commit 290272120acfc95a26b9960bbff166c533f54b1d Author: Andrew Miller Date: Sun Sep 10 12:21:35 2023 -0500 dockerfile for mtcs diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d9a833e --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +*~ +*.manifest +*.manifest.sgx \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..4012028 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,32 @@ +FROM gramineproject/gramine:v1.5 + +RUN apt-get update && apt-get install -y jq build-essential + +WORKDIR /workdir + +RUN curl https://sh.rustup.rs -sSf | bash -s -- -y +ENV PATH="/root/.cargo/bin:${PATH}" +RUN rustup toolchain install 1.72.0 + +RUN gramine-sgx-gen-private-key + +# This should be associated with an acive IAS SPID in order for +# gramine tools like gramine-sgx-ias-request and gramine-sgx-ias-verify +ENV RA_CLIENT_SPID=51CAF5A48B450D624AEFE3286D314894 +ENV RA_CLIENT_LINKABLE=1 + +# Copy the mtcs directory and build +COPY mtcs ./mtcs +WORKDIR /workdir/mtcs +RUN cargo build --release + +WORKDIR /workdir +COPY mtcs.manifest.template ./ + +COPY data/micro-set-offs.csv mtcs/data + +# Make and sign the gramine manifest +RUN gramine-manifest -Dlog_level="error" -Dhome=${HOME} -Darch_libdir="/lib/$(gcc -dumpmachine)" -Dmtcs_dir="$(pwd)/mtcs" -Dtestname="micro-set-offs" mtcs.manifest.template mtcs.manifest +RUN gramine-sgx-sign --manifest mtcs.manifest --output mtcs.manifest.sgx + +CMD [ "gramine-sgx-sigstruct-view mtcs.sig" ] diff --git a/README.md b/README.md new file mode 100644 index 0000000..7513fe8 --- /dev/null +++ b/README.md @@ -0,0 +1,33 @@ +## Gramine experiments using MTCS + +This is a Dockerfile for replaying the mtcs experiment in gramine, starting from the manifest file from https://github.com/informalsystems/cofi-private/issues/104 +The starting point for the Dockerfile is the Gramine-based from Revm Relay hackathon. https://github.com/amiller/gramine-sgx-revm/ + +The point of this is to emphasize the verification process that can be completed even without SGX, by reproducing the MRENCLAVE and inspecting remote attestation quotes. + +## Replicating the MRENCLAVE build (no SGX required) + +The following will build mtcs, then freeze all dependencies from the docker environment into the gramine manifest, and finally display the resulting MRENCLAVE +```bash +docker build . --tag mtcs +docker run -it -v ./data:/workdir/data mtcs +``` + +Let's see how long this remains reproducible: +``` + mr_enclave: fa9149158c693b09e83480b48c2e7344c941aadca6d5829834f2af9f2690435e +``` + +## Execution on an SGX machine + +This is tested on a local SGX machine, not Azure + +```bash +docker run -it --device /dev/sgx_enclave \ + -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \ + -v ./data:/workdir/data \ + mtcs bash +is-sgx-available +gramine-sgx ./mtcs +cat mtcs/data/micro-set-offs.out +``` \ No newline at end of file diff --git a/data/micro-set-offs.csv b/data/micro-set-offs.csv new file mode 100644 index 0000000..e0274cc --- /dev/null +++ b/data/micro-set-offs.csv @@ -0,0 +1,5 @@ +id,debtor,creditor,amount,set_off,remainder +1,10,20,100,100,0 +2,20,30,100,100,0 +3,30,10,200,100,100 +4,40,30,100,0,100 diff --git a/mtcs b/mtcs new file mode 160000 index 0000000..3f13e5c --- /dev/null +++ b/mtcs @@ -0,0 +1 @@ +Subproject commit 3f13e5c0fd0623a9dc7f4b4227be4678fa947531 diff --git a/mtcs.manifest.template b/mtcs.manifest.template new file mode 100644 index 0000000..1bbf5a1 --- /dev/null +++ b/mtcs.manifest.template @@ -0,0 +1,35 @@ +# MTCS manifest file example + +loader.entrypoint = "file:{{ gramine.libos }}" +libos.entrypoint = "{{ mtcs_dir }}/target/release/mtcs-cli" + +loader.log_level = "{{ log_level }}" + +loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}" +loader.env.HOME = "{{ home }}" + +loader.argv = ["-v", "-i", "{{ mtcs_dir }}/data/{{ testname }}.csv", "-o", "{{ mtcs_dir }}/data/{{ testname }}.out"] + +fs.mounts = [ + { uri = "file:{{ gramine.runtimedir() }}", path = "/lib" }, + { uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" }, + { uri = "file:/usr/{{ arch_libdir }}", path = "/usr{{ arch_libdir }}" }, + { uri = "file:{{ mtcs_dir }}", path = "{{ mtcs_dir }}" }, +] + +sgx.enclave_size = "512M" +sgx.max_threads = 4 +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} + +sgx.trusted_files = [ + "file:{{ gramine.libos }}", + "file:{{ mtcs_dir }}/target/release/mtcs-cli", + "file:{{ mtcs_dir }}/data/{{ testname }}.csv", + "file:{{ gramine.runtimedir() }}/", + "file:{{ arch_libdir }}/", + "file:/usr/{{ arch_libdir }}/", +] + +sgx.allowed_files = [ + "file:{{ mtcs_dir }}/data/{{ testname }}.out", +]