Add AKV Dockerfile templates for signing with gsc #20

Open. Wants to merge 4 commits into base: master
41 changes: 41 additions & 0 deletions Integrations/azure/akv-sign/Dockerfile.sign.akv.centos.template
@@ -0,0 +1,41 @@
# This Dockerfile template is derived from a generic
# https://github.com/gramineproject/gsc/blob/master/templates/Dockerfile.common.sign.template

FROM {{image}} as unsigned_image

# Install the required packages using root user
USER root

RUN dnf update -y \
&& dnf install -y \
curl \
wget \
&& /usr/bin/python3 -B -m pip install azure-keyvault-keys azure-identity tomli tomli_w

RUN rpm --import https://packages.microsoft.com/keys/microsoft.asc
RUN dnf install -y https://packages.microsoft.com/config/rhel/8/packages-microsoft-prod.rpm
RUN dnf install -y azure-cli

# Switch back to original app_image user
USER {{app_user}}

RUN wget -P /gramine/app_files/ https://raw.githubusercontent.com/gramineproject/contrib/master/Integrations/azure/akv-sign/gramine-sgx-akv-sign

RUN chmod +x /gramine/app_files/gramine-sgx-akv-sign

RUN az login

RUN {% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %} \
/gramine/app_files/gramine-sgx-akv-sign \
--url <akv_mhsm_url> \
--key <akv_sign_key> \
--manifest /gramine/app_files/entrypoint.manifest \
--output /gramine/app_files/entrypoint.manifest.sgx

RUN az logout

# This trick removes all temporary files from the previous commands
FROM {{image}}

COPY --from=unsigned_image /gramine/app_files/*.sig /gramine/app_files/
COPY --from=unsigned_image /gramine/app_files/*.sgx /gramine/app_files/
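Review bot: `RUN dnf update -y` (and, to a lesser degree, the `dnf install` and `pip install` steps after it) modifies the `unsigned_image` stage before `gramine-sgx-akv-sign` computes the measurement, while the final stage starts again from the untouched `{{image}}` and copies back only `*.sig` and `*.sgx`. Any file under a path the manifest lists as trusted (system libraries, the Python tree) that these steps replace or add is hashed in a state the shipped image does not contain, so the enclave would refuse those files at runtime. Drop the blanket `dnf update -y`, install only what the signing step needs, and check what the install steps touch against the manifest's trusted-files list. Two smaller points in the same hunk: `RUN az login` runs inside `docker build` with no terminal, so it depends on the device-code flow being completed from the build log and leaves a cached token in this stage's `~/.azure` (the multi-stage copy is the only thing keeping it out of the final image); a managed-identity or service-principal login supplied through a build secret would be non-interactive and reproducible. And `wget -P /gramine/app_files/ https://raw.githubusercontent.com/gramineproject/contrib/master/...` fetches the signing tool itself from a moving branch with no pinned commit and no checksum; pin a commit or tag and verify a sha256 before the `chmod +x`.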
39 changes: 39 additions & 0 deletions Integrations/azure/akv-sign/Dockerfile.sign.akv.debian.template
@@ -0,0 +1,39 @@
# This Dockerfile template is derived from a generic
# https://github.com/gramineproject/gsc/blob/master/templates/Dockerfile.common.sign.template

FROM {{image}} as unsigned_image

# Install the required packages using root user
USER root

RUN apt-get update -y \
&& env DEBIAN_FRONTEND=noninteractive apt-get install -y \
curl \
wget \
&& /usr/bin/python3 -B -m pip install azure-keyvault-keys azure-identity tomli tomli_w

RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

# Switch back to original app_image user
USER {{app_user}}

RUN wget -P /gramine/app_files/ https://raw.githubusercontent.com/gramineproject/contrib/master/Integrations/azure/akv-sign/gramine-sgx-akv-sign

RUN chmod +x /gramine/app_files/gramine-sgx-akv-sign

RUN az login

RUN {% block path %}export PYTHONPATH="${PYTHONPATH}:$(find /gramine/meson_build_output/lib -type d -path '*/site-packages')" &&{% endblock %} \
/gramine/app_files/gramine-sgx-akv-sign \
--url <akv_mhsm_url> \
--key <akv_sign_key> \
--manifest /gramine/app_files/entrypoint.manifest \
--output /gramine/app_files/entrypoint.manifest.sgx

RUN az logout

# This trick removes all temporary files from the previous commands
FROM {{image}}

COPY --from=unsigned_image /gramine/app_files/*.sig /gramine/app_files/
COPY --from=unsigned_image /gramine/app_files/*.sgx /gramine/app_files/
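Review bot: `RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash` pipes a script fetched through a redirecting short URL straight into a root shell, with no pinned version and no signature or checksum check. The CentOS template in this PR does better by importing `microsoft.asc` and installing `azure-cli` from the packages.microsoft.com repository; mirror that here (add the apt repository with its signing key, then `apt-get install -y azure-cli`). The same caveat as in the CentOS template applies to running `apt-get install` and `pip install` in the stage that produces the measurement while the final stage is the unmodified `{{image}}`: anything they replace or add under a trusted-files path is hashed in a state the shipped image does not have. As in the other template, the `wget` of `gramine-sgx-akv-sign` from `master` is unpinned, and `RUN az login` relies on an interactive flow inside `docker build`.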
15 changes: 12 additions & 3 deletions Integrations/azure/akv-sign/README.md
Expand Up @@ -4,9 +4,9 @@ SGX enclaves must be signed using a 3072-bit RSA key. This key needs to be
protected and must not be disclosed to anyone. Typically for production
deployments, you should use a key secured in a Hardware Security Module (HSM).

This directory contains a plugin to Gramine tools that enables support for
production signing of SGX enclaves using keys from Azure Key Vault (AKV) Managed
HSM.
This directory contains the plugin to Gramine tools as well as Dockerfile
templates that enable support for production signing of SGX enclaves using keys
from Azure Key Vault (AKV) Managed HSM.

## Prerequisites for SGX enclave signing

Expand All @@ -32,3 +32,12 @@ The command to sign the enclave with AKV's Managed HSM looks like this:

where `sgx_sign_key` is the name of the RSA private key created in the AKV's
Managed HSM with Vault URL `https://myakv-mhsm.managedhsm.azure.net`.

## Templates for use with Gramine Shielded Containers (GSC)

This directory contains two Dockerfile templates, intended for use with GSC's
`sign-image` command. GSC `sign-image` command can take in a user supplied
Dockerfile as an argument to `--template` to sign the graminized docker image.
Please note that these are templates and the users need to update the template
with the required details to make it a self-contained Dockerfile before passing
it to `gsc sign-image` command.
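Review bot: the new section says users must "update the template with the required details" but does not say which details. Name the two values the templates leave as literal placeholders, `--url <akv_mhsm_url>` and `--key <akv_sign_key>` (the Vault URL and key name already described in the section above), state that the `az login` step needs an Azure identity with sign permission on that key to be available during `docker build`, and say which template matches which base image (the CentOS one uses `dnf` and `lib64`, the Debian one `apt-get` and `lib`). Showing the full `gsc sign-image` invocation with `--template` pointing at the edited file would also save readers from reconstructing it from the GSC docs.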