Add the RAG (retrieval-augmented generation) with Intel TDX solution. (#251)

* Add grpc RA-TLS backend support for Azure TDX and Azure SGX (#252)

* Add grpc RA-TLS backend support for Azure TDX and Azure SGX

* Update index.md

* Remove cczoo/grpc-ra-tls/grpc/grpc_ratls.patch and add to .gitignore

* Enable support for Microsoft Azure Attestation

* Update index.md

* Update requirements.txt

* Add HFL support for Azure TDX (#253)

* Add HFL support for Azure TDX

* Update tdx-hfl.md

* Enable support for Microsoft Azure Attestation

* Update tdx-hfl.md

* Update .readthedocs.yaml

* Update .readthedocs.yaml

* docs: Fix typos and styling (#254)

Fixes typos and grammar. Standardizes paragraph padding,
punctuation usage, code formatting, and multi-line code language
for syntax highlighting. Formats references to other files as links.

* docs: Fix grammar and styling (#256)

Fixes grammar, typos and rewords some sections for readability.
Standardizes paragraph padding, punctuation usage, code formatting,
and multi-line code language for syntax highlighting.

* docs: Fix file seperators and add clarifying details (#257)

Fixes backslashes to forward slashes per unix convention for file
path seperation and adds clarification that "parameter server"
corresponds to `ps0`.

* Add grpc RA-TLS backend support for Google Cloud TDX (#258)

* Core changes for enabling grpc-ra-tls WL on GC

Signed-off-by: Gopa Das <gopa.das@intel.com>

* Updated sgx_ra_tls_tdx.cc for GCP TDX

* Updated index.md for Google Cloud

* Fix items from code review

---------

Signed-off-by: Gopa Das <gopa.das@intel.com>
Co-authored-by: Hui, Sammy <sammy.hui@intel.com>

* Add rag with Intel TDX solutions

* Update dcap package

* Polish dockerfile

* Polish frontend dockerfile

---------

Signed-off-by: Gopa Das <gopa.das@intel.com>
Co-authored-by: shui1 <sammy.hui@intel.com>
Co-authored-by: Zhu Yunge <yunge.zhu@intel.com>
Co-authored-by: Elliot Jones <elliotx.jones@intel.com>
Co-authored-by: gopadas <74206306+gopadas@users.noreply.github.com>

Author: 5 people

.readthedocs.yaml

@@ -1,5 +1,15 @@
+# .readthedocs.yml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
 version: 2
 
+build:
+  os: ubuntu-20.04
+  tools:
+    python: "3.8"
+
 sphinx:
   configuration: documents/readthedoc/docs/source/conf.py
 

cczoo/common/docker/gramine/build_docker_image.azure.sh

@@ -0,0 +1,40 @@
+#
+# Copyright (c) 2022 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+
+function usage() {
+    echo -e "usage:"
+    echo -e '  ./build_docker_image.azure.sh ${tag}'
+    echo -e "  {tag}"
+    echo -e "       custom image tag, default: latest"
+}
+
+usage
+
+if  [ -n "$1" ] ; then
+    tag=$1
+else
+    tag=latest
+fi
+
+docker build \
+    --build-arg no_proxy=${no_proxy} \
+    --build-arg http_proxy=${http_proxy} \
+    --build-arg https_proxy=${https_proxy} \
+    -f gramine-sgx-dev.azure.dockerfile \
+    -t gramine-sgx-dev-azure:${tag} \
+    .

