Intel QPL support (#31)

* Add Intel QPL to container images

* Add installation instructions for generic Intel SGX environments

Signed-off-by: Daniel Weiße <[email protected]>

.dockerignore

@@ -0,0 +1,15 @@
+vscode
+.idea
+**/target
+vendor
+**/build
+**/**/build
+admin_private.key
+admin_certificate.crt
+era-config.json
+recovery_priv.key
+recovery_pub.key
+recovery.json
+recovery_key_decrypted
+recovery_key_encrypted
+private.pem

.gitignore

@@ -4,7 +4,6 @@
 vendor
 **/build
 **/**/build
-go.sum
 admin_private.key
 admin_certificate.crt
 era-config.json
@@ -13,3 +12,4 @@ recovery_pub.key
 recovery.json
 recovery_key_decrypted
 recovery_key_encrypted
+private.pem

Dockerfile

@@ -1,24 +1,33 @@
 # syntax=docker/dockerfile:experimental
 
 FROM alpine/git:latest AS pull
-RUN git clone https://github.com/edgelesssys/emojivoto.git /emojivoto
+COPY . /emojivoto
 
 FROM ghcr.io/edgelesssys/ego-deploy:latest AS emoji_base
 RUN apt-get update && \
     apt-get install -y --no-install-recommends curl dnsutils iptables jq nghttp2 && \
     apt clean && \
     apt autoclean
+COPY ./start.sh /start.sh
 
 FROM ghcr.io/edgelesssys/ego-dev:latest AS emoji_build
-RUN go get github.com/golang/protobuf/protoc-gen-go && \
-    go get google.golang.org/grpc/cmd/protoc-gen-go-grpc
 WORKDIR /node
 RUN curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh && \
     bash nodesource_setup.sh
 RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
     echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
 RUN apt update && \
-    apt install -y yarn nodejs
+    apt install -y yarn nodejs wget tar unzip
+ARG GEN_GO_VER=1.28.1
+ARG GEN_GO_GRPC_VER=1.2.0
+ARG PB_VER=21.8
+RUN wget -q https://github.com/protocolbuffers/protobuf/releases/download/v${PB_VER}/protoc-${PB_VER}-linux-x86_64.zip && \
+    unzip protoc-${PB_VER}-linux-x86_64.zip -d /root/.local && \
+    cp /root/.local/bin/protoc /usr/local/bin/protoc
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v${GEN_GO_VER} && \
+    go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v${GEN_GO_GRPC_VER}
+ENV PATH="$PATH:/root/.local/bin:/root/go/bin"
+
 COPY --from=pull /emojivoto /emojivoto
 WORKDIR /emojivoto
 RUN --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-web/private.pem,required=true \
@@ -27,8 +36,16 @@ RUN --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-web/private.pem,r
     ego env make build
 
 FROM ghcr.io/edgelesssys/ego-dev:latest AS patch_build
-RUN go get github.com/golang/protobuf/protoc-gen-go && \
-    go get google.golang.org/grpc/cmd/protoc-gen-go-grpc
+RUN apt update && apt install -y wget tar unzip
+ARG GEN_GO_VER=1.28.1
+ARG GEN_GO_GRPC_VER=1.2.0
+ARG PB_VER=21.8
+RUN wget -q https://github.com/protocolbuffers/protobuf/releases/download/v${PB_VER}/protoc-${PB_VER}-linux-x86_64.zip && \
+    unzip protoc-${PB_VER}-linux-x86_64.zip -d /root/.local && \
+    cp /root/.local/bin/protoc /usr/local/bin/protoc
+ENV PATH="$PATH:/root/.local/bin:/root/go/bin"
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v${GEN_GO_VER} && \
+    go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v${GEN_GO_GRPC_VER}
 COPY --from=pull /emojivoto /emojivoto
 WORKDIR /emojivoto
 RUN --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-voting-svc/private.pem,required=true \
@@ -37,22 +54,22 @@ RUN --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-voting-svc/privat
 FROM emoji_base AS release_emoji_svc
 LABEL description="/emojivoto-emoji-svc"
 COPY --from=emoji_build /emojivoto/emojivoto-emoji-svc/target/emojivoto-emoji-svc /emojivoto-emoji-svc
-ENTRYPOINT ["ego", "marblerun", "/emojivoto-emoji-svc"]
+ENTRYPOINT ["/start.sh", "/emojivoto-emoji-svc"]
 
 FROM emoji_base AS release_voting_svc
 LABEL description="emojivoto-voting-svc"
 COPY --from=emoji_build /emojivoto/emojivoto-voting-svc/target/emojivoto-voting-svc /emojivoto-voting-svc
-ENTRYPOINT ["ego", "marblerun", "/emojivoto-voting-svc"]
+ENTRYPOINT ["/start.sh", "/emojivoto-voting-svc"]
 
