feat(tee): create SGX container with nix

Signed-off-by: Harald Hoyer <[email protected]>
matter-labs · May 23, 2024 · f85d506 · f85d506
1 parent c80c57c
commit f85d506
Show file tree

Hide file tree

Showing 13 changed files with 493 additions and 25 deletions.
diff --git a/.github/workflows/build_and_publish_tee.yaml b/.github/workflows/build_and_publish_tee.yaml
@@ -30,12 +30,33 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ github.token }}
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE=
+            substituters = https://cache.nixos.org/ https://nixsgx.cachix.org/
+
+      - name: Enable magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Build base images
+        run: |
+          nix build -L .#docker-era-fee-withdrawer-azure
+          export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
+          echo "Pushing image ${IMAGE_TAG} to Docker Hub"
+          docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
+          docker push matterlabsrobot/"${IMAGE_TAG}"
+          docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
+          docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"          
+          sed -i -e "s#FROM ${IMAGE_TAG%:*}:latest#FROM matterlabsrobot/${IMAGE_TAG%:*}:latest" tee/Dockerfile-azure
+
       - name: Generate build ID for Flux Image Automation
         id: build
         run: |
@@ -51,10 +72,10 @@ jobs:
         uses: docker/build-push-action@v5
         if: ${{ !startsWith(github.ref, 'refs/tags') }}
         with:
-          context: .
+          context: tee
           push: true
           tags: |
             "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest"
             "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.build.outputs.BUILD_ID }}"
-          file: Dockerfile
+          file: tee/Dockerfile-azure
           no-cache: true
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,62 @@
+{
+  description = "teepot";
+
+  inputs = {
+    nixsgx-flake.url = "github:matter-labs/nixsgx";
+    nixpkgs.follows = "nixsgx-flake/nixpkgs";
+
+    nix-filter.url = "github:numtide/nix-filter";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils, nix-filter, nixsgx-flake }:
+    flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
+      let
+        pkgs = import nixpkgs { inherit system; overlays = [ nixsgx-flake.overlays.default ]; };
+        filter = nix-filter.lib;
+        extra-inputs = pkgs // { nixpkgs = nixpkgs; pkgs = pkgs; lib = pkgs.lib; };
+
+        efw-pkgs = { era-fee-withdrawer = era-fee-withdrawer; };
+
+        era-fee-withdrawer =
+          pkgs.callPackage
+            ./tee/nix/era-fee-withdrawer.nix
+            {
+              pname = "era-fee-withdrawer";
+              version = "2.2.34-pre.0";
+              src = filter {
+                root = ./.;
+                include = [
+                  "src"
+                  "tests"
+                  ./package.json
+                  ./tsconfig.json
+                  ./yarn.lock
+                ];
+              };
+            };
+
+        docker-era-fee-withdrawer-azure = pkgs.callPackage ./tee/nix/docker-era-fee-withdrawer-azure.nix efw-pkgs;
+
+        docker-era-fee-withdrawer-dcap = pkgs.callPackage ./tee/nix/docker-era-fee-withdrawer-dcap.nix efw-pkgs;
+      in
+      {
+        formatter = pkgs.nixpkgs-fmt;
+
+        packages = {
+          era-fee-withdrawer = era-fee-withdrawer;
+          docker-era-fee-withdrawer-azure = docker-era-fee-withdrawer-azure;
+          docker-era-fee-withdrawer-dcap = docker-era-fee-withdrawer-dcap;
+          default = docker-era-fee-withdrawer-azure;
+        };
+
+        devShells = {
+          default = pkgs.mkShell {
+            inputsFrom = [ era-fee-withdrawer ];
+            nativeBuildInputs = with pkgs; [
+              nixsgx.gramine
+            ];
+          };
+        };
+      });
+}
diff --git a/restart_aesm.sh b/restart_aesm.sh
diff --git a/tee/Dockerfile-azure b/tee/Dockerfile-azure
@@ -0,0 +1,27 @@
+FROM era-fee-withdrawer-azure:latest
+
+WORKDIR /app
+
+COPY enclave-key.pem era-fee-withdrawer.manifest.toml ./
+
+RUN printf "precedence ::ffff:0:0/96  100\n" > /etc/gai.conf
+
+# The final touch for a reproducible docker file
+RUN touch -r /nix/store * .?* /etc/gai.conf
+
+RUN set -eux; export HOME=/app; \
+    gramine-manifest -Darch_libdir=/lib -Dexecdir=/bin -Dlog_level=error era-fee-withdrawer.manifest.toml era-fee-withdrawer.manifest; \
+    gramine-sgx-sign --manifest era-fee-withdrawer.manifest --output era-fee-withdrawer.manifest.sgx --key enclave-key.pem; \
+    rm enclave-key.pem
+
+# Uncomment, if a signed sigstruct exists
+# COPY era-fee-withdrawer-azure.sig .
+# RUN mv era-fee-withdrawer-azure.sig era-fee-withdrawer
+RUN touch -r /nix/store era-fee-withdrawer.sig
+
+ENTRYPOINT ["/bin/sh", "-c"]
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
+ENV UV_USE_IO_URING=0
+
+#CMD [ "echo tee-era-fee-withdrawer in simulation mode starting ; exec gramine-direct era-fee-withdrawer" ]
+CMD [ "echo tee-era-fee-withdrawer in SGX mode starting ; restart-aesmd ; exec gramine-sgx era-fee-withdrawer" ]
diff --git a/tee/Dockerfile-dcap b/tee/Dockerfile-dcap
@@ -0,0 +1,30 @@
+FROM era-fee-withdrawer-dcap:latest
+
+WORKDIR /app
+
+COPY sgx_default_qcnl.json ./sgx_default_qcnl.conf
+RUN rm /etc/sgx_default_qcnl.conf && ln -s /app/sgx_default_qcnl.conf /etc/sgx_default_qcnl.conf
+
+COPY enclave-key.pem era-fee-withdrawer.manifest.toml ./
+
+RUN printf "precedence ::ffff:0:0/96  100\n" > /etc/gai.conf
+
+# The final touch for a reproducible docker file
+RUN touch -r /nix/store * .?* /etc/gai.conf
+
+RUN set -eux; export HOME=/app; \
+    gramine-manifest -Darch_libdir=/lib -Dexecdir=/bin -Dlog_level=error era-fee-withdrawer.manifest.toml era-fee-withdrawer.manifest; \
+    gramine-sgx-sign --manifest era-fee-withdrawer.manifest --output era-fee-withdrawer.manifest.sgx --key enclave-key.pem; \
+    rm enclave-key.pem
+
+# Uncomment, if a signed sigstruct exists
+# COPY era-fee-withdrawer-dcap.sig .
+# RUN mv era-fee-withdrawer-dcap.sig era-fee-withdrawer.sig
+RUN touch -r /nix/store era-fee-withdrawer.sig
+
+ENTRYPOINT ["/bin/sh", "-c"]
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
+ENV UV_USE_IO_URING=0
+
+#CMD [ "echo era-fee-withdrawer in simulation mode starting ; exec gramine-direct era-fee-withdrawer" ]
+CMD [ "echo era-fee-withdrawer in SGX mode starting ; restart-aesmd ; exec gramine-sgx era-fee-withdrawer" ]