-
Notifications
You must be signed in to change notification settings - Fork 42
/
Copy pathDockerfile.pdo-dev
233 lines (215 loc) · 9.85 KB
/
Dockerfile.pdo-dev
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
# Copyright 2017 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------------------------------------------------------------------
# Description:
# Builds the environment with all prerequistes needed to build Private Data Objects.
#
# Configuration (build) paramaters
# - ubuntu version to use: UBUNTU_VERSION (default: 18.04)
# - ubuntu name to use: UBUNTU_NAME (default: bionic)
# - sgx sdk/psw version: SGX (default: 2.15.1)
# - openssl version: OPENSSL (default: 1.1.1g)
# - sgxssl version: SGXSSL (default: 2.10_1.1.1g)
# - additional apt packages: ADD_APT_PKGS (default: )
# Build:
# $ docker build docker -f docker/Dockerfile.pdo-dev -t pdo-dev
# - if you want to build with different version than 18.04/bionic, say 20.04/focal,
# add --build-arg UBUNTU_VERSION=18.04 --build-arg UBUNTU_NAME=focal
# - if behind a proxy, make sure you've configured ~/.docker/config.json with your proxy setting
# and the docker daemon itself also has the proxy properly configured, for systemd based hosts
# like ubuntu see https://docs.docker.com/config/daemon/systemd/#httphttps-proxy
#
# Run:
# $ cd <directory where you checked out private-data-objects>
# $ docker run -it pdo-dev
# - to run with SGX HW, add options '--device=/dev/isgx -v /var/run/aesmd:/var/run/aesmd ')
# then you can build system as "usual", e.g., to build it as
# . /project/pdo/src/build/common-config.sh
# make -C /project/pdo/src/build/
# etc etc
# Note: your host SGX PSW runtime should be at a similar level than the one in the container
# or the PSW/aesmd might cause enclave launch problems
# - if behind a proxy, make sure you've configured ~/.docker/config.json with your proxy setting
# - if you want to debug with gdb and alike, you also might want to add options
# '--security-opt seccomp=unconfined --security-opt apparmor=unconfined --cap-add=SYS_PTRACE '
# - for develooping based on source in host you might map source into container with an option
# like -v $(pwd):/project/pdo/src/private-data-objects/
ARG UBUNTU_VERSION=20.04
ARG UBUNTU_NAME=focal
# NOTE:
# - unfortunately, we do need both name (for repo) and version (for sgx directories), only docker image supports both ..
# 18.04 <-> bionic, 20.04 <-> focal
# - right now, full sgx support exists only for bionic;
# xenial (16.04) has support only PSW but not SDK;
# support for focal is still in the making but hopefully will exist soon...
FROM ubuntu:${UBUNTU_VERSION}
# Dockerfile limitations force a repetition of global args
ARG UBUNTU_VERSION
ARG UBUNTU_NAME
ARG SGX=2.15.1
ARG OPENSSL=1.1.1g
ARG SGXSSL=2.10_1.1.1g
ARG ADD_APT_PKGS=
# Add necessary packages
# TODO(xenial): we need to manually install protobuf 3 as xenial has v2
# Note: ocamlbuild is required by PREREQ but does not exist for xenial. However, the relevant componets are part of 'ocaml' package, later ubuntu split up that package ...
