This guide will show you how to run the ecdsa baesd remote attestation server on Occlum Libos and rune
.
- It is recommended to develop in the Occlum image.
docker run -it --privileged --network host \
-v /dev/sgx_enclave:/dev/sgx/enclave \
-v /dev/sgx_provision:/dev/sgx/provision \
-v /var/run/aesmd:/var/run/aesmd \
occlum/occlum:0.28.0-ubuntu20.04
-
Please refer to this guide to install DCAP. Note: If your platform is pre-product SGX platform (SBX), please follow this guide to resolve the quote verification problem on SBX platforms.
-
After you resolve the quote verification problem on SBX platforms, please to recompile Occlum using the following command:
cd occlum
make submodule && OCCLUM_RELEASE_BUILD=1 make install
- Download the latest source code of RATS TLS
mkdir -p "$WORKSPACE"
cd "$WORKSPACE"
git clone https://github.com/inclavare-containers/rats-tls
- Build and install RATS TLS
cd rats-tls
cmake -DRATS_TLS_BUILD_MODE="occlum" -DBUILD_SAMPLES=on -H. -Bbuild
make -C build install
Note that the implementation of the Unix socket in Occlum is NOT complete yet. Occlum only supports the connection between the internal Unix sockets of Occlum.
In addition, Occlum only provides occlum-go
to compile go program. While the rats-tls is compiled based on gcc
. In practice, using occlum-go
to compile the rats-tls-server
program linked with rats-tls will generate undefined symbol errors. Therefore we provide the server and client programs in C language for functional elaboration. With the continuous development of occlum functions, this will no longer be a problem.
Right now, RATS TLS running on Occlum Libos supports the following instance types:
Priority | Tls Wrapper instances | Attester instances | Verifier instances | Crypto Wrapper Instance |
---|---|---|---|---|
low | nulltls | nullattester | nullverifier | nullcrypto |
Medium | openssl | sgx_ecdsa | sgx_ecdsa_qve | openssl |
cd /usr/share/rats-tls/samples
# 1. Init Occlum server Workspace
rm -rf occlum_workspace_server
mkdir occlum_workspace_server
cd occlum_workspace_server
occlum init
# 2. Copy files into Occlum Workspace and Build
cp ../rats-tls-server image/bin
cp /lib/x86_64-linux-gnu/libdl.so.2 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libssl.so.1.1 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 image/opt/occlum/glibc/lib
mkdir -p image/usr/local/lib
cp -rf /usr/local/lib/rats-tls image/usr/local/lib
occlum build
occlum run /bin/rats-tls-server -m -l debug
Type the following commands to generate a minimal, self-contained package (.tar.gz) for the Occlum instance.
cd occlum_workspace_server
occlum package occlum_instance.tar.gz
Now you can build your occlum container image in occlum_workspace directory on your host system.
Type the following commands to create a Dockerfile
:
cp /usr/lib/x86_64-linux-gnu/libsgx_pce.signed.so ./
cp /usr/lib/x86_64-linux-gnu/libsgx_qe3.signed.so ./
cp /usr/lib/x86_64-linux-gnu/libsgx_qve.signed.so ./
cat >Dockerfile <<EOF
FROM ubuntu:18.04
RUN mkdir -p /run/rune
WORKDIR /run/rune
ADD occlum_instance.tar.gz /run/rune
COPY libsgx_pce.signed.so /usr/lib/x86_64-linux-gnu
COPY libsgx_qe3.signed.so /usr/lib/x86_64-linux-gnu
COPY libsgx_qve.signed.so /usr/lib/x86_64-linux-gnu/
ENTRYPOINT ["/bin/rats-tls-server"]
EOF
then build the Occlum container image with the command:
docker build . -t occlum-app
Please refer to guide to integrate OCI runtime rune with docker.
docker run -it --rm --runtime=rune --net host \
-e ENCLAVE_TYPE=intelSgx \
-e ENCLAVE_RUNTIME_PATH=/opt/occlum/build/lib/libocclum-pal.so \
-e ENCLAVE_RUNTIME_ARGS=occlum_workspace_server \
occlum-app -m
Note that -m
option means build mutual remote attestation with client. You can remove -m
to build one-way attestation.
There are two way to run client.
cd /usr/share/rats-tls/samples
# 1. Init Occlum client Workspace
rm -rf occlum_workspace_client
mkdir occlum_workspace_client
cd occlum_workspace_client
occlum init
# 2. Copy files into Occlum Workspace and Build
cp ../rats-tls-client image/bin
cp /lib/x86_64-linux-gnu/libdl.so.2 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libssl.so.1.1 image/opt/occlum/glibc/lib
cp /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 image/opt/occlum/glibc/lib
mkdir -p image/usr/local/lib
cp -rf /usr/local/lib/rats-tls image/usr/local/lib
occlum build
occlum run /bin/rats-tls-client -l debug -m
cd "$WORKSPACE"/rats-tls
make -C build clean && make -C build uninstall
cmake -DRATS_TLS_BUILD_MODE="sgx" -DBUILD_SAMPLES=on -H. -Bbuild
make -C build install
cd /usr/share/rats-tls/samples
./rats-tls-client -a sgx_ecdsa -m -l debug