dockerfile for mtcs

.gitignore

@@ -0,0 +1,3 @@
+*~
+*.manifest
+*.manifest.sgx

Dockerfile

@@ -0,0 +1,32 @@
+FROM gramineproject/gramine:v1.5
+
+RUN apt-get update && apt-get install -y jq build-essential
+
+WORKDIR /workdir
+
+RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+RUN rustup toolchain install 1.72.0
+
+RUN gramine-sgx-gen-private-key
+
+# This should be associated with an acive IAS SPID in order for
+# gramine tools like gramine-sgx-ias-request and gramine-sgx-ias-verify
+ENV RA_CLIENT_SPID=51CAF5A48B450D624AEFE3286D314894
+ENV RA_CLIENT_LINKABLE=1
+
+# Copy the mtcs directory and build
+COPY mtcs ./mtcs
+WORKDIR /workdir/mtcs
+RUN cargo build --release
+
+WORKDIR /workdir
+COPY mtcs.manifest.template ./
+
+COPY data/micro-set-offs.csv mtcs/data
+
+# Make and sign the gramine manifest
+RUN gramine-manifest -Dlog_level="error" -Dhome=${HOME} -Darch_libdir="/lib/$(gcc -dumpmachine)" -Dmtcs_dir="$(pwd)/mtcs" -Dtestname="micro-set-offs" mtcs.manifest.template mtcs.manifest
+RUN gramine-sgx-sign --manifest mtcs.manifest --output mtcs.manifest.sgx
+
+CMD [ "gramine-sgx-sigstruct-view mtcs.sig" ]

README.md

@@ -0,0 +1,33 @@
+## Gramine experiments using MTCS
+
+This is a Dockerfile for replaying the mtcs experiment in gramine, starting from the manifest file from https://github.com/informalsystems/cofi-private/issues/104
+The starting point for the Dockerfile is the Gramine-based from Revm Relay hackathon. https://github.com/amiller/gramine-sgx-revm/
+
+The point of this is to emphasize the verification process that can be completed even without SGX, by reproducing the MRENCLAVE and inspecting remote attestation quotes.
+
+## Replicating the MRENCLAVE build (no SGX required)
+
+The following will build mtcs, then freeze all dependencies from the docker environment into the gramine manifest, and finally display the resulting MRENCLAVE
+```bash
+docker build . --tag mtcs
+docker run -it -v ./data:/workdir/data mtcs
+```
+
+Let's see how long this remains reproducible:
+```
+     mr_enclave: fa9149158c693b09e83480b48c2e7344c941aadca6d5829834f2af9f2690435e
+```
+
+## Execution on an SGX machine
+
+This is tested on a local SGX machine, not Azure
+
+```bash
+docker run -it --device /dev/sgx_enclave \
+       -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
+       -v ./data:/workdir/data \
+       mtcs bash
+is-sgx-available
+gramine-sgx ./mtcs
+cat mtcs/data/micro-set-offs.out
+```

data/micro-set-offs.csv

@@ -0,0 +1,5 @@
+id,debtor,creditor,amount,set_off,remainder
+1,10,20,100,100,0
+2,20,30,100,100,0
+3,30,10,200,100,100
+4,40,30,100,0,100

mtcs

@@ -0,0 +1 @@
+Subproject commit 3f13e5c0fd0623a9dc7f4b4227be4678fa947531

mtcs.manifest.template

@@ -0,0 +1,35 @@
+# MTCS manifest file example
+
+loader.entrypoint = "file:{{ gramine.libos }}"
+libos.entrypoint = "{{ mtcs_dir }}/target/release/mtcs-cli"
+
+loader.log_level = "{{ log_level }}"
+
+loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
+loader.env.HOME = "{{ home }}"
+
+loader.argv = ["-v", "-i", "{{ mtcs_dir }}/data/{{ testname }}.csv", "-o", "{{ mtcs_dir }}/data/{{ testname }}.out"]
+
+fs.mounts = [
+  { uri = "file:{{ gramine.runtimedir() }}", path = "/lib" },
+  { uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" },
+  { uri = "file:/usr/{{ arch_libdir }}", path = "/usr{{ arch_libdir }}" },
+  { uri = "file:{{ mtcs_dir }}", path = "{{ mtcs_dir }}" },
+]
+
+sgx.enclave_size = "512M"
+sgx.max_threads = 4
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
+
+sgx.trusted_files = [
+  "file:{{ gramine.libos }}",
+  "file:{{ mtcs_dir }}/target/release/mtcs-cli",
+  "file:{{ mtcs_dir }}/data/{{ testname }}.csv",
+  "file:{{ gramine.runtimedir() }}/",
+  "file:{{ arch_libdir }}/",
+  "file:/usr/{{ arch_libdir }}/",
+]
+
+sgx.allowed_files = [
+  "file:{{ mtcs_dir }}/data/{{ testname }}.out",
+]