From c74aa76612c7bd404621fcb2e6283b0903d39f22 Mon Sep 17 00:00:00 2001
From: Valentyn Faychuk
Date: Sun, 6 Oct 2024 15:34:02 +0300
Subject: [PATCH] fix compilation and runtime
---
 .gitignore | 7 ++-
 rewrite/.cargo/config.toml | 2 +
 rewrite/README.md | 13 ++++-
 rewrite/scripts/challenge.Dockerfile | 1 +
 rewrite/scripts/challenge.qcnl.conf | 71 ++++++++++++++++++++++++++++
 rewrite/scripts/package.sh | 0
 rewrite/scripts/testnet.sh | 14 ++++-
 7 files changed, 98 insertions(+), 10 deletions(-)
 create mode 100644 rewrite/.cargo/config.toml
 create mode 100644 rewrite/scripts/challenge.qcnl.conf
 mode change 100644 => 100755 rewrite/scripts/package.sh
diff --git a/.gitignore b/.gitignore
index 0a89498..9d00ece 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
-target
-build
-detee_challenge_nodes
-.cargo
+**/target
+**/build
+#detee_challenge_nodes
 .idea
 .tmp
diff --git a/rewrite/.cargo/config.toml b/rewrite/.cargo/config.toml
new file mode 100644
index 0000000..c91c3f3
--- /dev/null
+++ b/rewrite/.cargo/config.toml
@@ -0,0 +1,2 @@
+[net]
+git-fetch-with-cli = true
diff --git a/rewrite/README.md b/rewrite/README.md
index bc6d457..92d71bc 100644
--- a/rewrite/README.md
+++ b/rewrite/README.md
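Review bot: `git-fetch-with-cli = true` carries no comment saying why it is set, and the reason is not visible from the file itself: it makes cargo shell out to the system `git`, which is what lets the SSH config, key and `known_hosts` that README.md now copies into the packager container be honoured when fetching the SSH-hosted occlum-ratls dependency. A one-line comment above the `[net]` table, such as `# use system git so the SSH setup from README.md applies when fetching the occlum-ratls dependency`, would spare the next reader the search. It is also worth stating there that the setting is repository-wide, so every cargo invocation under rewrite/ now depends on a working system git.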
@@ -8,12 +8,23 @@ Do the following steps to build the challenge:
 ```bash
 # Notice that there is no SGX device mounted
-docker run --rm -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
+docker run --rm --name packager -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
 # Inside the docker container do env preparation to build the image
 rustup install stable-x86_64-unknown-linux-gnu
 rustup default stable
 rustup target add x86_64-unknown-linux-musl
+mkdir -p /root/.ssh
+
+# Outside the container copy the ssh keys to the container to download occlum-ratls dependency
+docker cp ~/.ssh/config packager:/root/.ssh/config
+docker cp ~/.ssh/gitea_ed25519 packager:/root/.ssh/gitea_ed25519
+
+apt update && apt install openssh-client
+ssh-keyscan -H gitea.detee.cloud >> ~/.ssh/known_hosts
+chown -R root:root /root/.ssh
+chmod 600 /root/.ssh/gitea_ed25519
+
 cd /root/rewrite && ./scripts/package.sh
 # Feel free to exit the container once the challenge was packaged
 exit
diff --git a/rewrite/scripts/challenge.Dockerfile b/rewrite/scripts/challenge.Dockerfile
index 5dcb3d4..01c55c9 100644
--- a/rewrite/scripts/challenge.Dockerfile
+++ b/rewrite/scripts/challenge.Dockerfile
@@ -1,5 +1,6 @@
 FROM occlum/occlum:latest-ubuntu20.04
 COPY challenge.sh /challenge.sh
 COPY challenge.tar.gz /challenge.tar.gz
+COPY challenge.qcnl.conf /etc/sgx_default_qcnl.conf
 WORKDIR /
 ENTRYPOINT ["/challenge.sh"]
diff --git a/rewrite/scripts/challenge.qcnl.conf b/rewrite/scripts/challenge.qcnl.conf
new file mode 100644
index 0000000..1c350d6
--- /dev/null
+++ b/rewrite/scripts/challenge.qcnl.conf
@@ -0,0 +1,71 @@
+{
+ // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+ //PCCS server address
+ "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+ // To accept insecure HTTPS certificate, set this option to false
+ ,"use_secure_cert": true
+
+ // You can use the Intel PCS or another PCCS to get quote verification collateral. Retrieval of PCK
+ // Certificates will always use the PCCS described in pccs_url. When collateral_service is not defined, both
+ // PCK Certs and verification collateral will be retrieved using pccs_url
+ //,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+ // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
+ // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
+ // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version
+ // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1
+ // internally. Currently, only values of 3.0 and 3.1 are valid. Note, if you set this to 3.1, the PCCS use to retrieve
+ // verification collateral must support the new 3.1 APIs.
+ //,"pccs_api_version": "3.1"
+
+ // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
+ // It will first wait one second and then for all forthcoming retries it will double the waiting time.
+ // By using retry_delay you disable this exponential backoff algorithm
+ ,"retry_times": 6
+
+ // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
+ ,"retry_delay": 10
+
+ // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
+ // and failover to pccs_url as in legacy mode.
+ //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"
+
+ // If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache.
+ // The PCK certificates will be cached in memory and then to the disk drive.
+ // ===== Important: Once the local cache files are created, currently there is no other way to clean them other
+ // than to delete them manually, or wait for them to expire after "pck_cache_expire_hours" hours.
+ // To delete the cache files manually, go to these foders:
+ // Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
+ // Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
+ // If there is a folder called .dcap-qcnl, delete it. Restart the service after all cache
+ // folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
+ ,"pck_cache_expire_hours": 168
+
+ // To set cache expire time for quote verification collateral in hours
+ // See the above comment for pck_cache_expire_hours for more information on the local cache.
+ ,"verify_collateral_cache_expire_hours": 168
+
+ // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates
+ // from local cache files and will not request any PCK certificates from service providers, whether local or remote.
+ // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with
+ // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use
+ // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform
+ // that requires provisioning.
+ ,"local_cache_only": false
+
+ // You can add custom request headers and parameters to the get certificate API.
+ // But the default PCCS implementation just ignores them.
+ //,"custom_request_options" : {
+ // "get_cert" : {
+ // "headers": {
+ // "head1": "value1"
+ // },
+ // "params": {
+ // "param1": "value1",
+ // "param2": "value2"
+ // }
+ // }
+ //}
+}
diff --git a/rewrite/scripts/package.sh b/rewrite/scripts/package.sh
old mode 100644
new mode 100755
diff --git a/rewrite/scripts/testnet.sh b/rewrite/scripts/testnet.sh
index e7236f8..4485d57 100755
--- a/rewrite/scripts/testnet.sh
+++ b/rewrite/scripts/testnet.sh
@@ -2,23 +2,26 @@ set -e
 # WARNING: Build and package the hacker-challenge first, see README.md
+# TODO: check if scripts/challenge.tar.gz exists, if not tell to build first
 script_dir=$(dirname "$0")
 cd "${script_dir}/.."
+rm -rf build && mkdir build
+
 cp scripts/challenge.* build/ && cd build
-docker build -t hacker-challenge:latest .
+docker build -f challenge.Dockerfile -t hacker-challenge:latest .
 docker ps -a | grep 'hacker-challenge' | awk '{ print $NF }' | xargs docker rm -f || true
-docker run -d --name "hacker-challenge_0" \
+docker run --device /dev/sgx/enclave --device /dev/sgx/provision -d --name "hacker-challenge_0" \
 hacker-challenge:latest
-
 cd "../${script_dir}/../../mint_sol"
+# TODO: build the mint_sol as part of the build process
 cargo build --release
-sleep 1
+sleep 3
 address=$(docker logs hacker-challenge_0 | grep 'SOL' | awk '{ print $NF }')
@@ -35,11 +38,12 @@ done
 # for i in {1..10}
 for i in {11..20}
 do
- docker run -d --name "hacker-challenge_$i" -p 313${i}:31372 \
+ docker run --device /dev/sgx/enclave --device /dev/sgx/provision -d --name "hacker-challenge_$i" -p 313${i}:31372 \
 --env INIT_NODES="172.17.0.2 172.17.0.3 172.17.0.4" \
 hacker-challenge:latest
 done
+sleep 3
 for i in {11..20}
 do
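Review bot: `,"verify_collateral_cache_expire_hours": 168` lets the QCNL serve quote-verification collateral (TCB info, QE identity, CRLs) from its on-disk cache for up to a week, so a TCB recovery or certificate revocation published by Intel may go unnoticed by a node that verifies peers' quotes for up to 7 days; 168 is the template default for a client, and a verifier usually wants something shorter such as `,"verify_collateral_cache_expire_hours": 24`. The file's own comment above `,"pck_cache_expire_hours": 168` also says the cache can only be cleared by deleting the `.dcap-qcnl` folder, which is worth remembering when the node runs inside a container that may be recreated from this image. Separately, `pccs_url` is set to the Intel PCS while `,"collateral_service"` stays commented out; the comment on `collateral_service` says PCK certificates are always retrieved from `pccs_url`, and as far as I know the Intel PCS PCK-certificate endpoints expect a subscription key that QCNL has no option to send, so please confirm that PCK retrieval actually succeeds on the testnet hosts, or point `pccs_url` at a PCCS and set `collateral_service` to the Intel PCS.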
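Review bot: The bumped `sleep 3` before `address=$(docker logs hacker-challenge_0 | grep 'SOL' | awk '{ print $NF }')` still races enclave start-up: the node now has to initialise SGX and, per the new challenge.qcnl.conf, may spend up to six retries of 10 s fetching collateral before it logs anything, and when the line is not there yet `grep` exits 1 but the pipeline ends in `awk`, so `set -e` never fires and `address` is silently empty. The `+sleep 3` added in the second hunk before the `for i in {11..20}` loop has the same shape. A bounded polling loop that fails loudly removes the guesswork; the rewrite below is one way to do it. Also, `--device /dev/sgx/provision` is what lets the in-container quoting/PCE enclaves be launched with the provisioning-key attribute that DCAP quote generation needs; a short comment on the `docker run` line, e.g. `# /dev/sgx/provision is required for the quoting enclave to produce PCK-based DCAP quotes`, would save the next reader from asking why `/dev/sgx/enclave` alone is not enough.
```shell
# … unchanged: cargo build --release …
# wait for the first node to log its SOL address instead of guessing with a fixed sleep
address=
for _ in {1..60}; do
  address=$(docker logs hacker-challenge_0 | grep 'SOL' | awk '{ print $NF }')
  [[ -n "$address" ]] && break
  sleep 1
done
if [[ -z "$address" ]]; then
  echo "hacker-challenge_0 did not log a SOL address within 60s" >&2
  exit 1
fi
```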