Gramine Integartion with Avalon

docker/compose/avalon-fib-gsgx.yaml

@@ -18,7 +18,4 @@ services:
   graphene-python-workload:
     image: gsc-avalon-fibonacci-workload-dev
     devices:
-      - "/dev/gsgx:/dev/gsgx"
-      - "/dev/isgx:/dev/isgx"
-    volumes:
-      - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
+      - "/dev/sgx_enclave:/dev/sgx_enclave"

docs/graphene-workload-tutorial/create_workload.py

@@ -45,7 +45,8 @@
     os.path.join("src","my_workload.py.template"),
     os.path.join("tests","test_work_orders.json.template"),
     "workload.json.template",
-    "Makefile.template"
+    "Makefile.template",
+    "setup.py.template"
 }
 
 IN_DIR = "workload"

docs/graphene-workload-tutorial/workload/avalon-workload-gsgx.yaml.template

@@ -18,7 +18,4 @@ services:
   graphene-python-workload:
     image: gsc-avalon-{{ my_workload }}-workload-dev
     devices:
-      - "/dev/gsgx:/dev/gsgx"
-      - "/dev/isgx:/dev/isgx"
-    volumes:
-      - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
+      - "/dev/sgx_enclave:/dev/sgx_enclave"

docs/graphene-workload-tutorial/workload/compose/graphene-sgx.yaml.template

@@ -18,7 +18,4 @@ services:
   process-work-order:
     image: gsc-avalon-{{ my_workload }}-workload-dev
     devices:
-      - "/dev/gsgx:/dev/gsgx"
-      - "/dev/isgx:/dev/isgx"
-    volumes:
-      - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
+      - "/dev/sgx_enclave:/dev/sgx_enclave"

docs/graphene-workload-tutorial/workload/graphene_sgx/build_gsc_workload.sh.template

@@ -1,6 +1,6 @@
 #! /bin/bash
 
-# Copyright 2020 Intel Corporation
+# Copyright 2021 Intel Corporation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -37,30 +37,13 @@ if [ "$GSC_IMAGE_EXISTS" = "yes" ]; then
   sudo docker rmi $GSC_IMAGE_NAME --force
 fi
 
-# Manifest files
-MANIFEST_FILE_DIR="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest"
-MANIFEST_FILES="python.manifest
-sh.manifest
-gcc.manifest
-collect2.manifest
-ld.manifest"
-# Generate list of manifest files
-LIST_MANIFEST_FILES=""
-for f in $MANIFEST_FILES
-do
-  FILE_NAME=${MANIFEST_FILE_DIR}/$f
-  if [ ! -f $FILE_NAME ]; then
-    echo "ERROR:Manifest file $FILE_NAME doesn't exist"
-    exit
-  fi
-  LIST_MANIFEST_FILES+=${MANIFEST_FILE_DIR}/$f
-  LIST_MANIFEST_FILES+=" "
-done
-echo $LIST_MANIFEST_FILES
+# Manifest file
+
+MANIFEST_FILE="${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest"
 
 # Build image
 echo "Build unsigned GSC image"
-./gsc build --insecure-args $IMAGE_NAME $LIST_MANIFEST_FILES
+./gsc build --insecure-args $IMAGE_NAME $MANIFEST_FILE
 
 # Generate signing key if it doesn't exists
 SIGN_KEY_FILE=enclave-key.pem
@@ -70,4 +53,5 @@ fi
 
 # Sign image to generate final GSC image
 echo "Generate Signed GSC image"
-./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE
+./gsc sign-image $IMAGE_NAME  $SIGN_KEY_FILE
+

docs/graphene-workload-tutorial/workload/setup.py.template

@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+
+# This should only be run with python3
+if sys.version_info[0] < 3:
+    print('ERROR: must run with python3')
+    sys.exit(1)
+
+from setuptools import setup, find_packages
+
+setup(name='avalon_python_{{ my_workload }}_workload',
+      version=0.6,
+      description='Avalon python workload for Graphene',
+      author='Hyperledger Avalon',
+      url='https://github.com/hyperledger/avalon',
+      packages=find_packages(),
+      data_files=[],
+      entry_points={}
+      )

enclave_manager/Dockerfile-graphene

@@ -167,8 +167,6 @@ COPY ./enclave_manager/Makefile-graphene /project/avalon/enclave_manager/
 COPY ./enclave_manager/avalon_enclave_manager/*.py /project/avalon/enclave_manager/avalon_enclave_manager/
 COPY ./enclave_manager/avalon_enclave_manager/${ENCLAVE_TYPE} /project/avalon/enclave_manager/avalon_enclave_manager/${ENCLAVE_TYPE}
 COPY ./enclave_manager/avalon_enclave_manager/wpe_common /project/avalon/enclave_manager/avalon_enclave_manager/wpe_common
-COPY ./wpe_mr_enclave.txt /project/avalon/
-
 
 WORKDIR /project/avalon/enclave_manager
 

examples/graphene_apps/python_workloads/fibonacci/Makefile

@@ -32,7 +32,6 @@ build :
 install:
 	@echo INSTALLING WHEEL FILE =================
 	pip3 install $(WHEEL_FILE)
-
 clean:
 	if pip3 uninstall --yes $(WHEEL_FILE); then echo UNINSTALLED $(WHEEL_FILE) WHEEL FILE ; fi
 	rm -rf build deps dist *.egg-info

examples/graphene_apps/python_workloads/fibonacci/README.md

@@ -60,7 +60,7 @@ https://creativecommons.org/licenses/by/4.0/
 
 - To run fibonacci workload as a docker container in Graphene-SGX environment and to use a test application to send work order requests, execute the following command from [fibonacci](https://github.com/hyperledger/avalon/tree/master/examples/graphene_apps/python_workloads/fibonacci) directory.
 
