Dockerfiles and scripts for sgx and graphene

build-driver

@@ -0,0 +1,14 @@
+#!/bin/bash -x
+
+rm -rf linux-sgx-driver
+git clone https://github.com/intel/linux-sgx-driver.git
+cd linux-sgx-driver
+git checkout sgx2
+make
+cp -av sgx_user.h ../graphene-docker/
+cd ..
+rm -rf graphene-sgx-driver
+git clone https://github.com/oscarlab/graphene-sgx-driver.git
+cd graphene-sgx-driver
+ISGX_DRIVER_PATH=../linux-sgx-driver ISGX_DRIVER_VERSION=2.5 make
+cp -av isgx_version.h ../graphene-docker/

build-mitigator

@@ -0,0 +1,5 @@
+#!/bin/bash -x
+
+cd sgx-docker && docker build -t sgx . || exit 1
+cd ../graphene-docker && docker build -t graphene . || exit 1
+cd ../docker && docker build -t mitigator . || exit 1

docker/Dockerfile

@@ -0,0 +1 @@
+FROM graphene

graphene-docker/Dockerfile

@@ -0,0 +1,17 @@
+FROM sgx
+RUN apt update
+RUN apt install -y gawk python-pip
+RUN pip install protobuf
+RUN pip install pycrypto
+WORKDIR /root
+RUN git clone https://github.com/oscarlab/graphene
+WORKDIR graphene
+RUN git checkout 58e6087
+RUN git submodule init
+RUN git submodule update
+COPY isgx_version.h Pal/src/host/Linux-SGX/sgx-driver/
+RUN mkdir Pal/src/host/Linux-SGX/sgx-driver/linux-sgx-driver
+COPY sgx_user.h Pal/src/host/Linux-SGX/sgx-driver/linux-sgx-driver/
+RUN openssl genrsa -3 -out Pal/src/host/Linux-SGX/signer/enclave-key.pem 3072
+RUN make SGX=1
+WORKDIR /root

install-driver

@@ -0,0 +1,18 @@
+#!/bin/bash -x
+
+service aesmd stop
+/sbin/modprobe -r graphene-sgx
+/sbin/modprobe -r isgx
+mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
+cp linux-sgx-driver/isgx.ko graphene-sgx-driver/graphene-sgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
+cat /etc/modules | grep -Fxq isgx || echo isgx >> /etc/modules
+cat /etc/modules | grep -Fxq graphene-sgx || echo graphene-sgx >> /etc/modules
+/sbin/depmod
+/sbin/modprobe isgx
+/sbin/modprobe graphene-sgx
+service aesmd start
+if [ "`sysctl -n vm.mmap_min_addr`" != 0 ]; then
+	cat /etc/sysctl.conf | grep -Fxq 'vm.mmap_min_addr = 0' || \
+		echo -e "\n# For Graphene-SGX\nvm.mmap_min_addr = 0" >> /etc/sysctl.conf
+	sysctl -p
+fi

run-mitigator

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run --device /dev/isgx --device /dev/gsgx -it mitigator bash -c "start-aesmd && exec bash"

sgx-docker/Dockerfile

@@ -0,0 +1,17 @@
+FROM ubuntu:16.04
+RUN apt update && apt install -y build-essential sudo ocaml automake autoconf libtool wget python libssl-dev git protobuf-compiler libprotobuf-dev cmake curl libcurl4-openssl-dev lsb-release debhelper
+WORKDIR /root
+RUN git clone https://github.com/intel/linux-sgx.git
+WORKDIR linux-sgx
+RUN git checkout sgx_2.6
+RUN ./download_prebuilt.sh
+RUN make
+RUN make sdk_install_pkg
+RUN make deb_pkg
+WORKDIR linux/installer/bin
+RUN echo -e "no\n/opt/intel" | ./sgx_linux_x64_sdk_*.bin
+WORKDIR ../deb
+RUN dpkg -i libsgx-enclave-common_*.deb libsgx-urts_*.deb
+RUN dpkg -i libsgx-enclave-common-dev_*.deb
+COPY start-aesmd /usr/local/sbin/
+WORKDIR /root

sgx-docker/start-aesmd

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+su -s /bin/bash aesmd -c "LD_LIBRARY_PATH=/opt/intel/libsgx-enclave-common/aesm /opt/intel/libsgx-enclave-common/aesm/aesm_service"