fix compilation and runtime

2024-10-06 15:34:02 +03:00 · 2024-10-06 15:34:02 +03:00 · c74aa76612
commit c74aa76612
parent a8da3ddcfa
7 changed files with 98 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,5 @@
-target
-build
-detee_challenge_nodes
-.cargo
+**/target
+**/build
+#detee_challenge_nodes
 .idea
 .tmp
--- a/rewrite/.cargo/config.toml
+++ b/rewrite/.cargo/config.toml
@ -0,0 +1,2 @@
+[net]
+git-fetch-with-cli = true
--- a/rewrite/README.md
+++ b/rewrite/README.md
@ -8,12 +8,23 @@ Do the following steps to build the challenge:

 ```bash
 # Notice that there is no SGX device mounted
-docker run --rm -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
+docker run --rm --name packager -it -v /path/to/rewrite:/root/rewrite occlum/occlum:latest-ubuntu20.04
 # Inside the docker container do env preparation to build the image
 rustup install stable-x86_64-unknown-linux-gnu
 rustup default stable
 rustup target add x86_64-unknown-linux-musl

+mkdir -p /root/.ssh
+
+# Outside the container copy the ssh keys to the container to download occlum-ratls dependency
+docker cp ~/.ssh/config packager:/root/.ssh/config
+docker cp ~/.ssh/gitea_ed25519 packager:/root/.ssh/gitea_ed25519
+
+apt update && apt install openssh-client
+ssh-keyscan -H gitea.detee.cloud >> ~/.ssh/known_hosts
+chown -R root:root /root/.ssh
+chmod 600 /root/.ssh/gitea_ed25519
+
 cd /root/rewrite && ./scripts/package.sh
 # Feel free to exit the container once the challenge was packaged
 exit
--- a/rewrite/scripts/challenge.Dockerfile
+++ b/rewrite/scripts/challenge.Dockerfile
@ -1,5 +1,6 @@
 FROM occlum/occlum:latest-ubuntu20.04
 COPY challenge.sh /challenge.sh
 COPY challenge.tar.gz /challenge.tar.gz
+COPY challenge.qcnl.conf /etc/sgx_default_qcnl.conf
 WORKDIR /
 ENTRYPOINT ["/challenge.sh"]
--- a/rewrite/scripts/challenge.qcnl.conf
+++ b/rewrite/scripts/challenge.qcnl.conf
@ -0,0 +1,71 @@
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+  
+  //PCCS server address
+  "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+  // To accept insecure HTTPS certificate, set this option to false
+  ,"use_secure_cert": true
+
+  // You can use the Intel PCS or another PCCS to get quote verification collateral.  Retrieval of PCK 
+  // Certificates will always use the PCCS described in pccs_url.  When collateral_service is not defined, both 
+  // PCK Certs and verification collateral will be retrieved using pccs_url  
+  //,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+  // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
+  // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
+  // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version 
+  // setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1 
+  // internally.  Currently, only values of 3.0 and 3.1 are valid.  Note, if you set this to 3.1, the PCCS use to retrieve 
+  // verification collateral must support the new 3.1 APIs.
+  //,"pccs_api_version": "3.1"
+
+  // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
+  // It will first wait one second and then for all forthcoming retries it will double the waiting time.
+  // By using retry_delay you disable this exponential backoff algorithm
+  ,"retry_times": 6
+
+  // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
+  ,"retry_delay": 10
+
+  // If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
+  // and failover to pccs_url as in legacy mode.
+  //,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"
+
+  // If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache. 
+  // The PCK certificates will be cached in memory and then to the disk drive. 
+  // ===== Important: Once the local cache files are created, currently there is no other way to clean them other
+  //                  than to delete them manually, or wait for them to expire after "pck_cache_expire_hours" hours.
+  //                  To delete the cache files manually, go to these foders:
+  //                       Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
+  //                       Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
+  //                  If there is a folder called .dcap-qcnl, delete it. Restart the service after all cache 
+  //                  folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
+  ,"pck_cache_expire_hours": 168
+
+  // To set cache expire time for quote verification collateral in hours
+  // See the above comment for pck_cache_expire_hours for more information on the local cache.
+  ,"verify_collateral_cache_expire_hours": 168
+
+  // When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates 
+  // from local cache files and will not request any PCK certificates from service providers, whether local or remote. 
+  // To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with 
+  // the appropriate cache files. To generate these cache files for specific platforms, the administrator can use 
+  // the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform 
+  // that requires provisioning.
+  ,"local_cache_only": false
+
+  // You can add custom request headers and parameters to the get certificate API.
+  // But the default PCCS implementation just ignores them. 
+  //,"custom_request_options" : {
+  //  "get_cert" : {
+  //    "headers": {
+  //      "head1": "value1"
+  //    },
+  //    "params": {
+  //      "param1": "value1",
+  //      "param2": "value2"
+  //    }
+  //  }
+  //}
+}
--- a/rewrite/scripts/package.sh
+++ b/rewrite/scripts/package.sh
--- a/rewrite/scripts/testnet.sh
+++ b/rewrite/scripts/testnet.sh
@ -2,23 +2,26 @@
 set -e

 # WARNING: Build and package the hacker-challenge first, see README.md
+# TODO: check if scripts/challenge.tar.gz exists, if not tell to build first

 script_dir=$(dirname "$0")
 cd "${script_dir}/.."

+rm -rf build && mkdir build
+
 cp scripts/challenge.* build/ && cd build
-docker build -t hacker-challenge:latest .
+docker build -f challenge.Dockerfile -t hacker-challenge:latest .

 docker ps -a | grep 'hacker-challenge' | awk '{ print $NF }' | xargs docker rm -f || true

-docker run -d --name "hacker-challenge_0" \
+docker run --device /dev/sgx/enclave --device /dev/sgx/provision -d --name "hacker-challenge_0" \
  hacker-challenge:latest

-
 cd "../${script_dir}/../../mint_sol"
+# TODO: build the mint_sol as part of the build process
 cargo build --release

-sleep 1
+sleep 3

 address=$(docker logs hacker-challenge_0 | grep 'SOL' | awk '{ print $NF }')

@ -35,11 +38,12 @@ done
 # for i in {1..10}
 for i in {11..20}
 do
-  docker run -d --name "hacker-challenge_$i" -p 313${i}:31372 \
+  docker run --device /dev/sgx/enclave --device /dev/sgx/provision -d --name "hacker-challenge_$i" -p 313${i}:31372 \
    --env INIT_NODES="172.17.0.2 172.17.0.3 172.17.0.4" \
    hacker-challenge:latest
 done

+sleep 3

 for i in {11..20}
 do