Skip to content

Commit

Permalink
Migrate validator to use TDX
Browse files Browse the repository at this point in the history
  • Loading branch information
Volara committed Dec 8, 2024
1 parent a664b92 commit 3c7657b
Show file tree
Hide file tree
Showing 6 changed files with 93 additions and 283 deletions.
169 changes: 57 additions & 112 deletions .github/workflows/build-and-release.yml
View file
Original file line number Diff line number Diff line change
@@ -1,112 +1,57 @@
name: Build and Release

on:
push:
branches: [main]
pull_request:
branches: [main]

permissions:
contents: write

jobs:
build-and-release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.11"

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Build Docker image
uses: docker/build-push-action@v4
with:
context: .
load: true
tags: |
volara-proof:${{ github.run_number }}
volara-proof:latest
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Clone and set up GSC
run: |
git clone https://github.com/gramineproject/gsc.git
cd gsc
python3 -m pip install --no-cache-dir 'docker>=7.1.0' 'jinja2>=3.1.4' 'tomli>=2.0.1' 'tomli-w>=1.0.0' 'pyyaml>=6.0.2'
- name: Create signing key
run: |
echo "${{ secrets.SIGNING_KEY }}" > signing_key.pem
chmod 600 signing_key.pem
- name: Build GSC image
run: |
cd gsc
./gsc build volara-proof ../volara-proof.manifest.template -c ../config.yaml
- name: Sign GSC image
run: |
cd gsc
./gsc sign-image volara-proof ../signing_key.pem -c ../config.yaml
- name: Export GSC image to file
run: |
docker save gsc-volara-proof:latest | gzip > gsc-volara-proof-${{ github.run_number }}.tar.gz
- name: Generate verification data
run: |
cd gsc
./gsc info-image gsc-volara-proof > ../sigstruct.txt
- name: Upload image
uses: actions/upload-artifact@v3
with:
name: gsc-volara-proof-image
path: gsc-volara-proof-${{ github.run_number }}.tar.gz

- name: Upload verification data
uses: actions/upload-artifact@v3
with:
name: gsc-volara-proof-sigstruct
path: sigstruct.txt

- name: Generate release body
run: |
echo "MRSIGNER: $(grep -oP 'mr_signer = "\K[^"]*' sigstruct.txt)" >> release_body.txt
echo "MRENCLAVE: $(grep -oP 'mr_enclave = "\K[^"]*' sigstruct.txt)" >> release_body.txt
echo "Image SHA256: $(sha256sum gsc-volara-proof-${{ github.run_number }}.tar.gz | cut -d' ' -f1)" >> release_body.txt
- name: Create Release and Upload Assets
uses: softprops/action-gh-release@v1
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: v${{ github.run_number }}
name: Release v${{ github.run_number }}
body_path: release_body.txt
draft: false
prerelease: false
files: |
./gsc-volara-proof-${{ github.run_number }}.tar.gz
./sigstruct.txt
- name: Cleanup signing key
if: always()
run: |
rm -f signing_key.pem
- name: Log build result
if: always()
run: |
if [ ${{ job.status }} == "success" ]; then
echo "Build and release completed successfully"
else
echo "Build and release failed"
fi
build-and-release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.11"

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Build Docker image
uses: docker/build-push-action@v4
with:
context: .
load: true
tags: |
volara-proof:${{ github.run_number }}
volara-proof:latest
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Export image to file
run: |
docker save volara-proof:latest | gzip > volara-proof-${{ github.run_number }}.tar.gz
- name: Generate release body
run: |
echo "Image SHA256: $(sha256sum volara-proof-${{ github.run_number }}.tar.gz | cut -d' ' -f1)" >> release_body.txt
- name: Upload image
uses: actions/upload-artifact@v3
with:
name: volara-proof-image
path: volara-proof-${{ github.run_number }}.tar.gz

- name: Create Release and Upload Assets
uses: softprops/action-gh-release@v1
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: v${{ github.run_number }}
name: Release v${{ github.run_number }}
body_path: release_body.txt
draft: false
prerelease: false
files: |
./volara-proof-${{ github.run_number }}.tar.gz
- name: Log build result
if: always()
run: |
if [ ${{ job.status }} == "success" ]; then
echo "Build and release completed successfully"
else
echo "Build and release failed"
fi
2 changes: 0 additions & 2 deletions Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,6 @@ FROM python:3.12-slim
# Install any Python dependencies your application needs, e.g.:
RUN pip install --no-cache-dir requests

