Merge pull request #3 from acompany-develop/imamura/fix-setup-scripts

hyperfinitism · web-flow · commit fc960a1bc31a · 2026-01-28T18:06:25.000+09:00
fix(scripts): fix and refactor setup scripts
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,7 @@
 .DS_Store
 
+AWS_NitroEnclaves_Root-G1.zip
+root.pem
+
 target/
 debug/
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 SHELL := /bin/bash
 
-.PHONY: help setup-docker setup-nitro-cli setup-client build-enclave build-proxy build-client run-enclave run-proxy run-client terminate-enclave
+.PHONY: help setup-docker setup-nitro-cli setup-client download-root-ca build-enclave build-proxy build-client run-enclave run-proxy run-client terminate-enclave
 
 ENCLAVE_CID ?= 16
 ENCLAVE_MEMORY ?= 512
@@ -13,16 +13,17 @@ help:
 	@echo "Targets:"
 	@echo "  help              Show this help message"
 	@echo "  For Parent VM:"
-	@echo "    setup-docker      Install Docker (requires Ubuntu + sudo) for Parent VM"
-	@echo "    setup-nitro-cli   Install Nitro Enclaves Driver and CLI for Parent VM"
+	@echo "    setup-docker      Install Docker (requires Ubuntu + sudo)"
+	@echo "    setup-nitro-cli   Install Nitro Enclaves Driver and CLI"
 	@echo "    build-enclave     Build enclave Docker image and create EIF file"
 	@echo "    build-proxy       Build vsock proxy"
 	@echo "    run-enclave       Run Nitro Enclave"
 	@echo "    run-proxy         Run vsock proxy"
 	@echo "    terminate-enclave Terminate Nitro Enclave"
 	@echo "  For Client:"
-	@echo "    setup-client      Install Rust and AWS Nitro Enclaves root certificate"
+	@echo "    setup-client      Install Rust and dependencies"
 	@echo "    build-client      Build client application"
+	@echo "    download-root-ca  Download AWS Nitro Enclaves root CA certificate"
 	@echo "    run-client        Run client"
 
 setup-docker:
@@ -37,6 +38,10 @@ setup-client:
 	@echo "Running scripts/setup-client.sh"
 	@bash ./scripts/setup-client.sh
 
+download-root-ca:
+	@echo "Running scripts/download-root-ca.sh"
+	@bash ./scripts/download-root-ca.sh
+
 build-enclave:
 	@echo "Building Docker image"
 	@docker build -t rafwne-enclave ./enclave
diff --git a/README.md b/README.md
@@ -6,41 +6,56 @@ This repository demonstrates a simple end-to-end flow against an AWS Nitro Encla
 - **Parent VM**: An AWS EC2 instance (Ubuntu 24.04) with Nitro Enclaves enabled. Runs the Enclave and the vsock proxy.
 - **Client**: Can run on any machine, but this README assumes you run it on the Parent VM (localhost).
 
-## Tested environment (detailed)
+## Tested environments
+
+Tested on the Parent VM environments listed below. The Server (vsock proxy) runs on localhost on the Parent VM, and the Client also runs on the same Parent VM.
 
 ### Parent VM (AWS EC2)
 
+#### Ubuntu 24.04 (x86_64)
+
 - **Instance type**: `c5.xlarge`
   - vCPUs: 4
   - Memory: 8 GiB
-  - CPU arch: `x86_64`
+  - CPU arch: x86_64
 - **AMI**: Ubuntu Server 24.04 LTS
   - AMI ID: `ami-06e3c045d79fd65d9`
-- **Storage**: 64 GiB `gp3`
+- **Storage**: 64 GiB gp3
+- **Kernel**: 6.14.0-1018-aws
+- **Nitro Enclaves**: Enabled
+- **Nitro Enclaves CLI / driver**: v1.4.4
+
+#### Ubuntu 24.04 (AArch64)
+
+- **Instance type**: `m6g.xlarge`
+  - vCPUs: 4
+  - Memory: 16 GiB
+  - CPU arch: AArch64
+- **AMI**: Ubuntu Server 24.04 LTS
+  - AMI ID: `ami-01da1dbf9ea3a6ee6`
+- **Storage**: 64 GiB gp3
 - **Kernel**: 6.14.0-1018-aws
 - **Nitro Enclaves**: Enabled
 - **Nitro Enclaves CLI / driver**: v1.4.4
-- **Rust toolchain**: v1.90.0
 
 ### Enclave
 
 - **OS**: Ubuntu 24.04
 - **Allocated vCPUs**: 2
 - **Allocated Memory**: 512 MiB
-- **OS**: Ubuntu 24.04
-- **Rust toolchain**: v1.90.0
 
