Initial release of Dockerfiles and scripts for building and running Mitigator

LICENSE.txt

@@ -0,0 +1,23 @@
+This software is licensed under the MIT License, however, other code that is used within it may be licensed under more restrictive licenses. 
+
+MIT License
+
+Copyright (c) 2020 Miti Mazmudar and Ian Goldberg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

attach-mitigator

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker exec -it  mitigator bash

build-driver

@@ -0,0 +1,15 @@
+#!/bin/bash -x
+
+rm -rf linux-sgx-driver
+git clone https://github.com/intel/linux-sgx-driver.git
+cd linux-sgx-driver
+git checkout f7dc97c0
+make
+cp -av sgx_user.h ../graphene-docker/
+cd ..
+rm -rf graphene-sgx-driver
+git clone https://github.com/oscarlab/graphene-sgx-driver.git
+cd graphene-sgx-driver
+git checkout 30d4b940
+ISGX_DRIVER_PATH=../linux-sgx-driver ISGX_DRIVER_VERSION=2.5 make
+cp -av isgx_version.h ../graphene-docker/

build-mitigator

@@ -0,0 +1,5 @@
+#!/bin/bash -x
+
+cd sgx-docker && docker build -t sgx . || exit 1
+cd ../graphene-docker && docker build -t graphene . || exit 1
+cd ../docker && docker build -t mitigator . || exit 1

docker/Dockerfile

@@ -0,0 +1,83 @@
+FROM graphene
+ENV SGX_SDK=/opt/intel/sgxsdk/
+
+RUN mkdir source
+WORKDIR source
+## Setting up prereqs for decryptor - Intel SGX SSL
+# Just curling the tar.gz file and then running the build script didn't work as the extracted folder had a different name (dependent on the foldername which was compressed) --- I didnt want to make a new fork of the sgxssl script for that.
+RUN git clone https://github.com/openssl/openssl.git OpenSSL_1.1.1d && \
+	cd OpenSSL_1.1.1d && git checkout tags/OpenSSL_1_1_1d && \
+	cd ../ && tar -cf OpenSSL_1.1.1d.tar.gz OpenSSL_1.1.1d/
+
+#Setting up SGXSSL with the version of OpenSSL that we downloaded in the previous step.
+RUN git clone https://github.com/intel/intel-sgx-ssl.git && \
+	cd intel-sgx-ssl && git checkout tags/lin_2.5_1.1.1d && \
+	cp ../OpenSSL_1.1.1d.tar.gz ./openssl_source/  && \
+	cd Linux &&  make && make install
+
+#Setting up protobuf definitions for exchanging LA and post-LA messages between enclaves.
+RUN git clone https://git-crysp.uwaterloo.ca/miti/dhmsgs_proto_defs.git && \
+	cd dhmsgs_proto_defs/ && protoc --cpp_out=./ ./*.proto
+
+#Setting up the decryptor enclave itself.
+RUN git clone https://git-crysp.uwaterloo.ca/miti/Decryptor.git && \
+	cd Decryptor/ && make
+
+#Setting up common files used in the verifier, PHP extension for LA/post-LA message processing.
+RUN git clone https://git-crysp.uwaterloo.ca/miti/commonVerifierPHPfiles.git
+
+#Setting up a patched version of the linux-sgx repo's SDK for running LA on graphene.
+RUN git clone https://git-crysp.uwaterloo.ca/miti/linux-sgx-trts-modified.git && \
+	cd linux-sgx-trts-modified && git checkout local_attestation_for_graphene && \
+	bash ./download_prebuilt.sh && make USE_OPT_LIBS=0
+
+#Setting up the verifier.
+RUN git clone https://git-crysp.uwaterloo.ca/miti/verifier.git && \
+	cd verifier/ && git checkout recreating_state_for_teeter && \
+	export SGX_SDK_TRTS_MODIFIED=/root/source/linux-sgx-trts-modified/build/linux && make && \
+	cp verifier /root/graphene/LibOS/shim/test/native && \
+	git checkout master && \
+	cp verifier.manifest.template /root/graphene/LibOS/shim/test/native && \
+	cp grapheneMakefile /root/graphene/LibOS/shim/test/native/Makefile
+
+#Build the verifier
+WORKDIR /root/graphene/LibOS/shim/test/native
+RUN make SGX=1
+
+RUN apt update && apt install -y php7.0-dev tmux libxml2-dev 
+
+WORKDIR /root/source
+RUN git clone --recursive https://github.com/CopernicaMarketingSoftware/PHP-CPP.git && \
+	cd PHP-CPP/ && git checkout tags/v2.1.4 &&  make all && \
+	cp libphpcpp.so.* /usr/lib/ && make install
+
+RUN git clone https://git-crysp.uwaterloo.ca/miti/Apache_PHP_extension.git && \
+	cd Apache_PHP_extension && git checkout recreating_state_for_teeter  && \
+	make
+
+WORKDIR /root/graphene/LibOS/shim/test/apps/apache
+RUN cp /root/source/Apache_PHP_extension/apacheMakefile ./Makefile 
+RUN cp /root/source/Apache_PHP_extension/*.tar.gz ./
+#Don't make the manifest yet - make the apache/php build first and then the manifest.
+RUN make SGX=1 build-apache 
+
+#Add the updated httpd.manifest.template
+RUN cp /root/source/Apache_PHP_extension/httpd.manifest.template ./
+#Add the PHP .ini file from the PHP folder to /obj/lib 
+RUN cp ./php-7.0.7/php.ini-development ./obj/lib/php.ini 
+#Add the extension to the obj/modules folder. 
+RUN cp /root/source/Apache_PHP_extension/localattestation_decryption.so ./obj/modules/
+#Add the extension directory and the extension name to the php.ini 
+RUN echo "extension_dir=/root/graphene/LibOS/shim/test/apps/apache/obj/modules" >> obj/lib/php.ini && \ 
+	echo "extension=localattestation_decryption.so" >> obj/lib/php.ini
+#Add all php source code files to the right place. 
+RUN cp /root/source/Apache_PHP_extension/*.php ./obj/htdocs
+#Fix the configuration file for Apache
+RUN sed -i s/User/#User/g obj/conf/httpd.conf
+RUN sed -i s/Group/#Group/g obj/conf/httpd.conf
+RUN cat /root/source/Apache_PHP_extension/httpd.conf >> obj/conf/httpd.conf
+RUN make SGX=1 
+
+WORKDIR /root 
+COPY deploy_enclaves.sh ./
+RUN chmod 755 ./deploy_enclaves.sh

