diff --git a/docker/compose/avalon-fib-gsgx.yaml b/docker/compose/avalon-fib-gsgx.yaml index ccee72c57..c4f0c815b 100644 --- a/docker/compose/avalon-fib-gsgx.yaml +++ b/docker/compose/avalon-fib-gsgx.yaml @@ -18,7 +18,4 @@ services: graphene-python-workload: image: gsc-avalon-fibonacci-workload-dev devices: - - "/dev/gsgx:/dev/gsgx" - - "/dev/isgx:/dev/isgx" - volumes: - - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket + - "/dev/sgx_enclave:/dev/sgx_enclave" diff --git a/docs/graphene-workload-tutorial/create_workload.py b/docs/graphene-workload-tutorial/create_workload.py index a6a665836..0e28fad58 100755 --- a/docs/graphene-workload-tutorial/create_workload.py +++ b/docs/graphene-workload-tutorial/create_workload.py @@ -45,7 +45,8 @@ os.path.join("src","my_workload.py.template"), os.path.join("tests","test_work_orders.json.template"), "workload.json.template", - "Makefile.template" + "Makefile.template", + "setup.py.template" } IN_DIR = "workload" diff --git a/docs/graphene-workload-tutorial/workload/avalon-workload-gsgx.yaml.template b/docs/graphene-workload-tutorial/workload/avalon-workload-gsgx.yaml.template index 951660b79..9eada7d4f 100644 --- a/docs/graphene-workload-tutorial/workload/avalon-workload-gsgx.yaml.template +++ b/docs/graphene-workload-tutorial/workload/avalon-workload-gsgx.yaml.template @@ -18,7 +18,4 @@ services: graphene-python-workload: image: gsc-avalon-{{ my_workload }}-workload-dev devices: - - "/dev/gsgx:/dev/gsgx" - - "/dev/isgx:/dev/isgx" - volumes: - - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket + - "/dev/sgx_enclave:/dev/sgx_enclave" diff --git a/docs/graphene-workload-tutorial/workload/compose/graphene-sgx.yaml.template b/docs/graphene-workload-tutorial/workload/compose/graphene-sgx.yaml.template index a245bb2a3..69341a06e 100644 --- a/docs/graphene-workload-tutorial/workload/compose/graphene-sgx.yaml.template +++ b/docs/graphene-workload-tutorial/workload/compose/graphene-sgx.yaml.template 
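Review bot: The new `devices:` entry switches this compose file to the in-kernel SGX driver and drops the AESM socket mount, but nothing in the file records that host prerequisite or its consequence for attestation. Suggest a comment above the entry: `# Requires the upstream in-kernel SGX driver (/dev/sgx_enclave); the AESM socket is no longer mounted, so no quote generation via AESM is available inside this container`. `/dev/sgx_provision` is not mapped either, which would be needed if the graphenized worker ever requests the PROVISION_KEY attribute for DCAP quoting — confirm that is not the case for this image. The same change, and the same note, apply to avalon-workload-gsgx.yaml.template later on this line and to compose/graphene-sgx.yaml.template on the next.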
@@ -18,7 +18,4 @@ services: process-work-order: image: gsc-avalon-{{ my_workload }}-workload-dev devices: - - "/dev/gsgx:/dev/gsgx" - - "/dev/isgx:/dev/isgx" - volumes: - - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket + - "/dev/sgx_enclave:/dev/sgx_enclave" diff --git a/docs/graphene-workload-tutorial/workload/graphene_sgx/build_gsc_workload.sh.template b/docs/graphene-workload-tutorial/workload/graphene_sgx/build_gsc_workload.sh.template index 04d6ff30d..7a213fb58 100755 --- a/docs/graphene-workload-tutorial/workload/graphene_sgx/build_gsc_workload.sh.template +++ b/docs/graphene-workload-tutorial/workload/graphene_sgx/build_gsc_workload.sh.template @@ -1,6 +1,6 @@ #! /bin/bash -# Copyright 2020 Intel Corporation +# Copyright 2021 Intel Corporation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,30 +37,13 @@ if [ "$GSC_IMAGE_EXISTS" = "yes" ]; then sudo docker rmi $GSC_IMAGE_NAME --force fi -# Manifest files -MANIFEST_FILE_DIR="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest" -MANIFEST_FILES="python.manifest -sh.manifest -gcc.manifest -collect2.manifest -ld.manifest" -# Generate list of manifest files -LIST_MANIFEST_FILES="" -for f in $MANIFEST_FILES -do - FILE_NAME=${MANIFEST_FILE_DIR}/$f - if [ ! -f $FILE_NAME ]; then - echo "ERROR:Manifest file $FILE_NAME doesn't exist" - exit - fi - LIST_MANIFEST_FILES+=${MANIFEST_FILE_DIR}/$f - LIST_MANIFEST_FILES+=" " -done -echo $LIST_MANIFEST_FILES +# Manifest file + +MANIFEST_FILE="${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest" # Build image echo "Build unsigned GSC image" -./gsc build --insecure-args $IMAGE_NAME $LIST_MANIFEST_FILES +./gsc build --insecure-args $IMAGE_NAME $MANIFEST_FILE # Generate signing key if it doesn't exists SIGN_KEY_FILE=enclave-key.pem 
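Review bot: `MANIFEST_FILE="${TCF_HOME}tc/graphene/..."` has no `/` between `${TCF_HOME}` and `tc`, whereas the removed `MANIFEST_FILE_DIR` used `${TCF_HOME}/tc/...`; unless TCF_HOME happens to end in a slash the path is wrong, and because the per-file `[ ! -f ... ]` check was removed together with the loop, the bad path only surfaces when `./gsc build` fails instead of as the explicit error the old script printed. Restore the separator and the guard, with a non-zero exit (the old bare `exit` after `echo` returned 0): `MANIFEST_FILE="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest"`, `if [ ! -f "$MANIFEST_FILE" ]; then echo "ERROR: Manifest file $MANIFEST_FILE doesn't exist"; exit 1; fi`, and quote the expansions in `./gsc build --insecure-args "$IMAGE_NAME" "$MANIFEST_FILE"`. The identical lines appear in build_gsc_fibonacci_workload.sh (hunk @@ -37,30 +38,12 on a later line) and need the same fix.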
@@ -70,4 +53,5 @@ fi # Sign image to generate final GSC image echo "Generate Signed GSC image" -./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE +./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE + diff --git a/docs/graphene-workload-tutorial/workload/setup.py.template b/docs/graphene-workload-tutorial/workload/setup.py.template new file mode 100644 index 000000000..ef38790f6 --- /dev/null +++ b/docs/graphene-workload-tutorial/workload/setup.py.template @@ -0,0 +1,34 @@ +#!/usr/bin/env python + +# Copyright 2021 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import sys + +# This should only be run with python3 +if sys.version_info[0] < 3: + print('ERROR: must run with python3') + sys.exit(1) + +from setuptools import setup, find_packages + +setup(name='avalon_python_{{ my_workload }}_workload', + version=0.6, + description='Avalon python workload for Graphene', + author='Hyperledger Avalon', + url='https://github.com/hyperledger/avalon', + packages=find_packages(), + data_files=[], + entry_points={} + ) diff --git a/enclave_manager/Dockerfile-graphene b/enclave_manager/Dockerfile-graphene index fc2eaa13e..465968321 100644 --- a/enclave_manager/Dockerfile-graphene +++ b/enclave_manager/Dockerfile-graphene 
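Review bot: `version=0.6` passes a float where setuptools expects a version string; it is coerced through `str()`, so a future `0.60` would silently become `0.6` — write `version='0.6'`. The python3 guard reports its error on stdout via `print(...)`; since `print(..., file=sys.stderr)` is a syntax error on the Python 2 interpreters the guard exists for, use `sys.stderr.write('ERROR: must run with python3\n')` instead. The generated file also has no module docstring; a one-line `"""setuptools packaging for the {{ my_workload }} Graphene workload."""` after the license header would help readers of the rendered template.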
@@ -167,8 +167,6 @@ COPY ./enclave_manager/Makefile-graphene /project/avalon/enclave_manager/ COPY ./enclave_manager/avalon_enclave_manager/*.py /project/avalon/enclave_manager/avalon_enclave_manager/ COPY ./enclave_manager/avalon_enclave_manager/${ENCLAVE_TYPE} /project/avalon/enclave_manager/avalon_enclave_manager/${ENCLAVE_TYPE} COPY ./enclave_manager/avalon_enclave_manager/wpe_common /project/avalon/enclave_manager/avalon_enclave_manager/wpe_common -COPY ./wpe_mr_enclave.txt /project/avalon/ - WORKDIR /project/avalon/enclave_manager diff --git a/examples/graphene_apps/python_workloads/fibonacci/Makefile b/examples/graphene_apps/python_workloads/fibonacci/Makefile index b5dd85594..e42c986c3 100644 --- a/examples/graphene_apps/python_workloads/fibonacci/Makefile +++ b/examples/graphene_apps/python_workloads/fibonacci/Makefile @@ -32,7 +32,6 @@ build : install: @echo INSTALLING WHEEL FILE ================= pip3 install $(WHEEL_FILE) - clean: if pip3 uninstall --yes $(WHEEL_FILE); then echo UNINSTALLED $(WHEEL_FILE) WHEEL FILE ; fi rm -rf build deps dist *.egg-info diff --git a/examples/graphene_apps/python_workloads/fibonacci/README.md b/examples/graphene_apps/python_workloads/fibonacci/README.md index 6f119c407..58dc3741a 100644 --- a/examples/graphene_apps/python_workloads/fibonacci/README.md +++ b/examples/graphene_apps/python_workloads/fibonacci/README.md 
@@ -60,7 +60,7 @@ https://creativecommons.org/licenses/by/4.0/ - To run fibonacci workload as a docker container in Graphene-SGX environment and to use a test application to send work order requests, execute the following command from [fibonacci](https://github.com/hyperledger/avalon/tree/master/examples/graphene_apps/python_workloads/fibonacci) directory. - `docker-compose -f docker-compose.yaml -f compose/graphene-sgx.yaml up` + `docker-compose -f docker-compose.yaml -f compose/graphene-wpe-sgx.yaml up` Above command will run test work orders listed in file [*test_fib_work_orders.json*](http://github.com/hyperledger/avalon/tree/master/examples/graphene_apps/python_workloads/fibonacci/tests/test_fib_work_orders.json). diff --git a/examples/graphene_apps/python_workloads/fibonacci/graphene_sgx/build_gsc_fibonacci_workload.sh b/examples/graphene_apps/python_workloads/fibonacci/graphene_sgx/build_gsc_fibonacci_workload.sh index 1573c022a..d28e5297f 100755 --- a/examples/graphene_apps/python_workloads/fibonacci/graphene_sgx/build_gsc_fibonacci_workload.sh +++ b/examples/graphene_apps/python_workloads/fibonacci/graphene_sgx/build_gsc_fibonacci_workload.sh @@ -18,6 +18,7 @@ # Avalon python worker docker image name. IMAGE_NAME=avalon-fibonacci-workload-dev +echo "Building GSC image $IMAGE_NAME started" # Graphenized docker image name for python worker. GSC_IMAGE_NAME=gsc-$IMAGE_NAME 
@@ -37,30 +38,12 @@ if [ "$GSC_IMAGE_EXISTS" = "yes" ]; then sudo docker rmi $GSC_IMAGE_NAME --force fi -# Manifest files -MANIFEST_FILE_DIR="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest" -MANIFEST_FILES="python.manifest -sh.manifest -gcc.manifest -collect2.manifest -ld.manifest" -# Generate list of manifest files -LIST_MANIFEST_FILES="" -for f in $MANIFEST_FILES -do - FILE_NAME=${MANIFEST_FILE_DIR}/$f - if [ ! -f $FILE_NAME ]; then - echo "ERROR:Manifest file $FILE_NAME doesn't exist" - exit - fi - LIST_MANIFEST_FILES+=${MANIFEST_FILE_DIR}/$f - LIST_MANIFEST_FILES+=" " -done -echo $LIST_MANIFEST_FILES +# Manifest file +MANIFEST_FILE="${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest" # Build image echo "Build unsigned GSC image" -./gsc build --insecure-args $IMAGE_NAME $LIST_MANIFEST_FILES +./gsc build --insecure-args $IMAGE_NAME $MANIFEST_FILE # Generate signing key if it doesn't exists SIGN_KEY_FILE=enclave-key.pem @@ -70,13 +53,5 @@ fi # Sign image to generate final GSC image echo "Generate Signed GSC image" -./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE +./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE -# Extract enclave info from GSC image -./gsc info-image $GSC_IMAGE_NAME > gsc-info.toml - -# Extract mrenclave corresponding to python and persist to file -python3 $TCF_HOME/scripts/mr_enclave.py - -# Move MRENCLAVE file to TCF_HOME -mv wpe_mr_enclave.txt $TCF_HOME diff --git a/examples/graphene_apps/python_workloads/fibonacci/src/fibonacci.py b/examples/graphene_apps/python_workloads/fibonacci/src/fibonacci.py index 15e20b194..91f053170 100644 --- a/examples/graphene_apps/python_workloads/fibonacci/src/fibonacci.py +++ b/examples/graphene_apps/python_workloads/fibonacci/src/fibonacci.py @@ -54,7 +54,6 @@ def execute(self, in_data_array): logger.error(out_msg) result = False return result, out_msg_bytes - # ------------------------------------------------------------------------- def _fibonacci(self, n): 
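Review bot: After the rewritten `./gsc sign-image` line the script no longer runs `gsc info-image` or `mr_enclave.py`, so the signed workload's MRENCLAVE is not recorded anywhere, and the enclave_manager Dockerfile hunk in this commit drops the `COPY ./wpe_mr_enclave.txt` that consumed it. If the enclave manager still compares the WPE's measurement against an expected value before accepting it, that comparison now has no input from this build; if the measurement is obtained some other way now, the script should say so. Suggest a trailing comment: `# MRENCLAVE is no longer extracted here; see <enclave manager docs> for how the workload measurement is obtained`. Whether the enclave manager still needs the value cannot be determined from this diff.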
diff --git a/tc/graphene/python_worker/compose/graphene-sgx.yaml b/tc/graphene/python_worker/compose/graphene-sgx.yaml index d0101296c..639d910f3 100644 --- a/tc/graphene/python_worker/compose/graphene-sgx.yaml +++ b/tc/graphene/python_worker/compose/graphene-sgx.yaml @@ -18,7 +18,4 @@ services: process-work-order: image: gsc-avalon-python-worker-dev devices: - - "/dev/gsgx:/dev/gsgx" - - "/dev/isgx:/dev/isgx" - volumes: - - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket + - "dev/sgx_enclave:/dev/sgx_enclave" diff --git a/tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest b/tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest new file mode 100644 index 000000000..1b590bb56 --- /dev/null +++ b/tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest @@ -0,0 +1,26 @@ +sgx.enclave_size = "256M" # Minimum enclave size, can be increased based on the requirements +sgx.thread_num = 8 +sgx.allow_file_creation = 1 +sgx.file_check_policy = "allow_all_but_log" + + +# the below files may differ from Docker container to Docker container, so they are marked as +# allowed (this may be insecure if untrusted host maliciously modified these files!) +# sgx.allowed_files.etchostname = "file:/etc/hostname" +# sgx.allowed_files.etchosts = "file:/etc/hosts" +# sgx.allowed_files.etcresolv = "file:/etc/resolv.conf" + +# Below are the required files to be allowed for "Gramine Integration with Avalon" +sgx.allowed_files = [ + "file:/usr/local/lib/python3.9/", + "file:/home/python_worker/bash", # for getdents test + "file:/etc/hostname", + "file:/etc/hosts", + "file:/etc/resolv.conf", + "file:/root/.python_history-00001.tmp", + "file:/tmp" +] + +# To enable eventfd() for using libzmq system calls, which is disable in Graphene by default. +sys.insecure__allow_eventfd = true +
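Review bot: The added `- "dev/sgx_enclave:/dev/sgx_enclave"` is missing the leading slash on the host side, unlike the three sibling compose files in this commit which map `"/dev/sgx_enclave:/dev/sgx_enclave"`; a relative host path does not name the kernel's SGX device node, so the python worker container would either start without enclave access or have the mapping rejected by Compose. Change it to `- "/dev/sgx_enclave:/dev/sgx_enclave"`.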
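Review bot: `sgx.file_check_policy = "allow_all_but_log"` switches off integrity checking for every file not listed as trusted, and `sgx.allowed_files` then whitelists the whole `/usr/local/lib/python3.9/` tree, so the interpreter's standard library is loaded unverified and the signed measurement no longer covers the code the enclave actually runs — the file's own comment at lines 7–8 acknowledges this is insecure against a malicious host. For anything beyond a development build, use `sgx.file_check_policy = "strict"` and move the Python library into `sgx.trusted_files` (hashed when the image is signed), keeping only the genuinely host-varying entries (`/etc/hostname`, `/etc/hosts`, `/etc/resolv.conf`, `/tmp`) in `sgx.allowed_files`; the `"file:/home/python_worker/bash"` entry marked `# for getdents test` reads as a test artifact that should not ship in the worker manifest. The commented-out `sgx.allowed_files.etc*` lines use the old dotted syntax and duplicate entries already in the list, so they are dead configuration and can go. The comment above `sys.insecure__allow_eventfd` should read `which is disabled in Graphene by default`.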