Publish mrenclave #1473 (Merged)
Changes from 10 commits (13 commits in total):

f80be3f clangenb [GHA] introduce a variable for the docker image suffix, and add place…
475cbbf clangenb [GHA] upload mrenclave file
37deae8 clangenb [GHA] transform sgx mode to lowercase for docker image suffix
78bfcee clangenb [GHA] fix cmd
d4a362b clangenb [docker] include sgx_sign utility in worker image and add `mrenclave`…
0cfb560 clangenb [GHA] use docker run -t integritee-worker mrenclave to get the mrenclave
cfb9939 clangenb [GHA] use consistent capitalization
10abe91 clangenb [docker] fix printing the mrenclave
0953d11 clangenb [docker] add newline at the end of the script
d33cd88 clangenb [docker] fix printing mrenclave in docker command
9a3b494 clangenb [docker] extract the hex value of the mrenclave in entrypoint.sh
7febd4f clangenb [docker] fix grep command
c53b37a clangenb [GHA] grepping in entrypoint doesn't work for some reason, so you we …
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -61,6 +61,8 @@ jobs: | |
run: | | ||
fingerprint=$RANDOM | ||
echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV | ||
SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}") | ||
echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV | ||
if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then | ||
echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV | ||
echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV | ||
|
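Review bot: the lowercasing on the new `SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}")` line does not do what the commit message says. GitHub substitutes the expression before the shell runs, so the runner executes `${HW,,}` (or `${SW,,}`), which is the lowercase form of a shell variable named HW, not of the literal string; no such variable is set, so SGX_MODE_LOWERCASE is empty, IMAGE_SUFFIX becomes `-<flavor>-<sha>` with a leading empty segment, and the HW and SW builds of one flavor end up on the same image name. Assign the value to a variable first and lowercase that: `sgx_mode="${{ matrix.sgx_mode }}"` followed by `echo "IMAGE_SUFFIX=${sgx_mode,,}-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV`.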
@@ -79,7 +81,7 @@ jobs: | |
env: | ||
DOCKER_BUILDKIT: 1 | ||
run: > | ||
docker build -t integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} | ||
docker build -t integritee-worker-${{ env.IMAGE_SUFFIX }} | ||
--target deployed-worker | ||
--build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg FINGERPRINT=${FINGERPRINT} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }} | ||
-f build.Dockerfile . | ||
|
@@ -88,40 +90,51 @@ jobs: | |
env: | ||
DOCKER_BUILDKIT: 1 | ||
run: > | ||
docker build -t integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} | ||
docker build -t integritee-cli-client-${{ env.IMAGE_SUFFIX }} | ||
--target deployed-client | ||
--build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} | ||
-f build.Dockerfile . | ||
|
||
- run: docker images --all | ||
|
||
- name: Test Enclave # cargo test is not supported in the enclave, see: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/232 | ||
run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} test --all | ||
run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ env.IMAGE_SUFFIX }} test --all | ||
|
||
- name: Export worker image(s) | ||
run: | | ||
docker image save integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
docker image save integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
docker image save integritee-worker-${{ env.IMAGE_SUFFIX }} | gzip > integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
docker image save integritee-cli-client-${{ env.IMAGE_SUFFIX }} | gzip > integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
|
||
- name: Upload worker image | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
path: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
name: integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
path: integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
|
||
- name: Upload CLI client image | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
path: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
name: integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
path: integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
|
||
- name: Create Enclave Digest File | ||
run: | | ||
mrenclave_hex=$(docker run integritee-worker-${{ env.IMAGE_SUFFIX }} mrenclave | grep -o -E '[0-9a-fA-F]{64}') | ||
echo "$mrenclave_hex" > mrenclave-${{ env.IMAGE_SUFFIX }}.hex | ||
I would like to confirm consensus here: We create a Objections: @brenzi? |
||
|
||
- name: Upload Enclave Digest File | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: mrenclave-${{ env.IMAGE_SUFFIX }}.hex | ||
path: mrenclave-${{ env.IMAGE_SUFFIX }}.hex | ||
|
||
- name: Delete images | ||
run: | | ||
if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null | ||
if [[ "$(docker images -q integritee-worker-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-worker-${{ env.IMAGE_SUFFIX }} 2>/dev/null | ||
fi | ||
if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null | ||
if [[ "$(docker images -q integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2>/dev/null | ||
fi | ||
docker images --all | ||
|
||
|
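Review bot: the Create Enclave Digest File step assumes `docker run ... mrenclave` prints exactly one 64-hex-digit value; `grep -o -E '[0-9a-fA-F]{64}'` emits every match, so if the entrypoint's extract step ever outputs a second 32-byte field next to MRENCLAVE (a signer measurement is the same width) the uploaded .hex file has two lines and a verifier comparing against it will read the wrong one. Pin the match to the labelled MRENCLAVE line or take the first match, and refuse to write anything that is not exactly 64 characters, e.g. `[[ ${#mrenclave_hex} -eq 64 ]] || exit 1`. The default GitHub bash runs with `-o pipefail`, so a grep with no match already fails the step rather than uploading an empty digest, which is the right behaviour and worth keeping. Also add `--rm` to that `docker run`: unlike the test step it is a one-shot invocation and otherwise leaves a stopped container behind on the runner.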
@@ -243,6 +256,8 @@ jobs: | |
- name: Set env | ||
run: | | ||
version=$RANDOM | ||
SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}") | ||
echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV | ||
echo "FLAVOR_ID=${{ matrix.flavor_id }}" >> $GITHUB_ENV | ||
echo "PROJECT=${{ matrix.flavor_id }}-${{ matrix.demo_name }}" >> $GITHUB_ENV | ||
echo "VERSION=dev.$version" >> $GITHUB_ENV | ||
|
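Review bot: the same `${${{ matrix.sgx_mode }},,}` expansion problem from the first Set env hunk is repeated here: after substitution the shell sees `${HW,,}`, the lowercase of an unset variable, so IMAGE_SUFFIX again starts with an empty segment and the Download Worker Image step below looks for `integritee-worker--<flavor>-<sha>.tar.gz`. It only works because the build job computes the same wrong name. The block is copied a third time further down; compute it once with `sgx_mode="${{ matrix.sgx_mode }}"` and `${sgx_mode,,}`, or move it into a reusable step, so the fix does not have to be applied in three places.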
@@ -261,21 +276,21 @@ jobs: | |
- name: Download Worker Image | ||
uses: actions/download-artifact@v3 | ||
with: | ||
name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
name: integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
path: . | ||
|
||
- name: Download CLI client Image | ||
uses: actions/download-artifact@v3 | ||
with: | ||
name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
name: integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
path: . | ||
|
||
- name: Load Worker & Client Images | ||
env: | ||
DOCKER_BUILDKIT: 1 | ||
run: | | ||
docker image load --input integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
docker image load --input integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | ||
docker image load --input integritee-worker-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
docker image load --input integritee-cli-client-${{ env.IMAGE_SUFFIX }}.tar.gz | ||
docker images --all | ||
|
||
## | ||
|
@@ -290,8 +305,8 @@ jobs: | |
if [[ "$(docker images -q ${{ env.CLIENT_IMAGE_TAG }} 2> /dev/null)" == "" ]]; then | ||
docker image rmi --force ${{ env.CLIENT_IMAGE_TAG }} 2>/dev/null | ||
fi | ||
docker tag integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.WORKER_IMAGE_TAG }} | ||
docker tag integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.CLIENT_IMAGE_TAG }} | ||
docker tag integritee-worker-${{ env.IMAGE_SUFFIX }} ${{ env.WORKER_IMAGE_TAG }} | ||
docker tag integritee-cli-client-${{ env.IMAGE_SUFFIX }} ${{ env.CLIENT_IMAGE_TAG }} | ||
docker pull integritee/integritee-node:1.1.3 | ||
docker tag integritee/integritee-node:1.1.3 ${{ env.INTEGRITEE_NODE }} | ||
docker images --all | ||
|
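Review bot: the unchanged condition directly above the new `docker tag` lines is inverted: `if [[ "$(docker images -q ${{ env.CLIENT_IMAGE_TAG }} 2> /dev/null)" == "" ]]` runs `docker image rmi` only when the image does not exist, the opposite of the `!= ""` test used in the Delete images steps. It predates this PR, but since the retagging now depends on a clean CLIENT_IMAGE_TAG it is worth flipping to `!= ""` in the same change so a stale tag is actually removed before `docker tag integritee-cli-client-${{ env.IMAGE_SUFFIX }} ${{ env.CLIENT_IMAGE_TAG }}`.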
@@ -337,11 +352,11 @@ jobs: | |
|
||
- name: Delete images | ||
run: | | ||
if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null | ||
if [[ "$(docker images -q integritee-worker-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-worker-${{ env.IMAGE_SUFFIX }} 2>/dev/null | ||
fi | ||
if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null | ||
if [[ "$(docker images -q integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force integritee-cli-client-${{ env.IMAGE_SUFFIX }} 2>/dev/null | ||
fi | ||
if [[ "$(docker images -q ${{ env.WORKER_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then | ||
docker image rmi --force ${{ env.WORKER_IMAGE_TAG }} 2>/dev/null | ||
|
@@ -386,6 +401,8 @@ jobs: | |
run: | | ||
fingerprint=$RANDOM | ||
echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV | ||
SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}") | ||
echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV | ||
if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then | ||
echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV | ||
echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,17 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
# run aesmd in the background | ||
/opt/intel/sgx-aesm-service/aesm/aesm_service | ||
# Check if the first argument is "mrenclave" | ||
if [ "$1" = "mrenclave" ]; then | ||
# If "mrenclave" is provided, execute the corresponding command | ||
$SGX_ENCLAVE_SIGNER dump -enclave /usr/local/bin/enclave.signed.so -dumpfile df.out && \ | ||
/usr/local/bin/extract_identity < df.out && rm df.out | ||
|
||
exec /usr/local/bin/integritee-service "${@}" | ||
else | ||
# If no specific command is provided, execute the default unnamed command | ||
|
||
# run aesmd in the background | ||
/opt/intel/sgx-aesm-service/aesm/aesm_service | ||
|
||
exec /usr/local/bin/integritee-service "${@}" | ||
fi |
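Review bot: in the `mrenclave` branch the dump is written to `df.out` in the working directory and removed only when both `$SGX_ENCLAVE_SIGNER dump` and `extract_identity` succeed; because the three commands are chained with `&&`, a failure in the first two does not trigger `set -e`, the script just falls through to `fi` with the list's non-zero status and `df.out` is left behind. Use `tmp=$(mktemp)` with `trap 'rm -f "$tmp"' EXIT` and run the two commands as separate lines so `set -e` applies to each. The unquoted `$SGX_ENCLAVE_SIGNER` also deserves a guard such as `: "${SGX_ENCLAVE_SIGNER:?not set}"`, since an empty value currently surfaces only as `dump: command not found`. Nit: the else-branch comment "execute the default unnamed command" is misleading, as any other arguments are still forwarded to integritee-service through `"${@}"`.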
A docker image tag must have lower case letters only.