WIP: sgx: add QuoteVerification demo and cleanup hostNetwork dependency

Signed-off-by: Mikko Ylinen <[email protected]>

.trivyignore

@@ -9,11 +9,6 @@ AVD-DS-0002
 # initcontainers require privileged access
 AVD-KSV-0017
 
-# Sharing the host’s network namespace permits processes in the pod to communicate with
-# processes bound to the host’s loopback adapter.
-# sgx single-node demo deployment uses hostNetwork: true to be able to use the default setting for PCCS URL from containers
-AVD-KSV-0009
-
 # Do not allow privilege escalation from node proxy
 # Check whether role permits privilege escalation from node proxy
 # gpu plugin in kubelet mode requires "nodes/proxy" resource access

demo/screencast-sgx.sh

@@ -27,7 +27,7 @@ cleanup()
   out 'Cleanup demo artifacts' 20
   out 'delete node-feature-discovery deployment:' 20
   command 'kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=main || true' 20
-  command 'kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/sgx?ref=main || true' 20
+  command 'kubectl delete -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd?ref=main || true' 20
   out 'delete SGX Device Plugin deployment:' 20
   command 'kubectl delete sgxdeviceplugin sgxdeviceplugin-sample || true' 20
   out 'delete Intel Device Plugin Operator deployment:' 20
@@ -69,10 +69,10 @@ screen3()
   clear
   out "2. Deploy node-feature-discovery for Kubernetes"
   out "It's used to label SGX capable nodes and register SGX EPC as an extended resource"
-  command "kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/sgx?ref=main"
+  command "kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd?ref=main"
   out "Check its pod is running"
   command "kubectl wait --for=condition=Ready pod/$(kubectl get --no-headers -l app=nfd-worker -o=jsonpath='{.items[0].metadata.name}' pods -n node-feature-discovery) -n node-feature-discovery"
-  out "Create NodeFeatureRules for SGX specific labels"
+  out "Create NodeFeatureRules for SGX specific labels and SGX EPC extended resource"
   command 'kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=main || true' 20
 }
 
@@ -91,8 +91,8 @@ screen5()
 {
   clear
   out "4. Verify node resources"
-  command "kubectl get nodes -o json | jq .items[].status.allocatable | grep sgx"
-  command "kubectl get nodes -o json | jq .items[].metadata.labels | grep sgx"
+  command "kubectl get nodes -o jsonpath='{.items[].status.allocatable}' | jq | grep sgx"
+  command "kubectl get nodes -o jsonpath='{.items[].metadata.labels}' | jq | grep kubernetes.io\/sgx"
   out "Both node labels and resources for SGX are in place"
 }
 

demo/sgx-sdk-demo/Dockerfile

@@ -23,7 +23,7 @@ RUN apt-get update && \
 # SGX SDK is installed in /opt/intel directory.
 WORKDIR /opt/intel
 
-ARG DCAP_VERSION=DCAP_1.17
+ARG DCAP_VERSION=DCAP_1.18
 
 RUN echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main" | \
     tee -a /etc/apt/sources.list.d/intel-sgx.list \
@@ -32,11 +32,12 @@ RUN echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://d
  && apt-get update \
  && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
     libsgx-dcap-ql-dev \
+    libsgx-dcap-quote-verify-dev \
     libsgx-dcap-default-qpl-dev \
     libsgx-quote-ex-dev
 
 # Install SGX SDK
-ARG SGX_SDK_URL=https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.20.100.4.bin
+ARG SGX_SDK_URL=https://download.01.org/intel-sgx/sgx-linux/2.21/distro/ubuntu22.04-server/sgx_linux_x64_sdk_2.21.100.1.bin
 RUN wget ${SGX_SDK_URL} \
  && export SGX_SDK_INSTALLER=$(basename $SGX_SDK_URL) \
  && chmod +x $SGX_SDK_INSTALLER \
@@ -55,6 +56,12 @@ RUN cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample \
     && make \
     && cd -
 
+RUN cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample \
+    && . /opt/intel/sgxsdk/environment \
+    && make HW_RELEASE=1 \
+    && sgx_sign sign -key ../QuoteGenerationSample/Enclave/Enclave_private_sample.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml \
+    && cd -
+
 FROM ubuntu:22.04
 
 RUN apt-get update && \
@@ -75,6 +82,7 @@ RUN echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://d
     libsgx-dcap-ql \
     libsgx-dcap-default-qpl \
  && mkdir -p /opt/intel/sgx-sample-app/ \
+ && mkdir -p /opt/intel/sgx-quote-verification/ \
  && mkdir -p /opt/intel/sgx-quote-generation/
 
 COPY --from=builder /opt/intel/sgxsdk/SampleCode/SampleEnclave/app /opt/intel/sgx-sample-app/sgx-sample-app
@@ -83,4 +91,9 @@ COPY --from=builder /opt/intel/sgxsdk/SampleCode/SampleEnclave/enclave.signed.so
 COPY --from=builder /opt/intel/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/app /opt/intel/sgx-quote-generation/sgx-quote-generation
 COPY --from=builder /opt/intel/SGXDataCenterAttestationPrimitives/SampleCode/QuoteGenerationSample/enclave.signed.so /opt/intel/sgx-quote-generation/enclave.signed.so
 
+COPY --from=builder /opt/intel/SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample/app /opt/intel/sgx-quote-verification/sgx-quote-verification
+COPY --from=builder /opt/intel/SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample/enclave.signed.so /opt/intel/sgx-quote-verification/enclave.signed.so
+
+COPY --chmod=555 run-dcap-flow /opt/intel
+
 ENTRYPOINT /opt/intel/sgx-sample-app/sgx-sample-app

demo/sgx-sdk-demo/run-dcap-flow

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+pushd sgx-quote-generation
+
+./sgx-quote-generation
+
+popd
+
+pushd sgx-quote-verification
+
+./sgx-quote-verification -quote ../sgx-quote-generation/quote.dat

deployments/sgx_aesmd/base/intel-sgx-aesmd.yaml

@@ -15,7 +15,6 @@ spec:
       annotations:
         sgx.intel.com/quote-provider: "aesmd"
     spec:
-      hostNetwork: true
       containers:
       - name: aesmd
         image: intel/sgx-aesmd-demo:devel

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_aesmd_quote/change_workingdir_and_command.json

@@ -1,4 +1,4 @@
 [
-  {"op": "replace", "path": "/spec/template/spec/containers/0/workingDir", "value": "/opt/intel/sgx-quote-generation/"},
-  {"op": "replace", "path": "/spec/template/spec/containers/0/command", "value": ["/opt/intel/sgx-quote-generation/sgx-quote-generation"]}
+  {"op": "replace", "path": "/spec/template/spec/containers/0/workingDir", "value": "/opt/intel/"},
+  {"op": "replace", "path": "/spec/template/spec/containers/0/command", "value": ["/opt/intel/run-dcap-flow"]}
 ]

deployments/sgx_enclave_apps/overlays/sgx_ecdsa_inproc_quote/kustomization.yaml

@@ -10,5 +10,4 @@ configMapGenerator:
   - sgx_default_qcnl.conf
   name: sgx-attestation-conf
 patches:
-- path: add_hostnetwork.yaml
 - path: add_sgx_default_qcnl_conf.yaml