mirror of
				https://github.com/matter-labs/teepot.git
				synced 2025-10-26 03:34:06 +01:00 
			
		
		
		
	
		
			
				
	
	
		
			65 lines
		
	
	
	
		
			2.8 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
			
		
		
	
	
			65 lines
		
	
	
	
		
			2.8 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
| FROM ghcr.io/matter-labs/vault-auth-tee:latest AS vault-auth-tee
 | |
| 
 | |
| FROM docker.io/rust:1-bullseye AS buildtee
 | |
| RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
 | |
|     && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
 | |
|     && apt-get update \
 | |
|     && apt-get install -y --no-install-recommends \
 | |
|         build-essential \
 | |
|         cmake \
 | |
|         rsync \
 | |
|         pkg-config \
 | |
|         libssl-dev \
 | |
|         libcurl4-openssl-dev \
 | |
|         libprotobuf-dev \
 | |
|         protobuf-compiler \
 | |
|         clang \
 | |
|         libsgx-headers \
 | |
|         libsgx-dcap-quote-verify-dev
 | |
| 
 | |
| WORKDIR /opt/vault/plugins
 | |
| COPY --from=vault-auth-tee /opt/vault/plugins/vault-auth-tee ./
 | |
| 
 | |
| WORKDIR /build
 | |
| RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-unseal.manifest.template' -av /data/ ./
 | |
| RUN sha256sum /opt/vault/plugins/vault-auth-tee | ( read a _ ; echo -n $a ) | tee assets/vault-auth-tee.sha256
 | |
| RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
 | |
|     RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
 | |
|     cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-unseal --bin tee-vault-unseal \
 | |
|     && mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-unseal ./
 | |
| 
 | |
| FROM docker.io/gramineproject/gramine:v1.5
 | |
| 
 | |
| RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
 | |
|     && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
 | |
|     && apt-get update \
 | |
|     && apt-get install -y --no-install-recommends \
 | |
|         libsgx-dcap-default-qpl \
 | |
|         libsgx-urts \
 | |
|         libsgx-enclave-common \
 | |
|         libsgx-dcap-quote-verify
 | |
| RUN apt purge -y libsgx-ae-qve
 | |
| RUN rm -rf /var/lib/apt/lists/*
 | |
| 
 | |
| # So we only have to use one gramine template
 | |
| RUN touch /lib/libdcap_quoteprov.so
 | |
| 
 | |
| WORKDIR /app
 | |
| 
 | |
| COPY --from=buildtee /build/tee-vault-unseal .
 | |
| COPY ./bin/tee-vault-unseal/tee-vault-unseal.manifest.template .
 | |
| COPY vault/enclave-key.pem .
 | |
| RUN mkdir -p /opt/vault/tls && rm -rf /opt/vault/tls/*
 | |
| 
 | |
| COPY assets/sgx_default_qcnl.conf.json /etc/sgx_default_qcnl.conf
 | |
| 
 | |
| RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-unseal.manifest.template tee-vault-unseal.manifest \
 | |
|     && gramine-sgx-sign --manifest tee-vault-unseal.manifest --output tee-vault-unseal.manifest.sgx --key enclave-key.pem \
 | |
|     && rm enclave-key.pem
 | |
| 
 | |
| VOLUME /opt/vault/tls
 | |
| 
 | |
| EXPOSE 8443
 | |
| 
 | |
| ENTRYPOINT ["/bin/sh", "-c"]
 | |
| CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-unseal" ]
 | 
