-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add enclave bypass Dockerfile, nginx config and scripts
- Loading branch information
Showing
6 changed files
with
134 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
# Build the web server application itself. | ||
# Use the -alpine variant so it will run in a alpine-based container. | ||
FROM public.ecr.aws/docker/library/rust:1.71.0-alpine as rust-builder | ||
# Base image may not support C linkage. | ||
RUN apk add musl-dev | ||
|
||
WORKDIR /src/ | ||
COPY Cargo.toml Cargo.lock ./ | ||
COPY src src | ||
# The '--locked' argument is important for reproducibility because it ensures | ||
# that we use specific dependencies. | ||
RUN cargo build --locked --release | ||
|
||
RUN cargo install vsock-relay | ||
|
||
FROM amazonlinux:2.0.20230207.0 | ||
|
||
RUN echo "timeout=60.0" >> /etc/yum.conf | ||
RUN amazon-linux-extras install aws-nitro-enclaves-cli nginx1 -y && \ | ||
yum install aws-nitro-enclaves-cli-devel wget curl strace awscli -y && \ | ||
yum clean all && \ | ||
rm -rf /var/cache/yum && \ | ||
mkdir -p /enclave | ||
|
||
COPY --from=rust-builder /src/target/release/star-randsrv /usr/local/bin/ | ||
COPY --from=rust-builder /usr/local/cargo/bin/vsock-relay /usr/local/bin/ | ||
COPY ./misc/temporary-enclave-bypass/scripts/*.sh /usr/local/bin/ | ||
COPY ./misc/temporary-enclave-bypass/nginx.conf /etc/nginx/ | ||
|
||
EXPOSE 8080 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
all: | ||
docker build -t temporary-enclave-bypass -f Dockerfile ../../ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
worker_processes 10; | ||
worker_rlimit_nofile 8192; | ||
|
||
events { | ||
worker_connections 4096; | ||
} | ||
|
||
http { | ||
server { | ||
listen 8080; | ||
|
||
location /enclave { | ||
proxy_pass https://127.0.0.1:8443; | ||
proxy_ssl_verify off; | ||
} | ||
|
||
location / { | ||
proxy_pass http://127.0.0.1:8081; | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
#!/bin/bash | ||
|
||
docker_image_base="${1}" | ||
|
||
# service var is the service we wish to run in the enclave | ||
service="" | ||
if [ "${2}" != "" ]; then | ||
service="/${2}" | ||
fi | ||
|
||
and_run="${3}" | ||
run_cpu_count="${4}" | ||
run_memory="${5}" | ||
|
||
set -eux | ||
|
||
# wait for a few seconds for eks to pull down the right version | ||
sleep 20 | ||
|
||
# get the latest docker image of the base image we are looking for | ||
docker_image=$(docker images --format "{{.Repository}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 2 | awk -v s="${service}" 'NR==1{printf "%s%s", $1, s}') | ||
|
||
if [ -z "${docker_image}" ]; then | ||
docker_image=${docker_image_base} | ||
fi | ||
|
||
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${docker_image} | ||
|
||
# get the latest docker image of the base image we are looking for with tag | ||
docker_image_tag=$(docker images --format "{{.Repository}} {{.Tag}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 3 | awk -v s="${service}" 'NR==1{printf "%s%s:%s", $1, s, $2}') | ||
if [ -z "${docker_image_tag}" ]; then | ||
docker_image_tag=${docker_image_base} | ||
fi | ||
|
||
nitro-cli build-enclave --docker-uri ${docker_image_tag} --output-file nitro-image.eif | ||
|
||
if [ "${and_run}" == "run" ]; then | ||
/usr/local/bin/run.sh "${service}" ${run_cpu_count} ${run_memory} | ||
fi | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
#!/bin/bash | ||
|
||
cpu_count=${2:-2} | ||
memory=${3:-512} | ||
cid="4" | ||
|
||
set -eux | ||
|
||
nitro-cli run-enclave \ | ||
--enclave-cid "${cid}" \ | ||
--cpu-count ${cpu_count} \ | ||
--memory ${memory} \ | ||
--eif-path nitro-image.eif > /tmp/output.json | ||
cat /tmp/output.json | ||
|
||
# background the proxy startup | ||
/usr/local/bin/start-proxies.sh "${cid}" & | ||
|
||
# run star-randsrv | ||
echo "Starting star-randsrv." | ||
star-randsrv \ | ||
--epoch-seconds 604800 \ | ||
--epoch-base-time 2023-05-01T00:00:00Z \ | ||
--increase-nofile-limit \ | ||
--listen "127.0.0.1:8081" | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
#!/bin/bash | ||
|
||
set -eux | ||
|
||
CID="${1}" | ||
PARENT_CID="3" # the CID of the EC2 instance | ||
|
||
echo "cid is ${CID}" | ||
# it's now time to set up proxy tools | ||
|
||
# run vsock relay to proxy enclave attestation requests | ||
/usr/local/bin/vsock-relay -s "127.0.0.1:8443" -l "4:443" -c 1000 & | ||
|
||
# run nginx to proxy attestation & randsrv requests | ||
nginx |