From 2904c898a125f384fc7d4bb75665f6e46281f696 Mon Sep 17 00:00:00 2001
From: 0xZensh
Date: Tue, 5 Nov 2024 08:46:36 +0800
Subject: [PATCH] chore: add enclave building
---
nitro_enclave/amd64.Dockerfile | 50 ++++++++++++++++++++++++++++
nitro_enclave/arm64.Dockerfile | 50 ++++++++++++++++++++++++++++
nitro_enclave/setup.sh | 28 ++++++++++++++++
nitro_enclave/supervisord.conf | 47 ++++++++++++++++++++++++++
src/ic_tee_nitro_gateway/Cargo.toml | 2 +-
src/ic_tee_nitro_gateway/src/main.rs | 7 ++--
6 files changed, 178 insertions(+), 6 deletions(-)
create mode 100644 nitro_enclave/amd64.Dockerfile
create mode 100644 nitro_enclave/arm64.Dockerfile
create mode 100644 nitro_enclave/setup.sh
create mode 100644 nitro_enclave/supervisord.conf
diff --git a/nitro_enclave/amd64.Dockerfile b/nitro_enclave/amd64.Dockerfile
new file mode 100644
index 0000000..f85437e
--- /dev/null
+++ b/nitro_enclave/amd64.Dockerfile
@@ -0,0 +1,50 @@
+# base image
+FROM --platform=amd64 rust:slim-bookworm AS builder
+
+RUN apt-get update \
+ && apt-get install -y gcc g++ libc6-dev pkg-config libssl-dev
+
+WORKDIR /src
+COPY src ./src
+COPY Cargo.toml Cargo.lock ./
+RUN cargo build --release --locked -p ic_tee_nitro_gateway
+
+FROM debian:bookworm-slim AS runtime
+
+# install dependency tools
+RUN apt-get update \
+ && apt-get install -y net-tools iptables iproute2 wget ca-certificates tzdata curl openssl \
+ && update-ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+# working directory
+WORKDIR /app
+
+# supervisord to manage programs
+RUN wget -O supervisord http://public.artifacts.marlin.pro/projects/enclaves/supervisord_master_linux_amd64
+RUN chmod +x supervisord
+
+# transparent proxy component inside the enclave to enable outgoing connections
+RUN wget -O ip-to-vsock-transparent http://public.artifacts.marlin.pro/projects/enclaves/ip-to-vsock-transparent_v1.0.0_linux_amd64
+RUN chmod +x ip-to-vsock-transparent
+
+# proxy to expose attestation server outside the enclave
+RUN wget -O vsock-to-ip http://public.artifacts.marlin.pro/projects/enclaves/vsock-to-ip_v1.0.0_linux_amd64
+RUN chmod +x vsock-to-ip
+
+# dnsproxy to provide DNS services inside the enclave
+RUN wget -O dnsproxy http://public.artifacts.marlin.pro/projects/enclaves/dnsproxy_v0.72.0_linux_amd64
+RUN chmod +x dnsproxy
+
+# supervisord config
+COPY nitro_enclave/supervisord.conf /etc/supervisord.conf
+
+# setup.sh script that will act as entrypoint
+COPY nitro_enclave/setup.sh ./
+RUN chmod +x setup.sh
+
+# your custom setup goes here
+COPY --from=builder /src/target/release/ic_tee_nitro_gateway ./ic_tee_nitro_gateway
+
+# entry point
+ENTRYPOINT [ "/app/setup.sh" ]
\ No newline at end of file
diff --git a/nitro_enclave/arm64.Dockerfile b/nitro_enclave/arm64.Dockerfile
new file mode 100644
index 0000000..df0996d
--- /dev/null
+++ b/nitro_enclave/arm64.Dockerfile
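Review bot: The four `RUN wget -O … http://public.artifacts.marlin.pro/…` lines fetch supervisord, ip-to-vsock-transparent, vsock-to-ip and dnsproxy over plain HTTP with no integrity check, and `supervisord_master_linux_amd64` is not even version-pinned, so the bytes that end up in the enclave image (and therefore its PCR measurement) depend on whatever the mirror serves at build time. Fetch over `https://` and verify a pinned digest before marking the file executable, e.g. `RUN wget -O supervisord https://public.artifacts.marlin.pro/projects/enclaves/supervisord_master_linux_amd64 \`, `&& echo "<SHA256_PLACEHOLDER>  supervisord" | sha256sum -c - \`, `&& chmod +x supervisord`, and the same for the other three downloads. Pinning a tagged supervisord release instead of `master` keeps the build reproducible. The corresponding lines in nitro_enclave/arm64.Dockerfile have the same problem.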
@@ -0,0 +1,50 @@
+# base image
+FROM --platform=arm64 rust:slim-bookworm AS builder
+
+RUN apt-get update \
+ && apt-get install -y gcc g++ libc6-dev pkg-config libssl-dev
+
+WORKDIR /src
+COPY src ./src
+COPY Cargo.toml Cargo.lock ./
+RUN cargo build --release --locked -p ic_tee_nitro_gateway
+
+FROM debian:bookworm-slim AS runtime
+
+# install dependency tools
+RUN apt-get update \
+ && apt-get install -y net-tools iptables iproute2 wget ca-certificates tzdata curl openssl \
+ && update-ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+# working directory
+WORKDIR /app
+
+# supervisord to manage programs
+RUN wget -O supervisord http://public.artifacts.marlin.pro/projects/enclaves/supervisord_master_linux_arm64
+RUN chmod +x supervisord
+
+# transparent proxy component inside the enclave to enable outgoing connections
+RUN wget -O ip-to-vsock-transparent http://public.artifacts.marlin.pro/projects/enclaves/ip-to-vsock-transparent_v1.0.0_linux_arm64
+RUN chmod +x ip-to-vsock-transparent
+
+# proxy to expose attestation server outside the enclave
+RUN wget -O vsock-to-ip http://public.artifacts.marlin.pro/projects/enclaves/vsock-to-ip_v1.0.0_linux_arm64
+RUN chmod +x vsock-to-ip
+
+# dnsproxy to provide DNS services inside the enclave
+RUN wget -O dnsproxy http://public.artifacts.marlin.pro/projects/enclaves/dnsproxy_v0.72.0_linux_arm64
+RUN chmod +x dnsproxy
+
+# supervisord config
+COPY nitro_enclave/supervisord.conf /etc/supervisord.conf
+
+# setup.sh script that will act as entrypoint
+COPY nitro_enclave/setup.sh ./
+RUN chmod +x setup.sh
+
+# your custom setup goes here
+COPY --from=builder /src/target/release/ic_tee_nitro_gateway ./ic_tee_nitro_gateway
+
+# entry point
+ENTRYPOINT [ "/app/setup.sh" ]
\ No newline at end of file
diff --git a/nitro_enclave/setup.sh b/nitro_enclave/setup.sh
new file mode 100644
index 0000000..1a211ab
--- /dev/null
+++ b/nitro_enclave/setup.sh
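Review bot: arm64.Dockerfile is a line-for-line copy of amd64.Dockerfile in which only the `--platform=` value and the `_linux_amd64`/`_linux_arm64` suffixes differ, so every future change to the build, the fetched tools or the runtime packages has to be made twice and the two files will drift apart. A single Dockerfile that reads the architecture from the builtin `ARG TARGETARCH` (e.g. `…/supervisord_master_linux_${TARGETARCH}`) and drops the hard-coded `--platform=` on the `FROM` line, built with `--platform linux/amd64` or `linux/arm64`, removes the duplication. If the two files are kept, a comment at the top of each saying it must be kept in sync with the other would at least make the coupling visible.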
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# setting an address for loopback
+ifconfig lo 127.0.0.1
+ifconfig
+
+# Debian: failed to initialize nft: Protocol not supported
+update-alternatives --set iptables /usr/sbin/iptables-legacy
+# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+# update-alternatives --set arptables /usr/sbin/arptables-legacy
+# update-alternatives --set ebtables /usr/sbin/ebtables-legacy
+
+# adding a default route
+ip route add default via 127.0.0.1 dev lo
+route -n
+
+# iptables rules to route traffic to transparent proxy
+iptables -A OUTPUT -t nat -p tcp --dport 1:65535 ! -d 127.0.0.1 -j DNAT --to-destination 127.0.0.1:1200
+# replace the source address with 127.0.0.1 for outgoing packets with a source of 0.0.0.0
+# ensures returning packets have 127.0.0.1 as the destination and not 0.0.0.0
+iptables -t nat -A POSTROUTING -o lo -s 0.0.0.0 -j SNAT --to-source 127.0.0.1
+iptables -L -t nat -v -n
+
+# your custom setup goes here
+
+# starting supervisord
+cat /etc/supervisord.conf
+/app/supervisord
diff --git a/nitro_enclave/supervisord.conf b/nitro_enclave/supervisord.conf
new file mode 100644
index 0000000..87ec024
--- /dev/null
+++ b/nitro_enclave/supervisord.conf
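Review bot: The script runs under `#!/bin/sh` without `set -e`, so if `update-alternatives`, `ip route add` or either `iptables` rule fails (the comment above the `update-alternatives` line already records one such failure mode), execution continues and supervisord is started with the transparent-proxy redirect missing; adding `set -e` directly after the shebang makes a broken network setup abort enclave boot instead of surfacing later as unexplained connection failures. The last line also leaves the shell as the parent of supervisord; `exec /app/supervisord` replaces the shell so supervisord receives signals directly and no idle `sh` remains as PID 1. The `cat /etc/supervisord.conf` line dumps the whole config, including the gateway command line, to the console on every boot and reads as a leftover from debugging; consider removing it once the setup is stable.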
@@ -0,0 +1,47 @@
+[supervisord]
+loglevel=debug
+logfile=/dev/stdout
+logfile_maxbytes=0
+
+# transparent proxy component inside enclave
+[program:ip-to-vsock-transparent]
+command=/app/ip-to-vsock-transparent --vsock-addr 3:1200 --ip-addr 127.0.0.1:1200
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+# DNS-over-HTTPS provider
+[program:dnsproxy]
+command=/app/dnsproxy -u https://1.1.1.1/dns-query -v
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+[program:ic_tee_nitro_gateway-local]
+command=/app/vsock-to-ip --vsock-addr 88:8080 --ip-addr 127.0.0.1:8080
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+[program:ic_tee_nitro_gateway-public]
+command=/app/vsock-to-ip --vsock-addr 88:443 --ip-addr 127.0.0.1:8443
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
+
+# your custom programs go here
+[program:ic_tee_nitro_gateway]
+command=/app/ic_tee_nitro_gateway --authentication-canister e7tgb-6aaaa-aaaap-akqfa-cai --id-scope image --session-expires-in-ms 86400000 --configuration-canister 53cyg-yyaaa-aaaap-ahpua-cai --configuration-namespace _ --configuration-upgrade-identity fbi6t-ogdrt-s4de4-sxive-x4yid-xfrk2-e6jgf-jbnuh-rzxoj-qv2qa-zae
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stdout
+stderr_logfile_maxbytes=0
diff --git a/src/ic_tee_nitro_gateway/Cargo.toml b/src/ic_tee_nitro_gateway/Cargo.toml
index e5db798..b3a26c9 100644
--- a/src/ic_tee_nitro_gateway/Cargo.toml
+++ b/src/ic_tee_nitro_gateway/Cargo.toml
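Review bot: `[program:ic_tee_nitro_gateway-local]` forwards vsock 88:8080 to the gateway's plaintext listener on 127.0.0.1:8080, so the parent instance can reach that listener directly; if it serves anything meant to stay enclave-internal (the `-local` name suggests it might), confirm the exposure is intended and add a comment above the section stating which endpoints it carries and who is expected to call it. None of the five programs declares a `priority`, so there is no explicit start order and the gateway may come up before ip-to-vsock-transparent and dnsproxy are listening, relying on `autorestart=true` to recover; a `priority=` line per program (lower values start first) makes the dependency explicit. `loglevel=debug` in the `[supervisord]` section is supervisord's own log level and is noisier than a production image needs; `loglevel=info` is the usual default.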
@@ -2,7 +2,7 @@
 name = "ic_tee_nitro_gateway"
 description = "An gateway service in an AWS Nitro enclave."
 repository = "https://github.com/ldclabs/ic-tee/tree/main/src/ic_tee_nitro_gateway"
-publish = true
+publish = false
 version.workspace = true
 edition.workspace = true
 keywords.workspace = true
diff --git a/src/ic_tee_nitro_gateway/src/main.rs b/src/ic_tee_nitro_gateway/src/main.rs
index 41d66ba..4b083b1 100644
--- a/src/ic_tee_nitro_gateway/src/main.rs
+++ b/src/ic_tee_nitro_gateway/src/main.rs
@@ -53,9 +53,6 @@ struct Cli {
 #[clap(long, value_parser)]
 configuration_namespace: String,
 
- #[clap(long, value_parser)]
- configuration_tls: String,
-
 /// identity to upgrade
 #[clap(long, value_parser)]
 configuration_upgrade_identity: Option,
@@ -209,7 +206,7 @@ async fn main() -> Result<()> {
 tee_agent: tee_agent.clone(),
 upstream_port: None,
 });
- let addr: SocketAddr = "127.0.0.1:80".parse().map_err(anyhow::Error::new)?;
+ let addr: SocketAddr = "127.0.0.1:8080".parse().map_err(anyhow::Error::new)?;
 let listener = tokio::net::TcpListener::bind(&addr)
 .await
 .map_err(anyhow::Error::new)?;
@@ -259,7 +256,7 @@ async fn main() -> Result<()> {
 tee_agent: tee_agent.clone(),
 upstream_port: cli.upstream_port,
 });
- let addr: SocketAddr = "127.0.0.1:443".parse().map_err(anyhow::Error::new)?;
+ let addr: SocketAddr = "127.0.0.1:8443".parse().map_err(anyhow::Error::new)?;
 let config = RustlsConfig::from_pem(tls.crt.to_vec(), tls.key.to_vec())
 .await
 .map_err(|err| anyhow::anyhow!("read tls file failed: {:?}", err))?;
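Review bot: The listen addresses `"127.0.0.1:8080"` (the `@@ -209,7 +206,7 @@` hunk) and `"127.0.0.1:8443"` (the `@@ -259,7 +256,7 @@` hunk) are string literals that must agree with the `--ip-addr` values in nitro_enclave/supervisord.conf, and a mismatch only shows up at runtime as a vsock-to-ip forward into a closed port; lifting them to named constants next to the `Cli` struct, e.g. `const LOCAL_ADDR: SocketAddr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 8080);` and `const PUBLIC_ADDR: SocketAddr = SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 8443);`, also removes the `.parse().map_err(anyhow::Error::new)?` on a value that cannot fail to parse. This needs `IpAddr` and `Ipv4Addr` imported from `std::net`, which is outside the hunk. A short comment on each constant naming the supervisord.conf program that forwards to it (`ic_tee_nitro_gateway-local`, `ic_tee_nitro_gateway-public`) would document the coupling. `main` starts and ends outside both hunks.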