From 218576d8e979e3fd9b54d29d634be557e0ddc91a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20James=20Toussaint?=
Date: Wed, 31 Mar 2021 11:28:44 +0200
Subject: [PATCH 01/39] Python HelloWorld standard app can handle dataset with pretty filename
---
 cloud-computing/python-hello-world/src/app.py | 16 +++++-----------
 .../standard/asset/Lorem_ipsum.txt | 1 +
 cloud-computing/python-hello-world/standard/run | 3 ++-
 3 files changed, 8 insertions(+), 12 deletions(-)
 create mode 100644 cloud-computing/python-hello-world/standard/asset/Lorem_ipsum.txt
diff --git a/cloud-computing/python-hello-world/src/app.py b/cloud-computing/python-hello-world/src/app.py
index f5340e17..1b2522fe 100644
--- a/cloud-computing/python-hello-world/src/app.py
+++ b/cloud-computing/python-hello-world/src/app.py
@@ -5,6 +5,7 @@
 iexec_out = os.environ['IEXEC_OUT']
 iexec_in = os.environ['IEXEC_IN']
+dataset_file = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']
 # Do whatever you want
 text = "Hello, World!"
@@ -12,10 +13,10 @@
 text = 'Hello, {}!'.format(sys.argv[1])
 text = Figlet().renderText(text) + text # Let's add some art for e.g.
-# Eventually use some confidential assets
-if os.path.exists(iexec_in + '/confidential-asset.txt'):
-    with open(iexec_in + '/confidential-asset.txt', 'r') as f:
-        text = text + '\nConfidential asset: ' + f.read()
+# Eventually use a dataset (public with Standard mode and confidential with TEE mode)
+if os.path.exists(dataset_file):
+    with open(dataset_file, 'r') as f:
+        text = text + '\nDataset ({}): {}'.format(dataset_file, f.read())
 # Append some results
 with open(iexec_out + '/result.txt', 'w+') as f:
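Review bot: `dataset_file = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']` raises KeyError when no dataset is attached to the task, whereas the removed code tolerated a missing asset through `os.path.exists`; the same unguarded lookup is added to the offchain app at L5 and, at module level, to the Kaiko app at L6, where it fails at import time. A tolerant form is `dataset_filename = os.environ.get('IEXEC_DATASET_FILENAME')` followed by `dataset_file = os.path.join(iexec_in, dataset_filename) if dataset_filename else None`, with the `if` below testing for `None` first. The filename is also taken straight from the environment and used as a path segment, so if that variable is not fully trusted in a given deployment a value containing `..` resolves outside IEXEC_IN; checking that `os.path.realpath(dataset_file)` stays under `os.path.realpath(iexec_in)` (via `os.path.commonpath`) before opening keeps the read inside the input directory, and the same applies to the per-input-file names added at L17.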
@@ -25,10 +26,3 @@ # Declare everything is computed with open(iexec_out + '/computed.json', 'w+') as f: json.dump({ "deterministic-output-path" : iexec_out + '/result.txt' }, f) - -## Try: -# Basic: -# mkdir -p /tmp/iexec_out && IEXEC_OUT=/tmp/iexec_out IEXEC_IN=/tmp/iexec_in python3 app.py Alice -# -# Tee: -# mkdir -p /tmp/iexec_out && IEXEC_OUT=/tmp/iexec_out IEXEC_IN=../tee/confidential-assets python3 app.py Alice diff --git a/cloud-computing/python-hello-world/standard/asset/Lorem_ipsum.txt b/cloud-computing/python-hello-world/standard/asset/Lorem_ipsum.txt new file mode 100644 index 00000000..1b376877 --- /dev/null +++ b/cloud-computing/python-hello-world/standard/asset/Lorem_ipsum.txt @@ -0,0 +1 @@ +Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. diff --git a/cloud-computing/python-hello-world/standard/run b/cloud-computing/python-hello-world/standard/run index b22f8443..58c8e958 100755 --- a/cloud-computing/python-hello-world/standard/run +++ b/cloud-computing/python-hello-world/standard/run @@ -6,7 +6,8 @@ IEXEC_OUT=/tmp/iexec_out rm -rf $IEXEC_OUT mkdir -p $IEXEC_OUT -docker run --rm -e IEXEC_OUT=/iexec_out -e IEXEC_IN=/iexec_in -v /tmp/iexec_out:/iexec_out python-hello-world $@ + +docker run --rm -e IEXEC_OUT=/iexec_out -e IEXEC_IN=/iexec_in -e IEXEC_DATASET_FILENAME=Lorem_ipsum.txt -v $IEXEC_OUT:/iexec_out -v $(pwd)/asset:/iexec_in python-hello-world $@ echo find $IEXEC_OUT From fd3fe342145d579235b3a82e2caeba713f47157e Mon Sep 17 00:00:00 2001 
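Review bot: The new `docker run` line mounts the host asset directory read-write with `-v $(pwd)/asset:/iexec_in` although the app only reads from IEXEC_IN; appending `:ro` (`-v "$(pwd)/asset:/iexec_in:ro"`) keeps a bug in the container from altering the host copy of the dataset. `$IEXEC_OUT`, `$(pwd)` and `$@` are also unquoted, so a working directory containing spaces splits the arguments; `"$IEXEC_OUT:/iexec_out"` and `"$@"` are the safe forms. The same points apply to the expanded run scripts at L20 and L21.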
From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Fri, 2 Apr 2021 18:13:49 +0200 Subject: [PATCH 02/39] Rebuild TEE image for v6 --- cloud-computing/python-hello-world/tee/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud-computing/python-hello-world/tee/Dockerfile b/cloud-computing/python-hello-world/tee/Dockerfile index 78810fa0..d149cefa 100644 --- a/cloud-computing/python-hello-world/tee/Dockerfile +++ b/cloud-computing/python-hello-world/tee/Dockerfile @@ -1,4 +1,4 @@ -FROM sconecuratedimages/public-apps:python-3.7.3-alpine3.10-scone3.0 +FROM nexus.iex.ec/sconecuratedimages-public-apps:python-3.7.3-alpine3.10-scone3.0 ### install python3 dependencies you need RUN SCONE_MODE=sim pip3 install pyfiglet From e90f4c57a4867b99f6df3fca14e030b5ef1e3dd9 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Wed, 7 Apr 2021 09:56:38 +0200 Subject: [PATCH 03/39] Upgrade app to v6 --- cloud-computing/nodejs-hello-world/src/app.js | 7 ++++--- cloud-computing/python-hello-world/src/app.py | 8 ++++---- .../offchain-python-hello-world/src/app.py | 7 ++++--- .../offchain-tee-kaiko-pricefeed/src/app.py | 11 +++++++++-- 4 files changed, 21 insertions(+), 12 deletions(-) diff --git a/cloud-computing/nodejs-hello-world/src/app.js b/cloud-computing/nodejs-hello-world/src/app.js index 9c60c945..1ba16d55 100644 --- a/cloud-computing/nodejs-hello-world/src/app.js +++ b/cloud-computing/nodejs-hello-world/src/app.js @@ -3,7 +3,8 @@ const figlet = require('figlet'); const iexecOut = process.env.IEXEC_OUT; const iexecIn = process.env.IEXEC_IN; -const confidentialFilepath = `${iexecIn}/confidential-asset.txt`; +const datasetFilename = process.env.IEXEC_DATASET_FILENAME; +const datasetFilepath = `${iexecIn}/${datasetFilename}`; (async () => { try { 
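Review bot: `FROM nexus.iex.ec/sconecuratedimages-public-apps:python-3.7.3-alpine3.10-scone3.0` references the TEE base image by a mutable tag, so the enclave measurement derived from a rebuild can change whenever that tag is re-pushed, and the move to what looks like a private registry means anyone rebuilding the sample needs credentials the Dockerfile does not mention. Pinning by digest, `FROM nexus.iex.ec/sconecuratedimages-public-apps:python-3.7.3-alpine3.10-scone3.0@sha256:<digest>`, makes the build reproducible. The `COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine` lines at L7 and the untagged `FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers` at L11 have the same issue.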
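Review bot: `const datasetFilename = process.env.IEXEC_DATASET_FILENAME;` is `undefined` when no dataset is attached, so `datasetFilepath` becomes the literal `<iexecIn>/undefined`; the later readFile fails and is swallowed by the catch in the next hunk, so the task still completes, but the path carried in that error is misleading. Building the path only when the variable is set, e.g. `const datasetFilepath = datasetFilename ? iexecIn + '/' + datasetFilename : null;`, and skipping the read when it is null states the intent. The async IIFE opened at the end of this hunk continues past it.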
@@ -13,8 +14,8 @@ const confidentialFilepath = `${iexecIn}/confidential-asset.txt`;
 // Eventually use some confidential assets
 try {
-    const confidentialFile = await fsPromises.readFile(confidentialFilepath);
-    text = `${text}\nConfidential asset: ${confidentialFile}`;
+    const datasetContent = await fsPromises.readFile(datasetFilepath);
+    text = `${text}\nDataset (${datasetFilepath}): ${datasetContent}`;
 } catch (e) {
 // confidential asset does not exist
 }
diff --git a/cloud-computing/python-hello-world/src/app.py b/cloud-computing/python-hello-world/src/app.py
index 1b2522fe..d3674bb3 100644
--- a/cloud-computing/python-hello-world/src/app.py
+++ b/cloud-computing/python-hello-world/src/app.py
@@ -5,7 +5,7 @@
 iexec_out = os.environ['IEXEC_OUT']
 iexec_in = os.environ['IEXEC_IN']
-dataset_file = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']
+dataset_filepath = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']
 # Do whatever you want
 text = "Hello, World!"
@@ -14,9 +14,9 @@
 text = Figlet().renderText(text) + text # Let's add some art for e.g.
 # Eventually use a dataset (public with Standard mode and confidential with TEE mode)
-if os.path.exists(dataset_file):
-    with open(dataset_file, 'r') as f:
-        text = text + '\nDataset ({}): {}'.format(dataset_file, f.read())
+if os.path.isfile(dataset_filepath):
+    with open(dataset_filepath, 'r') as f:
+        text = text + '\nDataset ({}): {}'.format(dataset_filepath, f.read())
 # Append some results
 with open(iexec_out + '/result.txt', 'w+') as f:
diff --git a/offchain-computing/offchain-python-hello-world/src/app.py b/offchain-computing/offchain-python-hello-world/src/app.py
index c2572ef7..54c53957 100644
--- a/offchain-computing/offchain-python-hello-world/src/app.py
+++ b/offchain-computing/offchain-python-hello-world/src/app.py
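Review bot: The `catch (e)` block keeps the comment `// confidential asset does not exist` and swallows every error, so a permission problem or a directory at `datasetFilepath` is indistinguishable from "no dataset attached". Rethrowing anything other than a missing file, `if (e.code !== 'ENOENT') throw e;`, and updating the comment to `// no dataset attached to this task` keeps real failures visible. The try/catch sits inside an async IIFE that starts before this hunk.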
@@ -5,6 +5,7 @@
 iexec_out = os.environ['IEXEC_OUT']
 iexec_in = os.environ['IEXEC_IN']
+dataset_filepath = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']
 # Do whatever you want
 data = "Hello, World!"
@@ -12,9 +13,9 @@
 data = 'Hello, {}!'.format(sys.argv[1])
 # Eventually use some confidential assets
-if os.path.exists(iexec_in + '/confidential-asset.txt'):
-    with open(iexec_in + '/confidential-asset.txt', 'r') as f:
-        print('Confidential asset: ' + f.read())
+if os.path.isfile(dataset_filepath):
+    with open(dataset_filepath, 'r') as f:
+        print('Dataset ({}): {}'.format(dataset_filepath, f.read()))
 # Send callback data to smart-contract
 callback_data = eth_abi.encode_abi([ 'string'], [ data ]).hex()
diff --git a/offchain-computing/offchain-tee-kaiko-pricefeed/src/app.py b/offchain-computing/offchain-tee-kaiko-pricefeed/src/app.py
index 0bd05fc3..e75b6994 100644
--- a/offchain-computing/offchain-tee-kaiko-pricefeed/src/app.py
+++ b/offchain-computing/offchain-tee-kaiko-pricefeed/src/app.py
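Review bot: The context comment `# Eventually use some confidential assets` above the new `if os.path.isfile(dataset_filepath):` block is now stale, since the dataset is public in standard mode; the python-hello-world version of this change at L1 already reads `# Eventually use a dataset (public with Standard mode and confidential with TEE mode)` and this file should match it. Note also that `print('Dataset ({}): {}'.format(dataset_filepath, f.read()))` writes the whole dataset to stdout, which is captured in the task log; in TEE mode that undoes the confidentiality the comment refers to, so printing a length or a fixed marker instead of the content is the safer demonstration.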
@@ -7,27 +7,32 @@
 iexec_out = os.environ['IEXEC_OUT']
 iexec_in = os.environ['IEXEC_IN']
+dataset_filepath = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']
 class Lib:
+    @staticmethod
 def parseValue(rawValue, ethType, power):
 if re.search('^u?int[0-9]*$', ethType):
 return round(float(rawValue) * 10 ** int(power))
 else:
 return rawValue
+    @staticmethod
 def formatArgs(args):
 return '&'.join('{}={}'.format(k,v) for k,v in args.items())
+    @staticmethod
 def getAPIKey():
 try:
-            with open(iexec_in + '/' + 'key.txt', 'r') as dataset_file:
+            with open(dataset_filepath, 'r') as dataset_file:
 apiKey = dataset_file.read().strip()
 if not re.search('^[0-9a-zA-Z]{1,128}$', apiKey):
 raise Exception('Invalid API key')
 return apiKey
-        except FileNotFoundError:
+        except (FileNotFoundError, IsADirectoryError):
 raise Exception('Missing API key dataset')
+    @staticmethod
 def fetchMarketData(region, endpoint, params):
 print('Request https://{region}.market-api.kaiko.io/v1/data/trades.v1/{endpoint}?{params}'.format(
 region = region,
@@ -51,6 +56,7 @@ def fetchMarketData(region, endpoint, params):
 )
 class PriceFeed:
+    @staticmethod
 def fetchRate(baseAsset, quoteAsset):
 return Lib.fetchMarketData(
 'us',
@@ -61,6 +67,7 @@ def fetchRate(baseAsset, quoteAsset):
 })
 )
+    @staticmethod
 def run(baseAsset, quoteAsset, power):
 response = PriceFeed.fetchRate(
 baseAsset = baseAsset,
From 2ff22446229896cb87d13dcc02f221379d5f96c4 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 7 Apr 2021 11:02:05 +0200
Subject: [PATCH 04/39] Build TEE v6 images
---
 cloud-computing/nodejs-hello-world/tee/Dockerfile | 5 +++++
 cloud-computing/python-hello-world/tee/Dockerfile | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/cloud-computing/nodejs-hello-world/tee/Dockerfile b/cloud-computing/nodejs-hello-world/tee/Dockerfile
index 6369287f..b4c75627 100644
--- a/cloud-computing/nodejs-hello-world/tee/Dockerfile
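Review bot: `except (FileNotFoundError, IsADirectoryError): raise Exception('Missing API key dataset')` still lets a PermissionError on the dataset file escape as a raw traceback, and the re-raise drops the original cause from what the caller sees; catching `OSError as e` and chaining with `raise Exception('Missing API key dataset') from e` keeps the diagnostic while presenting one error type. `dataset_filepath` is now computed at import time, so the module cannot even be imported when IEXEC_DATASET_FILENAME is absent (see the note at L1). In `fetchMarketData` the full request URL including `{params}` is printed; if the API key read by `getAPIKey` travels in `params` (not visible in this hunk), it lands in the task's stdout, so log only the endpoint or redact the key. Both `Lib` and `fetchMarketData` continue beyond the hunk.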
+++ b/cloud-computing/nodejs-hello-world/tee/Dockerfile @@ -1,5 +1,10 @@ FROM sconecuratedimages/public-apps:node-10-alpine-scone3.0 +# TODO change this to public registry +COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine /opt/scone/scone-cli /opt/scone/scone-cli +COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine /usr/local/bin/scone /usr/local/bin/scone +COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine /opt/scone/bin /opt/scone/bin + ### install dependencies you need RUN apk add bash nodejs-npm RUN mkdir /app && cd /app && SCONE_MODE=sim npm install figlet@1.x diff --git a/cloud-computing/python-hello-world/tee/Dockerfile b/cloud-computing/python-hello-world/tee/Dockerfile index d149cefa..78810fa0 100644 --- a/cloud-computing/python-hello-world/tee/Dockerfile +++ b/cloud-computing/python-hello-world/tee/Dockerfile @@ -1,4 +1,4 @@ -FROM nexus.iex.ec/sconecuratedimages-public-apps:python-3.7.3-alpine3.10-scone3.0 +FROM sconecuratedimages/public-apps:python-3.7.3-alpine3.10-scone3.0 ### install python3 dependencies you need RUN SCONE_MODE=sim pip3 install pyfiglet From 9aff1d90c6588b4de5f9da9259c6c6e6677c8f23 Mon Sep 17 00:00:00 2001 
From: Ubuntu Date: Fri, 16 Apr 2021 05:58:02 +0000 Subject: [PATCH 05/39] Add Go hello world app --- .../resources/run/docker-compose.yml | 33 +++++++++ .../resources/run/run-scone-app | 18 +++++ .../go-hello-world/resources/run/session.yml | 31 +++++++++ .../go-hello-world/src/helloworld.go | 42 ++++++++++++ cloud-computing/go-hello-world/tee/Dockerfile | 15 +++++ cloud-computing/go-hello-world/tee/build | 3 + .../confidential-asset.txt | 1 + .../go-hello-world/tee/protect-fs.sh | 67 +++++++++++++++++++ 8 files changed, 210 insertions(+) create mode 100644 cloud-computing/go-hello-world/resources/run/docker-compose.yml create mode 100644 cloud-computing/go-hello-world/resources/run/run-scone-app create mode 100644 cloud-computing/go-hello-world/resources/run/session.yml create mode 100644 cloud-computing/go-hello-world/src/helloworld.go create mode 100644 cloud-computing/go-hello-world/tee/Dockerfile create mode 100755 cloud-computing/go-hello-world/tee/build create mode 100644 cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt create mode 100644 cloud-computing/go-hello-world/tee/protect-fs.sh diff --git a/cloud-computing/go-hello-world/resources/run/docker-compose.yml b/cloud-computing/go-hello-world/resources/run/docker-compose.yml new file mode 100644 index 00000000..331afc77 --- /dev/null +++ b/cloud-computing/go-hello-world/resources/run/docker-compose.yml 
@@ -0,0 +1,33 @@ +version: '3.2' +networks: + scone-net: + external: true + +services: + las: + image: registry.scontain.com:5050/sconecuratedimages/services:las-scone5.3.0 + container_name: las + devices: + - /dev/isgx + networks: + - scone-net + cas: + image: registry.scontain.com:5050/sconecuratedimages/services:cas.preprovisioned-scone5.2.1 + container_name: cas + devices: + - /dev/isgx + depends_on: + - las + networks: + - scone-net + scone-cli: + image: registry.scontain.com:5050/sconecuratedimages/sconecli:sconify-image-scone5.3.0 + container_name: scone-cli + command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification" + volumes: + - ./session.yml:/session.yml + depends_on: + - las + - cas + networks: + - scone-net diff --git a/cloud-computing/go-hello-world/resources/run/run-scone-app b/cloud-computing/go-hello-world/resources/run/run-scone-app new file mode 100644 index 00000000..f076d16f --- /dev/null +++ b/cloud-computing/go-hello-world/resources/run/run-scone-app @@ -0,0 +1,18 @@ +#!/bin/bash + +### TODO on each build: update mrenclave in session + +#cd $(dirname $0) + +docker-compose down > /dev/null +docker network create scone-net > /dev/null +echo "Starting CAS & LAS:" +docker-compose up -d +sleep 5 + +MY_SCONE_APP=tee-go-hello-world +echo "Starting $MY_SCONE_APP" +docker run --rm --network=scone-net --name=my-scone-app --device=/dev/isgx -e SCONE_VERSION=1 -e SCONE_CAS_ADDR="cas" -e SCONE_LAS_ADDR="las" -e SCONE_CONFIG_ID="1/service" $MY_SCONE_APP + +docker-compose down +docker network rm scone-net diff --git a/cloud-computing/go-hello-world/resources/run/session.yml b/cloud-computing/go-hello-world/resources/run/session.yml new file mode 100644 index 00000000..18c59e36 --- /dev/null +++ b/cloud-computing/go-hello-world/resources/run/session.yml 
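Review bot: The scone-cli service creates the session with `--only_for_testing-disable-attestation-verification`, which skips verification of the CAS attestation, so a session created this way says nothing about which CAS it was registered with; that is fine for the local sample but deserves a comment next to `command:` such as `# local testing only: CAS attestation is not verified here; never reuse this command for a production session`. The `las-scone5.3.0` and `cas.preprovisioned-scone5.2.1` images are also pulled by mutable tag; a digest would make the test environment reproducible.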
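Review bot: `#cd $(dirname $0)` is commented out while `docker-compose up -d` and the `./session.yml` volume it references are resolved relative to the caller's working directory, so the script only works when started from resources/run; either restore the cd or add `set -e` plus a one-line usage comment. The `### TODO on each build: update mrenclave in session` header documents a manual step that silently breaks attestation when forgotten, since session.yml at L10 hard-codes a single value under `mrenclaves:`; the two `> /dev/null` redirections also hide the errors that would reveal a stale network or compose state.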
@@ -0,0 +1,31 @@ +name: 1 +version: "0.3" + +# Access control: +# - only the data owner (CREATOR) can read or update the session +# - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session + +access_policy: + read: + - CREATOR + update: + - CREATOR + +services: + - name: go-hello-world + image_name: tee-go-hello-world + mrenclaves: [d4906280593115769efef9f46f6b237bc20c338edfcbbf8d2939d58aa76e0e16] + command: "/app/helloworld" + environment: + SCONE_MODE: hw +# JAVA_TOOL_OPTIONS: "-Xmx256m" +# LD_LIBRARY_PATH: "/usr/lib/jvm/java-11-openjdk/lib/server:/usr/lib/jvm/java-11-openjdk/lib:/usr/lib/jvm/java-11-openjdk/../lib" +# pwd: / + +images: + - name: service_image + +security: + attestation: + tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode] + ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"] diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go new file mode 100644 index 00000000..a6071e6d --- /dev/null +++ b/cloud-computing/go-hello-world/src/helloworld.go 
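Review bot: `tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]` together with the four entries under `ignore_advisories` accepts an enclave running in debug mode on an unpatched platform, which removes most of what remote attestation is meant to guarantee; acceptable for a local sample, but the file should say so next to `security:`, e.g. `# dev-only attestation policy: debug-mode and outdated-tcb are tolerated so this runs on a simulator or unpatched box; tighten before any real deployment`. The access_policy comment above is a good model; a matching one-line note on `mrenclaves:` stating that the value must be regenerated on every build (as run-scone-app's TODO says) would keep the two files consistent.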
@@ -0,0 +1,42 @@
+package main
+
+// import the 2 modules we need
+import (
+    "os"
+    "fmt"
+    "io/ioutil"
+    "log"
+)
+
+func main() {
+    iexec_out := os.Getenv("IEXEC_OUT")
+    iexec_in := os.Getenv("IEXEC_IN")
+
+    // read in the contents of the localfile.data
+    input, err := ioutil.ReadFile(iexec_in + "/input.txt")
+    // if our program was unable to read the file
+    // print out the reason why it can't
+    if err != nil {
+        fmt.Println(err)
+    }
+
+    // if it was successful in reading the file then
+    // print out the contents as a string
+    fmt.Print(string(input))
+
+    // Append some results
+    err = ioutil.WriteFile(iexec_out + "/result.txt", input, 0)
+    if err != nil {
+        log.Fatal(err)
+    }
+
+    // Declare everything is computed
+    //{"deterministic-output-path": "app/returnResultJson.json"}
+    dataString := "{\"deterministic-output-path\": \"" + iexec_out + "/result.txt\"}"
+    dataBytes := []byte(dataString)
+    err = ioutil.WriteFile(iexec_out + "/computed.json", dataBytes, 0)
+    if err != nil {
+        log.Fatal(err)
+    }
+
+}
diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile
new file mode 100644
index 00000000..4af39c10
--- /dev/null
+++ b/cloud-computing/go-hello-world/tee/Dockerfile
@@ -0,0 +1,15 @@
+FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers
+
+RUN mkdir /app
+COPY ./src /app
+
+RUN apk update
+RUN apk add go git curl
+ENV SCONE_HEAP=1G
+RUN go build -o /app/helloworld -compiler gccgo -buildmode=exe -gccgoflags -g /app/helloworld.go
+
+### protect file system with Scone with old procedure
+#COPY ./protect-fs.sh ./Dockerfile /build/
+#RUN sh /build/protect-fs.sh /app
+
+ENTRYPOINT ["/app/helloworld"]
diff --git a/cloud-computing/go-hello-world/tee/build b/cloud-computing/go-hello-world/tee/build
new file mode 100755
index 00000000..31677ecb
--- /dev/null
+++ b/cloud-computing/go-hello-world/tee/build
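Review bot: When `ioutil.ReadFile` fails, `main` prints the error and falls through, so `input` is nil and an empty result.txt plus a computed.json are still written with exit status 0, reporting a successful task that produced no output; `log.Fatal(err)` there, as the two write paths already do, keeps the failure visible. Both `ioutil.WriteFile(..., 0)` calls create the files with mode 0000, which only works because the process runs as root; `0644` (or `0600` if the result is sensitive) is the conventional value. The comment `// import the 2 modules we need` is stale for four imports and `// read in the contents of the localfile.data` names a file that is not read; `// read the input file from IEXEC_IN` fits the code.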
@@ -0,0 +1,3 @@ +#!/bin/sh +#cd $(dirname $0) +docker image build -f ../tee/Dockerfile -t tee-go-hello-world .. $@ diff --git a/cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt b/cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt new file mode 100644 index 00000000..96426db1 --- /dev/null +++ b/cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt @@ -0,0 +1 @@ +dummy confidential file diff --git a/cloud-computing/go-hello-world/tee/protect-fs.sh b/cloud-computing/go-hello-world/tee/protect-fs.sh new file mode 100644 index 00000000..8a4b5445 --- /dev/null +++ b/cloud-computing/go-hello-world/tee/protect-fs.sh 
@@ -0,0 +1,67 @@ +#!/bin/sh + +cd $(dirname $0) + +if [ ! -e Dockerfile ] +then + printf "\nFailed to parse Dockerfile ENTRYPOINT\n" + printf "Did you forget to add your Dockerfile in your build?\n" + printf "COPY ./tee/Dockerfile /build/\n\n" + exit 1 +fi + +ENTRYPOINT_ARSG=$(grep ENTRYPOINT ./Dockerfile | tail -1 | grep -o '"[^"]\+"' | tr -d '"') +echo $ENTRYPOINT_ARSG > ./entrypoint + +if [ -z "$ENTRYPOINT_ARSG" ] +then + printf "\nFailed to parse Dockerfile ENTRYPOINT\n" + printf "Did you forget to add an ENTRYPOINT to your Dockerfile?\n" + printf "ENTRYPOINT [\"executable\", \"param1\", \"param2\"]\n\n" + exit 1 +fi + +#INTERPRETER=$(awk '{print $1}' ./entrypoint) # node or python +ENTRYPOINT=$(cat ./entrypoint) # `node /app/app.js` or `python /app/app.py` + +export SCONE_MODE=sim +export SCONE_HEAP=1G + +APP_FOLDER=$1 + +printf "\n### Starting file system protection ...\n\n" + +scone fspf create /fspf.pb +scone fspf addr /fspf.pb / --not-protected --kernel / +scone fspf addr /fspf.pb /usr --authenticated --kernel /usr +scone fspf addf /fspf.pb /usr /usr +scone fspf addr /fspf.pb /bin --authenticated --kernel /bin +scone fspf addf /fspf.pb /bin /bin +scone fspf addr /fspf.pb /lib --authenticated --kernel /lib +scone fspf addf /fspf.pb /lib /lib +scone fspf addr /fspf.pb /etc/ssl --authenticated --kernel /etc/ssl +scone fspf addf /fspf.pb /etc/ssl /etc/ssl +scone fspf addr /fspf.pb /sbin --authenticated --kernel /sbin +scone fspf addf /fspf.pb /sbin /sbin +#scone fspf addr /fspf.pb /samples --authenticated --kernel /samples +#scone fspf addf /fspf.pb /samples /samples +printf "\n### Protecting code found in folder \"$APP_FOLDER\"\n\n" +scone fspf addr /fspf.pb $APP_FOLDER --authenticated --kernel $APP_FOLDER +scone fspf addf /fspf.pb $APP_FOLDER $APP_FOLDER + +scone fspf encrypt /fspf.pb > ./keytag + +MRENCLAVE="$(SCONE_HEAP=1G SCONE_HASH=1 $ENTRYPOINT)" +FSPF_TAG=$(cat ./keytag | awk '{print $9}') +FSPF_KEY=$(cat ./keytag | awk '{print $11}') 
+FINGERPRINT="$FSPF_KEY|$FSPF_TAG|$MRENCLAVE|$ENTRYPOINT" +echo $FINGERPRINT > ./fingerprint + +printf "\n\n" +printf "Your application fingerprint (mrenclave) is ready:\n" +printf "#####################################################################\n" +printf "iexec.json:\n\n" +printf "%s\n" "\"app\": { " " \"owner\" : ... " " \"name\": ... " " ..." " \"mrenclave\": \"$FINGERPRINT\"" "}" +printf "#####################################################################\n" +printf "Hint: Replace 'mrenclave' before doing 'iexec app deploy' step.\n" +printf "\n\n" From c4cf54dd0106c827d814471a536843cbee62e0b8 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Tue, 27 Apr 2021 15:34:56 +0000 Subject: [PATCH 06/39] update protect-fs procedure --- cloud-computing/go-hello-world/src/helloworld.go | 7 ++++--- cloud-computing/go-hello-world/tee/Dockerfile | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index a6071e6d..98491900 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go @@ -11,9 +11,10 @@ import ( func main() { iexec_out := os.Getenv("IEXEC_OUT") iexec_in := os.Getenv("IEXEC_IN") + dataset := os.Getenv("IEXEC_DATASET_FILENAME") // read in the contents of the localfile.data - input, err := ioutil.ReadFile(iexec_in + "/input.txt") + input, err := ioutil.ReadFile(iexec_in + "/" + dataset) // if our program was unable to read the file // print out the reason why it can't if err != nil { 
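Review bot: `scone fspf encrypt /fspf.pb > ./keytag` and `echo $FINGERPRINT > ./fingerprint` leave the file-system protection key (`FSPF_KEY`) on disk in the build directory, and since patch 06's Dockerfile at L15 runs this script with `RUN sh /build/protect-fs.sh /app`, both files (and `./entrypoint`) end up in an image layer that is distributed with the image. If the key is meant to leave the build only through iexec.json as the closing printf suggests, delete the work files at the end, `rm -f ./keytag ./fingerprint ./entrypoint`; if the key is intentionally public in this workflow, say so in a comment so the next maintainer does not treat it as a leak. Separately, the first guard (`if [ ! -e Dockerfile ]`) prints `Failed to parse Dockerfile ENTRYPOINT`, a copy of the second guard's message; it should read `Dockerfile not found`.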
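Review bot: `dataset := os.Getenv("IEXEC_DATASET_FILENAME")` is the empty string when no dataset is attached, so `ioutil.ReadFile(iexec_in + "/" + dataset)` attempts to read the IEXEC_IN directory itself, and the `if err != nil` branch that follows (continuing past this hunk) prints and carries on with nil input. Checking `if dataset == ""` up front and building the path with `filepath.Join(iexec_in, dataset)` makes the absent-dataset case explicit; `path/filepath` is not among the current imports and would need adding. The stale `// read in the contents of the localfile.data` comment could become `// read the dataset file named by IEXEC_DATASET_FILENAME`.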
@@ -23,13 +24,13 @@ func main() { // if it was successful in reading the file then // print out the contents as a string fmt.Print(string(input)) - + // Append some results err = ioutil.WriteFile(iexec_out + "/result.txt", input, 0) if err != nil { log.Fatal(err) } - + // Declare everything is computed //{"deterministic-output-path": "app/returnResultJson.json"} dataString := "{\"deterministic-output-path\": \"" + iexec_out + "/result.txt\"}" diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile index 4af39c10..77d017e8 100644 --- a/cloud-computing/go-hello-world/tee/Dockerfile +++ b/cloud-computing/go-hello-world/tee/Dockerfile @@ -1,7 +1,7 @@ FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers RUN mkdir /app -COPY ./src /app +COPY ./src /app/ RUN apk update RUN apk add go git curl @@ -9,7 +9,7 @@ ENV SCONE_HEAP=1G RUN go build -o /app/helloworld -compiler gccgo -buildmode=exe -gccgoflags -g /app/helloworld.go ### protect file system with Scone with old procedure -#COPY ./protect-fs.sh ./Dockerfile /build/ -#RUN sh /build/protect-fs.sh /app +COPY ./tee/protect-fs.sh ./tee/Dockerfile /build/ +RUN sh /build/protect-fs.sh /app ENTRYPOINT ["/app/helloworld"] From e01847678047042312035c41076c9e0aec7574ad Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Tue, 27 Apr 2021 19:30:01 +0200 Subject: [PATCH 07/39] Refactor python code and add input files --- cloud-computing/python-hello-world/src/app.py | 99 ++++++++++++++----- 1 file changed, 76 insertions(+), 23 deletions(-) diff --git a/cloud-computing/python-hello-world/src/app.py b/cloud-computing/python-hello-world/src/app.py index d3674bb3..f0bcf9f9 100644 --- a/cloud-computing/python-hello-world/src/app.py +++ b/cloud-computing/python-hello-world/src/app.py 
@@ -3,26 +3,79 @@
 import json
 from pyfiglet import Figlet
-iexec_out = os.environ['IEXEC_OUT']
-iexec_in = os.environ['IEXEC_IN']
-dataset_filepath = iexec_in + '/' + os.environ['IEXEC_DATASET_FILENAME']
-
-# Do whatever you want
-text = "Hello, World!"
-if len(sys.argv) > 1:
-    text = 'Hello, {}!'.format(sys.argv[1])
-text = Figlet().renderText(text) + text # Let's add some art for e.g.
-
-# Eventually use a dataset (public with Standard mode and confidential with TEE mode)
-if os.path.isfile(dataset_filepath):
-    with open(dataset_filepath, 'r') as f:
-        text = text + '\nDataset ({}): {}'.format(dataset_filepath, f.read())
-
-# Append some results
-with open(iexec_out + '/result.txt', 'w+') as f:
-    f.write(text)
-    print(text)
-
-# Declare everything is computed
-with open(iexec_out + '/computed.json', 'w+') as f:
-    json.dump({ "deterministic-output-path" : iexec_out + '/result.txt' }, f)
+
+def do_some_computation():
+    """
+    This function simulates some computation in an iExec application. Script
+    arguments (if provided) are accessible via "sys.argv" array. In this case,
+    if the first argument is present, it is used in the greeting message.
+    """
+    name = sys.argv[1] if len(sys.argv) > 1 else "World"
+    greeting = f'Hello, {name}!'
+    # Let's add some art for e.g.
+    art = Figlet().renderText(greeting)
+    return f'{art}\n{greeting}'
+
+
+def handle_dataset():
+    """
+    This function shows how to read a dataset file from an iExec application.
+    Datasets are public in standard mode and confidential in TEE mode.
+    The dataset location and filename are needed to be able to read it. Both
+    of which are provided in the following environment variables:
+    - IEXEC_IN: the path to the folder where the dataset is located.
+    - IEXEC_DATASET_FILENAME: the name of the dataset file.
+    """
+    iexec_in = os.environ['IEXEC_IN']
+    dataset_filename = os.environ['IEXEC_DATASET_FILENAME']
+    dataset_filepath = iexec_in + '/' + dataset_filename
+    text = f'Dataset ({dataset_filepath}): '
+    if os.path.isfile(dataset_filepath):
+        with open(dataset_filepath) as f:
+            text = text + f.read()
+    return text
+
+
+def handle_input_files():
+    """
+    This function demonstrates how to use input files in an iExec application.
+    The following environment variables are used:
+    - IEXEC_IN: the path to the folder where input files are located.
+    - IEXEC_INPUT_FILES_NUMBER: number of available input files.
+    - IEXEC_INPUT_FILE_NAME_N: the name of the Nth input file. N is between
+    1 and IEXEC_INPUT_FILES_NUMBER.
+    If IEXEC_INPUT_FILES_NUMBER is 0 then no input file is available.
+    """
+    iexec_in = os.environ['IEXEC_IN']
+    iexec_input_files_number = int(os.environ['IEXEC_INPUT_FILES_NUMBER'])
+    text = 'Input files:'
+    for i in range(1, iexec_input_files_number + 1):
+        file_path = iexec_in + "/" + os.environ['IEXEC_INPUT_FILE_NAME_' + i]
+        if os.path.isfile(file_path):
+            with open(file_path) as f:
+                text + f'\nInput file ({file_path}): {f.read()}'
+    return text
+
+
+def save_result(text):
+    """
+    This function shows how to save a result in an iExec application. The result
+    file(s) should be written in the folder indicated by the environment variable
+    IEXEC_OUT. After saving the result, the file "computed.json" must be created
+    in the same folder. It must contain, at least, the path to the determinism
+    file (deterministic-output-path).
+    """
+    iexec_out = os.environ['IEXEC_OUT']
+    result_filepath = iexec_out + '/result.txt'
+    with open(result_filepath, 'w+') as f:
+        f.write(text)
+    with open(iexec_out + '/computed.json', 'w+') as f:
+        json.dump({"deterministic-output-path": result_filepath}, f)
+
+
+if __name__ == '__main__':
+    computation_text = do_some_computation()
+    dataset_text = handle_dataset()
+    input_files_text = handle_input_files()
+    result = f'{computation_text}\n{dataset_text}\n{input_files_text}'
+    save_result(result)
\ No newline at end of file
From e0a55307eafc3f93e774a06e540bc6866480f961 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Tue, 27 Apr 2021 19:54:35 +0200
Subject: [PATCH 08/39] Add input files to run script
---
 cloud-computing/python-hello-world/src/app.py | 12 ++++++------
 .../standard/asset/input-file1.txt | 1 +
 .../standard/asset/input-file2.txt | 1 +
 cloud-computing/python-hello-world/standard/run | 11 ++++++++++-
 4 files changed, 18 insertions(+), 7 deletions(-)
 create mode 100644 cloud-computing/python-hello-world/standard/asset/input-file1.txt
 create mode 100644 cloud-computing/python-hello-world/standard/asset/input-file2.txt
diff --git a/cloud-computing/python-hello-world/src/app.py b/cloud-computing/python-hello-world/src/app.py
index f0bcf9f9..524a4679 100644
--- a/cloud-computing/python-hello-world/src/app.py
+++ b/cloud-computing/python-hello-world/src/app.py
@@ -14,7 +14,7 @@ def do_some_computation():
 greeting = f'Hello, {name}!'
 # Let's add some art for e.g.
 art = Figlet().renderText(greeting)
-    return f'{art}\n{greeting}'
+    return art + greeting
 def handle_dataset():
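Review bot: In `handle_input_files`, `int(os.environ['IEXEC_INPUT_FILES_NUMBER'])` raises KeyError when the variable is absent, and no run script in this series sets it until patch 08, so the refactor as committed fails on the standard run; `int(os.environ.get('IEXEC_INPUT_FILES_NUMBER', '0'))` keeps the no-input-files case the docstring describes working. The loop body also concatenates `'IEXEC_INPUT_FILE_NAME_' + i` with an int (TypeError) and evaluates `text + f'...'` without assigning it, both of which patch 08 at L19 corrects. `save_result` opens both outputs with `'w+'` where plain `'w'` is meant, and its docstring could state that `result_filepath` is the value written under `deterministic-output-path` so a reader sees why the two paths must agree.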
@@ -29,7 +29,7 @@ def handle_dataset():
 iexec_in = os.environ['IEXEC_IN']
 dataset_filename = os.environ['IEXEC_DATASET_FILENAME']
 dataset_filepath = iexec_in + '/' + dataset_filename
-    text = f'Dataset ({dataset_filepath}): '
+    text = f'\nDataset ({dataset_filepath}): '
 if os.path.isfile(dataset_filepath):
 with open(dataset_filepath) as f:
 text = text + f.read()
@@ -48,12 +48,12 @@ def handle_input_files():
 """
 iexec_in = os.environ['IEXEC_IN']
 iexec_input_files_number = int(os.environ['IEXEC_INPUT_FILES_NUMBER'])
-    text = 'Input files:'
+    text = ''
 for i in range(1, iexec_input_files_number + 1):
-        file_path = iexec_in + "/" + os.environ['IEXEC_INPUT_FILE_NAME_' + i]
+        file_path = iexec_in + "/" + os.environ['IEXEC_INPUT_FILE_NAME_' + str(i)]
 if os.path.isfile(file_path):
 with open(file_path) as f:
-            text + f'\nInput file ({file_path}): {f.read()}'
+            text += f'\nInput file [{i}] ({file_path}): {f.read()}'
 return text
@@ -77,5 +77,5 @@ def save_result(text):
 computation_text = do_some_computation()
 dataset_text = handle_dataset()
 input_files_text = handle_input_files()
-    result = f'{computation_text}\n{dataset_text}\n{input_files_text}'
+    result = f'{computation_text}\n{dataset_text}\n{input_files_text}\n'
 save_result(result)
\ No newline at end of file
diff --git a/cloud-computing/python-hello-world/standard/asset/input-file1.txt b/cloud-computing/python-hello-world/standard/asset/input-file1.txt
new file mode 100644
index 00000000..4ac303fb
--- /dev/null
+++ b/cloud-computing/python-hello-world/standard/asset/input-file1.txt
@@ -0,0 +1 @@
+An input file with some very interesting content!
diff --git a/cloud-computing/python-hello-world/standard/asset/input-file2.txt b/cloud-computing/python-hello-world/standard/asset/input-file2.txt
new file mode 100644
index 00000000..3898a4d9
--- /dev/null
+++ b/cloud-computing/python-hello-world/standard/asset/input-file2.txt
@@ -0,0 +1 @@
+Another input file with some other very interesting content!
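Review bot: `with open(dataset_filepath) as f:` in the first hunk and `with open(file_path) as f:` in the second read the dataset and input files with the interpreter's locale encoding, which in a minimal container image is often the POSIX default, so a UTF-8 file containing a non-ASCII character raises UnicodeDecodeError and the task fails; pass `encoding='utf-8'` (or read bytes and decode with `errors='replace'` when content may be arbitrary). `text += f'\nInput file [{i}] ({file_path}): {f.read()}'` also embeds every input file whole into the result, so for anything beyond the sample files a size cap or a summary is safer than `f.read()`. The same `open` without an encoding appears at L1, L4, L5 and L6.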
diff --git a/cloud-computing/python-hello-world/standard/run b/cloud-computing/python-hello-world/standard/run index 58c8e958..a630b31f 100755 --- a/cloud-computing/python-hello-world/standard/run +++ b/cloud-computing/python-hello-world/standard/run @@ -7,7 +7,16 @@ rm -rf $IEXEC_OUT mkdir -p $IEXEC_OUT -docker run --rm -e IEXEC_OUT=/iexec_out -e IEXEC_IN=/iexec_in -e IEXEC_DATASET_FILENAME=Lorem_ipsum.txt -v $IEXEC_OUT:/iexec_out -v $(pwd)/asset:/iexec_in python-hello-world $@ +docker run --rm \ + -e IEXEC_OUT=/iexec_out \ + -e IEXEC_IN=/iexec_in \ + -e IEXEC_DATASET_FILENAME=Lorem_ipsum.txt \ + -e IEXEC_INPUT_FILES_NUMBER='2' \ + -e IEXEC_INPUT_FILE_NAME_1='input-file1.txt' \ + -e IEXEC_INPUT_FILE_NAME_2='input-file2.txt' \ + -v $IEXEC_OUT:/iexec_out \ + -v $(pwd)/asset:/iexec_in \ + python-hello-world $@ echo find $IEXEC_OUT From 9e382d35387a13f20f91cc4df0f20bd024b77290 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Tue, 27 Apr 2021 20:03:37 +0200 Subject: [PATCH 09/39] Update TEE part --- .../tee/confidential-assets/input-file1.txt | 1 + .../tee/confidential-assets/input-file2.txt | 1 + cloud-computing/python-hello-world/tee/run | 12 +++++++++++- 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt create mode 100644 cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt diff --git a/cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt b/cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt new file mode 100644 index 00000000..4ac303fb --- /dev/null +++ b/cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt @@ -0,0 +1 @@ +An input file with some very interesting content! 
diff --git a/cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt b/cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt new file mode 100644 index 00000000..3898a4d9 --- /dev/null +++ b/cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt @@ -0,0 +1 @@ +Another input file with some other very interesting content! diff --git a/cloud-computing/python-hello-world/tee/run b/cloud-computing/python-hello-world/tee/run index fe7f4f8d..65e03b6c 100755 --- a/cloud-computing/python-hello-world/tee/run +++ b/cloud-computing/python-hello-world/tee/run @@ -6,7 +6,17 @@ IEXEC_OUT=/tmp/iexec_out rm -rf $IEXEC_OUT mkdir -p $IEXEC_OUT -docker run --rm -e IEXEC_OUT=/iexec_out -e IEXEC_IN=/iexec_in -v $IEXEC_OUT:/iexec_out -v $(pwd)/confidential-assets:/iexec_in --device /dev/isgx tee-python-hello-world $@ +docker run --rm \ + -e IEXEC_OUT=/iexec_out \ + -e IEXEC_IN=/iexec_in \ + -e IEXEC_DATASET_FILENAME=confidential-asset.txt \ + -e IEXEC_INPUT_FILES_NUMBER='2' \ + -e IEXEC_INPUT_FILE_NAME_1='input-file1.txt' \ + -e IEXEC_INPUT_FILE_NAME_2='input-file2.txt' \ + -v $IEXEC_OUT:/iexec_out \ + -v $(pwd)/confidential-assets:/iexec_in \ + --device /dev/isgx \ + tee-python-hello-world $@ echo find $IEXEC_OUT From 0c7ccc53abee1fe3f062cd5b08de3b79882d9020 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Wed, 28 Apr 2021 09:46:50 +0000 Subject: [PATCH 10/39] increatse heap setting and log --- cloud-computing/go-hello-world/src/helloworld.go | 5 +++++ cloud-computing/go-hello-world/tee/Dockerfile | 2 +- cloud-computing/go-hello-world/tee/protect-fs.sh | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index 98491900..67f04c13 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go 
@@ -18,9 +18,11 @@ func main() { // if our program was unable to read the file // print out the reason why it can't if err != nil { + fmt.Println("READ IEXEC_IN FILE ERROR") fmt.Println(err) } + fmt.Print("READ IEXEC_IN FILE OK") // if it was successful in reading the file then // print out the contents as a string fmt.Print(string(input)) @@ -28,6 +30,7 @@ func main() { // Append some results err = ioutil.WriteFile(iexec_out + "/result.txt", input, 0) if err != nil { + fmt.Println("WRITE FILE FAILED") log.Fatal(err) } @@ -37,7 +40,9 @@ func main() { dataBytes := []byte(dataString) err = ioutil.WriteFile(iexec_out + "/computed.json", dataBytes, 0) if err != nil { + fmt.Println("DECLARE FAILED") log.Fatal(err) } + fmt.Print("EVERYTHING IS OK") } diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile index 77d017e8..92af7688 100644 --- a/cloud-computing/go-hello-world/tee/Dockerfile +++ b/cloud-computing/go-hello-world/tee/Dockerfile @@ -5,7 +5,7 @@ COPY ./src /app/ RUN apk update RUN apk add go git curl -ENV SCONE_HEAP=1G +ENV SCONE_HEAP=4G RUN go build -o /app/helloworld -compiler gccgo -buildmode=exe -gccgoflags -g /app/helloworld.go ### protect file system with Scone with old procedure diff --git a/cloud-computing/go-hello-world/tee/protect-fs.sh b/cloud-computing/go-hello-world/tee/protect-fs.sh index 8a4b5445..2ae069ac 100644 --- a/cloud-computing/go-hello-world/tee/protect-fs.sh +++ b/cloud-computing/go-hello-world/tee/protect-fs.sh @@ -25,7 +25,7 @@ fi ENTRYPOINT=$(cat ./entrypoint) # `node /app/app.js` or `python /app/app.py` export SCONE_MODE=sim -export SCONE_HEAP=1G +export SCONE_HEAP=4G APP_FOLDER=$1 
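Review bot: `fmt.Print("READ IEXEC_IN FILE OK")` in the first hunk runs unconditionally after the `if err != nil` block, so a failed read logs both the error and the OK marker. Moving it into an `else` branch, `} else { fmt.Print("READ IEXEC_IN FILE OK") }`, keeps the log truthful. The later hunks print `WRITE FILE FAILED` / `DECLARE FAILED` immediately before `log.Fatal(err)`, which already prints the error and exits; `log.Fatalf("write file failed: %v", err)` does both in one line. main() starts outside the hunk.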
@@ -51,7 +51,7 @@ scone fspf addf /fspf.pb $APP_FOLDER $APP_FOLDER scone fspf encrypt /fspf.pb > ./keytag -MRENCLAVE="$(SCONE_HEAP=1G SCONE_HASH=1 $ENTRYPOINT)" +MRENCLAVE="$(SCONE_HEAP=4G SCONE_HASH=1 $ENTRYPOINT)" FSPF_TAG=$(cat ./keytag | awk '{print $9}') FSPF_KEY=$(cat ./keytag | awk '{print $11}') FINGERPRINT="$FSPF_KEY|$FSPF_TAG|$MRENCLAVE|$ENTRYPOINT" From c9d9387859d4ef10c35c88859554ad4814b32c6b Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Wed, 28 Apr 2021 17:00:33 +0200 Subject: [PATCH 11/39] Increase Go app heap size --- cloud-computing/go-hello-world/tee/Dockerfile | 1 - cloud-computing/go-hello-world/tee/build | 2 +- cloud-computing/go-hello-world/tee/protect-fs.sh | 6 ++---- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile index 77d017e8..26a8c48d 100644 --- a/cloud-computing/go-hello-world/tee/Dockerfile +++ b/cloud-computing/go-hello-world/tee/Dockerfile @@ -5,7 +5,6 @@ COPY ./src /app/ RUN apk update RUN apk add go git curl -ENV SCONE_HEAP=1G RUN go build -o /app/helloworld -compiler gccgo -buildmode=exe -gccgoflags -g /app/helloworld.go ### protect file system with Scone with old procedure diff --git a/cloud-computing/go-hello-world/tee/build b/cloud-computing/go-hello-world/tee/build index 31677ecb..684ee1f3 100755 --- a/cloud-computing/go-hello-world/tee/build +++ b/cloud-computing/go-hello-world/tee/build @@ -1,3 +1,3 @@ #!/bin/sh #cd $(dirname $0) -docker image build -f ../tee/Dockerfile -t tee-go-hello-world .. $@ +docker image build -f ../tee/Dockerfile --no-cache -t tee-go-hello-world .. $@ diff --git a/cloud-computing/go-hello-world/tee/protect-fs.sh b/cloud-computing/go-hello-world/tee/protect-fs.sh index 8a4b5445..99ac0ecf 100644 --- a/cloud-computing/go-hello-world/tee/protect-fs.sh +++ b/cloud-computing/go-hello-world/tee/protect-fs.sh 
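Review bot: Dropping `ENV SCONE_HEAP=1G` from the TEE Dockerfile (PATCH 11 on this line) while protect-fs.sh computes MRENCLAVE under an exported `SCONE_HEAP=3G` (next line) means the heap size that went into the measurement is no longer recorded in the image itself. If, as I understand SCONE, the heap size is part of the enclave layout that MRENCLAVE covers, a runtime that starts the binary with a different `SCONE_HEAP` yields a different measurement and fails attestation against the published fingerprint. A comment next to the export in protect-fs.sh, e.g. `# SCONE_HEAP is part of the measured enclave layout: the run-time value must match`, would make the coupling explicit.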
@@ -25,7 +25,7 @@ fi ENTRYPOINT=$(cat ./entrypoint) # `node /app/app.js` or `python /app/app.py` export SCONE_MODE=sim -export SCONE_HEAP=1G +export SCONE_HEAP=3G APP_FOLDER=$1 @@ -43,15 +43,13 @@ scone fspf addr /fspf.pb /etc/ssl --authenticated --kernel /etc/ssl scone fspf addf /fspf.pb /etc/ssl /etc/ssl scone fspf addr /fspf.pb /sbin --authenticated --kernel /sbin scone fspf addf /fspf.pb /sbin /sbin -#scone fspf addr /fspf.pb /samples --authenticated --kernel /samples -#scone fspf addf /fspf.pb /samples /samples printf "\n### Protecting code found in folder \"$APP_FOLDER\"\n\n" scone fspf addr /fspf.pb $APP_FOLDER --authenticated --kernel $APP_FOLDER scone fspf addf /fspf.pb $APP_FOLDER $APP_FOLDER scone fspf encrypt /fspf.pb > ./keytag -MRENCLAVE="$(SCONE_HEAP=1G SCONE_HASH=1 $ENTRYPOINT)" +MRENCLAVE="$(SCONE_HASH=1 $ENTRYPOINT)" FSPF_TAG=$(cat ./keytag | awk '{print $9}') FSPF_KEY=$(cat ./keytag | awk '{print $11}') FINGERPRINT="$FSPF_KEY|$FSPF_TAG|$MRENCLAVE|$ENTRYPOINT" From 18e03f4443a4d3f611ffb9160e4ebc69e31f0956 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Wed, 28 Apr 2021 17:56:59 +0200 Subject: [PATCH 12/39] Change go base image --- cloud-computing/go-hello-world/tee/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile index 26a8c48d..dc762f90 100644 --- a/cloud-computing/go-hello-world/tee/Dockerfile +++ b/cloud-computing/go-hello-world/tee/Dockerfile @@ -1,5 +1,4 @@ -FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers - +FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:latest-scone3.0.0 RUN mkdir /app COPY ./src /app/ From 7e18e765355dd8935b3b80b7b12dd3a0641d6245 Mon Sep 17 00:00:00 2001 
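Review bot: `FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:latest-scone3.0.0` (PATCH 12 on this line) is a floating tag, so two builds of the same commit can pull different base images and therefore produce different MRENCLAVE values even though the fingerprint is what gets published; pinning by digest, `FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers@sha256:<digest-placeholder>`, makes the measured image reproducible. In the protect-fs.sh hunks, `MRENCLAVE="$(SCONE_HASH=1 $ENTRYPOINT)"` now inherits the exported `SCONE_HEAP=3G`, which removes the earlier duplication but means the `export` line is the single place that fixes the measured heap size; a comment there saying so would help.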
From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Thu, 29 Apr 2021 11:19:21 +0200 Subject: [PATCH 13/39] Add standard Go app --- .../go-hello-world/standard/Dockerfile | 10 ++++++++++ .../standard/asset/Lorem_ipsum.txt | 1 + cloud-computing/go-hello-world/standard/build | 4 ++++ cloud-computing/go-hello-world/standard/run | 19 +++++++++++++++++++ cloud-computing/go-hello-world/tee/Dockerfile | 8 ++++---- cloud-computing/go-hello-world/tee/build | 4 ++-- .../go-hello-world/tee/protect-fs.sh | 3 +-- cloud-computing/go-hello-world/tee/run | 19 +++++++++++++++++++ 8 files changed, 60 insertions(+), 8 deletions(-) create mode 100644 cloud-computing/go-hello-world/standard/Dockerfile create mode 100644 cloud-computing/go-hello-world/standard/asset/Lorem_ipsum.txt create mode 100644 cloud-computing/go-hello-world/standard/build create mode 100644 cloud-computing/go-hello-world/standard/run create mode 100755 cloud-computing/go-hello-world/tee/run diff --git a/cloud-computing/go-hello-world/standard/Dockerfile b/cloud-computing/go-hello-world/standard/Dockerfile new file mode 100644 index 00000000..22ee41bb --- /dev/null +++ b/cloud-computing/go-hello-world/standard/Dockerfile @@ -0,0 +1,10 @@ +# same version as Scone +FROM golang:1.9.4-alpine3.7 + +RUN apk --update add go=1.9.4-r0 git curl + +COPY ./src /app + +RUN go build -o /app/helloworld -buildmode=exe -gccgoflags -g /app/helloworld.go + +ENTRYPOINT ["/app/helloworld"] diff --git a/cloud-computing/go-hello-world/standard/asset/Lorem_ipsum.txt b/cloud-computing/go-hello-world/standard/asset/Lorem_ipsum.txt new file mode 100644 index 00000000..1b376877 --- /dev/null +++ b/cloud-computing/go-hello-world/standard/asset/Lorem_ipsum.txt 
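Review bot: The new standard Dockerfile installs Alpine's `go=1.9.4-r0` package on top of `golang:1.9.4-alpine3.7`, which already ships that toolchain, and passes `-gccgoflags -g` to a `go build` that does not select `-compiler gccgo`, so the flag has no effect. Go 1.9 and Alpine 3.7 no longer receive security fixes, so this base will accumulate unpatched packages; a later commit in this series moves to golang 1.16, which addresses that. The comment `# same version as Scone` would be clearer as `# keep in sync with the Go version shipped by the SCONE crosscompilers image (tee/Dockerfile)`.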
@@ -0,0 +1 @@ +Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. diff --git a/cloud-computing/go-hello-world/standard/build b/cloud-computing/go-hello-world/standard/build new file mode 100644 index 00000000..4a955029 --- /dev/null +++ b/cloud-computing/go-hello-world/standard/build @@ -0,0 +1,4 @@ +#!/bin/sh +cd $(dirname $0) + +docker image build -f ../standard/Dockerfile -t go-hello-world .. $@ diff --git a/cloud-computing/go-hello-world/standard/run b/cloud-computing/go-hello-world/standard/run new file mode 100644 index 00000000..ff2a62ba --- /dev/null +++ b/cloud-computing/go-hello-world/standard/run @@ -0,0 +1,19 @@ +#!/bin/sh +cd $(dirname $0) + +IEXEC_OUT=/tmp/iexec_out + +rm -rf $IEXEC_OUT +mkdir -p $IEXEC_OUT + + +docker run --rm \ + -e IEXEC_OUT=/iexec_out \ + -e IEXEC_IN=/iexec_in \ + -e IEXEC_DATASET_FILENAME=Lorem_ipsum.txt \ + -v $IEXEC_OUT:/iexec_out \ + -v $(pwd)/asset:/iexec_in \ + go-hello-world $@ + +echo +find $IEXEC_OUT \ No newline at end of file diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile index dc762f90..f49a932f 100644 --- a/cloud-computing/go-hello-world/tee/Dockerfile +++ b/cloud-computing/go-hello-world/tee/Dockerfile 
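Review bot: `standard/build` and `standard/run` are added as `new file mode 100644` although both start with `#!/bin/sh` and are meant to be invoked directly (the tee/run created by the same commit is 100755), so the first `./build` fails with a permission error; `chmod +x` before committing fixes it. `standard/run` also ends without a trailing newline. The unquoted `$(pwd)` and `$@` in the `docker run` line have the same word-splitting issue as the python run scripts earlier in this series.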
@@ -1,9 +1,9 @@ FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:latest-scone3.0.0 -RUN mkdir /app -COPY ./src /app/ -RUN apk update -RUN apk add go git curl +RUN apk --update add go=1.9.4-r0 git curl + +COPY ./src /app + RUN go build -o /app/helloworld -compiler gccgo -buildmode=exe -gccgoflags -g /app/helloworld.go ### protect file system with Scone with old procedure diff --git a/cloud-computing/go-hello-world/tee/build b/cloud-computing/go-hello-world/tee/build index 684ee1f3..7283abeb 100755 --- a/cloud-computing/go-hello-world/tee/build +++ b/cloud-computing/go-hello-world/tee/build @@ -1,3 +1,3 @@ #!/bin/sh -#cd $(dirname $0) -docker image build -f ../tee/Dockerfile --no-cache -t tee-go-hello-world .. $@ +cd $(dirname $0) +docker image build -f ../tee/Dockerfile -t tee-go-hello-world .. $@ diff --git a/cloud-computing/go-hello-world/tee/protect-fs.sh b/cloud-computing/go-hello-world/tee/protect-fs.sh index 99ac0ecf..27431622 100644 --- a/cloud-computing/go-hello-world/tee/protect-fs.sh +++ b/cloud-computing/go-hello-world/tee/protect-fs.sh @@ -21,8 +21,7 @@ then exit 1 fi -#INTERPRETER=$(awk '{print $1}' ./entrypoint) # node or python -ENTRYPOINT=$(cat ./entrypoint) # `node /app/app.js` or `python /app/app.py` +ENTRYPOINT=$(cat ./entrypoint) # `/app/helloworld` export SCONE_MODE=sim export SCONE_HEAP=3G diff --git a/cloud-computing/go-hello-world/tee/run b/cloud-computing/go-hello-world/tee/run new file mode 100755 index 00000000..d5491167 --- /dev/null +++ b/cloud-computing/go-hello-world/tee/run @@ -0,0 +1,19 @@ +#!/bin/sh +cd $(dirname $0) + +IEXEC_OUT=/tmp/iexec_out + +rm -rf $IEXEC_OUT +mkdir -p $IEXEC_OUT + +docker run --rm \ + -e IEXEC_OUT=/iexec_out \ + -e IEXEC_IN=/iexec_in \ + -e IEXEC_DATASET_FILENAME=confidential-asset.txt \ + -v $IEXEC_OUT:/iexec_out \ + -v $(pwd)/confidential-assets:/iexec_in \ + --device /dev/isgx \ + tee-go-hello-world $@ + +echo +find $IEXEC_OUT 
From 5da6f76bed3f26110e02249d2acb89002012eed2 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Thu, 29 Apr 2021 12:18:44 +0200 Subject: [PATCH 14/39] Refactor go sources --- .../go-hello-world/src/helloworld.go | 42 +++++++++++-------- 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index 98491900..54a3e283 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go @@ -1,6 +1,5 @@ package main -// import the 2 modules we need import ( "os" "fmt" 
@@ -11,33 +10,40 @@ import ( func main() { iexec_out := os.Getenv("IEXEC_OUT") iexec_in := os.Getenv("IEXEC_IN") - dataset := os.Getenv("IEXEC_DATASET_FILENAME") + dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") + dataset_filepath := iexec_in + "/" + dataset_filename - // read in the contents of the localfile.data - input, err := ioutil.ReadFile(iexec_in + "/" + dataset) - // if our program was unable to read the file - // print out the reason why it can't - if err != nil { - fmt.Println(err) + // Print a message + if (len(os.Args) > 1) { + fmt.Println("Hello, " + os.Args[1] + "!") + } else { + fmt.Println("Hello, World!") } - // if it was successful in reading the file then - // print out the contents as a string - fmt.Print(string(input)) + // read in the contents of the dataset + input, err := ioutil.ReadFile(dataset_filepath) + if err != nil { + // if our program was unable to read the file + // print out the reason why it can't + fmt.Println("Error reading dataset file -", err) + } else { + // if it was successful in reading the file then + // print out the contents as a string + fmt.Println("Dataset (" + dataset_filepath + "):", string(input)) + } // Append some results err = ioutil.WriteFile(iexec_out + "/result.txt", input, 0) - if err != nil { - log.Fatal(err) - } + if err != nil { + log.Fatal(err) + } // Declare everything is computed //{"deterministic-output-path": "app/returnResultJson.json"} dataString := "{\"deterministic-output-path\": \"" + iexec_out + "/result.txt\"}" dataBytes := []byte(dataString) err = ioutil.WriteFile(iexec_out + "/computed.json", dataBytes, 0) - if err != nil { - log.Fatal(err) - } - + if err != nil { + log.Fatal(err) + } } From b0673324c0b59b4feb2f58b4dda22e4ac8727b3d Mon Sep 17 00:00:00 2001 
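Review bot: In the new error branch, `input` is nil when `ioutil.ReadFile` fails, yet the unchanged code below still writes it to `result.txt` and then creates `computed.json`, so a missing or unreadable dataset produces an empty result that is declared successfully computed. Either exit with `log.Fatal` after reporting the error or skip writing `computed.json` so the task is reported as failed; the PATCH 16 hunk two lines down appends the error text to `result` but keeps the same declare-success path, and PATCH 19 finally switches to `log.Fatal`. Both `ioutil.WriteFile` calls use permission `0`, which creates files with no access bits for anyone but a root reader; `0644` is the conventional value for output that other processes read. main() starts outside the hunk.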
From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Thu, 29 Apr 2021 17:17:37 +0200 Subject: [PATCH 15/39] Change scone heap size for go app --- cloud-computing/go-hello-world/tee/protect-fs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud-computing/go-hello-world/tee/protect-fs.sh b/cloud-computing/go-hello-world/tee/protect-fs.sh index 4f437741..cba1e8b3 100644 --- a/cloud-computing/go-hello-world/tee/protect-fs.sh +++ b/cloud-computing/go-hello-world/tee/protect-fs.sh @@ -24,7 +24,7 @@ fi ENTRYPOINT=$(cat ./entrypoint) # `/app/helloworld` export SCONE_MODE=sim -export SCONE_HEAP=4G +export SCONE_HEAP=1G APP_FOLDER=$1 From 5acb30a8836045e3756a3f0808967d9de5165cef Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Thu, 29 Apr 2021 17:44:16 +0200 Subject: [PATCH 16/39] Add hello message to result --- cloud-computing/go-hello-world/src/helloworld.go | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index 54a3e283..c5b2717e 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go @@ -13,11 +13,13 @@ func main() { dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") dataset_filepath := iexec_in + "/" + dataset_filename + result := "" + // Print a message if (len(os.Args) > 1) { - fmt.Println("Hello, " + os.Args[1] + "!") + result += "Hello, " + os.Args[1] + "!\n" } else { - fmt.Println("Hello, World!") + result += "Hello, World!\n" } // read in the contents of the dataset 
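Review bot: Changing the exported `SCONE_HEAP` from 4G to 1G in protect-fs.sh changes the MRENCLAVE computed further down the file, since as of PATCH 11 `MRENCLAVE="$(SCONE_HASH=1 $ENTRYPOINT)"` inherits that export; any fingerprint already published (iexec.json or a session `mrenclaves` entry) has to be regenerated after this commit. A comment on the export, `# changing this value changes MRENCLAVE; regenerate the published fingerprint`, would prevent silent mismatches. The rest of the file is outside the hunk, so this is inferred from the earlier hunks in the series.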
@@ -25,15 +27,17 @@ func main() { if err != nil { // if our program was unable to read the file // print out the reason why it can't - fmt.Println("Error reading dataset file -", err) + result += "Error reading dataset file - " + err.Error() } else { // if it was successful in reading the file then // print out the contents as a string - fmt.Println("Dataset (" + dataset_filepath + "):", string(input)) + result += "Dataset (" + dataset_filepath + "): " + string(input) } + fmt.Println(result) + // Append some results - err = ioutil.WriteFile(iexec_out + "/result.txt", input, 0) + err = ioutil.WriteFile(iexec_out + "/result.txt", []byte(result), 0) if err != nil { log.Fatal(err) } From e32096b687dd94533b35931c2127fcc32b810816 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Thu, 6 May 2021 12:08:46 +0200 Subject: [PATCH 17/39] Convert indentation to spaces --- cloud-computing/go-hello-world/src/helloworld.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index c5b2717e..be2af82b 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go @@ -13,7 +13,7 @@ func main() { dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") dataset_filepath := iexec_in + "/" + dataset_filename - result := "" + result := "" // Print a message if (len(os.Args) > 1) { @@ -34,7 +34,7 @@ func main() { result += "Dataset (" + dataset_filepath + "): " + string(input) } - fmt.Println(result) + fmt.Println(result) // Append some results err = ioutil.WriteFile(iexec_out + "/result.txt", []byte(result), 0) From a79fe1e1500c20b9dce1d6643cc496b46ae29e19 Mon Sep 17 00:00:00 2001 
From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Fri, 7 May 2021 19:06:29 +0200 Subject: [PATCH 18/39] Update go version and refactor code --- .../go-hello-world/src/helloworld.go | 113 ++++++++++++++---- .../go-hello-world/standard/Dockerfile | 6 +- 2 files changed, 95 insertions(+), 24 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index be2af82b..7f633c47 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go @@ -1,17 +1,22 @@ package main import ( - "os" - "fmt" - "io/ioutil" - "log" + "fmt" + "io/ioutil" + "log" + "os" ) func main() { iexec_out := os.Getenv("IEXEC_OUT") iexec_in := os.Getenv("IEXEC_IN") dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") - dataset_filepath := iexec_in + "/" + dataset_filename + if iexec_in == "" { + panic("No value for IEXEC_IN") + } + if iexec_out == "" { + panic("No value for IEXEC_OUT") + } result := "" 
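Review bot: The new guards `panic("No value for IEXEC_IN")` / `panic("No value for IEXEC_OUT")` abort with a goroutine stack trace for what is a configuration error; `log.Fatal`, already imported and used elsewhere in main, reports the same condition on one line with a non-zero exit and matches the rest of the file's error handling. The IEXEC_IN check is also stricter than the code that follows, which only uses `iexec_in` when `IEXEC_DATASET_FILENAME` is set (second hunk); if running without a dataset is a supported configuration, the check should move inside that branch. main() continues into the next hunk.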
@@ -22,32 +27,98 @@ func main() { result += "Hello, World!\n" } - // read in the contents of the dataset - input, err := ioutil.ReadFile(dataset_filepath) - if err != nil { - // if our program was unable to read the file - // print out the reason why it can't - result += "Error reading dataset file - " + err.Error() + // Read the content of the dataset if present + if dataset_filename != "" { + dataset_filepath := iexec_in + "/" + dataset_filename + input, err := ioutil.ReadFile(dataset_filepath) + if err != nil { + result += "Error reading dataset file - " + err.Error() + } else { + result += "Dataset (" + dataset_filepath + "): " + string(input) + } } else { - // if it was successful in reading the file then - // print out the contents as a string - result += "Dataset (" + dataset_filepath + "): " + string(input) + result += "No dataset present\n" } fmt.Println(result) - // Append some results - err = ioutil.WriteFile(iexec_out + "/result.txt", []byte(result), 0) + // Save result + err := ioutil.WriteFile(iexec_out + "/result.txt", []byte(result), 0) if err != nil { log.Fatal(err) } - // Declare everything is computed - //{"deterministic-output-path": "app/returnResultJson.json"} - dataString := "{\"deterministic-output-path\": \"" + iexec_out + "/result.txt\"}" - dataBytes := []byte(dataString) - err = ioutil.WriteFile(iexec_out + "/computed.json", dataBytes, 0) + // Create computed.json file + dataString := `{"deterministic-output-path\": "` + iexec_out + `/result.txt"}` + err = ioutil.WriteFile(iexec_out + "/computed.json", []byte(dataString), 0) if err != nil { log.Fatal(err) } } + + + + + +// // This function simulates some computation in an iExec application. Script +// // arguments (if provided) are accessible via "sys.argv" array. In this case, +// // if the first argument is present, it is used in the greeting message. 
+// func doSomeComputation() (string) { +// if (len(os.Args) < 2) { +// return "Hello, World!\n" +// } +// return "Hello, " + os.Args[1] + "!\n" +// } + +// // This function shows how to read a dataset file from an iExec application. +// // Datasets are public in standard mode and confidential in TEE mode. +// // The dataset location and filename are needed to be able to read it. Both +// // of which are provided in the following environment variables: +// // - IEXEC_IN: the path to the folder where the dataset is located. +// // - IEXEC_DATASET_FILENAME: the name of the dataset file. +// func handleDataset() string { +// iexec_in := os.Getenv("IEXEC_IN") +// dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") +// if iexec_in == "" { +// panic("No value for IEXEC_IN") +// } +// if dataset_filename == "" { +// return "No value for IEXEC_DATASET_FILENAME" +// } +// dataset_filepath := iexec_in + "/" + dataset_filename +// input, err := ioutil.ReadFile(dataset_filepath) +// if err != nil { +// // if our program was unable to read the file +// // print out the reason why it can't +// panic("Error reading dataset file") +// // result += "Error reading dataset file - " + err.Error() +// } +// // if it was successful in reading the file then +// // print out the contents as a string +// return "Dataset (" + dataset_filepath + "): " + string(input) +// } + +// // This function shows how to save a result in an iExec application. The result +// // file(s) should be written in the folder indicated by the environment variable +// // IEXEC_OUT. After saving the result, the file "computed.json" must be created +// // in the same folder. It must contain, at least, the path to the determinism +// // file (deterministic-output-path). 
+// // Example of computed.json file content: +// // {"deterministic-output-path": "app/returnResultJson.json"} +// func saveResult(iexec_out string, result []byte) { +// err:= ioutil.WriteFile(iexec_out + "/result.txt", result, 0) +// if err != nil { +// log.Fatal(err) +// } +// dataString := `{"deterministic-output-path": "` + iexec_out + `/result.txt"}` +// err = ioutil.WriteFile(iexec_out + "/computed.json", []byte(dataString), 0) +// if err != nil { +// log.Fatal(err) +// } +// } + +// defer func() { +// if err := recover(); err != nil { +// log.Println("work failed:", err) +// } +// }() diff --git a/cloud-computing/go-hello-world/standard/Dockerfile b/cloud-computing/go-hello-world/standard/Dockerfile index 22ee41bb..d72223c9 100644 --- a/cloud-computing/go-hello-world/standard/Dockerfile +++ b/cloud-computing/go-hello-world/standard/Dockerfile @@ -1,10 +1,10 @@ # same version as Scone -FROM golang:1.9.4-alpine3.7 +FROM golang:1.16.0-alpine3.13 -RUN apk --update add go=1.9.4-r0 git curl +RUN apk --update add gcc build-base gcc-go COPY ./src /app -RUN go build -o /app/helloworld -buildmode=exe -gccgoflags -g /app/helloworld.go +RUN go build -compiler=gccgo -buildmode=exe -o /app/helloworld /app/helloworld.go ENTRYPOINT ["/app/helloworld"] From c84f967c1710d5931ff063787577a11139bb8221 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Mon, 10 May 2021 12:28:50 +0200 Subject: [PATCH 19/39] Clean go code --- .../go-hello-world/src/helloworld.go | 93 +++---------------- 1 file changed, 13 insertions(+), 80 deletions(-) diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index 7f633c47..cd8d54b3 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go 
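Review bot: The rewritten `dataString` on the new side is a Go raw string, so the `\"` after `deterministic-output-path` is emitted literally and `computed.json` is no longer valid JSON; drop the backslash so the key reads `"deterministic-output-path": "`. The same string is carried through the rename in PATCH 19 and only corrected in PATCH 20. The roughly sixty lines of commented-out `doSomeComputation` / `handleDataset` / `saveResult` code appended after main() should either become real functions or be left out of the commit, especially as the commentary refers to `sys.argv` in a Go file. The standard Dockerfile hunk on this line keeps `# same version as Scone` while moving to `golang:1.16.0-alpine3.13`; update or drop the comment.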
@@ -8,13 +8,13 @@ import ( ) func main() { - iexec_out := os.Getenv("IEXEC_OUT") - iexec_in := os.Getenv("IEXEC_IN") - dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") - if iexec_in == "" { + iexecOut := os.Getenv("IEXEC_OUT") + iexecIn := os.Getenv("IEXEC_IN") + datasetFilename := os.Getenv("IEXEC_DATASET_FILENAME") + if iexecIn == "" { panic("No value for IEXEC_IN") } - if iexec_out == "" { + if iexecOut == "" { panic("No value for IEXEC_OUT") } @@ -28,13 +28,13 @@ func main() { } // Read the content of the dataset if present - if dataset_filename != "" { - dataset_filepath := iexec_in + "/" + dataset_filename - input, err := ioutil.ReadFile(dataset_filepath) + if datasetFilename != "" { + datasetFilepath := iexecIn + "/" + datasetFilename + input, err := ioutil.ReadFile(datasetFilepath) if err != nil { - result += "Error reading dataset file - " + err.Error() + log.Fatal("Error reading dataset file", err) } else { - result += "Dataset (" + dataset_filepath + "): " + string(input) + result += "Dataset (" + datasetFilepath + "): " + string(input) } } else { result += "No dataset present\n" 
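Review bot: `log.Fatal("Error reading dataset file", err)` in the second hunk concatenates its operands without a separator (log.Fatal follows fmt.Print rules, adding a space only between two non-string operands), so the message reads `Error reading dataset fileopen /iexec_in/...`; `log.Fatalf("Error reading dataset file: %v", err)` is clearer. Since `log.Fatal` exits, the following `else` can be flattened. A read failure now exits before `computed.json` is written, which correctly leaves the task unreported as computed.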
@@ -43,82 +43,15 @@ func main() { fmt.Println(result) // Save result - err := ioutil.WriteFile(iexec_out + "/result.txt", []byte(result), 0) + err := ioutil.WriteFile(iexecOut + "/result.txt", []byte(result), 0) if err != nil { log.Fatal(err) } // Create computed.json file - dataString := `{"deterministic-output-path\": "` + iexec_out + `/result.txt"}` - err = ioutil.WriteFile(iexec_out + "/computed.json", []byte(dataString), 0) + dataString := `{"deterministic-output-path\": "` + iexecOut + `/result.txt"}` + err = ioutil.WriteFile(iexecOut + "/computed.json", []byte(dataString), 0) if err != nil { log.Fatal(err) } } - - - - - -// // This function simulates some computation in an iExec application. Script -// // arguments (if provided) are accessible via "sys.argv" array. In this case, -// // if the first argument is present, it is used in the greeting message. -// func doSomeComputation() (string) { -// if (len(os.Args) < 2) { -// return "Hello, World!\n" -// } -// return "Hello, " + os.Args[1] + "!\n" -// } - -// // This function shows how to read a dataset file from an iExec application. -// // Datasets are public in standard mode and confidential in TEE mode. -// // The dataset location and filename are needed to be able to read it. Both -// // of which are provided in the following environment variables: -// // - IEXEC_IN: the path to the folder where the dataset is located. -// // - IEXEC_DATASET_FILENAME: the name of the dataset file. 
-// func handleDataset() string { -// iexec_in := os.Getenv("IEXEC_IN") -// dataset_filename := os.Getenv("IEXEC_DATASET_FILENAME") -// if iexec_in == "" { -// panic("No value for IEXEC_IN") -// } -// if dataset_filename == "" { -// return "No value for IEXEC_DATASET_FILENAME" -// } -// dataset_filepath := iexec_in + "/" + dataset_filename -// input, err := ioutil.ReadFile(dataset_filepath) -// if err != nil { -// // if our program was unable to read the file -// // print out the reason why it can't -// panic("Error reading dataset file") -// // result += "Error reading dataset file - " + err.Error() -// } -// // if it was successful in reading the file then -// // print out the contents as a string -// return "Dataset (" + dataset_filepath + "): " + string(input) -// } - -// // This function shows how to save a result in an iExec application. The result -// // file(s) should be written in the folder indicated by the environment variable -// // IEXEC_OUT. After saving the result, the file "computed.json" must be created -// // in the same folder. It must contain, at least, the path to the determinism -// // file (deterministic-output-path). -// // Example of computed.json file content: -// // {"deterministic-output-path": "app/returnResultJson.json"} -// func saveResult(iexec_out string, result []byte) { -// err:= ioutil.WriteFile(iexec_out + "/result.txt", result, 0) -// if err != nil { -// log.Fatal(err) -// } -// dataString := `{"deterministic-output-path": "` + iexec_out + `/result.txt"}` -// err = ioutil.WriteFile(iexec_out + "/computed.json", []byte(dataString), 0) -// if err != nil { -// log.Fatal(err) -// } -// } - -// defer func() { -// if err := recover(); err != nil { -// log.Println("work failed:", err) -// } -// }() From f4af2eeee012f0e2a9c9be795d90d6959d54bf5e Mon Sep 17 00:00:00 2001 
From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Mon, 10 May 2021 17:55:42 +0200 Subject: [PATCH 20/39] Sconify go image --- .../go-hello-world/{standard => }/Dockerfile | 0 cloud-computing/go-hello-world/build | 4 ++ .../dataset/Lorem-ipsum.txt} | 0 .../resources/run/docker-compose.yml | 2 +- .../go-hello-world/resources/run/session.yml | 2 +- .../go-hello-world/{standard => }/run | 4 +- cloud-computing/go-hello-world/sconify.sh | 20 ++++++ .../go-hello-world/src/helloworld.go | 2 +- cloud-computing/go-hello-world/standard/build | 4 -- cloud-computing/go-hello-world/tee/Dockerfile | 13 ---- cloud-computing/go-hello-world/tee/build | 3 - .../confidential-asset.txt | 1 - .../go-hello-world/tee/protect-fs.sh | 64 ------------------- cloud-computing/go-hello-world/tee/run | 19 ------ 14 files changed, 29 insertions(+), 109 deletions(-) rename cloud-computing/go-hello-world/{standard => }/Dockerfile (100%) create mode 100644 cloud-computing/go-hello-world/build rename cloud-computing/go-hello-world/{standard/asset/Lorem_ipsum.txt => resources/dataset/Lorem-ipsum.txt} (100%) rename cloud-computing/go-hello-world/{standard => }/run (72%) create mode 100644 cloud-computing/go-hello-world/sconify.sh delete mode 100644 cloud-computing/go-hello-world/standard/build delete mode 100644 cloud-computing/go-hello-world/tee/Dockerfile delete mode 100755 cloud-computing/go-hello-world/tee/build delete mode 100644 cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt delete mode 100644 cloud-computing/go-hello-world/tee/protect-fs.sh delete mode 100755 cloud-computing/go-hello-world/tee/run diff --git a/cloud-computing/go-hello-world/standard/Dockerfile b/cloud-computing/go-hello-world/Dockerfile similarity index 100% rename from cloud-computing/go-hello-world/standard/Dockerfile rename to cloud-computing/go-hello-world/Dockerfile 
diff --git a/cloud-computing/go-hello-world/build b/cloud-computing/go-hello-world/build new file mode 100644 index 00000000..e8886eb8 --- /dev/null +++ b/cloud-computing/go-hello-world/build @@ -0,0 +1,4 @@ +#!/bin/sh +cd $(dirname $0) + +docker image build -f Dockerfile -t go-hello-world . $@ diff --git a/cloud-computing/go-hello-world/standard/asset/Lorem_ipsum.txt b/cloud-computing/go-hello-world/resources/dataset/Lorem-ipsum.txt similarity index 100% rename from cloud-computing/go-hello-world/standard/asset/Lorem_ipsum.txt rename to cloud-computing/go-hello-world/resources/dataset/Lorem-ipsum.txt diff --git a/cloud-computing/go-hello-world/resources/run/docker-compose.yml b/cloud-computing/go-hello-world/resources/run/docker-compose.yml index 331afc77..a532ccf0 100644 --- a/cloud-computing/go-hello-world/resources/run/docker-compose.yml +++ b/cloud-computing/go-hello-world/resources/run/docker-compose.yml @@ -21,7 +21,7 @@ services: networks: - scone-net scone-cli: - image: registry.scontain.com:5050/sconecuratedimages/sconecli:sconify-image-scone5.3.0 + image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.1 container_name: scone-cli command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification" volumes: diff --git a/cloud-computing/go-hello-world/resources/run/session.yml b/cloud-computing/go-hello-world/resources/run/session.yml index 18c59e36..a02683d7 100644 --- a/cloud-computing/go-hello-world/resources/run/session.yml +++ b/cloud-computing/go-hello-world/resources/run/session.yml @@ -14,7 +14,7 @@ access_policy: services: - name: go-hello-world image_name: tee-go-hello-world - mrenclaves: [d4906280593115769efef9f46f6b237bc20c338edfcbbf8d2939d58aa76e0e16] + mrenclaves: [0ffb1ce764e67185411c0e9983a21a84d6c2ccc3fde7890e26107389fdda83c2] command: "/app/helloworld" environment: SCONE_MODE: hw 
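Review bot: The compose file pins the SCONE CLI to `iexec-sconify-image:5.3.1` while `sconify.sh`, added on the next line, builds the enclave image with `iexec-sconify-image:5.3.2`; the `mrenclaves` value hard-coded in session.yml is produced by whichever version built `tee-go-hello-world`, so the two tags should be kept identical, or the producing tag recorded next to the measurement, e.g. `# generated by sconify.sh with iexec-sconify-image:<tag>`, to avoid an attestation mismatch that is hard to diagnose. The context line `--only_for_testing-disable-attestation-verification` predates this commit, but a comment marking the compose file as local-testing-only (CAS attestation is not verified) would keep it from being reused as a production template.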
diff --git a/cloud-computing/go-hello-world/standard/run b/cloud-computing/go-hello-world/run similarity index 72% rename from cloud-computing/go-hello-world/standard/run rename to cloud-computing/go-hello-world/run index ff2a62ba..d87d29e1 100644 --- a/cloud-computing/go-hello-world/standard/run +++ b/cloud-computing/go-hello-world/run @@ -10,9 +10,9 @@ mkdir -p $IEXEC_OUT docker run --rm \ -e IEXEC_OUT=/iexec_out \ -e IEXEC_IN=/iexec_in \ - -e IEXEC_DATASET_FILENAME=Lorem_ipsum.txt \ + -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \ -v $IEXEC_OUT:/iexec_out \ - -v $(pwd)/asset:/iexec_in \ + -v $(pwd)/resources/dataset:/iexec_in \ go-hello-world $@ echo diff --git a/cloud-computing/go-hello-world/sconify.sh b/cloud-computing/go-hello-world/sconify.sh new file mode 100644 index 00000000..4c29aa72 --- /dev/null +++ b/cloud-computing/go-hello-world/sconify.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +docker run -it --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.2 \ + sconify_iexec \ + --name=goHelloWorld \ + --from=go-hello-world \ + --to=tee-go-hello-world \ + --binary-fs \ + --fs-dir=/app \ + --fs-file=/etc/hosts \ + --network=host \ + --nameserver=8.8.8.8 \ + --binary="/app/helloworld" \ + --heap="1G" \ + --dlopen="2" \ + --no-color \ + --verbose \ + --command="/app/helloworld" diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go index cd8d54b3..8101cb51 100644 --- a/cloud-computing/go-hello-world/src/helloworld.go +++ b/cloud-computing/go-hello-world/src/helloworld.go @@ -49,7 +49,7 @@ func main() { } // Create computed.json file - dataString := `{"deterministic-output-path\": "` + iexecOut + `/result.txt"}` + dataString := `{"deterministic-output-path": "` + iexecOut + `/result.txt"}` err = ioutil.WriteFile(iexecOut + "/computed.json", []byte(dataString), 0) if err != nil { log.Fatal(err) 
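Review bot: `sconify.sh` is committed as mode 100644 with a `#!/bin/bash` shebang and runs `docker run -it`, which fails when stdin is not a TTY (CI, `nohup`); `chmod +x` and dropping `-t` make it usable non-interactively. The script also bind-mounts `/var/run/docker.sock`, which hands the sconify container full control of the host Docker daemon; that is how the tool produces the image, but it deserves a header comment such as `# NOTE: mounts the host Docker socket (host-root equivalent); run only on a trusted build machine`. `--network=host` and `--nameserver=8.8.8.8` are baked into the TEE image configuration without explanation; a one-line comment on why each is required would help the next maintainer.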
diff --git a/cloud-computing/go-hello-world/standard/build b/cloud-computing/go-hello-world/standard/build deleted file mode 100644 index 4a955029..00000000 --- a/cloud-computing/go-hello-world/standard/build +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -cd $(dirname $0) - -docker image build -f ../standard/Dockerfile -t go-hello-world .. $@ diff --git a/cloud-computing/go-hello-world/tee/Dockerfile b/cloud-computing/go-hello-world/tee/Dockerfile deleted file mode 100644 index f49a932f..00000000 --- a/cloud-computing/go-hello-world/tee/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:latest-scone3.0.0 - -RUN apk --update add go=1.9.4-r0 git curl - -COPY ./src /app - -RUN go build -o /app/helloworld -compiler gccgo -buildmode=exe -gccgoflags -g /app/helloworld.go - -### protect file system with Scone with old procedure -COPY ./tee/protect-fs.sh ./tee/Dockerfile /build/ -RUN sh /build/protect-fs.sh /app - -ENTRYPOINT ["/app/helloworld"] diff --git a/cloud-computing/go-hello-world/tee/build b/cloud-computing/go-hello-world/tee/build deleted file mode 100755 index 7283abeb..00000000 --- a/cloud-computing/go-hello-world/tee/build +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -cd $(dirname $0) -docker image build -f ../tee/Dockerfile -t tee-go-hello-world .. $@ diff --git a/cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt b/cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt deleted file mode 100644 index 96426db1..00000000 --- a/cloud-computing/go-hello-world/tee/confidential-assets/confidential-asset.txt +++ /dev/null @@ -1 +0,0 @@ -dummy confidential file diff --git a/cloud-computing/go-hello-world/tee/protect-fs.sh b/cloud-computing/go-hello-world/tee/protect-fs.sh deleted file mode 100644 index cba1e8b3..00000000 --- a/cloud-computing/go-hello-world/tee/protect-fs.sh +++ /dev/null 
@@ -1,64 +0,0 @@
-#!/bin/sh
-
-cd $(dirname $0)
-
-if [ ! -e Dockerfile ]
-then
- printf "\nFailed to parse Dockerfile ENTRYPOINT\n"
- printf "Did you forget to add your Dockerfile in your build?\n"
- printf "COPY ./tee/Dockerfile /build/\n\n"
- exit 1
-fi
-
-ENTRYPOINT_ARSG=$(grep ENTRYPOINT ./Dockerfile | tail -1 | grep -o '"[^"]\+"' | tr -d '"')
-echo $ENTRYPOINT_ARSG > ./entrypoint
-
-if [ -z "$ENTRYPOINT_ARSG" ]
-then
- printf "\nFailed to parse Dockerfile ENTRYPOINT\n"
- printf "Did you forget to add an ENTRYPOINT to your Dockerfile?\n"
- printf "ENTRYPOINT [\"executable\", \"param1\", \"param2\"]\n\n"
- exit 1
-fi
-
-ENTRYPOINT=$(cat ./entrypoint) # `/app/helloworld`
-
-export SCONE_MODE=sim
-export SCONE_HEAP=1G
-
-APP_FOLDER=$1
-
-printf "\n### Starting file system protection ...\n\n"
-
-scone fspf create /fspf.pb
-scone fspf addr /fspf.pb / --not-protected --kernel /
-scone fspf addr /fspf.pb /usr --authenticated --kernel /usr
-scone fspf addf /fspf.pb /usr /usr
-scone fspf addr /fspf.pb /bin --authenticated --kernel /bin
-scone fspf addf /fspf.pb /bin /bin
-scone fspf addr /fspf.pb /lib --authenticated --kernel /lib
-scone fspf addf /fspf.pb /lib /lib
-scone fspf addr /fspf.pb /etc/ssl --authenticated --kernel /etc/ssl
-scone fspf addf /fspf.pb /etc/ssl /etc/ssl
-scone fspf addr /fspf.pb /sbin --authenticated --kernel /sbin
-scone fspf addf /fspf.pb /sbin /sbin
-printf "\n### Protecting code found in folder \"$APP_FOLDER\"\n\n"
-scone fspf addr /fspf.pb $APP_FOLDER --authenticated --kernel $APP_FOLDER
-scone fspf addf /fspf.pb $APP_FOLDER $APP_FOLDER
-
-scone fspf encrypt /fspf.pb > ./keytag
-
-MRENCLAVE="$(SCONE_HASH=1 $ENTRYPOINT)"
-FSPF_TAG=$(cat ./keytag | awk '{print $9}')
-FSPF_KEY=$(cat ./keytag | awk '{print $11}')
-FINGERPRINT="$FSPF_KEY|$FSPF_TAG|$MRENCLAVE|$ENTRYPOINT"
-echo $FINGERPRINT > ./fingerprint
-
-printf "\n\n"
-printf "Your application fingerprint (mrenclave) is ready:\n"
-printf
"#####################################################################\n"
-printf "iexec.json:\n\n"
-printf "%s\n" "\"app\": { " " \"owner\" : ... " " \"name\": ... " " ..." " \"mrenclave\": \"$FINGERPRINT\"" "}"
-printf "#####################################################################\n"
-printf "Hint: Replace 'mrenclave' before doing 'iexec app deploy' step.\n"
-printf "\n\n"
diff --git a/cloud-computing/go-hello-world/tee/run b/cloud-computing/go-hello-world/tee/run
deleted file mode 100755
index d5491167..00000000
--- a/cloud-computing/go-hello-world/tee/run
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-IEXEC_OUT=/tmp/iexec_out
-
-rm -rf $IEXEC_OUT
-mkdir -p $IEXEC_OUT
-
-docker run --rm \
- -e IEXEC_OUT=/iexec_out \
- -e IEXEC_IN=/iexec_in \
- -e IEXEC_DATASET_FILENAME=confidential-asset.txt \
- -v $IEXEC_OUT:/iexec_out \
- -v $(pwd)/confidential-assets:/iexec_in \
- --device /dev/isgx \
- tee-go-hello-world $@
-
-echo
-find $IEXEC_OUT
From f8230c99de89e87ba388b14c2f971ec9255fe8c3 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Mon, 10 May 2021 18:32:39 +0200
Subject: [PATCH 21/39] Add readme file
---
 cloud-computing/go-hello-world/Readme.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 cloud-computing/go-hello-world/Readme.md
diff --git a/cloud-computing/go-hello-world/Readme.md b/cloud-computing/go-hello-world/Readme.md
new file mode 100644
index 00000000..30404ce4
--- /dev/null
+++ b/cloud-computing/go-hello-world/Readme.md
@@ -0,0 +1 @@
+TODO
\ No newline at end of file
From 293e7547319b9cebf6e34098b3a915612dfa286d Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Tue, 11 May 2021 15:14:09 +0200
Subject: [PATCH 22/39] Snapshot: sconify go app
---
 .../go-hello-world/sconify-5.3.3.sh | 18 ++++++++++++++++++
 cloud-computing/go-hello-world/sconify.sh | 3 +--
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 cloud-computing/go-hello-world/sconify-5.3.3.sh
diff --git a/cloud-computing/go-hello-world/sconify-5.3.3.sh b/cloud-computing/go-hello-world/sconify-5.3.3.sh
new file mode 100644
index 00000000..9f0fd669
--- /dev/null
+++ b/cloud-computing/go-hello-world/sconify-5.3.3.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+docker run -it --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3 \
+ sconify_iexec \
+ --name=goHelloWorld \
+ --from=go-hello-world \
+ --to=tee-go-hello-world:dev-tee-5.3.3 \
+ --binary-fs \
+ --host-path=/etc/hosts \
+ --host-path=/etc/resolv.conf \
+ --binary="/app/helloworld" \
+ --heap="1G" \
+ --dlopen="2" \
+ --no-color \
+ --verbose \
+ --command="/app/helloworld"
diff --git a/cloud-computing/go-hello-world/sconify.sh b/cloud-computing/go-hello-world/sconify.sh
index 4c29aa72..22d6205b 100644
--- a/cloud-computing/go-hello-world/sconify.sh
+++ b/cloud-computing/go-hello-world/sconify.sh
@@ -6,9 +6,8 @@ docker run -it --rm \
 sconify_iexec \
 --name=goHelloWorld \
 --from=go-hello-world \
- --to=tee-go-hello-world \
+ --to=nexus.iex.ec/tee-go-hello-world:6.2.0 \
 --binary-fs \
- --fs-dir=/app \
 --fs-file=/etc/hosts \
 --network=host \
 --nameserver=8.8.8.8 \
From ee893e120f39873c648db2203604b37eef734569 Mon Sep 17 00:00:00 2001
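Review bot: Dropping `--fs-dir=/app` here (and sconify-5.3.3.sh in the same commit has no `--fs-dir` at all) removes the application directory from the paths that are explicitly named for the binary file system; if /app/helloworld is then read from the plain image layer at run time, its contents are not covered by the enclave measurement — please confirm against the sconify 5.3.x option semantics and add a one-line comment stating where the binary is taken from, e.g. `# /app/helloworld is embedded via --binary; no --fs-dir needed` if that is the case. The nodejs sconify.sh later in this series still passes `--fs-dir=/app`, so the two examples currently disagree on this point.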
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Tue, 11 May 2021 18:14:15 +0200
Subject: [PATCH 23/39] Clean
---
 .../resources/run/docker-compose.yml | 2 +-
 .../go-hello-world/sconify-5.3.3.sh | 2 +-
 cloud-computing/go-hello-world/sconify.sh | 19 -------------------
 3 files changed, 2 insertions(+), 21 deletions(-)
 delete mode 100644 cloud-computing/go-hello-world/sconify.sh
diff --git a/cloud-computing/go-hello-world/resources/run/docker-compose.yml b/cloud-computing/go-hello-world/resources/run/docker-compose.yml
index a532ccf0..b481689f 100644
--- a/cloud-computing/go-hello-world/resources/run/docker-compose.yml
+++ b/cloud-computing/go-hello-world/resources/run/docker-compose.yml
@@ -21,7 +21,7 @@ services:
 networks:
 - scone-net
 scone-cli:
- image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.1
+ image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3
 container_name: scone-cli
 command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification"
 volumes:
diff --git a/cloud-computing/go-hello-world/sconify-5.3.3.sh b/cloud-computing/go-hello-world/sconify-5.3.3.sh
index 9f0fd669..6f0615d4 100644
--- a/cloud-computing/go-hello-world/sconify-5.3.3.sh
+++ b/cloud-computing/go-hello-world/sconify-5.3.3.sh
@@ -6,7 +6,7 @@ docker run -it --rm \
 sconify_iexec \
 --name=goHelloWorld \
 --from=go-hello-world \
- --to=tee-go-hello-world:dev-tee-5.3.3 \
+ --to=tee-go-hello-world \
 --binary-fs \
 --host-path=/etc/hosts \
 --host-path=/etc/resolv.conf \
diff --git a/cloud-computing/go-hello-world/sconify.sh b/cloud-computing/go-hello-world/sconify.sh
deleted file mode 100644
index 22d6205b..00000000
--- a/cloud-computing/go-hello-world/sconify.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-docker run -it --rm \
- -v /var/run/docker.sock:/var/run/docker.sock \
- registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.2 \
- sconify_iexec \
- --name=goHelloWorld \
- --from=go-hello-world \
- --to=nexus.iex.ec/tee-go-hello-world:6.2.0 \
- --binary-fs \
- --fs-file=/etc/hosts \
- --network=host \
- --nameserver=8.8.8.8 \
- --binary="/app/helloworld" \
- --heap="1G" \
- --dlopen="2" \
- --no-color \
- --verbose \
- --command="/app/helloworld"
From 9435599bc33f3c1ea7da1557835b622f6fe6060c Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 10:42:59 +0200
Subject: [PATCH 24/39] Clean go folder
---
 cloud-computing/go-hello-world/README.md | 61 +++++++++++++++++++
 cloud-computing/go-hello-world/Readme.md | 1 -
 cloud-computing/go-hello-world/build | 4 --
 .../resources/run/run-scone-app | 12 +++-
 .../go-hello-world/resources/run/session.yml | 4 +-
 cloud-computing/go-hello-world/run | 19 ------
 .../{sconify-5.3.3.sh => sconify.sh} | 0
 .../go-hello-world/src/helloworld.go | 2 +-
 8 files changed, 72 insertions(+), 31 deletions(-)
 create mode 100644 cloud-computing/go-hello-world/README.md
 delete mode 100644 cloud-computing/go-hello-world/Readme.md
 delete mode 100644 cloud-computing/go-hello-world/build
 delete mode 100644 cloud-computing/go-hello-world/run
 rename cloud-computing/go-hello-world/{sconify-5.3.3.sh => sconify.sh} (100%)
diff --git a/cloud-computing/go-hello-world/README.md b/cloud-computing/go-hello-world/README.md
new file mode 100644
index 00000000..5bc08756
--- /dev/null
+++ b/cloud-computing/go-hello-world/README.md
@@ -0,0 +1,61 @@
+# Go hello-world app
+
+## Standard mode
+By default the application is built in **Standard** mode which
+does not use TEE capabilities.
+
+### Build
+Standard mode application is built just like any other dockerized
+application:
+```
+docker image build -t go-hello-world .
+```
+
+### Run
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+ --rm \
+ -e IEXEC_IN=/iexec_in \
+ -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \
+ -e IEXEC_OUT=/iexec_out \
+ -v /tmp/iexec_out:/iexec_out \
+ -v $(pwd)/resources/dataset:/iexec_in \
+ go-hello-world Alice
+```
+Once the execution ends, the result should be found in the folder
+`/tmp/iexec_out`.
+
+## TEE (protected) mode
+To convert the application into **TEE** mode, first, it needs to be
+build in **Standard** mode as instructed in the section above.
+Then the produced image is converted using `sconify.sh` script into
+a newly created TEE enabled image `tee-go-hello-world`:
+
+### Build (conversion)
+The script can edited to change parameters like **heap size**, new
+image name, sources folder, ...
+
+```
+./sconify.sh
+```
+
+### Run
+(TODO test with CAS and session)
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+ --rm \
+ -e IEXEC_OUT=/iexec_out \
+ -e IEXEC_IN=/iexec_in \
+ -v /tmp/iexec_out:/iexec_out \
+ -v $(pwd)/resources/dataset:/iexec_in \
+ --device /dev/isgx \
+ tee-go-hello-world Alice
+```
+To get the MREnclave value of the TEE application:
+```
+docker run -it --rm -e SCONE_HASH=1 tee-go-hello-world
+```
diff --git a/cloud-computing/go-hello-world/Readme.md b/cloud-computing/go-hello-world/Readme.md
deleted file mode 100644
index 30404ce4..00000000
--- a/cloud-computing/go-hello-world/Readme.md
+++ /dev/null
@@ -1 +0,0 @@
-TODO
\ No newline at end of file
diff --git a/cloud-computing/go-hello-world/build b/cloud-computing/go-hello-world/build
deleted file mode 100644
index e8886eb8..00000000
--- a/cloud-computing/go-hello-world/build
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-docker image build -f Dockerfile -t go-hello-world . $@
diff --git a/cloud-computing/go-hello-world/resources/run/run-scone-app b/cloud-computing/go-hello-world/resources/run/run-scone-app
index f076d16f..a3294406 100644
--- a/cloud-computing/go-hello-world/resources/run/run-scone-app
+++ b/cloud-computing/go-hello-world/resources/run/run-scone-app
@@ -2,8 +2,6 @@
 ### TODO on each build: update mrenclave in session
-#cd $(dirname $0)
-
 docker-compose down > /dev/null
 docker network create scone-net > /dev/null
 echo "Starting CAS & LAS:"
@@ -12,7 +10,15 @@ sleep 5
 MY_SCONE_APP=tee-go-hello-world
 echo "Starting $MY_SCONE_APP"
-docker run --rm --network=scone-net --name=my-scone-app --device=/dev/isgx -e SCONE_VERSION=1 -e SCONE_CAS_ADDR="cas" -e SCONE_LAS_ADDR="las" -e SCONE_CONFIG_ID="1/service" $MY_SCONE_APP
+docker run --rm \
+ --name=$MY_SCONE_APP \
+ -e SCONE_VERSION=1 \
+ -e SCONE_CAS_ADDR="cas" \
+ -e SCONE_LAS_ADDR="las" \
+ -e SCONE_CONFIG_ID="1/service" \
+ --network=scone-net \
+ --device=/dev/isgx \
+ $MY_SCONE_APP
 docker-compose down
 docker network rm scone-net
diff --git a/cloud-computing/go-hello-world/resources/run/session.yml b/cloud-computing/go-hello-world/resources/run/session.yml
index a02683d7..6a65969d 100644
--- a/cloud-computing/go-hello-world/resources/run/session.yml
+++ b/cloud-computing/go-hello-world/resources/run/session.yml
@@ -18,9 +18,6 @@ services:
 command: "/app/helloworld"
 environment:
 SCONE_MODE: hw
-# JAVA_TOOL_OPTIONS: "-Xmx256m"
-# LD_LIBRARY_PATH: "/usr/lib/jvm/java-11-openjdk/lib/server:/usr/lib/jvm/java-11-openjdk/lib:/usr/lib/jvm/java-11-openjdk/../lib"
-# pwd: /
 images:
 - name: service_image
@@ -29,3 +26,4 @@ security:
 attestation:
 tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
 ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"]
+ # ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"]
diff --git a/cloud-computing/go-hello-world/run b/cloud-computing/go-hello-world/run
deleted file mode 100644
index d87d29e1..00000000
--- a/cloud-computing/go-hello-world/run
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-IEXEC_OUT=/tmp/iexec_out
-
-rm -rf $IEXEC_OUT
-mkdir -p $IEXEC_OUT
-
-
-docker run --rm \
- -e IEXEC_OUT=/iexec_out \
- -e IEXEC_IN=/iexec_in \
- -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \
- -v $IEXEC_OUT:/iexec_out \
- -v $(pwd)/resources/dataset:/iexec_in \
- go-hello-world $@
-
-echo
-find $IEXEC_OUT
\ No newline at end of file
diff --git a/cloud-computing/go-hello-world/sconify-5.3.3.sh b/cloud-computing/go-hello-world/sconify.sh
similarity index 100%
rename from cloud-computing/go-hello-world/sconify-5.3.3.sh
rename to cloud-computing/go-hello-world/sconify.sh
diff --git a/cloud-computing/go-hello-world/src/helloworld.go b/cloud-computing/go-hello-world/src/helloworld.go
index 8101cb51..78bd9018 100644
--- a/cloud-computing/go-hello-world/src/helloworld.go
+++ b/cloud-computing/go-hello-world/src/helloworld.go
@@ -37,7 +37,7 @@ func main() {
 result += "Dataset (" + datasetFilepath + "): " + string(input)
 }
 } else {
- result += "No dataset present\n"
+ result += "No dataset was found\n"
 }
 fmt.Println(result)
From 44d267e3a44cea4116a87c2197d604ba4a9bafd5 Mon Sep 17 00:00:00 2001
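Review bot: The added line is a commented-out duplicate of the live `ignore_advisories` list with one extra entry, INTEL-SA-00334, and such a copy drifts silently the next time the live list is edited; replace it with a comment that records the decision rather than a second list, e.g. `# INTEL-SA-00334: <reason it is / is not ignored here>`. The context lines above also tolerate `debug-mode` and `outdated-tcb`, which only makes sense for a local test session, so the same comment should state that this file is not a production attestation policy.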
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 10:43:36 +0200
Subject: [PATCH 25/39] Clean go folder
---
 .../go-hello-world/resources/{run => tee}/docker-compose.yml | 0
 .../go-hello-world/resources/{run => tee}/run-scone-app | 0
 cloud-computing/go-hello-world/resources/{run => tee}/session.yml | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename cloud-computing/go-hello-world/resources/{run => tee}/docker-compose.yml (100%)
 rename cloud-computing/go-hello-world/resources/{run => tee}/run-scone-app (100%)
 rename cloud-computing/go-hello-world/resources/{run => tee}/session.yml (100%)
diff --git a/cloud-computing/go-hello-world/resources/run/docker-compose.yml b/cloud-computing/go-hello-world/resources/tee/docker-compose.yml
similarity index 100%
rename from cloud-computing/go-hello-world/resources/run/docker-compose.yml
rename to cloud-computing/go-hello-world/resources/tee/docker-compose.yml
diff --git a/cloud-computing/go-hello-world/resources/run/run-scone-app b/cloud-computing/go-hello-world/resources/tee/run-scone-app
similarity index 100%
rename from cloud-computing/go-hello-world/resources/run/run-scone-app
rename to cloud-computing/go-hello-world/resources/tee/run-scone-app
diff --git a/cloud-computing/go-hello-world/resources/run/session.yml b/cloud-computing/go-hello-world/resources/tee/session.yml
similarity index 100%
rename from cloud-computing/go-hello-world/resources/run/session.yml
rename to cloud-computing/go-hello-world/resources/tee/session.yml
From b4c2fdaf551f003d6e6c4b002aaed75cfdf6e37a Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 10:45:02 +0200
Subject: [PATCH 26/39] Upgrade nodejs app to scone v5
---
 .../{standard => }/Dockerfile | 2 +-
 cloud-computing/nodejs-hello-world/README.md | 81 +++++++++++++++++++
 cloud-computing/nodejs-hello-world/Readme.md | 20 -----
 .../resources/dataset/Lorem-ipsum.txt | 1 +
 .../resources/tee/docker-compose.yml | 33 ++++++++
 .../resources/tee/run-scone-app | 24 ++++++
 .../resources/tee/session.yml | 28 +++++++
 cloud-computing/nodejs-hello-world/sconify.sh | 23 ++++++
 cloud-computing/nodejs-hello-world/src/app.js | 13 +--
 .../nodejs-hello-world/standard/build | 4 -
 .../nodejs-hello-world/standard/run | 12 ---
 .../nodejs-hello-world/tee/Dockerfile | 18 -----
 cloud-computing/nodejs-hello-world/tee/build | 3 -
 .../confidential-asset.txt | 1 -
 .../nodejs-hello-world/tee/protect-fs.sh | 65 ---------------
 cloud-computing/nodejs-hello-world/tee/run | 12 ---
 16 files changed, 194 insertions(+), 146 deletions(-)
 rename cloud-computing/nodejs-hello-world/{standard => }/Dockerfile (91%)
 create mode 100644 cloud-computing/nodejs-hello-world/README.md
 delete mode 100644 cloud-computing/nodejs-hello-world/Readme.md
 create mode 100644 cloud-computing/nodejs-hello-world/resources/dataset/Lorem-ipsum.txt
 create mode 100644 cloud-computing/nodejs-hello-world/resources/tee/docker-compose.yml
 create mode 100644 cloud-computing/nodejs-hello-world/resources/tee/run-scone-app
 create mode 100644 cloud-computing/nodejs-hello-world/resources/tee/session.yml
 create mode 100644 cloud-computing/nodejs-hello-world/sconify.sh
 delete mode 100755 cloud-computing/nodejs-hello-world/standard/build
 delete mode 100755 cloud-computing/nodejs-hello-world/standard/run
 delete mode 100644 cloud-computing/nodejs-hello-world/tee/Dockerfile
 delete mode 100755 cloud-computing/nodejs-hello-world/tee/build
 delete mode 100644 cloud-computing/nodejs-hello-world/tee/confidential-assets/confidential-asset.txt
 delete mode 100644
cloud-computing/nodejs-hello-world/tee/protect-fs.sh
 delete mode 100755 cloud-computing/nodejs-hello-world/tee/run
diff --git a/cloud-computing/nodejs-hello-world/standard/Dockerfile b/cloud-computing/nodejs-hello-world/Dockerfile
similarity index 91%
rename from cloud-computing/nodejs-hello-world/standard/Dockerfile
rename to cloud-computing/nodejs-hello-world/Dockerfile
index 6a9f6bcc..eaadedc1 100644
--- a/cloud-computing/nodejs-hello-world/standard/Dockerfile
+++ b/cloud-computing/nodejs-hello-world/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:10
+FROM node:14
 ### install your dependencies
 RUN mkdir /app && cd /app && npm install figlet@1.x
diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md
new file mode 100644
index 00000000..becb0181
--- /dev/null
+++ b/cloud-computing/nodejs-hello-world/README.md
@@ -0,0 +1,81 @@
+# Node hello-world app
+
+## Standard mode
+By default the application is built in **Standard** mode which
+does not use TEE capabilities.
+
+### Build
+Standard mode application is built just like any other dockerized
+application:
+```
+docker image build -t nodejs-hello-world .
+```
+
+### Run
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+ --rm \
+ -e IEXEC_IN=/iexec_in \
+ -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \
+ -e IEXEC_OUT=/iexec_out \
+ -v /tmp/iexec_out:/iexec_out \
+ -v $(pwd)/resources/dataset:/iexec_in \
+ nodejs-hello-world Alice
+```
+Once the execution ends, the result should be found in the folder
+`/tmp/iexec_out`.
+
+## TEE (protected) mode
+To convert the application into **TEE** mode, first, it needs to be
+build in **Standard** mode as instructed in the section above.
+Then the produced image is converted using `sconify.sh` script into
+a newly created TEE enabled image `tee-nodejs-hello-world`:
+
+### Build (conversion)
+The script can edited to change parameters like **heap size**, new
+image name, sources folder, ...
+
+```
+./sconify.sh
+```
+
+### Run
+(TODO test with CAS and session)
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+ --rm \
+ -e IEXEC_OUT=/iexec_out \
+ -e IEXEC_IN=/iexec_in \
+ -v /tmp/iexec_out:/iexec_out \
+ -v $(pwd)/resources/dataset:/iexec_in \
+ --device /dev/isgx \
+ tee-nodejs-hello-world Alice
+```
+To get the MREnclave value of the TEE application:
+```
+docker run -it --rm -e SCONE_HASH=1 tee-nodejs-hello-world
+```
+
+
\ No newline at end of file
diff --git a/cloud-computing/nodejs-hello-world/Readme.md b/cloud-computing/nodejs-hello-world/Readme.md
deleted file mode 100644
index 1e650574..00000000
--- a/cloud-computing/nodejs-hello-world/Readme.md
+++ /dev/null
@@ -1,20 +0,0 @@
-
-
-* Basic
-
-Build:
-`./standard/build`
-
-Run locally:
-`./standard/run`
-`./standard/run Alice`
-
-
-* Tee
-
-Build:
-`./tee/build`
-
-Run locally:
-`./tee/run`
-`./tee/run Alice`
diff --git a/cloud-computing/nodejs-hello-world/resources/dataset/Lorem-ipsum.txt b/cloud-computing/nodejs-hello-world/resources/dataset/Lorem-ipsum.txt
new file mode 100644
index 00000000..1b376877
--- /dev/null
+++ b/cloud-computing/nodejs-hello-world/resources/dataset/Lorem-ipsum.txt
@@ -0,0 +1 @@
+Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
diff --git a/cloud-computing/nodejs-hello-world/resources/tee/docker-compose.yml b/cloud-computing/nodejs-hello-world/resources/tee/docker-compose.yml
new file mode 100644
index 00000000..b481689f
--- /dev/null
+++ b/cloud-computing/nodejs-hello-world/resources/tee/docker-compose.yml
@@ -0,0 +1,33 @@
+version: '3.2'
+networks:
+ scone-net:
+ external: true
+
+services:
+ las:
+ image: registry.scontain.com:5050/sconecuratedimages/services:las-scone5.3.0
+ container_name: las
+ devices:
+ - /dev/isgx
+ networks:
+ - scone-net
+ cas:
+ image: registry.scontain.com:5050/sconecuratedimages/services:cas.preprovisioned-scone5.2.1
+ container_name: cas
+ devices:
+ - /dev/isgx
+ depends_on:
+ - las
+ networks:
+ - scone-net
+ scone-cli:
+ image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3
+ container_name: scone-cli
+ command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification"
+ volumes:
+ - ./session.yml:/session.yml
+ depends_on:
+ - las
+ - cas
+ networks:
+ - scone-net
diff --git a/cloud-computing/nodejs-hello-world/resources/tee/run-scone-app b/cloud-computing/nodejs-hello-world/resources/tee/run-scone-app
new file mode 100644
index 00000000..b8ff436b
--- /dev/null
+++ b/cloud-computing/nodejs-hello-world/resources/tee/run-scone-app
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### TODO on each build: update mrenclave in session
+
+docker-compose down > /dev/null
+docker network create scone-net > /dev/null
+echo "Starting CAS & LAS:"
+docker-compose up -d
+sleep 5
+
+MY_SCONE_APP=tee-nodejs-hello-world
+echo "Starting $MY_SCONE_APP"
+docker run --rm \
+ --name=$MY_SCONE_APP \
+ -e SCONE_VERSION=1 \
+ -e SCONE_CAS_ADDR="cas" \
+ -e SCONE_LAS_ADDR="las" \
+ -e SCONE_CONFIG_ID="1/service" \
+ --network=scone-net \
+ --device=/dev/isgx \
+ $MY_SCONE_APP
+
+docker-compose down
+docker network rm scone-net
diff --git a/cloud-computing/nodejs-hello-world/resources/tee/session.yml b/cloud-computing/nodejs-hello-world/resources/tee/session.yml
new file mode 100644
index 00000000..801ba665
--- /dev/null
+++ b/cloud-computing/nodejs-hello-world/resources/tee/session.yml
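Review bot: `scone-cli` creates the session with `--only_for_testing-disable-attestation-verification`, so the CAS it talks to is never attested and the session (including its `mrenclaves`) could be registered with any service answering as `cas` on `scone-net`; that is fine for a laptop test bench, but nothing in the file says so. Add a header comment, e.g. `# Local test bench only: CAS attestation verification is disabled in the scone-cli command below; do not reuse against a production CAS.` The `sleep 5` inside the command is a fixed delay rather than a readiness check, so the session creation races CAS start-up; a healthcheck-based `depends_on` or a short retry loop would make the sequence deterministic.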
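Review bot: The script has no `set -euo pipefail`, discards the output of `docker-compose down` and `docker network create scone-net`, and waits a fixed `sleep 5` before starting the app, so a failed CAS/LAS start-up or a leftover network from a previous run only surfaces later as the application failing to attest. The `### TODO on each build: update mrenclave in session` is the larger gap: the measurement can be read from the converted image (`docker run --rm -e SCONE_HASH=1 $MY_SCONE_APP`, as the README documents) and substituted into session.yml before `docker-compose up -d`, which removes a manual step that is easy to forget and that, if skipped, leaves a stale measurement in the policy. The go resources/run/run-scone-app two commits earlier has the same structure and the same TODO.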
@@ -0,0 +1,28 @@
+name: 1
+version: "0.3"
+
+# Access control:
+# - only the data owner (CREATOR) can read or update the session
+# - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
+
+access_policy:
+ read:
+ - CREATOR
+ update:
+ - CREATOR
+
+services:
+ - name: nodejs-hello-world
+ image_name: tee-nodejs-hello-world
+ mrenclaves: [0ffb1ce764e67185411c0e9983a21a84d6c2ccc3fde7890e26107389fdda83c2]
+ command: "node /app/app.js"
+ environment:
+ SCONE_MODE: hw
+
+images:
+ - name: service_image
+
+security:
+ attestation:
+ tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
+ ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"]
diff --git a/cloud-computing/nodejs-hello-world/sconify.sh b/cloud-computing/nodejs-hello-world/sconify.sh
new file mode 100644
index 00000000..57ed5b9d
--- /dev/null
+++ b/cloud-computing/nodejs-hello-world/sconify.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+docker run -it --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3 \
+ sconify_iexec \
+ --name=nodejsHelloWorld \
+ --from=nodejs-hello-world \
+ --to=tee-nodejs-hello-world \
+ --binary-fs \
+ --fs-dir=/app \
+ --host-path=/etc/hosts \
+ --host-path=/etc/resolv.conf \
+ --binary="/usr/local/bin/node" \
+ --heap="1G" \
+ --dlopen="2" \
+ --no-color \
+ --verbose \
+ --command="node /app/app.js"
+
+
+# docker tag registry.scontain.com:5050/sconecuratedimages/iexec:node-14.4.0-alpine3.11 registry.scontain.com:5050/sconecuratedimages/node:14.4.0-alpine3.11
+# build
diff --git a/cloud-computing/nodejs-hello-world/src/app.js b/cloud-computing/nodejs-hello-world/src/app.js
index 1ba16d55..9c9ca687 100644
--- a/cloud-computing/nodejs-hello-world/src/app.js
+++ b/cloud-computing/nodejs-hello-world/src/app.js
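Review bot: `mrenclaves:` pins a single hard-coded measurement while run-scone-app in the same commit carries a TODO to update it on each build and sconify.sh selects the converter by tag only, so the value goes stale on every rebuild; a stale value presumably makes CAS withhold the session from the enclave, and the usual fix of pasting whatever the last build printed gives no assurance that the measured image is the one meant to ship. Generate the value in the run script (`docker run --rm -e SCONE_HASH=1 tee-nodejs-hello-world`, as the README documents) and template it into this file, and add a comment above `tolerate:` stating that `debug-mode` and `outdated-tcb` are accepted only for the local test bench.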
@@ -10,14 +10,15 @@ const datasetFilepath = `${iexecIn}/${datasetFilename}`;
 try {
 // Write hello to fs
 let text = process.argv.length > 2 ? `Hello, ${process.argv[2]}!` : 'Hello, World';
- text = `${figlet.textSync(text)}\n${text}`; // Let's add some art for e.g.
+ text = `${figlet.textSync(text)}\n${text}\n`; // Let's add some art for e.g.
 // Eventually use some confidential assets
 try {
 const datasetContent = await fsPromises.readFile(datasetFilepath);
- text = `${text}\nDataset (${datasetFilepath}): ${datasetContent}`;
+ text += `Dataset (${datasetFilepath}): ${datasetContent}\n`;
 } catch (e) {
 // confidential asset does not exist
+ text += `No dataset was found\n`
 }
 // Append some results
 await fsPromises.writeFile(`${iexecOut}/result.txt`, text);
@@ -35,11 +36,3 @@ const datasetFilepath = `${iexecIn}/${datasetFilename}`;
 process.exit(1);
 }
 })();
-
-/* Try
-Basic:
-mkdir -p /tmp/iexec_out && IEXEC_OUT=/tmp/iexec_out IEXEC_IN=/tmp/iexec_in node app.js Alice
-
-Tee:
-mkdir -p /tmp/iexec_out && IEXEC_OUT=/tmp/iexec_out IEXEC_IN=../tee/confidential-assets node app.js Alice
-*/
diff --git a/cloud-computing/nodejs-hello-world/standard/build b/cloud-computing/nodejs-hello-world/standard/build
deleted file mode 100755
index 52ca37fc..00000000
--- a/cloud-computing/nodejs-hello-world/standard/build
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-docker image build -f ../standard/Dockerfile -t node-hello-world .. $@
diff --git a/cloud-computing/nodejs-hello-world/standard/run b/cloud-computing/nodejs-hello-world/standard/run
deleted file mode 100755
index 78fee211..00000000
--- a/cloud-computing/nodejs-hello-world/standard/run
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-IEXEC_OUT=/tmp/iexec_out
-
-rm -rf $IEXEC_OUT
-mkdir -p $IEXEC_OUT
-
-docker run --rm -e IEXEC_OUT=/iexec_out -e IEXEC_IN=/iexec_in -v $IEXEC_OUT:/iexec_out node-hello-world $@
-
-echo
-find $IEXEC_OUT
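Review bot: The new `text +=` line in the catch block runs for every error `readFile` can throw, not only for a missing file, so a permission error, a directory at that path, or an undefined `datasetFilename` (the funcname context line would then build `${iexecIn}/undefined`) are all reported as "No dataset was found" and the task still succeeds with a result that silently lacks its input. Limit the fallback to the missing-file case and rethrow everything else by inserting `if (e.code !== 'ENOENT') throw e;` as the first statement of the catch block, before the new line. The enclosing async IIFE and its outer try/catch begin before the hunk and end after it.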
diff --git a/cloud-computing/nodejs-hello-world/tee/Dockerfile b/cloud-computing/nodejs-hello-world/tee/Dockerfile
deleted file mode 100644
index b4c75627..00000000
--- a/cloud-computing/nodejs-hello-world/tee/Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-FROM sconecuratedimages/public-apps:node-10-alpine-scone3.0
-
-# TODO change this to public registry
-COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine /opt/scone/scone-cli /opt/scone/scone-cli
-COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine /usr/local/bin/scone /usr/local/bin/scone
-COPY --from=nexus.iex.ec/sconecuratedimages-iexec:cli-alpine /opt/scone/bin /opt/scone/bin
-
-### install dependencies you need
-RUN apk add bash nodejs-npm
-RUN mkdir /app && cd /app && SCONE_MODE=sim npm install figlet@1.x
-
-COPY ./src /app
-
-### protect file system with Scone
-COPY ./tee/protect-fs.sh ./tee/Dockerfile /build/
-RUN sh /build/protect-fs.sh /app
-
-ENTRYPOINT [ "node", "/app/app.js"]
diff --git a/cloud-computing/nodejs-hello-world/tee/build b/cloud-computing/nodejs-hello-world/tee/build
deleted file mode 100755
index 11d298dd..00000000
--- a/cloud-computing/nodejs-hello-world/tee/build
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-docker image build -f ../tee/Dockerfile -t tee-nodejs-hello-world .. $@
diff --git a/cloud-computing/nodejs-hello-world/tee/confidential-assets/confidential-asset.txt b/cloud-computing/nodejs-hello-world/tee/confidential-assets/confidential-asset.txt
deleted file mode 100644
index 96426db1..00000000
--- a/cloud-computing/nodejs-hello-world/tee/confidential-assets/confidential-asset.txt
+++ /dev/null
@@ -1 +0,0 @@
-dummy confidential file
diff --git a/cloud-computing/nodejs-hello-world/tee/protect-fs.sh b/cloud-computing/nodejs-hello-world/tee/protect-fs.sh
deleted file mode 100644
index b23c5397..00000000
--- a/cloud-computing/nodejs-hello-world/tee/protect-fs.sh
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/bin/sh
-
-cd $(dirname $0)
-
-if [ ! -e Dockerfile ]
-then
- printf "\nFailed to parse Dockerfile ENTRYPOINT\n"
- printf "Did you forget to add your Dockerfile in your build?\n"
- printf "COPY ./tee/Dockerfile /build/\n\n"
- exit 1
-fi
-
-ENTRYPOINT_ARSG=$(grep ENTRYPOINT ./Dockerfile | tail -1 | grep -o '"[^"]\+"' | tr -d '"')
-echo $ENTRYPOINT_ARSG > ./entrypoint
-
-if [ -z "$ENTRYPOINT_ARSG" ]
-then
- printf "\nFailed to parse Dockerfile ENTRYPOINT\n"
- printf "Did you forget to add an ENTRYPOINT to your Dockerfile?\n"
- printf "ENTRYPOINT [\"executable\", \"param1\", \"param2\"]\n\n"
- exit 1
-fi
-
-INTERPRETER=$(awk '{print $1}' ./entrypoint) # python
-ENTRYPOINT=$(cat ./entrypoint) # /python /app/app.py
-
-export SCONE_MODE=sim
-export SCONE_HEAP=1G
-
-APP_FOLDER=$1
-
-printf "\n### Starting file system protection ...\n\n"
-
-scone fspf create /fspf.pb
-scone fspf addr /fspf.pb / --not-protected --kernel /
-scone fspf addr /fspf.pb /usr --authenticated --kernel /usr
-scone fspf addf /fspf.pb /usr /usr
-scone fspf addr /fspf.pb /bin --authenticated --kernel /bin
-scone fspf addf /fspf.pb /bin /bin
-scone fspf addr /fspf.pb /lib --authenticated --kernel /lib
-scone fspf addf /fspf.pb /lib /lib
-scone fspf addr /fspf.pb /etc/ssl --authenticated --kernel /etc/ssl
-scone fspf addf /fspf.pb /etc/ssl /etc/ssl
-scone fspf addr /fspf.pb /sbin --authenticated --kernel /sbin
-scone fspf addf /fspf.pb /sbin /sbin
-printf "\n### Protecting code found in folder \"$APP_FOLDER\"\n\n"
-scone fspf addr /fspf.pb $APP_FOLDER --authenticated --kernel $APP_FOLDER
-scone fspf addf /fspf.pb $APP_FOLDER $APP_FOLDER
-
-scone fspf encrypt /fspf.pb > ./keytag
-
-MRENCLAVE="$(SCONE_HASH=1 $INTERPRETER)"
-FSPF_TAG=$(cat ./keytag | awk '{print $9}')
-FSPF_KEY=$(cat ./keytag | awk '{print $11}')
-FINGERPRINT="$FSPF_KEY|$FSPF_TAG|$MRENCLAVE|$ENTRYPOINT"
-echo $FINGERPRINT > ./fingerprint
-
-printf "\n\n"
-printf "Your application fingerprint (mrenclave) is ready:\n"
-printf "#####################################################################\n"
-printf "iexec.json:\n\n"
-printf "%s\n" "\"app\": { " " \"owner\" : ... " " \"name\": ... " " ..." " \"mrenclave\": \"$FINGERPRINT\"" "}"
-printf "#####################################################################\n"
-printf "Hint: Replace 'mrenclave' before doing 'iexec app deploy' step.\n"
-printf "\n\n"
diff --git a/cloud-computing/nodejs-hello-world/tee/run b/cloud-computing/nodejs-hello-world/tee/run
deleted file mode 100755
index f6c03b56..00000000
--- a/cloud-computing/nodejs-hello-world/tee/run
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-IEXEC_OUT=/tmp/iexec_out
-
-rm -rf $IEXEC_OUT
-mkdir -p $IEXEC_OUT
-
-docker run --rm -e IEXEC_OUT=/iexec_out -e IEXEC_IN=/iexec_in -v $IEXEC_OUT:/iexec_out -v $(pwd)/confidential-assets:/iexec_in --device /dev/isgx tee-nodejs-hello-world $@
-
-echo
-find $IEXEC_OUT
From 714cbf5d5eb1c36468980140171c64dccf13caf8 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 10:51:10 +0200
Subject: [PATCH 27/39] Add comment for workaround
---
 cloud-computing/nodejs-hello-world/sconify.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cloud-computing/nodejs-hello-world/sconify.sh b/cloud-computing/nodejs-hello-world/sconify.sh
index 57ed5b9d..97d0037b 100644
--- a/cloud-computing/nodejs-hello-world/sconify.sh
+++ b/cloud-computing/nodejs-hello-world/sconify.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
+# Until the correct image is made available, do this workaround:
+# docker image pull registry.scontain.com:5050/sconecuratedimages/iexec:node-14.4.0-alpine3.11
+# docker image tag registry.scontain.com:5050/sconecuratedimages/iexec:node-14.4.0-alpine3.11 registry.scontain.com:5050/sconecuratedimages/node:14.4.0-alpine3.11
+
 docker run -it --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
 registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3 \
@@ -17,7 +21,3 @@ docker run -it --rm \
 --no-color \
 --verbose \
 --command="node /app/app.js"
-
-
-# docker tag registry.scontain.com:5050/sconecuratedimages/iexec:node-14.4.0-alpine3.11 registry.scontain.com:5050/sconecuratedimages/node:14.4.0-alpine3.11
-# build
From edf80108c9385df7173890edf7b4ce4bc3171a2c Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 11:37:53 +0200
Subject: [PATCH 28/39] Use alpine based node
---
 cloud-computing/nodejs-hello-world/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloud-computing/nodejs-hello-world/Dockerfile b/cloud-computing/nodejs-hello-world/Dockerfile
index eaadedc1..dc2fd2a8 100644
--- a/cloud-computing/nodejs-hello-world/Dockerfile
+++ b/cloud-computing/nodejs-hello-world/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:14
+FROM node:14-alpine3.10
 ### install your dependencies
 RUN mkdir /app && cd /app && npm install figlet@1.x
From d9a38774f87b235069847588c971e0f037920c5c Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 12:09:01 +0200
Subject: [PATCH 29/39] Update Readme
---
 cloud-computing/nodejs-hello-world/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md
index becb0181..4e89e941 100644
--- a/cloud-computing/nodejs-hello-world/README.md
+++ b/cloud-computing/nodejs-hello-world/README.md
@@ -29,8 +29,8 @@ Once the execution ends, the result should be found in the folder
 ## TEE (protected) mode
 To convert the application into **TEE** mode, first, it needs to be
-build in **Standard** mode as instructed in the section above.
-Then the produced image is converted using `sconify.sh` script into
+built in **Standard** mode as instructed in the section above.
+Then the standard image is converted using `sconify.sh` script into
 a newly created TEE enabled image `tee-nodejs-hello-world`:
 ### Build (conversion)
From 074e90f8ef93f820258ac8abecf671ed890558e3 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 12:11:41 +0200
Subject: [PATCH 30/39] Update Readme
---
 cloud-computing/nodejs-hello-world/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md
index 4e89e941..c191afd8 100644
--- a/cloud-computing/nodejs-hello-world/README.md
+++ b/cloud-computing/nodejs-hello-world/README.md
@@ -10,6 +10,8 @@ application:
 ```
 docker image build -t nodejs-hello-world .
 ```
+**IMPORTANT:** /!\ Please note that the base node image should be in alpine if
+it will be converted into TEE mode.**
 ### Run
 The application can be tested locally to make sure it is well setup:
From 44a099161dbae0a7e7897ce98cb616ee150235a4 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 12 May 2021 12:11:58 +0200
Subject: [PATCH 31/39] Update Readme
---
 cloud-computing/nodejs-hello-world/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md
index c191afd8..4a94c63c 100644
--- a/cloud-computing/nodejs-hello-world/README.md
+++ b/cloud-computing/nodejs-hello-world/README.md
@@ -11,7 +11,7 @@ application:
 docker image build -t nodejs-hello-world .
 ```
 **IMPORTANT:** /!\ Please note that the base node image should be in alpine if
-it will be converted into TEE mode.**
+it will be converted into TEE mode.
 ### Run
 The application can be tested locally to make sure it is well setup:
From 2cea857ffc047f76370854316c2be9a353e16122 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Tue, 18 May 2021 11:05:11 +0200 Subject: [PATCH 32/39] Upgrade python hello world app to Scone v5 --- cloud-computing/go-hello-world/README.md | 5 +- .../{dataset => data}/Lorem-ipsum.txt | 0 cloud-computing/nodejs-hello-world/README.md | 27 ++----- .../{dataset => data}/Lorem-ipsum.txt | 0 .../{standard => }/Dockerfile | 4 +- cloud-computing/python-hello-world/README.md | 70 +++++++++++++++++++ cloud-computing/python-hello-world/Readme.md | 20 ------ .../data/Lorem-ipsum.txt} | 0 .../asset => resources/data}/input-file1.txt | 0 .../asset => resources/data}/input-file2.txt | 0 .../resources/tee/docker-compose.yml | 33 +++++++++ .../resources/tee/run-scone-app | 24 +++++++ .../resources/tee/session.yml | 28 ++++++++ cloud-computing/python-hello-world/sconify.sh | 23 ++++++ .../python-hello-world/standard/build | 4 -- .../python-hello-world/standard/run | 22 ------ .../python-hello-world/tee/Dockerfile | 12 ---- cloud-computing/python-hello-world/tee/build | 3 - .../confidential-asset.txt | 1 - .../tee/confidential-assets/input-file1.txt | 1 - .../tee/confidential-assets/input-file2.txt | 1 - .../python-hello-world/tee/protect-fs.sh | 65 ----------------- cloud-computing/python-hello-world/tee/run | 22 ------ 23 files changed, 189 insertions(+), 176 deletions(-) rename cloud-computing/go-hello-world/resources/{dataset => data}/Lorem-ipsum.txt (100%) rename cloud-computing/nodejs-hello-world/resources/{dataset => data}/Lorem-ipsum.txt (100%) rename cloud-computing/python-hello-world/{standard => }/Dockerfile (56%) create mode 100644 cloud-computing/python-hello-world/README.md delete mode 100644 cloud-computing/python-hello-world/Readme.md rename cloud-computing/python-hello-world/{standard/asset/Lorem_ipsum.txt => resources/data/Lorem-ipsum.txt} (100%) rename cloud-computing/python-hello-world/{standard/asset => resources/data}/input-file1.txt (100%) rename cloud-computing/python-hello-world/{standard/asset 
=> resources/data}/input-file2.txt (100%) create mode 100644 cloud-computing/python-hello-world/resources/tee/docker-compose.yml create mode 100644 cloud-computing/python-hello-world/resources/tee/run-scone-app create mode 100644 cloud-computing/python-hello-world/resources/tee/session.yml create mode 100644 cloud-computing/python-hello-world/sconify.sh delete mode 100755 cloud-computing/python-hello-world/standard/build delete mode 100755 cloud-computing/python-hello-world/standard/run delete mode 100644 cloud-computing/python-hello-world/tee/Dockerfile delete mode 100755 cloud-computing/python-hello-world/tee/build delete mode 100644 cloud-computing/python-hello-world/tee/confidential-assets/confidential-asset.txt delete mode 100644 cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt delete mode 100644 cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt delete mode 100644 cloud-computing/python-hello-world/tee/protect-fs.sh delete mode 100755 cloud-computing/python-hello-world/tee/run diff --git a/cloud-computing/go-hello-world/README.md b/cloud-computing/go-hello-world/README.md index 5bc08756..45ce511d 100644 --- a/cloud-computing/go-hello-world/README.md +++ b/cloud-computing/go-hello-world/README.md @@ -21,11 +21,14 @@ docker run \ -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \ -e IEXEC_OUT=/iexec_out \ -v /tmp/iexec_out:/iexec_out \ - -v $(pwd)/resources/dataset:/iexec_in \ + -v $(pwd)/resources/data:/iexec_in \ go-hello-world Alice ``` Once the execution ends, the result should be found in the folder `/tmp/iexec_out`. +``` +cat /tmp/iexec_out/result.txt +``` ## TEE (protected) mode To convert the application into **TEE** mode, first, it needs to be 
diff --git a/cloud-computing/go-hello-world/resources/dataset/Lorem-ipsum.txt b/cloud-computing/go-hello-world/resources/data/Lorem-ipsum.txt similarity index 100% rename from cloud-computing/go-hello-world/resources/dataset/Lorem-ipsum.txt rename to cloud-computing/go-hello-world/resources/data/Lorem-ipsum.txt diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md index 4a94c63c..f616a87b 100644 --- a/cloud-computing/nodejs-hello-world/README.md +++ b/cloud-computing/nodejs-hello-world/README.md @@ -10,8 +10,8 @@ application: ``` docker image build -t nodejs-hello-world . ``` -**IMPORTANT:** /!\ Please note that the base node image should be in alpine if -it will be converted into TEE mode. +**IMPORTANT:** /!\ Please note that the base node image should be +alpine based if it will be converted into TEE mode. ### Run The application can be tested locally to make sure it is well setup: @@ -28,6 +28,9 @@ docker run \ ``` Once the execution ends, the result should be found in the folder `/tmp/iexec_out`. +``` +cat /tmp/iexec_out/result.txt +``` ## TEE (protected) mode To convert the application into **TEE** mode, first, it needs to be @@ -61,23 +64,3 @@ To get the MREnclave value of the TEE application: ``` docker run -it --rm -e SCONE_HASH=1 tee-nodejs-hello-world ``` - - \ No newline at end of file diff --git a/cloud-computing/nodejs-hello-world/resources/dataset/Lorem-ipsum.txt b/cloud-computing/nodejs-hello-world/resources/data/Lorem-ipsum.txt similarity index 100% rename from cloud-computing/nodejs-hello-world/resources/dataset/Lorem-ipsum.txt rename to cloud-computing/nodejs-hello-world/resources/data/Lorem-ipsum.txt diff --git a/cloud-computing/python-hello-world/standard/Dockerfile b/cloud-computing/python-hello-world/Dockerfile similarity index 56% rename from cloud-computing/python-hello-world/standard/Dockerfile rename to cloud-computing/python-hello-world/Dockerfile index 668bc04a..9d45ef94 100644 
--- a/cloud-computing/python-hello-world/standard/Dockerfile
+++ b/cloud-computing/python-hello-world/Dockerfile
@@ -1,8 +1,8 @@
-FROM python:3.7.3-alpine3.10
+FROM python:3.7-alpine3.10
 ### install python3 dependencies you need
 RUN pip3 install pyfiglet
 COPY ./src /app
-ENTRYPOINT ["python", "/app/app.py"]
+ENTRYPOINT ["python3", "/app/app.py"]
diff --git a/cloud-computing/python-hello-world/README.md b/cloud-computing/python-hello-world/README.md
new file mode 100644
index 00000000..c8f4904d
--- /dev/null
+++ b/cloud-computing/python-hello-world/README.md
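Review bot: `FROM python:3.7-alpine3.10` drops the patch pin the old line had (`python:3.7.3-alpine3.10`), so the base image now floats with every 3.7.x rebuild of that tag. For this project that is not cosmetic: the TEE image's MRENCLAVE is measured from the built binary (the README in this same commit obtains it with `SCONE_HASH=1`, and session.yml lists it under `mrenclaves`), so two builds from an unchanged Dockerfile can yield different measurements and a session that no longer matches. Pin by digest, `FROM python:3.7-alpine3.10@sha256:<digest-placeholder>`, or at least keep the full version tag; `RUN pip3 install pyfiglet` on the context line is unpinned for the same reason, though that is pre-existing.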
@@ -0,0 +1,70 @@ +# Python hello-world app + +## Standard mode +By default the application is built in **Standard** mode which +does not use TEE capabilities. + +### Build +Standard mode application is built just like any other dockerized +application: +``` +docker image build -t python-hello-world . +``` +**IMPORTANT:** /!\ Please note that the base python image should be +alpine based if the application will be converted into TEE mode. + +### Run +The application can be tested locally to make sure it is well setup: +``` +rm -rf /tmp/iexec_out && \ +docker run \ + --rm \ + -e IEXEC_IN=/iexec_in \ + -e IEXEC_OUT=/iexec_out \ + -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \ + -e IEXEC_INPUT_FILES_NUMBER=2 \ + -e IEXEC_INPUT_FILES_FOLDER=/iexec_in \ + -e IEXEC_INPUT_FILE_NAME_1=input-file1.txt \ + -e IEXEC_INPUT_FILE_NAME_2=input-file2.txt \ + -v /tmp/iexec_out:/iexec_out \ + -v $(pwd)/resources/data:/iexec_in \ + python-hello-world Alice +``` +Once the execution ends, the result should be found in the folder +`/tmp/iexec_out`. +``` +cat /tmp/iexec_out/result.txt +``` + +## TEE (protected) mode +To convert the application into **TEE** mode, first, it needs to be +built in **Standard** mode as instructed in the section above. +Then the standard image is converted using `sconify.sh` script into +a newly created TEE enabled image `tee-python-hello-world`: + +### Build (conversion) +The script can edited to change parameters like **heap size**, new +image name, sources folder, ... 
+ +``` +bash sconify.sh +``` + +### Run +(TODO test with CAS and session) +The application can be tested locally to make sure it is well setup: +``` +rm -rf /tmp/iexec_out && \ +docker run \ + --rm \ + -e IEXEC_OUT=/iexec_out \ + -e IEXEC_IN=/iexec_in \ + -v /tmp/iexec_out:/iexec_out \ + -v $(pwd)/resources/data:/iexec_in \ + --device /dev/isgx \ + tee-python-hello-world Alice +``` +To get the MREnclave value of the TEE application: +``` +docker run -it --rm -e SCONE_HASH=1 tee-python-hello-world +``` diff --git a/cloud-computing/python-hello-world/Readme.md b/cloud-computing/python-hello-world/Readme.md deleted file mode 100644 index 1e650574..00000000 --- a/cloud-computing/python-hello-world/Readme.md +++ /dev/null @@ -1,20 +0,0 @@ - - -* Basic - -Build: -`./standard/build` - -Run locally: -`./standard/run` -`./standard/run Alice` - - -* Tee - -Build: -`./tee/build` - -Run locally: -`./tee/run` -`./tee/run Alice` diff --git a/cloud-computing/python-hello-world/standard/asset/Lorem_ipsum.txt b/cloud-computing/python-hello-world/resources/data/Lorem-ipsum.txt similarity index 100% rename from cloud-computing/python-hello-world/standard/asset/Lorem_ipsum.txt rename to cloud-computing/python-hello-world/resources/data/Lorem-ipsum.txt diff --git a/cloud-computing/python-hello-world/standard/asset/input-file1.txt b/cloud-computing/python-hello-world/resources/data/input-file1.txt similarity index 100% rename from cloud-computing/python-hello-world/standard/asset/input-file1.txt rename to cloud-computing/python-hello-world/resources/data/input-file1.txt diff --git a/cloud-computing/python-hello-world/standard/asset/input-file2.txt b/cloud-computing/python-hello-world/resources/data/input-file2.txt similarity index 100% rename from cloud-computing/python-hello-world/standard/asset/input-file2.txt rename to cloud-computing/python-hello-world/resources/data/input-file2.txt 
diff --git a/cloud-computing/python-hello-world/resources/tee/docker-compose.yml b/cloud-computing/python-hello-world/resources/tee/docker-compose.yml
new file mode 100644
index 00000000..b481689f
--- /dev/null
+++ b/cloud-computing/python-hello-world/resources/tee/docker-compose.yml
@@ -0,0 +1,33 @@
+version: '3.2'
+networks:
+ scone-net:
+ external: true
+
+services:
+ las:
+ image: registry.scontain.com:5050/sconecuratedimages/services:las-scone5.3.0
+ container_name: las
+ devices:
+ - /dev/isgx
+ networks:
+ - scone-net
+ cas:
+ image: registry.scontain.com:5050/sconecuratedimages/services:cas.preprovisioned-scone5.2.1
+ container_name: cas
+ devices:
+ - /dev/isgx
+ depends_on:
+ - las
+ networks:
+ - scone-net
+ scone-cli:
+ image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3
+ container_name: scone-cli
+ command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification"
+ volumes:
+ - ./session.yml:/session.yml
+ depends_on:
+ - las
+ - cas
+ networks:
+ - scone-net
diff --git a/cloud-computing/python-hello-world/resources/tee/run-scone-app b/cloud-computing/python-hello-world/resources/tee/run-scone-app
new file mode 100644
index 00000000..e56034c0
--- /dev/null
+++ b/cloud-computing/python-hello-world/resources/tee/run-scone-app
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### TODO on each build: update mrenclave in session
+
+docker-compose down > /dev/null
+docker network create scone-net > /dev/null
+echo "Starting CAS & LAS:"
+docker-compose up -d
+sleep 5
+
+MY_SCONE_APP=tee-python-hello-world
+echo "Starting $MY_SCONE_APP"
+docker run --rm \
+ --name=$MY_SCONE_APP \
+ -e SCONE_VERSION=1 \
+ -e SCONE_CAS_ADDR="cas" \
+ -e SCONE_LAS_ADDR="las" \
+ -e SCONE_CONFIG_ID="1/service" \
+ --network=scone-net \
+ --device=/dev/isgx \
+ $MY_SCONE_APP
+
+docker-compose down
+docker network rm scone-net
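Review bot: The `scone-cli` command creates the session with `--only_for_testing-disable-attestation-verification`, so session.yml (and with it the trusted `mrenclaves` list) is uploaded to whatever answers at `cas` without verifying that it is a genuine CAS enclave, and nothing in this file or in the `cas.preprovisioned` image name says that this stack is for local testing only. Put that in the file so it is not copied into a deployment: above `scone-cli:` add `# Local test only: CAS attestation is NOT verified on session upload; never point this at a production CAS`. The `sleep 5 &&` before `scone session create` is a timing guess rather than a readiness check on `cas`; if CAS is slower to come up the session create fails silently inside the container and the later run-scone-app launch runs against a CAS that holds no session.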
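Review bot: run-scone-app has no `set -e`, so if `docker network create`, `docker-compose up -d` or the CAS start fail the script still launches `$MY_SCONE_APP` and then tears everything down, and the `### TODO on each build: update mrenclave in session` step is left to the operator even though that value is exactly what attestation depends on. The measurement can be checked against session.yml before the stack comes up, using the `SCONE_HASH=1` invocation the README in this commit already documents (assuming that run prints just the hex measurement, as the README implies); the rewritten preamble is below, the `docker run` and teardown lines are unchanged. `sleep 5` after `docker-compose up -d` has the same timing-guess problem as the compose file's `sleep 5`.
```shell
#!/bin/bash
set -euo pipefail

MY_SCONE_APP=tee-python-hello-world
# Refuse to start if session.yml does not list the measurement of the image we are about to run.
MRENCLAVE="$(docker run --rm -e SCONE_HASH=1 "$MY_SCONE_APP")"
grep -q "$MRENCLAVE" session.yml || { echo "session.yml does not list mrenclave $MRENCLAVE" >&2; exit 1; }

docker-compose down > /dev/null
# Tolerate a network left behind by an aborted previous run now that set -e is on.
docker network inspect scone-net > /dev/null 2>&1 || docker network create scone-net > /dev/null
# … unchanged: docker-compose up -d, sleep, docker run of $MY_SCONE_APP, teardown …
```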
diff --git a/cloud-computing/python-hello-world/resources/tee/session.yml b/cloud-computing/python-hello-world/resources/tee/session.yml
new file mode 100644
index 00000000..73edf1d6
--- /dev/null
+++ b/cloud-computing/python-hello-world/resources/tee/session.yml
@@ -0,0 +1,28 @@
+name: 1
+version: "0.3"
+
+# Access control:
+# - only the data owner (CREATOR) can read or update the session
+# - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
+
+access_policy:
+ read:
+ - CREATOR
+ update:
+ - CREATOR
+
+services:
+ - name: python-hello-world
+ image_name: tee-python-hello-world
+ mrenclaves: [0ffb1ce764e67185411c0e9983a21a84d6c2ccc3fde7890e26107389fdda83c2]
+ command: "node /app/app.js"
+ environment:
+ SCONE_MODE: hw
+
+images:
+ - name: service_image
+
+security:
+ attestation:
+ tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
+ ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"]
diff --git a/cloud-computing/python-hello-world/sconify.sh b/cloud-computing/python-hello-world/sconify.sh
new file mode 100644
index 00000000..36faf833
--- /dev/null
+++ b/cloud-computing/python-hello-world/sconify.sh
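Review bot: The attestation policy at the end of session.yml tolerates `debug-mode` and `outdated-tcb` and ignores four Intel advisories, which presumably means CAS will release the session to a debug enclave (whose memory the host can inspect) or to a platform with those advisories unmitigated, yet the only comment block in the file describes the access policy and says nothing about this. Add next to `security:` a line such as `# Test-only attestation policy: debug enclaves and the listed advisories are accepted; tighten before any real deployment`. The `mrenclaves` entry is the same literal as the go and nodejs sessions in this series and is replaced in PATCH 33, so here it is a placeholder and worth labelling as one; `command: "node /app/app.js"` is likewise the node entry point left in the python session (PATCH 33 changes it to `python3 /app/app.py`).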
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Until the correct image is made available, do this workaround:
+# docker image pull registry.scontain.com:5050/sconecuratedimages/iexec:node-14.4.0-alpine3.11
+# docker image tag registry.scontain.com:5050/sconecuratedimages/iexec:node-14.4.0-alpine3.11 registry.scontain.com:5050/sconecuratedimages/node:14.4.0-alpine3.11
+
+docker run -it --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3 \
+ sconify_iexec \
+ --name=pythonHelloWorld \
+ --from=python-hello-world \
+ --to=tee-python-hello-world \
+ --binary-fs \
+ --fs-dir=/app \
+ --host-path=/etc/hosts \
+ --host-path=/etc/resolv.conf \
+ --binary="/usr/local/bin/python3.7" \
+ --heap="1G" \
+ --dlopen="2" \
+ --no-color \
+ --verbose \
+ --command="python3 /app/app.py"
diff --git a/cloud-computing/python-hello-world/standard/build b/cloud-computing/python-hello-world/standard/build
deleted file mode 100755
index 294fd2f6..00000000
--- a/cloud-computing/python-hello-world/standard/build
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-docker image build -f ../standard/Dockerfile -t python-hello-world .. $@
diff --git a/cloud-computing/python-hello-world/standard/run b/cloud-computing/python-hello-world/standard/run
deleted file mode 100755
index a630b31f..00000000
--- a/cloud-computing/python-hello-world/standard/run
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-
-IEXEC_OUT=/tmp/iexec_out
-
-rm -rf $IEXEC_OUT
-mkdir -p $IEXEC_OUT
-
-
-docker run --rm \
- -e IEXEC_OUT=/iexec_out \
- -e IEXEC_IN=/iexec_in \
- -e IEXEC_DATASET_FILENAME=Lorem_ipsum.txt \
- -e IEXEC_INPUT_FILES_NUMBER='2' \
- -e IEXEC_INPUT_FILE_NAME_1='input-file1.txt' \
- -e IEXEC_INPUT_FILE_NAME_2='input-file2.txt' \
- -v $IEXEC_OUT:/iexec_out \
- -v $(pwd)/asset:/iexec_in \
- python-hello-world $@
-
-echo
-find $IEXEC_OUT
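Review bot: The workaround comment at the top of sconify.sh was carried over from the nodejs script and still tells the reader to pull and re-tag `iexec:node-14.4.0-alpine3.11`, while this script converts `python-hello-world` with `--binary="/usr/local/bin/python3.7"`; a reader following it would alias a node image for a python conversion. Either drop the three comment lines or replace them with the python-specific equivalent if one is needed, e.g. `# Workaround until the python base image is published under the name sconify_iexec expects (see nodejs-hello-world/sconify.sh)`. A one-line comment on the `-v /var/run/docker.sock` mount is also worth having: it gives the sconify container full control of the host Docker daemon, which is expected for an image-to-image conversion but should be stated so nobody runs this on a shared build host without knowing.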
diff --git a/cloud-computing/python-hello-world/tee/Dockerfile b/cloud-computing/python-hello-world/tee/Dockerfile
deleted file mode 100644
index 78810fa0..00000000
--- a/cloud-computing/python-hello-world/tee/Dockerfile
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM sconecuratedimages/public-apps:python-3.7.3-alpine3.10-scone3.0
-
-### install python3 dependencies you need
-RUN SCONE_MODE=sim pip3 install pyfiglet
-
-COPY ./src /app
-
-### protect file system with Scone
-COPY ./tee/protect-fs.sh ./tee/Dockerfile /build/
-RUN sh /build/protect-fs.sh /app
-
-ENTRYPOINT ["python", "/app/app.py"]
diff --git a/cloud-computing/python-hello-world/tee/build b/cloud-computing/python-hello-world/tee/build
deleted file mode 100755
index 5eb88e6d..00000000
--- a/cloud-computing/python-hello-world/tee/build
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd $(dirname $0)
-docker image build -f ../tee/Dockerfile -t tee-python-hello-world .. $@
diff --git a/cloud-computing/python-hello-world/tee/confidential-assets/confidential-asset.txt b/cloud-computing/python-hello-world/tee/confidential-assets/confidential-asset.txt
deleted file mode 100644
index 96426db1..00000000
--- a/cloud-computing/python-hello-world/tee/confidential-assets/confidential-asset.txt
+++ /dev/null
@@ -1 +0,0 @@
-dummy confidential file
diff --git a/cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt b/cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt
deleted file mode 100644
index 4ac303fb..00000000
--- a/cloud-computing/python-hello-world/tee/confidential-assets/input-file1.txt
+++ /dev/null
@@ -1 +0,0 @@
-An input file with some very interesting content!
diff --git a/cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt b/cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt
deleted file mode 100644
index 3898a4d9..00000000
--- a/cloud-computing/python-hello-world/tee/confidential-assets/input-file2.txt
+++ /dev/null
@@ -1 +0,0 @@
-Another input file with some other very interesting content!
diff --git a/cloud-computing/python-hello-world/tee/protect-fs.sh b/cloud-computing/python-hello-world/tee/protect-fs.sh
deleted file mode 100644
index b23c5397..00000000
--- a/cloud-computing/python-hello-world/tee/protect-fs.sh
+++ /dev/null
@@ -1,65 +0,0 @@ -#!/bin/sh - -cd $(dirname $0) - -if [ ! -e Dockerfile ] -then - printf "\nFailed to parse Dockerfile ENTRYPOINT\n" - printf "Did you forget to add your Dockerfile in your build?\n" - printf "COPY ./tee/Dockerfile /build/\n\n" - exit 1 -fi - -ENTRYPOINT_ARSG=$(grep ENTRYPOINT ./Dockerfile | tail -1 | grep -o '"[^"]\+"' | tr -d '"') -echo $ENTRYPOINT_ARSG > ./entrypoint - -if [ -z "$ENTRYPOINT_ARSG" ] -then - printf "\nFailed to parse Dockerfile ENTRYPOINT\n" - printf "Did you forget to add an ENTRYPOINT to your Dockerfile?\n" - printf "ENTRYPOINT [\"executable\", \"param1\", \"param2\"]\n\n" - exit 1 -fi - -INTERPRETER=$(awk '{print $1}' ./entrypoint) # python -ENTRYPOINT=$(cat ./entrypoint) # /python /app/app.py - -export SCONE_MODE=sim -export SCONE_HEAP=1G - -APP_FOLDER=$1 - -printf "\n### Starting file system protection ...\n\n" - -scone fspf create /fspf.pb -scone fspf addr /fspf.pb / --not-protected --kernel / -scone fspf addr /fspf.pb /usr --authenticated --kernel /usr -scone fspf addf /fspf.pb /usr /usr -scone fspf addr /fspf.pb /bin --authenticated --kernel /bin -scone fspf addf /fspf.pb /bin /bin -scone fspf addr /fspf.pb /lib --authenticated --kernel /lib -scone fspf addf /fspf.pb /lib /lib -scone fspf addr /fspf.pb /etc/ssl --authenticated --kernel /etc/ssl -scone fspf addf /fspf.pb /etc/ssl /etc/ssl -scone fspf addr /fspf.pb /sbin --authenticated --kernel /sbin -scone fspf addf /fspf.pb /sbin /sbin -printf "\n### Protecting code found in folder \"$APP_FOLDER\"\n\n" -scone fspf addr /fspf.pb $APP_FOLDER --authenticated --kernel $APP_FOLDER -scone fspf addf /fspf.pb $APP_FOLDER $APP_FOLDER - -scone fspf encrypt /fspf.pb > ./keytag - -MRENCLAVE="$(SCONE_HASH=1 $INTERPRETER)" -FSPF_TAG=$(cat ./keytag | awk '{print $9}') -FSPF_KEY=$(cat ./keytag | awk '{print $11}') -FINGERPRINT="$FSPF_KEY|$FSPF_TAG|$MRENCLAVE|$ENTRYPOINT" -echo $FINGERPRINT > ./fingerprint - -printf "\n\n" -printf "Your application fingerprint (mrenclave) is ready:\n" 
-printf "#####################################################################\n" -printf "iexec.json:\n\n" -printf "%s\n" "\"app\": { " " \"owner\" : ... " " \"name\": ... " " ..." " \"mrenclave\": \"$FINGERPRINT\"" "}" -printf "#####################################################################\n" -printf "Hint: Replace 'mrenclave' before doing 'iexec app deploy' step.\n" -printf "\n\n" diff --git a/cloud-computing/python-hello-world/tee/run b/cloud-computing/python-hello-world/tee/run deleted file mode 100755 index 65e03b6c..00000000 --- a/cloud-computing/python-hello-world/tee/run +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh -cd $(dirname $0) - -IEXEC_OUT=/tmp/iexec_out - -rm -rf $IEXEC_OUT -mkdir -p $IEXEC_OUT - -docker run --rm \ - -e IEXEC_OUT=/iexec_out \ - -e IEXEC_IN=/iexec_in \ - -e IEXEC_DATASET_FILENAME=confidential-asset.txt \ - -e IEXEC_INPUT_FILES_NUMBER='2' \ - -e IEXEC_INPUT_FILE_NAME_1='input-file1.txt' \ - -e IEXEC_INPUT_FILE_NAME_2='input-file2.txt' \ - -v $IEXEC_OUT:/iexec_out \ - -v $(pwd)/confidential-assets:/iexec_in \ - --device /dev/isgx \ - tee-python-hello-world $@ - -echo -find $IEXEC_OUT From 468b4d7760b70b60cbf58c698be40a073c9670b6 Mon Sep 17 00:00:00 2001 From: Zied <26070035+zguesmi@users.noreply.github.com> Date: Tue, 18 May 2021 11:31:39 +0200 Subject: [PATCH 33/39] Update sessions for testing --- cloud-computing/go-hello-world/README.md | 2 +- .../go-hello-world/resources/tee/session.yml | 12 ++++++------ cloud-computing/nodejs-hello-world/README.md | 2 +- .../nodejs-hello-world/resources/tee/session.yml | 11 ++++++----- .../python-hello-world/resources/tee/session.yml | 13 +++++++------ 5 files changed, 21 insertions(+), 19 deletions(-) diff --git a/cloud-computing/go-hello-world/README.md b/cloud-computing/go-hello-world/README.md index 45ce511d..e35a4cf6 100644 --- a/cloud-computing/go-hello-world/README.md +++ b/cloud-computing/go-hello-world/README.md 
@@ -41,7 +41,7 @@ The script can edited to change parameters like **heap size**, new
 image name, sources folder, ...
 ```
-./sconify.sh
+bash sconify.sh
 ```
 ### Run
diff --git a/cloud-computing/go-hello-world/resources/tee/session.yml b/cloud-computing/go-hello-world/resources/tee/session.yml
index 6a65969d..5f26c86e 100644
--- a/cloud-computing/go-hello-world/resources/tee/session.yml
+++ b/cloud-computing/go-hello-world/resources/tee/session.yml
@@ -12,12 +12,13 @@ access_policy:
 - CREATOR
 services:
- - name: go-hello-world
- image_name: tee-go-hello-world
- mrenclaves: [0ffb1ce764e67185411c0e9983a21a84d6c2ccc3fde7890e26107389fdda83c2]
+ - name: service
+ image_name: service_image
+ mrenclaves: [5e0955204071b0f9d108bc7244ab25e331550046849f739f736c9536574fffb0]
 command: "/app/helloworld"
 environment:
- SCONE_MODE: hw
+ IEXEC_IN: /iexec_in
+ IEXEC_OUT: /iexec_out
 images:
 - name: service_image
@@ -25,5 +26,4 @@ images:
 security:
 attestation:
 tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
- ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"]
- # ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"]
+ ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"]
diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md
index f616a87b..4bfe7767 100644
--- a/cloud-computing/nodejs-hello-world/README.md
+++ b/cloud-computing/nodejs-hello-world/README.md
@@ -43,7 +43,7 @@ The script can edited to change parameters like **heap size**, new
 image name, sources folder, ...
 ```
-./sconify.sh
+bash sconify.sh
 ```
 ### Run
diff --git a/cloud-computing/nodejs-hello-world/resources/tee/session.yml b/cloud-computing/nodejs-hello-world/resources/tee/session.yml
index 801ba665..9747a0d5 100644
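Review bot: `ignore_advisories` in the second session.yml hunk gains `INTEL-SA-00334`, widening the set of platform advisories that CAS attestation will not enforce, and the first hunk drops `SCONE_MODE: hw` from the enclave environment; the commit title says this is for testing, but the file itself carries no such marker, and the same two edits land in the nodejs and python sessions (L79, L80). Add `# Testing policy: advisories listed here are not enforced by attestation; review before production use` above `ignore_advisories`, once per session file. The removed commented-out line shows the 00334 variant was previously held back deliberately, so the reason for enabling it now belongs in the commit message or a comment; whether dropping `SCONE_MODE: hw` changes anything for the enclave (hardware vs. simulation default) is not visible here and is worth confirming.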
--- a/cloud-computing/nodejs-hello-world/resources/tee/session.yml
+++ b/cloud-computing/nodejs-hello-world/resources/tee/session.yml
@@ -12,12 +12,13 @@ access_policy:
 - CREATOR
 services:
- - name: nodejs-hello-world
- image_name: tee-nodejs-hello-world
- mrenclaves: [0ffb1ce764e67185411c0e9983a21a84d6c2ccc3fde7890e26107389fdda83c2]
+ - name: service
+ image_name: service_image
+ mrenclaves: [5f7645b0f4c733c98c31f8daa2c6827c4e9bdc22b6ffac65699e10a0f1015340]
 command: "node /app/app.js"
 environment:
- SCONE_MODE: hw
+ IEXEC_IN: /iexec_in
+ IEXEC_OUT: /iexec_out
 images:
 - name: service_image
@@ -25,4 +26,4 @@ images:
 security:
 attestation:
 tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
- ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"]
+ ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"]
diff --git a/cloud-computing/python-hello-world/resources/tee/session.yml b/cloud-computing/python-hello-world/resources/tee/session.yml
index 73edf1d6..ed5a6431 100644
--- a/cloud-computing/python-hello-world/resources/tee/session.yml
+++ b/cloud-computing/python-hello-world/resources/tee/session.yml
@@ -12,12 +12,13 @@ access_policy:
 - CREATOR
 services:
- - name: python-hello-world
- image_name: tee-python-hello-world
- mrenclaves: [0ffb1ce764e67185411c0e9983a21a84d6c2ccc3fde7890e26107389fdda83c2]
- command: "node /app/app.js"
+ - name: service
+ image_name: service_image
+ mrenclaves: [eca3ace86f1e8a5c47123c8fd271319e9eb25356803d36666dc620f30365c0c1]
+ command: "python3 /app/app.py"
 environment:
- SCONE_MODE: hw
+ IEXEC_IN: /iexec_in
+ IEXEC_OUT: /iexec_out
 images:
 - name: service_image
@@ -25,4 +26,4 @@ images:
 security:
 attestation:
 tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
- ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00381", "INTEL-SA-00389"]
+ ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"]
From be697cbbfc6c7c829c4ab66e0b019e942e1cee60 Mon Sep 17 00:00:00 2001
From: Zied <26070035+zguesmi@users.noreply.github.com>
Date: Wed, 19 May 2021 11:26:30 +0200
Subject: [PATCH 34/39] Add sgx installation instructions
---
 cloud-computing/go-hello-world/README.md | 4 ++++
 cloud-computing/nodejs-hello-world/README.md | 4 ++++
 cloud-computing/python-hello-world/README.md | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/cloud-computing/go-hello-world/README.md b/cloud-computing/go-hello-world/README.md
index e35a4cf6..19a42317 100644
--- a/cloud-computing/go-hello-world/README.md
+++ b/cloud-computing/go-hello-world/README.md
@@ -46,6 +46,10 @@ bash sconify.sh
 ### Run
 (TODO test with CAS and session)
+
+First of all, Intel® SGX driver needs to be present on the host machine.
+These [instructions](https://github.com/intel/linux-sgx-driver) provide
+information about how to install it.
 The application can be tested locally to make sure it is well setup:
 ```
 rm -rf /tmp/iexec_out && \
diff --git a/cloud-computing/nodejs-hello-world/README.md b/cloud-computing/nodejs-hello-world/README.md
index 4bfe7767..54c9248b 100644
--- a/cloud-computing/nodejs-hello-world/README.md
+++ b/cloud-computing/nodejs-hello-world/README.md
@@ -48,6 +48,10 @@ bash sconify.sh
 ### Run
 (TODO test with CAS and session)
+
+First of all, Intel® SGX driver needs to be present on the host machine.
+These [instructions](https://github.com/intel/linux-sgx-driver) provide
+information about how to install it.
 The application can be tested locally to make sure it is well setup:
 ```
 rm -rf /tmp/iexec_out && \
diff --git a/cloud-computing/python-hello-world/README.md b/cloud-computing/python-hello-world/README.md
index c8f4904d..13f04f92 100644
--- a/cloud-computing/python-hello-world/README.md
+++ b/cloud-computing/python-hello-world/README.md
@@ -52,6 +52,10 @@ bash sconify.sh
 ### Run
 (TODO test with CAS and session)
+
+First of all, Intel® SGX driver needs to be present on the host machine.
+These [instructions](https://github.com/intel/linux-sgx-driver) provide
+information about how to install it.
 The application can be tested locally to make sure it is well setup:
 ```
 rm -rf /tmp/iexec_out && \
From b2c42ab5868d4e23c9eb3cc73bb09ab156f07596 Mon Sep 17 00:00:00 2001
From: Damien <15243951+DamienMure@users.noreply.github.com>
Date: Wed, 26 May 2021 11:23:35 +0200
Subject: [PATCH 35/39] ajout nouveau sconify.args file
---
 cloud-computing/go-hello-world/sconify.args | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 cloud-computing/go-hello-world/sconify.args
diff --git a/cloud-computing/go-hello-world/sconify.args b/cloud-computing/go-hello-world/sconify.args
new file mode 100644
index 00000000..8b1ebfc4
--- /dev/null
+++ b/cloud-computing/go-hello-world/sconify.args
@@ -0,0 +1,12 @@
+--name=goHelloWorld \
+--from=go-hello-world \
+--to=tee-go-hello-world \
+--binary-fs \
+--host-path=/etc/hosts \
+--host-path=/etc/resolv.conf \
+--binary="/app/helloworld" \
+--heap="1G" \
+--dlopen="2" \
+--no-color \
+--verbose \
+--command="/app/helloworld"
From 8a5b458d794cd3f43917a2fee930dc5466c34970 Mon Sep 17 00:00:00 2001
From: Damien <15243951+DamienMure@users.noreply.github.com>
Date: Wed, 26 May 2021 17:39:45 +0200
Subject: [PATCH 36/39] reformat des arg sconify
---
 cloud-computing/go-hello-world/sconify.args | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cloud-computing/go-hello-world/sconify.args b/cloud-computing/go-hello-world/sconify.args
index 8b1ebfc4..d7ec178b 100644
--- a/cloud-computing/go-hello-world/sconify.args
+++ b/cloud-computing/go-hello-world/sconify.args
@@ -4,9 +4,9 @@
 --binary-fs \
 --host-path=/etc/hosts \
 --host-path=/etc/resolv.conf \
---binary="/app/helloworld" \
---heap="1G" \
---dlopen="2" \
+--binary=/app/helloworld \
+--heap=1G \
+--dlopen=2 \
 --no-color \
 --verbose \
---command="/app/helloworld"
+--command=/app/helloworld
From 23471b0e26b866d6ad2c819e22d47ec032596ba0 Mon Sep 17 00:00:00 2001
From: Damien <15243951+DamienMure@users.noreply.github.com>
Date: Thu, 27 May 2021 12:35:01 +0200
Subject: [PATCH 37/39] variabiliser FROM/TO
---
 cloud-computing/go-hello-world/sconify.args | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloud-computing/go-hello-world/sconify.args b/cloud-computing/go-hello-world/sconify.args
index d7ec178b..fbc5adc1 100644
--- a/cloud-computing/go-hello-world/sconify.args
+++ b/cloud-computing/go-hello-world/sconify.args
@@ -1,6 +1,6 @@
 --name=goHelloWorld \
---from=go-hello-world \
---to=tee-go-hello-world \
+--from=${IMG_FROM} \
+--to=${IMG_TO} \
 --binary-fs \
 --host-path=/etc/hosts \
 --host-path=/etc/resolv.conf \
From 14e504027c6e67f1199a5606827683cb3757ec59 Mon Sep 17 00:00:00 2001
From: Damien <15243951+DamienMure@users.noreply.github.com>
Date: Fri, 28 May 2021 15:13:52 +0200
Subject: [PATCH 38/39] retrait sconify.sh
---
 cloud-computing/go-hello-world/sconify.sh | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 cloud-computing/go-hello-world/sconify.sh
diff --git a/cloud-computing/go-hello-world/sconify.sh b/cloud-computing/go-hello-world/sconify.sh
deleted file mode 100644
index 6f0615d4..00000000
--- a/cloud-computing/go-hello-world/sconify.sh
+++ /dev/null
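Review bot: After the `@@ -1,6 +1,6 @@` hunk, `--from=${IMG_FROM}` and `--to=${IMG_TO}` have to be expanded by whatever reads sconify.args, and the only consumer visible in this series, go-hello-world/sconify.sh, is deleted in the next patch, so nothing on this page shows where IMG_FROM and IMG_TO come from or what happens when they are unset (an empty `--from=` would presumably be passed through as-is). A header comment in the file would close that gap: `# IMG_FROM / IMG_TO are substituted by the caller before these args reach sconify_iexec; both are required`.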
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-docker run -it --rm \
- -v /var/run/docker.sock:/var/run/docker.sock \
- registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3 \
- sconify_iexec \
- --name=goHelloWorld \
- --from=go-hello-world \
- --to=tee-go-hello-world \
- --binary-fs \
- --host-path=/etc/hosts \
- --host-path=/etc/resolv.conf \
- --binary="/app/helloworld" \
- --heap="1G" \
- --dlopen="2" \
- --no-color \
- --verbose \
- --command="/app/helloworld"
From b46ea367a79359a20f0b17a3b3dd673e11862a22 Mon Sep 17 00:00:00 2001
From: Damien <15243951+DamienMure@users.noreply.github.com>
Date: Fri, 28 May 2021 15:16:52 +0200
Subject: [PATCH 39/39] nouvelle config scone
---
 cloud-computing/go-hello-world/sconify.args | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/cloud-computing/go-hello-world/sconify.args b/cloud-computing/go-hello-world/sconify.args
index fbc5adc1..827df3e7 100644
--- a/cloud-computing/go-hello-world/sconify.args
+++ b/cloud-computing/go-hello-world/sconify.args
@@ -2,11 +2,11 @@
 --from=${IMG_FROM} \
 --to=${IMG_TO} \
 --binary-fs \
---host-path=/etc/hosts \
---host-path=/etc/resolv.conf \
---binary=/app/helloworld \
---heap=1G \
---dlopen=2 \
+--host-path=/etc \
+--host-path=/opt \
+--binary="/app/helloworld" \
+--heap="1G" \
+--dlopen="2" \
 --no-color \
 --verbose \
---command=/app/helloworld
+--command="/app/helloworld"
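Review bot: `--host-path=/etc` and `--host-path=/opt` replace the two specific files `/etc/hosts` and `/etc/resolv.conf`; if `--host-path` means what its name suggests, that the listed paths are served from the untrusted host file system rather than the measured/protected one, this widens the host-controlled surface from two name-resolution files to all of `/etc` (trust stores, loader and library configuration, `passwd`) and all of `/opt`, with no comment saying which file under them the go binary actually needs. Narrow it back to the exact paths required, or record the justification in the file: `# /etc and /opt are read from the host (unprotected); needed for <reason-placeholder>`. The quoting also flips back to `--binary="/app/helloworld"` and friends, reverting PATCH 36 in the same file; pick one form and keep it.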