diff --git a/Integrations/azure/akv-sign/Dockerfile.sign.akv.centos.template b/Integrations/azure/akv-sign/Dockerfile.sign.akv.centos.template
new file mode 100644
index 0000000..9b81550
--- /dev/null
+++ b/Integrations/azure/akv-sign/Dockerfile.sign.akv.centos.template
@@ -0,0 +1,41 @@
+# This Dockerfile template is derived from a generic
+# https://github.com/gramineproject/gsc/blob/master/templates/Dockerfile.common.sign.template
+
+FROM {{image}} as unsigned_image
+
+# Install the required packages using root user
+USER root
+
+RUN dnf update -y \
+ && dnf install -y \
+ curl \
+ wget \
+ && /usr/bin/python3 -B -m pip install azure-keyvault-keys azure-identity tomli tomli_w
+
+RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc
+RUN dnf install -y https://packages.microsoft.com/config/rhel/8/packages-microsoft-prod.rpm
+RUN dnf install -y azure-cli
+
+# Switch back to original app_image user
+USER {{app_user}}
+
+RUN wget -P /gramine/app_files/ https://raw.githubusercontent.com/gramineproject/contrib/master/Integrations/azure/akv-sign/gramine-sgx-akv-sign
+
+RUN chmod +x /gramine/app_files/gramine-sgx-akv-sign
+
+RUN az login
+
+RUN {% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %} \
+ /gramine/app_files/gramine-sgx-akv-sign \
+ --url \
+ --key \
+ --manifest /gramine/app_files/entrypoint.manifest \
+ --output /gramine/app_files/entrypoint.manifest.sgx
+
+RUN az logout
+
+# This trick removes all temporary files from the previous commands
+FROM {{image}}
+
+COPY --from=unsigned_image /gramine/app_files/*.sig /gramine/app_files/
+COPY --from=unsigned_image /gramine/app_files/*.sgx /gramine/app_files/
diff --git a/Integrations/azure/akv-sign/Dockerfile.sign.akv.debian.template b/Integrations/azure/akv-sign/Dockerfile.sign.akv.debian.template
new file mode 100644
index 0000000..858eb9a
--- /dev/null
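Review bot: `RUN az login` commits the Azure CLI's token cache (written under the home directory of `{{app_user}}`) into a layer of the `unsigned_image` stage, and the later `RUN az logout` only adds another layer on top, so the credential stays in that stage's layers and in the builder's cache; the final `FROM {{image}}` stage copying only `*.sig`/`*.sgx` keeps it out of the shipped image but not off the build host. A `RUN` step also has no TTY, so `az login` presumably falls back to device-code flow or fails depending on the CLI version — the README should say how the login is expected to happen, and a managed identity (`az login --identity`) or a service-principal credential passed via a BuildKit `--mount=type=secret` would avoid the interactive login altogether. Independently of that, fold login, signing and logout into a single `RUN`: a layer is snapshotted when the command exits, so removing the token cache before the step ends keeps it out of every committed layer. The Debian template has the same structure and needs the same change.
```dockerfile
# … unchanged: package installation, USER {{app_user}}, wget/chmod of the signing tool …

# Login, signing and logout in ONE layer: the layer is snapshotted when the
# command exits, so the ~/.azure token cache never reaches a committed layer
# (with separate RUN steps it stays in the unsigned_image stage / build cache).
RUN az login \
    && {% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %} \
       /gramine/app_files/gramine-sgx-akv-sign \
           --url \
           --key \
           --manifest /gramine/app_files/entrypoint.manifest \
           --output /gramine/app_files/entrypoint.manifest.sgx; \
    rc=$?; az logout; rm -rf "$HOME/.azure"; exit $rc

# … unchanged: final FROM {{image}} stage and the two COPY --from=unsigned_image lines …
```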
+++ b/Integrations/azure/akv-sign/Dockerfile.sign.akv.debian.template
@@ -0,0 +1,39 @@
+# This Dockerfile template is derived from a generic
+# https://github.com/gramineproject/gsc/blob/master/templates/Dockerfile.common.sign.template
+
+FROM {{image}} as unsigned_image
+
+# Install the required packages using root user
+USER root
+
+RUN apt-get update -y \
+ && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ curl \
+ wget \
+ && /usr/bin/python3 -B -m pip install azure-keyvault-keys azure-identity tomli tomli_w
+
+RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+
+# Switch back to original app_image user
+USER {{app_user}}
+
+RUN wget -P /gramine/app_files/ https://raw.githubusercontent.com/gramineproject/contrib/master/Integrations/azure/akv-sign/gramine-sgx-akv-sign
+
+RUN chmod +x /gramine/app_files/gramine-sgx-akv-sign
+
+RUN az login
+
+RUN {% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib -type d -path '*/site-packages')" &&{% endblock %} \
+ /gramine/app_files/gramine-sgx-akv-sign \
+ --url \
+ --key \
+ --manifest /gramine/app_files/entrypoint.manifest \
+ --output /gramine/app_files/entrypoint.manifest.sgx
+
+RUN az logout
+
+# This trick removes all temporary files from the previous commands
+FROM {{image}}
+
+COPY --from=unsigned_image /gramine/app_files/*.sig /gramine/app_files/
+COPY --from=unsigned_image /gramine/app_files/*.sgx /gramine/app_files/
diff --git a/Integrations/azure/akv-sign/README.md b/Integrations/azure/akv-sign/README.md
index fabc0d2..b5e2ad9 100644
--- a/Integrations/azure/akv-sign/README.md
+++ b/Integrations/azure/akv-sign/README.md
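Review bot: The signing helper is fetched at build time from a mutable branch with no integrity check — `RUN wget -P /gramine/app_files/ https://raw.githubusercontent.com/gramineproject/contrib/master/Integrations/azure/akv-sign/gramine-sgx-akv-sign` — and, per the README, that script is what drives the production HSM key, so any change pushed to `master` silently changes what gets signed with it. Pin the raw URL to a commit SHA and verify the download against a checksum recorded in the template (`sha256sum -c`), or `COPY` the script from the local checkout instead, since it lives in the same directory as this template (whether GSC's `sign-image` build context includes it I cannot tell from here). The same concern applies to `RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash`, which runs an unpinned installer as root without `pipefail` — the CentOS variant at least imports Microsoft's signing key and installs from the signed repository — and to the unpinned `pip install azure-keyvault-keys azure-identity tomli tomli_w`. The separate `RUN az login` / `RUN az logout` steps leave the CLI token cache in a committed layer of the `unsigned_image` stage exactly as in the CentOS template and should be merged into one `RUN` that removes the cache before it exits.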
@@ -4,9 +4,9 @@ SGX enclaves must be signed using a 3072-bit RSA key. This key needs to be protected and must not be disclosed to anyone. Typically for production deployments, you should use a key secured in a Hardware Security Module (HSM). -This directory contains a plugin to Gramine tools that enables support for -production signing of SGX enclaves using keys from Azure Key Vault (AKV) Managed -HSM. +This directory contains the plugin to Gramine tools as well as Dockerfile +templates that enable support for production signing of SGX enclaves using keys +from Azure Key Vault (AKV) Managed HSM. ## Prerequisites for SGX enclave signing @@ -32,3 +32,12 @@ The command to sign the enclave with AKV's Managed HSM looks like this: where `sgx_sign_key` is the name of the RSA private key created in the AKV's Managed HSM with Vault URL `https://myakv-mhsm.managedhsm.azure.net`. + +## Templates for use with Gramine Shielded Containers (GSC) + +This directory contains two Dockerfile templates, intended for use with GSC's +`sign-image` command. GSC `sign-image` command can take in a user supplied +Dockerfile as an argument to `--template` to sign the graminized docker image. +Please note that these are templates and the users need to update the template +with the required details to make it a self-contained Dockerfile before passing +it to `gsc sign-image` command.