Change positional args manifest and key to optional args

Documentation/index.rst

@@ -85,7 +85,7 @@ Builds an unsigned graminized Docker image of an application image called
 ``gsc-<IMAGE-NAME>-unsigned`` by compiling Gramine or relying on a prebuilt
 Gramine image.
 
-:command:`gsc build` [*OPTIONS*] <*IMAGE-NAME*> <*APP.MANIFEST*>
+:command:`gsc build` [*OPTIONS*] <*IMAGE-NAME*>
 
 .. option:: -d
 
@@ -121,13 +121,13 @@ Gramine image.
 
    Specify configuration file. Default: :file:`config.yaml`.
 
-.. option:: IMAGE-NAME
+.. option:: -m
 
-   Name of the application Docker image.
+   Manifest file (Gramine configuration).
 
-.. option:: APP.MANIFEST
+.. option:: IMAGE-NAME
 
-   Manifest file (Gramine configuration).
+   Name of the application Docker image.
 
 .. program:: gsc-sign-image
 
@@ -139,12 +139,16 @@ Docker image called ``gsc-<IMAGE-NAME>``. :command:`gsc sign-image` always
 removes intermediate Docker images, if successful or not, to ensure the removal
 of the signing key in them.
 
-:command:`gsc sign-image` [*OPTIONS*] <*IMAGE-NAME*> <*KEY-FILE*>
+:command:`gsc sign-image` [*OPTIONS*] <*IMAGE-NAME*>
 
 .. option:: -c
 
    Specify configuration file. Default: :file:`config.yaml`
 
+.. option:: -k
+
+   Key file used to sign the Intel SGX enclave
+
 .. option:: -p
 
    Provide passphrase for the enclave signing key (if applicable)
@@ -153,10 +157,6 @@ of the signing key in them.
 
    Name of the application Docker image
 
-.. option:: KEY-FILE
-
-   Used to sign the Intel SGX enclave
-
 .. program:: gsc-build-gramine
 
 :command:`gsc build-gramine` -- build Gramine-only Docker image
@@ -437,13 +437,13 @@ This example assumes that all prerequisites are installed and configured.
 
    .. code-block:: sh
 
-      ./gsc build --insecure-args python test/generic.manifest
+      ./gsc build --insecure-args --manifest test/generic.manifest python
 
 #. Sign the graminized Docker image using :command:`gsc sign-image`:
 
    .. code-block:: sh
 
-      ./gsc sign-image python enclave-key.pem
+      ./gsc sign-image --key enclave-key.pem python
 
 #. Retrieve SGX-related information from graminized image using :command:`gsc info-image`:
 

Examples/openvino/README.md

@@ -16,13 +16,14 @@ docker build --tag ubuntu20.04-openvino --file ubuntu20.04-openvino.dockerfile .
 2. Graminize the Docker image using `gsc build`:
 ```bash
 cd ../..
-./gsc build --insecure-args ubuntu20.04-openvino \
-    Examples/openvino/ubuntu20.04-openvino.manifest
+./gsc build --insecure-args \
+    --manifest Examples/openvino/ubuntu20.04-openvino.manifest \
+    ubuntu20.04-openvino
 ```
 
 3. Sign the graminized Docker image using `gsc sign-image`:
 ```bash
-./gsc sign-image ubuntu20.04-openvino enclave-key.pem
+./gsc sign-image --key enclave-key.pem ubuntu20.04-openvino
 ```
 
 ## Running the benchmark in GSC

gsc.py

@@ -220,13 +220,17 @@ def gsc_build(args):
     base_image_environment = extract_environment_from_image_config(original_image.attrs['Config'])
     base_image_dict = tomli.loads(base_image_environment)
 
