Merge pull request #675 from fortanix/raoul/rte-252-ppid_retrieval_runtime_container

[rte-252] ppid_retrieval runtime container

Author: raoulstrackx

.github/workflows/build-docker-images.yml

@@ -24,6 +24,6 @@ jobs:
       - uses: actions/checkout@v4
       - name: Build the Docker image
         run: |
-          cd intel-sgx/ppid-retrieval-tool
-          docker build -t ppid-retrieval-tool:$(date +%s) .
-          
+          cd intel-sgx/ppid-retrieval-tool/Docker
+          ./build.sh
+

intel-sgx/ppid-retrieval-tool/Docker/Dockerfile

@@ -0,0 +1,67 @@
+# Stage 0: A Intel SGX SDK container
+FROM ubuntu:24.04 AS sgx_sdk
+
+## Install user
+RUN useradd -rm -d /home/ppid-tool -s /bin/bash -g root -G sudo -u 1010 ppid-tool
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN echo 'ppid-tool:ppid-tool' | chpasswd
+USER ppid-tool
+WORKDIR /home/ppid-tool
+
+## Install SGX Dev tools
+USER root
+RUN apt-get update && apt-get upgrade -y && apt-get install -y \
+    gnupg \
+    wget \
+    sudo
+
+## App build time dependencies
+RUN apt-get update
+RUN apt-get install -y build-essential
+
+WORKDIR /opt/intel
+RUN wget https://download.01.org/intel-sgx/sgx-linux/2.25/distro/ubuntu24.04-server/sgx_linux_x64_sdk_2.25.100.3.bin
+RUN chmod +x sgx_linux_x64_sdk_2.25.100.3.bin
+RUN echo 'yes' | ./sgx_linux_x64_sdk_2.25.100.3.bin
+
+## Install SGX runtime libraries
+USER root
+RUN echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
+RUN wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
+RUN echo 92f96f84281031d889deb81060c44325f0481aee621ae47a15ae1df4431b4a23 intel-sgx-deb.key | sha256sum -c
+RUN cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
+RUN apt-get update
+RUN apt-get install -y libsgx-urts
+
+# Stage 1: Building the ppid_retrieval tool
+FROM sgx_sdk AS ppid_retrieval_dev
+USER root
+
+WORKDIR ppid-tool
+COPY Enclave Enclave
+COPY pce pce
+COPY main.c main.c
+COPY Makefile Makefile
+
+RUN source /opt/intel/sgxsdk/environment && make
+
+ENTRYPOINT bash
+
+# Stage 2: Running the ppid_retrieval tool
+FROM ubuntu:24.04 AS ppid_retrieval
+
+# Install Intel SGX runtime
+RUN apt-get update && apt-get upgrade -y && apt-get install -y wget
+RUN echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | tee /etc/apt/sources.list.d/intel-sgx.list
+RUN wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
+RUN echo 92f96f84281031d889deb81060c44325f0481aee621ae47a15ae1df4431b4a23 intel-sgx-deb.key | sha256sum -c
+RUN cat intel-sgx-deb.key | tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
+RUN apt-get update
+RUN apt-get install -y libsgx-urts
+
+# Install ppid_retrieval tool
+COPY --from=ppid_retrieval_dev /opt/intel/ppid-tool/ppid_retrieval /ppid_retrieval
+COPY --from=ppid_retrieval_dev /opt/intel/ppid-tool/pce/libsgx_pce.signed.so.1.25.100.1 /pce/libsgx_pce.signed.so.1.25.100.1
+COPY --from=ppid_retrieval_dev /opt/intel/ppid-tool/Enclave/ppid.so /Enclave/ppid.so
+
+CMD ["/ppid_retrieval"]

intel-sgx/ppid-retrieval-tool/Docker/build.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+this_dir=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")
+cd ${this_dir}
+
+docker build -t ppid_retrieval:$(cat version) -f ./Dockerfile ../
+
+set +x
+echo "Build ready, you can run the tool"
+echo ""
+echo "  docker run --device /dev/sgx ppid_retrieval:$(cat version)"
+echo ""
+echo "Note: the SGX device on your host may differ"

intel-sgx/ppid-retrieval-tool/Docker/version

@@ -0,0 +1 @@
+1.0.0

intel-sgx/ppid-retrieval-tool/Dockerfile

@@ -4,6 +4,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include <stdio.h>
+#include <string.h>
 #include <sgx_urts.h>
 #include "Enclave/ppid_u.h"
 #include "pce/pce_u.h"
@@ -13,11 +14,14 @@
 #define DEBUG_ENCLAVE 1
 #define RELEASE_ENCLAVE 0
 
-void print_decrypted_ppid(unsigned char decrypted_ppid[], size_t length) {
-    printf("Decrypted PPID: ");
+void print_decrypted_ppid(unsigned char decrypted_ppid[], size_t length, int verbose) {
+    if (verbose)
+        printf("Plaintext PPID: ");
+
     for (size_t i = 0; i < length; ++i) {
         printf("%02x", decrypted_ppid[i]); // Print each byte in hex
     }
+
     printf("\n");
 }
 
@@ -111,6 +115,10 @@ int main(int argc, char **argv)
     sgx_status_t ecall_ret = SGX_SUCCESS;
     uint8_t decrypted_ppid[DECRYPTED_PPID_LENGTH];
     sgx_enclave_id_t ppid_enclave_eid = 0;
+    int verbose = 0;
+
+    if (argc == 2)
+        verbose = (strcmp(argv[1], "-v") == 0);
 
     memset(decrypted_ppid, 0x00, DECRYPTED_PPID_LENGTH);
 
@@ -135,7 +143,7 @@ int main(int argc, char **argv)
         goto CLEANUP;
     }
 
-    print_decrypted_ppid(decrypted_ppid, sizeof(decrypted_ppid));
+    print_decrypted_ppid(decrypted_ppid, sizeof(decrypted_ppid), verbose);
 
     CLEANUP:
     if(ppid_enclave_eid != 0) {