Publish mrenclave (#1473)

* [GHA] introduce a variable for the docker image suffix, and add placeholder for creating the mrenclave stuff. * [GHA] upload mrenclave file * [GHA] transform sgx mode to lowercase for docker image suffix * [GHA] fix cmd * [docker] include sgx_sign utility in worker image and add `mrenclave` command to the `entry_point.sh` * [GHA] use docker run -t integritee-worker mrenclave to get the mrenclave * [GHA] use consistent capitalization * [docker] fix printing the mrenclave * [docker] add newline at the end of the script * [docker] fix printing mrenclave in docker command * [docker] extract the hex value of the mrenclave in entrypoint.sh * [docker] fix grep command * [GHA] grepping in entrypoint doesn't work for some reason, so you we do it in GHA.
integritee-network · Oct 29, 2023 · fc7c17b · fc7c17b
1 parent 46515c7
commit fc7c17b
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 26 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -61,6 +61,8 @@ jobs:
         run: |
           fingerprint=$RANDOM
           echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV
+          SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}")
+          echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV
           if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
              echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV
              echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV
@@ -79,7 +81,7 @@ jobs:
         env:
           DOCKER_BUILDKIT: 1
         run: >
-          docker build -t integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}
+          docker build -t integritee-worker-${{ env.IMAGE_SUFFIX }}
           --target deployed-worker
           --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg FINGERPRINT=${FINGERPRINT} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }}
           -f build.Dockerfile .
@@ -88,40 +90,51 @@ jobs:
         env:
           DOCKER_BUILDKIT: 1
         run: >
-          docker build -t integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}
+          docker build -t integritee-cli-client-${{ env.IMAGE_SUFFIX }}
           --target deployed-client
           --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }}
           -f build.Dockerfile .
 
       - run: docker images --all
 
       - name: Test Enclave # cargo test is not supported in the enclave, see: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/232
-        run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} test --all
+        run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ env.IMAGE_SUFFIX }} test --all
 
       - name: Export worker image(s)
         run: |
-          docker image save integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
-          docker image save integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
+          docker image save integritee-worker-${{ env.IMAGE_SUFFIX }} | gzip > integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz
+          docker image save integritee-cli-client-${{ env.IMAGE_SUFFIX }} | gzip > integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz
 
       - name: Upload worker image
         uses: actions/upload-artifact@v3
         with:
-          name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
-          path: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
+          name: integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz
+          path: integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz
 
       - name: Upload CLI client image
         uses: actions/upload-artifact@v3
         with:
-          name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
-          path: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
+          name: integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz
+          path: integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz
+
+      - name: Create Enclave Digest File
+        run: |
+          mrenclave_hex=$(docker run integritee-worker-${{ env.IMAGE_SUFFIX }} mrenclave | grep -oP ':\s*\K[a-fA-F0-9]+')
+          echo "$mrenclave_hex" > mrenclave-${{ env.IMAGE_SUFFIX }}.hex
+
+      - name: Upload Enclave Digest File
+        uses: actions/upload-artifact@v3
+        with:
+          name: mrenclave-${{ env.IMAGE_SUFFIX }}.hex
+          path: mrenclave-${{ env.IMAGE_SUFFIX }}.hex
 
       - name: Delete images
         run: |
-          if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
-              docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
+          if [[ "$(docker images -q integritee-worker-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then
+              docker image rmi --force integritee-worker-${{ env.IMAGE_SUFFIX }} 2>/dev/null
           fi
-          if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
-              docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
+          if [[ "$(docker images -q integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then
+              docker image rmi --force integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2>/dev/null
           fi
           docker images --all
 
@@ -243,6 +256,8 @@ jobs:
       - name: Set env
         run: |
           version=$RANDOM
+          SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}")
+          echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV
           echo "FLAVOR_ID=${{ matrix.flavor_id }}" >> $GITHUB_ENV
           echo "PROJECT=${{ matrix.flavor_id }}-${{ matrix.demo_name }}" >> $GITHUB_ENV
           echo "VERSION=dev.$version" >> $GITHUB_ENV
@@ -261,21 +276,21 @@ jobs:
       - name: Download Worker Image
         uses: actions/download-artifact@v3
         with:
-          name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
+          name: integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz
           path: .
 
