diff --git a/bin/tee-self-attestation-test/Dockerfile-azure b/bin/tee-self-attestation-test/Dockerfile-azure
deleted file mode 100644
index 73526cb..0000000
--- a/bin/tee-self-attestation-test/Dockerfile-azure
+++ /dev/null
@@ -1,85 +0,0 @@
-FROM docker.io/ubuntu:20.04 AS azuredcap
-WORKDIR /build
-ADD https://github.com/microsoft/Azure-DCAP-Client/archive/refs/tags/1.12.0.tar.gz ./Azure-DCAP-Client.tar.gz
-RUN tar -xvf Azure-DCAP-Client.tar.gz
-COPY assets/Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
-RUN set -eux; \
- apt-get update; \
- apt-get install -y software-properties-common; \
- add-apt-repository ppa:team-xbmc/ppa -y; \
- apt-get update; \
- apt-get install -y \
- build-essential \
- cmake \
- libssl-dev \
- libcurl4-openssl-dev \
- pkg-config \
- nlohmann-json3-dev \
- wget \
- dos2unix \
- ;
-
-WORKDIR /build/Azure-DCAP-Client-1.12.0
-RUN dos2unix src/dcap_provider.cpp && patch -p1 < ../Azure-DCAP-Client.patch
-WORKDIR /build/Azure-DCAP-Client-1.12.0/src/Linux
-RUN ./configure && make && make install
-
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-self-attestation-test.manifest.template.toml' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-self-attestation-test --bin tee-self-attestation-test \
- && mv ./target/x86_64-unknown-linux-gnu/release/tee-self-attestation-test ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list \
- && apt-get update \
- && apt purge -y libsgx-dcap-default-qpl \
- && apt-get install -y az-dcap-client
-
-RUN apt purge -y libsgx-ae-qve
-# libsgx-urts
-
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /etc/sgx_default_qcnl.conf
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-self-attestation-test .
-COPY ./bin/tee-self-attestation-test/tee-self-attestation-test.manifest.template.toml .
-COPY vault/enclave-key.pem .
-
-# The original Azure library is still delivering expired collateral, so we have to use a patched version
-COPY --from=azuredcap /usr/local/lib/libdcap_quoteprov.so /usr/lib/
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-self-attestation-test.manifest.template.toml tee-self-attestation-test.manifest \
- && gramine-sgx-sign --manifest tee-self-attestation-test.manifest --output tee-self-attestation-test.manifest.sgx --key enclave-key.pem \
- && rm enclave-key.pem
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-self-attestation-test" ]
diff --git a/bin/tee-self-attestation-test/Dockerfile-intel b/bin/tee-self-attestation-test/Dockerfile-intel
deleted file mode 100644
index c30f99f..0000000
--- a/bin/tee-self-attestation-test/Dockerfile-intel
+++ /dev/null
@@ -1,58 +0,0 @@
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-admin.manifest.template' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-self-attestation-test --bin tee-self-attestation-test \
- && mv ./target/x86_64-unknown-linux-gnu/release/tee-self-attestation-test ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- libsgx-dcap-default-qpl \
- libsgx-urts \
- libsgx-enclave-common \
- libsgx-dcap-quote-verify
-RUN apt purge -y libsgx-ae-qve
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /lib/libdcap_quoteprov.so
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-self-attestation-test .
-COPY ./bin/tee-self-attestation-test/tee-self-attestation-test.template.toml .
-COPY vault/enclave-key.pem .
