Merge branch 'dev' into jax

OpenMined · Apr 10, 2024 · 0ab2320 · 0ab2320
2 parents 466c261 + cceabe6
commit 0ab2320
Show file tree

Hide file tree

Showing 37 changed files with 1,750 additions and 393 deletions.
diff --git a/notebooks/api/0.8/10-container-images.ipynb b/notebooks/api/0.8/10-container-images.ipynb
@@ -1428,7 +1428,7 @@
     "\n",
     "# Adding some sleep to allow containers to be fully removed,\n",
     "# before removing the image\n",
-    "time.sleep(10)"
+    "time.sleep(15)"
    ]
   },
   {

diff --git a/packages/grid/enclave/attestation/attestation.dockerfile b/packages/grid/enclave/attestation/attestation.dockerfile
@@ -0,0 +1,85 @@
+ARG AZ_GUEST_LIB_VERSION="1.0.5"
+ARG AZ_CLIENT_COMMIT="b613bcd"
+ARG PYTHON_VERSION="3.10"
+ARG NVTRUST_VERSION="1.3.0"
+
+
+FROM ubuntu:22.04 as builder
+ARG AZ_GUEST_LIB_VERSION
+ARG AZ_CLIENT_COMMIT
+
+# ======== [Stage 1] Install Dependencies ========== #
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN --mount=type=cache,target=/var/cache/apt/archives \
+    apt update && apt upgrade -y && \
+    apt-get  install -y \
+    build-essential \
+    libcurl4-openssl-dev \
+    libjsoncpp-dev \
+    libboost-all-dev \
+    nlohmann-json3-dev \
+    cmake \
+    wget \
+    git
+
+RUN wget https://packages.microsoft.com/repos/azurecore/pool/main/a/azguestattestation1/azguestattestation1_${AZ_GUEST_LIB_VERSION}_amd64.deb && \
+    dpkg -i azguestattestation1_${AZ_GUEST_LIB_VERSION}_amd64.deb
+
+# ======== [Stage 2] Build Attestation Client ========== #
+
+RUN git clone https://github.com/Azure/confidential-computing-cvm-guest-attestation.git && \
+    cd confidential-computing-cvm-guest-attestation && \
+    git checkout ${AZ_CLIENT_COMMIT} && \
+    cd cvm-attestation-sample-app && \
+    cmake . && make && cp ./AttestationClient /
+
+
+# ======== [Step 3] Build Final Image ========== #
+FROM python:${PYTHON_VERSION}-slim
+ARG AZ_GUEST_LIB_VERSION
+ARG NVTRUST_VERSION
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y \
+    wget \
+    git
+
+WORKDIR /app
+
+RUN wget https://packages.microsoft.com/repos/azurecore/pool/main/a/azguestattestation1/azguestattestation1_${AZ_GUEST_LIB_VERSION}_amd64.deb && \
+    dpkg -i azguestattestation1_${AZ_GUEST_LIB_VERSION}_amd64.deb
+
+COPY --from=builder /AttestationClient /app
+
+# Clone Nvidia nvtrust Repo
+RUN git clone -b v${NVTRUST_VERSION} https://github.com/NVIDIA/nvtrust.git
+
+
+# Install Nvidia Local Verifier
+RUN --mount=type=cache,target=/root/.cache \
+    cd nvtrust/guest_tools/gpu_verifiers/local_gpu_verifier && \
+    pip install .
+
+# Install Nvidia Attestation SDK
+RUN --mount=type=cache,target=/root/.cache \
+    cd nvtrust/guest_tools/attestation_sdk/dist && \
+    pip install ./nv_attestation_sdk-${NVTRUST_VERSION}-py3-none-any.whl
+
+
+COPY ./requirements.txt /app/requirements.txt
+RUN --mount=type=cache,target=/root/.cache \
+    pip install --user -r requirements.txt
+
+COPY ./start.sh /app/start.sh
+RUN chmod +x /app/start.sh
+COPY ./server /app/server
+
+# ========== [Step 4] Start  Python Web Server ========== #
+
+CMD ["sh", "-c", "/app/start.sh"]
+EXPOSE 4455
+
+# Cleanup
+RUN rm -rf /var/lib/apt/lists/* && \
+    rm -rf /app/nvtrust
diff --git a/packages/grid/enclave/attestation/enclave-development.md b/packages/grid/enclave/attestation/enclave-development.md
@@ -0,0 +1,104 @@
+# Enclave Development
+
+## Building Attestion Containers
+
+NOTE: Even on Arm machines, we build x64 images.
+As some dependent packages in the dockerfile do not have arm64 equivalent.
+It would take 10 minutes to build the image in emulation for the first time
+in Arm machines.After which , the subsequent builds would be instant.
+
+```sh
+cd packages/grid/enclave/attestation && \
+docker build -f attestation.dockerfile  . -t attestation:0.1 --platform linux/amd64
+```
+
+## Running the container in development mode
+
+```sh
+cd packages/grid/enclave/attestation && \
+docker run -it --rm -e DEV_MODE=True -p 4455:4455 -v $(pwd)/server:/app/server attestation:0.1
+```
+
+## For fetching attestation report by FastAPI
+
+### CPU Attestation
+
+```sh
+docker run -it --rm --privileged \
+  -p 4455:4455 \
+  -v /sys/kernel/security:/sys/kernel/security \
+  -v /dev/tpmrm0:/dev/tpmrm0 attestation:0.1
+```
+
+```sh
+curl localhost:4455/attest/cpu
+```
+
+### GPU Attestation
+
+#### Nvidia GPU Requirements
+
+We would need to install Nvidia Container Toolkit on host system and ensure we have CUDA Drivers installed.
+Link: https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html
+
+```sh
+docker run -it --rm --privileged --gpus all --runtime=nvidia \
+  -p 4455:4455 \
+  -v /sys/kernel/security:/sys/kernel/security \
+  -v /dev/tpmrm0:/dev/tpmrm0 attestation:0.1
+```
+
+```sh
+curl localhost:4455/attest/gpu
+```
+
+## For fetching attestation report directly by docker
+
+### CPU Attestation
+
+```sh
+docker run -it --rm --privileged \
+  -v /sys/kernel/security:/sys/kernel/security \
+  -v /dev/tpmrm0:/dev/tpmrm0 attestation:0.1 /bin/bash
+```
+
+In the shell run
+
+```sh
+./AttestationClient
+```
+
+This would return either True or False indicating status of attestation
+
+This could also be customized with Appraisal Policy