       - name: Download CLI client Image
         uses: actions/download-artifact@v3
         with:
-          name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
+          name: integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz
           path: .
 
       - name: Load Worker & Client Images
         env:
           DOCKER_BUILDKIT: 1
         run: |
-          docker image load --input integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
-          docker image load --input integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
+          docker image load --input integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz
+          docker image load --input integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz
           docker images --all
 
       ##
@@ -290,8 +305,8 @@ jobs:
           if [[ "$(docker images -q ${{ env.CLIENT_IMAGE_TAG }} 2> /dev/null)" == "" ]]; then
              docker image rmi --force ${{ env.CLIENT_IMAGE_TAG }} 2>/dev/null
           fi
-          docker tag integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.WORKER_IMAGE_TAG }}
-          docker tag integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.CLIENT_IMAGE_TAG }}
+          docker tag integritee-worker-${{ env.IMAGE_SUFFIX }} ${{ env.WORKER_IMAGE_TAG }}
+          docker tag integritee-cli-client-${{ env.IMAGE_SUFFIX }} ${{ env.CLIENT_IMAGE_TAG }}
           docker pull integritee/integritee-node:1.1.3
           docker tag integritee/integritee-node:1.1.3 ${{ env.INTEGRITEE_NODE }}
           docker images --all
@@ -337,11 +352,11 @@ jobs:
 
       - name: Delete images
         run: |
-          if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
-              docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
+          if [[ "$(docker images -q integritee-worker-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then
+              docker image rmi --force integritee-worker-${{ env.IMAGE_SUFFIX }} 2>/dev/null
           fi
-          if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
-              docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
+          if [[ "$(docker images -q integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then
+              docker image rmi --force integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2>/dev/null
           fi
           if [[ "$(docker images -q ${{ env.WORKER_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then
              docker image rmi --force ${{ env.WORKER_IMAGE_TAG }} 2>/dev/null
@@ -386,6 +401,8 @@ jobs:
         run: |
           fingerprint=$RANDOM
           echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV
+          SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}")
+          echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV
           if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
               echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV
               echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV

diff --git a/build.Dockerfile b/build.Dockerfile
@@ -124,14 +124,17 @@ WORKDIR /usr/local/bin
 
 COPY --from=builder /opt/sgxsdk /opt/sgxsdk
 COPY --from=builder /home/ubuntu/work/worker/bin/* ./
+COPY --from=builder /home/ubuntu/work/worker/extract_identity ./
 COPY --from=builder /lib/x86_64-linux-gnu/libsgx* /lib/x86_64-linux-gnu/
 COPY --from=builder /lib/x86_64-linux-gnu/libdcap* /lib/x86_64-linux-gnu/
 
 RUN chmod +x /usr/local/bin/integritee-service
+RUN chmod +x /usr/local/bin/extract_identity
 RUN ls -al /usr/local/bin
 
 # checks
 ENV SGX_SDK /opt/sgxsdk
+ENV SGX_ENCLAVE_SIGNER $SGX_SDK/bin/x64/sgx_sign
 ENV LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/intel/sgx-aesm-service/aesm:$SGX_SDK/sdk_libs
 ENV AESM_PATH=/opt/intel/sgx-aesm-service/aesm
 

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -1,7 +1,19 @@
 #!/bin/bash
 set -e
 
-# run aesmd in the background
-/opt/intel/sgx-aesm-service/aesm/aesm_service
+# Check if the first argument is "mrenclave"
+if [ "$1" = "mrenclave" ]; then
+    # If "mrenclave" is provided, execute the corresponding command
+    $SGX_ENCLAVE_SIGNER dump \
+      -enclave /usr/local/bin/enclave.signed.so \
+      -dumpfile df.out && \
+        /usr/local/bin/extract_identity < df.out && rm df.out | grep -oP ':\s*\K[a-fA-F0-9]+'
 
-exec /usr/local/bin/integritee-service "${@}"
+else
+    # If no specific command is provided, execute the default unnamed command
+
+    # run aesmd in the background
+    /opt/intel/sgx-aesm-service/aesm/aesm_service
+
+    exec /usr/local/bin/integritee-service "${@}"
+fi