cycles-quartz/docker/enclave-sgx/Dockerfile

FROM rust:1.80-alpine AS build

ARG CARGO_FLAGS=""
# By default we assume that there is an "enclave" directory in the root of the
# Quartz app that contains the enclave's code.
ARG ENCLAVE_DIR="enclave"

COPY . /opt/src
WORKDIR /opt/src

# TODO: Remove once the Quartz dependencies are open-sourced
RUN apk update && \
    apk add --no-cache git openssh && \
    mkdir -m 0700 /root/.ssh && \
    cp .secrets/* /root/.ssh/ && \
    chmod 0600 /root/.ssh/* && \
    chmod 0644 /root/.ssh/*.pub && \
    ssh-keyscan github.com >> /root/.ssh/known_hosts

# System dependencies for building our binary
RUN apk update && \
    apk add --no-cache build-base protobuf-dev

RUN cd /opt/src/${ENCLAVE_DIR} && \
    CARGO_TARGET_DIR=./target cargo build --release ${CARGO_FLAGS}

# TODO: Remove once the Quartz dependencies are open-sourced
RUN rm -rf /root/.ssh/

#------------------------------------------------------------------------------

FROM gramineproject/gramine:1.7-jammy

ARG ENCLAVE_DIR="enclave"
# By default we assume that the enclave binary's name is just "enclave".
ARG ENCLAVE_BIN="enclave"
ARG TRUSTED_HEIGHT
ARG TRUSTED_HASH

RUN apt update && \
    apt install -y build-essential

# Copy the enclave binary we built in the previous stage
COPY --from=build /opt/src/${ENCLAVE_DIR}/target/release/${ENCLAVE_BIN} /opt/enclave/bin/enclave
COPY --from=build /opt/src/${ENCLAVE_DIR}/quartz.manifest.template /opt/enclave/

WORKDIR /opt/enclave

# TODO - update entire file to use DCAP, not EPID
RUN gramine-sgx-gen-private-key > /dev/null 2>&1 && \
    gramine-manifest  \
        -Dlog_level="error"  \
        -Dhome="/opt/enclave"  \
        -Denclave_dir="/opt/enclave"  \
        -Denclave_executable="/opt/enclave/bin/enclave" \
        -Darch_libdir="/lib/$(gcc -dumpmachine)"  \
        -Dra_type="epid" \
        -Dra_client_linkable=1 \
        -Dtrusted_height="${TRUSTED_HEIGHT}"  \
        -Dtrusted_hash="${TRUSTED_HASH}"  \
        -Dgramine_port=11090 \
        quartz.manifest.template quartz.manifest && \
    gramine-sgx-sign --manifest quartz.manifest --output quartz.manifest.sgx

CMD ["/restart_aesm.sh && gramine-sgx ./quartz"]
feat: Add support for running Quartz app enclave in a Docker container (EPID) (#155) Signed-off-by: Thane Thomson <connect@thanethomson.com> 2024-08-16 20:38:52 +00:00			`FROM rust:1.80-alpine AS build`

			`ARG CARGO_FLAGS=""`
			`# By default we assume that there is an "enclave" directory in the root of the`
			`# Quartz app that contains the enclave's code.`
			`ARG ENCLAVE_DIR="enclave"`

			`COPY . /opt/src`
			`WORKDIR /opt/src`

			`# TODO: Remove once the Quartz dependencies are open-sourced`
			`RUN apk update && \`
			`apk add --no-cache git openssh && \`
			`mkdir -m 0700 /root/.ssh && \`
			`cp .secrets/* /root/.ssh/ && \`
			`chmod 0600 /root/.ssh/* && \`
			`chmod 0644 /root/.ssh/*.pub && \`
			`ssh-keyscan github.com >> /root/.ssh/known_hosts`

			`# System dependencies for building our binary`
			`RUN apk update && \`
			`apk add --no-cache build-base protobuf-dev`

			`RUN cd /opt/src/${ENCLAVE_DIR} && \`
			`CARGO_TARGET_DIR=./target cargo build --release ${CARGO_FLAGS}`

			`# TODO: Remove once the Quartz dependencies are open-sourced`
			`RUN rm -rf /root/.ssh/`

			`#------------------------------------------------------------------------------`

			`FROM gramineproject/gramine:1.7-jammy`

			`ARG ENCLAVE_DIR="enclave"`
			`# By default we assume that the enclave binary's name is just "enclave".`
			`ARG ENCLAVE_BIN="enclave"`
			`ARG TRUSTED_HEIGHT`
			`ARG TRUSTED_HASH`

			`RUN apt update && \`
			`apt install -y build-essential`

			`# Copy the enclave binary we built in the previous stage`
			`COPY --from=build /opt/src/${ENCLAVE_DIR}/target/release/${ENCLAVE_BIN} /opt/enclave/bin/enclave`
			`COPY --from=build /opt/src/${ENCLAVE_DIR}/quartz.manifest.template /opt/enclave/`

			`WORKDIR /opt/enclave`

docs: Update docs to reflect crate reorg naming, and remove EPID docs (#233) Co-authored-by: Dave Kaj <davidkajpust@informal.systems> Co-authored-by: Ethan Buchman <ethan@coinculture.info> 2024-10-02 03:57:13 +00:00			`# TODO - update entire file to use DCAP, not EPID`
feat: Add support for running Quartz app enclave in a Docker container (EPID) (#155) Signed-off-by: Thane Thomson <connect@thanethomson.com> 2024-08-16 20:38:52 +00:00			`RUN gramine-sgx-gen-private-key > /dev/null 2>&1 && \`
			`gramine-manifest \`
			`-Dlog_level="error" \`
			`-Dhome="/opt/enclave" \`
			`-Denclave_dir="/opt/enclave" \`
			`-Denclave_executable="/opt/enclave/bin/enclave" \`
			`-Darch_libdir="/lib/$(gcc -dumpmachine)" \`
			`-Dra_type="epid" \`
			`-Dra_client_linkable=1 \`
			`-Dtrusted_height="${TRUSTED_HEIGHT}" \`
			`-Dtrusted_hash="${TRUSTED_HASH}" \`
			`-Dgramine_port=11090 \`
			`quartz.manifest.template quartz.manifest && \`
			`gramine-sgx-sign --manifest quartz.manifest --output quartz.manifest.sgx`

			`CMD ["/restart_aesm.sh && gramine-sgx ./quartz"]`