diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index edbd32b2a0..da4c3f5d74 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -112,6 +112,16 @@ jobs: name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz path: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz + - name: Delete images + run: | + if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then + docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null + fi + if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then + docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null + fi + docker images --all + clippy: runs-on: ubuntu-latest container: "integritee/integritee-dev:0.2.1" @@ -327,6 +337,12 @@ jobs: - name: Delete images run: | + if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then + docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null + fi + if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then + docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null + fi if [[ "$(docker images -q ${{ env.WORKER_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then docker image rmi --force ${{ env.WORKER_IMAGE_TAG }} 2>/dev/null fi 
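Review bot: The guarded `docker image rmi --force` pair added here is repeated verbatim in the `@@ -327,6 +337,12` hunk, and a third copy for `integritee/${{ matrix.flavor_id }}:${{ github.ref_name }}` appears in the new `release-build` job, each with `2> /dev/null` on the lookup and `2>/dev/null` on the removal, which hides the reason whenever a removal fails on the shared runner. Since the `if` already makes the step tolerant of a missing image, each three-line guard can collapse to one line, e.g. `docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} || true`, keeping stderr visible; a small loop over the image names would remove the remaining duplication. The step runs after the artifact upload, so a failure in it turns an otherwise successful build red; if the intent is best-effort housekeeping, `continue-on-error: true` on the step says so explicitly.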
@@ -338,47 +354,141 @@ jobs: fi docker images --all - - release: - runs-on: ubuntu-latest - name: Draft Release + release-build: + runs-on: integritee-builder-sgx + name: Release Build of teeracle if: startsWith(github.ref, 'refs/tags/') needs: [build-test, integration-tests] - outputs: - release_url: ${{ steps.create-release.outputs.html_url }} - asset_upload_url: ${{ steps.create-release.outputs.upload_url }} + + strategy: + fail-fast: false + matrix: + include: + - flavor_id: teeracle + mode: teeracle + sgx_mode: HW + steps: - uses: actions/checkout@v3 - - name: Download Integritee Service - uses: actions/download-artifact@v3 - with: - name: integritee-worker-sidechain-${{ github.sha }} - path: integritee-worker-tmp + - name: Add masks + run: | + echo "::add-mask::$VAULT_TOKEN" + echo "::add-mask::$PRIVKEY_B64" + echo "::add-mask::$PRIVKEY_PASS" - - name: Download Integritee Client - uses: actions/download-artifact@v3 + - name: Set env + run: | + fingerprint=$RANDOM + echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV + if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then + echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV + echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd" >> $GITHUB_ENV + else + echo "DOCKER_DEVICES=" >> $GITHUB_ENV + echo "DOCKER_VOLUMES=" >> $GITHUB_ENV + fi + echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV" + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 with: - name: integritee-client-sidechain-${{ github.sha }} - path: integritee-client-tmp + buildkitd-flags: --debug + driver: docker-container - - name: Download Enclave Signed - uses: actions/download-artifact@v3 + - name: Import secrets + uses: hashicorp/vault-action@v2 + id: import-secrets with: - name: enclave-signed-sidechain-${{ github.sha }} - path: enclave-signed-tmp + url: ${{ secrets.VAULT_URL }} + tlsSkipVerify: false + token: ${{ env.VAULT_TOKEN }} + exportEnv: false + secrets: | + ${{ secrets.VAULT_PATH }} 
intel_sgx_pem_base64 | PRIVKEY_B64 ; + ${{ secrets.VAULT_PATH }} password | PRIVKEY_PASS + + - name: Get secrets + env: + PRIVKEY_B64: ${{ steps.import-secrets.outputs.PRIVKEY_B64 }} + PRIVKEY_PASS: ${{ steps.import-secrets.outputs.PRIVKEY_PASS }} + run: | + echo $PRIVKEY_B64 | base64 --ignore-garbage --decode > enclave-runtime/intel_sgx.pem + echo $PRIVKEY_PASS > enclave-runtime/passfile.txt + + - name: Build Worker & Run Cargo Test + env: + DOCKER_BUILDKIT: 1 + run: > + docker build -t integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} + --target deployed-worker + --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg SGX_COMMERCIAL_KEY=enclave-runtime/intel_sgx.pem --build-arg SGX_PASSFILE=enclave-runtime/passfile.txt --build-arg SGX_PRODUCTION=1 --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }} + -f build.Dockerfile . + + - name: Save released teeracle + run: | + docker image save integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz + docker images --all - - name: Move service binaries - run: mv integritee-worker-tmp/integritee-service ./integritee-demo-validateer + - name: Upload teeracle image + uses: actions/upload-artifact@v3 + with: + name: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz + path: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz - - name: Move service client binaries - run: mv integritee-client-tmp/integritee-cli ./integritee-client + - name: Delete images + run: | + if [[ "$(docker images -q integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2> /dev/null)" != "" ]]; then + docker image rmi --force integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2>/dev/null + fi + docker images --all - - name: Move service client binaries - run: mv enclave-signed-tmp/enclave.signed.so ./enclave.signed.so + release: + runs-on: 
ubuntu-latest + name: Draft Release + if: startsWith(github.ref, 'refs/tags/') + needs: [build-test, integration-tests, release-build] + outputs: + release_url: ${{ steps.create-release.outputs.html_url }} + asset_upload_url: ${{ steps.create-release.outputs.upload_url }} + steps: + - uses: actions/checkout@v3 - - name: Create required package.json - run: test -f package.json || echo '{}' >package.json + - name: Download Worker Image + uses: actions/download-artifact@v3 + with: + name: integritee-worker-teeracle-${{ github.ref_name }}.tar.gz + path: . + + # + # Temporary comment out until we decide what to release + # + # - name: Download Integritee Service + # uses: actions/download-artifact@v3 + # with: + # name: integritee-worker-sidechain-${{ github.sha }} + # path: integritee-worker-tmp + + # - name: Download Integritee Client + # uses: actions/download-artifact@v3 + # with: + # name: integritee-client-sidechain-${{ github.sha }} + # path: integritee-client-tmp + + # - name: Download Enclave Signed + # uses: actions/download-artifact@v3 + # with: + # name: enclave-signed-sidechain-${{ github.sha }} + # path: enclave-signed-tmp + + # - name: Move service binaries + # run: mv integritee-worker-tmp/integritee-service ./integritee-demo-validateer + + # - name: Move service client binaries + # run: mv integritee-client-tmp/integritee-cli ./integritee-client + + # - name: Move service client binaries + # run: mv enclave-signed-tmp/enclave.signed.so ./enclave.signed.so - name: Changelog uses: scottbrenner/generate-changelog-action@master @@ -398,6 +508,7 @@ jobs: ${{ steps.Changelog.outputs.changelog }} draft: true files: | + integritee-worker-teeracle-${{ github.ref_name }}.tar.gz integritee-client integritee-demo-validateer enclave.signed.so diff --git a/.github/workflows/delete-release.yml b/.github/workflows/delete-release.yml index b1d0e13750..53fbdbb0f3 100644 --- a/.github/workflows/delete-release.yml +++ b/.github/workflows/delete-release.yml 
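Review bot: The `Get secrets` step writes the commercial SGX signing key and its passphrase in plaintext to `enclave-runtime/intel_sgx.pem` and `enclave-runtime/passfile.txt` inside the checkout, and no later step removes them, so on the self-hosted `integritee-builder-sgx` runner they presumably stay in the workspace after the job, and via `COPY . .` in build.Dockerfile they are also copied into builder-stage layers that the `Delete images` step (which only removes the final tag) never touches. Add a cleanup step after the build, `- name: Remove signing material`, `if: always()`, `run: rm -f enclave-runtime/intel_sgx.pem enclave-runtime/passfile.txt`, and consider handing both files to `docker build` with `--secret` so they never enter the build context at all. The `Add masks` step masks `$PRIVKEY_B64` and `$PRIVKEY_PASS` before `import-secrets` has produced them, so unless the runner exports those names those two masks are empty no-ops (hashicorp/vault-action masks the values it returns on its own, as far as I know, so the real exposure is the files, not the log). `${{ matrix.additional_features }}` in the build step is not defined by the matrix `include`, so `ADDITIONAL_FEATURES_ARG` is passed empty.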
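Review bot: `files:` still lists `integritee-client`, `integritee-demo-validateer` and `enclave.signed.so`, but the steps that downloaded and moved those files are commented out in the same commit, so the release step now refers to files that are not in the workspace; whether that fails the job or is silently skipped depends on the release action, whose `uses:` line is outside the hunk. Either delete the three lines or comment them out together with the download steps so the list matches what is produced, leaving only `integritee-worker-teeracle-${{ github.ref_name }}.tar.gz`. The enclosing `release` job begins in the previous hunk.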
@@ -10,7 +10,8 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - binary: ["integritee-client", "integritee-demo-validateer"] + #binary: ["integritee-client", "integritee-demo-validateer"] + binary: ["teeracle"] steps: - uses: actions/checkout@v2 @@ -18,9 +19,13 @@ jobs: id: vars run: echo "{tag}={$GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT + - name: Get Tag + id: get_tag + run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\//} + - name: Check output env: - RELEASE_VERSION: ${{ steps.vars.outputs.tag }} + RELEASE_VERSION: ${{ steps.get_tag.outputs.TAG }} run: | echo $RELEASE_VERSION echo ${{ steps.vars.outputs.tag }} @@ -39,7 +44,7 @@ jobs: run: | ORGANIZATION="integritee" IMAGE="${{ matrix.binary }}" - TAG="${{ steps.vars.outputs.tag }}" + TAG="${{ steps.get_tag.outputs.TAG }}" login_data() { cat < /dev/null)" != "" ]]; then + docker image rmi --force integritee/teeracle:${{ github.event.release.tag_name }} 2>/dev/null + fi + docker images --all diff --git a/Makefile b/Makefile index 5318d8deea..80dafb88ea 100755 --- a/Makefile +++ b/Makefile @@ -75,11 +75,13 @@ ifeq ($(SGX_PRODUCTION), 1) SGX_ENCLAVE_MODE = "Production Mode" SGX_ENCLAVE_CONFIG = "enclave-runtime/Enclave.config.production.xml" SGX_SIGN_KEY = $(SGX_COMMERCIAL_KEY) + SGX_SIGN_PASSFILE = $(SGX_PASSFILE) WORKER_FEATURES := --features=production,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES) else SGX_ENCLAVE_MODE = "Development Mode" SGX_ENCLAVE_CONFIG = "enclave-runtime/Enclave.config.xml" SGX_SIGN_KEY = "enclave-runtime/Enclave_private.pem" + SGX_SIGN_PASSFILE = "" WORKER_FEATURES := --features=default,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES) endif 
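Review bot: The new `Get Tag` step uses the `::set-output` workflow command, which GitHub has deprecated in favour of `$GITHUB_OUTPUT`, while the existing `vars` step directly above already writes to `$GITHUB_OUTPUT` but emits `{tag}={...}` (the braces are literal in that quoted string), so its output name never matches `steps.vars.outputs.tag`, which is presumably why a second step was added. Rather than keeping two tag steps, fix the original line to `echo "tag=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"` and keep the `steps.vars.outputs.tag` references both here and in the `@@ -39,7 +44,7` hunk. The `Check output` step still echoes `${{ steps.vars.outputs.tag }}` after the switch, which prints an empty line for the broken reference. The `#binary:` line in the first hunk keeps the old matrix as a comment; if the two binaries are no longer released it can simply be deleted.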
@@ -194,7 +196,22 @@ $(RustEnclave_Name): enclave enclave-runtime/Enclave_t.o $(Signed_RustEnclave_Name): $(RustEnclave_Name) @echo @echo "Signing the enclave: $(SGX_ENCLAVE_MODE)" + @echo "SGX_ENCLAVE_SIGNER: $(SGX_ENCLAVE_SIGNER)" + @echo "RustEnclave_Name: $(RustEnclave_Name)" + @echo "SGX_ENCLAVE_CONFIG: $(SGX_ENCLAVE_CONFIG)" + @echo "SGX_SIGN_PASSFILE: $(SGX_SIGN_PASSFILE)" + @echo "SGX_SIGN_KEY: $(SGX_SIGN_KEY)" + + +ifeq ($(SGX_PRODUCTION), 1) + $(SGX_ENCLAVE_SIGNER) gendata -enclave $(RustEnclave_Name) -out enclave_sig.dat -config $(SGX_ENCLAVE_CONFIG) + openssl rsa -passin file:$(SGX_SIGN_PASSFILE) -pubout -in $(SGX_SIGN_KEY) -out intel_sgx.pub + openssl dgst -sha256 -passin file:$(SGX_SIGN_PASSFILE) -sign $(SGX_SIGN_KEY) -out signature.dat enclave_sig.dat + openssl dgst -sha256 -verify intel_sgx.pub -signature signature.dat enclave_sig.dat + $(SGX_ENCLAVE_SIGNER) catsig -enclave $(RustEnclave_Name) -config $(SGX_ENCLAVE_CONFIG) -out $@ -key intel_sgx.pub -sig signature.dat -unsigned enclave_sig.dat +else $(SGX_ENCLAVE_SIGNER) sign -key $(SGX_SIGN_KEY) -enclave $(RustEnclave_Name) -out $@ -config $(SGX_ENCLAVE_CONFIG) +endif @echo "SIGN => $@" @echo @echo "Enclave is in $(SGX_ENCLAVE_MODE)" diff --git a/build.Dockerfile b/build.Dockerfile index cbb3525056..ef77069b9c 100644 --- a/build.Dockerfile +++ b/build.Dockerfile @@ -35,6 +35,9 @@ ENV CARGO_NET_GIT_FETCH_WITH_CLI true ARG SGX_MODE=SW ENV SGX_MODE=$SGX_MODE +ARG SGX_PRODUCTION=0 +ENV SGX_PRODUCTION=$SGX_PRODUCTION + ARG WORKER_FEATURES_ARG ENV WORKER_FEATURES=$WORKER_FEATURES_ARG @@ -55,6 +58,12 @@ ENV ADDITIONAL_FEATURES=$ADDITIONAL_FEATURES_ARG ARG FINGERPRINT=none +ARG SGX_COMMERCIAL_KEY=enclave-runtime/Enclave_private.pem +ENV SGX_COMMERCIAL_KEY ${SGX_COMMERCIAL_KEY} + +ARG SGX_PASSFILE +ENV SGX_PASSFILE ${SGX_PASSFILE} + WORKDIR $WORKHOME/worker COPY . . 
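Review bot: The production branch of the `$(Signed_RustEnclave_Name)` recipe has no guard that a real key and passphrase file were supplied: with the defaults added in build.Dockerfile (`ARG SGX_COMMERCIAL_KEY=enclave-runtime/Enclave_private.pem`, `ARG SGX_PASSFILE` with no default) an `SGX_PRODUCTION=1` build reaches `openssl rsa -passin file: -pubout -in enclave-runtime/Enclave_private.pem`, i.e. the development key, and only stops because the empty `-passin` path cannot be opened. Make that intent explicit as the first line of the branch, e.g. `@test -s "$(SGX_SIGN_PASSFILE)" || { echo "SGX_PASSFILE must point to a non-empty passphrase file when SGX_PRODUCTION=1" >&2; exit 1; }`. The intermediates `enclave_sig.dat`, `signature.dat` and `intel_sgx.pub` are left in the working directory; they hold no private material, but they should be covered by the clean target, which is outside the hunk.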
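Review bot: `ENV SGX_COMMERCIAL_KEY ${SGX_COMMERCIAL_KEY}` and `ENV SGX_PASSFILE ${SGX_PASSFILE}` use the space-separated `ENV` form, which the Dockerfile reference documents as discouraged and subject to removal, while the surrounding lines (`ENV SGX_MODE=$SGX_MODE`, `ENV SGX_PRODUCTION=$SGX_PRODUCTION`) use `=`; write `ENV SGX_COMMERCIAL_KEY=${SGX_COMMERCIAL_KEY}` and `ENV SGX_PASSFILE=${SGX_PASSFILE}` for consistency. With `ARG SGX_PASSFILE` left unset, the second line defines an empty `SGX_PASSFILE` rather than leaving it undefined, which the Makefile's `-passin file:$(SGX_SIGN_PASSFILE)` then receives as an empty path.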
@@ -62,7 +71,7 @@ COPY . . RUN --mount=type=cache,id=cargo-registry,target=/opt/rust/registry \ --mount=type=cache,id=cargo-git,target=/opt/rust/git/db \ --mount=type=cache,id=cargo-sccache-${WORKER_MODE}${ADDITIONAL_FEATURES},target=/home/ubuntu/.cache/sccache \ - echo ${FINGERPRINT} && make && cargo test --release && sccache --show-stats + echo ${FINGERPRINT} && make && make identity && cargo test --release && sccache --show-stats ### Base Runner Stage ### The runner needs the aesmd service for the `SGX_MODE=HW`.
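Review bot: The build stage now signs with files that `COPY . .` has already placed in the image layer (`enclave-runtime/intel_sgx.pem` and `enclave-runtime/passfile.txt`, per the `SGX_COMMERCIAL_KEY`/`SGX_PASSFILE` args added in the previous hunk), so the private key and its passphrase persist in the builder layer and in the Buildx cache even though only `deployed-worker` is tagged and later deleted. The file already relies on BuildKit (`RUN --mount=type=cache`), so both files can instead be supplied as secret mounts that exist only for the duration of this `RUN` and never land in a layer; the workflow then passes them with `--secret id=...,src=...` instead of putting them in the context (the ids below are illustrative). `make identity` is a target not visible in the Makefile hunks of this commit, so presumably it is defined elsewhere in the Makefile.
```dockerfile
RUN --mount=type=cache,id=cargo-registry,target=/opt/rust/registry \
    # … unchanged: cargo-git and sccache cache mounts …
    --mount=type=secret,id=sgx_key,target=/run/secrets/intel_sgx.pem \
    --mount=type=secret,id=sgx_passfile,target=/run/secrets/passfile.txt \
    echo ${FINGERPRINT} && make SGX_COMMERCIAL_KEY=/run/secrets/intel_sgx.pem SGX_PASSFILE=/run/secrets/passfile.txt && make identity && cargo test --release && sccache --show-stats
```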