Use EGo configure-qpl tool to configure DCAP in container (#34)

* Use Intel DCAP QPL by default * Update node version in docker image * Remove obsolete dcap configmap from helm chart * Bump images to v0.7.0 * Update README --------- Signed-off-by: Daniel Weiße <[email protected]>
edgelesssys · Jun 18, 2024 · 61059c7 · 61059c7
1 parent 8d47953
commit 61059c7
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 98 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,16 @@
-# syntax=docker/dockerfile:experimental
-
 FROM alpine/git:latest AS pull
 COPY . /emojivoto
 
-FROM ghcr.io/edgelesssys/ego-deploy:latest AS emoji_base
+FROM ghcr.io/edgelesssys/ego-deploy:v1.5.3 AS emoji_base
 RUN apt-get update && \
     apt-get install -y --no-install-recommends curl dnsutils iptables jq nghttp2 && \
     apt clean && \
     apt autoclean
 COPY ./start.sh /start.sh
 
-FROM ghcr.io/edgelesssys/ego-dev:latest AS emoji_build
+FROM ghcr.io/edgelesssys/ego-dev:v1.5.3 AS emoji_build
 WORKDIR /node
-RUN curl -sL https://deb.nodesource.com/setup_10.x -o nodesource_setup.sh && \
+RUN curl -sL https://deb.nodesource.com/setup_16.x -o nodesource_setup.sh && \
     bash nodesource_setup.sh
 RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
     echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
@@ -35,7 +33,7 @@ RUN --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-web/private.pem,r
     --mount=type=secret,id=signingkey,dst=/emojivoto/emojivoto-voting-svc/private.pem,required=true \
     ego env make build
 
-FROM ghcr.io/edgelesssys/ego-dev:latest AS patch_build
+FROM ghcr.io/edgelesssys/ego-dev:v1.5.3 AS patch_build
 RUN apt update && apt install -y wget tar unzip
 ARG GEN_GO_VER=1.28.1
 ARG GEN_GO_GRPC_VER=1.2.0

diff --git a/README.md b/README.md
@@ -65,7 +65,7 @@ Confidential emojivoto is build as a confidential computing application:
         Assuming you have a PCCS reachable at `https://localhost:8081/sgx/certification/v3/`, install MarbleRun using the following command:
 
         ```bash
-        marblerun install --dcap-qpl=intel --dcap-pccs-url="https://host.minikube.internal:8081/sgx/certification/v3/" --dcap-secure-cert="FALSE"
+        marblerun install --dcap-pccs-url="https://host.minikube.internal:8081/sgx/certification/v3/" --dcap-secure-cert="FALSE"
         ```
 
         See [our docs](https://docs.edgeless.systems/marblerun/deployment/kubernetes#dcap-configuration) for more information on how to configure MarbleRun for generic SGX environments.
@@ -230,12 +230,11 @@ Confidential emojivoto is build as a confidential computing application:
 
         ```bash
         helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto \
-            --set dcap.qpl=intel \
             --set dcap.pccsUrl="https://host.minikube.internal:8081/sgx/certification/v3/" \
             --set dcap.useSecureCert="FALSE"
         ```
 
-        The values for `dcap.qpl` and `dcap.useSecureCert` should be the same as the values for the flags `--dcap-pccs-url` and `--dcap-secure-cert` used when installing MarbleRun.
+        The values for `dcap.pccsUrl` and `dcap.useSecureCert` should be the same as the values for the flags `--dcap-pccs-url` and `--dcap-secure-cert` used when installing MarbleRun.
 
     * Otherwise
 
@@ -285,13 +284,13 @@ Confidential emojivoto is build as a confidential computing application:
     To upload the "Update Manifest" we need to authenticate ourselves to the Coordinator using the previously created admin key and certificate:
 
     ```bash
-    marblerun manifest update tools/update-manifest.json $MARBLERUN --cert admin_certificate.crt --key admin_private.key [--insecure]
+    marblerun manifest update apply tools/update-manifest.json $MARBLERUN --cert admin_certificate.crt --key admin_private.key [--insecure]
     ```
 
     We can now update the image used by the emojivoto voting Statefulset:
 
     ```bash
-    kubectl set image -n emojivoto statefulset/voting voting-svc=ghcr.io/edgelesssys/emojivoto/voting-svc:v0.5.0-fix
+    kubectl set image -n emojivoto statefulset/voting voting-svc=ghcr.io/edgelesssys/emojivoto/voting-svc:v0.7.0-fix
     ```
 