-  `docker-compose -f docker-compose.yaml -f compose/graphene-sgx.yaml up`
+  `docker-compose -f docker-compose.yaml -f compose/graphene-wpe-sgx.yaml up`
 
   Above command will run test work orders listed in file [*test_fib_work_orders.json*](http://github.com/hyperledger/avalon/tree/master/examples/graphene_apps/python_workloads/fibonacci/tests/test_fib_work_orders.json).
 

examples/graphene_apps/python_workloads/fibonacci/graphene_sgx/build_gsc_fibonacci_workload.sh

@@ -18,6 +18,7 @@
 
 # Avalon python worker docker image name.
 IMAGE_NAME=avalon-fibonacci-workload-dev
+echo "Building GSC image $IMAGE_NAME started"
 # Graphenized docker image name for python worker.
 GSC_IMAGE_NAME=gsc-$IMAGE_NAME
 
@@ -37,30 +38,12 @@ if [ "$GSC_IMAGE_EXISTS" = "yes" ]; then
   sudo docker rmi $GSC_IMAGE_NAME --force
 fi
 
-# Manifest files
-MANIFEST_FILE_DIR="${TCF_HOME}/tc/graphene/python_worker/graphene_sgx/manifest"
-MANIFEST_FILES="python.manifest
-sh.manifest
-gcc.manifest
-collect2.manifest
-ld.manifest"
-# Generate list of manifest files
-LIST_MANIFEST_FILES=""
-for f in $MANIFEST_FILES
-do
-  FILE_NAME=${MANIFEST_FILE_DIR}/$f
-  if [ ! -f $FILE_NAME ]; then
-    echo "ERROR:Manifest file $FILE_NAME doesn't exist"
-    exit
-  fi
-  LIST_MANIFEST_FILES+=${MANIFEST_FILE_DIR}/$f
-  LIST_MANIFEST_FILES+=" "
-done
-echo $LIST_MANIFEST_FILES
+# Manifest file
+MANIFEST_FILE="${TCF_HOME}tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest"
 
 # Build image
 echo "Build unsigned GSC image"
-./gsc build --insecure-args $IMAGE_NAME $LIST_MANIFEST_FILES
+./gsc build --insecure-args $IMAGE_NAME $MANIFEST_FILE
 
 # Generate signing key if it doesn't exists
 SIGN_KEY_FILE=enclave-key.pem
@@ -70,13 +53,5 @@ fi
 
 # Sign image to generate final GSC image
 echo "Generate Signed GSC image"
-./gsc sign-image $IMAGE_NAME $SIGN_KEY_FILE
+./gsc sign-image $IMAGE_NAME  $SIGN_KEY_FILE
 
-# Extract enclave info from GSC image
-./gsc info-image $GSC_IMAGE_NAME > gsc-info.toml
-
-# Extract mrenclave corresponding to python and persist to file
-python3 $TCF_HOME/scripts/mr_enclave.py
-
-# Move MRENCLAVE file to TCF_HOME
-mv wpe_mr_enclave.txt $TCF_HOME

examples/graphene_apps/python_workloads/fibonacci/src/fibonacci.py

@@ -54,7 +54,6 @@ def execute(self, in_data_array):
             logger.error(out_msg)
             result = False
         return result, out_msg_bytes
-
 # -------------------------------------------------------------------------
 
     def _fibonacci(self, n):

tc/graphene/python_worker/compose/graphene-sgx.yaml

@@ -18,7 +18,4 @@ services:
   process-work-order:
     image: gsc-avalon-python-worker-dev
     devices:
-      - "/dev/gsgx:/dev/gsgx"
-      - "/dev/isgx:/dev/isgx"
-    volumes:
-      - /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
+      - "dev/sgx_enclave:/dev/sgx_enclave"

tc/graphene/python_worker/graphene_sgx/manifest/avalon.manifest

@@ -0,0 +1,26 @@
+sgx.enclave_size = "256M" # Minimum enclave size, can be increased based on the requirements
+sgx.thread_num = 8
+sgx.allow_file_creation = 1
+sgx.file_check_policy = "allow_all_but_log"
+
+
+# the below files may differ from Docker container to Docker container, so they are marked as
+# allowed (this may be insecure if untrusted host maliciously modified these files!)
+# sgx.allowed_files.etchostname = "file:/etc/hostname"
+# sgx.allowed_files.etchosts    = "file:/etc/hosts"
+# sgx.allowed_files.etcresolv   = "file:/etc/resolv.conf"
+
+# Below are the required files to be allowed for "Gramine Integration with Avalon"
+sgx.allowed_files = [
+  "file:/usr/local/lib/python3.9/",
+  "file:/home/python_worker/bash", # for getdents test
+  "file:/etc/hostname",
+  "file:/etc/hosts",
+  "file:/etc/resolv.conf",
+  "file:/root/.python_history-00001.tmp",
+  "file:/tmp"
+]
+
+# To enable eventfd() for using libzmq system calls, which is disable in Graphene by default.
+sys.insecure__allow_eventfd = true
+