package the challenge within enclave

rewrite/README.md

@@ -0,0 +1,28 @@
+# Welcome to the HACKER CHALLENGE
+
+## Building and packaging the challenge
+
+The host can be without SGX support.
+To build and package the challenge you will need the docker environment.
+Do the following steps to build the challenge:
+
+```bash
+# Notice that there is no SGX device mounted
+docker run --rm -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
+# Inside the docker container do env preparation to build the image
+rustup install stable-x86_64-unknown-linux-gnu
+rustup default stable
+rustup target add x86_64-unknown-linux-musl
+
+cd /root/rewrite && ./scripts/package.sh
+# Feel free to exit the container once the challenge was packaged
+exit
+```
+
+## Testing the challenge
+
+To test the challenge you will need the SGX support.
+
+## Contributing to the challenge
+
+Don't forget to run `cargo clippy` and `cargo fmt` before submitting a PR.

rewrite/scripts/Dockerfile

@@ -1,4 +0,0 @@
-FROM alpine:edge
-COPY start.sh /start.sh
-COPY hacker-challenge /hacker-challenge
-ENTRYPOINT ["/start.sh"]

rewrite/scripts/Occlum.json

@@ -0,0 +1,80 @@
+{
+  "resource_limits": {
+    "kernel_space_heap_size": "32MB",
+    "kernel_space_stack_size": "1MB",
+    "user_space_size": "300MB",
+    "max_num_of_threads": 32
+  },
+  "process": {
+    "default_stack_size": "4MB",
+    "default_heap_size": "32MB",
+    "default_mmap_size": "100MB"
+  },
+  "entry_points": [
+    "/bin"
+  ],
+  "env": {
+    "default": [
+      "OCCLUM=yes"
+    ],
+    "untrusted": [
+      "EXAMPLE"
+    ]
+  },
+  "metadata": {
+    "product_id": 0,
+    "version_number": 0,
+    "debuggable": false,
+    "enable_kss": false,
+    "family_id": {
+      "high": "0x0",
+      "low": "0x0"
+    },
+    "ext_prod_id": {
+      "high": "0x0",
+      "low": "0x0"
+    }
+  },
+  "feature": {
+    "amx": 0,
+    "pkru": 0,
+    "enable_edmm": false,
+    "enable_posix_shm": false
+  },
+  "mount": [
+    {
+      "target": "/",
+      "type": "unionfs",
+      "options": {
+        "layers": [
+          {
+            "target": "/",
+            "type": "sefs",
+            "source": "./build/mount/__ROOT",
+            "options": {
+              "MAC": ""
+            }
+          },
+          {
+            "target": "/",
+            "type": "sefs",
+            "source": "./run/mount/__ROOT"
+          }
+        ]
+      }
+    },
+    {
+      "target": "/host",
+      "type": "hostfs",
+      "source": "."
+    },
+    {
+      "target": "/proc",
+      "type": "procfs"
+    },
+    {
+      "target": "/dev",
+      "type": "devfs"
+    }
+  ]
+}

rewrite/scripts/challenge.Dockerfile

@@ -0,0 +1,5 @@
+FROM occlum/occlum:latest-ubuntu20.04
+COPY challenge.sh /challenge.sh
+COPY challenge.tar.gz /challenge.tar.gz
+WORKDIR /
+ENTRYPOINT ["/challenge.sh"]

rewrite/scripts/challenge.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# This script is the entrypoint of the challenge container
+
+tar -xzf challenge.tar.gz && cd challenge
+
+if [ -z "${INIT_NODES}" ]; then
+  echo "The INIT_NODES environment variable is not set."
+else
+  echo $INIT_NODES | tr ' ' '\n' > detee_challenge_nodes
+fi
+
+occlum run /bin/hacker-challenge