     Updating the manifest will invalidate MarbleRun's certificate chain so that the existing services will not accept old versions of the updated voting service anymore. Hence, we need to restart the other services to obtain a fresh certificate chain:
@@ -340,7 +339,7 @@ Confidential emojivoto is build as a confidential computing application:
         Luckily we provided a recovery key when we first set the manifest. We can now decrypt the recovery secret we received from the coordinator:
 
         ```bash
-        cat recovery.json | jq -r '.RecoverySecrets.recoveryKey1' | base64 -d > recovery_key_encrypted
+        jq -r '.RecoverySecrets.recoveryKey1' -r recovery.json | base64 -d > recovery_key_encrypted
         openssl pkeyutl -inkey recovery_priv.key -in recovery_key_encrypted -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -decrypt -out recovery_key_decrypted
         ```
 
@@ -428,10 +427,11 @@ ego env make build
 Build docker images:
 
 ```bash
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_web --tag ghcr.io/edgelesssys/emojivoto/web:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_emoji_svc --tag ghcr.io/edgelesssys/emojivoto/emoji-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_voting_svc --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
-docker buildx build --secret id=signingkey,src=<path to private.pem> --target release_voting_update --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest-fix . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
+export DOCKER_BUILDKIT=1
+docker build --secret id=signingkey,src=<path to private.pem> --target release_web --tag ghcr.io/edgelesssys/emojivoto/web:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
+docker build --secret id=signingkey,src=<path to private.pem> --target release_emoji_svc --tag ghcr.io/edgelesssys/emojivoto/emoji-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
+docker build --secret id=signingkey,src=<path to private.pem> --target release_voting_svc --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
+docker build --secret id=signingkey,src=<path to private.pem> --target release_voting_update --tag ghcr.io/edgelesssys/emojivoto/voting-svc:latest-fix . --label org.opencontainers.image.source=https://github.com/edgelesssys/emojivoto.git
 ```
 
 ## License

diff --git a/kubernetes/nosgx_values.yaml b/kubernetes/nosgx_values.yaml
@@ -8,16 +8,14 @@ simulation:
 
 resourceInjection: "disabled"
 
-dcap: {}
-
 web:
   image: ghcr.io/edgelesssys/emojivoto/web
-  imageVersion: v0.6.0
+  imageVersion: v0.7.0
 
 emoji:
   image: ghcr.io/edgelesssys/emojivoto/emoji-svc
-  imageVersion: v0.6.0
+  imageVersion: v0.7.0
 
 voting:
   image: ghcr.io/edgelesssys/emojivoto/voting-svc
-  imageVersion: v0.6.0
+  imageVersion: v0.7.0
diff --git a/kubernetes/sgx_values.yaml b/kubernetes/sgx_values.yaml
@@ -13,18 +13,17 @@ simulation:
 resourceInjection: "enabled"
 
 dcap:
-  qpl: "azure"
-  pccsUrl: "https://localhost:8081/sgx/certification/v3/"
-  useSecureCert: "TRUE"
+  pccsUrl: ""
+  useSecureCert: ""
 
 web:
   image: ghcr.io/edgelesssys/emojivoto/web
-  imageVersion: v0.6.0
+  imageVersion: v0.7.0
 
 emoji:
   image: ghcr.io/edgelesssys/emojivoto/emoji-svc
-  imageVersion: v0.6.0
+  imageVersion: v0.7.0
 
 voting:
   image: ghcr.io/edgelesssys/emojivoto/voting-svc
-  imageVersion: v0.6.0
+  imageVersion: v0.7.0
diff --git a/kubernetes/templates/emoji.yml b/kubernetes/templates/emoji.yml
@@ -36,10 +36,12 @@ spec:
             configMapKeyRef:
               name: oe-config
               key: OE_SIMULATION
-        {{ if .Values.dcap  }}
-        - name: DCAP_LIBRARY
-          value: "{{ .Values.dcap.qpl }}"
-        {{ end }}
+        {{- if .Values.dcap }}
+        - name: PCCS_URL
+          value: {{ .Values.dcap.pccsUrl }}
+        - name: PCCS_USE_SECURE_CERT
+          value: {{ .Values.dcap.useSecureCert }}
+        {{- end }}
         image: {{ .Values.emoji.image }}:{{ .Values.emoji.imageVersion }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: emoji-svc
@@ -53,21 +55,10 @@ spec:
         volumeMounts:
         - name: emoji-data
           mountPath: /emoji-svc/data
-        {{ if .Values.dcap }}
-        - name: dcap-conf
-          mountPath: /etc/sgx_default_qcnl.conf
-          subPath: sgx_default_qcnl.conf
-        {{ end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      volumes:
-      {{ if .Values.dcap }}
-      - name: dcap-conf
-        configMap:
-          name: emojivoto-dcap-config
-      {{ end }}
   volumeClaimTemplates:
   - metadata:
       name: emoji-data

