From 790ff9f3ad6d8edf7ed67ce5dadd8eb37035129e Mon Sep 17 00:00:00 2001
From: Darnell Andries
Date: Mon, 31 Jul 2023 17:58:11 -0700
Subject: [PATCH] Add enclave bypass Dockerfile, nginx config and scripts
---
 misc/temporary-enclave-bypass/Dockerfile | 30 ++++++++++++++
 misc/temporary-enclave-bypass/Makefile | 2 +
 misc/temporary-enclave-bypass/nginx.conf | 21 ++++++++++
 .../temporary-enclave-bypass/scripts/build.sh | 40 +++++++++++++++++++
 misc/temporary-enclave-bypass/scripts/run.sh | 26 ++++++++++++
 .../scripts/start-proxies.sh | 15 +++++++
 6 files changed, 134 insertions(+)
 create mode 100644 misc/temporary-enclave-bypass/Dockerfile
 create mode 100644 misc/temporary-enclave-bypass/Makefile
 create mode 100644 misc/temporary-enclave-bypass/nginx.conf
 create mode 100755 misc/temporary-enclave-bypass/scripts/build.sh
 create mode 100755 misc/temporary-enclave-bypass/scripts/run.sh
 create mode 100755 misc/temporary-enclave-bypass/scripts/start-proxies.sh
diff --git a/misc/temporary-enclave-bypass/Dockerfile b/misc/temporary-enclave-bypass/Dockerfile
new file mode 100644
index 0000000..3ef0c65
--- /dev/null
+++ b/misc/temporary-enclave-bypass/Dockerfile
@@ -0,0 +1,30 @@
+# Build the web server application itself.
+# Use the -alpine variant so it will run in a alpine-based container.
+FROM public.ecr.aws/docker/library/rust:1.71.0-alpine as rust-builder
+# Base image may not support C linkage.
+RUN apk add musl-dev
+
+WORKDIR /src/
+COPY Cargo.toml Cargo.lock ./
+COPY src src
+# The '--locked' argument is important for reproducibility because it ensures
+# that we use specific dependencies.
+RUN cargo build --locked --release
+
+RUN cargo install vsock-relay
+
+FROM amazonlinux:2.0.20230207.0
+
+RUN echo "timeout=60.0" >> /etc/yum.conf
+RUN amazon-linux-extras install aws-nitro-enclaves-cli nginx1 -y && \
+ yum install aws-nitro-enclaves-cli-devel wget curl strace awscli -y && \
+ yum clean all && \
+ rm -rf /var/cache/yum && \
+ mkdir -p /enclave
+
+COPY --from=rust-builder /src/target/release/star-randsrv /usr/local/bin/
+COPY --from=rust-builder /usr/local/cargo/bin/vsock-relay /usr/local/bin/
+COPY ./misc/temporary-enclave-bypass/scripts/*.sh /usr/local/bin/
+COPY ./misc/temporary-enclave-bypass/nginx.conf /etc/nginx/
+
+EXPOSE 8080
diff --git a/misc/temporary-enclave-bypass/Makefile b/misc/temporary-enclave-bypass/Makefile
new file mode 100644
index 0000000..276b636
--- /dev/null
+++ b/misc/temporary-enclave-bypass/Makefile
@@ -0,0 +1,2 @@
+all:
+ docker build -t temporary-enclave-bypass -f Dockerfile ../../
diff --git a/misc/temporary-enclave-bypass/nginx.conf b/misc/temporary-enclave-bypass/nginx.conf
new file mode 100644
index 0000000..74f5b1e
--- /dev/null
+++ b/misc/temporary-enclave-bypass/nginx.conf
@@ -0,0 +1,21 @@
+worker_processes 10;
+worker_rlimit_nofile 8192;
+
+events {
+ worker_connections 4096;
+}
+
+http {
+ server {
+ listen 8080;
+
+ location /enclave {
+ proxy_pass https://127.0.0.1:8443;
+ proxy_ssl_verify off;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:8081;
+ }
+ }
+}
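Review bot: The amazonlinux runtime stage ends at `EXPOSE 8080` with no `USER` directive and no `ENTRYPOINT`/`CMD`, so nginx, vsock-relay and star-randsrv all run as root with `strace`, `wget`, `curl` and `awscli` available in the container. nitro-cli needs access to the Nitro Enclaves device, which may legitimately require root here; if so, state that in a comment above the `yum install` line and drop the tools nothing at runtime uses (`strace` at least), otherwise add a `USER` before `EXPOSE 8080`. The builder line `RUN apk add musl-dev` is unpinned and leaves the apk index in the layer; `RUN apk add --no-cache musl-dev` is the usual form. The comment "Use the -alpine variant so it will run in a alpine-based container" is stale now that the runtime stage is amazonlinux; say instead that the alpine/musl build produces a binary that runs on the amazonlinux base without glibc dependencies.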
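Review bot: `proxy_ssl_verify off` in the `/enclave` location makes nginx accept any certificate from `https://127.0.0.1:8443`; that address is the local vsock relay into the enclave, so the hop is loopback, but the enclave's TLS identity is never checked at this point and the file does not record why. Add a comment above the directive saying the upstream is the vsock-relay on 127.0.0.1 and why verification is off (presumably the enclave presents a certificate nginx cannot validate against a CA), or, if the enclave certificate is known, use `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate <PATH-TO-CERT>;`. `location /enclave` is a prefix match, so `/enclaveXYZ` is also routed to the enclave; write `location /enclave/` if only that path tree is meant. `worker_processes 10;` is a fixed count regardless of host CPUs; `worker_processes auto;` is the conventional setting.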
diff --git a/misc/temporary-enclave-bypass/scripts/build.sh b/misc/temporary-enclave-bypass/scripts/build.sh
new file mode 100755
index 0000000..26e515e
--- /dev/null
+++ b/misc/temporary-enclave-bypass/scripts/build.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+docker_image_base="${1}"
+
+# service var is the service we wish to run in the enclave
+service=""
+if [ "${2}" != "" ]; then
+ service="/${2}"
+fi
+
+and_run="${3}"
+run_cpu_count="${4}"
+run_memory="${5}"
+
+set -eux
+
+# wait for a few seconds for eks to pull down the right version
+sleep 20
+
+# get the latest docker image of the base image we are looking for
+docker_image=$(docker images --format "{{.Repository}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 2 | awk -v s="${service}" 'NR==1{printf "%s%s", $1, s}')
+
+if [ -z "${docker_image}" ]; then
+ docker_image=${docker_image_base}
+fi
+
+aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${docker_image}
+
+# get the latest docker image of the base image we are looking for with tag
+docker_image_tag=$(docker images --format "{{.Repository}} {{.Tag}} {{.CreatedAt}}" | grep "${docker_image_base}" | sort -rk 3 | awk -v s="${service}" 'NR==1{printf "%s%s:%s", $1, s, $2}')
+if [ -z "${docker_image_tag}" ]; then
+ docker_image_tag=${docker_image_base}
+fi
+
+nitro-cli build-enclave --docker-uri ${docker_image_tag} --output-file nitro-image.eif
+
+if [ "${and_run}" == "run" ]; then
+ /usr/local/bin/run.sh "${service}" ${run_cpu_count} ${run_memory}
+fi
+
diff --git a/misc/temporary-enclave-bypass/scripts/run.sh b/misc/temporary-enclave-bypass/scripts/run.sh
new file mode 100755
index 0000000..85501a1
--- /dev/null
+++ b/misc/temporary-enclave-bypass/scripts/run.sh
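Review bot: The image lookup `docker images --format ... | grep "${docker_image_base}"` is an unanchored substring match over repository, tag and timestamp text, so an unrelated image whose name merely contains the base name can be chosen as the newest one and then passed to `docker login` and `nitro-cli build-enclave`; the `docker_image_tag` lookup has the same problem. Let docker do the matching and drop the grep: `docker_image=$(docker images --filter "reference=${docker_image_base}" --format "{{.Repository}} {{.CreatedAt}}" | sort -rk 2 | awk -v s="${service}" 'NR==1{printf "%s%s", $1, s}')`, and likewise for the tagged lookup. The resulting values are used unquoted (`--password-stdin ${docker_image}`, `--docker-uri ${docker_image_tag}`, and the `run.sh` arguments), so a value containing whitespace would be word-split without any error under `set -eux`; quote them. The fallback `docker_image=${docker_image_base}` silently proceeds when no local image is found even though the script just waited for one to be pulled; a comment explaining that `nitro-cli build-enclave` pulls the image itself in that case would make the intent clear.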
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+cpu_count=${2:-2}
+memory=${3:-512}
+cid="4"
+
+set -eux
+
+nitro-cli run-enclave \
+ --enclave-cid "${cid}" \
+ --cpu-count ${cpu_count} \
+ --memory ${memory} \
+ --eif-path nitro-image.eif > /tmp/output.json
+cat /tmp/output.json
+
+# background the proxy startup
+/usr/local/bin/start-proxies.sh "${cid}" &
+
+# run star-randsrv
+echo "Starting star-randsrv."
+star-randsrv \
+ --epoch-seconds 604800 \
+ --epoch-base-time 2023-05-01T00:00:00Z \
+ --increase-nofile-limit \
+ --listen "127.0.0.1:8081"
+
diff --git a/misc/temporary-enclave-bypass/scripts/start-proxies.sh b/misc/temporary-enclave-bypass/scripts/start-proxies.sh
new file mode 100755
index 0000000..0fac480
--- /dev/null
+++ b/misc/temporary-enclave-bypass/scripts/start-proxies.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eux
+
+CID="${1}"
+PARENT_CID="3" # the CID of the EC2 instance
+
+echo "cid is ${CID}"
+# it's now time to set up proxy tools
+
+# run vsock relay to proxy enclave attestation requests
+/usr/local/bin/vsock-relay -s "127.0.0.1:8443" -l "4:443" -c 1000 &
+
+# run nginx to proxy attestation & randsrv requests
+nginx
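Review bot: The final `star-randsrv \` command is run as a child of this bash process rather than replacing it, so when run.sh is the container's main process a `docker stop` delivers SIGTERM to bash, not to the server, and star-randsrv never gets a graceful shutdown signal; change the line to `exec star-randsrv \`. `--epoch-seconds 604800` and `--epoch-base-time 2023-05-01T00:00:00Z` are hard-coded while `cpu_count` and `memory` are parameters; either expose them the same way or add a comment stating they must match the values the enclave-side service is configured with. `$1` is accepted (build.sh passes `"${service}"` in that position) but never read here; document that or drop it from the call. `cid="4"` is also hard-coded as `4:443` in start-proxies.sh, so the two must be changed together unless that script uses the CID it is passed.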
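Review bot: `CID` is read from `$1` and echoed, but the relay line hard-codes the enclave side as `-l "4:443"`, so a caller passing a different CID silently relays to the wrong enclave; use `-l "${CID}:443"`. `PARENT_CID="3"` is assigned and never used; drop it or use it where it is meant to go, since under `set -u` an unused variable only adds confusion. The relay is backgrounded with `&` and `nginx` is started immediately without confirming the relay is listening, and because run.sh backgrounds this whole script, a failed `nginx` start under `set -e` only shows up in the log; a short comment stating that nginx daemonizes here and that failures are non-fatal to run.sh would make that behaviour explicit. Binding the relay to `127.0.0.1:8443` only is the right choice, as enclave port 443 then stays reachable solely from inside the container.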