RUN mkdir /sealed && chmod 777 /sealed

WORKDIR /app

COPY . /app
Expand Down
113 changes: 35 additions & 78 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,110 +28,64 @@ This template provides a basic structure for building proof tasks that:
}
```

The project is designed to work with [Gramine](https://gramine.readthedocs.io/en/latest/), a lightweight library OS that enables running unmodified applications in secure enclaves, such as Intel SGX (Software Guard Extensions). This allows the code to run in a trusted execution environment, ensuring confidentiality and integrity of the computation.
The project is designed to work with Intel TDX (Trust Domain Extensions), providing hardware-level isolation and security guarantees for confidential computing workloads.

## Project Structure

- `volara_proof/`: Contains the main proof logic
- `my_proof/`: Contains the main proof logic
- `proof.py`: Implements the proof generation logic
- `__main__.py`: Entry point for the proof execution
- `models/`: Data models for the proof system
- `demo/`: Contains sample input and output for testing
- `.github/workflows/`: CI/CD pipeline for building and releasing
- `Dockerfile`: Defines the container image for the proof task
- `volara-proof.manifest.template`: Gramine manifest template for running securely in an Intel SGX enclave
- `config.yaml`: Configuration file for Gramine Shielded Containers (GSC)
- `requirements.txt`: Python package dependencies

## Getting Started

To use this template:

1. Fork this repository
2. Modify the `volara_proof/proof.py` file to implement your specific proof logic
3. Update the `volara-proof.manifest.template` if you need to add any additional files or change the configuration
2. Modify the `my_proof/proof.py` file to implement your specific proof logic
3. Update the project dependencies in `requirements.txt` if needed
4. Commit your changes and push to your repository

## Customizing the Proof Logic

The main proof logic is implemented in `volara_proof/proof.py`. To customize it, update the `Proof.generate()` function to change how input files are processed.
The main proof logic is implemented in `my_proof/proof.py`. To customize it, update the `Proof.generate()` function to change how input files are processed.

The proof can be configured using environment variables. When running in an enclave, the environment variables must be defined in the `volara-proof.manifest.template` file as well. The following environment variables are used for this demo proof:
The proof can be configured using environment variables:

- `COOKIES`: The cookies for the data contributor
- `USER_EMAIL`: The email address of the data contributor, to verify data ownership

If you want to use a language other than Python, you can modify the Dockerfile to install the necessary dependencies and build the proof task in the desired language.

## Local Development

To run the proof locally, without Gramine, you can use Docker:
To run the proof locally for testing, you can use Docker:

```
docker build -t volara-proof .
```bash
docker build -t my-proof .
docker run \
--rm \
--volume $(pwd)/demo/sealed:/sealed \
--volume $(pwd)/demo/input:/input \
--volume $(pwd)/demo/output:/output \
--env [email protected] \
volara-proof
--rm \
--volume $(pwd)/input:/input \
--volume $(pwd)/output:/output \
--env [email protected] \
my-proof
```

## Building and Releasing

This template includes a GitHub Actions workflow that automatically:

1. Builds a Docker image with your code
2. Creates a Gramine-shielded container (GSC) image
3. Publishes the GSC image as a GitHub release

**Important:** To use this workflow, you must generate a signing key and add it to your GitHub secrets. Follow these steps:

1. Generate a signing key (see instructions below)
2. Add the key as a GitHub secret named `SIGNING_KEY`
3. Push your changes to the `main` branch or create a pull request

### Generating the Gramine Signing Key (Required)

Before building and signing your graminized Docker image, you must generate a signing key. This key is crucial for creating secure SGX enclaves. Here's how to generate it:

1. If you have Gramine installed:

```
gramine-sgx-gen-private-key enclave-key.pem
```

2. If you don't have Gramine, use OpenSSL:

```
openssl genrsa -3 -out enclave-key.pem 3072
```
## Running with Intel TDX

After generating the key:
Intel TDX (Trust Domain Extensions) provides hardware-based memory encryption and integrity protection for virtual machines. To run this container in a TDX-enabled environment, follow your infrastructure provider's specific instructions for deploying confidential containers.

1. Keep this key secure, as it will be used to sign your enclaves.
2. Add the contents of `enclave-key.pem` as a GitHub secret named `SIGNING_KEY`.
Common volume mounts and environment variables:

This key is essential for the `gsc sign-image` step in the GSC workflow.

## Running with SGX

Intel SGX (Software Guard Extensions) is a set of security-related instruction codes built into modern Intel CPUs. It allows parts of a program to be executed in a secure enclave, isolated from the rest of the system.

To load a released image with docker, copy the URL from the release and run:

```
curl -L https://address/of/gsc-volara-proof.tar.gz | docker load
```

To run the image:

```
```bash
docker run \
--rm \
--volume /gsc-volara-proof/input:/input \
--volume /gsc-volara-proof/output:/output \
--device /dev/sgx_enclave:/dev/sgx_enclave \
--volume /var/run/aesmd:/var/run/aesmd \
--volume /mnt/gsc-volara-proof/sealed:/sealed \
--env [email protected] \
gsc-volara-proof
--rm \
--volume /path/to/input:/input \
--volume /path/to/output:/output \
--env [email protected] \
my-proof
```

Remember to populate the `/input` directory with the files you want to process.
Expand All @@ -140,10 +94,13 @@ Remember to populate the `/input` directory with the files you want to process.

This template leverages several security features:

1. **Secure Enclaves**: The proof runs inside an SGX enclave, isolating it from the rest of the system.
2. **Encrypted Storage**: The `/sealed` directory is automatically encrypted/decrypted by Gramine, providing secure storage for sensitive data.
3. **Input/Output Isolation**: Input and output directories are mounted separately, ensuring clear data flow boundaries.
4. **Minimal Attack Surface**: The Gramine manifest limits the files and resources accessible to the enclave, reducing potential vulnerabilities.
1. **Hardware-based Isolation**: The proof runs inside a TDX-protected environment, isolating it from the rest of the system
2. **Input/Output Isolation**: Input and output directories are mounted separately, ensuring clear data flow boundaries
3. **Minimal Container**: Uses a minimal Python base image to reduce attack surface

## Customization

Feel free to modify any part of this template to fit your specific needs. The goal is to provide a starting point that can be easily adapted to various proof tasks.

## Contributing

Expand Down
55 changes: 0 additions & 55 deletions config.yaml
View file

This file was deleted.

Loading

0 comments on commit 3c7657b

Please sign in to comment.