From 934a081587f01a43b5c7eb8d9d03cd4c0c298028 Mon Sep 17 00:00:00 2001 From: Sankaranarayanan Venkatasubramanian Date: Thu, 5 Jan 2023 17:23:41 +0530 Subject: [PATCH 1/2] Update positional arguments 'manifest' and 'key' to optional arguments Signed-off-by: Sankaranarayanan Venkatasubramanian --- Documentation/index.rst | 24 ++++++++++++------------ Examples/openvino/README.md | 7 ++++--- gsc.py | 5 +++-- test/README.rst | 5 +++-- 4 files changed, 22 insertions(+), 19 deletions(-) diff --git a/Documentation/index.rst b/Documentation/index.rst index 3c740bf1..94a28de9 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -85,7 +85,7 @@ Builds an unsigned graminized Docker image of an application image called ``gsc--unsigned`` by compiling Gramine or relying on a prebuilt Gramine image. -:command:`gsc build` [*OPTIONS*] <*IMAGE-NAME*> <*APP.MANIFEST*> +:command:`gsc build` [*OPTIONS*] <*IMAGE-NAME*> .. option:: -d @@ -121,13 +121,13 @@ Gramine image. Specify configuration file. Default: :file:`config.yaml`. -.. option:: IMAGE-NAME +.. option:: -m - Name of the application Docker image. + Manifest file (Gramine configuration). -.. option:: APP.MANIFEST +.. option:: IMAGE-NAME - Manifest file (Gramine configuration). + Name of the application Docker image. .. program:: gsc-sign-image @@ -139,12 +139,16 @@ Docker image called ``gsc-``. :command:`gsc sign-image` always removes intermediate Docker images, if successful or not, to ensure the removal of the signing key in them. -:command:`gsc sign-image` [*OPTIONS*] <*IMAGE-NAME*> <*KEY-FILE*> +:command:`gsc sign-image` [*OPTIONS*] <*IMAGE-NAME*> .. option:: -c Specify configuration file. Default: :file:`config.yaml` +.. option:: -k + + Used to sign the Intel SGX enclave + .. option:: -p Provide passphrase for the enclave signing key (if applicable) @@ -153,10 +157,6 @@ of the signing key in them. Name of the application Docker image -.. option:: KEY-FILE - - Used to sign the Intel SGX enclave - .. program:: gsc-build-gramine :command:`gsc build-gramine` -- build Gramine-only Docker image @@ -437,13 +437,13 @@ This example assumes that all prerequisites are installed and configured. .. code-block:: sh - ./gsc build --insecure-args python test/generic.manifest + ./gsc build --insecure-args --manifest test/generic.manifest python #. Sign the graminized Docker image using :command:`gsc sign-image`: .. code-block:: sh - ./gsc sign-image python enclave-key.pem + ./gsc sign-image --key enclave-key.pem python #. Retrieve SGX-related information from graminized image using :command:`gsc info-image`: diff --git a/Examples/openvino/README.md b/Examples/openvino/README.md index 0d5fcf4f..a2c07541 100644 --- a/Examples/openvino/README.md +++ b/Examples/openvino/README.md @@ -16,13 +16,14 @@ docker build --tag ubuntu20.04-openvino --file ubuntu20.04-openvino.dockerfile . 2. Graminize the Docker image using `gsc build`: ```bash cd ../.. -./gsc build --insecure-args ubuntu20.04-openvino \ - Examples/openvino/ubuntu20.04-openvino.manifest +./gsc build --insecure-args \ + --manifest Examples/openvino/ubuntu20.04-openvino.manifest \ + ubuntu20.04-openvino ``` 3. Sign the graminized Docker image using `gsc sign-image`: ```bash -./gsc sign-image ubuntu20.04-openvino enclave-key.pem +./gsc sign-image --key enclave-key.pem ubuntu20.04-openvino ``` ## Running the benchmark in GSC diff --git a/gsc.py b/gsc.py index cfcefc93..64c11790 100755 --- a/gsc.py +++ b/gsc.py @@ -472,8 +472,8 @@ def gsc_info_image(args): help='Set build-time variables (same as "docker build --build-arg").') sub_build.add_argument('-c', '--config_file', type=argparse.FileType('r', encoding='UTF-8'), default='config.yaml', help='Specify configuration file.') +sub_build.add_argument('-m', '--manifest', help='Manifest file to use.'); sub_build.add_argument('image', help='Name of the application Docker image.') -sub_build.add_argument('manifest', help='Manifest file to use.') sub_build_gramine = subcommands.add_parser('build-gramine', help='Build base-Gramine Docker image') @@ -501,7 +501,8 @@ def gsc_info_image(args): sub_sign.add_argument('-c', '--config_file', type=argparse.FileType('r', encoding='UTF-8'), default='config.yaml', help='Specify configuration file.') sub_sign.add_argument('image', help='Name of the application (base) Docker image.') -sub_sign.add_argument('key', help='Key to sign the Intel SGX enclaves inside the Docker image.') +sub_sign.add_argument('-k', '--key', + help='Key