From a8da3ddcfa42e81e3b37b33bddd37fb452658a2c Mon Sep 17 00:00:00 2001
From: Valentyn Faychuk
Date: Sun, 6 Oct 2024 14:19:01 +0300
Subject: [PATCH] package the challenge within enclave
---
 rewrite/README.md | 28 ++++++++++
 rewrite/scripts/Dockerfile | 4 --
 rewrite/scripts/Occlum.json | 80 ++++++++++++++++++++++++++++
 rewrite/scripts/challenge.Dockerfile | 5 ++
 rewrite/scripts/challenge.sh | 13 +++++
 rewrite/scripts/package.sh | 32 +++++++++++
 rewrite/scripts/signing_key.pem | 40 ++++++++++++++
 rewrite/scripts/start.sh | 12 -----
 rewrite/scripts/testnet.sh | 15 +++--
 rewrite/src/main.rs | 2 +-
 10 files changed, 205 insertions(+), 26 deletions(-)
 create mode 100644 rewrite/README.md
 delete mode 100644 rewrite/scripts/Dockerfile
 create mode 100644 rewrite/scripts/Occlum.json
 create mode 100644 rewrite/scripts/challenge.Dockerfile
 create mode 100755 rewrite/scripts/challenge.sh
 create mode 100644 rewrite/scripts/package.sh
 create mode 100644 rewrite/scripts/signing_key.pem
 delete mode 100755 rewrite/scripts/start.sh
diff --git a/rewrite/README.md b/rewrite/README.md
new file mode 100644
index 0000000..bc6d457
--- /dev/null
+++ b/rewrite/README.md
@@ -0,0 +1,28 @@
+# Welcome to the HACKER CHALLENGE
+
+## Building and packaging the challenge
+
+The host can be without SGX support.
+To build and package the challenge you will need the docker environment.
+Do the following steps to build the challenge:
+
+```bash
+# Notice that there is no SGX device mounted
+docker run --rm -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
+# Inside the docker container do env preparation to build the image
+rustup install stable-x86_64-unknown-linux-gnu
+rustup default stable
+rustup target add x86_64-unknown-linux-musl
+
+cd /root/rewrite && ./scripts/package.sh
+# Feel free to exit the container once the challenge was packaged
+exit
+```
+
+## Testing the challenge
+
+To test the challenge you will need the SGX support.
+
+## Contributing to the challenge
+
+Don't forget to run `cargo clippy` and `cargo fmt` before submitting a PR.
\ No newline at end of file
diff --git a/rewrite/scripts/Dockerfile b/rewrite/scripts/Dockerfile
deleted file mode 100644
index 6e80e44..0000000
--- a/rewrite/scripts/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM alpine:edge
-COPY start.sh /start.sh
-COPY hacker-challenge /hacker-challenge
-ENTRYPOINT ["/start.sh"]
diff --git a/rewrite/scripts/Occlum.json b/rewrite/scripts/Occlum.json
new file mode 100644
index 0000000..9572bb3
--- /dev/null
+++ b/rewrite/scripts/Occlum.json
@@ -0,0 +1,80 @@
+{
+ "resource_limits": {
+ "kernel_space_heap_size": "32MB",
+ "kernel_space_stack_size": "1MB",
+ "user_space_size": "300MB",
+ "max_num_of_threads": 32
+ },
+ "process": {
+ "default_stack_size": "4MB",
+ "default_heap_size": "32MB",
+ "default_mmap_size": "100MB"
+ },
+ "entry_points": [
+ "/bin"
+ ],
+ "env": {
+ "default": [
+ "OCCLUM=yes"
+ ],
+ "untrusted": [
+ "EXAMPLE"
+ ]
+ },
+ "metadata": {
+ "product_id": 0,
+ "version_number": 0,
+ "debuggable": false,
+ "enable_kss": false,
+ "family_id": {
+ "high": "0x0",
+ "low": "0x0"
+ },
+ "ext_prod_id": {
+ "high": "0x0",
+ "low": "0x0"
+ }
+ },
+ "feature": {
+ "amx": 0,
+ "pkru": 0,
+ "enable_edmm": false,
+ "enable_posix_shm": false
+ },
+ "mount": [
+ {
+ "target": "/",
+ "type": "unionfs",
+ "options": {
+ "layers": [
+ {
+ "target": "/",
+ "type": "sefs",
+ "source": "./build/mount/__ROOT",
+ "options": {
+ "MAC": ""
+ }
+ },
+ {
+ "target": "/",
+ "type": "sefs",
+ "source": "./run/mount/__ROOT"
+ }
+ ]
+ }
+ },
+ {
+ "target": "/host",
+ "type": "hostfs",
+ "source": "."
+ },
+ {
+ "target": "/proc",
+ "type": "procfs"
+ },
+ {
+ "target": "/dev",
+ "type": "devfs"
+ }
+ ]
+}
diff --git a/rewrite/scripts/challenge.Dockerfile b/rewrite/scripts/challenge.Dockerfile
new file mode 100644
index 0000000..5dcb3d4
--- /dev/null
+++ b/rewrite/scripts/challenge.Dockerfile
@@ -0,0 +1,5 @@
+FROM occlum/occlum:latest-ubuntu20.04
+COPY challenge.sh /challenge.sh
+COPY challenge.tar.gz /challenge.tar.gz
+WORKDIR /
+ENTRYPOINT ["/challenge.sh"]
diff --git a/rewrite/scripts/challenge.sh b/rewrite/scripts/challenge.sh
new file mode 100755
index 0000000..1d00ed4
--- /dev/null
+++ b/rewrite/scripts/challenge.sh
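Review bot: The `"untrusted"` env list still carries the `"EXAMPLE"` placeholder from the Occlum template; nothing visible in this diff reads an `EXAMPLE` variable, so it should be removed or replaced by the variables the enclave is actually meant to accept from the host. The `/host` hostfs mount with `"source": "."` exposes the whole instance directory to the enclave, and it is the channel through which `challenge.sh` hands `detee_challenge_nodes` to the binary (`main.rs` now reads `/host/detee_challenge_nodes`); everything read from there is host-controlled and outside the enclave measurement. If only that one file needs to cross the boundary, consider narrowing the mount to a dedicated subdirectory, e.g. `"source": "./host"`, and writing the node list there, so the rest of the instance directory is not reachable from inside the enclave.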
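Review bot: `FROM occlum/occlum:latest-ubuntu20.04` ties the runtime container to a moving tag, so the Occlum runtime under the packaged enclave can change without any change in this repository, and the README's build step pulls the same tag. Pin both by digest, `FROM occlum/occlum:latest-ubuntu20.04@sha256:<digest of the tested image>`, so that the image used to run the challenge is the one it was packaged and tested against.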
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# This script is the entrypoint of the challenge container
+
+tar -xzf challenge.tar.gz && cd challenge
+
+if [ -z "${INIT_NODES}" ]; then
+ echo "The INIT_NODES environment variable is not set."
+else
+ echo $INIT_NODES | tr ' ' '\n' > detee_challenge_nodes
+fi
+
+occlum run /bin/hacker-challenge
diff --git a/rewrite/scripts/package.sh b/rewrite/scripts/package.sh
new file mode 100644
index 0000000..8a4b3b8
--- /dev/null
+++ b/rewrite/scripts/package.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+
+script_dir=$(dirname "$0")
+cd "${script_dir}/.."
+
+occlum-cargo build --release
+strip target/x86_64-unknown-linux-musl/release/hacker-challenge
+
+cat > challenge.yaml < /detee_challenge_nodes
-fi
-
-/hacker-challenge
diff --git a/rewrite/scripts/testnet.sh b/rewrite/scripts/testnet.sh
index 1627dbc..e7236f8 100755
--- a/rewrite/scripts/testnet.sh
+++ b/rewrite/scripts/testnet.sh
@@ -1,15 +1,12 @@
 #!/bin/bash
-script_dir=$(dirname "$0")
-cd "${script_dir}/.."
 set -e
-cargo build --release --target x86_64-unknown-linux-musl
-rm -rf build
-mkdir -p build
-cp ./target/x86_64-unknown-linux-musl/release/hacker-challenge build/
-cp scripts/start.sh build/
-cp scripts/Dockerfile build/
-cd build
+
+# WARNING: Build and package the hacker-challenge first, see README.md
+
+script_dir=$(dirname "$0")
+cd "${script_dir}/.."
+
+cp scripts/challenge.* build/ && cd build
 docker build -t hacker-challenge:latest .
 docker ps -a | grep 'hacker-challenge' | awk '{ print $NF }' | xargs docker rm -f || true
diff --git a/rewrite/src/main.rs b/rewrite/src/main.rs
index 86b077b..c6ce536 100644
--- a/rewrite/src/main.rs
+++ b/rewrite/src/main.rs
@@ -19,7 +19,7 @@ use tokio::{
 time::{sleep, Duration},
 };
-const INIT_NODES: &str = "detee_challenge_nodes";
+const INIT_NODES: &str = "/host/detee_challenge_nodes";
 const DISK_PERSISTENCE: &str = "TRY_TO_HACK_THIS";
 pub async fn localhost_cron(ds: Arc, tx: Sender) {
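Review bot: `echo $INIT_NODES | tr ' ' '\n' > detee_challenge_nodes` expands the host-supplied `INIT_NODES` unquoted, so the value is word-split and glob-expanded before it reaches the enclave, and under `/bin/sh` `echo` may also interpret backslash sequences; write it as `printf '%s\n' "$INIT_NODES" | tr ' ' '\n' > detee_challenge_nodes`. The script has no `set -e`, so if `tar -xzf challenge.tar.gz && cd challenge` fails the node file is written into `/` and `occlum run /bin/hacker-challenge` is still attempted from the wrong directory; add `set -e` after the shebang or `|| exit 1` to that line. The `-z` branch only prints a message and then starts the enclave anyway, which is fine if an empty node list is a supported start-up mode, but the comment at the top should say so.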
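Review bot: `package.sh` is added with `create mode 100644` while the README invokes it as `./scripts/package.sh`, so the documented step fails on a fresh checkout; either commit it executable or document `bash scripts/package.sh`. The same commit adds `rewrite/scripts/signing_key.pem`; if this script signs the enclave with it (the part of the hunk after `cat > challenge.yaml <` is not legible in this rendering, so this is inferred), the key is now public and anyone can produce an enclave carrying the same MRSIGNER, which means verifiers of this challenge must pin MRENCLAVE rather than trust the signer identity. A comment next to the signing step should state that, e.g. `# signing_key.pem is a public dev key: verifiers must check MRENCLAVE, not MRSIGNER`.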
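Review bot: `docker build -t hacker-challenge:latest .` runs in `build/` after `cp scripts/challenge.* build/`, which places the Dockerfile there under the name `challenge.Dockerfile`; unless `package.sh` (not fully legible in this rendering) also writes a plain `Dockerfile` into `build/`, the build will not find one, so pass it explicitly: `docker build -f challenge.Dockerfile -t hacker-challenge:latest .`. Also, `set -e` does not abort on a command that fails before `&&`, so when `cp` fails because `build/` does not exist yet, `cd build` is skipped and the script carries on in the repository root; make the precondition the WARNING comment describes explicit, e.g. `[ -d build ] || { echo "run scripts/package.sh first" >&2; exit 1; }` before the copy.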
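Review bot: `INIT_NODES` now points at `/host/detee_challenge_nodes`, which under the `Occlum.json` added in this commit is a hostfs mount of the instance directory, so the node list is host-writable at any time and is not covered by the enclave measurement; wherever this constant is read, the entries should be handled as untrusted input (bounded count, parsed and rejected on failure) rather than as trusted peer configuration, and the constant should say so, e.g. `/// Initial peer list; lives on untrusted hostfs, validate every entry on read.`. The remaining lines of the hunk are context; `localhost_cron` starts on the hunk's last line and its body lies outside the hunk. The type arguments of `Arc` and `Sender` appear stripped in this rendering, presumably an extraction artifact rather than a change.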