rewrite/scripts/package.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -e
+
+script_dir=$(dirname "$0")
+cd "${script_dir}/.."
+
+occlum-cargo build --release
+strip target/x86_64-unknown-linux-musl/release/hacker-challenge
+
+cat > challenge.yaml <<EOF
+includes:
+  - base.yaml
+targets:
+  - target: /bin
+    copy:
+      - files:
+        - ../target/x86_64-unknown-linux-musl/release/hacker-challenge
+  - target: /lib
+    copy:
+      - files:
+        - /opt/occlum/toolchains/dcap_lib/musl/libocclum_dcap.so.0.1.0
+EOF
+
+rm -rf challenge_instance && mkdir challenge_instance && cd challenge_instance
+occlum init && rm -rf image
+cp ../scripts/Occlum.json ./
+copy_bom -f ../challenge.yaml --root image --include-dir /opt/occlum/etc/template
+# TODO: "--enable-edmm Y" must be only for platforms that support SGX2
+# TODO: make sure the bundle needs SGX2 to run since SGX1 is vulnerable to https://x.com/PratyushRT/status/1828183761055330373
+occlum build --sign-key ../scripts/signing_key.pem
+occlum package challenge.tar.gz
+mv challenge.tar.gz ../scripts/challenge.tar.gz

rewrite/scripts/signing_key.pem

@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCwkW9VPSw/1TBy
+zueoRDz+D+Cxw+2ODbQ1MEpT28Ikyqi8zu00KocYRDX4yiaznnXO/FrBDHB4QJ/F
+cBaLnjl/lr4CZu8KIeCVhc/lSUGd4azLyR5ZpcmNqlkpkVhLmEtuYGHth+AR84zj
+GOPJx3mR1CUsaWfFVogoyDNQBhQFZxWkbcGbzPDiUbqUImwMH2rf8HXhXLt41xn7
+GdgNtR8qPKjzDwCvL4KE0QkNNedDv5xBY4f8bpy2Y4wkvCNXpIYazATZhgu/QSPm
+/BGFxHrwaU2sfKNOD26EmlLaEdXgjd0wdabDRjjZo4afCqc6bmQkm4NjPLvxw/cC
+Sd9ovukqktehtTsB7Xb5d5yiBnM7PGXe034tDHjbtR+YVYN8rNBdgKSm1Eqghdn8
+cchei+cK8ChGFcOqkrHIuXbol3ypqeVme01e5cz9VSrzdncEWZqEyd3x7tZmAOjR
+/n35xg/OvLwSsJKCobeZgJxZESrjRYZHmBGqxkZn5pzC0wgKP08CAQMCggGAC8Vt
+0nuLe7jhGLh12ASMmXiGckBDCXhhWOEWBZcvE4T6Lrh2Nq2AeRWdMrgktqQp/Lt9
+hFYpoZ3ohKESkddZKqOmRG1DIs8O+ObJl9GvCoaC/ITf49faPKT04KNKJyxJS6AG
+h01TNGWR7QGoyS9ugTBGvrGxlbBvei964zOa70sjk37Io/yYl58McEaPvIqguZiQ
+ZFuD9v1F/6xjvKWsvoyTy+/u+pzEb0EivJ0xjQzGJn4aIeU9pcJerR2b9Mazfu+h
+RNVBObUwCjKB8kLG0LmZjIqsVK2LeV84ajW5U3iBHHgIMhdFDD3ndqVR+vsUzdWm
+/c18tkuxkRZ5HwClDv72GhG0kUsEymMAQt2VGeCGr4AoWg8GgxkFhhEu2Bn/y82n
+WnOEwiZZkyRySaHbM0DIU5rd6uKK/uj6RD3C1EZ3/s6XxgzGD2o8oWH88NTflSTH
+Vvge3EyaTHB8wC4y1tIoAWKmNvQTL1+SAuXHuLhdmcMBAUrhGDFIm3wfjlUzAoHB
+AMM/B/kamtzBKP0h1f1q2dB9X+YHDcU5cM2BgozOcmfncJkJMdNQC7jGhihYtdha
+vkr9eB+FhfMwc8dJz08Qp1m1RLFXMNC0QEa3ShWiNE4kM9esOJj7bkr0hzQ/1W5z
+Ug0VHQS/G8pYbgqsX6qbwz6L68EBU115IH5ar0In9jtqizwuPZ1PaH+ACeObxtEm
++NsHoVpHv4QEdV9io7nN7XsoCqvohCddb089Ia2WmXq2BavA4yh7ye8B2sg10joI
+iwKBwQDngonX7J6A4ipQ5J5Wb/rlC+6KVXySqtGahIIUHYeUltvsY/oAmSFpPHCD
+AiOtXW3KGUJkrOdQJBu6rvdIpJXv7SdpVHWt0+7W806haIJo8E2+pOhNL6jiSUWJ
+E+9ks4FfXrlVUGd17ixSorZjdEvLmH+fAW+J02xauB2m0Rv+HlI8Mism1smWm5Ob
+HN4WuYfsmo5/HUf5f2j4BIr9Qye9RFlSAFEi9yiDqeyAA92VwgSZah9u50wOAYDe
+V1x5OM0CgcEAgioFULxnPdYbU2vj/kc74FOVRASz2ND13lZXCImhmppLELDL4jVd
+JdmuxZB5Oucph1OlalkD93WihNvfigsaO84ty4914Hgq2c+GuRbNiW135R17EKee
+3KMEzX/jnveMCLi+AyoShuWescg/xxKCKbKdK1Y3k6YVqZHKLBqkJ5xc0sl+aN+a
+/6qxQmfZ4MSl51prkYUqWAL46kHCe96eUhqxx/BYGj5KNNNryQ8Q/HlZHStCGv0x
+SgE8hXk20VsHAoHBAJpXBo/zFFXsHDXtvuRKp0NdSbGOUwxx4RGtrA1pBQ255/Lt
+UVW7a5t9oFdWwnOTnoa7gZhzROAYEnx0pNsYY/VIxPDi+R6NSeSiNGubAZtK3n8Y
+mt4fxeww2QYNSkMiVj+Ue441mk6eyDcXJEJNh90QVRSrn7E3nZHQE8SLZ/6+4X12
+x28527m9DRITPrnRBUhnCaoThVD/m1ADB1OCGn4tkOFVi2ykxa0b8wACk7ksAxDx
+aknviAlWVemPkvt7MwKBwQCM934CRatNfHOlvzb21jm34Egk2LMp0uPjFzqW2JOQ
+NM67966EjGCuR8i3n+tTRvGuYIUQvF2NhymZHQdpOWbc4wPXw4jM1j9BLREH45tS
+TEeh41OgEuyF1ZjCDdukG/TUAoY3xlb7+pA9sD6dv0KxTmvdUcvtze2nBHgkyxul
+wUhjowJS8WsDR72P6Lub1wIT1yI/6UNkx7RaY7pmNUh96D0Hkhh/vZ9/F7/1+Gnu
+9DTouKJTmbNzsk375oViTww=
+-----END PRIVATE KEY-----

