
gsc build and gsc-sign fail when building/signing images for ubuntu18.04 #87

Open
max-lepikhin opened this issue Sep 12, 2022 · 2 comments

Comments

@max-lepikhin

What fails?

1. gsc build fails to find sgx_user.h:

meson.build:165:8: ERROR: Problem encountered: Invalid SGX driver configuration (-Dsgx_driver and/or -Dsgx_driver_include_path); expected "sgx_user.h" to exist under "/gramine/driver/driver/linux/include"

Suggested fix by Dmitrii: change templates/Dockerfile.common.compile.template to have "-Dsgx_driver=dcap1.6"

2. gsc sign-image fails with:

Traceback (most recent call last):
  File "/gramine/meson_build_output/bin/gramine-sgx-sign", line 74, in <module>
    main() # pylint: disable=no-value-for-parameter
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1128, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1053, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 1395, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 754, in invoke
    return __callback(*args, **kwargs)
  File "/gramine/meson_build_output/bin/gramine-sgx-sign", line 48, in main
    sigstruct.sign(sign_with_local_key, key)
  File "/gramine/meson_build_output/lib/python3.6/site-packages/graminelibos/sigstruct.py", line 167, in sign
    exponent_int, modulus_int, signature_int = do_sign_callback(data, *args, **kwargs)
  File "/gramine/meson_build_output/lib/python3.6/site-packages/graminelibos/sgx_sign.py", line 584, in sign_with_local_key
    modulus = bytes.fromhex(modulus_out[8:8+offs.SE_KEY_SIZE*2].decode())
ValueError: non-hexadecimal number found in fromhex() arg at position 512

I guessed it required a newer version of Python, and changed templates/ubuntu/Dockerfile.build.template to be:

{% extends "Dockerfile.common.build.template" %}

{% block install %}
RUN apt-get update \
 && apt-get install -y wget libcurl4
RUN wget https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/az-dcap-client_1.10_amd64.deb \
 && dpkg -i az-dcap-client_1.10_amd64.deb

RUN apt-get update \
    && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
        binutils \
        libcurl4-openssl-dev \
        libffi-dev \
        libprotobuf-c-dev \
        locales \
        locales-all \
        openssl \
        python3.8 \
        python3.8-dev \
        python3-cryptography \
        python3-pip \
        python3-protobuf \
        python3-pyelftools

# Default python 3.6 fails to parse key from hex inside
# Gramine sign_key.py. Create link to python 3.8.
RUN rm /usr/bin/python3
RUN ln -s /usr/bin/python3.8 /usr/bin/python3

RUN ls -l /usr/bin/python*

# Older version of markupsafe is required for subsequent install.
RUN pip3 install markupsafe==1.0.0
RUN pip3 install click jinja2 protobuf 'toml>=0.10'
RUN pip3 install -U cffi

{% if debug %}
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
        gdb \
        less \
        libunwind8 \
        python3-pytest \
        strace \
        vim
{% endif %}

RUN locale-gen en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US.UTF-8
{% endblock %}

----------------------- files ---------------------

Script to run the build and sign steps. Please replace the todo placeholders.

#!/bin/bash
set -e

SCRIPT_DIR="$(realpath "$(dirname -- "${BASH_SOURCE[0]}")")"
echo $SCRIPT_DIR

# Input/output docker images' tags.
NATIVE_VERSION=0.0.1
ENCRYPTED_VERSION=$NATIVE_VERSION
NATIVE_IMAGE=todo-repo/todo-image-${NATIVE_VERSION}
GSC_IMAGE=gsc-$NATIVE_IMAGE
GSC_UNSIGNED_IMAGE=$GSC_IMAGE-unsigned
ENCRYPTED_IMAGE=todo-repo/todo-image-${ENCRYPTED_VERSION}

# Remove gsc images as the tool checks for their existence as
# a way to check for errors during build. "|| true" keeps "set -e"
# from aborting the script on a first run, when the images do not exist yet.
docker rmi -f $GSC_IMAGE $GSC_UNSIGNED_IMAGE || true

echo "Native image='$NATIVE_IMAGE'"
echo "Encrypted image='$ENCRYPTED_IMAGE'"

# Get the gsc tool - gsc in the root of the repo is the python script to run.
BASE_DIR=$HOME/tmp
GSC_DIR=$BASE_DIR/gsc
GSC=$GSC_DIR/gsc
mkdir -p $BASE_DIR
if [ ! -f "$GSC" ]; then
    git clone --depth 1 https://github.com/gramineproject/gsc.git $GSC_DIR
    chmod +x $GSC
fi

# Create venv for bringing python dependencies required by gsc.
VENV_DIR=$BASE_DIR/venv
mkdir -p $VENV_DIR
if [ ! -d "$VENV_DIR/bin" ]; then
    python3 -m venv $VENV_DIR
fi
source $VENV_DIR/bin/activate

# Bring dependencies needed by gsc.
pip3 install docker jinja2 toml pyyaml

# Graminize the image.
CONFIG_FILE=$SCRIPT_DIR/gramine_gsc_config.yaml
MANIFEST_FILE=$SCRIPT_DIR/gramine.manifest
cd $GSC_DIR
$GSC build -c $CONFIG_FILE $NATIVE_IMAGE $MANIFEST_FILE || cd -

# Run docker inspect to fail the script if the image was not generated.
docker image inspect $GSC_UNSIGNED_IMAGE

# Generate signing key.
echo "Generating key file"
KEY_FILE=$BASE_DIR/image_key.pem
openssl genrsa -out $KEY_FILE 2048

# Generate signed image <--- THIS STEP FAILS
cd $GSC_DIR
$GSC sign-image -c $CONFIG_FILE $NATIVE_IMAGE $KEY_FILE || cd -

Contents of gramine_gsc_config.yaml:

Distro: "ubuntu:18.04"

Registry: ""

Gramine:
    Repository: "https://github.com/gramineproject/gramine.git"
    Branch:     "v1.2"

SGXDriver:
    # Intel recommended using LD_1.33 - special version for Azure and DCAP_1.6
    # in gsc/templates/Dockerfile.common.compile.template
    Repository: "https://github.com/intel/SGXDataCenterAttestationPrimitives.git"
    Branch:     "DCAP_1.6 && cp -r driver/linux/* ."

Contents of gramine.manifest:

sgx.remote_attestation = false

sgx.enclave_size = "2G"

Contents of the Dockerfile for the native image (hello.py contains print("testing")):

FROM ubuntu:18.04

RUN apt-get update
RUN apt-get install -y \
  python3.8

WORKDIR /app
COPY hello.py .

ENTRYPOINT ["python3", "-m", "hello"]
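Added example, not code from this issue or from Gramine: it rebuilds the `modulus_out[8:8+offs.SE_KEY_SIZE*2]` slice from the traceback on constructed `openssl rsa -modulus` output to show where "position 512" comes from. It assumes SE_KEY_SIZE is 384 bytes (the RSA-3072 modulus an SGX SIGSTRUCT requires) and emulates the pre-3.7 bytes.fromhex() whitespace rule; the script above generates a 2048-bit key, whose 512 hex digits are followed by a newline exactly at position 512 of the slice.

```python
# Added example (not Gramine's code): reproduces the slice gramine-sgx-sign takes from
# `openssl rsa -modulus` output to show why a 2048-bit key fails at position 512.
SE_KEY_SIZE = 384   # bytes; SGX SIGSTRUCT modulus is RSA-3072 (value assumed from Gramine's offsets)
HEX_DIGITS = set("0123456789abcdefABCDEF")


def fake_openssl_modulus_output(key_bits: int) -> bytes:
    """Constructed stand-in for `openssl rsa -noout -modulus`: b"Modulus=<HEX>\\n".
    The digits are synthetic, not a real key; only their count (key_bits / 4) matters."""
    hex_len = key_bits // 4
    digits = ("0123456789ABCDEF" * (hex_len // 16 + 1))[:hex_len]
    return b"Modulus=" + digits.encode() + b"\n"


def extract_modulus(modulus_out: bytes, python36: bool) -> bytes:
    """Same slice as gramine-sgx-sign: skip the 8-char 'Modulus=' prefix, take SE_KEY_SIZE*2 hex chars.
    python36=True emulates bytes.fromhex() before 3.7, which tolerated spaces but no other
    whitespace; 3.7+ skips all ASCII whitespace, which the real bytes.fromhex() below does."""
    hexstr = modulus_out[8:8 + SE_KEY_SIZE * 2].decode()
    if python36:
        for pos, ch in enumerate(hexstr):
            if ch != " " and ch not in HEX_DIGITS:
                raise ValueError(f"non-hexadecimal number found in fromhex() arg at position {pos}")
    return bytes.fromhex(hexstr)


def diagnose(key_bits: int, python36: bool) -> str:
    """One-line verdict for a key of key_bits bits under the given interpreter behaviour."""
    try:
        modulus = extract_modulus(fake_openssl_modulus_output(key_bits), python36)
    except ValueError as exc:
        return f"ValueError: {exc}"
    if len(modulus) != SE_KEY_SIZE:
        return f"modulus is {len(modulus)} bytes but SIGSTRUCT needs {SE_KEY_SIZE}: wrong key size"
    return "ok: 384-byte modulus, key size matches SIGSTRUCT"


if __name__ == "__main__":
    for bits in (2048, 3072):
        for py36 in (True, False):
            print(f"{bits}-bit key, python3.{'6' if py36 else '8'}: {diagnose(bits, py36)}")
```

With Python 3.8 the newline is silently skipped and a 256-byte modulus comes back, which still does not fit a SIGSTRUCT; SGX signing keys must be RSA-3072 with public exponent 3, which is what gramine-sgx-gen-private-key produces.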
@dimakuv (Contributor) commented Sep 13, 2022

How does your native image even work? If I use it, I don't have python3 at all:

$ docker run --rm -it --entrypoint /bin/bash ubuntu18.04-test-image

root@1a7f289fb468:/# python3
bash: python3: command not found

root@1a7f289fb468:/# which python
root@1a7f289fb468:/# which python3
root@1a7f289fb468:/# which python3.8
/usr/bin/python3.8

@max-lepikhin (Author)

Copy/paste error, please use this one:

FROM ubuntu:18.04

RUN apt-get update
RUN apt-get install -y \
  python3.8

RUN ln -s /usr/bin/python3.8 /usr/bin/python3

WORKDIR /app
COPY hello.py .

ENTRYPOINT ["python3", "-m", "hello"]
