chore: cleanup and nixify

* create containers with nix
* updated README.md
* added SPDX license headers

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

bin/tee-vault-admin/Dockerfile-azure

@@ -1,85 +0,0 @@
-FROM docker.io/ubuntu:20.04 AS azuredcap
-WORKDIR /build
-ADD https://github.com/microsoft/Azure-DCAP-Client/archive/refs/tags/1.12.0.tar.gz ./Azure-DCAP-Client.tar.gz
-RUN tar -xvf Azure-DCAP-Client.tar.gz
-COPY assets/Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
-RUN set -eux; \
-    apt-get update; \
-    apt-get install -y software-properties-common; \
-    add-apt-repository ppa:team-xbmc/ppa -y; \
-    apt-get update; \
-    apt-get install -y \
-        build-essential \
-        cmake \
-        libssl-dev \
-        libcurl4-openssl-dev \
-        pkg-config \
-        nlohmann-json3-dev \
-        wget \
-        dos2unix \
-        ;
-
-WORKDIR /build/Azure-DCAP-Client-1.12.0
-RUN dos2unix src/dcap_provider.cpp && patch -p1 < ../Azure-DCAP-Client.patch
-WORKDIR /build/Azure-DCAP-Client-1.12.0/src/Linux
-RUN ./configure && make && make install
-
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
-    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends \
-        build-essential \
-        cmake \
-        rsync \
-        pkg-config \
-        libssl-dev \
-        libcurl4-openssl-dev \
-        libprotobuf-dev \
-        protobuf-compiler \
-        clang \
-        libsgx-headers \
-        libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-admin.manifest.template' -av /data/ ./
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
-    RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
-    cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-admin --bin tee-vault-admin \
-    && mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-admin ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc \
-    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list \
-    && apt-get update \
-    && apt purge -y libsgx-dcap-default-qpl \
-    && apt-get install -y az-dcap-client
-
-RUN apt purge -y libsgx-ae-qve
-#    libsgx-urts
-
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /etc/sgx_default_qcnl.conf
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-vault-admin .
-COPY ./bin/tee-vault-admin/tee-vault-admin.manifest.template .
-COPY vault/enclave-key.pem .
-
-# The original Azure library is still delivering expired collateral, so we have to use a patched version
-COPY --from=azuredcap /usr/local/lib/libdcap_quoteprov.so /usr/lib/
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-admin.manifest.template tee-vault-admin.manifest \
-    && gramine-sgx-sign --manifest tee-vault-admin.manifest --output tee-vault-admin.manifest.sgx --key enclave-key.pem \
-    && rm enclave-key.pem
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-admin" ]

bin/tee-vault-admin/tee-vault-admin.manifest.template

@@ -1,66 +0,0 @@
-libos.entrypoint = "/app/tee-vault-admin"
-
-[loader]
-argv = [ "/app/tee-vault-admin" ]
-entrypoint = "file:{{ gramine.libos }}"
-env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}:/lib"
-env.HOME = "/app"
-env.MALLOC_ARENA_MAX = "1"
-env.AZDCAP_DEBUG_LOG_LEVEL = "ignore"
-env.AZDCAP_COLLATERAL_VERSION = "v4"
-
-### Admin Config ###
-env.PORT  = { passthrough = true }
-
-### VAULT attestation ###
-env.VAULT_ADDR = { passthrough = true }
-env.VAULT_SGX_MRENCLAVE = { passthrough = true }
-env.VAULT_SGX_MRSIGNER = { passthrough = true }
-env.VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true }
-
-### DEBUG ###
-env.RUST_BACKTRACE = "1"
-env.RUST_LOG="info,tee_vault_admin=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"
-
-[fs]
-root.uri = "file:/"
-start_dir = "/app"
-mounts = [
-  { path = "{{ execdir }}", uri = "file:{{ execdir }}" },
-  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
-  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
-  { path = "/etc", uri = "file:/etc" },
-  { type = "tmpfs", path = "/var/tmp" },
-  { type = "tmpfs", path = "/tmp" },
-  { type = "tmpfs", path = "/app/.dcap-qcnl" },
-  { type = "tmpfs", path = "/app/.az-dcap-client" },
-  { path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
-]
-
-[sgx]
-trusted_files = [
-  "file:/etc/ld.so.cache",
-  "file:/app/",
-  "file:{{ execdir }}/",
-  "file:{{ arch_libdir }}/",
-  "file:/usr/{{ arch_libdir }}/",
-  "file:{{ gramine.libos }}",
-  "file:{{ gramine.runtimedir() }}/",
-  "file:/usr/lib/ssl/openssl.cnf",
-  "file:/etc/ssl/",
-  "file:/etc/sgx_default_qcnl.conf",
-  "file:/lib/libdcap_quoteprov.so",
-]
-remote_attestation = "dcap"
-max_threads = 64
-edmm_enable = false
-## max enclave size
-enclave_size = "8G"
-
-[sys]
-enable_extra_runtime_domain_names_conf = true
-enable_sigterm_injection = true
-
-# possible tweak option, if problems with mio
-# currently mio is compiled with `mio_unsupported_force_waker_pipe`
-# insecure__allow_eventfd = true