 FROM emoji_base AS release_voting_update
 LABEL description="emojivoto-voting-update"
 COPY --from=patch_build /emojivoto/emojivoto-voting-svc/target/emojivoto-voting-svc /emojivoto-voting-svc
-ENTRYPOINT ["ego", "marblerun", "/emojivoto-voting-svc"]
+ENTRYPOINT ["/start.sh", "/emojivoto-voting-svc"]
 
 FROM emoji_base AS release_web
 LABEL description="emojivoto-web"
 COPY --from=emoji_build /emojivoto/emojivoto-web/target/emojivoto-web /emojivoto-web
 COPY --from=emoji_build /emojivoto/emojivoto-web/target/web /web
 COPY --from=emoji_build /emojivoto/emojivoto-web/target/dist /dist
 COPY --from=emoji_build /emojivoto/emojivoto-web/target/emojivoto-vote-bot /emojivoto-vote-bot
-ENTRYPOINT ["ego", "marblerun", "/emojivoto-web"]
+ENTRYPOINT ["/start.sh", "/emojivoto-web"]

README.md

@@ -34,17 +34,27 @@ Confidential emojivoto is build as a confidential computing application:
 
     Deploy with [MarbleRun CLI](https://www.marblerun.sh/docs/getting-started/quickstart/#step-1-install-the-cli)
 
-    * If you're running minikube on a machine that support SGX1+FLC (e.g.Azure Standard_DC*s)
+    * If you're running minikube on an Azure VM that supports SGX1+FLC (e.g.Azure Standard_DC*s)
 
-    ```bash
-    marblerun install
-    ```
+        ```bash
+        marblerun install
+        ```
+
+    * If you're running minikube on a generic SGX capable machine that supports SGX1+FLC
+
+        Assuming you have a PCCS reachable at `https://localhost:8081/sgx/certification/v3/`, install MarbleRun using the following command:
+
+        ```bash
+        marblerun install --dcap-qpl=intel --dcap-pccs-url="https://host.minikube.internal:8081/sgx/certification/v3/" --dcap-secure-cert="FALSE"
+        ```
+
+        See [our docs](https://docs.edgeless.systems/marblerun/deployment/kubernetes#dcap-configuration) for more information on how to configure MarbleRun for generic SGX environments.
 
     * Otherwise
 
-    ```bash
-    marblerun install --simulation
-    ```
+        ```bash
+        marblerun install --simulation
+        ```
 
     Wait for the control plane to finish installing:
 
@@ -114,17 +124,18 @@ Confidential emojivoto is build as a confidential computing application:
 
     Create a new user called `emojivoto-admin` in the `Users` section in `tools/manifest.json`.
     Set the output of the previous command as the value for `Certificate`, and create a role binding for `updateVoting`:
+
     ```javascript
     {
         //...
         "Users": {
-	    	"emojivoto-admin": {
+            "emojivoto-admin": {
                 "Certificate": "-----BEGIN CERTIFICATE-----\nMIIFazCCA1...hIl3LfuHs=\n-----END CERTIFICATE-----\n",
                 "Roles": [
                     "updateVoting"
                 ]
             }
-	    }
+        }
         //...
     }
     ```
@@ -143,16 +154,18 @@ Confidential emojivoto is build as a confidential computing application:
     ```
 
     Use the following command to preserve newlines correctly:
+
     ```bash
     awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' recovery_pub.key
     ```
 
     Set the output of the previous command in `tools/manifest.json` as the value for `recoveryKey1` in the `RecoveryKeys` section:
-    ```json
+
+    ```javascript
     //...
     "RecoveryKeys": {
-		"recoveryKey1": "-----BEGIN PUBLIC KEY-----\nMIICIjANBg...8CAwEAAQ==\n-----END PUBLIC KEY-----\n"
-	}
+        "recoveryKey1": "-----BEGIN PUBLIC KEY-----\nMIICIjANBg...8CAwEAAQ==\n-----END PUBLIC KEY-----\n"
+    }
     //...
     ```
 
@@ -185,34 +198,47 @@ Confidential emojivoto is build as a confidential computing application:
 
 1. Deploy emojivoto using [helm](https://helm.sh/docs/intro/install/)
 
-    * If you're running minikube on a machine that support SGX1+FLC
+    * If you're running minikube on an Azure VM that supports SGX1+FLC
 
-    ```bash
-    helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto
-    ```
+        ```bash
+        helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto
+        ```
+
+    * If you're running minikube on a SGX capable machine that supports SGX1+FLC
+
+        Assuming you have a PCCS reachable at `https://localhost:8081/sgx/certification/v3/`, install emojivoto using the following command:
+
+        ```bash
+        helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto \
+            --set dcap.qpl=intel \
+            --set dcap.pccsUrl="https://host.minikube.internal:8081/sgx/certification/v3/" \
+            --set dcap.useSecureCert="FALSE"
+        ```
+
+        The values for `dcap.qpl` and `dcap.useSecureCert` should be the same as the values for the flags `--dcap-pccs-url` and `--dcap-secure-cert` used when installing MarbleRun.
 