docker/deploy_enclaves.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+#To exit a tmux session, use Ctrl+B and then press D. 
+#To enter a tmux session, use tmux at -t <session_name> where session_name is decryptor, verifier or phpext.
+#List existing sessions by pressing tmux ls.
+
+cd ~/graphene && make SGX_RUN=1 
+cd ~/source/Decryptor && tmux new-session -d -s dec './app; bash';
+cd ~/graphene/LibOS/shim/test/native && tmux new-session -d -s ver './pal_loader SGX verifier; bash'
+sleep 20; #Should have better logic here to check if the previous command exited successfully (server should only be started after the verifier finishes, or else it will try to do LA with the decryptor and crash' 
+cd ~/graphene/LibOS/shim/test/apps/apache && tmux new-session -d -s php "make SGX_RUN=1; sudo make start-graphene-server; bash" 
+

graphene-docker/Dockerfile

@@ -0,0 +1,20 @@
+FROM sgx
+RUN apt update
+RUN apt install -y gawk python-pip
+RUN pip install protobuf
+RUN pip install pycrypto
+
+WORKDIR /root
+RUN git clone https://github.com/oscarlab/graphene
+WORKDIR graphene
+RUN git checkout 58e6087
+RUN git submodule init
+RUN git submodule update
+RUN cd Pal/src/host/Linux-SGX/sgx-driver && git checkout 30d4b940
+WORKDIR /root/graphene
+COPY isgx_version.h Pal/src/host/Linux-SGX/sgx-driver/
+RUN mkdir Pal/src/host/Linux-SGX/sgx-driver/linux-sgx-driver
+COPY sgx_user.h Pal/src/host/Linux-SGX/sgx-driver/linux-sgx-driver/
+RUN openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072
+RUN make SGX=1
+WORKDIR /root

install-driver

@@ -0,0 +1,18 @@
+#!/bin/bash -x
+
+service aesmd stop
+/sbin/modprobe -r graphene-sgx
+/sbin/modprobe -r isgx
+mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
+cp linux-sgx-driver/isgx.ko graphene-sgx-driver/graphene-sgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
+cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules
+cat /etc/modules | grep -Fxq graphene-sgx || echo graphene-sgx >> /etc/modules
+/sbin/depmod
+/sbin/modprobe isgx
+/sbin/modprobe graphene-sgx
+service aesmd start
+if [ "`sysctl -n vm.mmap_min_addr`" != 0 ]; then
+	cat /etc/sysctl.conf | grep -Fxq 'vm.mmap_min_addr = 0' || \
+		echo -e "\n# For Graphene-SGX\nvm.mmap_min_addr = 0" >> /etc/sysctl.conf
+	sysctl -p
+fi

run-mitigator

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run --device /dev/isgx --device /dev/gsgx --name mitigator --rm -p 8044:8044 -dt mitigator bash -c "start-aesmd && exec bash"

sgx-docker/Dockerfile

@@ -0,0 +1,15 @@
+FROM ubuntu:16.04
+RUN apt update && apt install -y build-essential sudo ocaml automake autoconf libtool wget python libssl-dev git protobuf-compiler libprotobuf-dev cmake curl libcurl4-openssl-dev lsb-release debhelper unzip nano kmod
+WORKDIR /root
+RUN git clone https://github.com/intel/linux-sgx.git
+WORKDIR linux-sgx
+RUN git checkout sgx_2.1
+RUN ./download_prebuilt.sh #Apparently need to run this even if we use opensource libraries - issue #363
+RUN make USE_OPT_LIBS=0 #For using opensource libraries for sgx library code.
+RUN make sdk_install_pkg
+RUN make psw_install_pkg
+WORKDIR linux/installer/bin
+RUN echo -e "no\n/opt/intel" | ./sgx_linux_x64_sdk_*.bin
+RUN echo -e "no\n/opt/intel" | ./sgx_linux_x64_psw_*.bin
+COPY start-aesmd /usr/local/sbin/
+WORKDIR /root

sgx-docker/start-aesmd

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+su -s /bin/bash aesmd -c "LD_LIBRARY_PATH=/opt/intel/sgxpsw/aesm /opt/intel/sgxpsw/aesm/aesm_service"

stop-mitigator

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker stop mitigator