diff --git a/kubernetes/templates/sgx-qcnl.yaml b/kubernetes/templates/sgx-qcnl.yaml
diff --git a/kubernetes/templates/voting.yml b/kubernetes/templates/voting.yml
@@ -36,10 +36,12 @@ spec:
             configMapKeyRef:
               name: oe-config
               key: OE_SIMULATION
-        {{ if .Values.dcap  }}
-        - name: DCAP_LIBRARY
-          value: "{{ .Values.dcap.qpl }}"
-        {{ end }}
+        {{- if .Values.dcap }}
+        - name: PCCS_URL
+          value: {{ .Values.dcap.pccsUrl }}
+        - name: PCCS_USE_SECURE_CERT
+          value: {{ .Values.dcap.useSecureCert }}
+        {{- end }}
         image: {{ .Values.voting.image }}:{{ .Values.voting.imageVersion }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: voting-svc
@@ -53,21 +55,10 @@ spec:
         volumeMounts:
         - name: voting-data
           mountPath: /voting-svc/data
-        {{ if .Values.dcap }}
-        - name: dcap-conf
-          mountPath: /etc/sgx_default_qcnl.conf
-          subPath: sgx_default_qcnl.conf
-        {{ end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      volumes:
-      {{ if .Values.dcap }}
-      - name: dcap-conf
-        configMap:
-          name: emojivoto-dcap-config
-      {{ end }}
   volumeClaimTemplates:
   - metadata:
       name: voting-data

diff --git a/kubernetes/templates/web.yml b/kubernetes/templates/web.yml
@@ -36,10 +36,12 @@ spec:
             configMapKeyRef:
               name: oe-config
               key: OE_SIMULATION
-        {{ if .Values.dcap  }}
-        - name: DCAP_LIBRARY
-          value: "{{ .Values.dcap.qpl }}"
-        {{ end }}
+        {{- if .Values.dcap }}
+        - name: PCCS_URL
+          value: {{ .Values.dcap.pccsUrl }}
+        - name: PCCS_USE_SECURE_CERT
+          value: {{ .Values.dcap.useSecureCert }}
+        {{- end }}
         image: {{ .Values.web.image }}:{{ .Values.web.imageVersion }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         name: web-svc
@@ -53,21 +55,10 @@ spec:
         volumeMounts:
         - name: web-data
           mountPath: /web-svc/data
-        {{ if .Values.dcap }}
-        - name: dcap-conf
-          mountPath: /etc/sgx_default_qcnl.conf
-          subPath: sgx_default_qcnl.conf
-        {{ end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      volumes:
-      {{ if .Values.dcap }}
-      - name: dcap-conf
-        configMap:
-          name: emojivoto-dcap-config
-      {{ end }}
   volumeClaimTemplates:
   - metadata:
       name: web-data

diff --git a/start.sh b/start.sh
@@ -1,14 +1,4 @@
 #!/usr/bin/bash
 
-if [[ "${DCAP_LIBRARY}" == "intel" ]]
-then
-    # rename the library installed by az-dcap-client
-    mv /usr/lib/libdcap_quoteprov.so /usr/lib/libdcap_quoteprov.so.azure
-    # create a link to the intel quote provider library
-    ln -s /usr/lib/x86_64-linux-gnu/dcap/libdcap_quoteprov.so.intel /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so
-    ln -s /usr/lib/x86_64-linux-gnu/dcap/libdcap_quoteprov.so.intel /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1
-else
-    export AZDCAP_DEBUG_LOG_LEVEL="${AZDCAP_DEBUG_LOG_LEVEL:=ERROR}"
-fi
-
-ego marblerun ${1}
+configure-qpl
+exec ego marblerun ${1}