     * Otherwise
 
-    ```bash
-    helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto
-    ```
+        ```bash
+        helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto
+        ```
 
     You can check with `kubectl get pods -n emojivoto` that all pods are running.
 
-
 1. Verify the manifest
     You can verify the manifest on the client-side before using the app:
 
     * If you're running minikube on a machine that support SGX1+FLC
-    ```bash
-    marblerun manifest verify tools/manifest.json $MARBLERUN
-    ```
+
+        ```bash
+        marblerun manifest verify tools/manifest.json $MARBLERUN
+        ```
 
     * Otherwise
-    ```bash
-    marblerun manifest verify tools/manifest.json $MARBLERUN --insecure
-    ```
 
+        ```bash
+        marblerun manifest verify tools/manifest.json $MARBLERUN --insecure
+        ```
 
 1. Use the app!
 
@@ -221,7 +247,7 @@ Confidential emojivoto is build as a confidential computing application:
     ```
 
     * Browse to [https://localhost](https://localhost).
-    * If your running on a custom domain browse to https://\<your-domain\>
+    * If your running on a custom domain browse to `https://\<your-domain\>`
 
     You’ll be presented with a certificate warning because your browser does not know MarbleRun’s root certificate as a root of trust. You can safely ignore this error for now and proceed to the website.
     Voila! Your emoji votes have never been safer!
@@ -241,6 +267,7 @@ Confidential emojivoto is build as a confidential computing application:
     ```bash
     marblerun manifest update tools/update-manifest.json $MARBLERUN --cert admin_certificate.crt --key admin_private.key [--insecure]
     ```
+
     We can now update the image used by the emojivoto voting Statefulset:
 
     ```bash
@@ -345,14 +372,14 @@ The following tasks are performed by the script:
     * emojivoto-xxx.cluster-domain -> NGINX-Ingress-Controller
 1. Create an emojivoto deployment
 1. Create an ingress resource to forward traffic via HTTPS-SNI
-    * https://emojivoto-xxx.cluster-domain -> emojivoto
+    * `https://emojivoto-xxx.cluster-domain` -> emojivoto
 
 Uninstall with:
+
 ```bash
 tools/aks_uninstall.sh
 ```
 
-
 ### Generating some traffic
 
 The `VoteBot` service can generate some traffic for you. It votes on emoji

common.mk

@@ -9,7 +9,7 @@ clean:
 	mkdir -p gen
 
 protoc:
-	protoc -I .. ../proto/*.proto --go_out=plugins=grpc:gen
+	protoc -I .. ../proto/*.proto --go_out=./gen --go_opt=paths=source_relative --go-grpc_out=./gen --go-grpc_opt=paths=source_relative
 
 package: protoc compile
 

emojivoto-emoji-svc/api/api.go

@@ -10,10 +10,10 @@ import (
 
 type EmojiServiceServer struct {
 	allEmoji emoji.AllEmoji
+	pb.UnimplementedEmojiServiceServer
 }
 
 func (svc *EmojiServiceServer) ListAll(ctx context.Context, req *pb.ListAllEmojiRequest) (*pb.ListAllEmojiResponse, error) {
-
 	emoji := svc.allEmoji.List()
 
 	list := make([]*pb.Emoji, 0)
@@ -44,6 +44,6 @@ func (svc *EmojiServiceServer) FindByShortcode(ctx context.Context, req *pb.Find
 
 func NewGrpServer(grpcServer *grpc.Server, allEmoji emoji.AllEmoji) {
 	pb.RegisterEmojiServiceServer(grpcServer, &EmojiServiceServer{
-		allEmoji,
+		allEmoji: allEmoji,
 	})
 }

emojivoto-emoji-svc/enclave/enclave.json

@@ -1,6 +1,6 @@
 {
-    "Exe": "target/emojivoto-emoji-svc",
-    "Key": "private.pem",
+    "Exe": "../target/emojivoto-emoji-svc",
+    "Key": "../private.pem",
     "Debug": true,
     "Heapsize": 512,
     "ProductID": 5,