set -ex
 # Default to Linux-SGX if no PAL was specified
 if [ -z "$GSC_PAL" ] || [ "$GSC_PAL" == "Linux-SGX" ]
 then
+ {% if not skip_token_generation %}
 gramine-sgx-get-token --sig /entrypoint.sig --output /entrypoint.token
+ {% endif %}
 gramine-sgx /entrypoint {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %}
 else
 gramine-direct /entrypoint {{binary_arguments}} "${@}"
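Review bot: The help text added for `--skip-token-generation` in gsc.py never says when the flag is safe to use; the commit message states that the token is unused on DCAP platforms, so the help should say so directly instead of only calling it "useful". Something like `help='Skip SGX token generation (via `gramine-sgx-get-token`) at container start. '` followed by `'Intended for DCAP platforms, where the token is unused.'` would also drop the "Allows to" phrasing. The hunk does not show how the parsed value reaches the template, which tests `skip_token_generation`. That wiring is outside the visible lines and worth confirming, since an undefined Jinja variable is falsy by default and the flag would then silently have no effect.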
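Review bot: The `{% if not skip_token_generation %}` guard in templates/apploader.common.template fixes the decision at `gsc build` time, so an image built with the flag cannot generate a token if it is later started on a host that needs one. Presumably that shows up only as a `gramine-sgx` failure under `set -ex`, with nothing in the rendered loader explaining why. A template comment next to the guard would record the constraint, e.g. `{# token generation skipped via --skip-token-generation: no /entrypoint.token is created, intended for DCAP hosts #}`. The two tag lines also render as whitespace-only lines in the generated script unless the Jinja environment trims blocks; `{%- if not skip_token_generation %}` and `{%- endif %}` would avoid that.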