Baremetal support

ansible/install_cenclave/tasks/main.yml

@@ -20,7 +20,61 @@
       - "/home/{{ ansible_user }}/.config/gramine/enclave-key.pem"
       - 3072
 
-- name: Install Cosmian Enclave CLI
-  pip:
-    name : cenclave
-    extra_args: --upgrade
+- name: Check Ubuntu version
+  ansible.builtin.debug:
+    msg: "Ubuntu version is {{ ansible_distribution_version }}"
+
+- name: Print ansible_user
+  ansible.builtin.debug:
+    msg: "Ansible user is {{ ansible_user }}"
+
+- name: Install pipx and Cosmian Enclave CLI for Ubuntu 24.04
+  block:
+    - name: Install pipx
+      ansible.builtin.apt:
+        name: pipx
+        state: latest
+
+    - name: Install Cosmian Enclave CLI using pipx
+      become: false
+      community.general.pipx:
+        name: cenclave
+        state: latest
+
+    - name: Ensure pipx is installed
+      become: false
+      ansible.builtin.command:
+        cmd: pipx ensurepath
+
+    - name: Verify cenclave is available
+      become: false
+      ansible.builtin.command:
+        cmd: cenclave --version
+      register: cenclave_version
+      ignore_errors: false
+
+    - name: Debug cenclave version
+      ansible.builtin.debug:
+        msg: "cenclave version: {{ cenclave_version.stdout }}"
+
+  when: ansible_distribution_version == "24.04"
+
+- name: Install Cosmian Enclave CLI for Ubuntu 22.04
+  block:
+    - name: Install Cosmian Enclave CLI using pip
+      ansible.builtin.pip:
+        name: cenclave
+        extra_args: --upgrade
+
+    - name: Verify cenclave is available
+      become: false
+      ansible.builtin.command:
+        cmd: cenclave --version
+      register: cenclave_version
+      ignore_errors: false
+
+    - name: Debug cenclave version
+      ansible.builtin.debug:
+        msg: "cenclave version: {{ cenclave_version.stdout }}"
+
+  when: ansible_distribution_version == "22.04"

ansible/install_pccs/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+# handlers file for nginx_backend
+- name: reload_nginx
+  systemd:
+    name: nginx
+    state: reloaded
+
+- name: Restart mysql
+  service:
+    name: mysql
+    state: restarted

ansible/install_pccs/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+# tasks file for pccs_deploy
+- name: Create pccs.conf
+  template:
+    src: pccs.conf.j2
+    dest: /home/{{ defined_user }}/pccs.conf
+    owner: "{{ defined_user }}"
+    group: "{{ defined_user }}"
+    mode: 0664
+
+- name: Run PCCS docker container
+  # you first need to install community.docker collection :
+  # ansible-galaxy collection install community.docker 
+  community.docker.docker_container:
+    name: pccs
+    image: ghcr.io/cosmian/pccs:1687279386
+    pull: true
+    restart_policy: always
+    detach: true
+    state: started
+    ports:
+      - "8081:8081"
+    volumes:
+      - /home/{{ defined_user }}/pccs.conf:/opt/intel/sgx-dcap-pccs/config/default.json

ansible/install_pccs/templates/pccs.conf.j2

@@ -0,0 +1,33 @@
+{
+    "HTTPS_PORT" : 8081,
+    "hosts" : "127.0.0.1",
+    "uri": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+    "ApiKey" : "{{ pccs_apikey }}",
+    "proxy" : "",
+    "RefreshSchedule": "0 0 1 * * *",
+    "UserTokenHash" : "{{ pccs_usertoken_hash }}",
+    "AdminTokenHash" : "{{ pccs_admintoken_hash }}",
+    "CachingFillMode" : "REQ",
+    "LogLevel" : "info",
+    "DB_CONFIG" : "{{ pccs_db_config }}",
+    "sqlite" : {
+        "database" : "{{ pccs_sqlite_db_name }}",
+        "username" : "{{ pccs_sqlite_cr_usr }}",
+        "password" : "{{ pccs_sqlite_usr_psswd }}",
+        "options" : {
+            "host": "{{ pccs_sqlite_options_host }}",
+            "dialect": "{{ pccs_sqlite_port_dialect }}",
+            "pool": {
+                "max": {{ pccs_sqlite_port_pool_max }},
+                "min": {{ pccs_sqlite_port_pool_min }},
+                "acquire": {{ pccs_sqlite_port_pool_acquire }},
+                "idle": {{ pccs_sqlite_port_pool_idle }}
+            },
+            "define": {
+                "freezeTableName": {{ pccs_sqlite_define_freezeTableName }}
+            },
+            "logging" : {{ pccs_sqlite_logging }},
+            "storage": "{{ pccs_sqlite_storage }}"
+        }
+    }
+}

