FROM rust:1.80-alpine AS build
ARG CARGO_FLAGS=""
# By default we assume that there is an "enclave" directory in the root of the
# Quartz app that contains the enclave's code.
ARG ENCLAVE_DIR="enclave"
COPY . /opt/src
WORKDIR /opt/src
# TODO: Remove once the Quartz dependencies are open-sourced
RUN apk update && \
apk add --no-cache git openssh && \
mkdir -m 0700 /root/.ssh && \
cp .secrets/* /root/.ssh/ && \
chmod 0600 /root/.ssh/* && \
chmod 0644 /root/.ssh/*.pub && \
ssh-keyscan github.com >> /root/.ssh/known_hosts
# System dependencies for building our binary
RUN apk update && \
apk add --no-cache build-base protobuf-dev
RUN cd /opt/src/${ENCLAVE_DIR} && \
CARGO_TARGET_DIR=./target cargo build --release ${CARGO_FLAGS}
# TODO: Remove once the Quartz dependencies are open-sourced
RUN rm -rf /root/.ssh/
#------------------------------------------------------------------------------
FROM gramineproject/gramine:1.7-jammy
ARG ENCLAVE_DIR="enclave"
# By default we assume that the enclave binary's name is just "enclave".
ARG ENCLAVE_BIN="enclave"
ARG TRUSTED_HEIGHT
ARG TRUSTED_HASH
RUN apt update && \
apt install -y build-essential
# Copy the enclave binary we built in the previous stage
COPY --from=build /opt/src/${ENCLAVE_DIR}/target/release/${ENCLAVE_BIN} /opt/enclave/bin/enclave
COPY --from=build /opt/src/${ENCLAVE_DIR}/quartz.manifest.template /opt/enclave/
WORKDIR /opt/enclave
# TODO - update entire file to use DCAP, not EPID
RUN gramine-sgx-gen-private-key > /dev/null 2>&1 && \
gramine-manifest \
-Dlog_level="error" \
-Dhome="/opt/enclave" \
-Denclave_dir="/opt/enclave" \
-Denclave_executable="/opt/enclave/bin/enclave" \
-Darch_libdir="/lib/$(gcc -dumpmachine)" \
-Dra_type="epid" \
-Dra_client_linkable=1 \
-Dtrusted_height="${TRUSTED_HEIGHT}" \
-Dtrusted_hash="${TRUSTED_HASH}" \
-Dgramine_port=11090 \
quartz.manifest.template quartz.manifest && \
gramine-sgx-sign --manifest quartz.manifest --output quartz.manifest.sgx
CMD ["/restart_aesm.sh && gramine-sgx ./quartz"]