40 lines
1.5 KiB
Markdown
40 lines
1.5 KiB
Markdown
## Gramine experiments using MTCS
|
|
|
|
This is a Dockerfile for replaying the mtcs experiment in gramine, starting from the manifest file from https://github.com/informalsystems/cofi-private/issues/104
|
|
The starting point for the Dockerfile is the Gramine-based from Revm Relay hackathon. https://github.com/amiller/gramine-sgx-revm/
|
|
|
|
The point of this is to emphasize the verification process that can be completed even without SGX, by reproducing the MRENCLAVE and inspecting remote attestation quotes.
|
|
|
|
## Init the git submodules
|
|
|
|
This repo references mtcs as a submodule, but the Dockerfile simply copies mtcs from the current directory.
|
|
So don't forget to have git apply the submodules when cloning the repo
|
|
```bash
|
|
git submodule update --init --recursive
|
|
```
|
|
## Replicating the MRENCLAVE build (no SGX required
|
|
|
|
The following will build mtcs, then freeze all dependencies from the docker environment into the gramine manifest, and finally display the resulting MRENCLAVE
|
|
```bash
|
|
docker build . --tag mtcs
|
|
docker run mtcs
|
|
```
|
|
|
|
Let's see how long this remains reproducible:
|
|
```
|
|
mr_enclave: fa9149158c693b09e83480b48c2e7344c941aadca6d5829834f2af9f2690435e
|
|
```
|
|
|
|
## Execution on an SGX machine
|
|
|
|
This is tested on a local SGX machine, not Azure
|
|
|
|
```bash
|
|
docker run -it --device /dev/sgx_enclave \
|
|
-v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
|
|
-v ./data:/workdir/data \
|
|
mtcs bash
|
|
is-sgx-available
|
|
gramine-sgx ./mtcs
|
|
cat mtcs/data/micro-set-offs.out
|
|
``` |