ansible/install_sgx_deps/tasks/main.yml

@@ -37,15 +37,26 @@
     name: aesmd
     state: stopped
 
-- name: Edit sgx_default_qcnl.conf
+- name: Determine template based on environment
   ansible.builtin.template:
-    src: sgx_default_qcnl.conf.j2
+    src: "{{ 'azure_sgx_default_qcnl.conf.j2' if ansible_facts['virtualization_role'] == 'guest' else 'baremetal_sgx_default_qcnl.conf.j2' }}"
     dest: /etc/sgx_default_qcnl.conf
     owner: root
     group: root
     mode: 0644
   tags: qcnl
 
+- name: "Edit network_setting.conf"
+  ansible.builtin.template:
+    src: network_setting.conf.j2
+    dest: /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart_aesmd
+  tags: netset
+  when: ansible_facts['virtualization_type'] == 'baremetal'
+
 - name: Add aesmd user to sgx_prv group
   ansible.builtin.user:
     name: aesmd
@@ -55,4 +66,4 @@
 - name: Start AESMD
   ansible.builtin.systemd_service:
     name: aesmd
-    state: restarted
+    state: restarted

ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2

@@ -0,0 +1,55 @@
+{
+  // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
+
+  //PCCS server address
+  "pccs_url": "https://localhost:8081",
+
+  // To accept insecure HTTPS certificate, set this option to false
+  "use_secure_cert": false,
+
+  // You can use the Intel PCS or another PCCS to get quote verification collateral.  Retrieval of PCK
+  // Certificates will always use the PCCS described in PCCS_URL.  When COLLATERAL_SERVICE is not defined, both
+  // PCK Certs and verification collateral will be retrieved using PCCS_URL
+  //"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+
+  // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
+  // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
+  // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The PCCS_API_VERSION
+  // setting is ignored if COLLATERAL_SERVICE is set to the Intel PCS. In this case, the PCCS_API_VERSION is forced to be 3.1
+  // internally.  Currently, only values of 3.0 and 3.1 are valid.  Note, if you set this to 3.1, the PCCS use to retrieve
+  // verification collateral must support the new 3.1 APIs.
+  //"pccs_api_version": "3.1",
+
+  // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
+  // It will first wait one second and then for all forthcoming retries it will double the waiting time.
+  // By using RETRY_DELAY you disable this exponential backoff algorithm
+  "retry_times": 6,
+
+  // Sleep this amount of seconds before each retry when a transfer has failed with a transient error
+  "retry_delay": 10,
+
+  // If LOCAL_PCK_URL is defined, the QCNL will try to retrieve PCK cert chain from LOCAL_PCK_URL first,
+  // and failover to PCCS_URL as in legacy mode.
+  //"local_pck_url": "http://localhost:8081",
+
+  // If LOCAL_PCK_URL is not defined, the QCNL will cache PCK certificates in memory by default.
+  // The cached PCK certificates will expire after PCK_CACHE_EXPIRE_HOURS hours.
+  "pck_cache_expire_hours": 168,
+
+  // To set cache expire time for quote verification collateral in hours
+  "verify_collateral_cache_expire_hours": 168
+
+  // You can add custom request headers and parameters to the get certificate API.
+  // But the default PCCS implementation just ignores them.
+  //,"custom_request_options" : {
+  //  "get_cert" : {
+  //    "headers": {
+  //      "head1": "value1"
+  //    },
+  //    "params": {
+  //      "param1": "value1",
+  //      "param2": "value2"
+  //    }
+  //  }
+  //}
+}