+
+To retrieve JWT from Microsoft Azure Attestation (MAA)
+
+```sh
+./AttestationClient -o token
+```
+
+### For GPU Attestation
+
+```sh
+docker run -it --rm --privileged --gpus all --runtime=nvidia \
+  -v /sys/kernel/security:/sys/kernel/security \
+  -v /dev/tpmrm0:/dev/tpmrm0 attestation:0.1 /bin/bash
+```
+
+Invoke python shell
+In the python shell run
+
+```python3
+from nv_attestation_sdk import attestation
+
+
+NRAS_URL="https://nras.attestation.nvidia.com/v1/attest/gpu"
+client = attestation.Attestation()
+client.set_name("thisNode1")
+client.set_nonce("931d8dd0add203ac3d8b4fbde75e115278eefcdceac5b87671a748f32364dfcb")
+print ("[RemoteGPUTest] node name :", client.get_name())
+
+client.add_verifier(attestation.Devices.GPU, attestation.Environment.REMOTE, NRAS_URL, "")
+client.attest()
+```
diff --git a/packages/grid/enclave/attestation/requirements.txt b/packages/grid/enclave/attestation/requirements.txt
@@ -0,0 +1,3 @@
+fastapi==0.110.0
+loguru==0.7.2
+uvicorn[standard]==0.27.1
diff --git a/packages/grid/enclave/attestation/server/cpu_attestation.py b/packages/grid/enclave/attestation/server/cpu_attestation.py
@@ -0,0 +1,20 @@
+# stdlib
+import subprocess
+
+# third party
+from loguru import logger
+
+
+def attest_cpu() -> str:
+    # Fetch report from Micrsoft Attestation library
+    cpu_report = subprocess.run(
+        ["/app/AttestationClient"], capture_output=True, text=True
+    )
+    logger.debug(f"Stdout: {cpu_report.stdout}")
+    logger.debug(f"Stderr: {cpu_report.stderr}")
+
+    logger.info("Attestation Return Code: {}", cpu_report.returncode)
+    if cpu_report.returncode == 0 and cpu_report.stdout == "true":
+        return "True"
+
+    return "False"
diff --git a/packages/grid/enclave/attestation/server/gpu_attestation.py b/packages/grid/enclave/attestation/server/gpu_attestation.py
@@ -0,0 +1,21 @@
+# third party
+from loguru import logger
+from nv_attestation_sdk import attestation
+
+NRAS_URL = "https://nras.attestation.nvidia.com/v1/attest/gpu"
+
+
+def attest_gpu() -> str:
+    # Fetch report from Nvidia Attestation SDK
+    client = attestation.Attestation("Attestation Node")
+
+    # TODO: Add the ability to generate nonce later.
+    logger.info("[RemoteGPUTest] node name : {}", client.get_name())
+
+    client.add_verifier(
+        attestation.Devices.GPU, attestation.Environment.REMOTE, NRAS_URL, ""
+    )
+    gpu_report = client.attest()
+    logger.info("[RemoteGPUTest] report : {}, {}", gpu_report, type(gpu_report))
+
+    return str(gpu_report)
diff --git a/packages/grid/enclave/attestation/server/main.py b/packages/grid/enclave/attestation/server/main.py
@@ -0,0 +1,38 @@
+# stdlib
+import os
+import sys
+
+# third party
+from fastapi import FastAPI
+from loguru import logger
+
+# relative
+from .cpu_attestation import attest_cpu
+from .gpu_attestation import attest_gpu
+from .models import CPUAttestationResponseModel
+from .models import GPUAttestationResponseModel
+from .models import ResponseModel
+
+# Logging Configuration
+log_level = os.getenv("APP_LOG_LEVEL", "INFO").upper()
+logger.remove()
+logger.add(sys.stderr, colorize=True, level=log_level)
+
+app = FastAPI(title="Attestation API")
+
+
+@app.get("/", response_model=ResponseModel)
+async def read_root() -> ResponseModel:
+    return ResponseModel(message="Server is running")
+
+
+@app.get("/attest/cpu", response_model=CPUAttestationResponseModel)
+async def attest_cpu_endpoint() -> CPUAttestationResponseModel:
+    cpu_attest_res = attest_cpu()
+    return CPUAttestationResponseModel(result=cpu_attest_res)
+
+
+@app.get("/attest/gpu", response_model=GPUAttestationResponseModel)
+async def attest_gpu_endpoint() -> GPUAttestationResponseModel:
+    gpu_attest_res = attest_gpu()
+    return GPUAttestationResponseModel(result=gpu_attest_res)
diff --git a/packages/grid/enclave/attestation/server/models.py b/packages/grid/enclave/attestation/server/models.py
@@ -0,0 +1,16 @@
+# third party
+from pydantic import BaseModel
+
+
+class ResponseModel(BaseModel):
+    message: str
+
+
+class CPUAttestationResponseModel(BaseModel):
+    result: str
+    vendor: str | None = None  # Hardware Manufacturer
+
+
+class GPUAttestationResponseModel(BaseModel):
+    result: str
+    vendor: str | None = None  # Hardware Manufacturer
diff --git a/packages/grid/enclave/attestation/start.sh b/packages/grid/enclave/attestation/start.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -e
+export PATH="/root/.local/bin:${PATH}"
+
+APP_MODULE=server.main:app
+APP_LOG_LEVEL=${APP_LOG_LEVEL:-info}
+UVICORN_LOG_LEVEL=${UVICORN_LOG_LEVEL:-info}
+HOST=${HOST:-0.0.0.0}
+PORT=${PORT:-4455}
+RELOAD=""
+
+if [[ ${DEV_MODE} == "True" ]];
+then
+    echo "DEV_MODE Enabled"
+    RELOAD="--reload"
+fi
+
+
+exec uvicorn $RELOAD --host $HOST --port $PORT --log-level $UVICORN_LOG_LEVEL "$APP_MODULE"
diff --git a/packages/grid/helm/syft/templates/NOTES.txt b/packages/grid/helm/syft/templates/NOTES.txt
@@ -95,7 +95,7 @@
             "action": "add"
         }
     },
-    "SyncView": {
+    "SyncTableObject": {
         "1": {
             "version": 1,
             "hash": "4e87744e86cd7781e3d5cf4618e63516f3d26309a4da919033dacc5ed338d76d",

