From 12864aa120f8087c45a57ff6ba1e9b8c1536fb3d Mon Sep 17 00:00:00 2001
From: Bruno Vavala
Date: Tue, 5 Nov 2024 22:48:39 +0000
Subject: [PATCH] move attestation api dependencies for pdo to separate script, and call that from pdo docker build
Signed-off-by: Bruno Vavala
---
build/common-config.sh | 6 ++
common/crypto/attestation-api/CMakeLists.txt | 5 ++
.../docker/container/README.md | 3 +
.../attestation-api/docker/container/setup.sh | 71 +++++++++++++++++++
docker/pdo_services_base.dockerfile | 48 ++-----------
docker/tools/environment.sh | 1 +
6 files changed, 91 insertions(+), 43 deletions(-)
create mode 100644 common/crypto/attestation-api/docker/container/README.md
create mode 100755 common/crypto/attestation-api/docker/container/setup.sh
diff --git a/build/common-config.sh b/build/common-config.sh
index 5c8873cd..363c9cbb 100755
--- a/build/common-config.sh
+++ b/build/common-config.sh
@@ -34,6 +34,12 @@ var_set() { " env_key_sort[$i]="WASM_SRC"; i=$i+1; export WASM_SRC=${env_val[WASM_SRC]};
+ env_val[DCAP_PRIMITIVES]="${DCAP_PRIMITIVES:-/tmp/SGXDataCenterAttestationPrimitives}"
+ env_desc[DCAP_PRIMITIVES]=" DCAP_PRIMITIVES points to the source repo of DCAP "
+ env_key_sort[$i]="DCAP_PRIMITIVES"; i=$i+1; export DCAP_PRIMITIVES=${env_val[DCAP_PRIMITIVES]};
+ env_val[PDO_MEMORY_CONFIG]="${PDO_MEMORY_CONFIG:-MEDIUM}" env_desc[PDO_MEMORY_CONFIG]=" PDO_MEMORY_CONFIG indicates the memory configuration for the
diff --git a/common/crypto/attestation-api/CMakeLists.txt b/common/crypto/attestation-api/CMakeLists.txt
index 181c7045..16ed4a4d 100644
--- a/common/crypto/attestation-api/CMakeLists.txt
+++ b/common/crypto/attestation-api/CMakeLists.txt
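Review bot: The default `/tmp/SGXDataCenterAttestationPrimitives` given to DCAP_PRIMITIVES on the first added line is a shared, typically world-writable location on any host that runs this outside the container, so a directory that already exists there — which `setup.sh` clones into and the attestation-api CMake build then compiles and links from — is not something this build can vouch for. If the non-container case is meant to be supported, a path under a root the build owns (for example relative to `${PDO_INSTALL_ROOT}`) would be safer, and the description text could state that the directory must be the tree populated by `common/crypto/attestation-api/docker/container/setup.sh` rather than just "the source repo of DCAP". The same literal default is repeated in `docker/tools/environment.sh` in the last hunk; deriving one from the other would keep them from drifting. The enclosing `var_set()` function starts and ends outside the hunk.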
@@ -12,6 +12,10 @@ set(CMAKE_CXX_EXTENSIONS OFF) INCLUDE(CMakeVariables.txt)
+IF (NOT DEFINED ENV{DCAP_PRIMITIVES})
+ MESSAGE(FATAL_ERROR "DCAP_PRIMITIVES variable with source repo path not defined")
+ENDIF()
+ ################################################################################################### # First run cmake in common ###################################################################################################
@@ -95,6 +99,7 @@ ADD_CUSTOM_COMMAND(TARGET ${B64ATTESTATION_TO_B64COLLATERAL} TARGET_INCLUDE_DIRECTORIES(${B64ATTESTATION_TO_B64COLLATERAL} PRIVATE common)
+# newer DCAP (1.22) libs need the qal (older, 1.19, don't) SET(DCAP_LINK_LIBS ${DCAP_QV_PATH}/appraisal/qal/libdcap_qal.a) TARGET_LINK_LIBRARIES(${B64ATTESTATION_TO_B64COLLATERAL}
diff --git a/common/crypto/attestation-api/docker/container/README.md b/common/crypto/attestation-api/docker/container/README.md
new file mode 100644
index 00000000..416f507c
--- /dev/null
+++ b/common/crypto/attestation-api/docker/container/README.md
@@ -0,0 +1,3 @@
+This directory contains scripts to set up the attestation API dependencies in the docker container.
+
+The scripts are obviously meant to be run before the attestation API build and, possibly, during the docker build.
diff --git a/common/crypto/attestation-api/docker/container/setup.sh b/common/crypto/attestation-api/docker/container/setup.sh
new file mode 100755
index 00000000..e34eb270
--- /dev/null
+++ b/common/crypto/attestation-api/docker/container/setup.sh
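Review bot: The guard at the top of the first CMakeLists hunk only tests that the environment variable is defined, so an empty or stale `DCAP_PRIMITIVES` passes the check and the failure presumably surfaces much later as a missing-library error once the path feeds `DCAP_QV_PATH` (the `libdcap_qal.a` line in the next hunk; how `DCAP_QV_PATH` is derived is not visible here). Since `$ENV{}` is read at configure time only, it is cheap to also check that the directory exists: `ELSEIF (NOT IS_DIRECTORY "$ENV{DCAP_PRIMITIVES}")` followed by `MESSAGE(FATAL_ERROR "DCAP_PRIMITIVES does not point to an existing directory: $ENV{DCAP_PRIMITIVES}")` before the `ENDIF()`. Quoting the expansion also keeps the test well-formed when the value is empty.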
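Review bot: The comment added above `SET(DCAP_LINK_LIBS ...)` in the second CMakeLists hunk documents the 1.22-versus-1.19 difference, but the build still hard-codes `${DCAP_QV_PATH}/appraisal/qal/libdcap_qal.a`, so a checkout of an older DCAP tag would presumably fail only at link time with no hint of the cause; the version itself is pinned separately as `export DCAP=1.22` in the new `setup.sh`, so the two can drift. Consider failing early with `IF (NOT EXISTS "${DCAP_QV_PATH}/appraisal/qal/libdcap_qal.a")` and `MESSAGE(FATAL_ERROR "libdcap_qal.a not found under DCAP_QV_PATH; DCAP 1.22 or newer is required")`, which turns the comment into an enforced requirement. The `TARGET_LINK_LIBRARIES(...)` call continues past the end of the hunk.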
@@ -0,0 +1,71 @@
+#!/bin/bash
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+apt-get update
+
+# install quote library, necessary for dcap attestation generation
+# install quote verify library, necessary for attestation conversion and verification
+# (though inside the enclave we use the static libraries of DCAP)
+apt-get install -y \ --no-install-recommends \ libsgx-dcap-ql-dev \ libsgx-dcap-quote-verify-dev
+
+# -----------------------------------------------------------------
+# SGX DCAP Primitives
+# -----------------------------------------------------------------
+apt-get install -y -q \ libboost-dev \ libboost-system-dev \ libboost-thread-dev \ protobuf-c-compiler \ libprotobuf-c-dev \ protobuf-compiler
+
+# Note: libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h
+apt-get install -y \ basez \ clang \ libsgx-dcap-default-qpl \ libsgx-dcap-default-qpl-dev \ jq
+
+export DCAP=1.22
+
+git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${DCAP_PRIMITIVES} \ && cd ${DCAP_PRIMITIVES}/QuoteVerification \ && git checkout DCAP_${DCAP} \ && git submodule update --init --recursive
+
+cd ${DCAP_PRIMITIVES}/QuoteGeneration \ && ./download_prebuilt.sh \ && make GEN_STATIC=1
+
+# NOTE: below the build (./release) is run twice.
Unfortunately, this is necessary because both builds fails
+# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result.
+# This issue has been communicated to the developers of the DCAP primitives.
+cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src
+./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF || true
+./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
+
+# set up the qcnl to connect to the local pccs for dcap verification collateral
+echo '{\n\ "pccs_url": "https://localhost:8081/sgx/certification/v4/", \n\ "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",\n\ "use_secure_cert": false\n\ }' > /etc/sgx_default_qcnl.conf
+
diff --git a/docker/pdo_services_base.dockerfile b/docker/pdo_services_base.dockerfile
index f84c21a2..c95dbca5 100644
--- a/docker/pdo_services_base.dockerfile
+++ b/docker/pdo_services_base.dockerfile
@@ -36,8 +36,6 @@ RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${U --no-install-recommends \ libsgx-urts \ libsgx-uae-service \
- libsgx-dcap-ql-dev \
- libsgx-dcap-quote-verify-dev \ && apt-get clean \ && rm -rf /var/lib/apt/lists/*
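Review bot: The `echo '{\n\ ... }' > /etc/sgx_default_qcnl.conf` block at the end of the script does not write the JSON the old Dockerfile `RUN` produced: the script runs under `#!/bin/bash`, whose builtin `echo` leaves `\n` uninterpreted unless `-e` (or `xpg_echo`) is in effect, and a backslash before a newline inside single quotes is literal, whereas the old `RUN` line went through Docker's continuation handling and `/bin/sh`. The file as written therefore contains `\n\` sequences and indentation instead of newlines, which the QCNL config parser is unlikely to accept; a quoted heredoc writes the intended content verbatim. Separately, `git checkout DCAP_${DCAP}` follows a tag name, which can be moved, so for code that ends up in the quote-verification path it is worth recording the expected commit and comparing `git rev-parse HEAD` against it (a placeholder such as `<EXPECTED_DCAP_COMMIT>` until the value is chosen). Note also that `"use_secure_cert": false` and the unconditional write to `/etc` now apply to any host that runs this script, not only to the image; the README says it may be run outside the docker build.
```shell
# … unchanged: package installation and DCAP checkout/build …

# set up the qcnl to connect to the local pccs for dcap verification collateral
cat > /etc/sgx_default_qcnl.conf <<'EOF'
{
  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
  "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
  "use_secure_cert": false
}
EOF
```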
@@ -86,50 +84,14 @@ RUN . /opt/intel/sgxsdk/environment \ ENV SGX_SSL="/opt/intel/sgxssl"
- # -----------------------------------------------------------------
-# SGX DCAP Primitives
+# Install dependencies for Attestation API # -----------------------------------------------------------------
-RUN apt-get update
-RUN apt-get install -y -q \
- libboost-dev \
- libboost-system-dev \
- libboost-thread-dev \
- protobuf-c-compiler \
- libprotobuf-c-dev \
- protobuf-compiler
-RUN apt-get install -y \
- basez \
- clang \
- libsgx-dcap-default-qpl \
- #libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h
- libsgx-dcap-default-qpl-dev \
- jq
-
-ARG DCAP=1.22
-ENV DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives
-
-RUN git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${DCAP_PRIMITIVES} \
- && cd ${DCAP_PRIMITIVES}/QuoteVerification \
- && git checkout DCAP_${DCAP} \
- && git submodule update --init --recursive
-
-RUN cd ${DCAP_PRIMITIVES}/QuoteGeneration \
- && ./download_prebuilt.sh \
- && make GEN_STATIC=1
-
-# NOTE: below the build (./release) is run twice. Unfortunately, this is necessary because both builds fails
-# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result.
-# This issue has been communicated to the developers of the DCAP primitives.
-RUN cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src \
- && ./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF ; ./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
-
-RUN echo '{\n\
- "pccs_url": "https://localhost:8081/sgx/certification/v4/", \n\
- "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",\n\
- "use_secure_cert": false\n\
- }' > /etc/sgx_default_qcnl.conf
+# as the pdo repo is not available at this point, we copy the script in the container
+COPY repository/common/crypto/attestation-api/docker/container/setup.sh /tmp
+RUN DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives /tmp/setup.sh
+RUN rm /tmp/setup.sh # ----------------------------------------------------------------- # -----------------------------------------------------------------
diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh
index 41c83e86..b12ef1ea 100755
--- a/docker/tools/environment.sh
+++ b/docker/tools/environment.sh
@@ -35,6 +35,7 @@ export PDO_HOME=${PDO_INSTALL_ROOT}/opt/pdo export PDO_LEDGER_KEY_ROOT=${PDO_HOME}/keys/ledger export PDO_LEDGER_KEY_SKF=${PDO_LEDGER_KEY_ROOT}/pdo_validator.priv export WASM_SRC="${PDO_SOURCE_ROOT}/interpreters/wasm-micro-runtime"
+export DCAP_PRIMITIVES=${DCAP_PRIMITIVES:-/tmp/SGXDataCenterAttestationPrimitives} if [ ${PDO_LEDGER_TYPE,,} = "ccf" ]; then export PDO_DEFAULT_SIGCURVE=SECP384R1
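Review bot: The new `RUN DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives /tmp/setup.sh` line drops the `ARG DCAP=1.22` the removed lines provided, so the DCAP tag can no longer be chosen with `--build-arg` and is instead fixed by `export DCAP=1.22` inside `setup.sh`; the removed `ENV DCAP_PRIMITIVES` also means the variable is no longer baked into the image even though the attestation-api CMakeLists in this commit now treats its absence as fatal, so later build steps presumably depend on `docker/tools/environment.sh` exporting it. If the build-arg is still wanted, keep `ARG DCAP=1.22` and pass it through — `RUN DCAP=${DCAP} DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives /tmp/setup.sh && rm /tmp/setup.sh` — with the script defaulting rather than overriding (`export DCAP=${DCAP:-1.22}`). Folding the `rm` into the same `RUN` also avoids a layer whose only effect is deleting a file the previous layer still carries. Note as well that `setup.sh` runs `apt-get update` without the `apt-get clean && rm -rf /var/lib/apt/lists/*` the earlier layer performs, so the package lists now remain in the image.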