diff --git a/utils/quartz-enclave/Cargo.toml b/enclaves/quartz/Cargo.toml
similarity index 100%
rename from utils/quartz-enclave/Cargo.toml
rename to enclaves/quartz/Cargo.toml
diff --git a/enclaves/quartz/Dockerfile b/enclaves/quartz/Dockerfile
new file mode 100644
index 0000000..88e8587
--- /dev/null
+++ b/enclaves/quartz/Dockerfile
@@ -0,0 +1,48 @@
+FROM gramineproject/gramine:v1.5
+
+RUN apt-get update && apt-get install -y jq build-essential
+
+WORKDIR /workdir
+
+RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+RUN rustup toolchain install 1.72.0
+
+RUN gramine-sgx-gen-private-key
+
+# This should be associated with an acive IAS SPID in order for
+# gramine tools like gramine-sgx-ias-request and gramine-sgx-ias-verify
+ARG RA_TYPE=epid
+ENV RA_TYPE=$RA_TYPE
+ARG RA_CLIENT_SPID=51CAF5A48B450D624AEFE3286D314894
+ENV RA_CLIENT_SPID=$RA_CLIENT_SPID
+ARG RA_CLIENT_LINKABLE=1
+ENV RA_CLIENT_LINKABLE=$RA_CLIENT_LINKABLE
+
+ARG DEBUG=0
+ENV DEBUG=$DEBUG
+ARG SGX=1
+ENV SGX=$SGX
+
+# Copy the quartz directory and build
+COPY . ./quartz
+WORKDIR /workdir/quartz
+RUN cargo build --release
+
+WORKDIR /workdir
+COPY quartz.manifest.template ./
+
+# Make and sign the gramine manifest
+RUN gramine-manifest \
+ -Dlog_level="error" \
+ -Dhome=${HOME} \
+ -Darch_libdir="/lib/$(gcc -dumpmachine)" \
+ -Dra_type="$RA_TYPE" \
+ -Dra_client_spid="$RA_CLIENT_SPID" \
+ -Dra_client_linkable="$RA_CLIENT_LINKABLE" \
+ -Dquartz_dir="$(pwd)/quartz" \
+ quartz.manifest.template quartz.manifest
+
+RUN gramine-sgx-sign --manifest quartz.manifest --output quartz.manifest.sgx
+
+CMD [ "gramine-sgx-sigstruct-view quartz.sig" ]
diff --git a/enclaves/quartz/quartz.manifest.template b/enclaves/quartz/quartz.manifest.template
new file mode 100644
index 0000000..cd0e9c4
--- /dev/null
+++ b/enclaves/quartz/quartz.manifest.template
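Review bot: `RUN gramine-sgx-gen-private-key` mints a fresh enclave signing key inside the build, so the private key is persisted in an image layer (at Gramine's default key path, presumably `/root/.config/gramine/enclave-key.pem` here) and every build yields a different MRSIGNER, which nobody pinning `RA_TLS_MRSIGNER` can rely on. If the key has to be available at build time, supply it with a BuildKit secret at the sign step and drop the gen step, e.g. `RUN --mount=type=secret,id=enclave_key,target=/root/.config/gramine/enclave-key.pem gramine-sgx-sign --manifest quartz.manifest --output quartz.manifest.sgx`; if a throwaway dev key is intended, say so in a comment above the gen line. Separately, the JSON-form `CMD [ "gramine-sgx-sigstruct-view quartz.sig" ]` passes the whole string as a single argv[0], so the container will try to exec a binary literally named `gramine-sgx-sigstruct-view quartz.sig`; split it into `CMD ["gramine-sgx-sigstruct-view", "quartz.sig"]`. Note also that `rustup toolchain install 1.72.0` installs that toolchain without making it the default, so `cargo build --release` will use whatever stable rustup installed that day unless the copied source carries a `rust-toolchain` file — add `rustup default 1.72.0` (and ideally pin the rustup installer by version/checksum rather than `curl | bash`) so the enclave binary, and hence MRENCLAVE, is reproducible across builds.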
@@ -0,0 +1,50 @@
+# Quartz manifest file
+
+loader.entrypoint = "file:{{ gramine.libos }}"
+libos.entrypoint = "{{ quartz_dir }}/target/release/quartz-enclave"
+
+loader.log_level = "{{ log_level }}"
+
+loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
+loader.env.HOME = "{{ home }}"
+loader.env.INSIDE_SGX = "1"
+loader.env.TLS = { passthrough = true }
+loader.env.RA_TYPE = { passthrough = true }
+loader.env.RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE = { passthrough = true }
+loader.env.RA_TLS_ALLOW_OUTDATED_TCB_INSECURE = { passthrough = true }
+loader.env.RA_TLS_MRENCLAVE = { passthrough = true }
+loader.env.RA_TLS_MRSIGNER = { passthrough = true }
+loader.env.RA_TLS_ISV_SVN = { passthrough = true }
+loader.env.RA_TLS_ISV_PROD_ID = { passthrough = true }
+loader.env.RA_TLS_EPID_API_KEY = { passthrough = true }
+loader.env.MYAPP_DATA = { passthrough = true }
+
+loader.argv = ["quartz-enclave"]
+
+fs.mounts = [
+ { uri = "file:{{ gramine.runtimedir() }}", path = "/lib" },
+ { uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" },
+ { uri = "file:/usr/{{ arch_libdir }}", path = "/usr{{ arch_libdir }}" },
+ { uri = "file:{{ quartz_dir }}", path = "{{ quartz_dir }}" },
+]
+
+sgx.enclave_size = "512M"
+sgx.max_threads = 4
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
+
+sgx.remote_attestation = "{{ ra_type }}"
+sgx.ra_client_spid = "{{ ra_client_spid }}"
+sgx.ra_client_linkable = {{ 'true' if ra_client_linkable == '1' else 'false' }}
+
+sgx.trusted_files = [
+ "file:{{ gramine.libos }}",
+ "file:{{ quartz_dir }}/target/release/quartz-enclave",
+ "file:{{ gramine.runtimedir() }}/",
+ "file:{{ arch_libdir }}/",
+ "file:/usr/{{ arch_libdir }}/",
+]
+
+sgx.allowed_files = [
+ "file:{{ quartz_dir }}/exchange.sk",
+ "file:{{ quartz_dir }}/request.json",
+]
diff --git a/enclaves/quartz/src/main.rs b/enclaves/quartz/src/main.rs
new file mode 100644
index 0000000..f328e4d
--- /dev/null
+++ b/enclaves/quartz/src/main.rs
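Review bot: The `loader.env.RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE`, `RA_TLS_ALLOW_OUTDATED_TCB_INSECURE` and `RA_TLS_MRENCLAVE`/`RA_TLS_MRSIGNER`/`RA_TLS_ISV_*` entries are all `passthrough = true`, which hands the untrusted host the peer-verification policy the enclave will apply: it can flip the `*_INSECURE` switches and supply whatever expected measurements it likes. If the enclave binary ends up doing RA-TLS verification against these (it is only a stub in this commit, so this is forward-looking), fix the insecure toggles in the manifest, e.g. `loader.env.RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE = "0"` and `loader.env.RA_TLS_ALLOW_OUTDATED_TCB_INSECURE = "0"`, bake the expected measurements in rather than passing them through, and keep the passthroughs only behind a clearly commented dev configuration. Likewise `sgx.allowed_files` makes `exchange.sk` and `request.json` readable and writable in plaintext with no integrity check, so the host can substitute their contents at will; if `exchange.sk` is a secret key as the name suggests, it belongs under `sgx.protected_files` (or should be sealed) rather than `allowed_files`, and a comment above `sgx.allowed_files` should state that both files are host-controlled, untrusted input. One more detail: `arch_libdir` already starts with `/`, so `"file:/usr/{{ arch_libdir }}"` in the mount URI, `LD_LIBRARY_PATH` and `sgx.trusted_files` expands to `/usr//lib/...` while the mount `path` is `/usr{{ arch_libdir }}`; the Gramine examples use `/usr{{ arch_libdir }}` throughout, and aligning these avoids relying on path normalisation for the trusted-file prefix match.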
@@ -0,0 +1 @@
+fn main() {}
diff --git a/utils/quartz-enclave/src/lib.rs b/utils/quartz-enclave/src/lib.rs
deleted file mode 100644
index 939bb65..0000000
--- a/utils/quartz-enclave/src/lib.rs
+++ /dev/null
@@ -1,21 +0,0 @@
-#![warn(
- clippy::checked_conversions,
- clippy::panic,
- clippy::panic_in_result_fn,
- clippy::unwrap_used,
- rust_2018_idioms,
- unused_lifetimes
-)]
-#![deny(
- trivial_casts,
- trivial_numeric_casts,
- unused_import_braces,
- unused_qualifications,
- warnings
-)]
-#![forbid(unsafe_code)]
-
-#[cfg(test)]
-mod tests {
-
-}
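Review bot: The new `src/main.rs` drops the crate-level lint set that the deleted `utils/quartz-enclave/src/lib.rs` carried, most importantly `#![forbid(unsafe_code)]` along with `clippy::unwrap_used` and `clippy::panic`, which are meaningful guarantees for code that is going to run inside an enclave and be measured into MRENCLAVE. Carry the `#![warn(...)]`, `#![deny(...)]` and `#![forbid(unsafe_code)]` attributes over to the top of `main.rs`, above the stub `fn main() {}`; the removed block is visible in the sibling hunk and can be pasted as-is.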