gramineproject · aneessahib · Nov 21, 2022
diff --git a/Examples/aks-attestation/README.md b/Examples/aks-attestation/README.md
@@ -48,37 +48,32 @@ Note: This example is Ubuntu 18.04-specific. This example was tested with Gramin
     $ docker push <dockerhubusername>/aks-secret-prov-server-img:latest
     ```
 
-3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster using reference
-   deployment file: `aks-secret-prov-server-deployment.yaml`
+3. Deploy `aks-secret-prov-server-img:latest` in the AKS confidential compute cluster using
+   reference deployment file: `aks-secret-prov-server-deployment.yaml`
 
 ### Creating client (SGX application) image
 
-The client Docker image must run the client application inside the SGX enclave. For this, we use the
-Gramine Shielded Containers (GSC) tool (https://github.com/gramineproject/gsc). GSC transforms the
-native Docker client image into a new "graminized" Docker image.
+The client Docker image must run the client application (`client.c` in this case) inside the SGX
+enclave. For this, we use the Gramine Shielded Containers (GSC) tool (https://github.com/gramineproject/gsc).
+GSC transforms the native Docker client image into a new "graminized" Docker image.
 
-1. The `base-image-generation-script.sh` script will create the native Docker client image with the
-   name `aks-secret-prov-client-img:latest`.
+1. The `base-image-generation-script.sh` script will first create the native Docker client image
+   with the name `aks-secret-prov-client-img:latest`.
 
-2. Create the GSC client image (note that we tested this example with DCAP driver 1.11 specified in
-   the GSC configuration file):
+2. The script then creates a GSC client image `gsc-aks-secret-prov-client-img:latest` (note that we
+   tested this example with DCAP driver 1.11 specified in `config.yaml.template`) signed with a
+   test enclave signing key.
 
-    ```sh
-    $ cd gsc
-    $ ./gsc build aks-secret-prov-client-img:latest \
-        Examples/aks-attestation/aks-secret-prov-client.manifest
-    $ ./gsc sign-image aks-secret-prov-client-img:latest enclave-key.pem
-    ```
-
-5. Push resulting image to Docker Hub or your preferred registry:
+3. The user is now expected to push `gsc-aks-secret-prov-client-img:latest` to Docker Hub or the
+   preferred registry:
 
     ```sh
     $ docker tag gsc-aks-secret-prov-client-img:latest \
         <dockerhubusername>/gsc-aks-secret-prov-client-img:latest
     $ docker push <dockerhubusername>/gsc-aks-secret-prov-client-img:latest
     ```
 
-6. Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster using
+4. Deploy `gsc-aks-secret-prov-client-img:latest` in AKS confidential compute cluster using
    reference deployment file: `aks-secret-prov-client-deployment.yaml`
 
 ## Deploying client and server images in AKS confidential compute cluster
@@ -101,6 +96,12 @@ libsgx-dcap-quote-verify library via the az-dcap-client library.
 
 ### Deployment
 
+Create a ConfigMap for the ssl artifacts that will be later injected into the server pod.
+```sh
+$ kubectl create configmap ssl-certs --from-file=ssl/ca.crt --from-file=ssl/server.key \
+  --from-file=ssl/server.crt
+```
+
 ```sh
 $ kubectl apply -f aks-secret-prov-server-deployment.yaml
 ```
@@ -131,7 +132,7 @@ $ kubectl logs -l app=gsc-ra-tls-secret-prov-client --tail=50
 
 Expected output:
 
-`--- Received secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'`
+`--- Received secret = 'A_SIMPLE_SECRET' ---`
 
 Delete both client and server containers:
 

diff --git a/Examples/aks-attestation/aks-secret-prov-client.dockerfile b/Examples/aks-attestation/aks-secret-prov-client.dockerfile
@@ -1,27 +1,10 @@
 FROM ubuntu:18.04
 
 RUN apt-get update \
-    && env DEBIAN_FRONTEND=noninteractive apt-get install -y wget \
-    build-essential \
-    gnupg2 \
-    libcurl3-gnutls \
-    python3
+    && env DEBIAN_FRONTEND=noninteractive apt-get install -y git build-essential
 
