From b0989b6d46ad703f0bd63930092f875035051a80 Mon Sep 17 00:00:00 2001
From: Devki Jha
Date: Thu, 20 Jul 2023 11:18:02 +0100
Subject: [PATCH] add swtpm demo add tss script
---
 .github/workflows/demo_test.yml | 23 +++++++++++++++++++
 demos/README.md | 1 +
 demos/swtpm/README.md | 40 +++++++++++++++++++++++++++++++++
 demos/swtpm/install_swtpm.sh | 32 ++++++++++++++++++++++++++
 demos/swtpm/run_client.sh | 18 +++++++++++++++
 demos/swtpm/run_swtpm.sh | 24 ++++++++++++++++++++
 demos/swtpm/swtpm.yaml | 15 +++++++++++++
 7 files changed, 153 insertions(+)
 create mode 100644 demos/swtpm/README.md
 create mode 100755 demos/swtpm/install_swtpm.sh
 create mode 100755 demos/swtpm/run_client.sh
 create mode 100755 demos/swtpm/run_swtpm.sh
 create mode 100644 demos/swtpm/swtpm.yaml
diff --git a/.github/workflows/demo_test.yml b/.github/workflows/demo_test.yml
index 0f0f5e69..e384784a 100644
--- a/.github/workflows/demo_test.yml
+++ b/.github/workflows/demo_test.yml
@@ -871,3 +871,26 @@ jobs:
 - name: Run runtime boot instance
 run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/runtime_boot/boot_instance && occlum run /bin/occlum_bash_test.sh"
+
+ Swtpm_test:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v1
+ with:
+ submodules: true
+
+ - uses: ./.github/workflows/composite_action/sim
+ with:
+ container-name: ${{ github.job }}
+ build-envs: 'OCCLUM_RELEASE_BUILD=1'
+
+ - name: download and build swtpm
+ run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/swtpm; ./install_swtpm.sh"
+
+ - name: Run swtpm server
+ run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/swtpm && SGX_MODE=SIM ./run_swtpm.sh" &
+
+ - name: download tss and run a test
+ run: |
+ sleep ${{ env.nap_time }};
+ docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/swtpm; ./run_client.sh"
diff --git a/demos/README.md b/demos/README.md
index 37bfa271..6549d5d4 100644
--- a/demos/README.md
+++ b/demos/README.md
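Review bot: The `Run swtpm server` step backgrounds the whole `docker exec … ./run_swtpm.sh` with a trailing `&`, so a failing `occlum build` or server start can never fail that step; it only shows up as a connection error in the next step after the fixed `sleep ${{ env.nap_time }}` (nap_time is presumably defined earlier in the workflow, outside this hunk). A bounded readiness poll on the command port 2321 in the test step, instead of the fixed sleep, keeps the real failure visible and makes the job less timing-dependent. The install and test steps also chain `cd … ;` while the server step uses `cd … &&`; with `;` a failed `cd` runs the script from the wrong directory, so `bash -c "cd /root/occlum/demos/swtpm && ./install_swtpm.sh"` and the same for `./run_client.sh` would match the server step.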
@@ -28,6 +28,7 @@ This set of demos shows how real-world apps can be easily run inside SGX enclave
 * [redis](redis/): A demo of [Redis](https://redis.io).
 * [sofaboot](sofaboot/): A demo of [SOFABoot](https://github.com/sofastack/sofa-boot), an open source Java development framework based on Spring Boot.
 * [sqlite](sqlite/) A demo of [SQLite](https://www.sqlite.org) SQL database engine.
+* [swtpm](swtpm/) A demo of [SWTPM](https://github.com/stefanberger/swtpm) Software Trusted Platform Module (TPM) Emulator.
 * [tensorflow](tensorflow/tensorflow_training): A demo of [TensorFlow](https://www.tensorflow.org/) MNIST classification training.
 * [tensorflow_lite](tensorflow_lite/): A demo and benchmark of [TensorFlow Lite](https://www.tensorflow.org/lite) inference engine.
 * [tensorflow_serving](tensorflow/tensorflow_serving): A demo of [TensorFlow Serving](https://github.com/tensorflow/serving)
diff --git a/demos/swtpm/README.md b/demos/swtpm/README.md
new file mode 100644
index 00000000..984bddb5
--- /dev/null
+++ b/demos/swtpm/README.md
@@ -0,0 +1,40 @@
+# Run SWTPM on Occlum
+
+[`SWTPM`](https://github.com/stefanberger/swtpm) is a widely used open-source software-based Trusted Platform Module (TPM) emulator based on [`Libtpms`](https://github.com/stefanberger/libtpms). This project demonstrates how SWTPM can be used in SGX enclave using Occlum.
+
+Step 1: Download and install SWTPM
+```
+./install_swtpm.sh
+```
+This command downloads Libtpms and SWTPM source code and builds from it.
+When completed, all SWTPM related binaries and tools are installed.
+
+Step 2: Run SWTPM
+```
+./run_swtpm.sh
+```
+This command initializes and runs the SWTPM in SGX.
+
+When completed, the server starts to wait for TPM Software Stack (TSS). SWTPM is compatible with all type of TSS. For more information on TSS, check [`IBM's TPM2.0 TSS`](https://sourceforge.net/p/ibmtpm20tss/tss/ci/master/tree/) or [`TCG TPM2 TSS`](https://github.com/tpm2-software/tpm2-tss).
+
+
+(Optional) Step 3: Test with [`IBM's TPM2.0 TSS`](https://sourceforge.net/p/ibmtpm20tss/tss/ci/master/tree/)
+```
+./run_client.sh
+```
+This command first install TSS and specifies the TPM ports. Next, it starts the TPM and runs getrandom function to create a random number of 128 Bytes. The output is similar to as given below.
+
+ ```
+ d5 7b b6 98 ce 93 c1 55 66 0d 90 d0 24 ae fc 3a
+ 89 09 00 a7 ea d3 ca c8 4d 40 46 60 53 21 00 0a
+ eb a7 eb ef 13 3e 0a de df 29 85 8c 50 34 c0 0c
+ 2a 9e 74 e4 50 65 c2 30 16 eb e8 e3 a2 74 a9 7c
+ 84 06 7c 0f 4e 10 1c 0c 80 fb a7 1c 0b ba 13 d7
+ de 25 e0 44 2f 22 75 76 70 87 e0 a3 c5 bb 28 5c
+ df 26 a5 92 48 e2 3a e5 77 ce 76 df 76 84 3a 6a
+ b7 97 33 94 8d 57 2e 90 b5 61 89 cb 62 ed ce 09
+```
+
+
+
+
diff --git a/demos/swtpm/install_swtpm.sh b/demos/swtpm/install_swtpm.sh
new file mode 100755
index 00000000..23db3087
--- /dev/null
+++ b/demos/swtpm/install_swtpm.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+# Prepare environment
+DEPS="git gcc-multilib fuse automake autoconf libtool make gcc libc-dev libssl-dev libc6-dev libgmp-dev libnspr4-dev libnss3-dev pkg-config libfuse-dev libglib2.0-dev expect libtasn1-dev socat tpm-tools python3-twisted gnutls-dev gnutls-bin libjson-glib-dev libseccomp-dev gawk net-tools build-essential devscripts equivs"
+
+apt-get update
+apt-get install -y ${DEPS}
+
+# 1. Init occlum workspace
+[ -d occlum_instance ] || occlum new occlum_instance
+
+# 2. Install libtpms and swtpm to specified position
+[ -d $script_dir/libtpms ] || mkdir $script_dir/libtpms &&
+ cd $script_dir/libtpms &&
+ git clone https://github.com/stefanberger/libtpms.git . &&
+ ./autogen.sh --with-openssl --prefix=/usr --with-tpm2 &&
+ make &&
+ make check &&
+ make install &&
+ cd ..
+
+[ -d $script_dir/swtpm ] || mkdir $script_dir/swtpm &&
+ cd $script_dir/swtpm &&
+ git clone https://github.com/stefanberger/swtpm.git . &&
+ ./autogen.sh --prefix=/usr &&
+ make &&
+ make check &&
+ make install
+
diff --git a/demos/swtpm/run_client.sh b/demos/swtpm/run_client.sh
new file mode 100755
index 00000000..817b88f7
--- /dev/null
+++ b/demos/swtpm/run_client.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Download and install TSS
+wget https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss1.5.0.tar.gz/download -O ibmtss1.5.0.tar.gz
+mkdir ibmtss
+cd ibmtss
+tar zxvf ../ibmtss1.5.0.tar.gz
+cd utils
+make -f makefiletpmc
+
+
+# Set the TPM variables for TSS
+export TPM_COMMAND_PORT=2321 TPM_PLATFORM_PORT=2322 TPM_SERVER_NAME=localhost TPM_INTERFACE_TYPE=socsim TPM_SERVER_TYPE=raw
+
+
+# Start the TPM and test
+./startup
+./getrandom -by 128
diff --git a/demos/swtpm/run_swtpm.sh b/demos/swtpm/run_swtpm.sh
new file mode 100755
index 00000000..3bbf5e96
--- /dev/null
+++ b/demos/swtpm/run_swtpm.sh
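Review bot: Both chains clone and `make install` whatever upstream `master` is at run time (`git clone https://github.com/stefanberger/libtpms.git .` and the matching swtpm clone), as root into `--prefix=/usr`, so the demo is not reproducible and any upstream change lands in the enclave image unreviewed; pin a release with `git clone --depth 1 --branch "<pinned-tag>" …` (placeholder; use the tags the demo was tested with) and record them in the README. `set -e` also gives no protection inside these `&&` lists: if `make check` of libtpms fails, only the rest of that chain is skipped, the swtpm chain still runs and the script can exit 0, so the CI job passes with a broken libtpms. Appending `|| exit 1` to each chain, or putting each build in a function called on its own line, makes a failed step abort. On a re-run with the directory already present the guard skips `mkdir` but `git clone … .` then fails on a non-empty directory and is masked the same way.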
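Review bot: The tarball fetched by `wget … ibmtss1.5.0.tar.gz/download` is unpacked and built with no integrity check and the script has no `set -e`, so a failed or tampered download is neither detected nor fatal: `tar`, `cd utils` and `make` fail in turn, `./startup` and `./getrandom` then run from the wrong directory, and the CI step reports only `getrandom`'s exit status. Add `set -e` after the shebang and verify the archive before unpacking, `echo "<expected-sha256>  ibmtss1.5.0.tar.gz" | sha256sum -c -` (placeholder hash, taken from the release the demo was tested with). The ports 2321/2322 in the `export` line duplicate the values hard-coded in run_swtpm.sh; a comment `# Must match the --server/--ctrl ports in run_swtpm.sh` keeps the two in sync.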
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+BLUE='\033[1;34m'
+NC='\033[0m'
+
+[ -d /bin/myvtpm ] || mkdir /bin/myvtpm
+cd occlum_instance && rm -rf image
+copy_bom -f ../swtpm.yaml --root image --include-dir /opt/occlum/etc/template
+
+new_json="$(jq '.resource_limits.user_space_size = "800MB" |
+ .resource_limits.kernel_space_heap_size = "600MB"|
+ .env.default += ["LD_LIBRARY_PATH=/bin/:/opt/occlum/glibc/lib/"] ' Occlum.json)" && \
+echo "${new_json}" > Occlum.json
+
+# Build Occlum
+echo -e "${BLUE}Occlum build swtpm${NC}"
+occlum build
+
+# Run the python demo
+echo -e "${BLUE}Occlum start swtpm${NC}"
+
+occlum run /bin/swtpm socket --tpmstate dir=/bin/myvtpm --tpm2 --ctrl type=tcp,port=2322,bindaddr=0.0.0.0 --server type=tcp,port=2321,bindaddr=0.0.0.0 --flags not-need-init --seccomp action=none
+
diff --git a/demos/swtpm/swtpm.yaml b/demos/swtpm/swtpm.yaml
new file mode 100644
index 00000000..1e637261
--- /dev/null
+++ b/demos/swtpm/swtpm.yaml
@@ -0,0 +1,15 @@
+includes:
+ - base.yaml
+# copy directories
+targets:
+ - target: /bin
+ copy:
+ - dirs:
+ - /usr/bin/
+ - /usr/lib/swtpm/
+ - ../libtpms/src/.libs/
+ - /usr/lib/x86_64-linux-gnu/
+ - target: /bin/myvtpm
+ copy:
+ - dirs:
+ - /bin/myvtpm
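Review bot: The `occlum run` line binds both the command port (2321) and the control port (2322) to `bindaddr=0.0.0.0`, while the only client in this demo connects to `localhost` (run_client.sh), so the unauthenticated control channel, which can reset or stop the TPM and touch its state, is reachable from every interface the container exposes; `bindaddr=127.0.0.1` on both endpoints would be enough here if Occlum's loopback networking supports it (to confirm), otherwise the README should state that these ports carry no authentication and must not be published. The comment `# Run the python demo` above the start message is a copy-paste leftover; `# Run swtpm inside the enclave` is what the line does. `--seccomp action=none` and `--flags not-need-init` also deserve a why-comment, for instance `# seccomp filtering is disabled — presumably not available inside the Occlum LibOS; confirm`, so the next maintainer does not drop or "fix" them blindly.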
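Review bot: The `/bin` target copies all of `/usr/bin/` and `/usr/lib/x86_64-linux-gnu/` into the enclave image rather than swtpm and the libraries it links, which inflates the image (likely why run_swtpm.sh raises `user_space_size` to 800MB) and puts every host binary and library inside the measured, trusted image; listing the swtpm executables under `files:` and only the shared objects reported by `ldd /usr/bin/swtpm` keeps the image minimal. The `/bin/myvtpm` target copies the host directory created by run_swtpm.sh, so any TPM state left there from an earlier run is baked into the next image; a comment such as `# expected to be empty at build time — state is created inside the enclave` (or clearing it in run_swtpm.sh before the build) avoids that surprise. The `# copy directories` comment sits between `includes` and `targets`; placing it directly above the `dirs:` entries it describes reads better.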