diff --git a/packages/hagrid/.bumpversion.cfg b/packages/hagrid/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.3.114
+current_version = 0.3.115
 tag = False
 tag_name = {new_version}
 commit = True

diff --git a/packages/hagrid/hagrid/manifest_template.yml b/packages/hagrid/hagrid/manifest_template.yml
@@ -1,9 +1,9 @@
 manifestVersion: 0.1
-hagrid_version: 0.3.114
+hagrid_version: 0.3.115
 syft_version: 0.8.7-beta.1
 dockerTag: 0.8.7-beta.1
 baseUrl: https://raw.githubusercontent.com/OpenMined/PySyft/
-hash: 6503b79943cbdf27c701e0a2d3f9308f4f3a76a4
+hash: a2f8839726edd94a5759407d63c900e77bb3b466
 target_dir: ~/.hagrid/PySyft/
 files:
   grid:

diff --git a/packages/hagrid/hagrid/version.py b/packages/hagrid/hagrid/version.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 # HAGrid Version
-__version__ = "0.3.114"
+__version__ = "0.3.115"
 
 if __name__ == "__main__":
     print(__version__)
diff --git a/packages/hagrid/setup.py b/packages/hagrid/setup.py
@@ -5,7 +5,7 @@
 from setuptools import find_packages
 from setuptools import setup
 
-__version__ = "0.3.114"
+__version__ = "0.3.115"
 
 DATA_FILES = {"img": ["hagrid/img/*.png"], "hagrid": ["*.yml"]}