-# Installing DCAP libraries
-RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \
-    > /etc/apt/sources.list.d/intel-sgx.list \
-    && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
-    && apt-key add intel-sgx-deb.key
+COPY client.c /client.c
+RUN client.c -o min_client && cp min_client /usr/local/bin
+COPY ssl/ca.crt /ca.crt
 
-RUN apt-get update \
-    && apt-get install -y libsgx-urts \
-    libsgx-dcap-ql \
-    libsgx-quote-ex
-
-WORKDIR /ra-tls-secret-prov
-
-COPY gramine/CI-Examples/ra-tls-secret-prov/ssl ./ssl
-
-COPY gramine/CI-Examples/ra-tls-secret-prov/secret_prov_min_client /usr/local/bin
-
-ENTRYPOINT ["secret_prov_min_client"]
+ENTRYPOINT ["min_client"]
diff --git a/Examples/aks-attestation/aks-secret-prov-client.manifest b/Examples/aks-attestation/aks-secret-prov-client.manifest
@@ -1,19 +1,11 @@
-# Secret Provisioning library (client-side) is preloaded
-loader.env.LD_PRELOAD = "libsecret_prov_attest.so"
+sgx.enclave_size = "1024M"
+sgx.thread_num = 8
 
+# Attestation related entries
+sgx.remote_attestation = "dcap"
+loader.env.LD_PRELOAD =  "/gramine/meson_build_output/lib/x86_64-linux-gnu/libsecret_prov_attest.so"
 loader.env.SECRET_PROVISION_SERVERS = { passthrough = true }
 loader.env.SECRET_PROVISION_CONSTRUCTOR = "1"
-loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "ssl/ca.crt"
+loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "/ca.crt"
 
-sgx.remote_attestation = true
-
-sgx.allowed_files = [
-  "file:/etc/ethers",
-  "file:/etc/gai.conf",
-  "file:/etc/group",
-  "file:/etc/host.conf",
-  "file:/etc/hosts",
-  "file:/etc/nsswitch.conf",
-  "file:/etc/passwd",
-  "file:/etc/resolv.conf",
-]
+sys.enable_extra_runtime_domain_names_conf = true
diff --git a/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml b/Examples/aks-attestation/aks-secret-prov-server-deployment.yaml
@@ -20,6 +20,18 @@ spec:
         resources:
           limits:
             kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
+        volumeMounts:
+        - name: ssl
+          mountPath: /ra-tls-secret-prov/ssl/
+        env:
+        - name: RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE
+          value: "1"
+        - name: RA_TLS_ALLOW_OUTDATED_TCB_INSECURE
+          value: "1"
+      volumes:
+      - name: ssl
+        configMap:
+          name: ssl-certs
 
 # TODO: Requesting an SGX machine is not needed, but Intel DCAP libraries have a bug of trying to
 # open the SGX driver (see https://github.com/intel/linux-sgx/issues/756)

diff --git a/Examples/aks-attestation/aks-secret-prov-server.dockerfile b/Examples/aks-attestation/aks-secret-prov-server.dockerfile
@@ -2,7 +2,9 @@ FROM ubuntu:18.04
 
 RUN apt-get update \
     && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    build-essential \
     curl \
+    git \
     gnupg2 \
     wget
 
@@ -13,21 +15,31 @@ RUN apt-get update \
 RUN wget https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.10_amd64.deb \
  && dpkg -i az-dcap-client_1.10_amd64.deb
 
-WORKDIR /ra-tls-secret-prov
-
-COPY gramine/CI-Examples/ra-tls-secret-prov/ssl ./ssl
-COPY gramine/CI-Examples/ra-tls-secret-prov/files ./files
-
-COPY gramine/CI-Examples/ra-tls-secret-prov/secret_prov_server_dcap /usr/local/bin
-
 RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' \
     > /etc/apt/sources.list.d/intel-sgx.list \
     && wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
     && apt-key add intel-sgx-deb.key
 
