fix(scripts): fix and refactor setup scripts

Author: hyperfinitism

.gitignore

@@ -1,4 +1,7 @@
 .DS_Store
 
+AWS_NitroEnclaves_Root-G1.zip
+root.pem
+
 target/
 debug/

Makefile

@@ -1,6 +1,6 @@
 SHELL := /bin/bash
 
-.PHONY: help setup-docker setup-nitro-cli setup-client build-enclave build-proxy build-client run-enclave run-proxy run-client terminate-enclave
+.PHONY: help setup-docker setup-nitro-cli setup-client download-root-ca build-enclave build-proxy build-client run-enclave run-proxy run-client terminate-enclave
 
 ENCLAVE_CID ?= 16
 ENCLAVE_MEMORY ?= 512
@@ -13,16 +13,17 @@ help:
 	@echo "Targets:"
 	@echo "  help              Show this help message"
 	@echo "  For Parent VM:"
-	@echo "    setup-docker      Install Docker (requires Ubuntu + sudo) for Parent VM"
-	@echo "    setup-nitro-cli   Install Nitro Enclaves Driver and CLI for Parent VM"
+	@echo "    setup-docker      Install Docker (requires Ubuntu + sudo)"
+	@echo "    setup-nitro-cli   Install Nitro Enclaves Driver and CLI"
 	@echo "    build-enclave     Build enclave Docker image and create EIF file"
 	@echo "    build-proxy       Build vsock proxy"
 	@echo "    run-enclave       Run Nitro Enclave"
 	@echo "    run-proxy         Run vsock proxy"
 	@echo "    terminate-enclave Terminate Nitro Enclave"
 	@echo "  For Client:"
-	@echo "    setup-client      Install Rust and AWS Nitro Enclaves root certificate"
+	@echo "    setup-client      Install Rust and dependencies"
 	@echo "    build-client      Build client application"
+	@echo "    download-root-ca  Download AWS Nitro Enclaves root CA certificate"
 	@echo "    run-client        Run client"
 
 setup-docker:
@@ -37,6 +38,10 @@ setup-client:
 	@echo "Running scripts/setup-client.sh"
 	@bash ./scripts/setup-client.sh
 
+download-root-ca:
+	@echo "Running scripts/download-root-ca.sh"
+	@bash ./scripts/download-root-ca.sh
+
 build-enclave:
 	@echo "Building Docker image"
 	@docker build -t rafwne-enclave ./enclave

README.md

@@ -20,15 +20,13 @@ This repository demonstrates a simple end-to-end flow against an AWS Nitro Encla
 - **Kernel**: 6.14.0-1018-aws
 - **Nitro Enclaves**: Enabled
 - **Nitro Enclaves CLI / driver**: v1.4.4
-- **Rust toolchain**: v1.90.0
 
 ### Enclave
 
 - **OS**: Ubuntu 24.04
 - **Allocated vCPUs**: 2
 - **Allocated Memory**: 512 MiB
 - **OS**: Ubuntu 24.04
-- **Rust toolchain**: v1.90.0
 
 ### Client
 
@@ -40,7 +38,7 @@ This repository demonstrates a simple end-to-end flow against an AWS Nitro Encla
 - `proxy/`: **untrusted** HTTP → vsock proxy (listens on HTTP `ip:port`, forwards to vsock `port=5000`)
 - `client/`: Client app (POSTs JSON to the proxy, verifies attestation, then calls the confidential computing API)
 
-## Quick start (all on the Parent VM)
+## Quick start
 
 Clone the repository:
 
@@ -49,17 +47,18 @@ git clone <THIS_REPOSITORY>
 cd <THIS_REPOSITORY>
 ```
 
-### 1. Parent VM setup (Ubuntu 24.04)
+### 1. Parent VM setup
 
 ```bash
 make setup-docker
 make setup-nitro-cli
 ```
 
-### 2. Client setup (this README runs it on the Parent VM)
+### 2. Client setup
 
 ```bash
 make setup-client
+make download-root-ca
 ```
 
 ### 3. Build the Enclave image and copy PCRs into `client-configs.json`

scripts/download-root-ca.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+# Download AWS Nitro Enclaves root certificate
+AWS_CA_ZIP_FILE="AWS_NitroEnclaves_Root-G1.zip"
+curl -fsSL https://aws-nitro-enclaves.amazonaws.com/"$AWS_CA_ZIP_FILE" -o "$AWS_CA_ZIP_FILE"
+
+# Extract the first *.pem found inside the zip directly to ./root.pem
+CA_PEM_PATH="$(unzip -Z1 "$AWS_CA_ZIP_FILE" | grep -Ei '\.pem$' | head -n1)"
+if [ -z "$CA_PEM_PATH" ]; then
+  echo "ERROR: no .pem file found inside $AWS_CA_ZIP_FILE" >&2
+  unzip -Z1 "$AWS_CA_ZIP_FILE" >&2 || true
+  exit 1
+fi
+unzip -p "$AWS_CA_ZIP_FILE" "$CA_PEM_PATH" > ./root.pem
+chmod +r ./root.pem
+rm -f "$AWS_CA_ZIP_FILE"

scripts/setup-client.sh

@@ -8,13 +8,4 @@ sudo apt-get install -y build-essential pkg-config libssl-dev git unzip
 
 # Install Rust
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-source $HOME/.cargo/env
-
-# Download AWS Nitro Enclaves root certificate
-curl https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip -o AWS_NitroEnclaves_Root-G1.zip
-unzip -o AWS_NitroEnclaves_Root-G1.zip -d .
-rm AWS_NitroEnclaves_Root-G1.zip
-
-# Make a stable filename expected by the Rust client (`root.pem`).
-#./*.pem => root.pem
-ls -la ./root.pem || cp ./*.pem root.pem
+source "$HOME/.cargo/env"

scripts/setup-nitro-cli.sh

@@ -2,7 +2,6 @@
 
 set -e
 
-USERNAME="$(whoami)"
 KERNEL_VERSION="$(uname -r)"
 
 # Install dependencies
@@ -11,7 +10,7 @@ sudo apt-get install -y build-essential git clang libclang-dev llvm-dev linux-mo
 
 # Install Rust
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-source $HOME/.cargo/env
+source "$HOME/.cargo/env"
 
 # Install Nitro Enclaves driver and CLI
 git clone https://github.com/aws/aws-nitro-enclaves-cli -b v1.4.4
@@ -29,9 +28,10 @@ pushd aws-nitro-enclaves-cli
 	sudo make nitro-cli
 	sudo make vsock-proxy
 	sudo make NITRO_CLI_INSTALL_DIR=/ install
-	source ./build/install/etc/profile.d/nitro-cli-env.sh
-	echo source ./build/install/etc/profile.d/nitro-cli-env.sh >> ~/.bashrc
-	./build/install/etc/profile.d/nitro-cli-config -i
+	source /etc/profile.d/nitro-cli-env.sh
+	grep -qF 'source /etc/profile.d/nitro-cli-env.sh' "$HOME/.bashrc" \
+		|| (echo source /etc/profile.d/nitro-cli-env.sh >> "$HOME/.bashrc" && source "$HOME/.bashrc")
+	nitro-cli-config -i
 popd
 
 # Start and enable the Nitro Enclaves Allocator Service