general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[demo] Update init_aecs demo by setting PCCS URL when running

Browse Source
This commit is contained in:
Zheng, Qi 2023-09-04 17:34:42 +08:00 committed by volcano
parent b7ea38874b
commit 99dedabc0b
2 changed files with 8 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
demos/remote_attestation/init_aecs_client/README.md
View File

@ -49,6 +49,8 @@ init (get secrets and save to rootfs per the definition in init_ra_conf.json) --
``` ```
Thus, a simple command as below will print the secret **secret-my-keypair** acquired in **init** process. Thus, a simple command as below will print the secret **secret-my-keypair** acquired in **init** process.
Just note, **UA_ENV_PCCS_URL** needs to be set as PCCS URL when running.
``` ```
occlum run /bin/busybox cat /etc/saved_secret_rsa_keypair UA_ENV_PCCS_URL=https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/ occlum run /bin/busybox cat /etc/saved_secret_rsa_keypair
``` ```

15
demos/remote_attestation/init_aecs_client/build.sh
View File

@ -2,21 +2,15 @@
set -e set -e
UA_ENV_PCCS_URL=${1:-https://sgx-dcap-server.cn-shanghai.aliyuncs.com/sgx/certification/v3/}
function update_client_init_ra_conf() function update_client_init_ra_conf()
{ {
local ua_pccs_url=$1
# Fill in the keys # Fill in the keys
new_json="$(jq '.kms_keys = [ {"key": "secret-my-keypair", "path": "/etc/saved_secret_rsa_keypair", "service": "service1"}] | new_json="$(jq '.kms_keys = [ {"key": "secret-my-keypair", "path": "/etc/saved_secret_rsa_keypair", "service": "service1"}] |
.kms_keys += [ {"key": "secret-my-aes256-key", "path": "/etc/saved_secret_aes_256", "service": "service1"}]' init_ra_conf.json)" && \ .kms_keys += [ {"key": "secret-my-aes256-key", "path": "/etc/saved_secret_aes_256", "service": "service1"}]' init_ra_conf.json)" && \
echo "${new_json}" > init_ra_conf.json echo "${new_json}" > init_ra_conf.json
# Fill in the ua pccs url # Fill in the ua pccs url if for sure
new_json="$(jq .ua_env_pccs_url=\"$ua_pccs_url\" init_ra_conf.json)" && \ # otherwise this value could overwritten when running with env UA_ENV_PCCS_URL set
echo "${new_json}" > init_ra_conf.json
# Fill in the KMS ra_config measurements if necessary. # Fill in the KMS ra_config measurements if necessary.
} }
@ -29,11 +23,12 @@ rm -rf image
copy_bom -f ../app.yaml --root image --include-dir /opt/occlum/etc/template copy_bom -f ../app.yaml --root image --include-dir /opt/occlum/etc/template
new_json="$(jq '.resource_limits.user_space_size = "800MB" | new_json="$(jq '.resource_limits.user_space_size = "800MB" |
.resource_limits.kernel_space_stack_size ="2MB" ' Occlum.json)" && \ .resource_limits.kernel_space_stack_size ="2MB" |
.env.untrusted += [ "UA_ENV_PCCS_URL", "OCCLUM_INIT_RA_KMS_SERVER" ]' Occlum.json)" && \
echo "${new_json}" > Occlum.json echo "${new_json}" > Occlum.json
# Update init_ra_conf.json # Update init_ra_conf.json
update_client_init_ra_conf $UA_ENV_PCCS_URL update_client_init_ra_conf
occlum build occlum build