ansible/install_sgx_deps/templates/network_setting.conf.j2

@@ -0,0 +1,28 @@
+# #############################################################
+# PCCS server address
+# support V3 version PCCS
+#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
+# support V4 version PCCS
+PCCS_URL=https://{{ __pccs }}/sgx/certification/v4/platforms
+# To accept insecure HTTPS cert, set this option to FALSE
+#USE_SECURE_CERT=TRUE
+###############################################################
+
+
+###############################################################
+# when access pccs, user need provide the token
+user_token={{ __usertoken }}
+###############################################################
+
+
+###############################################################
+# Proxy settings:proxy type could be the following three types
+# direct: means no proxy used
+# default: system default proxy will be used
+# manual: when this type was selected, user need provide the proxy_url
+
+proxy_type=direct
+#proxy_type    = default
+#proxy_type  = manual
+#proxy_url   = http://proxy_url:proxy_port
+###############################################################

ansible/main.yml

@@ -1,9 +1,30 @@
+
 ---
+
 - name: Cosmian Enclave installation on Ubuntu
   hosts: all
   become: true
+  pre_tasks:
+    - name: Check if the machine is bare-metal
+      ansible.builtin.set_fact:
+        is_baremetal: "{{ ansible_facts['virtualization_type'] == 'kvm' }}"
+
   roles:
     - update_ubuntu
-    - install_sgx_deps
     - install_docker
-    - install_cenclave
+    - install_sgx_deps
+
+  tasks:
+
+    - name: Include role install_pccs for bare-metal only
+      ansible.builtin.include_role:
+        name: install_pccs
+      when: is_baremetal
+
+    - name: Always include install_cenclave role
+      ansible.builtin.include_role:
+        name: install_cenclave
+
+    - name: Run validation_test
+      ansible.builtin.include_role:
+        name: validation_test

ansible/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+# tasks file for install_docker
+
+- name: Add official Docker APT repository
+  block:
+    - name: Download Docker GPG public key
+      ansible.builtin.apt_key:
+        state: present
+        url: https://download.docker.com/linux/ubuntu/gpg 
+        keyring: /etc/apt/trusted.gpg.d/docker.gpg
+
+    - name: Add Docker APT repository
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+        state: present
+        filename: docker
+        update_cache: yes
+
+- name: Install Docker packages
+  apt:
+    name: "{{ item }}"
+    state: latest
+    update_cache: yes
+  loop:
+    - docker-ce
+    - docker-ce-cli
+    - containerd.io
+    - docker-compose-plugin
+  tags: dockinstall
+
+- name: Start Docker
+  service:
+    name: docker
+    state: started
+    enabled: yes
+
+- name: Add user to group docker
+  user:
+    name: "{{ ansible_user }}"
+    groups: docker
+    append: yes

ansible/validation_test/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+# roles/validation_test/tasks/main.yml
+
+- name: Set Docker socket
+  set_fact:
+    ansible_docker_extra_args: "-H unix:///var/run/docker.sock"
+
+- name: Pull Docker image
+  community.docker.docker_image:
+    name: ghcr.io/cosmian/gramine-minimal
+    tag: "20241202140525"
+    source: pull
+
+- name: Run Docker container
+  community.docker.docker_container:
+    name: gramine_minimal
+    image: ghcr.io/cosmian/gramine-minimal:20241202140525
+    devices:
+      - /dev/sgx_enclave
+      - /dev/sgx_provision
+    volumes:
+      - /var/run/aesmd:/var/run/aesmd/
+    state: started
+    interactive: yes
+    tty: yes
+  register: docker_container_info
+
+- name: Wait for the container to be ready
+  command: docker logs gramine_minimal
+  register: docker_logs
+  retries: 15
+  delay: 3
+  until: "'Hello World' in docker_logs.stdout"
+
+- name: Capture the output of the Docker container
+  debug:
+    msg: "Hello World found in the output"
+
+# Clean
+- name: Stop and remove the container
+  community.docker.docker_container:
+    name: gramine_minimal
+    state: absent
+
+- name: Remove Docker image
+  community.docker.docker_image:
+    name: ghcr.io/cosmian/gramine-minimal
+    tag: "20241202140525"
+    state: absent