to sign the Intel SGX enclaves inside the Docker image.') sub_sign.add_argument('-p', '--passphrase', help='Passphrase for the signing key.') sub_info = subcommands.add_parser('info-image', help='Retrieve information about a graminized ' diff --git a/test/README.rst b/test/README.rst index c33f5480..2a0bac14 100644 --- a/test/README.rst +++ b/test/README.rst @@ -32,8 +32,9 @@ below commands assume that you already created the GSC configuration file docker build --tag ubuntu18.04-bash --file test/ubuntu18.04-bash.dockerfile . - ./gsc build --insecure-args ubuntu18.04-bash test/ubuntu18.04-bash.manifest - ./gsc sign-image ubuntu18.04-bash enclave-key.pem + ./gsc build --insecure-args --manifest test/ubuntu18.04-bash.manifest \ + ubuntu18.04-bash + ./gsc sign-image --key enclave-key.pem ubuntu18.04-bash ./gsc info-image gsc-ubuntu18.04-bash Test the graminized Docker image (change ``--device=/dev/sgx_enclave`` to your From 0b18783024b66550a09498f07247c50ab2d34438 Mon Sep 17 00:00:00 2001 From: Sankaranarayanan Venkatasubramanian Date: Thu, 5 Jan 2023 21:10:34 +0530 Subject: [PATCH 2/2] fixup! Update positional arguments 'manifest' and 'key' to optional arguments --- Documentation/index.rst | 2 +- gsc.py | 32 ++++++++++++++++++++------------ 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/Documentation/index.rst b/Documentation/index.rst index 94a28de9..2256437c 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -147,7 +147,7 @@ of the signing key in them. .. option:: -k - Used to sign the Intel SGX enclave + Key file used to sign the Intel SGX enclave .. option:: -p diff --git a/gsc.py b/gsc.py index 64c11790..df29bc03 100755 --- a/gsc.py +++ b/gsc.py @@ -220,13 +220,17 @@ def gsc_build(args): base_image_environment = extract_environment_from_image_config(original_image.attrs['Config']) base_image_dict = tomli.loads(base_image_environment) - user_manifest_contents = '' - if not os.path.exists(args.manifest): - raise FileNotFoundError(f'Manifest file {args.manifest} does not exist') - with open(args.manifest, 'r') as user_manifest_file: - user_manifest_contents = user_manifest_file.read() - - user_manifest_dict = tomli.loads(user_manifest_contents) + if args.manifest: + user_manifest_contents = '' + if not os.path.exists(args.manifest): + raise FileNotFoundError(f'Manifest file {args.manifest} does not exist') + with open(args.manifest, 'r') as user_manifest_file: + user_manifest_contents = user_manifest_file.read() + user_manifest_dict = tomli.loads(user_manifest_contents) + else: + print(f'A manifest file must be supplied using --manifest to build graminized Docker ' + f'image.') + sys.exit(1) # Support deprecated syntax: replace old-style TOML-dict (`sgx.trusted_files.key = "file:foo"`) # with new-style TOML-array (`sgx.trusted_files = ["file:foo"]`) in the user manifest @@ -358,10 +362,14 @@ def gsc_sign_image(args): # copy user-provided signing key and signing Bash script to our tmp build dir (to copy them # later inside Docker image) - tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem' - tmp_build_sign_path = tmp_build_path / 'sign.sh' - shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path) - shutil.copy(os.path.abspath('sign.sh'), tmp_build_sign_path) + if args.key and os.path.exists(args.key): + tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem' + tmp_build_sign_path = tmp_build_path / 'sign.sh' + shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path) + shutil.copy(os.path.abspath('sign.sh'), tmp_build_sign_path) + else: + print(f'A valid key file must be supplied using --key to build a signed Docker image.') + sys.exit(1) try: # `forcerm` parameter forces removal of intermediate Docker images even after unsuccessful @@ -500,10 +508,10 @@ def gsc_info_image(args): sub_sign.set_defaults(command=gsc_sign_image) sub_sign.add_argument('-c', '--config_file', type=argparse.FileType('r', encoding='UTF-8'), default='config.yaml', help='Specify configuration file.') -sub_sign.add_argument('image', help='Name of the application (base) Docker image.') sub_sign.add_argument('-k', '--key', help='Key to sign the Intel SGX enclaves inside the Docker image.') sub_sign.add_argument('-p', '--passphrase', help='Passphrase for the signing key.') +sub_sign.add_argument('image', help='Name of the application (base) Docker image.') sub_info = subcommands.add_parser('info-image', help='Retrieve information about a graminized ' 'Docker image')