 RUN curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
-RUN echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ stable main' | tee /etc/apt/sources.list.d/gramine.list
+RUN echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ bionic main' | tee /etc/apt/sources.list.d/gramine.list
 RUN apt-get update
 RUN apt-get install -y gramine-dcap
 
-ENTRYPOINT ["secret_prov_server_dcap"]
+RUN git clone --depth 1 --branch v1.3.1 https://github.com/gramineproject/gramine.git
+
+ARG server_dcap_pf="n"
+RUN if [ $server_dcap_pf="y" ]; then \
+        sed -i "s|verify_measurements_callback,|NULL,|g" \
+        "gramine/CI-Examples/ra-tls-secret-prov/secret_prov_pf/server.c"; \
+    fi
+
+RUN mkdir -p /ra-tls-secret-prov/secret_prov_minimal
+RUN cd gramine/CI-Examples/ra-tls-secret-prov/ \
+    && make clean && make dcap \
+    && cp secret_prov_minimal/server_dcap /ra-tls-secret-prov/secret_prov_minimal/
+
+RUN rm -rf gramine >/dev/null 2>&1
+
+WORKDIR /ra-tls-secret-prov/secret_prov_minimal
+
+ENTRYPOINT ["./server_dcap"]
diff --git a/Examples/aks-attestation/base-image-generation-script.sh b/Examples/aks-attestation/base-image-generation-script.sh
@@ -1,17 +1,17 @@
-# Install Gramine, and build the ra-tls-secret-prov files and
-# relevant libraries to be used in the server and client Dockerfiles.
-/bin/sh install_gramine.sh
-
 # Create Server image
-cd gramine/CI-Examples/ra-tls-secret-prov
-make clean && make dcap
-cd ../../../
 docker build -f aks-secret-prov-server.dockerfile -t aks-secret-prov-server-img .
 
 # Create Client image
-cd gramine/CI-Examples/ra-tls-secret-prov
-make clean && make secret_prov_min_client
-cd ../../../
 docker build -f aks-secret-prov-client.dockerfile -t aks-secret-prov-client-img .
 
