Merge pull request #156 from brave/add-enclave-bypass

Add enclave bypass Dockerfile, nginx config and scripts
brave · Aug 1, 2023 · 6010493 · 6010493
2 parents b1a81b1 + 790ff9f
commit 6010493
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 0 deletions.
diff --git a/misc/temporary-enclave-bypass/Dockerfile b/misc/temporary-enclave-bypass/Dockerfile
@@ -0,0 +1,30 @@
+# Build the web server application itself.
+# Use the -alpine variant so it will run in a alpine-based container.
+FROM public.ecr.aws/docker/library/rust:1.71.0-alpine as rust-builder
+# Base image may not support C linkage.
+RUN apk add musl-dev
+
+WORKDIR /src/
+COPY Cargo.toml Cargo.lock ./
+COPY src src
+# The '--locked' argument is important for reproducibility because it ensures
+# that we use specific dependencies.
+RUN cargo build --locked --release
+
+RUN cargo install vsock-relay
+
+FROM amazonlinux:2.0.20230207.0
+
+RUN echo "timeout=60.0" >> /etc/yum.conf
+RUN amazon-linux-extras install aws-nitro-enclaves-cli nginx1 -y && \
+    yum install aws-nitro-enclaves-cli-devel wget curl strace awscli -y && \
+    yum clean all && \
+    rm -rf /var/cache/yum && \
+    mkdir -p /enclave
+
+COPY --from=rust-builder /src/target/release/star-randsrv /usr/local/bin/
+COPY --from=rust-builder /usr/local/cargo/bin/vsock-relay /usr/local/bin/
+COPY ./misc/temporary-enclave-bypass/scripts/*.sh /usr/local/bin/
+COPY ./misc/temporary-enclave-bypass/nginx.conf /etc/nginx/
+
+EXPOSE 8080
diff --git a/misc/temporary-enclave-bypass/Makefile b/misc/temporary-enclave-bypass/Makefile
@@ -0,0 +1,2 @@
+all:
+	docker build -t temporary-enclave-bypass -f Dockerfile ../../
diff --git a/misc/temporary-enclave-bypass/nginx.conf b/misc/temporary-enclave-bypass/nginx.conf
@@ -0,0 +1,21 @@
+worker_processes 10;
+worker_rlimit_nofile 8192;
+
+events {
+    worker_connections 4096;
+}
+
+http {
+    server {
+        listen 8080;
+
+        location /enclave {
+            proxy_pass https://127.0.0.1:8443;
+    		proxy_ssl_verify off;
+        }
+
+        location / {
+            proxy_pass http://127.0.0.1:8081;
+        }
+    }
+}
diff --git a/misc/temporary-enclave-bypass/scripts/build.sh b/misc/temporary-enclave-bypass/scripts/build.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+docker_image_base="${1}"
+
+# service var is the service we wish to run in the enclave
+service=""
+if [ "${2}" != "" ]; then
+    service="/${2}"
+fi
+
+and_run="${3}"
+run_cpu_count="${4}"
+run_memory="${5}"
+
+set -eux
+
+# wait for a few seconds for eks to pull down the right version
+sleep 20
+
+# get the latest docker image of the base image we are looking for
+docker_image=$(docker images --format "{{.Repository}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 2 | awk -v s="${service}" 'NR==1{printf "%s%s", $1, s}')
+
+if [ -z "${docker_image}" ]; then
+    docker_image=${docker_image_base}
+fi
+
+aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${docker_image}
+
+# get the latest docker image of the base image we are looking for with tag
+docker_image_tag=$(docker images --format "{{.Repository}} {{.Tag}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 3 | awk -v s="${service}" 'NR==1{printf "%s%s:%s", $1, s, $2}')
+if [ -z "${docker_image_tag}" ]; then
+    docker_image_tag=${docker_image_base}
+fi
+
+nitro-cli build-enclave --docker-uri ${docker_image_tag} --output-file nitro-image.eif
+
+if [ "${and_run}" == "run" ]; then 
+  /usr/local/bin/run.sh "${service}" ${run_cpu_count} ${run_memory}
+fi
+
diff --git a/misc/temporary-enclave-bypass/scripts/run.sh b/misc/temporary-enclave-bypass/scripts/run.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+cpu_count=${2:-2}
+memory=${3:-512}
+cid="4"
+
+set -eux
+
+nitro-cli run-enclave \
+    --enclave-cid "${cid}" \
+    --cpu-count ${cpu_count} \
+    --memory ${memory} \
+    --eif-path nitro-image.eif > /tmp/output.json
+cat /tmp/output.json
+
+# background the proxy startup
+/usr/local/bin/start-proxies.sh "${cid}" &
+
+# run star-randsrv
+echo "Starting star-randsrv."
+star-randsrv \
+  --epoch-seconds 604800 \
+  --epoch-base-time 2023-05-01T00:00:00Z \
+  --increase-nofile-limit \
+  --listen "127.0.0.1:8081"
+
diff --git a/misc/temporary-enclave-bypass/scripts/start-proxies.sh b/misc/temporary-enclave-bypass/scripts/start-proxies.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eux
+
+CID="${1}"
+PARENT_CID="3" # the CID of the EC2 instance
+
+echo "cid is ${CID}"
+# it's now time to set up proxy tools
+
+# run vsock relay to proxy enclave attestation requests
+/usr/local/bin/vsock-relay -s "127.0.0.1:8443" -l "4:443" -c 1000 &
+
+# run nginx to proxy attestation & randsrv requests
+nginx