cczoo/common/docker/gramine/gramine-sgx-dev.azure.dockerfile

@@ -0,0 +1,125 @@
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://github.com/oscarlab/graphene/blob/master/Tools/gsc/images/graphene_aks.latest.dockerfile
+
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV INSTALL_PREFIX=/usr/local
+ENV LD_LIBRARY_PATH=${INSTALL_PREFIX}/lib:${INSTALL_PREFIX}/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH}
+ENV PATH=${INSTALL_PREFIX}/bin:${LD_LIBRARY_PATH}:${PATH}
+ENV LC_ALL=C.UTF-8 LANG=C.UTF-8
+
+# Install initial dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        wget \
+        ca-certificates \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /dcap
+RUN wget -q https://download.01.org/intel-sgx/sgx-dcap/1.19/linux/distro/ubuntu20.04-server/sgx_debian_local_repo.tgz \
+    && tar -xvf sgx_debian_local_repo.tgz
+RUN ["/bin/bash", "-c", "set -o pipefail && echo 'deb [trusted=yes arch=amd64] file:/dcap/sgx_debian_local_repo focal main' | tee /etc/apt/sources.list.d/intel-sgx.list"]
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        apt-utils \
+        build-essential \
+        autoconf \
+        libtool \
+        python3-pip \
+        python3-dev \
+        git \
+        zlib1g-dev \
+        unzip \
+        vim \
+        jq \
+        gawk bison python3-click python3-jinja2 golang ninja-build \
+        libprotobuf-c-dev python3-protobuf protobuf-c-compiler protobuf-compiler\
+        libgmp-dev libmpfr-dev libmpc-dev libisl-dev nasm \
+# Install SGX PSW
+        libsgx-pce-logic libsgx-ae-qve libsgx-quote-ex libsgx-quote-ex-dev libsgx-qe3-logic sgx-aesm-service \
+# Install SGX DCAP
+        libsgx-dcap-ql-dev libsgx-dcap-quote-verify-dev \
+# Install dependencies for Azure DCAP Client
+        libssl-dev libcurl4-openssl-dev pkg-config nlohmann-json3-dev \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Build and install the Azure DCAP Client (Release 1.12.1)
+WORKDIR /azure
+ARG AZUREDIR=/azure
+RUN git clone https://github.com/microsoft/Azure-DCAP-Client ${AZUREDIR} \
+    && git checkout bc7b484e5fa9a8daa684032c7270f76800b7007d \
+    && git submodule update --recursive --init
+
+WORKDIR /azure/src/Linux
+RUN ./configure \
+    && make DEBUG=1 \
+    && make install \
+    && cp libdcap_quoteprov.so /usr/lib/x86_64-linux-gnu/
+
+# Gramine
+ENV GRAMINEDIR=/gramine
+ENV SGX_DCAP_VERSION=DCAP_1.11
+ENV GRAMINE_VERSION=v1.2
+ENV ISGX_DRIVER_PATH=${GRAMINEDIR}/driver
+ENV WERROR=1
+ENV SGX=1
+
+RUN pip3 install --no-cache-dir 'toml==0.10.2' 'meson==1.2.2' 'cryptography==41.0.4'
+
+WORKDIR ${GRAMINEDIR}
+RUN git clone https://github.com/gramineproject/gramine.git ${GRAMINEDIR} \
+    && git checkout ${GRAMINE_VERSION}
+
+WORKDIR ${ISGX_DRIVER_PATH}
+RUN git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${ISGX_DRIVER_PATH} \
+    && git checkout ${SGX_DCAP_VERSION}
+
+ARG BUILD_TYPE=release
+WORKDIR ${GRAMINEDIR}
+RUN LD_LIBRARY_PATH="" meson setup build/ --buildtype=${BUILD_TYPE} -Dprefix=${INSTALL_PREFIX} -Ddirect=enabled -Dsgx=enabled -Ddcap=enabled -Dsgx_driver=dcap1.10 -Dsgx_driver_include_path=${ISGX_DRIVER_PATH}/driver/linux/include \
+    && LD_LIBRARY_PATH="" ninja -C build/ \
+    && LD_LIBRARY_PATH="" ninja -C build/ install
+
+# Install mbedtls
+RUN cd ${GRAMINEDIR}/build/subprojects/mbedtls-mbedtls* \
+    && cp -r -- *_gramine.a ${INSTALL_PREFIX}/lib \
+    && cd ${GRAMINEDIR}/subprojects/mbedtls-mbedtls*/mbedtls-mbedtls* \
+    && cp -r include/mbedtls ${INSTALL_PREFIX}/include
+
+# Install cJSON
+RUN cd ${GRAMINEDIR}/subprojects/cJSON*/ \
+    && make static \
+    && cp -r -- *.a ${INSTALL_PREFIX}/lib \
+    && mkdir -p ${INSTALL_PREFIX}/include/cjson \
+    && cp -r -- *.h ${INSTALL_PREFIX}/include/cjson
+
+RUN echo "enabled=0" > /etc/default/apport \
+    && echo "exit 0" > /usr/sbin/policy-rc.d
+
+# Clean tmp files
+RUN apt-get clean all \
+    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf ~/.cache/* \
+    && rm -rf /tmp/*
+
+RUN gramine-sgx-gen-private-key
+
+COPY configs /
+
+# Workspace
+ENV WORK_SPACE_PATH=${GRAMINEDIR}
+WORKDIR ${WORK_SPACE_PATH}

cczoo/grpc-ra-tls/.gitignore

@@ -1,3 +1,4 @@
 *.deb
 *.prm
 *.tar*
+grpc/grpc_ratls.patch

cczoo/grpc-ra-tls/azure_tdx/build_docker_image.sh

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+
+if  [ ! -n "$1" ] ; then
+    tag=latest
+else
+    tag=$1
+fi
+
+DOCKER_BUILDKIT=0 docker build \
+    -f grpc-ra-tls.azure_tdx.dockerfile .. \
+    -t grpc-ra-tls:azure_tdx_${tag} \
+    --build-arg no_proxy=${no_proxy} \
+    --build-arg http_proxy=${http_proxy} \
+    --build-arg https_proxy=${https_proxy} \

