diff --git a/common/crypto/attestation-api/docker/container/README.md b/common/crypto/attestation-api/docker/container/README.md
new file mode 100644
index 00000000..416f507c
--- /dev/null
+++ b/common/crypto/attestation-api/docker/container/README.md
@@ -0,0 +1,3 @@
+This directory contains scripts to set up the attestation API dependencies in the docker container.
+
+The scripts are obviously meant to be run before the attestation API build and, possibly, during the docker build.
diff --git a/common/crypto/attestation-api/docker/container/setup.sh b/common/crypto/attestation-api/docker/container/setup.sh
new file mode 100755
index 00000000..e10b5ead
--- /dev/null
+++ b/common/crypto/attestation-api/docker/container/setup.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ # install quote library, necessary for dcap attestation generation
+# install quote verify library, necessary for attestation conversion and verification
+# (though inside the enclave we use the static libraries of DCAP)
+apt-get update \
+ && apt-get install -y \
+ && --no-install-recommends \
+ libsgx-dcap-ql-dev \
+ libsgx-dcap-quote-verify-dev
+
+# -----------------------------------------------------------------
+# SGX DCAP Primitives
+# -----------------------------------------------------------------
+apt-get update
+apt-get install -y -q \
+ libboost-dev \
+ libboost-system-dev \
+ libboost-thread-dev \
+ protobuf-c-compiler \
+ libprotobuf-c-dev \
+ protobuf-compiler
+
+# Note: libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h
+apt-get install -y \
+ basez \
+ clang \
+ libsgx-dcap-default-qpl \
+ libsgx-dcap-default-qpl-dev \
+ jq
+
+export DCAP=1.22
+export DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives
+
+git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${DCAP_PRIMITIVES} \
+ && cd ${DCAP_PRIMITIVES}/QuoteVerification \
+ && git checkout DCAP_${DCAP} \
+ && git submodule update --init --recursive
+
+cd ${DCAP_PRIMITIVES}/QuoteGeneration \
+ && ./download_prebuilt.sh \
+ && make GEN_STATIC=1
+
+# NOTE: below the build (./release) is run twice.
Unfortunately, this is necessary because both builds fails
+# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result.
+# This issue has been communicated to the developers of the DCAP primitives.
+cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src \
+ && ./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF ; ./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
+
+echo '{\n\
+ "pccs_url": "https://localhost:8081/sgx/certification/v4/", \n\
+ "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",\n\
+ "use_secure_cert": false\n\
+ }' > /etc/sgx_default_qcnl.conf
+
diff --git a/docker/pdo_services_base.dockerfile b/docker/pdo_services_base.dockerfile
index f84c21a2..339366f6 100644
--- a/docker/pdo_services_base.dockerfile
+++ b/docker/pdo_services_base.dockerfile
@@ -36,8 +36,6 @@ RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${U
 --no-install-recommends \
 libsgx-urts \
 libsgx-uae-service \
- libsgx-dcap-ql-dev \
- libsgx-dcap-quote-verify-dev \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
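Review bot: The first apt-get block in setup.sh is broken: the `&&` in front of `--no-install-recommends` terminates `apt-get install -y` with no packages and then runs `--no-install-recommends libsgx-dcap-ql-dev libsgx-dcap-quote-verify-dev` as a command name, so neither library is installed unless another package happens to pull it in — and since the same commit drops both packages from pdo_services_base.dockerfile, the quote and quote-verify development headers the attestation API build relies on would be missing from the image. The script also never sets `set -euo pipefail`, and the Dockerfile RUN step only sees the exit status of the final `echo`, so a failed clone, checkout, `make` or `./release` would yield an image with missing or stale attestation libraries without failing the build. Bash's builtin `echo` does not expand `\n` without `-e` and keeps a backslash-newline inside single quotes literally, so `/etc/sgx_default_qcnl.conf` is most likely written with literal `\n\` sequences and is not valid JSON; the Dockerfile version presumably worked because the Dockerfile parser joined the continuation lines and `/bin/sh`'s echo expanded `\n`, and a quoted here-document writes the file verbatim instead. The deliberate double `./release` run should keep ignoring the first invocation's status under `set -e`, as the original `;` did. Note that `use_secure_cert: false` (carried over unchanged) disables certificate verification towards the PCCS, so the localhost URL should only be paired with a trusted local PCCS.
```shell
#!/bin/bash
# … unchanged: license header …
set -euo pipefail

# install quote library, necessary for dcap attestation generation
# install quote verify library, necessary for attestation conversion and verification
# (though inside the enclave we use the static libraries of DCAP)
apt-get update \
  && apt-get install -y --no-install-recommends \
    libsgx-dcap-ql-dev \
    libsgx-dcap-quote-verify-dev

# … unchanged: DCAP primitives packages, DCAP/DCAP_PRIMITIVES exports, clone and QuoteGeneration build …

# NOTE: ./release is run twice on purpose (see above); the first run's status is
# ignored, as the original ';' did, so that set -e does not abort on it.
cd "${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src" \
  && { ./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF || true; } \
  && ./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF

# quoted here-doc: written verbatim, no echo escape handling involved
cat > /etc/sgx_default_qcnl.conf <<'EOF'
{
  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
  "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
  "use_secure_cert": false
}
EOF
```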
@@ -86,50 +84,11 @@ RUN . /opt/intel/sgxsdk/environment \
 ENV SGX_SSL="/opt/intel/sgxssl"
-
 # -----------------------------------------------------------------
-# SGX DCAP Primitives
+# Install dependencies for Attestation API
 # -----------------------------------------------------------------
-RUN apt-get update
-RUN apt-get install -y -q \
- libboost-dev \
- libboost-system-dev \
- libboost-thread-dev \
- protobuf-c-compiler \
- libprotobuf-c-dev \
- protobuf-compiler
-RUN apt-get install -y \
- basez \
- clang \
- libsgx-dcap-default-qpl \
- #libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h
- libsgx-dcap-default-qpl-dev \
- jq
-
-ARG DCAP=1.22
-ENV DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives
-
-RUN git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git ${DCAP_PRIMITIVES} \
- && cd ${DCAP_PRIMITIVES}/QuoteVerification \
- && git checkout DCAP_${DCAP} \
- && git submodule update --init --recursive
-
-RUN cd ${DCAP_PRIMITIVES}/QuoteGeneration \
- && ./download_prebuilt.sh \
- && make GEN_STATIC=1
-
-# NOTE: below the build (./release) is run twice. Unfortunately, this is necessary because both builds fails
-# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result.
-# This issue has been communicated to the developers of the DCAP primitives.
-RUN cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src \
- && ./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF ; ./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
-
-RUN echo '{\n\
- "pccs_url": "https://localhost:8081/sgx/certification/v4/", \n\
- "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",\n\
- "use_secure_cert": false\n\
- }' > /etc/sgx_default_qcnl.conf
+RUN /project/pdo/common/crypto/attestation-api/docker/container/setup.sh
 # -----------------------------------------------------------------
 # -----------------------------------------------------------------
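Review bot: Removing `ARG DCAP=1.22` drops the build-time override of the DCAP tag: the new `RUN` line calls setup.sh, which now hard-codes `export DCAP=1.22`, so `--build-arg DCAP=...` no longer has any effect on which SGXDataCenterAttestationPrimitives tag is checked out. If that override is still wanted, keep `ARG DCAP=1.22` here and pass it through, e.g. `RUN DCAP=${DCAP} /project/pdo/common/crypto/attestation-api/docker/container/setup.sh`, with the script defaulting via `${DCAP:-1.22}`. Unlike the earlier `RUN apt-get ...` step in this file, this step leaves `/var/lib/apt/lists/*` in the layer; appending `&& apt-get clean && rm -rf /var/lib/apt/lists/*` would match the rest of the file. This RUN also succeeds or fails solely on the script's last command, so whether a failed dependency build fails the image build depends on the script's own error handling.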