Commit 2df0d0c8 authored by YiLin.Li

ra-tls: Update README.md to keep consistent with 0.4.0

Signed-off-by: Yilin Li <YiLin.Li@linux.alibaba.com>
Parent 62f0bb3c
-# Configure SGX RA settings
-``` shell
+# Before you start
+- Refer to [this guide](https://github.com/alibaba/inclavare-containers#rune) to build `rune` from scratch.
+- Register a `SPID` and `Subscription Key` of [IAS](https://api.portal.trustedservices.intel.com/EPID-attestation). After the registration, Intel will respond with a SPID which is needed to communicate with IAS.
+# Run stub with Docker
+## Configure SGX RA settings
+```shell
 export SPID=<hex string>
 export EPID_SUBSCRIPTION_KEY=<hex string>
 export QUOTE_TYPE=<SGX_LINKABLE_SIGNATURE | SGX_UNLINKABLE_SIGNATURE>
 ```
-# Build Stub Enclave
-``` shell
-cd "${path_to_inclavare_containers}/stub-enclave"
-make
-sudo make install
+## Install dependency
+```shell
+yum install -y patch autoconf automake libtool
 ```
-# Build Docker images
-## Prepare the materials
-``` shell
-mkdir lib
-cp /usr/lib/x86_64-linux-gnu/libsgx_urts.so lib
-cp /usr/lib/x86_64-linux-gnu/libsgx_uae_service.so lib
-cp /usr/lib/x86_64-linux-gnu/libsgx_enclave_common.so.1 lib
-cp /usr/lib/x86_64-linux-gnu/libprotobuf.so.10 lib
-cp /lib/x86_64-linux-gnu/libseccomp.so.2 lib
+## Build liberpal-stub
+```shell
+cd "${path_to_inclavare_containers}/ra-tls"
+make
+cp pal/liberpal-stub.so /usr/lib
 ```
-## Dockerfile
-``` shell
+# Build stub container image
+```shell
+cd "${path_to_inclavare_containers}/ra-tls/stub-enclave"
+cat >Dockerfile <<EOF
 FROM ubuntu:18.04
 RUN mkdir -p /run/rune/stub-enclave
 WORKDIR /run/rune
-COPY lib /lib
-COPY liberpal-stub.so .
 COPY Wolfssl_Enclave.signed.so stub-enclave
-RUN ldconfig
+EOF
+docker build -t stub-enclave .
+```
+# Run stub container image with rune
+## Configure OCI runtime
+Refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md#configure-oci-runtime) to configure OCI runtime in dockerd config file.
+## Run stub container image with rune
+```shell
+docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
+-e ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-stub.so \
+-e ENCLAVE_RUNTIME_ARGS=stub-enclave stub-enclave
+```
+# Run stub OCI bundle
+## Create stub bundle
+In order to use `rune` you must have your container image in the format of an OCI bundle. If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing stub-enclave Docker container image.
+```shell
+# create the top most bundle directory
+cd "$HOME/rune_workdir"
+mkdir rune-container
+cd rune-container
+# create the rootfs directory
+mkdir rootfs
+# export stub-enclave image via Docker into the rootfs directory
+docker export $(docker create stub-enclave) | sudo tar -C rootfs -xvf -
 ```
-``` shell
-docker build -t ${stub-enclave-image} .
+After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. `rune` provides a spec command which is similar to `runc` to generate a template file that you are then able to edit.
+```shell
+rune spec
 ```
-# run stub-enclave images with rune
-``` shell
-docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
--e ENCLAVE_RUNTIME_PATH=/lib/liberpal-stub.so \
--e ENCLAVE_RUNTIME_ARGS=stub-enclave ${stub-enclave-image}
+To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.
+In order to run the stub-enclave bundle with `rune`, you need to configure enclave runtime as following:
+```json
+"annotations": {
+"enclave.type": "intelSgx",
+"enclave.runtime.path": "/usr/lib/liberpal-stub.so",
+"enclave.runtime.args": "stub-enclave"
+}
+```
+where:
+- @enclave.type: specify the type of enclave hardware to use, such as intelSgx.
+- @enclave.runtime.path: specify the path to enclave runtime to launch.
+- @enclave.runtime.args: specify the specific arguments to enclave runtime, seperated by the comma.
+## Run stub
+Assuming you have an OCI bundle from the previous step you can execute the container in this way.
+```shell
+cd "$HOME/rune_workdir/rune-container"
+sudo rune run stub-enclave-container
 ```
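Review bot: the new `# Build stub container image` step COPYs `Wolfssl_Enclave.signed.so` from `ra-tls/stub-enclave`, but with the old `# Build Stub Enclave` section removed nothing in the new text says what produces that file; if `make` in `ra-tls` builds it alongside `pal/liberpal-stub.so`, say so in the `## Build liberpal-stub` step, otherwise `docker build` fails on a missing COPY source. Related: dropping `COPY lib /lib` (libsgx_urts, libsgx_uae_service, libsgx_enclave_common, libprotobuf, libseccomp) and `RUN ldconfig` means the image no longer ships the SGX runtime, which matches `ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-stub.so` now being a host path, so `# Before you start` should state that the PAL and its SGX dependencies must be installed on the host rather than in the image. Smaller points: `cp pal/liberpal-stub.so /usr/lib` needs root (the old step used `sudo make install`, and `## Run stub` uses `sudo rune run`); `docker export $(docker create stub-enclave)` leaves a stopped container behind that should be removed with `docker rm` afterwards; and in the `# Run stub OCI bundle` text read `separated` for `seperated`, `as follows` for `as following`, and `topmost` for `top most`.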