make docker build for sgx-based services generate the pdo_service_sgx…

… image Signed-off-by: Bruno Vavala <[email protected]>
bvavala · Mar 26, 2024 · 905f954 · 905f954
1 parent 45b2fac
commit 905f954
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 14 deletions.
diff --git a/docker/Makefile b/docker/Makefile
@@ -50,7 +50,7 @@ DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
 
-IMAGES=base client services_base services ccf_base ccf
+IMAGES=base client services_base services services_sgx ccf_base ccf
 
 # for the most part this is just used to force rebuild when the
 # PDO repository has changed
@@ -75,7 +75,7 @@ sgx_build_services : repository build_services_base
 	docker build $(DOCKER_ARGS) \
         --build-arg PDO_VERSION=$(PDO_VERSION) \
         --build-arg SGX_MODE=HW \
-        --tag pdo_services:$(PDO_VERSION) \
+        --tag pdo_services_sgx:$(PDO_VERSION) \
         --file $(DOCKER_DIR)/pdo_services.dockerfile .
 
 # docker build dependencies

diff --git a/docker/README.md b/docker/README.md
@@ -81,13 +81,14 @@ on how to use the client container.
 
 ### Build for SGX ###
 
-For the contract enclave to run in SGX hardware mode, the `pdo_services`
+For the contract enclave to run in SGX hardware mode, the services
 image must be built using the following target:
 ```bash
     make build_sgx_services
 ```
-Inside the `pdo_services` images, the `SGX_MODE` environment variable 
-can help distinguish the build type.
+This will create the `pdo_service_sgx` image. Inside the image,
+the `SGX_MODE=HW` environment variable further indicates that the
+service were built to run in SGX.
 
 <!--- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --->
 ## Pattern: Local Development in a Container ##
@@ -268,7 +269,8 @@ first eservice of a ledger consortium member. Hence, the first service container
 that is deputed to perform such registration must be instructed to do so.
 ```bash
     docker run -v $(SCRIPT_DIR)/xfer/:/project/pdo/xfer --network host \
-        --name ${USER}_services_container pdo_services --register
+        -v <host aesmd socket>:/var/run/aesmd --device=<host SGX device>:/dev/sgx/enclave \
+        --name ${USER}_services_container pdo_services_sgx --register
 ```
 This updated command allows to trigger the registration step right before
 starting the services. The policy registration must happen before enclaves are 

diff --git a/docker/pdo_services_base.dockerfile b/docker/pdo_services_base.dockerfile
@@ -24,9 +24,6 @@ ARG SGX=2.22
 ARG OPENSSL=3.0.12
 ARG SGXSSL=3.0_Rev1
 
-ARG SGX_MODE=SIM
-ENV SGX_MODE $SGX_MODE
-
 RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \
  && wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
  && apt-get update \
@@ -71,17 +68,16 @@ ENV PATH="/opt/intel/sgxsdk.extras/external/toolset/ubuntu${UBUNTU_VERSION}:${PA
 
 # -----------------------------------------------------------------
 # SGXSSL
-# Note that we build sgxssl with SIM mode; the SGX_MODE only changes
-# the mode for running tests and we do not want the tests run in HW
-# mode
+# Note that the SGX_MODE variable only determines the mode for
+# running tests. We do not want the tests to run in HW mode here.
+# This allows us to keep this image mode-agnostic.
 # -----------------------------------------------------------------
 WORKDIR /tmp
 RUN . /opt/intel/sgxsdk/environment \
     && git clone --depth 1 --branch ${SGXSSL} 'https://github.com/intel/intel-sgx-ssl.git' \
     && wget -q -P /tmp/intel-sgx-ssl/openssl_source https://www.openssl.org/source/openssl-${OPENSSL}.tar.gz \
     && cd /tmp/intel-sgx-ssl/Linux \
-    && if [ $SGX_MODE = SIM ] ; then SKIP_INTELCPU_CHECK=TRUE ; else SKIP_INTELCPU_CHECK=FALSE ; fi \
-    && bash -c "make SKIP_INTELCPU_CHECK=$SKIP_INTELCPU_CHECK SGX_MODE=$SGX_MODE NO_THREADS=1 DESTDIR=/opt/intel/sgxssl VERBOSE=0 all &> /dev/null" \
+    && bash -c "make SKIP_INTELCPU_CHECK=TRUE SGX_MODE=SIM NO_THREADS=1 DESTDIR=/opt/intel/sgxssl VERBOSE=0 all &> /dev/null" \
     && make install \
     && make clean \
     && rm -rf /tmp/intel-sgx-ssl

diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml
@@ -20,6 +20,7 @@ services:
       - SGX_MODE=HW
 
   services_container:
+    image: pdo_services_sgx:${PDO_VERSION:-latest}
     volumes:
       - /var/run/aesmd:/var/run/aesmd
     devices: