fix: Fix Docker issues
binglekruger committed Nov 28, 2024
1 parent 45bb6d5 commit e539562
Showing 3 changed files with 44 additions and 7 deletions.
1 change: 1 addition & 0 deletions sgx-mvp/docker/.gitignore
@@ -0,0 +1 @@
docker-sgx-mvp.sig
24 changes: 20 additions & 4 deletions sgx-mvp/docker/Dockerfile
Expand Up @@ -60,8 +60,10 @@ ENV PATH="/root/.cargo/bin:${PATH}"

# Clone only the sgx-mvp directory
WORKDIR /app
RUN git clone --depth 1 --sparse https://github.com/ntls-io/trusted-compute-MVP.git && \
RUN git config --global core.sparseCheckout true && \
git clone --depth 1 --filter=blob:none https://github.com/ntls-io/trusted-compute-MVP.git && \
cd trusted-compute-MVP && \
git sparse-checkout init --cone && \
git sparse-checkout set sgx-mvp

# Create necessary library directory
Expand All @@ -71,10 +73,20 @@ RUN mkdir -p /lib/x86_64-pc-linux-gnu && \
RUN mkdir -p /var/run/aesmd/

# Build the MVP with temporarily mounted key
RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/keys/enclave-key.pem \
RUN --mount=type=secret,id=enclave_key,target=/app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem \
cd /app/trusted-compute-MVP/sgx-mvp && \
make SGX=1 RA_TYPE=dcap && \
rm -f /app/trusted-compute-MVP/keys/enclave-key.pem
make SGX=1 RA_TYPE=dcap

# Verify signing key cleanup
RUN echo "Verifying key cleanup..." && \
if [ -f /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem ]; then \
echo "ERROR: Signing key still present!" && \
ls -l /app/trusted-compute-MVP/sgx-mvp/keys/enclave-key.pem && \
exit 1; \
else \
echo "SUCCESS: Verified that signing key was properly removed." && \
ls -la /app/trusted-compute-MVP/sgx-mvp/keys/ || echo "keys directory does not exist (expected)"; \
fi

COPY restart_aesm.sh /restart_aesm.sh

Expand All @@ -93,8 +105,12 @@ RUN apt-get update && \
RUN echo '#!/bin/bash\n\
/restart_aesm.sh\n\
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080 & \n\
cd /app/trusted-compute-MVP/sgx-mvp && \
gramine-sgx sgx-mvp\n'\
> /start.sh && chmod +x /start.sh

# Set the working directory where the manifest file is located
WORKDIR /app/trusted-compute-MVP/sgx-mvp

ENTRYPOINT ["/bin/sh", "-c"]
CMD ["/start.sh"]
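Review bot: The clone in the first hunk, `git clone --depth 1 --filter=blob:none https://github.com/ntls-io/trusted-compute-MVP.git`, pins no ref, so each build takes whatever the remote default branch holds at that moment, and the enclave produced by `make SGX=1 RA_TYPE=dcap` in the second hunk (and the `sgx-mvp.sig` that build.sh extracts from the image) can differ in measurement between two otherwise identical builds. Pin the source with a build argument, e.g. `ARG MVP_REF=<tag-or-branch>` above the RUN and `git clone --depth 1 --filter=blob:none --branch "${MVP_REF}" https://github.com/ntls-io/trusted-compute-MVP.git && \`; `--branch` accepts only branch or tag names, so to pin an exact commit fetch that commit explicitly and check it out instead. The added `git config --global core.sparseCheckout true` looks redundant, since `git sparse-checkout init --cone` on the following lines enables that setting for the cloned repository itself; confirm before dropping it. The RUN instruction is complete within the hunk.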
26 changes: 23 additions & 3 deletions sgx-mvp/docker/build.sh
Expand Up @@ -3,6 +3,16 @@ set -euo pipefail

usage() {
echo "Usage: build.sh [ubuntu20,ubuntu22]"
echo ""
echo "Before building, ensure you have:"
echo "1. Generated your Gramine signing key at /keys/enclave-key.pem"
echo "2. Set proper permissions (chmod 400) on your key"
echo ""
echo "To generate a development key (if you haven't already):"
echo " gramine-sgx-gen-private-key /keys/enclave-key.pem"
echo " chmod 400 /keys/enclave-key.pem"
echo ""
echo "Note: For production deployments, use your production signing key."
exit 1
}

Expand Down Expand Up @@ -31,10 +41,15 @@ esac
# Check if key exists
if [ ! -f "$key_path" ]; then
echo "No signing key found at $key_path"
echo "For development:"
echo ""
echo "For development environments:"
echo " gramine-sgx-gen-private-key /keys/enclave-key.pem"
echo "For production:"
echo " Please use your production signing key"
echo " chmod 400 /keys/enclave-key.pem"
echo ""
echo "For production environments:"
echo " Please use your secure production signing key"
echo " Copy it to /keys/enclave-key.pem"
echo " Ensure permissions are set with: chmod 400 /keys/enclave-key.pem"
exit 1
fi

Expand All @@ -46,4 +61,9 @@ docker build \
-t sgx-mvp:stable-"${codename}" \
.

# Extract the sig file using a temporary container
container_id=$(docker create sgx-mvp:stable-"${codename}")
docker cp "$container_id":/app/trusted-compute-MVP/sgx-mvp/sgx-mvp.sig docker-sgx-mvp.sig
docker rm "$container_id"

echo "Build complete!"
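Review bot: The extraction block in the last hunk can leave the temporary container behind: with `set -euo pipefail` in force, a failing `docker cp` (for instance if the .sig path inside the image changes) aborts the script before `docker rm "$container_id"` runs, so every failed attempt leaves a stopped container on the build host. Register the cleanup right after creation, `trap 'docker rm "$container_id" >/dev/null 2>&1 || true' EXIT`, and drop the trailing `docker rm`, so removal happens on both success and failure. The comment on the block only says that the .sig is extracted; a short line on what consumes `docker-sgx-mvp.sig` afterwards (presumably something attestation-related, which would explain the matching .gitignore entry in this commit) would help the next reader.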