-rm -rf gramine/
+# Clone GSC repo
+git clone --depth 1 https://github.com/gramineproject/gsc.git
+cd gsc
+cp ../config.yaml.template config.yaml
+
+# Generate an unsigned GSC image
+./gsc build aks-secret-prov-client-img ../aks-secret-prov-client.manifest
+
+# Create a test signing key, and generate the signed image
+openssl genrsa -3 -aes128 -passout pass:test@123 -out enclave-key.pem 3072
+./gsc sign-image aks-secret-prov-client-img enclave-key.pem -p test@123
diff --git a/Examples/aks-attestation/client.c b/Examples/aks-attestation/client.c
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: LGPL-3.0-or-later */
+/* Copyright (C) 2020 Intel Labs */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(void) {
+    char* secret = getenv("SECRET_PROVISION_SECRET_STRING");
+    if (secret)
+        printf("--- Received secret = '%s' ---\n", secret);
+    else
+        printf("--- Did not receive any secret! ---\n");
+
+    return 0;
+}
diff --git a/Examples/aks-attestation/config.yaml.template b/Examples/aks-attestation/config.yaml.template
@@ -0,0 +1,28 @@
+# DO NOT CHANGE! BELOW WILL BE REPLACED BY THE CURATION SCRIPT!
+# Currently tested distros are
+# - ubuntu:18.04, ubuntu:20.04, ubuntu:21.04
+# - debian:10, debian:11
+
+Distro: "ubuntu:18.04"
+
+# If the image has a specific registry, define it here.
+# Empty by default; example value: "registry.access.redhat.com/ubi8".
+Registry: ""
+
+# If you're using your own fork and branch of Gramine, specify the GitHub link and the branch name
+# below; typically, you want to keep the default values though
+Gramine:
+    Repository: "https://github.com/gramineproject/gramine.git"
+    Branch:     "v1.3.1"
+
+# Specify the Intel SGX driver installed on your target machine (more specifically, on the machine
+# where the graminized Docker container will run); Default assumption is DCAP out-of-tree driver,
+# but for DCAP in-kernel driver: use empty values like below
+#
+#   - DCAP in-kernel driver: use empty values like below
+#         Repository: ""
+#         Branch:     ""
+#
+SGXDriver:
+    Repository: "https://github.com/intel/SGXDataCenterAttestationPrimitives.git"
+    Branch:     "DCAP_1.11 && cp -r driver/linux/* ."
diff --git a/Examples/aks-attestation/install_gramine.sh b/Examples/aks-attestation/install_gramine.sh
diff --git a/Examples/aks-attestation/ssl/ca.crt b/Examples/aks-attestation/ssl/ca.crt
@@ -1,32 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIIFeDCCA2CgAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJOTDEL
-MAkGA1UECAwCTkwxCzAJBgNVBAcMAk5MMREwDwYDVQQKDAhQb2xhclNTTDEZMBcG
-A1UEAwwQUG9sYXJTU0wgVGVzdCBDQTAeFw0yMTExMDkwNTA4MDhaFw0zMTExMDcw
-NTA4MDhaMFUxCzAJBgNVBAYTAk5MMQswCQYDVQQIDAJOTDELMAkGA1UEBwwCTkwx
-ETAPBgNVBAoMCFBvbGFyU1NMMRkwFwYDVQQDDBBQb2xhclNTTCBUZXN0IENBMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt4LPFNvOHrkgztHoZ9LR+69Q
