build: update dockerfile to use common base images

Dockerfile

@@ -1,88 +1,20 @@
 #syntax=docker/dockerfile:1.2
 
 # Base with APT packages installed
-FROM ubuntu:18.04 AS apt-base
+FROM registree/teaclave-build:latest AS builder
 
-RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install -y gnupg2 apt-transport-https ca-certificates curl software-properties-common build-essential automake autoconf libtool protobuf-compiler libprotobuf-dev git-core libprotobuf-c0-dev cmake pkg-config expect gdb libssl-dev llvm-dev libclang-dev clang && \
-    rm -rf /var/lib/apt/lists/* && \
-    rm -rf /var/cache/apt/archives/*
-
-#  Add SGX repository and install SGX libraries
-RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
-    add-apt-repository "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main" && \
-    apt-get update  && \
-    apt-get install -y libsgx-quote-ex \
-        libsgx-enclave-common libsgx-enclave-common-dev \
-        libsgx-dcap-ql libsgx-dcap-ql-dev && \
-    rm -rf /var/lib/apt/lists/* && \
-    rm -rf /var/cache/apt/archives/* && \
-    mkdir /var/run/aesmd && \
-    mkdir /etc/init
-
-# Add Microsoft's repository and install Azure libraries
-RUN curl -fsSL  https://packages.microsoft.com/keys/microsoft.asc | apt-key add - && \
-    add-apt-repository "deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main" && \
-    apt-get update  && \
-    apt-get install -y az-dcap-client && \
-    rm -rf /var/lib/apt/lists/* && \
-    rm -rf /var/cache/apt/archives/*
-
-
-# Base with the SGX and Teaclave SDKs installed
-FROM apt-base AS teaclave-base
-
-# See:
-# https://github.com/apache/incubator-teaclave-sgx-sdk/blob/master/release_notes.md
-# https://01.org/intel-software-guard-extensions/downloads
-ARG rust_toolchain=nightly-2020-10-25
-ARG sdk_bin=https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu18.04-server/sgx_linux_x64_sdk_2.13.100.4.bin
-ARG teaclave_version=1.1.3
-
-# Setup the rust toolchain for building
-RUN curl 'https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init' --output /root/rustup-init && \
-    chmod +x /root/rustup-init
-
-RUN echo '1' | /root/rustup-init --default-toolchain ${rust_toolchain}
-
-RUN echo 'source /root/.cargo/env' >> /root/.bashrc
-
-RUN /root/.cargo/bin/rustup component add rust-src rls rust-analysis clippy rustfmt && \
-    rm /root/rustup-init && rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git
-
-# Install the sgx sdk
-RUN mkdir /root/sgx && \
-    curl --output /root/sgx/sdk.bin ${sdk_bin} && \
-    cd /root/sgx && \
-    chmod +x /root/sgx/sdk.bin && \
-    echo -e 'no\n/opt' | /root/sgx/sdk.bin && \
-    # echo 'source /opt/sgxsdk/environment' >> /root/.bashrc && \
-    echo 'alias start-aesm="LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm /opt/intel/sgx-aesm-service/aesm/aesm_service"' >> /root/.bashrc && \
-    rm -rf /root/sgx*
-
-# Download the teaclave rust sgx sdk
-RUN mkdir /root/sgx-rust && \
-    curl -L https://github.com/apache/incubator-teaclave-sgx-sdk/archive/v${teaclave_version}.tar.gz | tar -xz -C /root/sgx-rust --strip-components=1
-
-# TODO: remove once all the code supports the later nightly toolchains
-RUN /root/.cargo/bin/rustup toolchain install nightly-2021-03-25
-
-FROM teaclave-base AS builder
 ENV SGX_SDK=/opt/sgxsdk
-WORKDIR /root
-
-COPY --from=teaclave-base /root/sgx-rust/ ./sgx-rust/
-COPY --from=teaclave-base /root/.cargo/ ./.cargo/
 
 WORKDIR /root/rtc-data
 ARG SGX_MODE=HW
 
+# TODO only copy what we need
 COPY . .
 
