Feature/v6.0 go production

cloud-computing/go-hello-world/Dockerfile

@@ -0,0 +1,10 @@
+# same version as Scone
+FROM golang:1.16.0-alpine3.13
+
+RUN apk --update add gcc build-base gcc-go
+
+COPY ./src /app
+
+RUN go build -compiler=gccgo -buildmode=exe -o /app/helloworld /app/helloworld.go
+
+ENTRYPOINT ["/app/helloworld"]

cloud-computing/go-hello-world/README.md

@@ -0,0 +1,68 @@
+# Go hello-world app
+
+## Standard mode
+By default the application is built in **Standard** mode which
+does not use TEE capabilities.
+
+### Build
+Standard mode application is built just like any other dockerized
+application:
+```
+docker image build -t go-hello-world .
+```
+
+### Run
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+        --rm \
+        -e IEXEC_IN=/iexec_in \
+        -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \
+        -e IEXEC_OUT=/iexec_out \
+        -v /tmp/iexec_out:/iexec_out \
+        -v $(pwd)/resources/data:/iexec_in \
+        go-hello-world Alice
+```
+Once the execution ends, the result should be found in the folder
+`/tmp/iexec_out`.
+```
+cat /tmp/iexec_out/result.txt
+```
+
+## TEE (protected) mode
+To convert the application into **TEE** mode, first, it needs to be
+build in **Standard** mode as instructed in the section above.
+Then the produced image is converted using `sconify.sh` script into
+a newly created TEE enabled image `tee-go-hello-world`:
+
+### Build (conversion)
+The script can edited to change parameters like **heap size**, new
+image name, sources folder, ...
+
+```
+bash sconify.sh
+```
+
+### Run
+(TODO test with CAS and session)
+
+First of all, Intel® SGX driver needs to be present on the host machine.
+These [instructions](https://github.com/intel/linux-sgx-driver) provide
+information about how to install it.
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+        --rm \
+        -e IEXEC_OUT=/iexec_out \
+        -e IEXEC_IN=/iexec_in \
+        -v /tmp/iexec_out:/iexec_out \
+        -v $(pwd)/resources/dataset:/iexec_in \
+        --device /dev/isgx \
+        tee-go-hello-world Alice
+```
+To get the MREnclave value of the TEE application:
+```
+docker run -it --rm -e SCONE_HASH=1 tee-go-hello-world
+```

cloud-computing/go-hello-world/resources/data/Lorem-ipsum.txt

@@ -0,0 +1 @@
+Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

cloud-computing/go-hello-world/resources/tee/docker-compose.yml

@@ -0,0 +1,33 @@
+version: '3.2'
+networks:
+  scone-net:
+    external: true
+
+services:
+    las:
+        image: registry.scontain.com:5050/sconecuratedimages/services:las-scone5.3.0
+        container_name: las
+        devices:
+          - /dev/isgx
+        networks:
+          - scone-net
+    cas:
+        image: registry.scontain.com:5050/sconecuratedimages/services:cas.preprovisioned-scone5.2.1
+        container_name: cas
+        devices:
+          - /dev/isgx
+        depends_on:
+          - las
+        networks:
+          - scone-net
+    scone-cli:
+        image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3
+        container_name: scone-cli
+        command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification"
+        volumes:
+          - ./session.yml:/session.yml
+        depends_on:
+          - las
+          - cas
+        networks:
+          - scone-net

cloud-computing/go-hello-world/resources/tee/run-scone-app

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+### TODO on each build: update mrenclave in session
+
+docker-compose down > /dev/null
+docker network create scone-net > /dev/null
+echo "Starting CAS & LAS:"
+docker-compose up -d
+sleep 5
+
+MY_SCONE_APP=tee-go-hello-world
+echo "Starting $MY_SCONE_APP"
+docker run --rm \
+        --name=$MY_SCONE_APP \
+        -e SCONE_VERSION=1 \
+        -e SCONE_CAS_ADDR="cas" \
+        -e SCONE_LAS_ADDR="las" \
+        -e SCONE_CONFIG_ID="1/service" \
+        --network=scone-net \
+        --device=/dev/isgx \
+        $MY_SCONE_APP
+
+docker-compose down
+docker network rm scone-net

cloud-computing/go-hello-world/resources/tee/session.yml

@@ -0,0 +1,29 @@
+name: 1
+version: "0.3"
+
+# Access control:
+#   - only the data owner (CREATOR) can read or update the session
+#   - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
+
+access_policy:
+  read:
+   - CREATOR
+  update:
+   - CREATOR
+
+services:
+   - name: service
+     image_name: service_image
+     mrenclaves: [5e0955204071b0f9d108bc7244ab25e331550046849f739f736c9536574fffb0]
+     command: "/app/helloworld"
+     environment:
+      IEXEC_IN: /iexec_in
+      IEXEC_OUT: /iexec_out
+
+images:
+  - name: service_image
+
+security:
+  attestation:
+    tolerate: [hyperthreading, software-hardening-needed, insecure-igpu, outdated-tcb, debug-mode]
+    ignore_advisories: ["INTEL-SA-00161", "INTEL-SA-00289", "INTEL-SA-00334", "INTEL-SA-00381", "INTEL-SA-00389"]

cloud-computing/go-hello-world/sconify.args

@@ -0,0 +1,12 @@
+--name=goHelloWorld \
+--from=${IMG_FROM} \
+--to=${IMG_TO} \
+--binary-fs \
+--host-path=/etc \
+--host-path=/opt \
+--binary="/app/helloworld" \
+--heap="1G" \
+--dlopen="2" \
+--no-color \
+--verbose \
+--command="/app/helloworld"

