run_rats_tls_with_occlum.md

File metadata and controls

171 lines (122 loc) · 5.6 KB

This guide shows how to run the ECDSA-based remote attestation server on the Occlum LibOS and rune.

## Before you start

1. It is recommended to develop in the Occlum image:

```shell
docker run -it --privileged --network host \
  -v /dev/sgx_enclave:/dev/sgx/enclave \
  -v /dev/sgx_provision:/dev/sgx/provision \
  -v /var/run/aesmd:/var/run/aesmd \
  occlum/occlum:0.28.0-ubuntu20.04
```

2. Please refer to this guide to install DCAP. Note: if your platform is a pre-production SGX platform (SBX), please follow this guide to resolve the quote verification problem on SBX platforms.

3. After you resolve the quote verification problem on SBX platforms, please recompile Occlum using the following command:

```shell
cd occlum
make submodule && OCCLUM_RELEASE_BUILD=1 make install
```

## Quick start

1. Download the latest source code of RATS TLS:

```shell
mkdir -p "$WORKSPACE"
cd "$WORKSPACE"
git clone https://github.com/inclavare-containers/rats-tls
```

2. Build and install RATS TLS:

```shell
cd rats-tls
cmake -DRATS_TLS_BUILD_MODE="occlum" -DBUILD_SAMPLES=on -H. -Bbuild
make -C build install
```

Note that the Unix socket implementation in Occlum is NOT complete yet: Occlum only supports connections between Unix sockets internal to Occlum.

In addition, Occlum only provides occlum-go to compile Go programs, while rats-tls is compiled with gcc. In practice, using occlum-go to compile the rats-tls-server program linked against rats-tls produces undefined-symbol errors. Therefore we provide the server and client programs in C for the functional walkthrough. As Occlum's functionality continues to develop, this will no longer be a problem.

## Run RATS TLS with Occlum and Rune

Right now, RATS TLS running on the Occlum LibOS supports the following instance types:

| Priority | TLS wrapper instances | Attester instances | Verifier instances | Crypto wrapper instances |
|----------|-----------------------|--------------------|--------------------|--------------------------|
| Low      | nulltls               | nullattester       | nullverifier       | nullcrypto               |
| Medium   | openssl               | sgx_ecdsa          | sgx_ecdsa_qve      | openssl                  |

### Building Occlum container image

```shell
cd /usr/share/rats-tls/samples

# 1. Init Occlum server Workspace
rm -rf occlum_workspace_server
mkdir occlum_workspace_server
cd occlum_workspace_server
occlum init

# 2. Copy files into Occlum Workspace and Build
cp ../rats-tls-server image/bin
cp /lib/x86_64-linux-gnu/libdl.so.2 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libssl.so.1.1 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 image/opt/occlum/glibc/lib
mkdir -p image/usr/local/lib
cp -rf /usr/local/lib/rats-tls image/usr/local/lib

occlum build
occlum run /bin/rats-tls-server -m -l debug
```

Type the following commands to generate a minimal, self-contained package (.tar.gz) for the Occlum instance.

```shell
cd occlum_workspace_server
occlum package occlum_instance.tar.gz
```

### Create Occlum container image

Now you can build your Occlum container image in the occlum_workspace_server directory on your host system.

Type the following commands to create a Dockerfile:

```shell
cp /usr/lib/x86_64-linux-gnu/libsgx_pce.signed.so ./
cp /usr/lib/x86_64-linux-gnu/libsgx_qe3.signed.so ./
cp /usr/lib/x86_64-linux-gnu/libsgx_qve.signed.so ./

cat >Dockerfile <<EOF
FROM ubuntu:18.04

RUN mkdir -p /run/rune
WORKDIR /run/rune

ADD occlum_instance.tar.gz /run/rune

COPY libsgx_pce.signed.so /usr/lib/x86_64-linux-gnu
COPY libsgx_qe3.signed.so /usr/lib/x86_64-linux-gnu
COPY libsgx_qve.signed.so /usr/lib/x86_64-linux-gnu/

ENTRYPOINT ["/bin/rats-tls-server"]
EOF
```

Then build the Occlum container image with the command:

```shell
docker build . -t occlum-app
```

### Integrate OCI Runtime rune with Docker

Please refer to this guide to integrate the OCI runtime rune with Docker.

### Running Occlum container image

```shell
docker run -it --rm --runtime=rune --net host \
  -e ENCLAVE_TYPE=intelSgx \
  -e ENCLAVE_RUNTIME_PATH=/opt/occlum/build/lib/libocclum-pal.so \
  -e ENCLAVE_RUNTIME_ARGS=occlum_workspace_server \
  occlum-app -m
```

Note that the -m option enables mutual remote attestation with the client. Remove -m for one-way attestation.

## Run client

There are two ways to run the client.

### Run client based on Occlum

```shell
cd /usr/share/rats-tls/samples

# 1. Init Occlum client Workspace
rm -rf occlum_workspace_client
mkdir occlum_workspace_client
cd occlum_workspace_client
occlum init

# 2. Copy files into Occlum Workspace and Build
cp ../rats-tls-client image/bin
cp /lib/x86_64-linux-gnu/libdl.so.2 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libssl.so.1.1 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 image/opt/occlum/glibc/lib
mkdir -p image/usr/local/lib
cp -rf /usr/local/lib/rats-tls image/usr/local/lib

occlum build
occlum run /bin/rats-tls-client -l debug -m
```
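Both the server and the client workspace steps above copy the sample binary and its libraries into the Occlum image with a chain of unchecked cp commands. The following POSIX shell script (an added example, not part of this guide or the rats-tls project) stages the same files but verifies that every input exists first, so a missing library is caught before occlum build instead of surfacing as a load failure inside the enclave. It assumes the paths used in this guide, that the script is run from the samples directory, and that occlum init has already been run in the workspace (it creates the image subdirectories it populates if they are absent).

```shell
#!/bin/sh
# Added example, not from this guide or the rats-tls project: stage a rats-tls
# sample binary plus its runtime dependencies into an Occlum workspace image,
# checking that every input exists before copying anything.
set -eu

# Host libraries this guide copies into image/opt/occlum/glibc/lib (one per line).
HOST_LIBS="/lib/x86_64-linux-gnu/libdl.so.2
/usr/lib/x86_64-linux-gnu/libssl.so.1.1
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1"

# stage_occlum_image <workspace> <sample_binary> <rats_tls_plugin_dir> <host_lib>...
# Returns 1 without touching the workspace if any input is missing, so a
# half-populated image is never left behind for `occlum build` to pick up.
stage_occlum_image() {
    ws=$1; bin=$2; plugins=$3; shift 3
    missing=0
    for f in "$bin" "$plugins" "$@"; do
        [ -e "$f" ] || { echo "missing dependency: $f" >&2; missing=1; }
    done
    [ "$missing" -eq 0 ] || return 1
    # occlum init creates image/; make sure the directories we populate exist.
    mkdir -p "$ws/image/bin" "$ws/image/opt/occlum/glibc/lib" "$ws/image/usr/local/lib"
    cp "$bin" "$ws/image/bin/"
    for lib in "$@"; do cp "$lib" "$ws/image/opt/occlum/glibc/lib/"; done
    cp -r "$plugins" "$ws/image/usr/local/lib/"   # the /usr/local/lib/rats-tls plugin tree
}

# check_staged <workspace> <binary_name>: confirm the image holds everything the
# sample needs, matching the layout this guide builds by hand.
check_staged() {
    ws=$1; name=$2
    [ -x "$ws/image/bin/$name" ] || return 1
    for lib in libdl.so.2 libssl.so.1.1 libcrypto.so.1.1; do
        [ -f "$ws/image/opt/occlum/glibc/lib/$lib" ] || return 1
    done
    [ -d "$ws/image/usr/local/lib/rats-tls" ] || return 1
}

# Run as `sh stage.sh occlum_workspace_server ./rats-tls-server` from the samples
# directory (or with occlum_workspace_client and ./rats-tls-client for the client);
# sourcing the file only defines the functions.
if [ $# -ge 1 ]; then
    bin=${2:-./rats-tls-server}
    # shellcheck disable=SC2086  # HOST_LIBS is intentionally word-split
    stage_occlum_image "$1" "$bin" /usr/local/lib/rats-tls $HOST_LIBS
    check_staged "$1" "$(basename "$bin")" && echo "image staged; now run: occlum build"
fi
```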

### Run client based on sgxsdk

```shell
cd "$WORKSPACE"/rats-tls
make -C build clean && make -C build uninstall
cmake -DRATS_TLS_BUILD_MODE="sgx" -DBUILD_SAMPLES=on -H. -Bbuild
make -C build install
cd /usr/share/rats-tls/samples
./rats-tls-client -a sgx_ecdsa -m -l debug
```