 RUN --mount=type=cache,target=/root/.cargo/registry \
     --mount=type=cache,target=/root/.cargo/git \
     . /root/.cargo/env && cargo fetch
-    
+
 RUN --mount=type=cache,target=/root/.cargo/registry \
     --mount=type=cache,target=/root/.cargo/git \
     --mount=type=cache,sharing=private,target=/root/rtc-data/target \
@@ -91,23 +23,28 @@ RUN --mount=type=cache,target=/root/.cargo/registry \
     mkdir /root/out && \
     cp target/release/http_server /root/out/http_server
 
-FROM teaclave-base AS runsw
+FROM registree/teaclave-build:latest AS runsw
 
 WORKDIR /root/rtc-data
 COPY --from=builder /root/rtc-data/rtc_data_service/http_server/config ./config
 COPY --from=builder /root/out/http_server ./http_server
-COPY --from=builder /root/rtc-data/rtc_data_enclave/build/bin/enclave.signed.so ./enclave.signed.so
+COPY --from=builder /root/rtc-data/rtc_data_enclave/build/bin/enclave.signed.so ./data_enclave.signed.so
+COPY --from=builder /root/rtc-data/rtc_auth_enclave/build/bin/enclave.signed.so ./auth_enclave.signed.so
+COPY --from=builder /root/rtc-data/rtc_exec_enclave/build/bin/enclave.signed.so ./exec_enclave.signed.so
 
 EXPOSE 8080
 
 CMD ["./http_server"]
 
-FROM apt-base AS runhw
+FROM registree/sgx-run:latest AS runhw
 
 WORKDIR /root/rtc-data
+
 COPY --from=builder /root/rtc-data/rtc_data_service/http_server/config ./config
 COPY --from=builder /root/out/http_server ./http_server
-COPY --from=builder /root/rtc-data/rtc_data_enclave/build/bin/enclave.signed.so ./enclave.signed.so
+COPY --from=builder /root/rtc-data/rtc_data_enclave/build/bin/enclave.signed.so ./data_enclave.signed.so
+COPY --from=builder /root/rtc-data/rtc_auth_enclave/build/bin/enclave.signed.so ./auth_enclave.signed.so
+COPY --from=builder /root/rtc-data/rtc_exec_enclave/build/bin/enclave.signed.so ./exec_enclave.signed.so
 
 EXPOSE 8080
 

rtc_data_service/http_server/config/default.toml

@@ -10,6 +10,12 @@ debug = false
 lib_path = "/root/rtc-data/rtc_auth_enclave/build/bin/enclave.signed.so"
 attestation_provider_url = "https://sharedeus.eus.attest.azure.net"
 
+[exec_enclave]
+debug = false
+# Relative to the binary
+lib_path = "/root/rtc-data/rtc_exec_enclave/build/bin/enclave.signed.so"
+attestation_provider_url = "https://sharedeus.eus.attest.azure.net"
+
 [http_server]
 host = "127.0.0.1"
 port = "8080"

rtc_data_service/http_server/config/production.toml

@@ -1,6 +1,16 @@
 [data_enclave]
 debug = false
-lib_path = "enclave.signed.so"
+lib_path = "data_enclave.signed.so"
+attestation_provider_url = "https://sharedeus.eus.attest.azure.net"
+
+[auth_enclave]
+debug = false
+lib_path = "auth_enclave.signed.so"
+attestation_provider_url = "https://sharedeus.eus.attest.azure.net"
+
+[exec_enclave]
+debug = false
+lib_path = "exec_enclave.signed.so"
 attestation_provider_url = "https://sharedeus.eus.attest.azure.net"
 
 [http_server]
@@ -13,4 +23,4 @@ port_https = "443"
 client_cert_path = "/root/tls/cloudflare_client_cert.pem"
 # Cloudflare generated orgin certificate
 server_cert_path = "/root/tls/server_cert.pem"
-priv_key_path = "/root/tls/privkey-pkcs8.pem"
+priv_key_path = "/root/tls/privkey.pem"

runbuild.sh

@@ -4,4 +4,6 @@
 which cargo >/dev/null || . "$HOME/.cargo/env"
 
 cargo build --release
-cd rtc_data_enclave && make
+cd rtc_data_enclave && make && cd ..
+cd rtc_auth_enclave && make && cd ..
+cd rtc_exec_enclave && make && cd ..