gsc
gsc build and gsc-sign fail when building/signing images for ubuntu18.04
What fails?
1. gsc build fails to find sgx_user.h:
meson.build:165:8: ERROR: Problem encountered: Invalid SGX driver configuration (-Dsgx_driver and/or -Dsgx_driver_include_path); expected "sgx_user.h" to exist under "/gramine/driver/driver/linux/include"
Suggested fix by Dmitrii: change templates/Dockerfile.common.compile.template to have "-Dsgx_driver=dcap1.6"
2. gsc sign-image fails with:
Traceback (most recent call last):
File "/gramine/meson_build_output/bin/gramine-sgx-sign", line 74, in <module>
main() # pylint: disable=no-value-for-parameter
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1128, in __call__
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1053, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1395, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 754, in invoke
return __callback(*args, **kwargs)
File "/gramine/meson_build_output/bin/gramine-sgx-sign", line 48, in main
sigstruct.sign(sign_with_local_key, key)
File "/gramine/meson_build_output/lib/python3.6/site-packages/graminelibos/sigstruct.py", line 167, in sign
exponent_int, modulus_int, signature_int = do_sign_callback(data, *args, **kwargs)
File "/gramine/meson_build_output/lib/python3.6/site-packages/graminelibos/sgx_sign.py", line 584, in sign_with_local_key
modulus = bytes.fromhex(modulus_out[8:8+offs.SE_KEY_SIZE*2].decode())
ValueError: non-hexadecimal number found in fromhex() arg at position 512
I guessed it required a newer version of Python, and changed templates/ubuntu/Dockerfile.build.template to be:
{% extends "Dockerfile.common.build.template" %}
{% block install %}
RUN apt-get update \
&& apt-get install -y wget libcurl4
RUN wget https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.10_amd64.deb \
&& dpkg -i az-dcap-client_1.10_amd64.deb
RUN apt-get update \
&& env DEBIAN_FRONTEND=noninteractive apt-get install -y \
binutils \
libcurl4-openssl-dev \
libffi-dev \
libprotobuf-c-dev \
locales \
locales-all \
openssl \
python3.8 \
python3.8-dev \
python3-cryptography \
python3-pip \
python3-protobuf \
python3-pyelftools
# Default Python 3.6 fails to parse the key modulus from hex inside
# Gramine's graminelibos/sgx_sign.py (see traceback). Point python3 at 3.8.
RUN ln -sf /usr/bin/python3.8 /usr/bin/python3
RUN ls -l /usr/bin/python*
# Older version of markupsafe is required for subsequent install.
RUN pip3 install markupsafe==1.0.0
RUN pip3 install click jinja2 protobuf 'toml>=0.10'
RUN pip3 install -U cffi
{% if debug %}
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
gdb \
less \
libunwind8 \
python3-pytest \
strace \
vim
{% endif %}
RUN locale-gen en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US.UTF-8
{% endblock %}
----------------------- files ---------------------
Script to run build and sign. Please replace todo.
#!/bin/bash
set -e
SCRIPT_DIR="$(realpath "$(dirname -- "${BASH_SOURCE[0]}")")"
echo "$SCRIPT_DIR"
# Input/output docker images' tags.
NATIVE_VERSION=0.0.1
ENCRYPTED_VERSION=$NATIVE_VERSION
NATIVE_IMAGE=todo-repo/todo-image-${NATIVE_VERSION}
GSC_IMAGE=gsc-$NATIVE_IMAGE
GSC_UNSIGNED_IMAGE=$GSC_IMAGE-unsigned
ENCRYPTED_IMAGE=todo-repo/todo-image-${ENCRYPTED_VERSION}
# Remove gsc images as the tool checks for their existence as
# a way to check for errors during build. On the first run the images
# do not exist yet; ignore that error so set -e does not abort here.
docker rmi -f "$GSC_IMAGE" "$GSC_UNSIGNED_IMAGE" 2>/dev/null || true
echo "Native image='$NATIVE_IMAGE'"
echo "Encrypted image='$ENCRYPTED_IMAGE'"
# Get the gsc tool - gsc in the root of the repo is the python script to run.
BASE_DIR=$HOME/tmp
GSC_DIR=$BASE_DIR/gsc
GSC=$GSC_DIR/gsc
mkdir -p "$BASE_DIR"
if [ ! -f "$GSC" ]; then
git clone --depth 1 https://github.com/gramineproject/gsc.git "$GSC_DIR"
chmod +x "$GSC"
fi
# Create venv for bringing python dependencies required by gsc.
VENV_DIR=$BASE_DIR/venv
mkdir -p "$VENV_DIR"
if [ ! -d "$VENV_DIR/bin" ]; then
python3 -m venv "$VENV_DIR"
fi
source "$VENV_DIR/bin/activate"
# Bring dependencies needed by gsc.
pip3 install docker jinja2 toml pyyaml
# Graminize the image. gsc must be run from its own checkout; a failed
# build is caught by the docker inspect below rather than by set -e.
CONFIG_FILE=$SCRIPT_DIR/gramine_gsc_config.yaml
MANIFEST_FILE=$SCRIPT_DIR/gramine.manifest
cd "$GSC_DIR"
"$GSC" build -c "$CONFIG_FILE" "$NATIVE_IMAGE" "$MANIFEST_FILE" || cd -
# Run docker inspect to fail the script if the image was not generated.
docker image inspect "$GSC_UNSIGNED_IMAGE"
# Generate signing key.
echo "Generating key file"
KEY_FILE=$BASE_DIR/image_key.pem
openssl genrsa -out "$KEY_FILE" 2048
# Generate signed image <--- THIS STEP FAILS
cd "$GSC_DIR"
"$GSC" sign-image -c "$CONFIG_FILE" "$NATIVE_IMAGE" "$KEY_FILE" || cd -
Contents of gramine_gsc_config.yaml:
Distro: "ubuntu:18.04"
Registry: ""
Gramine:
  Repository: "https://github.com/gramineproject/gramine.git"
  Branch: "v1.2"
SGXDriver:
  # Intel recommended using LD_1.33 - special version for Azure and DCAP_1.6
  # in gsc/templates/Dockerfile.common.compile.template
  Repository: "https://github.com/intel/SGXDataCenterAttestationPrimitives.git"
  Branch: "DCAP_1.6 && cp -r driver/linux/* ."
Contents of gramine.manifest:
sgx.remote_attestation = false
sgx.enclave_size = "2G"
Contents of the Dockerfile for the native image (hello.py contains print("testing")):
FROM ubuntu:18.04
RUN apt-get update
RUN apt-get install -y \
python3.8
WORKDIR /app
COPY hello.py .
ENTRYPOINT ["python3", "-m", "hello"]
How does your native image even work? If I use it, I don't have python3 at all:
$ docker run --rm -it --entrypoint /bin/bash ubuntu18.04-test-image
root@1a7f289fb468:/# python3
bash: python3: command not found
root@1a7f289fb468:/# which python
root@1a7f289fb468:/# which python3
root@1a7f289fb468:/# which python3.8
/usr/bin/python3.8
Copy/paste error, please use this one:
FROM ubuntu:18.04
RUN apt-get update
RUN apt-get install -y \
python3.8
RUN ln -s /usr/bin/python3.8 /usr/bin/python3
WORKDIR /app
COPY hello.py .
ENTRYPOINT ["python3", "-m", "hello"]
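Added example, not code from the issue or from Gramine. The line that fails in the traceback, `bytes.fromhex(modulus_out[8:8+offs.SE_KEY_SIZE*2].decode())`, takes a fixed-width slice of the `openssl rsa -noout -modulus` output (`Modulus=<hex>\n`, the prefix being the 8 bytes skipped). SE_KEY_SIZE is 384 because an SGX SIGSTRUCT holds a 3072-bit modulus; Gramine's gramine-sgx-gen-private-key accordingly produces a 3072-bit RSA key with public exponent 3, equivalent to `openssl genrsa -3 -out key.pem 3072`. The script above runs `openssl genrsa ... 2048`, whose modulus is only 512 hex characters, so the 768-character slice also swallows the trailing newline, which is the non-hex character at position 512 that Python 3.6 reports. Python 3.7 and later skip ASCII whitespace in bytes.fromhex, so relinking python3 to 3.8 gets past this line with a 256-byte modulus that still does not fill the 384-byte field. The code below reconstructs that slice on constructed modulus lines (random numbers of the right bit length, not real RSA keys) and adds the pre-flight length check to run on the key before `gsc sign-image`; the function names are mine.

```python
import random
import string

SE_KEY_SIZE = 384        # SIGSTRUCT modulus field: 384 bytes = 3072-bit RSA
PREFIX = b"Modulus="     # 8 bytes, hence the [8:...] slice in sgx_sign.py
HEX_DIGITS = set(string.hexdigits)


def fake_openssl_modulus_output(bits, seed=0):
    """Constructed stand-in for `openssl rsa -in key.pem -noout -modulus`.

    Not a real RSA modulus: an odd integer with its top bit set, so it has
    exactly `bits` bits and therefore the same hex length a real key gives.
    """
    n = random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1
    return PREFIX + f"{n:X}".encode() + b"\n"


def slice_like_sgx_sign(modulus_out):
    """The exact string the traceback shows being handed to bytes.fromhex()."""
    return modulus_out[8:8 + SE_KEY_SIZE * 2].decode()


def first_non_hex(s):
    """Index that Python 3.6's bytes.fromhex() reports in its ValueError,
    or None when every character is a hex digit (3.7+ would instead skip
    whitespace silently, hiding the short key rather than fixing it)."""
    for i, ch in enumerate(s):
        if ch not in HEX_DIGITS:
            return i
    return None


def check_signing_key_modulus(modulus_out):
    """Pre-flight check before `gsc sign-image`: parse the whole modulus line
    instead of a fixed-width slice and compare it with what SGX expects."""
    if not modulus_out.startswith(PREFIX):
        raise ValueError("not an `openssl rsa -modulus` output line")
    hexstr = modulus_out[len(PREFIX):].strip().decode()
    modulus = bytes.fromhex(hexstr)
    return {
        "bits": int(hexstr, 16).bit_length(),
        "modulus_len": len(modulus),
        "ok": len(modulus) == SE_KEY_SIZE,
    }


if __name__ == "__main__":
    # 2048: the slice is 513 chars ending in "\n" -> non-hex at position 512,
    # matching the traceback. 3072: exactly 768 hex chars, check passes.
    for bits in (2048, 3072):
        out = fake_openssl_modulus_output(bits)
        s = slice_like_sgx_sign(out)
        print(bits, "slice length", len(s), "first non-hex at", first_non_hex(s),
              check_signing_key_modulus(out))
```

To run the check on the real key from the script, feed it the bytes of `openssl rsa -in "$KEY_FILE" -noout -modulus`; `ok` is False for any key that is not 3072-bit, which is the case to fix before retrying `gsc sign-image`. Exponent 3 is a separate requirement the modulus line cannot show; `openssl rsa -in key.pem -noout -text` prints it as `publicExponent`.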