ci: SGX build: drop TEE GH environment, use regular secret (#751)

Hendrik Eeckhaut
2025-03-27 11:40:04 +01:00
committed by GitHub
parent f0e2200d22
commit 8c889ac498
16 changed files with 3 additions and 673 deletions


@@ -1,43 +0,0 @@
#/bin/sh
# this is to be ran in a docker container via an github action that has gramine set-up already e.g.,
# notaryserverbuilds.azurecr.io/builder/gramine
# with sgx hardware:
# ./gramine.sh sgx
#
# without:
# ./gramine.sh
##
if [ -z "$1" ]
then
run='gramine-direct notary-server &'
else
run='gramine-sgx notary-server &'
fi
curl https://sh.rustup.rs -sSf | sh -s -- -y
. "$HOME/.cargo/env"
apt install libssl-dev
gramine-sgx-gen-private-key
SGX=1 make
gramine-sgx-sign -m notary-server.manifest -o notary-server.sgx
mr_enclave=$(gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig |jq .mr_enclave)
echo "mrenclave=$mr_enclave" >> "$GITHUB_OUTPUT"
echo "#### sgx mrenclave" | tee >> $GITHUB_STEP_SUMMARY
echo "\`\`\`${mr_enclave}\`\`\`" | tee >> $GITHUB_STEP_SUMMARY
eval "$run"
sleep 5
if [ "$1" ]; then
curl 127.0.0.1:7047/info
else
quote=$(curl 127.0.0.1:7047/info | jq .quote.rawQuote)
echo $quote
echo "quote=$quote" >> $GITHUB_OUTPUT
echo "#### 🔒 signed quote ${quote}" | tee >> $GITHUB_STEP_SUMMARY
echo "${quote}" | tee >> $GITHUB_STEP_SUMMARY
fi


@@ -214,7 +214,6 @@ jobs:
gramine-sgx:
runs-on: ubuntu-latest
needs: build-sgx
environment: tee
container:
image: gramineproject/gramine:latest
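Review bot: Removing `environment: tee` from the gramine-sgx job takes the job out from under the tee environment's protection rules and environment-scoped secret visibility, so whatever secret replaces it (not visible in this hunk) must now be a repository-scoped secret readable by any workflow run in the repository. If that replacement is the enclave signing key, as the commit title suggests, the job should state its trust level so it is not later mistaken for a release key, e.g. `# signing key comes from a repository secret: CI/test builds only, not a release key` above `needs: build-sgx`. Which secret the job reads and its `steps:` lie outside this hunk.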


@@ -1,156 +0,0 @@
name: azure-tee-release
permissions:
contents: read
id-token: write
attestations: write
on:
workflow_dispatch:
inputs:
ref:
description: 'git branch'
required: false
default: 'dev'
type: string
#on:
# release:
# types: [published]
# branches:
# - 'releases/**'
env:
GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }}
GIT_COMMIT_TIMESTAMP: ${{ github.event.repository.updated_at}}
REGISTRY: notaryserverbuilds.azurecr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
update-reverse-proxy:
permissions:
contents: write
environment: tee
runs-on: [self-hosted, linux]
outputs:
teeport: ${{ steps.portbump.outputs.newport}}
deploy: ${{ steps.portbump.outputs.deploy}}
steps:
- name: checkout repository
uses: actions/checkout@v4
- name: update caddyfile
id: portbump
env:
RELEASE_TAG: ${{ github.event.release.tag_name || inputs.ref }}
run: |
echo "tag: $RELEASE_TAG"
NEXT_PORT=$(bash cd-scripts/tee/azure/updateproxy.sh 'cd-scripts/tee/azure/Caddyfile' $RELEASE_TAG)
echo "newport=$NEXT_PORT" >> $GITHUB_OUTPUT
echo "new deploy port: $NEXT_PORT 🚀" >> $GITHUB_STEP_SUMMARY
chmod +r -R cd-scripts/tee/azure/
- name: Deploy updated Caddyfile to server
if: ${{ steps.portbump.outputs.deploy == 'new' }}
uses: appleboy/scp-action@v0.1.7
with:
host: ${{ secrets.AZURE_TEE_PROD_HOST }}
username: ${{ secrets.AZURE_PROD_TEE_USERNAME }}
key: ${{ secrets.AZURE_TEE_PROD_KEY }}
source: "cd-scripts/tee/azure/Caddyfile"
target: "~/"
- name: Reload Caddy on server
if: ${{ steps.portbump.outputs.deploy == 'new' }}
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.AZURE_TEE_PROD_HOST }}
username: ${{ secrets.AZURE_PROD_TEE_USERNAME }}
key: ${{ secrets.AZURE_TEE_PROD_KEY }}
script: |
sudo cp ~/cd-scripts/tee/azure/Caddyfile /etc/caddy/Caddyfile
sudo systemctl reload caddy
build-measure:
environment: tee
runs-on: [self-hosted, linux]
needs: [ update-reverse-proxy ]
container:
image: notaryserverbuilds.azurecr.io/prod/gramine
credentials:
username: notaryserverbuilds
password: ${{ secrets.AZURE_CR_BUILDS_PW }}
env:
GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }}
volumes:
- /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
options: "--device /dev/sgx_enclave"
steps:
- name: get code
uses: actions/checkout@v4
- name: sccache
if: github.event_name != 'release'
# && github.event_name != 'workflow_dispatch'
uses: mozilla-actions/sccache-action@v0.0.6
- name: set rust env for scc
if: github.event_name != 'release'
# && github.event_name != 'workflow_dispatch'
run: |
echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV
echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
- name: reverse proxy port
run: echo "${{needs.update-reverse-proxy.outputs.teeport}}" | tee >> $GITHUB_STEP_SUMMARY
- name: get hardware measurement
working-directory: ${{ github.workspace }}/crates/notary/server/tee
run: |
chmod +x ../../../../.github/scripts/gramine.sh && ../../../../.github/scripts/gramine.sh sgx
artifact-deploy:
environment: tee
runs-on: [self-hosted, linux]
needs: [ build-measure, update-reverse-proxy ]
steps:
- name: auth to registry
uses: docker/login-action@v3
with:
registry: notaryserverbuilds.azurecr.io
username: notaryserverbuilds
password: ${{ secrets.AZURE_CR_BUILDS_PW }}
- name: get code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Get Git commit timestamps
run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
- name: Build and push
id: deploypush
uses: docker/build-push-action@v6
with:
provenance: mode=max
no-cache: true
context: ${{ github.workspace }}/crates/notary/server/tee
push: true
tags: notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }}
labels: ${{needs.update-reverse-proxy.outputs.teeport}}
env:
# reproducible builds: https://github.com/moby/buildkit/blob/master/docs/build-repro.md#source_date_epoch
SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }}
format: 'cyclonedx-json'
output-file: 'sbom.cyclonedx.json'
# attestation section ::
# https://docs.docker.com/build/ci/github-actions/attestations/
- name: Attest
uses: actions/attest-build-provenance@v1
with:
subject-name: notaryserverbuilds.azurecr.io/prod/notary-sgx
subject-digest: ${{ steps.deploypush.outputs.digest }}
push-to-registry: true
-
name: run
run: |
if [[ ${{ needs.update-reverse-proxy.outputs.deploy }} == 'new' ]]; then
docker run --device /dev/sgx_enclave --device /dev/sgx_provision --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p ${{needs.update-reverse-proxy.outputs.teeport}}:7047 notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} &
else
old=$(docker ps --filter "name=${{needs.update-reverse-proxy.outputs.teeport}}")
docker rm -f $old
docker run --name ${{needs.update-reverse-proxy.outputs.teeport}} --device /dev/sgx_enclave --device /dev/sgx_provision --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p ${{needs.update-reverse-proxy.outputs.teeport}}:7047 notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} &
fi


@@ -1,31 +0,0 @@
# AWS CodeDeploy application specification file
version: 0.0
os: linux
files:
- source: /
destination: /home/ubuntu/tlsn
permissions:
- object: /home/ubuntu/tlsn
owner: ubuntu
group: ubuntu
hooks:
BeforeInstall:
- location: cd-scripts/appspec-scripts/before_install.sh
timeout: 300
runas: ubuntu
AfterInstall:
- location: cd-scripts/appspec-scripts/after_install.sh
timeout: 300
runas: ubuntu
ApplicationStart:
- location: cd-scripts/appspec-scripts/start_app.sh
timeout: 300
runas: ubuntu
ApplicationStop:
- location: cd-scripts/appspec-scripts/stop_app.sh
timeout: 300
runas: ubuntu
ValidateService:
- location: cd-scripts/appspec-scripts/validate_app.sh
timeout: 300
runas: ubuntu


@@ -1,35 +0,0 @@
#!/bin/bash
set -e
TAG=$(curl http://169.254.169.254/latest/meta-data/tags/instance/stable)
APP_NAME=$(echo $APPLICATION_NAME | awk -F- '{ print $2 }')
if [ $APP_NAME = "stable" ]; then
# Prepare directories for stable versions
sudo mkdir ~/${APP_NAME}_${TAG}
sudo mv ~/tlsn ~/${APP_NAME}_${TAG}
sudo mkdir -p ~/${APP_NAME}_${TAG}/tlsn/notary/target/release
sudo chown -R ubuntu.ubuntu ~/${APP_NAME}_${TAG}
# Download .git directory
aws s3 cp s3://tlsn-deploy/$APP_NAME/.git ~/${APP_NAME}_${TAG}/tlsn/.git --recursive
# Download binary
aws s3 cp s3://tlsn-deploy/$APP_NAME/notary-server ~/${APP_NAME}_${TAG}/tlsn/notary/target/release
chmod +x ~/${APP_NAME}_${TAG}/tlsn/notary/target/release/notary-server
else
# Prepare directory for dev
sudo rm -rf ~/$APP_NAME/tlsn
sudo mv ~/tlsn/ ~/$APP_NAME
sudo mkdir -p ~/$APP_NAME/tlsn/notary/target/release
sudo chown -R ubuntu.ubuntu ~/$APP_NAME
# Download .git directory
aws s3 cp s3://tlsn-deploy/$APP_NAME/.git ~/$APP_NAME/tlsn/.git --recursive
# Download binary
aws s3 cp s3://tlsn-deploy/$APP_NAME/notary-server ~/$APP_NAME/tlsn/notary/target/release
chmod +x ~/$APP_NAME/tlsn/notary/target/release/notary-server
fi
exit 0


@@ -1,20 +0,0 @@
#!/bin/bash
set -e
APP_NAME=$(echo $APPLICATION_NAME | awk -F- '{ print $2 }')
if [ $APP_NAME = "stable" ]; then
VERSIONS_DEPLOYED=$(find ~/ -maxdepth 1 -type d -name 'stable_*')
VERSIONS_DEPLOYED_COUNT=$(echo $VERSIONS_DEPLOYED | wc -w)
if [ $VERSIONS_DEPLOYED_COUNT -gt 3 ]; then
echo "More than 3 stable versions found"
exit 1
fi
else
if [ ! -d ~/$APP_NAME ]; then
mkdir ~/$APP_NAME
fi
fi
exit 0


@@ -1,26 +0,0 @@
#!/bin/bash
# Port tagging will also be used to manipulate proxy server via modify_proxy.sh script
set -ex
TAG=$(curl http://169.254.169.254/latest/meta-data/tags/instance/stable)
APP_NAME=$(echo $APPLICATION_NAME | awk -F- '{ print $2 }')
if [ $APP_NAME = "stable" ]; then
# Check if all stable ports are in use. If true, terminate the deployment
[[ $(netstat -lnt4 | egrep -c ':(7047|7057|7067)\s') -eq 3 ]] && { echo "All stable ports are in use"; exit 1; }
STABLE_PORTS="7047 7057 7067"
for PORT in $STABLE_PORTS; do
PORT_LISTENING=$(netstat -lnt4 | egrep -cw $PORT || true)
if [ $PORT_LISTENING -eq 0 ]; then
~/${APP_NAME}_${TAG}/tlsn/notary/target/release/notary-server --config-file ~/.notary/${APP_NAME}_${PORT}/config.yaml &> ~/${APP_NAME}_${TAG}/tlsn/notary.log &
# Create a tag that will be used for service validation
INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
aws ec2 create-tags --resources $INSTANCE_ID --tags "Key=port,Value=$PORT"
break
fi
done
else
~/$APP_NAME/tlsn/notary/target/release/notary-server --config-file ~/.notary/$APP_NAME/config.yaml &> ~/$APP_NAME/tlsn/notary.log &
fi
exit 0


@@ -1,36 +0,0 @@
#!/bin/bash
# AWS CodeDeploy hook sequence: https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#appspec-hooks-server
set -ex
APP_NAME=$(echo $APPLICATION_NAME | awk -F- '{ print $2 }')
if [ $APP_NAME = "stable" ]; then
VERSIONS_DEPLOYED=$(find ~/ -maxdepth 1 -type d -name 'stable_*')
VERSIONS_DEPLOYED_COUNT=$(echo $VERSIONS_DEPLOYED | wc -w)
# Remove oldest version if exists
if [ $VERSIONS_DEPLOYED_COUNT -eq 3 ]; then
echo "Candidate versions to be removed:"
OLDEST_DIR=""
OLDEST_TIME=""
for DIR in $VERSIONS_DEPLOYED; do
TIME=$(stat -c %W $DIR)
if [ -z $OLDEST_TIME ] || [ $TIME -lt $OLDEST_TIME ]; then
OLDEST_DIR=$DIR
OLDEST_TIME=$TIME
fi
done
echo "The oldest version is running under: $OLDEST_DIR"
PID=$(lsof $OLDEST_DIR/tlsn/notary/target/release/notary-server | awk '{ print $2 }' | tail -1)
kill -15 $PID || true
rm -rf $OLDEST_DIR
fi
else
PID=$(pgrep -f notary.*$APP_NAME)
kill -15 $PID || true
fi
exit 0


@@ -1,21 +0,0 @@
#!/bin/bash
set -e
# Verify proccess is running
APP_NAME=$(echo $APPLICATION_NAME | awk -F- '{ print $2 }')
# Verify that listening sockets exist
if [ $APP_NAME = "stable" ]; then
PORT=$(curl http://169.254.169.254/latest/meta-data/tags/instance/port)
ps -ef | grep notary.*$APP_NAME.*$PORT | grep -v grep
[ $? -eq 0 ] || exit 1
else
PORT=7048
pgrep -f notary.*$APP_NAME
[ $? -eq 0 ] || exit 1
fi
EXPOSED_PORTS=$(netstat -lnt4 | egrep -cw $PORT)
[ $EXPOSED_PORTS -eq 1 ] || exit 1
exit 0


@@ -1,14 +0,0 @@
#!/bin/bash
# This script is executed on proxy side, in order to assign the available port to latest stable version
set -e
PORT=$1
VERSION=$2
sed -i "/# Port $PORT/{n;s/v[0-9].[0-9].[0-9]-[a-z]*.[0-9]*/$VERSION/g}" /etc/nginx/sites-available/tlsnotary-pse
sed -i "/# Port $PORT/{n;n;s/v[0-9].[0-9].[0-9]-[a-z]*.[0-9]*/$VERSION/g}" /etc/nginx/sites-available/tlsnotary-pse
nginx -t
nginx -s reload
exit 0


@@ -1,90 +0,0 @@
#
# global block =>
# email is for acme
# # # #
{
key_type p256
email mac@pse.dev # for acme
servers {
metrics
}
log {
output stdout
format console {
time_format common_log
time_local
}
level DEBUG
}
}
#
# server block, acme turned on (default when using dns)
# reverse proxy with fail_duration + lb will try upstreams sequentially (fallback)
# e.g. => `reverse_proxy :4000 :5000 10.10.10.10:1000 tlsnotary.org:443`
# will always deliver to :4000 if its up, but if :4000 is down for more than 4s it trys the next one
# # # #
notary.codes {
handle_path /v0.1.0-alpha.8* {
reverse_proxy :4003 :3333 {
lb_try_duration 4s
fail_duration 10s
lb_policy header X-Upstream {
fallback first
}
}
}
handle_path /v0.1.0-alpha.7* {
reverse_proxy :4002 :3333 {
lb_try_duration 4s
fail_duration 10s
lb_policy header X-Upstream {
fallback first
}
}
}
handle_path /v0.1.0-alpha.6* {
reverse_proxy :4001 :3333 {
lb_try_duration 4s
fail_duration 10s
lb_policy header X-Upstream {
fallback first
}
}
}
handle_path /nightly* {
reverse_proxy :3333 {
lb_try_duration 4s
fail_duration 10s
lb_policy header X-Upstream {
fallback first
}
}
}
handle_path /proxy* {
reverse_proxy :55688 proxy.notary.codes:443 {
lb_try_duration 4s
fail_duration 10s
lb_policy header X-Upstream {
fallback first
}
}
}
handle {
root * /srv
file_server
}
handle_errors {
@404 {
expression {http.error.status_code} == 404
}
rewrite @404 /index.html
file_server
}
}
}


@@ -1,7 +0,0 @@
global:
scrape_interval: 15s
scrape_configs:
- job_name: caddy
static_configs:
- targets: ['localhost:2019']


@@ -1,84 +0,0 @@
#!/bin/sh
# Variables (Update these as needed)x
CADDYFILE=${1:-/etc/caddy/Caddyfile} # Path to your Caddyfile
GIT_COMMIT_HASH=${2:-dev}
BASE_PORT=6061 # The starting port for your reverse_proxy directives
# Function to check if handle_path for the given commit hash exists
handle_path_exists() {
local commit_hash=$1
#echo "handle_path_exists $1 -- CADDYFILE: $CADDYFILE"
grep -q "handle_path /${commit_hash}\*" "$CADDYFILE"
}
# Function to extract the port for a given commit hash
extract_port_for_commit() {
local commit_hash=$1
#echo "extract_port_for_commit $1 -- 2: $2"
grep -Pzo "handle_path /${commit_hash}\* \{\n\s*reverse_proxy :(.*) " "$CADDYFILE" | grep -Poa "reverse_proxy :(.*) " | awk '{print $2}'
}
# Function to get the last port in the Caddyfile
get_last_port() {
grep -Po "reverse_proxy :([0-9]+)" "$CADDYFILE" | awk -F: '{print $2}' | sort -n | tail -1
}
# Function to add a new handle_path block with incremented port inside notary.codes block
add_new_handle_path() {
local new_port=$1
local commit_hash=$2
# Use a temporary file for inserting the handle_path block
tmp_file=$(mktemp)
# Add the new handle_path in the notary.codes block
awk -v port="$new_port" -v hash="$commit_hash" '
/notary\.codes \{/ {
print;
print " handle_path /" hash "* {";
print " reverse_proxy :" port " :3333 {";
print " lb_try_duration 4s";
print " fail_duration 10s";
print " lb_policy header X-Upstream {";
print " fallback first";
print " }";
print " }";
print " }";
next;
}
{ print }
' "$CADDYFILE" > "$tmp_file"
# Overwrite the original Caddyfile with the updated content
mv "$tmp_file" "$CADDYFILE"
}
#git action perms +r
chmod 664 cd-scripts/tee/azure/Caddyfile
# Check if the commit hash already exists in a handle_path
if handle_path_exists "$GIT_COMMIT_HASH"; then
existing_port=$(extract_port_for_commit "$GIT_COMMIT_HASH")
echo "${existing_port:1}"
exit 0
else
# Get the last port used and increment it
last_port=$(get_last_port)
if [[ -z "$last_port" ]]; then
last_port=$BASE_PORT
fi
new_port=$((last_port + 1))
# Add the new handle_path block inside notary.codes block
add_new_handle_path "$new_port" "$GIT_COMMIT_HASH"
echo $new_port
# commit the changes
git config user.name github-actions
git config user.email github-actions@github.com
git add -A
git commit --quiet --allow-empty -m "azure tee reverse proxy => port:$NEXT_PORT/${RELEASE_TAG}"
git push --quiet
echo "deploy=new" >> $GITHUB_OUTPUT
exit 0
fi


@@ -1,25 +0,0 @@
#tlsnotary server for testing <> gramine sgx (gramine1.7, g++13, libiomp off :()
### notaryserverbuilds.azurecr.io/prod/notary-sgx
FROM notaryserverbuilds.azurecr.io/prod/gramine AS teesdk
ARG TOOLCHAIN=1.81.0
ENV PATH=/root/.cargo/bin:/usr/local/musl/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
RUN set -eux \
&& curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain=$TOOLCHAIN \
&& rustup target add \
x86_64-unknown-linux-gnu
RUN apt update && apt install -y libssl-dev libclang-dev
ARG TLSN_TAG=dev
ARG TLSN_FT=tee_quote
RUN git clone --depth 1 -b $TLSN_TAG https://github.com/tlsnotary/tlsn /tlsn && \
cargo build --release --bin notary-server --features $TLSN_FT --color always --manifest-path /tlsn/Cargo.toml
RUN cd tlsn/crates/notary/server/tee && gramine-sgx-gen-private-key && SGX=1 make
FROM notaryserverbuilds.azurecr.io/prod/gramine AS teetime
WORKDIR /tee
COPY --from=teesdk tlsn/crates/notary/server/tee .
ENTRYPOINT ["gramine-sgx", "notary-server"]


@@ -1,63 +0,0 @@
# notary-server testing only
ROOT_DIR := $(dir $(realpath $(lastword $(MAKEFILE_LIST))))
ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine)
SELF_EXE = ./notary-server
.PHONY: all
all: $(SELF_EXE) notary-server.manifest
ifeq ($(SGX),1)
all: notary-server.manifest.sgx notary-server.sig
endif
ifeq ($(DEBUG),1)
GRAMINE_LOG_LEVEL = debug
else
GRAMINE_LOG_LEVEL = error
endif
# Note that we're compiling in release mode regardless of the DEBUG setting passed
# to Make, as compiling in debug mode results in an order of magnitude's difference in
# performance that makes testing by running a benchmark with ab painful. The primary goal
# of the DEBUG setting is to control Gramine's loglevel.
-include $(SELF_EXE).d # See also: .cargo/config.toml
$(SELF_EXE): $(ROOT_DIR)../Cargo.toml
cargo build --bin notary-server --release --features tee_quote
notary-server.manifest: notary-server.manifest.template
cp ../../../../target/release/notary-server . && \
gramine-manifest \
-Dlog_level=$(GRAMINE_LOG_LEVEL) \
-Darch_libdir=$(ARCH_LIBDIR) \
-Dself_exe=$(SELF_EXE) \
$< $@
# Make on Ubuntu <= 20.04 doesn't support "Rules with Grouped Targets" (`&:`),
# see the helloworld example for details on this workaround.
notary-server.manifest.sgx notary-server.sig: sgx_sign
@:
.INTERMEDIATE: sgx_sign
sgx_sign: notary-server.manifest $(SELF_EXE)
gramine-sgx-sign \
--manifest $< \
--output $<.sgx
ifeq ($(SGX),)
GRAMINE = gramine-direct
else
GRAMINE = gramine-sgx
endif
.PHONY: start-gramine-server
start-gramine-server: all
$(GRAMINE) notary-server
.PHONY: clean
clean:
$(RM) -rf *.token *.sig *.manifest.sgx *.manifest result-* OUTPUT
.PHONY: distclean
distclean: clean
$(RM) -rf $(SELF_EXE) Cargo.lock


@@ -1,21 +1,3 @@
#### gramine with intel SGX
```bash
SGX=1 make
```
```bash
SGX=1 make start-gramine-server
```
#### gramine emulating SGX
```
make
```
```
make start-gramine-server
```
#### generate measurement without SGX hardware
```
make
```
```
gramine-sgx-sigstruct-view --verbose --output-format=toml notary-server.sig
```
This folder contains the necessary files to build a Docker image for running the Notary Server on Intel SGX-enabled hardware.
The container is built as part of the CI pipeline. For details on the build process, refer to the [CI workflow configuration](../../../../.github/workflows/ci.yml).