bin/tee-vault-unseal/Dockerfile-azure

@@ -1,92 +0,0 @@
-FROM ghcr.io/matter-labs/vault-auth-tee:latest AS vault-auth-tee
-
-FROM docker.io/ubuntu:20.04 AS azuredcap
-WORKDIR /build
-ADD https://github.com/microsoft/Azure-DCAP-Client/archive/refs/tags/1.12.0.tar.gz ./Azure-DCAP-Client.tar.gz
-RUN tar -xvf Azure-DCAP-Client.tar.gz
-COPY assets/Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
-RUN set -eux; \
-    apt-get update; \
-    apt-get install -y software-properties-common; \
-    add-apt-repository ppa:team-xbmc/ppa -y; \
-    apt-get update; \
-    apt-get install -y \
-        build-essential \
-        cmake \
-        libssl-dev \
-        libcurl4-openssl-dev \
-        pkg-config \
-        nlohmann-json3-dev \
-        wget \
-        dos2unix \
-        ;
-
-WORKDIR /build/Azure-DCAP-Client-1.12.0
-RUN dos2unix src/dcap_provider.cpp && patch -p1 < ../Azure-DCAP-Client.patch
-WORKDIR /build/Azure-DCAP-Client-1.12.0/src/Linux
-RUN ./configure && make && make install
-
-FROM docker.io/rust:1-bullseye AS buildtee
-RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
-    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends \
-        build-essential \
-        cmake \
-        rsync \
-        pkg-config \
-        libssl-dev \
-        libcurl4-openssl-dev \
-        libprotobuf-dev \
-        protobuf-compiler \
-        clang \
-        libsgx-headers \
-        libsgx-dcap-quote-verify-dev
-
-WORKDIR /opt/vault/plugins
-COPY --from=vault-auth-tee /opt/vault/plugins/vault-auth-tee ./
-
-WORKDIR /build
-RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-unseal.manifest.template' -av /data/ ./
-RUN sha256sum /opt/vault/plugins/vault-auth-tee | ( read a _ ; echo -n $a ) | tee assets/vault-auth-tee.sha256
-RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
-    RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
-    cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-unseal --bin tee-vault-unseal \
-    && mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-unseal ./
-
-FROM docker.io/gramineproject/gramine:v1.5
-
-RUN curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc \
-    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list \
-    && apt-get update \
-    && apt purge -y libsgx-dcap-default-qpl \
-    && apt-get install -y az-dcap-client
-
-RUN apt purge -y libsgx-ae-qve
-#    libsgx-urts
-
-RUN rm -rf /var/lib/apt/lists/*
-
-# So we only have to use one gramine template
-RUN touch /etc/sgx_default_qcnl.conf
-
-WORKDIR /app
-
-COPY --from=buildtee /build/tee-vault-unseal .
-COPY ./bin/tee-vault-unseal/tee-vault-unseal.manifest.template .
-COPY vault/enclave-key.pem .
-RUN mkdir -p /opt/vault/tls && rm -rf /opt/vault/tls/*
-
-# The original Azure library is still delivering expired collateral, so we have to use a patched version
-COPY --from=azuredcap /usr/local/lib/libdcap_quoteprov.so /usr/lib/
-
-RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-unseal.manifest.template tee-vault-unseal.manifest \
-    && gramine-sgx-sign --manifest tee-vault-unseal.manifest --output tee-vault-unseal.manifest.sgx --key enclave-key.pem \
-    && rm enclave-key.pem
-
-VOLUME /opt/vault/tls
-
-EXPOSE 8443
-
-ENTRYPOINT ["/bin/sh", "-c"]
-CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-unseal" ]

bin/tee-vault-unseal/tee-vault-unseal.manifest.template

@@ -1,62 +0,0 @@
-libos.entrypoint = "/app/tee-vault-unseal"
-
-[loader]
-argv = [ "/app/tee-vault-unseal" ]
-entrypoint = "file:{{ gramine.libos }}"
-env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}:/lib"
-env.HOME = "/app"
-env.MALLOC_ARENA_MAX = "1"
-env.AZDCAP_DEBUG_LOG_LEVEL = "ignore"
-env.AZDCAP_COLLATERAL_VERSION = "v4"
-
-### Required configuration ###
-env.ALLOWED_TCB_LEVELS = { passthrough = true }
-env.VAULT_ADDR = { passthrough = true }
-
-### DEBUG ###
-env.RUST_BACKTRACE = "1"
-env.RUST_LOG="info,tee_vault_unseal=trace,teepot=trace,awc=debug"
-
-[fs]
-root.uri = "file:/"
-start_dir = "/app"
-mounts = [
-  { path = "{{ execdir }}", uri = "file:{{ execdir }}" },
-  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
-  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
-  { path = "/etc", uri = "file:/etc" },
-  { type = "tmpfs", path = "/var/tmp" },
-  { type = "tmpfs", path = "/tmp" },
-  { type = "tmpfs", path = "/app/.dcap-qcnl" },
-  { type = "tmpfs", path = "/app/.az-dcap-client" },
-  { type = "encrypted", path = "/opt/vault/tls", uri = "file:/opt/vault/tls", key_name = "_sgx_mrsigner" },
-  { path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
-]
-
-[sgx]
-trusted_files = [
-  "file:/etc/ld.so.cache",
-  "file:/app/",
-  "file:{{ execdir }}/",
-  "file:{{ arch_libdir }}/",
-  "file:/usr/{{ arch_libdir }}/",
-  "file:{{ gramine.libos }}",
-  "file:{{ gramine.runtimedir() }}/",
-  "file:/usr/lib/ssl/openssl.cnf",
-  "file:/etc/ssl/",
-  "file:/etc/sgx_default_qcnl.conf",
-  "file:/lib/libdcap_quoteprov.so",
-]
-remote_attestation = "dcap"
-max_threads = 64
-edmm_enable = false
-## max enclave size
-enclave_size = "2G"
-
-[sys]
-enable_extra_runtime_domain_names_conf = true
-enable_sigterm_injection = true
-
-# possible tweak option, if problems with mio
-# currently mio is compiled with `mio_unsupported_force_waker_pipe`
-# insecure__allow_eventfd = true