cczoo/grpc-ra-tls/azure_tdx/grpc-ra-tls.azure_tdx.dockerfile

@@ -0,0 +1,96 @@
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV INSTALL_PREFIX=/usr/local
+ENV LD_LIBRARY_PATH=${INSTALL_PREFIX}/lib:${INSTALL_PREFIX}/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH}
+ENV PATH=${INSTALL_PREFIX}/bin:${LD_LIBRARY_PATH}:${PATH}
+ENV LC_ALL=C.UTF-8 LANG=C.UTF-8
+
+# Install initial dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        wget \
+        ca-certificates \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /dcap
+RUN wget https://download.01.org/intel-sgx/sgx-dcap/1.19/linux/distro/ubuntu20.04-server/sgx_debian_local_repo.tgz \
+    && tar -xvf sgx_debian_local_repo.tgz
+RUN ["/bin/bash", "-c", "set -o pipefail && echo 'deb [trusted=yes arch=amd64] file:/dcap/sgx_debian_local_repo focal main' | tee /etc/apt/sources.list.d/intel-sgx.list"]
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        apt-utils \
+        python3-pip \
+        git \
+        vim \
+# required for gRPC build
+        build-essential cmake libcurl4-openssl-dev nlohmann-json3-dev \
+# SGX PSW packages required for gRPC build
+        libtdx-attest libtdx-attest-dev \
+# required for bazel setup
+        unzip \
+# required for Azure confidential-computing-cvm-guest-attestation
+        libjsoncpp-dev libboost-all-dev libssl1.1 \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Azure confidential-computing-cvm-guest-attestation
+WORKDIR /
+RUN git clone -b tdx-preview https://github.com/Azure/confidential-computing-cvm-guest-attestation
+WORKDIR /confidential-computing-cvm-guest-attestation
+RUN git checkout e045e8f52543f823f9a85d1b33338f99dec70397
+WORKDIR /confidential-computing-cvm-guest-attestation/tdx-attestation-app
+RUN dpkg -i package/azguestattestation1_1.0.3_amd64.deb
+
+# bazel
+RUN wget -q https://github.com/bazelbuild/bazel/releases/download/3.7.2/bazel-3.7.2-installer-linux-x86_64.sh
+RUN bash bazel-3.7.2-installer-linux-x86_64.sh && echo "source /usr/local/lib/bazel/bin/bazel-complete.bash" >> ~/.bashrc
+
+# grpc
+ENV GRPC_ROOT=/grpc
+ENV GRPC_PATH=${GRPC_ROOT}/src
+ENV SGX_RA_TLS_BACKEND=AZURE_TDX
+ENV SGX_RA_TLS_SDK=DEFAULT
+ENV BUILD_TYPE=Release
+
+ARG GRPC_VERSION=v1.38.1
+ARG GRPC_VERSION_PATH=${GRPC_ROOT}/${GRPC_VERSION}
+RUN git clone --recurse-submodules -b ${GRPC_VERSION} https://github.com/grpc/grpc ${GRPC_VERSION_PATH}
+
+RUN ln -s ${GRPC_VERSION_PATH} ${GRPC_PATH}
+
+COPY grpc/common ${GRPC_VERSION_PATH}
+COPY grpc/${GRPC_VERSION} ${GRPC_VERSION_PATH}
+COPY grpc/common/azure_tdx_config.json /etc
+
+# Install Python dependencies
+RUN pip3 install --upgrade --no-cache-dir \
+        'pip==23.1.*' 'certifi==2022.12.7' 'requests==2.31.*' 'urllib3==1.26.*' 'cython==0.29.36'\
+    && pip3 install --no-cache-dir -r "${GRPC_PATH}/requirements.txt"
+
+# Build grpc ra-tls example server/client
+WORKDIR ${GRPC_PATH}/examples/cpp/ratls
+RUN build.sh
+WORKDIR ${GRPC_PATH}/examples/python/ratls
+RUN build.sh
+
+# Clean tmp files
+RUN apt-get clean all \
+    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf ~/.cache/pip/* \
+    && rm -rf /tmp/*
+
+WORKDIR ${GRPC_PATH}/examples/cpp/ratls/build

cczoo/grpc-ra-tls/azure_tdx/start_container.sh

@@ -0,0 +1,38 @@
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+
+usage() {
+    echo -e "Usage: $0 IMAGE_ID"
+    echo -e "  IMAGE_ID   Container image ID;"
+}
+
+if [ "$#" -lt 1 ]; then
+    usage
+    exit 1
+fi
+
+image_id=${1}
+
+docker run -itd \
+    --privileged=true \
+    -p 8500:8500 \
+    --cap-add=SYS_PTRACE \
+    --security-opt seccomp=unconfined \
+    -v /dev:/dev \
+    ${image_id} \
+    bash

cczoo/grpc-ra-tls/gcp_tdx/build_docker_image.sh

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+set -e
+
+if  [ ! -n "$1" ] ; then
+    tag=latest
+else
+    tag=$1
+fi
+
+DOCKER_BUILDKIT=0 docker build \
+    -f grpc-ra-tls.gcp_tdx.dockerfile .. \
+    -t grpc-ra-tls:gcp_tdx_${tag} \
+    --build-arg no_proxy=${no_proxy} \
+    --build-arg http_proxy=${http_proxy} \
+    --build-arg https_proxy=${https_proxy} \