package the challenge within enclave

This commit is contained in:
Valentyn Faychuk 2024-10-06 14:19:01 +03:00
parent 9f7a8fb602
commit a8da3ddcfa
10 changed files with 205 additions and 26 deletions

28
rewrite/README.md Normal file

@ -0,0 +1,28 @@
# Welcome to the HACKER CHALLENGE
## Building and packaging the challenge
The host can be without SGX support.
To build and package the challenge you will need the docker environment.
Do the following steps to build the challenge:
```bash
# Notice that there is no SGX device mounted
docker run --rm -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
# Inside the docker container do env preparation to build the image
rustup install stable-x86_64-unknown-linux-gnu
rustup default stable
rustup target add x86_64-unknown-linux-musl
cd /root/rewrite && ./scripts/package.sh
# Feel free to exit the container once the challenge was packaged
exit
```
## Testing the challenge
To test the challenge you will need the SGX support.
## Contributing to the challenge
Don't forget to run `cargo clippy` and `cargo fmt` before submitting a PR.

@ -1,4 +0,0 @@
FROM alpine:edge
COPY start.sh /start.sh
COPY hacker-challenge /hacker-challenge
ENTRYPOINT ["/start.sh"]

@ -0,0 +1,80 @@
{
"resource_limits": {
"kernel_space_heap_size": "32MB",
"kernel_space_stack_size": "1MB",
"user_space_size": "300MB",
"max_num_of_threads": 32
},
"process": {
"default_stack_size": "4MB",
"default_heap_size": "32MB",
"default_mmap_size": "100MB"
},
"entry_points": [
"/bin"
],
"env": {
"default": [
"OCCLUM=yes"
],
"untrusted": [
"EXAMPLE"
]
},
"metadata": {
"product_id": 0,
"version_number": 0,
"debuggable": false,
"enable_kss": false,
"family_id": {
"high": "0x0",
"low": "0x0"
},
"ext_prod_id": {
"high": "0x0",
"low": "0x0"
}
},
"feature": {
"amx": 0,
"pkru": 0,
"enable_edmm": false,
"enable_posix_shm": false
},
"mount": [
{
"target": "/",
"type": "unionfs",
"options": {
"layers": [
{
"target": "/",
"type": "sefs",
"source": "./build/mount/__ROOT",
"options": {
"MAC": ""
}
},
{
"target": "/",
"type": "sefs",
"source": "./run/mount/__ROOT"
}
]
}
},
{
"target": "/host",
"type": "hostfs",
"source": "."
},
{
"target": "/proc",
"type": "procfs"
},
{
"target": "/dev",
"type": "devfs"
}
]
}
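Review bot: The `"untrusted": ["EXAMPLE"]` entry under `env` looks like a leftover from the Occlum template; every name in that list is an environment variable the enclave accepts from the untrusted host, so it should list only the variables the challenge actually reads, or be emptied, `"untrusted": []`. The `/host` hostfs mount with `"source": "."` exposes the whole instance directory to the enclave without integrity protection, which is what lets the app read `/host/detee_challenge_nodes`; that is acceptable for a bootstrap node list, but it should be documented (for example in the README) as host-controlled input so nothing else under `/host` is ever treated as trusted. `enable_edmm` is false here while package.sh carries a TODO about requiring SGX2, so the two should be reconciled — worth confirming which is intended.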

@ -0,0 +1,5 @@
FROM occlum/occlum:latest-ubuntu20.04
COPY challenge.sh /challenge.sh
COPY challenge.tar.gz /challenge.tar.gz
WORKDIR /
ENTRYPOINT ["/challenge.sh"]
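Review bot: `FROM occlum/occlum:latest-ubuntu20.04` is a floating tag, so the runtime image can drift to a different Occlum release than the one the bundle was packaged with (the README builds inside the same floating tag), and a version mismatch would presumably only surface as a failure at `occlum run`. Pin the same version in both places, `FROM occlum/occlum:<PINNED_OCCLUM_VERSION>-ubuntu20.04` (ideally with a digest), and add a comment naming the version the package was built with. The final image also has no `USER`; whether a non-root user is feasible depends on how the SGX device and aesmd socket are mounted at run time, so a comment stating that either way would help operators.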

13
rewrite/scripts/challenge.sh Executable file

@ -0,0 +1,13 @@
#!/bin/sh
# This script is the entrypoint of the challenge container
tar -xzf challenge.tar.gz && cd challenge
if [ -z "${INIT_NODES}" ]; then
echo "The INIT_NODES environment variable is not set."
else
echo $INIT_NODES | tr ' ' '\n' > detee_challenge_nodes
fi
occlum run /bin/hacker-challenge
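Review bot: The script does not `set -e` and does not `exec` the final command, so if `tar -xzf challenge.tar.gz` fails the `cd challenge` is skipped and `occlum run` is attempted from `/`, and in the normal case `sh` stays PID 1 so `docker stop`'s SIGTERM reaches the shell rather than the enclave runtime. Add `set -e` after the shebang and change the last line to `exec occlum run /bin/hacker-challenge`. The unquoted `echo $INIT_NODES` also lets the shell glob-expand and re-split the value; `echo "$INIT_NODES" | tr ' ' '\n' > detee_challenge_nodes` writes the content as given (this was already unquoted in the removed start.sh, but the script is being rewritten anyway).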

@ -0,0 +1,32 @@
#!/bin/bash
set -e
script_dir=$(dirname "$0")
cd "${script_dir}/.."
occlum-cargo build --release
strip target/x86_64-unknown-linux-musl/release/hacker-challenge
cat > challenge.yaml <<EOF
includes:
- base.yaml
targets:
- target: /bin
copy:
- files:
- ../target/x86_64-unknown-linux-musl/release/hacker-challenge
- target: /lib
copy:
- files:
- /opt/occlum/toolchains/dcap_lib/musl/libocclum_dcap.so.0.1.0
EOF
rm -rf challenge_instance && mkdir challenge_instance && cd challenge_instance
occlum init && rm -rf image
cp ../scripts/Occlum.json ./
copy_bom -f ../challenge.yaml --root image --include-dir /opt/occlum/etc/template
# TODO: "--enable-edmm Y" must be only for platforms that support SGX2
# TODO: make sure the bundle needs SGX2 to run since SGX1 is vulnerable to https://x.com/PratyushRT/status/1828183761055330373
occlum build --sign-key ../scripts/signing_key.pem
occlum package challenge.tar.gz
mv challenge.tar.gz ../scripts/challenge.tar.gz
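Review bot: `occlum build --sign-key ../scripts/signing_key.pem` signs the enclave with a private key that this same commit adds to the repository (the signing_key.pem hunk below), so anyone with read access to the repo holds the same MRSIGNER identity, and any attestation policy keyed on MRSIGNER, `product_id` or `version_number` no longer distinguishes the official build. Treat the committed key as public: generate a fresh key outside the tree, take its path from the environment, `occlum build --sign-key "${SIGN_KEY:?path to the enclave signing key}"`, and add `scripts/signing_key.pem` to .gitignore; verifiers should pin MRENCLAVE regardless. A comment above the `occlum build` line stating which measurement the challenge's attestation relies on would make this explicit. The two TODOs about `--enable-edmm` are left unresolved, so the package still builds with whatever Occlum.json sets — confirm that is intended.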

@ -0,0 +1,40 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

@ -1,12 +0,0 @@
#!/bin/sh
# This script start the hacker challenge from within the docker container.
# It's only purpose is to help bootstrap a test network.
if [ -z "${INIT_NODES}" ]; then
echo "The INIT_NODES environment variable is not set."
else
echo $INIT_NODES | tr ' ' '\n' > /detee_challenge_nodes
fi
/hacker-challenge

@ -1,15 +1,12 @@
#!/bin/bash
set -e
# WARNING: Build and package the hacker-challenge first, see README.md
script_dir=$(dirname "$0")
cd "${script_dir}/.."
set -e
cargo build --release --target x86_64-unknown-linux-musl
rm -rf build
mkdir -p build
cp ./target/x86_64-unknown-linux-musl/release/hacker-challenge build/
cp scripts/start.sh build/
cp scripts/Dockerfile build/
cd build
cp scripts/challenge.* build/ && cd build
docker build -t hacker-challenge:latest .
docker ps -a | grep 'hacker-challenge' | awk '{ print $NF }' | xargs docker rm -f || true
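Review bot: `cp scripts/challenge.* build/ && cd build` succeeds even when `scripts/challenge.tar.gz` is missing (the glob still matches challenge.sh), so a build without the packaging step only fails later inside `docker build` at its `COPY challenge.tar.gz` line. Add an explicit check before the copy, `[ -f scripts/challenge.tar.gz ] || { echo "scripts/challenge.tar.gz missing: run scripts/package.sh first (see README.md)" >&2; exit 1; }`, so the new WARNING comment is enforced rather than only stated.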

@ -19,7 +19,7 @@ use tokio::{
time::{sleep, Duration},
};
const INIT_NODES: &str = "detee_challenge_nodes";
const INIT_NODES: &str = "/host/detee_challenge_nodes";
const DISK_PERSISTENCE: &str = "TRY_TO_HACK_THIS";
pub async fn localhost_cron(ds: Arc<Store>, tx: Sender<NodeUpdate>) {