rewrite/scripts/start.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-
-# This script start the hacker challenge from within the docker container.
-# It's only purpose is to help bootstrap a test network.
-
-if [ -z "${INIT_NODES}" ]; then
-  echo "The INIT_NODES environment variable is not set."
-else
-  echo $INIT_NODES | tr ' ' '\n' > /detee_challenge_nodes
-fi
-
-/hacker-challenge

rewrite/scripts/testnet.sh

@@ -1,15 +1,12 @@
 #!/bin/bash
+set -e
+
+# WARNING: Build and package the hacker-challenge first, see README.md
+
 script_dir=$(dirname "$0")
 cd "${script_dir}/.."
-set -e
-cargo build --release --target x86_64-unknown-linux-musl
-rm -rf build
-mkdir -p build
-cp ./target/x86_64-unknown-linux-musl/release/hacker-challenge build/
-cp scripts/start.sh build/
-cp scripts/Dockerfile build/
-cd build
 
+cp scripts/challenge.* build/ && cd build
 docker build -t hacker-challenge:latest .
 
 docker ps -a | grep 'hacker-challenge' | awk '{ print $NF }' | xargs docker rm -f || true

rewrite/src/main.rs

@@ -19,7 +19,7 @@ use tokio::{
     time::{sleep, Duration},
 };
 
-const INIT_NODES: &str = "detee_challenge_nodes";
+const INIT_NODES: &str = "/host/detee_challenge_nodes";
 const DISK_PERSISTENCE: &str = "TRY_TO_HACK_THIS";
 
 pub async fn localhost_cron(ds: Arc<Store>, tx: Sender<NodeUpdate>) {