cloud-computing/go-hello-world/src/helloworld.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+)
+
+func main() {
+    iexecOut := os.Getenv("IEXEC_OUT")
+    iexecIn := os.Getenv("IEXEC_IN")
+    datasetFilename := os.Getenv("IEXEC_DATASET_FILENAME")
+    if iexecIn == "" {
+        panic("No value for IEXEC_IN")
+    }
+    if iexecOut == "" {
+        panic("No value for IEXEC_OUT")
+    }
+
+    result := ""
+
+    // Print a message
+    if (len(os.Args) > 1) {
+        result += "Hello, " + os.Args[1] + "!\n"
+    } else {
+        result += "Hello, World!\n"
+    }
+
+    // Read the content of the dataset if present
+    if datasetFilename != "" {
+        datasetFilepath := iexecIn + "/" + datasetFilename
+        input, err := ioutil.ReadFile(datasetFilepath)
+        if err != nil {
+            log.Fatal("Error reading dataset file", err)
+        } else {
+            result += "Dataset (" + datasetFilepath + "): " + string(input)
+        }
+    } else {
+        result += "No dataset was found\n"
+    }
+
+    fmt.Println(result)
+
+    // Save result
+    err := ioutil.WriteFile(iexecOut + "/result.txt", []byte(result), 0)
+    if err != nil {
+        log.Fatal(err)
+    }
+
+    // Create computed.json file
+    dataString := `{"deterministic-output-path": "` + iexecOut + `/result.txt"}`
+    err = ioutil.WriteFile(iexecOut + "/computed.json", []byte(dataString), 0)
+    if err != nil {
+        log.Fatal(err)
+    }
+}

cloud-computing/nodejs-hello-world/standard/Dockerfile → cloud-computing/nodejs-hello-world/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:10
+FROM node:14-alpine3.10
 
 ### install your dependencies
 RUN mkdir /app && cd /app && npm install figlet@1.x

cloud-computing/nodejs-hello-world/README.md

@@ -0,0 +1,70 @@
+# Node hello-world app
+
+## Standard mode
+By default the application is built in **Standard** mode which
+does not use TEE capabilities.
+
+### Build
+Standard mode application is built just like any other dockerized
+application:
+```
+docker image build -t nodejs-hello-world .
+```
+**IMPORTANT:** /!\ Please note that the base node image should be 
+alpine based if it will be converted into TEE mode.
+
+### Run
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+        --rm \
+        -e IEXEC_IN=/iexec_in \
+        -e IEXEC_DATASET_FILENAME=Lorem-ipsum.txt \
+        -e IEXEC_OUT=/iexec_out \
+        -v /tmp/iexec_out:/iexec_out \
+        -v $(pwd)/resources/dataset:/iexec_in \
+        nodejs-hello-world Alice
+```
+Once the execution ends, the result should be found in the folder
+`/tmp/iexec_out`.
+```
+cat /tmp/iexec_out/result.txt
+```
+
+## TEE (protected) mode
+To convert the application into **TEE** mode, first, it needs to be
+built in **Standard** mode as instructed in the section above.
+Then the standard image is converted using `sconify.sh` script into
+a newly created TEE enabled image `tee-nodejs-hello-world`:
+
+### Build (conversion)
+The script can edited to change parameters like **heap size**, new
+image name, sources folder, ...
+
+```
+bash sconify.sh
+```
+
+### Run
+(TODO test with CAS and session)
+
+First of all, Intel® SGX driver needs to be present on the host machine.
+These [instructions](https://github.com/intel/linux-sgx-driver) provide
+information about how to install it.
+The application can be tested locally to make sure it is well setup:
+```
+rm -rf /tmp/iexec_out && \
+docker run \
+        --rm \
+        -e IEXEC_OUT=/iexec_out \
+        -e IEXEC_IN=/iexec_in \
+        -v /tmp/iexec_out:/iexec_out \
+        -v $(pwd)/resources/dataset:/iexec_in \
+        --device /dev/isgx \
+        tee-nodejs-hello-world Alice
+```
+To get the MREnclave value of the TEE application:
+```
+docker run -it --rm -e SCONE_HASH=1 tee-nodejs-hello-world
+```

cloud-computing/nodejs-hello-world/resources/data/Lorem-ipsum.txt

@@ -0,0 +1 @@
+Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

cloud-computing/nodejs-hello-world/resources/tee/docker-compose.yml

@@ -0,0 +1,33 @@
+version: '3.2'
+networks:
+  scone-net:
+    external: true
+
+services:
+    las:
+        image: registry.scontain.com:5050/sconecuratedimages/services:las-scone5.3.0
+        container_name: las
+        devices:
+          - /dev/isgx
+        networks:
+          - scone-net
+    cas:
+        image: registry.scontain.com:5050/sconecuratedimages/services:cas.preprovisioned-scone5.2.1
+        container_name: cas
+        devices:
+          - /dev/isgx
+        depends_on:
+          - las
+        networks:
+          - scone-net
+    scone-cli:
+        image: registry.scontain.com:5050/sconecuratedimages/iexec-sconify-image:5.3.3
+        container_name: scone-cli
+        command: bash -c "sleep 5 && scone session create /session.yml --cas cas --only_for_testing-disable-attestation-verification"
+        volumes:
+          - ./session.yml:/session.yml
+        depends_on:
+          - las
+          - cas
+        networks:
+          - scone-net