-
-COPY assets/sgx_default_qcnl.conf.json /etc/sgx_default_qcnl.conf
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-self-attestation-test.template.toml tee-self-attestation-test.manifest \
- && gramine-sgx-sign --manifest tee-self-attestation-test.manifest --output tee-self-attestation-test.manifest.sgx --key enclave-key.pem \
- && rm enclave-key.pem
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "exec gramine-sgx tee-self-attestation-test" ]
diff --git a/bin/tee-stress-client/Dockerfile-azure b/bin/tee-stress-client/Dockerfile-azure
deleted file mode 100644
index 56ac72e..0000000
--- a/bin/tee-stress-client/Dockerfile-azure
+++ /dev/null
@@ -1,85 +0,0 @@
-FROM docker.io/ubuntu:20.04 AS azuredcap
-WORKDIR /build
-ADD https://github.com/microsoft/Azure-DCAP-Client/archive/refs/tags/1.12.0.tar.gz ./Azure-DCAP-Client.tar.gz
-RUN tar -xvf Azure-DCAP-Client.tar.gz
-COPY assets/Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
-RUN set -eux; \
- apt-get update; \
- apt-get install -y software-properties-common; \
- add-apt-repository ppa:team-xbmc/ppa -y; \
- apt-get update; \
- apt-get install -y \
- build-essential \
- cmake \
- libssl-dev \
- libcurl4-openssl-dev \
- pkg-config \
- nlohmann-json3-dev \
- wget \
- dos2unix \
- ;
-
-WORKDIR /build/Azure-DCAP-Client-1.12.0
-RUN dos2unix src/dcap_provider.cpp && patch -p1 < ../Azure-DCAP-Client.patch
-WORKDIR /build/Azure-DCAP-Client-1.12.0/src/Linux
-RUN ./configure && make && make install
-
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-stress-client.manifest.template' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-stress-client --bin tee-stress-client \
- && mv ./target/x86_64-unknown-linux-gnu/release/tee-stress-client ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list \
- && apt-get update \
- && apt purge -y libsgx-dcap-default-qpl \
- && apt-get install -y az-dcap-client
-
-RUN apt purge -y libsgx-ae-qve
-# libsgx-urts
-
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /etc/sgx_default_qcnl.conf
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-stress-client .
-COPY ./bin/tee-stress-client/tee-stress-client.manifest.template .
-COPY vault/enclave-key.pem .
-
-# The original Azure library is still delivering expired collateral, so we have to use a patched version
-COPY --from=azuredcap /usr/local/lib/libdcap_quoteprov.so /usr/lib/
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-stress-client.manifest.template tee-stress-client.manifest \
- && gramine-sgx-sign --manifest tee-stress-client.manifest --output tee-stress-client.manifest.sgx --key enclave-key.pem \
- && rm enclave-key.pem
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-stress-client" ]
diff --git a/bin/tee-stress-client/Dockerfile-intel b/bin/tee-stress-client/Dockerfile-intel
deleted file mode 100644
index 4f84bc3..0000000
--- a/bin/tee-stress-client/Dockerfile-intel
+++ /dev/null
@@ -1,58 +0,0 @@
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-stress-client.manifest.template' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-stress-client --bin tee-stress-client \
- && mv ./target/x86_64-unknown-linux-gnu/release/tee-stress-client ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- libsgx-dcap-default-qpl \
- libsgx-urts \
- libsgx-enclave-common \
- libsgx-dcap-quote-verify
-RUN apt purge -y libsgx-ae-qve
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /lib/libdcap_quoteprov.so
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-stress-client .
-COPY ./bin/tee-stress-client/tee-stress-client.manifest.template .
-COPY vault/enclave-key.pem .
-
-COPY assets/sgx_default_qcnl.conf.json /etc/sgx_default_qcnl.conf
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-stress-client.manifest.template tee-stress-client.manifest \
- && gramine-sgx-sign --manifest tee-stress-client.manifest --output tee-stress-client.manifest.sgx --key enclave-key.pem \
- && rm enclave-key.pem
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-stress-client" ]
diff --git a/bin/tee-vault-admin/Dockerfile-intel b/bin/tee-vault-admin/Dockerfile-intel
deleted file mode 100644
index 6e8d21e..0000000
--- a/bin/tee-vault-admin/Dockerfile-intel
+++ /dev/null
@@ -1,58 +0,0 @@
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-admin.manifest.template' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-admin --bin tee-vault-admin \
- && mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-admin ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- libsgx-dcap-default-qpl \
- libsgx-urts \
- libsgx-enclave-common \
- libsgx-dcap-quote-verify
-RUN apt purge -y libsgx-ae-qve
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /lib/libdcap_quoteprov.so
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-vault-admin .
