Add demo with init aecs

Zheng, Qi 2023-03-24 19:08:51 +08:00 committed by volcano
parent e6563e7fe3
commit 566f32f7fc
3 changed files with 103 additions and 0 deletions

@ -0,0 +1,54 @@
# Secret acquisition with AECS client in Occlum Init
In this demo, we will show how to acquire secrets in Occlum init by AECS client.
[AECS](https://github.com/SOFAEnclave/enclave-configuration-service) is a short name of **Attestation based Enclave Configuration Service**. Basically, part of its function is acting as a remote attestation based key management service.
Occlum provides a way to embed the AECS client function in Occlum Init process by simply running `occlum new --init-ra aecs` to initiate an Occlum instance.
## Start a demo AECS server
A public docker image for AECS server is provided for test only. It's running in simulation mode and also has debug log messages. Start it like this:
```
git clone https://github.com/SOFAEnclave/enclave-configuration-service.git
cd enclave-configuration-service
./deployment/aecs_test.sh start # stop command to stop it
```
Once successful, a demo AECS server is started locally. It holds secrets **secret-my-keypair** and **secret-my-aes256-key** for test purpose. The below client demo tries to acquire those two secrets in customized **Occlum Init** by predefined **init_ra_conf.json**.
## Build and Run the client demo
### Prerequisites
A valid PCCS service should be accessible in your environment. This demo is verified in Aliyun, thus `https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/` is used as the PCCS URL. And please also make sure the client demo can access the locally started AECS server. For example,
* Start the Occlum develop container with host network
```
docker run --rm -it \
--device /dev/sgx/enclave --device /dev/sgx/provision \
--network host \
occlum/occlum:latest-ubuntu20.04 bash
```
In the container, update the **pccs_url** in the file `/etc/sgx_default_qcnl.conf` with the valid address.
### Build the demo
Just run `build.sh`, it generates an Occlum instance with:
* Init with AECS client.
* `busybox` is added to act as the real application.
Note, a valid PCCS URL needs to be passed to the Occlum instance. In our case, Aliyun `https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/` is used. Also, to acquire the secrets, the secret name and saved path should be filled into the `init_ra_conf.json` before occlum build. Details please refer to the script [build.sh](./build.sh).
### Run the demo
The boot flow of the demo is as below.
```
init (get secrets and save to rootfs per the definition in init_ra_conf.json) --> busybox
```
Thus, a simple command as below will print the secret **secret-my-keypair** acquired in **init** process.
```
occlum run /bin/busybox cat /etc/saved_secret_rsa_keypair
```
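Review bot: The "Build the demo" section says a valid PCCS URL "needs to be passed to the Occlum instance" but does not say how. From build.sh in this commit, the URL is the script's first positional argument and falls back to the Aliyun endpoint when omitted, so the README should show the invocation, for example `./build.sh <pccs_url>`, and state the default. The run step could also name the second saved path, `/etc/saved_secret_aes_256`, since two secrets are requested but only `/etc/saved_secret_rsa_keypair` is shown. Separately, the `docker run` example uses the floating tag `occlum/occlum:latest-ubuntu20.04`; naming the Occlum version the demo was verified with would keep the instructions reproducible.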

@ -0,0 +1,9 @@
includes:
- base.yaml
# bash
targets:
# copy busybox
- target: /bin
copy:
- files:
- /opt/occlum/toolchains/busybox/glibc/busybox
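Review bot: The `# bash` comment above `targets:` is not followed by anything bash-related; the only target in this file copies busybox into `/bin`. Drop the comment, or if the demo is meant to ship bash as well, add the corresponding entry.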

@ -0,0 +1,40 @@
#! /bin/bash
set -e
UA_ENV_PCCS_URL=${1:-https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/}
function update_client_init_ra_conf()
{
local ua_pccs_url=$1
# Fill in the keys
new_json="$(jq '.kms_keys = [ {"key": "secret-my-keypair", "path": "/etc/saved_secret_rsa_keypair", "service": "service1"}] |
.kms_keys += [ {"key": "secret-my-aes256-key", "path": "/etc/saved_secret_aes_256", "service": "service1"}]' init_ra_conf.json)" && \
echo "${new_json}" > init_ra_conf.json
# Fill in the ua pccs url
new_json="$(jq .ua_env_pccs_url=\"$ua_pccs_url\" init_ra_conf.json)" && \
echo "${new_json}" > init_ra_conf.json
# Fill in the KMS ra_config measurements if necessary.
}
rm -rf occlum_instance
occlum new occlum_instance --init-ra aecs
pushd occlum_instance
rm -rf image
copy_bom -f ../app.yaml --root image --include-dir /opt/occlum/etc/template
new_json="$(jq '.resource_limits.user_space_size = "800MB" |
.resource_limits.kernel_space_stack_size ="2MB" ' Occlum.json)" && \
echo "${new_json}" > Occlum.json
# Update init_ra_conf.json
update_client_init_ra_conf $UA_ENV_PCCS_URL
occlum build
popd
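Review bot: In `update_client_init_ra_conf`, the PCCS URL is spliced into the jq program text (`jq .ua_env_pccs_url=\"$ua_pccs_url\"`), so a value from `$1` containing a quote, backslash or whitespace either breaks the filter or changes what it does. Pass it as data instead, `jq --arg url "$ua_pccs_url" '.ua_env_pccs_url = $url' init_ra_conf.json`, and quote the call site as `update_client_init_ra_conf "$UA_ENV_PCCS_URL"`. The function also ends on the comment `# Fill in the KMS ra_config measurements if necessary.` with no code behind it; either set the fields here or say in the README that the demo leaves them at the template's values.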