-### Client
+### Test configuration
 
-- Ran on the same Parent VM (localhost).
+- **Server (vsock proxy)**: Runs on localhost (`127.0.0.1`) on the Parent VM
+- **Client**: Runs on the same Parent VM
 
 ## Architecture
 
 - `enclave/`: Enclave application (listens on vsock `port=5000`)
 - `proxy/`: **untrusted** HTTP → vsock proxy (listens on HTTP `ip:port`, forwards to vsock `port=5000`)
 - `client/`: Client app (POSTs JSON to the proxy, verifies attestation, then calls the confidential computing API)
 
-## Quick start (all on the Parent VM)
+## Quick start
 
 Clone the repository:
 
@@ -49,17 +64,18 @@ git clone <THIS_REPOSITORY>
 cd <THIS_REPOSITORY>
 ```
 
-### 1. Parent VM setup (Ubuntu 24.04)
+### 1. Parent VM setup
 
 ```bash
 make setup-docker
 make setup-nitro-cli
 ```
 
-### 2. Client setup (this README runs it on the Parent VM)
+### 2. Client setup
 
 ```bash
 make setup-client
+make download-root-ca
 ```
 
 ### 3. Build the Enclave image and copy PCRs into `client-configs.json`
diff --git a/scripts/download-root-ca.sh b/scripts/download-root-ca.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+# Download AWS Nitro Enclaves root certificate
+AWS_CA_ZIP_FILE="AWS_NitroEnclaves_Root-G1.zip"
+curl -fsSL https://aws-nitro-enclaves.amazonaws.com/"$AWS_CA_ZIP_FILE" -o "$AWS_CA_ZIP_FILE"
+
+# Extract the first *.pem found inside the zip directly to ./root.pem
+CA_PEM_PATH="$(unzip -Z1 "$AWS_CA_ZIP_FILE" | grep -Ei '\.pem$' | head -n1)"
+if [ -z "$CA_PEM_PATH" ]; then
+  echo "ERROR: no .pem file found inside $AWS_CA_ZIP_FILE" >&2
+  unzip -Z1 "$AWS_CA_ZIP_FILE" >&2 || true
+  exit 1
+fi
+unzip -p "$AWS_CA_ZIP_FILE" "$CA_PEM_PATH" > ./root.pem
+chmod +r ./root.pem
+rm -f "$AWS_CA_ZIP_FILE"
diff --git a/scripts/setup-client.sh b/scripts/setup-client.sh
@@ -8,13 +8,4 @@ sudo apt-get install -y build-essential pkg-config libssl-dev git unzip
 
 # Install Rust
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-source $HOME/.cargo/env
-
-# Download AWS Nitro Enclaves root certificate
-curl https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip -o AWS_NitroEnclaves_Root-G1.zip
-unzip -o AWS_NitroEnclaves_Root-G1.zip -d .
-rm AWS_NitroEnclaves_Root-G1.zip
-
-# Make a stable filename expected by the Rust client (`root.pem`).
-#./*.pem => root.pem
-ls -la ./root.pem || cp ./*.pem root.pem
+source "$HOME/.cargo/env"
diff --git a/scripts/setup-nitro-cli.sh b/scripts/setup-nitro-cli.sh
@@ -2,7 +2,6 @@
 
 set -e
 
-USERNAME="$(whoami)"
 KERNEL_VERSION="$(uname -r)"
 
 # Install dependencies
@@ -11,7 +10,7 @@ sudo apt-get install -y build-essential git clang libclang-dev llvm-dev linux-mo
 
 # Install Rust
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-source $HOME/.cargo/env
+source "$HOME/.cargo/env"
 
 # Install Nitro Enclaves driver and CLI
 git clone https://github.com/aws/aws-nitro-enclaves-cli -b v1.4.4
@@ -29,9 +28,12 @@ pushd aws-nitro-enclaves-cli
 	sudo make nitro-cli
 	sudo make vsock-proxy
 	sudo make NITRO_CLI_INSTALL_DIR=/ install
-	source ./build/install/etc/profile.d/nitro-cli-env.sh
-	echo source ./build/install/etc/profile.d/nitro-cli-env.sh >> ~/.bashrc
-	./build/install/etc/profile.d/nitro-cli-config -i
+	source /etc/profile.d/nitro-cli-env.sh
+	grep -qF 'source /etc/profile.d/nitro-cli-env.sh' "$HOME/.bashrc" \
+		|| echo 'source /etc/profile.d/nitro-cli-env.sh' >> "$HOME/.bashrc"
+	set +e
+	( nitro-cli-config -i ) || echo "nitro-cli-config failed with exit code $?"
+	set -e
 popd
 
 # Start and enable the Nitro Enclaves Allocator Service
