From d7e1ebab9bd51e3d39b51f0f44fcc81b924b7e33 Mon Sep 17 00:00:00 2001 From: Davis Benny Date: Wed, 9 Apr 2025 12:18:55 +0530 Subject: [PATCH 1/4] Add ManifestError exception class for error handling Signed-off-by: Davis Benny --- finalize_manifest.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/finalize_manifest.py b/finalize_manifest.py index bae7f5d7..0d931154 100755 --- a/finalize_manifest.py +++ b/finalize_manifest.py @@ -16,6 +16,12 @@ import tomli import tomli_w +class ManifestError(Exception): + """Thrown at errors in manifest parsing and handling. + + Contains a string with error description. + """ + def is_utf8(filename_bytes): try: filename_bytes.decode('UTF-8') @@ -41,8 +47,6 @@ def expand_trusted_files(trusted_files): file_path = uri2path(uri) if file_path.exists(): expanded_files.append({'uri': uri, 'sha256': compute_sha256(file_path)}) - else: - raise ManifestError(f'File not found: {file_path}') return expanded_files def extract_files_from_user_manifest(manifest): From 35e643089258000230019ea9ab67df871bcbba7d Mon Sep 17 00:00:00 2001 From: Davis Benny Date: Tue, 15 Apr 2025 10:17:42 +0530 Subject: [PATCH 2/4] Add directory handling in expand_trusted_files Signed-off-by: Davis Benny --- finalize_manifest.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/finalize_manifest.py b/finalize_manifest.py index 0d931154..15773686 100755 --- a/finalize_manifest.py +++ b/finalize_manifest.py @@ -46,7 +46,13 @@ def expand_trusted_files(trusted_files): for uri in trusted_files: file_path = uri2path(uri) if file_path.exists(): - expanded_files.append({'uri': uri, 'sha256': compute_sha256(file_path)}) + if file_path.is_dir(): + for root, _, files in os.walk(file_path): + for file in files: + full_path = pathlib.Path(root) / file + expanded_files.append({'uri': f'file:{full_path}', 'sha256': compute_sha256(full_path)}) + else: + expanded_files.append({'uri': uri, 'sha256': compute_sha256(file_path)}) return expanded_files def extract_files_from_user_manifest(manifest): From 4b499f880ef851caa261d01cee4884394f182c25 Mon Sep 17 00:00:00 2001 From: Davis Benny Date: Wed, 16 Apr 2025 15:25:31 +0530 Subject: [PATCH 3/4] Reusing gramine-manifest tool Signed-off-by: Davis Benny --- finalize_manifest.py | 34 +--------------------- templates/Dockerfile.common.build.template | 2 ++ 2 files changed, 3 insertions(+), 33 deletions(-) diff --git a/finalize_manifest.py b/finalize_manifest.py index 15773686..d5e0d4ff 100755 --- a/finalize_manifest.py +++ b/finalize_manifest.py @@ -16,12 +16,6 @@ import tomli import tomli_w -class ManifestError(Exception): - """Thrown at errors in manifest parsing and handling. - - Contains a string with error description. - """ - def is_utf8(filename_bytes): try: filename_bytes.decode('UTF-8') @@ -29,32 +23,6 @@ def is_utf8(filename_bytes): except UnicodeError: return False -def uri2path(uri): - if not uri.startswith('file:'): - raise ManifestError(f'Unsupported URI type: {uri}') - return pathlib.Path(uri[len('file:'):]) - -def compute_sha256(filename): - sha256 = hashlib.sha256() - with open(filename, 'rb') as f: - for byte_block in iter(lambda: f.read(128 * sha256.block_size), b''): - sha256.update(byte_block) - return sha256.hexdigest() - -def expand_trusted_files(trusted_files): - expanded_files = [] - for uri in trusted_files: - file_path = uri2path(uri) - if file_path.exists(): - if file_path.is_dir(): - for root, _, files in os.walk(file_path): - for file in files: - full_path = pathlib.Path(root) / file - expanded_files.append({'uri': f'file:{full_path}', 'sha256': compute_sha256(full_path)}) - else: - expanded_files.append({'uri': uri, 'sha256': compute_sha256(file_path)}) - return expanded_files - def extract_files_from_user_manifest(manifest): files = [] @@ -173,7 +141,7 @@ def main(args=None): if 'allow_all_but_log' not in rendered_manifest_dict['sgx'].get('file_check_policy', ''): trusted_files = generate_trusted_files(args.dir, already_added_files) - rendered_manifest_dict['sgx']['trusted_files'] = expand_trusted_files(trusted_files + already_added_files) + rendered_manifest_dict['sgx'].setdefault('trusted_files', []).extend(trusted_files) else: print(f'\t[from inside Docker container] Skipping trusted files generation. This image must not be used in production.') diff --git a/templates/Dockerfile.common.build.template b/templates/Dockerfile.common.build.template index 7b36c3b0..033c71b8 100644 --- a/templates/Dockerfile.common.build.template +++ b/templates/Dockerfile.common.build.template @@ -62,6 +62,8 @@ RUN chmod u+x /gramine/app_files/apploader.sh \ && rm -f /gramine/app_files/finalize_manifest.py RUN {% block path %}{% endblock %} \ + && gramine-manifest /gramine/app_files/entrypoint.manifest \ + /gramine/app_files/entrypoint.manifest \ && gramine-manifest-check /gramine/app_files/entrypoint.manifest # Define default command From a428822fd1204fe9237744f85c6d9d26ac23206d Mon Sep 17 00:00:00 2001 From: Davis Benny Date: Wed, 30 Apr 2025 00:40:14 +0530 Subject: [PATCH 4/4] Addressing review comments Signed-off-by: Davis Benny --- templates/Dockerfile.common.build.template | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/Dockerfile.common.build.template b/templates/Dockerfile.common.build.template index 033c71b8..feb4b26d 100644 --- a/templates/Dockerfile.common.build.template +++ b/templates/Dockerfile.common.build.template @@ -63,8 +63,7 @@ RUN chmod u+x /gramine/app_files/apploader.sh \ RUN {% block path %}{% endblock %} \ && gramine-manifest /gramine/app_files/entrypoint.manifest \ - /gramine/app_files/entrypoint.manifest \ - && gramine-manifest-check /gramine/app_files/entrypoint.manifest + /gramine/app_files/entrypoint.manifest # Define default command ENTRYPOINT ["/bin/bash", "/gramine/app_files/apploader.sh"]