add docker target for sgx service build; add enclave signing key init…

…ialization in the repository (if one exists on the host); add docker volumes and devices that are necessary for sgx; add docker compose yaml for sgx testing

Signed-off-by: Bruno Vavala <[email protected]>

docker/Makefile

@@ -71,12 +71,21 @@ build_% : repository
 		--tag pdo_$*:$(PDO_VERSION) \
 		--file '$(DOCKER_DIR)'/pdo_$*.dockerfile .
 
+build_sgx_services : repository
+	docker build $(DOCKER_ARGS) \
+        --build-arg PDO_VERSION=$(PDO_VERSION) \
+        --build-arg SGX_MODE=HW \
+        --tag pdo_services:$(PDO_VERSION) \
+        --file $(DOCKER_DIR)/pdo_services.dockerfile .
+
 # docker build dependencies
 build_client: build_base
 build_services: build_services_base
 build_services_base: build_base
 build_ccf: build_ccf_base
 
+build_sgx_services: build_services_base
+
 clean_% :
 	docker rmi -f pdo_$*:$(PDO_VERSION)
 
@@ -112,6 +121,12 @@ stop_client :
 # performance requirements are relatively low.
 # -----------------------------------------------------------------
 repository :
+	# if an enclave signing key is available on the host, copy that under build/keys in the repo
+	# Note: the docker build (see PDO_ENCLAVE_CODE_SIGN_PEM in environment.sh) expects the key there
+	[ ! -e ${PDO_ENCLAVE_CODE_SIGN_PEM} ] ||\
+		(test ${PDO_ENCLAVE_CODE_SIGN_PEM} -ef ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem || \
+		cp ${PDO_ENCLAVE_CODE_SIGN_PEM} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem)
+	# clone the repo
 	git clone --single-branch --branch $(PDO_BRANCH) --recurse-submodules '$(PDO_REPO)' repository
 
 clean_repository :
@@ -130,12 +145,30 @@ TEST_FILES += -f services_base.yaml
 TEST_FILES += -f ccf_base.yaml
 TEST_FILES += -f test.yaml
 
+TEST_SGX_FILES = ${TEST_FILES}
+TEST_SGX_FILES += -f test-sgx.yaml
+
+SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+				then echo "/dev/isgx"; \
+				elif [ -e "/dev/sgx/enclave" ]; \
+					then echo "/dev/sgx/enclave"; \
+				else echo "ERROR: NO SGX DEVICE FOUND"; \
+				fi)
+
+DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose
+
 build_test : repository build_services build_ccf build_client
 
 test : clean_config clean_repository build_test stop_all
 	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit
 	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down
 
+sgx_build_test : repository build_sgx_services build_ccf build_client
+
+sgx_test : clean_config clean_repository sgx_build_test stop_all
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) down
+
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away
 # unless they are told to very nicely. Until they go away they hold onto

docker/pdo_services.dockerfile

@@ -27,6 +27,9 @@ FROM pdo_services_base:${PDO_VERSION}
 # -----------------------------------------------------------------
 ARG REBUILD=0
 
+ARG SGX_MODE=SIM
+ENV SGX_MODE $SGX_MODE
+
 ARG PDO_DEBUG_BUILD=0
 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD}
 

docker/test-sgx.yaml

@@ -0,0 +1,27 @@
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+version: "3.4"
+
+services:
+  ccf_container:
+    environment:
+      - SGX_MODE=HW
+
+  services_container:
+    volumes:
+      - /var/run/aesmd:/var/run/aesmd
+    devices:
+      - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx}
+

docker/tools/environment.sh

@@ -44,14 +44,7 @@ fi
 
 export XFER_DIR=${XFER_DIR:-/project/pdo/xfer}
 
-# if the container is running HW mode, then we will grab the
-# SGX keys from the xfer directory; we know that the default
-# keys must be overridden
-if [ ${SGX_MODE} == "HW" ]; then
-    export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx
-else
-    export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
-fi
+export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
 
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves

docker/tools/run_services_tests.sh

@@ -27,6 +27,16 @@ check_pdo_runtime_env
 export no_proxy=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$no_proxy
 export NO_PROXY=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$NO_PROXY
 
+# -----------------------------------------------------------------
+yell copy sgx keys
+# -----------------------------------------------------------------
+# this collateral *must* be copied before configuring the services
+# as it will be included in the service/enclave toml files
+[ -z "$(ls -A ${XFER_DIR}/services/keys/sgx/)" ] ||\
+    cp ${XFER_DIR}/services/keys/sgx/* ${PDO_SGX_KEY_ROOT}
+# refresh the environment variables (necessary for SGX-related ones)
+source /project/pdo/tools/environment.sh
+
 # -----------------------------------------------------------------
 yell configure services for host $PDO_HOSTNAME and ledger $PDO_LEDGER_URL
 # -----------------------------------------------------------------
@@ -56,7 +66,7 @@ yell check for registration
 # -----------------------------------------------------------------
 # this probably requires additional CCF keys, need to test this
 if [ "$SGX_MODE" == "HW" ]; then
-    if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+    if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
         die unable to locate CCF policies keys
     fi
 

docker/tools/start_services.sh

@@ -115,7 +115,7 @@ try cp ${XFER_DIR}/ccf/keys/networkcert.pem ${PDO_LEDGER_KEY_ROOT}/
 yell register the enclave if necessary
 # -----------------------------------------------------------------
 if [ "${F_REGISTER,,}" == 'yes' ]; then
-    if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+    if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
         die unable to locate CCF policies keys
     fi
 

eservice/bin/register-with-ledger.sh

@@ -69,11 +69,14 @@ function Store {
     yell Download IAS certificates and Compute the enclave information
     try eservice-enclave-info \
         --spid ${SPID} \
+        --spid-api-key ${PDO_SPID_API_KEY} \
         --save ${eservice_enclave_info_file} \
         --loglevel warn \
+        --logfile __screen__ \
         --identity ${ESERVICE_IDENTITY} \
         --config ${ESERVICE_TOML} ${ENCLAVE_TOML} \
         --config-dir ${ETCDIR}
+    yell Enclave info are ready
 }
 
 # Registers MR_ENCLAVE & BASENAMES with Ledger
@@ -88,6 +91,7 @@ function Register {
         : "PDO_IAS_KEY_PEM" "${PDO_IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 
         if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
+            yell Register enclave with CCF ledger
             source ${PDO_INSTALL_ROOT}/bin/activate
             try ${PDO_INSTALL_ROOT}/bin/ccf_set_expected_sgx_measurements \
                 --logfile __screen__ --loglevel INFO --mrenclave ${VAR_MRENCLAVE} \

eservice/pdo/eservice/scripts/EServiceEnclaveInfoCLI.py

@@ -37,8 +37,7 @@ def GetBasename(spid, save_path, config) :
     while True :
         try :
             logger.debug('initialize the enclave')
-            enclave_config = {}
-            info = pdo_enclave_helper.get_enclave_service_info(spid, config=enclave_config)
+            info = pdo_enclave_helper.get_enclave_service_info(spid)
 
             logger.info('save MR_ENCLAVE and MR_BASENAME to %s', save_path)
             with open(save_path, "w") as file :
@@ -170,7 +169,7 @@ def Main() :
     sys.stderr = plogger.stream_to_logger(logging.getLogger('STDERR'), logging.WARN)
 
     # GO!
-    LocalMain(config, spid, save_path)
+    LocalMain(config, spid, spid_api_key, save_path)
 
 ## -----------------------------------------------------------------
 ## Entry points