build: added scripts for local tee/sgx development

heeckhau · heeckhau · commit a0e6643ad0a5 · 2025-04-02T15:24:32.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -304,24 +304,17 @@ jobs:
       CONTAINER_REGISTRY: ghcr.io
     if: github.ref == 'refs/heads/dev' || (startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.'))
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: './crates/notary/server/tee/notary-server-sgx.Dockerfile'
+
       - name: Download notary-server-sgx.zip from gramine-sgx job
         uses: actions/download-artifact@v4
         with:
           name: notary-server-sgx.zip
           path: ./notary-server-sgx
 
-      - name: Create Dockerfile
-        run: |
-          cat <<EOF > ./Dockerfile
-          FROM gramineproject/gramine:latest
-          WORKDIR /work
-          COPY ./notary-server-sgx /work
-          RUN chmod +x /work/notary-server
-          LABEL org.opencontainers.image.source=https://github.com/tlsnotary/tlsn
-          LABEL org.opencontainers.image.description="TLSNotary notary server in SGX/Gramine."
-          ENTRYPOINT ["gramine-sgx", "notary-server"]
-          EOF
-
       - name: Log in to the Container registry
         uses: docker/login-action@v2
         with:
@@ -342,7 +335,8 @@ jobs:
           push: true
           tags: ${{ steps.meta-notary-server-sgx.outputs.tags }}
           labels: ${{ steps.meta-notary-server-sgx.outputs.labels }}
-          file: ./Dockerfile
+          file: ./crates/notary/server/tee/notary-server-sgx.Dockerfile
+
   build_and_publish_notary_server_image:
     name: Build and publish notary server's image
     runs-on: ubuntu-latest
diff --git a/crates/notary/server/tee/Dockerfile.gramine-local b/crates/notary/server/tee/Dockerfile.gramine-local
@@ -0,0 +1,6 @@
+FROM --platform=linux/amd64 gramineproject/gramine:latest
+
+RUN apt update && \
+    apt install -y jq openssl zip && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
diff --git a/crates/notary/server/tee/notary-server-sgx.Dockerfile b/crates/notary/server/tee/notary-server-sgx.Dockerfile
@@ -0,0 +1,13 @@
+FROM gramineproject/gramine:latest
+WORKDIR /work
+
+# This copies the contents of `notary-server-sgx.zip` from the ci build step into the container.
+# This zip file can also be created locally with `run-gramine-local.sh` in the `crates/notary/server/tee` directory.
+# This zip file contains the notary-server binary and the Gramine manifest and signatures.
+COPY ./notary-server-sgx /work
+RUN chmod +x /work/notary-server
+
+LABEL org.opencontainers.image.source=https://github.com/tlsnotary/tlsn
+LABEL org.opencontainers.image.description="TLSNotary notary server in SGX/Gramine."
+
+ENTRYPOINT ["gramine-sgx", "notary-server"]
diff --git a/crates/notary/server/tee/run-gramine-local.sh b/crates/notary/server/tee/run-gramine-local.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# This script is used to build and run the Gramine manifest for the Notary server in a local development environment.
+# It is intended to be run inside a Docker container with the Gramine SDK installed.
+
+# The Dockerfile used to build the container is located in the same directory as this script.
+# The Dockerfile is named "Dockerfile.gramine-local" and is used to create a container with the necessary dependencies
+# and tools to build and run the Gramine manifest.
+
+# To build the Docker image, run the following command:
+# ```
+# docker build -f Dockerfile.gramine-local -t gramine-local .
+# ```
+
+# ⚠️ This script assumes that the notary-server binary is already built (for linux/amd64) and available in the current directory.
+
+# To run the script inside the Docker container, use the following command:
+# ```
+# docker run --rm -it --platform=linux/amd64 -v "${PWD}:/app" -w /app/ gramine-local "bash -c ./run-gramine-local.sh"
+# ```
+
+set -euo pipefail
+
+echo "[*] Generating SGX signing key..."
+gramine-sgx-gen-private-key
+
+chmod +x notary-server
+
+echo "[*] Creating Gramine manifest..."
+gramine-manifest \
+    -Dlog_level=debug \
+    -Darch_libdir=/lib/x86_64-linux-gnu \
+    -Dself_exe=notary-server \
+    notary-server.manifest.template \
+    notary-server.manifest
+
+echo "[*] Signing manifest..."
+gramine-sgx-sign \
+    --manifest notary-server.manifest \
+    --output notary-server.manifest.sgx
+
+echo "[*] Viewing SIGSTRUCT..."
+gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig >notary-server-sigstruct.json
+
+cat notary-server-sigstruct.json | jq .
+
+mr_enclave=$(jq -r ".mr_enclave" notary-server-sigstruct.json)
+mr_signer=$(jq -r ".mr_signer" notary-server-sigstruct.json)
+
+echo "=============================="
+echo "MRENCLAVE: $mr_enclave"
+echo "MRSIGNER:  $mr_signer"
+echo "=============================="
+
+zip -r notary-server-sgx.zip \
+    notary-server \
+    notary-server-sigstruct.json \
+    notary-server.sig \
+    notary-server.manifest \
+    notary-server.manifest.sgx \
+    config \
+    notary-server-sgx.md
