From ab3608db3a78656320f68a71e274379e43e73dcf Mon Sep 17 00:00:00 2001
From: Bruno Vavala
Date: Tue, 26 Mar 2024 07:15:18 +0000
Subject: [PATCH] make docker build for sgx-based services generate the pdo_service_sgx image

Signed-off-by: Bruno Vavala
---
 docker/Makefile | 4 ++--
 docker/README.md | 10 ++++++----
 docker/pdo_services_base.dockerfile | 12 ++++--------
 docker/test-sgx.yaml | 1 +
 4 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/docker/Makefile b/docker/Makefile
index c3a9f22a..112c00cc 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -50,7 +50,7 @@ DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
 
-IMAGES=base client services_base services ccf_base ccf
+IMAGES=base client services_base services services_sgx ccf_base ccf
 
 # for the most part this is just used to force rebuild when the
 # PDO repository has changed
@@ -75,7 +75,7 @@ sgx_build_services : repository build_services_base
 	docker build $(DOCKER_ARGS) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
 		--build-arg SGX_MODE=HW \
-		--tag pdo_services:$(PDO_VERSION) \
+		--tag pdo_services_sgx:$(PDO_VERSION) \
 		--file $(DOCKER_DIR)/pdo_services.dockerfile .
 
 # docker build dependencies
diff --git a/docker/README.md b/docker/README.md
index 06cabf61..1945f9de 100644
--- a/docker/README.md
+++ b/docker/README.md
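Review bot: The new `--tag pdo_services_sgx:$(PDO_VERSION)` line still passes `--build-arg SGX_MODE=HW` to `pdo_services.dockerfile`, but this same commit removes `ARG SGX_MODE` and `ENV SGX_MODE` from `pdo_services_base.dockerfile` (first hunk of that file) and `pdo_services.dockerfile` is not in the diffstat. Unless that file already declares `ARG SGX_MODE` and re-exports it with `ENV`, docker will only warn that the build-arg was not consumed and the image tagged `_sgx` may carry neither the `SGX_MODE=HW` environment the README promises nor an HW-mode build; please verify, or add `ARG SGX_MODE=SIM` and `ENV SGX_MODE=$SGX_MODE` there. The image name chosen here, `pdo_services_sgx`, also differs from `pdo_service_sgx` used in the commit subject and in the README hunk; the README should follow the Makefile. Finally, the first hunk adds `services_sgx` to `IMAGES` while the rule is named `sgx_build_services`; if `IMAGES` drives generated per-image targets (not visible here), that entry will not map to this rule and an alias such as `build_services_sgx : sgx_build_services` would be needed.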
@@ -81,13 +81,14 @@ on how to use the client container.
 ### Build for SGX ###
 
-For the contract enclave to run in SGX hardware mode, the `pdo_services`
+For the contract enclave to run in SGX hardware mode, the services
 image must be built using the following target:
 
 ```bash
 make sgx_build_services
 ```
 
-Inside the `pdo_services` images, the `SGX_MODE` environment variable
-can help distinguish the build type.
+This will create the `pdo_service_sgx` image. Inside the image,
+the `SGX_MODE=HW` environment variable further indicates that the
+service were built to run in SGX.
 
 ## Pattern: Local Development in a Container ##
@@ -268,7 +269,8 @@ first eservice of a ledger consortium member. Hence, the first service
 container that is deputed to perform such registration must be instructed to do so.
 ```bash
 docker run -v $(SCRIPT_DIR)/xfer/:/project/pdo/xfer --network host \
-    --name ${USER}_services_container pdo_services --register
+    -v :/var/run/aesmd --device=:/dev/sgx/enclave \
+    --name ${USER}_services_container pdo_services_sgx --register
 ```
 This updated command allows to trigger the registration step right before
 starting the services. The policy registration must happen before enclaves are
diff --git a/docker/pdo_services_base.dockerfile b/docker/pdo_services_base.dockerfile
index ef813eee..a039fe6f 100644
--- a/docker/pdo_services_base.dockerfile
+++ b/docker/pdo_services_base.dockerfile
@@ -24,9 +24,6 @@ ARG SGX=2.22
 ARG OPENSSL=3.0.12
 ARG SGXSSL=3.0_Rev1
 
-ARG SGX_MODE=SIM
-ENV SGX_MODE $SGX_MODE
-
 RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \
     && wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
     && apt-get update \
@@ -71,17 +68,16 @@ ENV PATH="/opt/intel/sgxsdk.extras/external/toolset/ubuntu${UBUNTU_VERSION}:${PA
 
 # -----------------------------------------------------------------
 # SGXSSL
-# Note that we build sgxssl with SIM mode; the SGX_MODE only changes
-# the mode for running tests and we do not want the tests run in HW
-# mode
+# Note that the SGX_MODE variable only determines the mode for
+# running tests. We do not want the tests to run in HW mode here.
+# This allows us to keep this image mode-agnostic.
 # -----------------------------------------------------------------
 WORKDIR /tmp
 RUN . /opt/intel/sgxsdk/environment \
     && git clone --depth 1 --branch ${SGXSSL} 'https://github.com/intel/intel-sgx-ssl.git' \
     && wget -q -P /tmp/intel-sgx-ssl/openssl_source https://www.openssl.org/source/openssl-${OPENSSL}.tar.gz \
     && cd /tmp/intel-sgx-ssl/Linux \
-    && if [ $SGX_MODE = SIM ] ; then SKIP_INTELCPU_CHECK=TRUE ; else SKIP_INTELCPU_CHECK=FALSE ; fi \
-    && bash -c "make SKIP_INTELCPU_CHECK=$SKIP_INTELCPU_CHECK SGX_MODE=$SGX_MODE NO_THREADS=1 DESTDIR=/opt/intel/sgxssl VERBOSE=0 all &> /dev/null" \
+    && bash -c "make SKIP_INTELCPU_CHECK=TRUE SGX_MODE=SIM NO_THREADS=1 DESTDIR=/opt/intel/sgxssl VERBOSE=0 all &> /dev/null" \
     && make install \
     && make clean \
     && rm -rf /tmp/intel-sgx-ssl
diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml
index 049a3602..833be892 100644
--- a/docker/test-sgx.yaml
+++ b/docker/test-sgx.yaml
@@ -20,6 +20,7 @@ services:
       - SGX_MODE=HW
 
   services_container:
+    image: pdo_services_sgx:${PDO_VERSION:-latest}
    volumes:
      - /var/run/aesmd:/var/run/aesmd
    devices:
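Review bot: The rewritten `bash -c "make … all &> /dev/null"` line discards both stdout and stderr of the SGXSSL build, so when it fails the layer reports only a non-zero exit and the compiler diagnostics are gone; keeping stderr, `bash -c "make SKIP_INTELCPU_CHECK=TRUE SGX_MODE=SIM NO_THREADS=1 DESTDIR=/opt/intel/sgxssl VERBOSE=0 all > /dev/null"`, costs nothing and makes build failures diagnosable. The new comment explains the pinned `SGX_MODE=SIM` but not the now-unconditional `SKIP_INTELCPU_CHECK=TRUE`; a line such as `# SKIP_INTELCPU_CHECK: the build host need not be an SGX-capable machine` would record why the check is skipped. While this line is being touched, the `openssl-${OPENSSL}.tar.gz` fetched a few lines above is handed to the build with no integrity check; a `sha256sum -c` against a pinned digest (placeholder `<OPENSSL_SHA256>`, taken from the OpenSSL release) before the make step would close that supply-chain gap. The whole `RUN` chain is visible within this hunk.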
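Review bot: `image: pdo_services_sgx:${PDO_VERSION:-latest}` falls back to a `latest` tag that the Makefile hunk never creates (`sgx_build_services` tags only `$(PDO_VERSION)`), so a compose run without `PDO_VERSION` exported will not find the locally built image and will attempt a registry pull instead; either drop the default or document that `PDO_VERSION` must be set, consistent with whatever the other `image:` entries in this file do (not visible here). The README hunk's `docker run` example that this service mirrors shows `-v :/var/run/aesmd --device=:/dev/sgx/enclave` with empty host-side paths, which is not a valid bind or device spec; it should read `-v /var/run/aesmd:/var/run/aesmd --device=/dev/sgx/enclave:/dev/sgx/enclave`, as the `volumes:` entry here does.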