RUN apt-get update \
&& DEBIAN_FRONTEND="noninteractive" \
# above makes sure any install of 'tzdata' or alike (as e.g., pulled in via ubuntu 20.04) does not hang ...
apt-get install -y -q\
autoconf \
automake \
build-essential \
ca-certificates \
cmake \
curl \
dh-autoreconf \
git \
gnupg \
libcurl4-openssl-dev \
liblmdb-dev \
libprotobuf-dev \
libsecp256k1-dev \
libssl-dev \
libtool \
tinyscheme \
make \
ocaml \
ocamlbuild \
pkg-config \
protobuf-compiler \
python \
python3-dev \
python3-venv \
python3-virtualenv \
software-properties-common \
swig \
tar \
unzip \
virtualenv \
wget \
xxd \
net-tools \
dnsutils \
$ADD_APT_PKGS \
&& apt-get -y -q upgrade \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \
# environment variables
# we keep all definitions in '/etc/profile.d/pdo.sh'. Alas, this is called only for login shells
# so add it at least to /etc/bash.bashrc. Nothing equivalent seems to exist for dash/sh, which is used
# during build, so in that case we will have to explicitly '. /etc/profile.d/pdo.sh'.
# NOTE: There seems to be _nothing_ which is guaranteed to be always called, e.g., /etc/environment
# also does not work as it is not always called
&& sed -i '1s;^;. /etc/profile.d/pdo.sh\n;' /etc/bash.bashrc
# Install SGX PSW packages
RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \
&& wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
&& apt-get update \
&& apt-get install -y \
# We do not need daemons like AESMD as we run them on host (side-steps also
# issues with config of /etc/aesmd.conf like proxy ..). Without this option
# aesmd and lots of other plugsin are automatically pulled in.
# See SGX Installation notes and, in particular, linux/installer/docker/Dockerfile
# in linux-sgx git repo of sdk/psw source.
--no-install-recommends \
# - dependencies
build-essential python \
# - sgx packages
# - runtime
libsgx-urts \
# (also pulls in libsgx-enclave-common)
# - basic architectural services, e.g., launch & attestation
# sgx-aesm-service (see above why commented out)
libsgx-uae-service
# Note:
# - above is "old" style from epid days. Since sdk 2.7 libsgx-uae-service is
# split into subpackages
# - launch service
# libsgx-launch
# - algorithm agnostic attestation service
# libsgx-quote-ex
# - EPID-based attestation service
# libsgx-epid
# - DCAP-based attesation service
# libsgx-dcap* ...
# correspondingly, also libsgx_uae_service.so and <sgx_uae_service.h>
# is split into corresponding smaller libraries and header-files to make
# integration with DCAP easier and minimize pulling in unnecessary dependencies
# Install SGX SDK
RUN mkdir -p /opt/intel
WORKDIR /opt/intel
RUN SGX_SDK_BIN_REPO=https://download.01.org/intel-sgx/sgx-linux/${SGX}/distro/ubuntu${UBUNTU_VERSION}-server \
&& SGX_SDK_BIN_FILE=$(cd /tmp; wget --spider --recursive --level=1 --no-parent ${SGX_SDK_BIN_REPO} 2>&1 | perl -ne 'if (m|'${SGX_SDK_BIN_REPO}'/(sgx_linux_x64_sdk.*)|) { print "$1\n"; }') \
&& wget -q ${SGX_SDK_BIN_REPO}/${SGX_SDK_BIN_FILE} \
&& chmod +x ${SGX_SDK_BIN_FILE} \
&& echo -e "no\n/opt/intel" | ./${SGX_SDK_BIN_FILE} \
&& rm ${SGX_SDK_BIN_FILE} \
&& echo ". /opt/intel/sgxsdk/environment" >> /etc/profile.d/pdo.sh
# LVI mitigations, needed to compile sgxssl, requires a
# recent version of binutils (>= 2.32). Ubuntu 18.04 only
# has 2.30 but Intel ships binary distro for 2.32.51.20190719
RUN [ "$UBUNTU_VERSION" = "20.04" ] \
&& SGX_SDK_BINUTILS_REPO=https://download.01.org/intel-sgx/sgx-linux/${SGX} \
&& SGX_SDK_BINUTILS_FILE=$(cd /tmp; wget --spider --recursive --level=1 --no-parent ${SGX_SDK_BINUTILS_REPO} 2>&1 | perl -ne 'if (m|'${SGX_SDK_BINUTILS_REPO}'/(as.ld.objdump.*)|) { print "$1\n"; }') \
&& wget -q ${SGX_SDK_BINUTILS_REPO}/${SGX_SDK_BINUTILS_FILE} \
&& mkdir sgxsdk.extras \
&& cd sgxsdk.extras \
&& tar -zxf ../${SGX_SDK_BINUTILS_FILE} \
&& rm ../${SGX_SDK_BINUTILS_FILE} \
&& echo "export PATH=/opt/intel/sgxsdk.extras/external/toolset/ubuntu${UBUNTU_VERSION}:${PATH}" >> /etc/profile.d/pdo.sh
# Note: above install file contains binutitls for all supported distros.
# So to same some space (~100m) & make smaller images one could delete
# all subdirectores other than ${UBUNTU_VERSION} ...
ENV PATH="/opt/intel/sgxsdk.extras/external/toolset/ubuntu${UBUNTU_VERSION}:${PATH}"
# SGXSSL
RUN git clone 'https://github.com/intel/intel-sgx-ssl.git' \
&& cd intel-sgx-ssl \
&& . /opt/intel/sgxsdk/environment \
&& git checkout lin_${SGXSSL} \
&& cd openssl_source \
&& wget -q https://www.openssl.org/source/openssl-${OPENSSL}.tar.gz \
&& cd ../Linux \
&& make SGX_MODE=SIM DESTDIR=/opt/intel/sgxssl all test \
&& make install \
&& make clean \
&& echo "export SGX_SSL=/opt/intel/sgxssl" >> /etc/profile.d/pdo.sh
# Install contract interpreter related stuff
# - tinyscheme
# Install Tinyscheme
RUN mkdir -p /opt/tinyscheme
WORKDIR /opt/tinyscheme
RUN wget -q https://downloads.sourceforge.net/project/tinyscheme/tinyscheme/tinyscheme-1.41/tinyscheme-1.41.zip \
&& unzip tinyscheme-1.41.zip \
&& rm tinyscheme-1.41.zip \
&& cd tinyscheme-1.41 \
&& make FEATURES='-DUSE_DL=1 -DUSE_PLIST=1'
# - get wasi sdk
RUN wget -q -P /tmp https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sdk_12.0_amd64.deb \
&& dpkg --install /tmp/wasi-sdk_12.0_amd64.deb
# environment setup as required by PDO
# Note
# - though this works though only for docker run, if you derive images from
# this one you might have to specify explicitly variables like PDO_HOME,
# PDO_ENCLAVE & SGX_MODE!
# - make sure /etc/environment is always included for bash
RUN \
mkdir -p /project/pdo \
&& echo "export PDO_INSTALL_ROOT=/project/pdo/build" >> /etc/profile.d/pdo.sh \
&& echo "export PDO_HOME=/project/pdo/build/opt/pdo" >> /etc/profile.d/pdo.sh \
&& echo "export PDO_ENCLAVE_CODE_SIGN_PEM=/project/pdo/enclave.pem" >> /etc/profile.d/pdo.sh \
&& openssl genrsa -3 3072 > /project/pdo/enclave.pem \
&& echo "if ([ -c /dev/isgx ] && [ -S /var/run/aesmd/aesm.socket ]); then export SGX_MODE=HW; else export SGX_MODE=SIM; fi;" >> /root/.bashrc
WORKDIR /project/pdo/
ENTRYPOINT ["/bin/bash"]