def build(source_code, *, docker_build_progress=False):
"""Build an enclave binary for the given source code.
The source code is expected to contain a file :file:`.auditee.yml`,
which instructs how to build the enclave. The supported builders
are ``nix-build`` and ``docker``.
Parameters
----------
source_code: str
Local file path to the source code where the enclave to be built
is located.
Raises
------
IOError:
If the ``.auditee.yml`` file is not found.
Returns
-------
str
File path to the enclave binary that was built.
"""
source_code_path = pathlib.Path(source_code).resolve()
auditee_file = source_code_path.joinpath(".auditee.yml")
with open(auditee_file) as f:
auditee_config = yaml.safe_load(f)
enclave_build_config = auditee_config["enclaves"][0]
# Get absolute path of enclave config
# enclave_config = source_code_path.joinpath(enclave_build_config["enclave_config"])
build_config = enclave_build_config["build"]
builder = build_config["builder"]
build_kwargs = build_config["build_kwargs"]
os.chdir(source_code_path)
if builder == "docker":
docker.build(
output={
"type": "local",
"dest": "/tmp/out"
},
progress=docker_build_progress,
**build_kwargs,
)
elif builder == "nix-build":
popenargs = [builder, build_kwargs.get("file", "default.nix")]
returncode = subprocess.run(popenargs).returncode
if returncode != 0:
raise RuntimeError(f"Error building enclave with {builder}")
os.chdir("..")
return source_code_path.joinpath(build_config["output_dir"],
build_config["enclave_file"])
def build_autobahn_testsuite() -> Generator[None, None, None]:
try:
docker.build(
file="tests/autobahn/Dockerfile.autobahn",
tags=["autobahn-testsuite"],
context_path=".",
)
except DockerException:
pytest.skip(msg="The docker daemon is not running.")
try:
yield
finally:
docker.image.remove(x="autobahn-testsuite")
def _verify_mrenclave(
signed_enclave,
enclave_config,
*,
ias_report=None,
unsigned_enclave_filename="Enclave.so",
docker_build_attrs,
):
"""Verifies if the MRENCLAVE of the provided signed enclave matches
with the one obtained when rebuilding the enclave from source, and
the one in the IAS report.
Example
-------
docker_build_attrs = {'target': 'export-stage'}
"""
context_path = docker_build_attrs.pop("context_path", ".")
output = docker_build_attrs.pop("output", {"type": "local", "dest": "out"})
# target="export-stage", output={"type": "local", "dest": "out"}
docker.build(context_path, output=output, **docker_build_attrs)
unsigned_enclave = pathlib.Path(
output["dest"]).joinpath(unsigned_enclave_filename)
signing_key = pathlib.Path(__file__).parent.resolve().joinpath(
"signing_key.pem")
dev_sigstruct = Sigstruct.from_enclave_file(signed_enclave)
out = "/tmp/audit_enclave.signed.so"
sgx_sign(unsigned_enclave, key=signing_key, out=out, config=enclave_config)
auditor_sigstruct = Sigstruct.from_enclave_file(out)
if not ias_report:
print(
f"\nsigned enclave MRENCLAVE: \t\t{term.bold}{dev_sigstruct.mrenclave.hex()}{term.normal}"
)
print(
f"built-from-source enclave MRENCLAVE: \t\t{term.bold}{auditor_sigstruct.mrenclave.hex()}{term.normal}\n"
)
if auditor_sigstruct.mrenclave == dev_sigstruct.mrenclave:
print(f"{term.green}MRENCLAVE match!{term.normal}")
else:
print(f"{term.red}MRENCLAVE do not match!{term.normal}")
return auditor_sigstruct.mrenclave == dev_sigstruct.mrenclave
raise NotImplementedError
def build_image_running(python_code) -> Image:
with tempfile.TemporaryDirectory() as tmpdir:
tmpdir = Path(tmpdir)
(tmpdir / "file.py").write_text(python_code)
(tmpdir / "Dockerfile").write_text(f"""
FROM python:{sys.version_info[0]}.{sys.version_info[1]}
COPY file.py /file.py
CMD python /file.py
""")
return docker.build(tmpdir, tags="some_image", load=True)
def test_buildx_build_aliases(tmp_path):
(tmp_path / "Dockerfile").write_text(dockerfile_content1)
docker.build(tmp_path)
docker.image.build(tmp_path)