-uhDzaPmlEGngmJSgxMZi5dJJ7ZnEJtZ+8bjX/DTCZcl7lOwwSHurb9a3GPgP/DRt
-0jGqqtDiwZnc1OoJ9mLnj+BoB1hhWSMuIcJ+cM292Aac+12Ih9mThtzhbxzW/6xD
-neyAtRjF/iRBNq3FIiAMj3c+w+BBVmEbasBpuXs/4S9BTvyPrGFjg+jKf842wTwG
-Vz82goPKaOMByRWbhEKhYT9al/iKcdPIPjzA6HB3XyPjLm9xpIXR1+RidO98UhsC
-Llzw8xeUi+aq2MHLilBEUsHqVoJqWqFOCfJhOQGFzPQNPnWk1l7FOvJvYSr4XR1/
-6eIUqzFlG30ImG7uVCzhLunk092aPNGvewogTLiprmeLLBAks70NzPD9W1UQhXhB
-SqZN6FNpczAdn5x+UxCUQkmFs8siCtLbh7Z3H2lx34IaiH9Xw+YTV244J/5UuUBR
-jWrncbM+XElXo4RzF3gIL4EmvxKTzEWWh3b6SNpvirdJFbSkwByOYfBZ3XUuQDsa
-Df9UGAgD1EBHwpuZB9VYT1rVA0x9o2ovjwYXY4AjHRCgqe53FeUSyxyY/xXKqiPn
-jJjZuo2Pif2W+Il14Me1e30SD8+8fbdfoaPiGYQ02aW5AvElbMk4KEGnIlgiYhs9
-qAn36FqlaOkiwI7CQH8CAwEAAaNTMFEwHQYDVR0OBBYEFIo1oGRr0T8oklUSbVpt
-/e7wKtXbMB8GA1UdIwQYMBaAFIo1oGRr0T8oklUSbVpt/e7wKtXbMA8GA1UdEwEB
-/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAHkCHYagsPWfOipq6vXqaaCmHaaY
-dOao9BjawfZbZOrYXFYFDcSVP4iGltEs3NBBrzjkbqmRlDT4R3uvWuvD+TlIUroL
-0eGjPwmljGqW2eokjuySf9V48PdH12xwFnSYRn/qFiiEB7LconoxGhtXLOF1ry0q
-99d4Lk/8pUlOVWFCQ5kv+Fp27oungmS6n4H2973HbzRbm8rxQJrrtomvQcU5DgN3
-b6q+37VVprE5dGJZ/+XCZ85lbOMnvN3H8zd1rftFnU2fxNK8DZ8cqb//BOI5lWpg
-wBc8zUNCrNnPb8An/xpbS1P0BUGxxSWeyiXOwv9mxc3x7zJLVrDQLVd6GbhBnLE6
-Z9aC2Eh8gNLvBhs/JVaQKPn3iVyqNAaXaOg90TnlliO9EVbA0212HyC2+ShbdkwE
-9TEDP9QPAr8Y/tU0hCpALelwE8VZJv1rp71Ga6CivlfDcgBoVygAQQ8tH+PcS+u6
-1r+B0TPml86mUAzG5lAW+ZuSjw727aLlLOnk/7F8jOShz817lA6eMqtlzYZpM+lR
-B8ZNdkuuQq3z8OkJ78Gjby4NeDguF/dMlXD5me+AJ4FMqeCEN3g6QKh8ThzoSp8h
-ZxmK9bX/MagiL0upybyqTDqgNCKNkpcqY168Nborx/T5J4srsBdJoCDi3jO1Q3nk
-UvFuODojjTxO9Bwa
+MIIDyTCCArECFFCVBflv4VVpy+Wx3OoT0loU28yzMA0GCSqGSIb3DQEBCwUAMIGg
+MQswCQYDVQQGEwJYWDEOMAwGA1UEBwwFWFhYWFgxEzARBgNVBAoMCk15IENvbXBh
+bnkxEzARBgNVBAsMCkRlcGFydG1lbnQxODA2BgNVBAMML3JhLXRscy1zZXJ2ZXIt
+YWtzLWRucy5lYXN0dXMuY2xvdWRhcHAuYXp1cmUuY29tMR0wGwYJKoZIhvcNAQkB
+Fg5tZUBleGFtcGxlLmNvbTAeFw0yMjExMTExOTU1NDJaFw0yNTA4MzExOTU1NDJa
+MIGgMQswCQYDVQQGEwJYWDEOMAwGA1UEBwwFWFhYWFgxEzARBgNVBAoMCk15IENv
+bXBhbnkxEzARBgNVBAsMCkRlcGFydG1lbnQxODA2BgNVBAMML3JhLXRscy1zZXJ2
+ZXItYWtzLWRucy5lYXN0dXMuY2xvdWRhcHAuYXp1cmUuY29tMR0wGwYJKoZIhvcN
+AQkBFg5tZUBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMHQEP2Qjcm1yoU0R8cZnsWwm91g+Mqt3VBpWBD4MCI+uBy5y4pBqGEBqx5p
+rDl9ye77108EqdmODPfg2l9AhE5CQ/CpQAgtGaDs4APrxK0qYehlcI10x3iH6SQl
+YQCk6Q81SytM9cCncByDi9UnSSYN4PI5PTuvQ0XYKhsPuW1TbPcY+2Z43ubBC/Px
+4wMKX7ym+9quywKhKS5fnRmGXAsLQ8K0lxWbmq9GHn+xDgm0c8X04geQEs3jUQTL
+tTpN8T2VMhRZPKeTice7hT8Yx+Jz3kEDXz31/cS+jqIJfSElYR6le4fbxx3At9cA
+07bmYNI0Hy0Uf7DphRSt8/68XzsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAD+If
+EQRcGALIzpfJqEV3CmmJKTyuZyNpFfbHnuKAUn1M6i6dS0Yu2xcTOUtQs5yb3/hX
+2hRpyUfN6v9BRmfnewYWwBdKh2SI1bETfxuW1csK0MafFm94x2FxRxtpH0UIBj6m
+wdaFdYx/jBheHcxsrBIwuSMfWGb82VXUfpz4bcL2EsAsO2tXqKdzPjwiirYJMMF8
+yvfeZMgmJ45H3YCo9quoG3Z3VplpWmO11tUSwfY9hKvOR1PLjdRV0RBhRMMIBMk6
+rWwec/2KYpR6hwvEfTVp/KYDy2z4VUjrrL1FEKrdc0UuZVASl3Frq/VTD8Ia+o0D
+E3Dxh9coeocMkwET1g==
 -----END CERTIFICATE-----