-COPY ./bin/tee-vault-admin/tee-vault-admin.manifest.template .
-COPY vault/enclave-key.pem .
-
-COPY assets/sgx_default_qcnl.conf.json /etc/sgx_default_qcnl.conf
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-admin.manifest.template tee-vault-admin.manifest \
- && gramine-sgx-sign --manifest tee-vault-admin.manifest --output tee-vault-admin.manifest.sgx --key enclave-key.pem \
- && rm enclave-key.pem
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-admin" ]
diff --git a/bin/tee-vault-unseal/Dockerfile-intel b/bin/tee-vault-unseal/Dockerfile-intel
deleted file mode 100644
index 870b3ab..0000000
--- a/bin/tee-vault-unseal/Dockerfile-intel
+++ /dev/null
@@ -1,65 +0,0 @@
-FROM ghcr.io/matter-labs/vault-auth-tee:latest AS vault-auth-tee
-
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-COPY --from=vault-auth-tee /opt/vault/plugins/vault-auth-tee ./
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-unseal.manifest.template' -av /data/ ./
-RUN sha256sum /opt/vault/plugins/vault-auth-tee | ( read a _ ; echo -n $a ) | tee assets/vault-auth-tee.sha256
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-unseal --bin tee-vault-unseal \
- && mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-unseal ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- libsgx-dcap-default-qpl \
- libsgx-urts \
- libsgx-enclave-common \
- libsgx-dcap-quote-verify
-RUN apt purge -y libsgx-ae-qve
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /lib/libdcap_quoteprov.so
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-vault-unseal .
-COPY ./bin/tee-vault-unseal/tee-vault-unseal.manifest.template .
-COPY vault/enclave-key.pem .
-RUN mkdir -p /opt/vault/tls && rm -rf /opt/vault/tls/*
-
-COPY assets/sgx_default_qcnl.conf.json /etc/sgx_default_qcnl.conf
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-unseal.manifest.template tee-vault-unseal.manifest \
- && gramine-sgx-sign --manifest tee-vault-unseal.manifest --output tee-vault-unseal.manifest.sgx --key enclave-key.pem \
- && rm enclave-key.pem
-
-VOLUME /opt/vault/tls
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-unseal" ]
diff --git a/bin/verify-attestation/Dockerfile b/bin/verify-attestation/Dockerfile
deleted file mode 100644
index 627902a..0000000
--- a/bin/verify-attestation/Dockerfile
+++ /dev/null
@@ -1,46 +0,0 @@
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- build-essential \
- cmake \
- rsync \
- pkg-config \
- libssl-dev \
- libcurl4-openssl-dev \
- libprotobuf-dev \
- protobuf-compiler \
- clang \
- libsgx-headers \
- libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-admin.manifest.template' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
- RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
- cargo build --locked --target x86_64-unknown-linux-gnu --release -p verify-attestation --bin verify-attestation \
- && mv ./target/x86_64-unknown-linux-gnu/release/verify-attestation ./
-
-FROM docker.io/ubuntu:20.04
-
-RUN apt-get update \
- && apt-get install -y curl
-
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
- && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
- libsgx-dcap-default-qpl \
- libsgx-urts \
- libsgx-enclave-common \
- libsgx-dcap-quote-verify
-RUN apt purge -y libsgx-ae-qve
-RUN rm -rf /var/lib/apt/lists/*
-
-COPY --from=buildtee /build/verify-attestation /bin/verify-attestation
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "verify-attestation" ]