-    user_manifest_contents = ''
-    if not os.path.exists(args.manifest):
-        raise FileNotFoundError(f'Manifest file {args.manifest} does not exist')
-    with open(args.manifest, 'r') as user_manifest_file:
-        user_manifest_contents = user_manifest_file.read()
-
-    user_manifest_dict = tomli.loads(user_manifest_contents)
+    if args.manifest:
+        user_manifest_contents = ''
+        if not os.path.exists(args.manifest):
+            raise FileNotFoundError(f'Manifest file {args.manifest} does not exist')
+        with open(args.manifest, 'r') as user_manifest_file:
+            user_manifest_contents = user_manifest_file.read()
+        user_manifest_dict = tomli.loads(user_manifest_contents)
+    else:
+        print(f'A manifest file must be supplied using --manifest to build graminized Docker '
+              f'image.')
+        sys.exit(1)
 
     # Support deprecated syntax: replace old-style TOML-dict (`sgx.trusted_files.key = "file:foo"`)
     # with new-style TOML-array (`sgx.trusted_files = ["file:foo"]`) in the user manifest
@@ -358,10 +362,14 @@ def gsc_sign_image(args):
 
     # copy user-provided signing key and signing Bash script to our tmp build dir (to copy them
     # later inside Docker image)
-    tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem'
-    tmp_build_sign_path = tmp_build_path / 'sign.sh'
-    shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path)
-    shutil.copy(os.path.abspath('sign.sh'), tmp_build_sign_path)
+    if args.key and os.path.exists(args.key):
+        tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem'
+        tmp_build_sign_path = tmp_build_path / 'sign.sh'
+        shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path)
+        shutil.copy(os.path.abspath('sign.sh'), tmp_build_sign_path)
+    else:
+        print(f'A valid key file must be supplied using --key to build a signed Docker image.')
+        sys.exit(1)
 
     try:
         # `forcerm` parameter forces removal of intermediate Docker images even after unsuccessful
@@ -472,8 +480,8 @@ def gsc_info_image(args):
     help='Set build-time variables (same as "docker build --build-arg").')
 sub_build.add_argument('-c', '--config_file', type=argparse.FileType('r', encoding='UTF-8'),
     default='config.yaml', help='Specify configuration file.')
+sub_build.add_argument('-m', '--manifest', help='Manifest file to use.');
 sub_build.add_argument('image', help='Name of the application Docker image.')
-sub_build.add_argument('manifest', help='Manifest file to use.')
 
 sub_build_gramine = subcommands.add_parser('build-gramine',
     help='Build base-Gramine Docker image')
@@ -500,9 +508,10 @@ def gsc_info_image(args):
 sub_sign.set_defaults(command=gsc_sign_image)
 sub_sign.add_argument('-c', '--config_file', type=argparse.FileType('r', encoding='UTF-8'),
     default='config.yaml', help='Specify configuration file.')
-sub_sign.add_argument('image', help='Name of the application (base) Docker image.')
-sub_sign.add_argument('key', help='Key to sign the Intel SGX enclaves inside the Docker image.')
+sub_sign.add_argument('-k', '--key',
+    help='Key to sign the Intel SGX enclaves inside the Docker image.')
 sub_sign.add_argument('-p', '--passphrase', help='Passphrase for the signing key.')
+sub_sign.add_argument('image', help='Name of the application (base) Docker image.')
 
 sub_info = subcommands.add_parser('info-image', help='Retrieve information about a graminized '
                                   'Docker image')

test/README.rst

@@ -32,8 +32,9 @@ below commands assume that you already created the GSC configuration file
 
    docker build --tag ubuntu18.04-bash --file test/ubuntu18.04-bash.dockerfile .
 
-   ./gsc build --insecure-args ubuntu18.04-bash test/ubuntu18.04-bash.manifest
-   ./gsc sign-image ubuntu18.04-bash enclave-key.pem
+   ./gsc build --insecure-args --manifest test/ubuntu18.04-bash.manifest \
+        ubuntu18.04-bash
+   ./gsc sign-image --key enclave-key.pem ubuntu18.04-bash
    ./gsc info-image gsc-ubuntu18.04-bash
 
 Test the graminized Docker image (change ``--device=/dev/sgx_enclave`` to your