-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sample/quote: Add Makefile and README (#71)
Signed-off-by: Cedric Xing <[email protected]>
- Loading branch information
Showing
9 changed files
with
93 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| .acon/ | ||
| client/sampleclient | ||
| *.json | ||
| *.pem | ||
| *.cer |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| # Copyright © 2023 Intel Corporation | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| ACONCLI ?= aconcli | ||
| OPENSSL ?= openssl | ||
| DOCKER ?= docker | ||
| GO ?= go | ||
| SERVER ?= sampleserver | ||
|
|
||
| all: server.json client/sampleclient | ||
|
|
||
| server.json: server/Dockerfile signer.pem signer.cer | .acon/ | ||
| $(DOCKER) build -t $(SERVER) -f $< $(PWD)/../.. | ||
| $(ACONCLI) generate -i $(SERVER) $@ | ||
| $(ACONCLI) sign -k signer.pem -c signer.cer $@ | ||
|
|
||
| %.pem: | ||
| $(OPENSSL) ecparam -genkey -name secp384r1 -out $@ | ||
|
|
||
| %.cer: %.pem | ||
| $(OPENSSL) req -x509 -sha384 -key $< -out $@ -outform der -subj /CN=self-signed-$< | ||
|
|
||
| client/sampleclient: | ||
| CGO_ENABLED=0 $(GO) -C $(@D) build -v | ||
|
|
||
| .acon/: | ||
| $(ACONCLI) init | ||
|
|
||
| clean: | ||
| rm -rf .acon/ *.json *.pem *.cer | ||
| $(GO) -C client $@ | ||
| $(DOCKER) rmi -f $(SERVER) | ||
|
|
||
| .PHONY: all clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # Remote Attestation Sample Code | ||
|
|
||
| This directory contains sample source code to demonstrate how remote attestation works in ACON containers. More information on TDX remote attestation can be found at https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/TDX_Quoting_Library_API.pdf. | ||
|
|
||
| This sample is comprised of a server and a client that communicate with each other over TCP. The server is an ACON container that generates TDX quotes upon requests from the client, which is a command line application running in the host. | ||
|
|
||
| The client works with the server to retrieve a TD quote, along with the measurement logs and additional attestation data. It then verifies the quote, checks if RTMR values in the quote match those calculated from the measurement logs and if the server has attached the expected attestation data, and finally decodes/displays everything it receives. Additionally, the quote is written to `quote.bin`, while RTMR logs and report data are written to `quote.json`. | ||
|
|
||
| Simply type `make` to build both the server and the client. `docker`, `openssl`, and [`aconcli`](../../doc/GettingStarted.md#building-aconcli) are required in the build process. | ||
|
|
||
| Running the sample requires a TDX enabled platform. | ||
|
|
||
| - The server must be started first, by | ||
|
|
||
| ```sh | ||
| TCP_PORT=5555 ATD=1 ATD_TCPFWD=8080:8085 ATD_KERNEL=/path/to/vmlinuz ATD_RD=/path/to/initrd.img aconcli run -ni -c:$TCP_PORT server.json | ||
| ``` | ||
|
|
||
| **Note**: `TCP_PORT` and `ATD` could be substituted by whatever deemed appropriate by the user. `ATD_TCPFWD` specifies TCP port forwarding rules and **must** be set to `8080:8085` (to map TCP port `8080` on the host to `8085` on the guest) for the sample client to work. `ATD_KERNEL` and `ATD_RD` should be set to the file paths to the guest kernel and initrd image, respectively. | ||
|
|
||
| - Then the client can be started simply by | ||
|
|
||
| ```sh | ||
| client/sampleclient | ||
| ``` | ||
|
|
||
| **Note**: The `app` executable in the [client/](client/) directory is required for verifying the quote. It is built from the [quote verification sample code](https://github.com/intel-innersource/frameworks.security.confidential-computing.tee.dcap-trunk/tree/master/dcap_source/SampleCode/QuoteVerificationSample) of [DCAP](https://github.com/intel-innersource/frameworks.security.confidential-computing.tee.dcap-trunk) and is provided here for the users' convenience (so that DCAP wouldn't have to be built/installed for building this sample). |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,6 @@ | ||
| // Copyright © 2023 Intel Corporation | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| package main | ||
|
|
||
| import ( | ||
|
|
||
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Copyright © 2023 Intel Corporation | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| # | ||
| # This file is used by ../Makefile to build the sample server | ||
| # | ||
|
|
||
| FROM alpine:latest AS builder | ||
|
|
||
| RUN apk update && apk add g++ libc++-static | ||
| WORKDIR /work | ||
| COPY sdk/ samples/quote/server/ ./ | ||
| RUN c++ -std=c++14 -Os -static-pie -flto -Iinclude/ -Wl,--gc-sections,-s src/quote_server.cpp -o quote_server | ||
|
|
||
| FROM scratch | ||
|
|
||
| COPY --from=builder /work/quote_server / | ||
| ENTRYPOINT ["/quote_server"] |
3 changes: 3 additions & 0 deletions
3
samples/quote/container/src/quote_server.cpp → samples/quote/server/src/quote_server.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters