Gramine Integration with Avalon #775
base: main
Changes from 1 commit
@@ -38,29 +38,13 @@ if [ "$GSC_IMAGE_EXISTS" = "yes" ]; then | |
fi | ||
|
||
# Manifest files | ||
MANIFEST_FILE_DIR="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest" | ||
MANIFEST_FILES="python.manifest | ||
sh.manifest | ||
gcc.manifest | ||
collect2.manifest | ||
ld.manifest" | ||
# Generate list of manifest files | ||
LIST_MANIFEST_FILES="" | ||
for f in $MANIFEST_FILES | ||
do | ||
FILE_NAME=${MANIFEST_FILE_DIR}/$f | ||
if [ ! -f $FILE_NAME ]; then | ||
echo "ERROR:Manifest file $FILE_NAME doesn't exist" | ||
exit | ||
fi | ||
LIST_MANIFEST_FILES+=${MANIFEST_FILE_DIR}/$f | ||
LIST_MANIFEST_FILES+=" " | ||
done | ||
echo $LIST_MANIFEST_FILES | ||
|
||
MANIFEST_FILE="${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest" | ||
echo $MANIFEST_FILE | ||
|
||
# Build image | ||
echo "Build unsigned GSC image" | ||
./gsc build --insecure-args $IMAGE_NAME $LIST_MANIFEST_FILES | ||
sudo ./gsc build --insecure-args $IMAGE_NAME $MANIFEST_FILE | ||
Review comment: Why is sudo needed here? The gsc binary should run with user permission itself.
Author reply: Yes, sudo is not required. gsc runs with user permission; tested with the Gramine production release. Removed sudo in all the gsc build scripts.
||
|
||
# Generate signing key if it doesn't exists | ||
SIGN_KEY_FILE=enclave-key.pem | ||
|
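Review bot: the new `MANIFEST_FILE="${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest"` drops the `/` between `${TCF_HOME}` and `tc`, so the path only resolves when `TCF_HOME` happens to end in a slash; the removed `MANIFEST_FILE_DIR` line shows the intended form `"${TCF_HOME}/tc/..."`. Removing the loop also removed the `[ ! -f $FILE_NAME ]` guard, so a missing manifest now surfaces only as a `gsc build` failure. Suggest `MANIFEST_FILE="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest"` followed by `[ -f "$MANIFEST_FILE" ] || { echo "ERROR: Manifest file $MANIFEST_FILE doesn't exist"; exit 1; }`, and quote `"$MANIFEST_FILE"` in the `gsc build` call (the old loop's bare `exit` returned status 0 on error, which the replacement should not repeat).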
@@ -70,4 +54,7 @@ fi | |
|
||
# Sign image to generate final GSC image | ||
echo "Generate Signed GSC image" | ||
./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE | ||
sudo ./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE | ||
|
||
# Retrieve SGX-related information from graphenized image using gsc info-image | ||
# sudo ./gsc info-image $IMAGE_NAME | ||
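Review bot: `sudo ./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE` runs the signing step as root, so anything it writes into the checkout becomes root-owned and a later unprivileged run cannot overwrite it; drop `sudo` here as agreed for the build step. The commented `# sudo ./gsc info-image $IMAGE_NAME` is dead code and should be deleted rather than kept as a reminder; if the SGX measurement output is still wanted, keep a real `./gsc info-image` call and its output file instead of this comment.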
Review comment: Remove commented lines.
Author reply: Removed.
@@ -0,0 +1,34 @@ | ||
#!/usr/bin/env python | ||
|
||
# Copyright 2020 Intel Corporation | ||
Review comment: Change copyright to 2021.
Author reply: Updated the copyright to 2021.
||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
import sys | ||
|
||
# This should only be run with python3 | ||
if sys.version_info[0] < 3: | ||
print('ERROR: must run with python3') | ||
sys.exit(1) | ||
|
||
from setuptools import setup, find_packages | ||
|
||
setup(name='avalon_python_{{ my_workload }}_workload', | ||
version=0.6, | ||
description='Avalon python workload for Graphene', | ||
author='Hyperledger Avalon', | ||
url='https://github.com/hyperledger/avalon', | ||
packages=find_packages(), | ||
data_files=[], | ||
entry_points={} | ||
) |
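Review bot: `version=0.6` passes a float where setuptools expects a string; use `version='0.6'` (a float cannot carry a trailing zero or a third component, and newer setuptools warn on non-string versions). The `{{ my_workload }}` placeholder in `name=` indicates this file is rendered from a template, so confirm it is kept as a template and rendered before packaging rather than shipped as a plain `setup.py`. The Python 3 guard sits before `from setuptools import ...`, which is the right order; the copyright year should read 2021, as already noted in review.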
@@ -167,7 +167,7 @@ COPY ./enclave_manager/Makefile-graphene /project/avalon/enclave_manager/ | |
COPY ./enclave_manager/avalon_enclave_manager/*.py /project/avalon/enclave_manager/avalon_enclave_manager/ | ||
COPY ./enclave_manager/avalon_enclave_manager/${ENCLAVE_TYPE} /project/avalon/enclave_manager/avalon_enclave_manager/${ENCLAVE_TYPE} | ||
COPY ./enclave_manager/avalon_enclave_manager/wpe_common /project/avalon/enclave_manager/avalon_enclave_manager/wpe_common | ||
COPY ./wpe_mr_enclave.txt /project/avalon/ | ||
# COPY ./wpe_mr_enclave.txt /project/avalon/ | ||
Review comment: Remove the line.
Author reply: Removed.
||
|
||
|
||
WORKDIR /project/avalon/enclave_manager | ||
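Review bot: commenting out `COPY ./wpe_mr_enclave.txt /project/avalon/` leaves a dead line in the Dockerfile; delete it outright. More importantly, this file carried the MRENCLAVE that `mr_enclave.py` extracted in the build script, and that extraction step is removed in the same PR, so the enclave manager image no longer receives that measurement. Confirm nothing under `avalon_enclave_manager` still reads `wpe_mr_enclave.txt`, and state in the PR how the workload enclave measurement is now supplied to the enclave manager.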
@@ -18,6 +18,7 @@ | |
|
||
# Avalon python worker docker image name. | ||
IMAGE_NAME=avalon-fibonacci-workload-dev | ||
echo "Building GSC image $IMAGE_NAME started" | ||
# Graphenized docker image name for python worker. | ||
GSC_IMAGE_NAME=gsc-$IMAGE_NAME | ||
|
||
|
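Review bot: the added `echo "Building GSC image $IMAGE_NAME started"` prints the base image name, while the GSC image actually being built is `GSC_IMAGE_NAME=gsc-$IMAGE_NAME`, assigned two lines later; move the echo after that assignment and print `$GSC_IMAGE_NAME` so the log line matches what the script produces.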
@@ -38,29 +39,13 @@ if [ "$GSC_IMAGE_EXISTS" = "yes" ]; then | |
fi | ||
|
||
# Manifest files | ||
MANIFEST_FILE_DIR="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest" | ||
MANIFEST_FILES="python.manifest | ||
sh.manifest | ||
gcc.manifest | ||
collect2.manifest | ||
ld.manifest" | ||
# Generate list of manifest files | ||
LIST_MANIFEST_FILES="" | ||
for f in $MANIFEST_FILES | ||
do | ||
FILE_NAME=${MANIFEST_FILE_DIR}/$f | ||
if [ ! -f $FILE_NAME ]; then | ||
echo "ERROR:Manifest file $FILE_NAME doesn't exist" | ||
exit | ||
fi | ||
LIST_MANIFEST_FILES+=${MANIFEST_FILE_DIR}/$f | ||
LIST_MANIFEST_FILES+=" " | ||
done | ||
echo $LIST_MANIFEST_FILES | ||
|
||
MANIFEST_FILE="./avalon.manifest" #"${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/python.manifest" | ||
Review comment: It's better to address the file with an absolute path than a relative path; it leads to bugs if run from different paths.
Author reply: Addressed the file with an absolute path.
||
echo $MANIFEST_FILE | ||
|
||
# Build image | ||
echo "Build unsigned GSC image" | ||
./gsc build --insecure-args $IMAGE_NAME $LIST_MANIFEST_FILES | ||
sudo ./gsc build --insecure-args $IMAGE_NAME $MANIFEST_FILE | ||
Review comment: Remove sudo here and everywhere.
||
|
||
# Generate signing key if it doesn't exists | ||
SIGN_KEY_FILE=enclave-key.pem | ||
|
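Review bot: `MANIFEST_FILE="./avalon.manifest"` resolves against the caller's working directory rather than the script's location, so the build breaks when invoked from elsewhere (as already raised); the trailing commented alternative `#"${TCF_HOME}tc/...python.manifest"` should be dropped rather than left beside it, and it also lacks the `/` after `${TCF_HOME}` that the removed `MANIFEST_FILE_DIR` line had. Removing the loop also removed the only existence check on the manifest; keep a `[ -f "$MANIFEST_FILE" ] || { echo "ERROR: Manifest file $MANIFEST_FILE doesn't exist"; exit 1; }` guard in front of `gsc build`, and quote the variable in that call.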
@@ -70,13 +55,7 @@ fi | |
|
||
# Sign image to generate final GSC image | ||
echo "Generate Signed GSC image" | ||
./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE | ||
|
||
# Extract enclave info from GSC image | ||
./gsc info-image $GSC_IMAGE_NAME > gsc-info.toml | ||
|
||
# Extract mrenclave corresponding to python and persist to file | ||
python3 $TCF_HOME/scripts/mr_enclave.py | ||
sudo ./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE | ||
|
||
# Move MRENCLAVE file to TCF_HOME | ||
mv wpe_mr_enclave.txt $TCF_HOME | ||
# Retrieve SGX-related information from graphenized image using gsc info-image | ||
# sudo ./gsc info-image $IMAGE_NAME |
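Review bot: this hunk deletes the `./gsc info-image $GSC_IMAGE_NAME > gsc-info.toml`, `python3 $TCF_HOME/scripts/mr_enclave.py` and `mv wpe_mr_enclave.txt $TCF_HOME` steps without a replacement, so the build no longer records the workload enclave's MRENCLAVE anywhere, while the remaining `# Retrieve SGX-related information ...` / `# sudo ./gsc info-image $IMAGE_NAME` comment suggests the step is still wanted. If the measurement is still consumed (the Dockerfile `COPY` of `wpe_mr_enclave.txt` is only commented out in this PR), restore the extraction; otherwise delete the commented lines. Also drop `sudo` from `sign-image` here as on the sibling script.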
@@ -0,0 +1,26 @@ | ||
sgx.enclave_size = "256M" # Minimum enclave size, can be increased based on the requirements | ||
sgx.thread_num = 8 | ||
sgx.allow_file_creation = 1 | ||
sgx.file_check_policy = "allow_all_but_log" | ||
|
||
|
||
# the below files may differ from Docker container to Docker container, so they are marked as | ||
# allowed (this may be insecure if untrusted host maliciously modified these files!) | ||
# sgx.allowed_files.etchostname = "file:/etc/hostname" | ||
# sgx.allowed_files.etchosts = "file:/etc/hosts" | ||
# sgx.allowed_files.etcresolv = "file:/etc/resolv.conf" | ||
|
||
# Below are the required files to be allowed for "Gramine Integration with Avalon" | ||
sgx.allowed_files = [ | ||
"file:/usr/local/lib/python3.9/", | ||
"file:/home/python_worker/bash", # for getdents test | ||
"file:/etc/hostname", | ||
"file:/etc/hosts", | ||
"file:/etc/resolv.conf", | ||
"file:/root/.python_history-00001.tmp", | ||
"file:/tmp" | ||
] | ||
|
||
# To enable eventfd() for using libzmq system calls, which is disable in Graphene by default. | ||
sys.insecure__allow_eventfd = true | ||
|
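Review bot: the manifest needs an explicit comment that these settings are development-only. `sgx.file_check_policy = "allow_all_but_log"` turns off integrity checking for every file not listed as trusted, and `sgx.allowed_files` then whitelists the whole `/usr/local/lib/python3.9/` tree, `/tmp` and `/home/python_worker/bash`, so the enclave will run whatever Python code and libraries the host supplies; `sys.insecure__allow_eventfd = true` is flagged insecure by its own name. For a production manifest the Python installation belongs under trusted files with a strict file check policy, leaving only genuinely host-specific files (`/etc/hostname`, `/etc/hosts`, `/etc/resolv.conf`) as allowed. Delete the superseded commented `sgx.allowed_files.etchostname = ...` block (old per-key syntax, now replaced by the list form below it), and revisit the `# for getdents test` entry and `/root/.python_history-00001.tmp`, which read as leftovers from experimentation.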
Review comment: Need to print the manifest filename? You could remove it if it was added for debugging.
Author reply: Added for debugging purposes; removed now.