From 4909a4f7fbc119a0b71fc53a53ca90688a80fc4e Mon Sep 17 00:00:00 2001
From: "Zheng, Qi"
Date: Wed, 9 Mar 2022 19:08:34 +0800
Subject: [PATCH] Fix init_ra HW action timing issue
---
.github/workflows/hw_mode_test.yml | 72 +++----------------
.../init_ra_flow/run_till_ready.sh | 27 +++++++
docs/remote_attestation.md | 6 ++
3 files changed, 44 insertions(+), 61 deletions(-)
create mode 100755 demos/remote_attestation/init_ra_flow/run_till_ready.sh
diff --git a/.github/workflows/hw_mode_test.yml b/.github/workflows/hw_mode_test.yml
index ecbab56d..adad5dbb 100644
--- a/.github/workflows/hw_mode_test.yml
+++ b/.github/workflows/hw_mode_test.yml
@@ -835,57 +835,6 @@ jobs:
 if: ${{ always() }}
 run: docker stop ${{ env.CONTAINER_NAME }}
 
- RA_TLS_test:
- if: github.event_name == 'push' || ${{ contains(github.event.pull_request.labels.*.name, 'SGX-hardware-test-required') }}
- runs-on: ${{ matrix.self_runner }}
- strategy:
- matrix:
- self_runner: [[self-hosted, SGX2-HW]]
-
- steps:
- - name: Clean before running
- run: |
- sudo chown -R ${{ secrets.CI_ADMIN }} "${{ github.workspace }}"
-
- - name: Checkout code
- if: github.event_name == 'push'
- uses: actions/checkout@v2
- with:
- submodules: true
-
- - name: Checkout code from fork
- if: ${{ contains(github.event.pull_request.labels.*.name, 'SGX-hardware-test-required') }}
- uses: actions/checkout@v2
- with:
- ref: refs/pull/${{ github.event.pull_request.number }}/merge
- submodules: true
-
- - uses: ./.github/workflows/composite_action/hw
- with:
- container-name: ${{ github.job }}
- build-envs: 'OCCLUM_RELEASE_BUILD=1'
-
- - name: Download source code
- run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/ra_tls; ./download_and_prepare.sh"
-
- - name: Build and install gRPC+RATLS
- run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/ra_tls; ./build_and_install.sh musl"
-
- - name: Build occlum instances
- run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/ra_tls; ./build_occlum_instance.sh musl"
-
- - name: Run gRPC server
- run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/ra_tls; ./run.sh server &"
-
- - name: Run gRPC client
- run: |
- sleep ${{ env.nap_time }};
- docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/ra_tls; ./run.sh client cert"
-
- - name: Clean the environment
- if: ${{ always() }}
- run: docker stop ${{ env.CONTAINER_NAME }}
-
 Init_RA_test:
 if: github.event_name == 'push' || ${{ contains(github.event.pull_request.labels.*.name, 'SGX-hardware-test-required') }}
 runs-on: ${{ matrix.self_runner }}
@@ -916,21 +865,22 @@ jobs:
 container-name: ${{ github.job }}
 build-envs: 'OCCLUM_RELEASE_BUILD=1'
 
- - name: Build the init-ra all content
- run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow; ./build_content.sh"
+ - name: Install dependencies
+ run: docker exec ${{ env.CONTAINER_NAME }} bash -c "apt update && apt install -y netcat"
 
- - name: Run init-ra server and client(flask-tls) on backgroud
- run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow; ./run.sh"
+ - name: Build the init-ra all content
+ run: docker exec ${{ env.CONTAINER_NAME }} bash -c "source /opt/intel/sgxsdk/environment; cd /root/occlum/demos/remote_attestation/init_ra_flow; ./build_content.sh"
+
+ - name: Run init-ra server and client(flask-tls) on backgroud tiil ready
+ run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow; ./run_till_ready.sh"
 
 - name: Test PUT data with certificate
- run: |
- docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow;
- curl --cacert flask.crt -X PUT https://localhost:4996/customer/1 -d "data=Tom"
+ run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow;
+ curl --cacert flask.crt -X PUT https://localhost:4996/customer/1 -d "data=Tom""
 
 - name: Test GET data with certificate
- run: |
- docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow;
- curl --cacert flask.crt -X GET https://localhost:4996/customer/1
+ run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow;
+ curl --cacert flask.crt -X GET https://localhost:4996/customer/1"
 
 - name: Clean the environment
 if: ${{ always() }}
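Review bot: The rewritten `run:` values of the "Test PUT data with certificate" and "Test GET data with certificate" steps rely on YAML silently folding a two-line plain scalar into one command, and the PUT step additionally on `-d "data=Tom""` closing and reopening the `bash -c` string, which only works because the payload contains no whitespace. Make the fold explicit and keep the argument inside the quoted command: `run: >-` / `docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/remote_attestation/init_ra_flow;` / `curl --cacert flask.crt -X PUT https://localhost:4996/customer/1 -d 'data=Tom'"`, with the same shape for the GET step. In the "Install dependencies" step `apt` warns that its CLI is not stable for scripts, so `apt-get update && apt-get install -y netcat` is the conventional form; if the container's base image is one where `netcat` is only a virtual package, name `netcat-openbsd` explicitly. The step name `on backgroud tiil ready` should read `in background till ready`. The `Init_RA_test` job these steps belong to starts and ends outside the hunk.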
diff --git a/demos/remote_attestation/init_ra_flow/run_till_ready.sh b/demos/remote_attestation/init_ra_flow/run_till_ready.sh
new file mode 100755
index 00000000..da44526c
--- /dev/null
+++ b/demos/remote_attestation/init_ra_flow/run_till_ready.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+GRPC_SERVER_IP=localhost
+GRPC_SERVER_PORT=50051
+FLASK_SERVER_IP=localhost
+FLASK_SERVER_PORT=4996
+
+echo "Start GRPC server on backgound ..."
+
+pushd occlum_server
+occlum run /bin/server &
+popd
+
+while ! nc -z $GRPC_SERVER_IP $GRPC_SERVER_PORT; do
+ sleep 1
+done
+
+echo "Start Flask-TLS restful web portal on backgound ..."
+
+pushd occlum_client
+occlum run /bin/rest_api.py &
+popd
+
+while ! nc -z $FLASK_SERVER_IP $FLASK_SERVER_PORT; do
+ sleep 1
+done
diff --git a/docs/remote_attestation.md b/docs/remote_attestation.md
index 5f1b08bd..fd2c74e9 100644
--- a/docs/remote_attestation.md
+++ b/docs/remote_attestation.md
@@ -26,6 +26,12 @@ For details how to use the library, please refer to the [`demo`](../demos/remote
 The source code of the library is in the [`path`](../tools/toolchains/dcap_lib/).
 
+## Init-RA solution
+
+To ease the effort to utilize the remote attestation in real project, Occlum provides a `Init RA` way to seperate the RA operation and the actual application. With this way, the APP developers don't need know too much about the RA and the application doesn't need to be modified for RA.
+
+Details please refer to the demo [`init_ra_flow`](demos/remote_attestation/init_ra_flow).
+
 ## SGX KSS (Key Separation and Sharing feature) support
 
 Starting from SGX2, there is a new Key Separation and Sharing feature which provides more flexibility. The new feature gives user a chance to fill in some meaningful information to the enclave either in the signing or running stage.
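Review bot: Both `while ! nc -z …; do sleep 1; done` loops in run_till_ready.sh never give up, so if a backgrounded `occlum run` exits before its port opens (for instance when the init-RA attestation step fails) the script spins until the CI job-level timeout instead of failing fast with the server's error; `set -e` does not see the exit status of a `&` job, so it offers no protection here. Record each server's pid with `$!`, check it with `kill -0` on every iteration, and bound the number of retries so the script exits non-zero with a message; since both servers use the same pattern, a shared helper keeps the change small. This assumes `occlum run` stays alive as the background job for as long as the server runs, which is worth confirming against its process model.
```shell
# … unchanged: shebang, set -e, *_SERVER_IP / *_SERVER_PORT variables …

# Wait until host:port accepts connections; fail if the server process (pid)
# exits first or the retry budget (default 120 x 1s) runs out.
wait_for_port() {
  local pid="$1" host="$2" port="$3" retries="${4:-120}"
  while ! nc -z "$host" "$port"; do
    if ! kill -0 "$pid" 2>/dev/null; then
      echo "server pid $pid exited before listening on $host:$port" >&2
      return 1
    fi
    retries=$((retries - 1))
    if [ "$retries" -le 0 ]; then
      echo "timed out waiting for $host:$port" >&2
      return 1
    fi
    sleep 1
  done
}

echo "Start GRPC server on backgound ..."

pushd occlum_server
occlum run /bin/server &
GRPC_PID=$!
popd

wait_for_port "$GRPC_PID" "$GRPC_SERVER_IP" "$GRPC_SERVER_PORT"

# … unchanged: Flask-TLS start, with FLASK_PID=$! after its occlum run and the same wait_for_port call …
```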