# Privacy Computing User Guide

## Notes

- Graphene was the project's original official name; it was later renamed Gramine, and the text below uses Gramine throughout
- Gramine v1.1 is used; repository: https://github.com/gramineproject/gramine
- Versions before 1.1 have poor Golang support and cannot be used
- Check whether the machine supports SGX
  - If the machine does not support SGX, the enclave server can be run in simulation mode (gramine-direct)
  - Simulation mode must not be used in production: it runs the server as an ordinary process with no hardware isolation and no remote attestation
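The "check whether the machine supports SGX" item is worth scripting before anything is built. The script below is an added example, not part of this guide or of the ChainMaker or Gramine projects. It assumes a Linux host using the in-tree SGX driver (kernel 5.11+), which exposes `/dev/sgx_enclave` and `/dev/sgx_provision` and only enables SGX on CPUs with Flexible Launch Control (cpuinfo flag `sgx_lc`); it also calls Gramine's own `is-sgx-available` tool when that is on PATH. The helper functions take their input as arguments so they can be exercised with constructed strings.

```shell
#!/bin/sh
# Added example: pre-flight checks for "does this machine support SGX".
# Not part of the ChainMaker guide or of Gramine; assumes a Linux host using the
# in-tree SGX driver (kernel 5.11+), which exposes /dev/sgx_enclave and
# /dev/sgx_provision and requires Flexible Launch Control (cpuinfo flag sgx_lc).

# kernel_at_least MIN CURRENT -> 0 if CURRENT ("5.15.0-76-generic") is >= MIN ("5.11")
kernel_at_least() {
    min_major=${1%%.*}; min_minor=${1#*.}; min_minor=${min_minor%%.*}
    cur=${2%%-*}                              # "5.15.0-76-generic" -> "5.15.0"
    cur_major=${cur%%.*}; rest=${cur#*.}; cur_minor=${rest%%.*}
    [ "$cur_major" -gt "$min_major" ] && return 0
    [ "$cur_major" -eq "$min_major" ] && [ "$cur_minor" -ge "$min_minor" ]
}

# cpu_has_flag FLAG "flags : ..." -> 0 if the /proc/cpuinfo flags line lists FLAG
cpu_has_flag() {
    for f in $2; do [ "$f" = "$1" ] && return 0; done
    return 1
}

# check_sgx_host -> 0 if the host can run gramine-sgx; prints what is missing.
# /dev/sgx_provision is only needed for DCAP quote generation (remote attestation).
check_sgx_host() {
    rc=0
    kernel_at_least 5.11 "$(uname -r)" || { echo "FAIL: kernel $(uname -r) is older than 5.11 (no in-tree SGX driver)"; rc=1; }
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)
    cpu_has_flag sgx "$flags"    || { echo "FAIL: CPU does not advertise sgx (enable SGX in BIOS/UEFI)"; rc=1; }
    cpu_has_flag sgx_lc "$flags" || { echo "FAIL: no sgx_lc (Flexible Launch Control); the 5.11+ driver requires it"; rc=1; }
    [ -c /dev/sgx_enclave ]   || { echo "FAIL: /dev/sgx_enclave not present (driver not loaded or SGX disabled)"; rc=1; }
    [ -c /dev/sgx_provision ] || echo "WARN: /dev/sgx_provision not present; remote attestation (DCAP) will not work"
    if command -v is-sgx-available >/dev/null 2>&1; then
        is-sgx-available || true              # Gramine's own probe, when installed
    fi
    [ "$rc" -eq 0 ] && echo "OK: host can run gramine-sgx (use gramine-direct only for testing)"
    return $rc
}

# Run the host check only when invoked with "check", so the functions can also be sourced.
case "${1:-}" in check) check_sgx_host ;; esac
```

Run it as `sh check_sgx.sh check`; a non-zero exit means at least one FAIL line was printed. The missing `/dev/sgx_provision` case is deliberately a warning only: the enclave itself loads without it, but the report/quote needed for the on-chain upload later in this guide cannot be produced.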

## 鐜閮ㄧ讲

### 鎺ㄨ崘閰嶇疆
- 绯荤粺锛歭inux  (涓嶆敮鎸亀indows,鏈枃鏁欑▼浣跨敤ubuntu20.04)
- 鍐呮牳锛� 5.11+锛堟帹鑽愪娇鐢�5.11浠ヤ笂鐗堟湰锛�
- 鍐呭瓨锛� 8G+

### Gramine environment configuration

Installation guide: https://gramine.readthedocs.io/en/latest/quickstart.html

### Download the related code

```sh
git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-go.git
git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/graphene.git
git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-tee.git
```

### Building the code

#### CA preparation

- Prepare a CA
  - The info_test.go file under the tee directory can generate a third-party root CA; this is for testing only
  - Or prepare a third-party CA yourself

#### Build Enclave-server
##### Prepare the enclave-server.manifest.template file
```toml

loader.preload = "file:{{ gramine.libos }}"
libos.entrypoint = "{{ entrypoint }}"
loader.log_level = "{{ log_level }}"

loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/lib:/usr{{ arch_libdir }}"

loader.pal_internal_mem_size = "1G"
loader.insecure__use_cmdline_argv = true

sys.enable_sigterm_injection = true

fs.mount.lib.type = "chroot"
fs.mount.lib.path = "/lib"
fs.mount.lib.uri = "file:{{ gramine.runtimedir() }}"

fs.mount.lib2.type = "chroot"
fs.mount.lib2.path = "{{ arch_libdir }}"
fs.mount.lib2.uri = "file:{{ arch_libdir }}"


fs.mount.tmp.type = "chroot"
fs.mount.tmp.path = "/tmp"
fs.mount.tmp.uri = "file:/tmp"

# fs.mount.libos.path 
# fs.mount.libos.uri
# set Absolute Path
fs.mount.libos.type = "chroot"
fs.mount.libos.path = "/home/XXX/chainmaker-graphene/" # set to the absolute path
fs.mount.libos.uri = "file:/home/XXX/chainmaker-graphene/" # set to the absolute path

sgx.nonpie_binary = true
sgx.enclave_size = "16G"  # adjust to your machine; at least 8G is recommended (the value must be a power of two)
sys.stack.size = "128M"
sgx.thread_num = 256      # tune to your machine

sgx.trusted_files = [
    "file:{{ entrypoint }}",
    "file:{{ gramine.runtimedir() }}/",
    "file:{{ arch_libdir }}/",
    "file:/usr{{ arch_libdir }}/",
    "file:/etc/mime.types",
    "file:/etc/default/apport",
]


sgx.allowed_files = [
    "file:/etc/nsswitch.conf",
    "file:/etc/ethers",
    "file:/etc/hosts",
    "file:/etc/group",
    "file:/etc/passwd",
    "file:/etc/gai.conf",
    "file:/etc/host.conf",
    "file:/etc/resolv.conf",
    "file:./configs/",
    "file:/tmp",
    "file:/home/XXX/chainmaker-graphene/",  # set to the absolute path
    "file:./logs",
]
```

Other fields can be set by referring to https://gramine.readthedocs.io/en/latest/manifest-syntax.html. Two things in this template deserve attention before it goes beyond testing: files under `sgx.allowed_files` are not measured or integrity-checked, so the untrusted host can replace anything in `./configs/` and `./logs` at will (the enclave server's own verification of the TEE certificate, described below, is what stands between a swapped `in_teecert.pem` and the enclave), and `loader.insecure__use_cmdline_argv = true` lets the host pass arbitrary, unmeasured command-line arguments into the enclave.
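A text-level lint for the template along these lines, as an added example that is not ChainMaker or Gramine code: it knows only the Gramine v1.1 option names used in the template above, works on the unrendered template (Jinja `{{ ... }}` values are reported rather than judged), checks that `sgx.enclave_size` is a power of two, and flags unmeasured `sgx.allowed_files` entries that look like configuration or key material. The file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: a text-level lint for enclave-server.manifest.template.
# Not part of the ChainMaker guide or of Gramine; it only knows the Gramine v1.1
# option names used in the template above and works on the unrendered template
# (Jinja "{{ ... }}" values are reported, not judged).

# manifest_value KEY FILE -> the value of `KEY = value`, quotes and trailing comment stripped
manifest_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/' | head -n1
}

# allowed_files FILE -> one path per line from the sgx.allowed_files array
allowed_files() {
    awk '/^[[:space:]]*sgx\.allowed_files/ { inarr = 1 }
         inarr && /"file:/ { match($0, /"file:[^"]*"/); print substr($0, RSTART + 6, RLENGTH - 7) }
         inarr && /\]/ { inarr = 0 }' "$1"
}

# size_bytes 16G -> 17179869184 (G/M/K suffixes as Gramine accepts them)
size_bytes() {
    n=${1%[GgMmKk]}
    case $1 in
        *[Gg]) echo $((n << 30)) ;;
        *[Mm]) echo $((n << 20)) ;;
        *[Kk]) echo $((n << 10)) ;;
        *)     echo "$1" ;;
    esac
}

# is_pow2 N -> 0 if N is a power of two (sgx.enclave_size must be one)
is_pow2() { [ "$1" -gt 0 ] && [ $(( $1 & ($1 - 1) )) -eq 0 ]; }

# lint_manifest FILE -> prints findings; the return value is the number of WARN/FAIL findings
lint_manifest() {
    f=$1; n=0
    v=$(manifest_value 'loader.insecure__use_cmdline_argv' "$f")
    [ "$v" = true ] && { echo "WARN: loader.insecure__use_cmdline_argv = true: argv comes from the untrusted host and is not measured; use loader.argv_src_file for production"; n=$((n + 1)); }
    v=$(manifest_value 'loader.insecure__use_host_env' "$f")
    [ "$v" = true ] && { echo "WARN: loader.insecure__use_host_env = true: the environment comes from the untrusted host"; n=$((n + 1)); }
    v=$(manifest_value 'sgx.debug' "$f")
    [ "$v" = true ] && { echo "WARN: sgx.debug = true: a debug enclave's memory is readable by a debugger; never for production"; n=$((n + 1)); }
    v=$(manifest_value 'loader.log_level' "$f")
    case $v in
        none|error|"") ;;
        *"{{"*) echo "INFO: loader.log_level is templated ($v); check the rendered manifest" ;;
        *)      echo "WARN: loader.log_level = $v: enclave logs are written to the untrusted host"; n=$((n + 1)) ;;
    esac
    v=$(manifest_value 'sgx.enclave_size' "$f")
    if [ -n "$v" ] && ! is_pow2 "$(size_bytes "$v")"; then
        echo "FAIL: sgx.enclave_size = $v is not a power of two; the enclave will not load"; n=$((n + 1))
    fi
    # allowed_files are neither measured nor integrity-checked: the host can swap them at will
    for p in $(allowed_files "$f"); do
        case $p in
            *config*|*cert*|*.pem|*.key|*.crt)
                echo "WARN: allowed (unmeasured) file $p looks like config or key material; move it to sgx.trusted_files or sgx.protected_files"; n=$((n + 1)) ;;
            *) echo "INFO: allowed (unmeasured) file: $p" ;;
        esac
    done
    return $n
}

# Usage: sh lint_manifest.sh enclave-server.manifest.template
case "${1:-}" in ?*) lint_manifest "$1"; echo "findings: $?" ;; esac
```

Run against the template above it reports the `insecure__use_cmdline_argv` setting and the `./configs/` entry as warnings and the remaining allowed files as informational lines; `loader.log_level` is reported as templated, so the rendered manifest that `gramine-manifest` produces should be checked separately.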

- Generate enclave-key.pem

```sh
openssl genrsa -3 -out /home/XXX/chainmaker-graphene/enclave-key.pem 3072   # replace with your own directory
```

SGX enclave signing requires an RSA-3072 key with public exponent 3, which is exactly what `-3` and `3072` produce. The hash of this key becomes the enclave's MRSIGNER identity, so keep it out of the repository and out of the manifest's trusted and allowed files.

- Run build.sh to build

```shell
sudo ./build.sh SIM                # build for simulation mode
sudo ./build.sh SGX=1 DEBUG=1      # build for hardware mode (requires CPU support)
# DEBUG=1 is optional and for debugging builds only; leave it out for production builds
```
#### Simulation mode

- gramine-direct   ./enclave-server -module=1

#### Hardware mode

- Run gramine-sgx  ./enclave-server

#### Issuing the certificate

- On the first deployment, once initialization completes, enclave-server generates a CSR file
- Use the CSR to request a TEE certificate from the third-party CA
- Save the issued TEE certificate in PEM format in a file (in_teecert.pem) and place it in the chainmaker-graphene/configs directory
- The running program verifies and loads the TEE certificate automatically

**Note: once the enclave has started, run netstat -ntlp; a listening port owned by ./loader indicates that the enclave started successfully**

#### Putting the verification information on-chain

- Use the following [CMC](../dev/命令行工具) command to call the system contract and put the report obtained above on-chain

```shell
cmc tee upload_report \
--sdk-conf-path={./testdata/sdk_config.yml (path to the SDK configuration file)} \
--report={report path} \
--admin-key-file-paths={key path} \
--admin-crt-file-paths={certificate path}
```

**Note: if the enclave code version changes, the upload_report command above must be run again to put the updated report on-chain, because the enclave measurement contained in the report changes with the code**

- Put the third-party CA's signing root certificate on-chain

```shell
cmc tee upload_ca_cert \
--sdk-conf-path={./testdata/sdk_config.yml (path to the SDK configuration file)} \
--ca_cert={root certificate path} \
--admin-key-file-paths={key path} \
--admin-crt-file-paths={certificate path}
```

#### Building the privacy computing gateway

```sh
cd ../gateway
go build main.go
./main start
```
#### Privacy computing gateway configuration: config.yml

```yaml
# Service configuration
settings:
   # Web service configuration
   application:
      domain: localhost:9090
      host: 0.0.0.0
      ishttps: false # whether to enable HTTPS
      name: sgx      # service name
      port: "8081"   # service port
      concurrency: 10  # maximum concurrency
   # SDK client configuration
   config:
      capaths: # root certificate paths; more than one may be given
         - cert/ca
      chainid: chain1  # chain ID
      conncnt: 1  # number of node connections
      nodeaddr: 127.0.0.1:12301  # node address, format: 127.0.0.1:12301
      orgid: wx-org1.chainmaker.org # organization the client belongs to
      tlshostname: consensus1.tls.wx-org1.chainmaker.org  # TLS hostname
      usercttpath: cert/client1.tls.crt  # client user certificate path
      userkeypath: cert/client1.tls.key  # client user private key path
   # Log configuration
   log:
      compress: 1  # whether to gzip rotated logs; default is no compression
      level: debug # log level; default Info
      localtime: 1  # whether log timestamps use local time; default UTC
      maxage: 30 #  maximum number of days to keep logs; default is never delete
      maxbackups: 300 # maximum number of backups to keep
      maxsize: 1024 # log file size before rotation; default 100M
      path: ./logs/gateway.log # log file name
   # HTTPS configuration
   ssl:
      key: keystring  # certificate key
      pem: temp/pem.pem # certificate
# gRPC connection pool configuration
internalClient:
   targeturl: ":50053"  # port
   initcapacity: 20     # initial number of connections
   maxcapacity: 300     # maximum number of connections
   dialtimeout: 2       # dial timeout
   idletimeout: 6       # idle timeout
   readtimeout: 5       # read timeout
   writetimeout: 5      # write timeout
internalServer:
   port: ":50052"       # server port

```

The values above are local-testing defaults: `ishttps: false` means contract code and inputs reach the gateway in clear text, `host: 0.0.0.0` binds every interface, and `level: debug` is verbose. For a real deployment enable `ishttps` with the `ssl` key and certificate, bind only the interface you intend to expose, and lower the log level.
## Privacy computing gateway interfaces

The gateway is the entry point through which users call privacy contracts; calls are currently made over HTTP. The gateway mainly provides three interfaces: remote attestation, contract deployment, and contract invocation. All interfaces use the POST method. Usage follows the example referenced below:

### Example reference

See gateway/service/tools/main.go

### Deploy contract interface

Interface address: http://x.x.x.x:port/private/deploy, where x.x.x.x:port is the service address, which the user can specify in the configuration.

### Execute privacy computation interface

Interface address: http://x.x.x.x:port/private/compute, where x.x.x.x:port is the service address, which the user can specify in the configuration.

### Remote attestation interface

Interface address: http://x.x.x.x:port/private/remote_attestation, where x.x.x.x:port is the service address, which the user can specify in the configuration.

## Appendix: recommended server CPU models that support privacy contracts

| CPU SKU   | Model and description                                                     | Maximum reserved SGX enclave memory (EPC) |
| --------- | ------------------------------------------------------------------------- | ----------------------------------------- |
| 6354      | Ice Lake SP XCC Intel Xeon Gold 6354 18c 205W 3.0GHz                      | 64GB                                      |
| 8360Y     | Ice Lake SP XCC Intel Xeon Platinum 8360Y 36c 250W 2.4GHz                 | 64GB                                      |
| 6348      | Ice Lake SP XCC Intel Xeon Gold 6348 28c 235W 2.6GHz                      | 64GB                                      |
| 8380      | Ice Lake SP XCC Intel Xeon Platinum 8380 40c 270W 2.3GHz                  | 512GB                                     |
| 8368      | Ice Lake SP XCC Intel Xeon Platinum 8368 38c 270W 2.4GHz                  | 512GB                                     |
| 8368Q     | Ice Lake SP XCC Intel Xeon Platinum 8368Q 38c 270W 2.6GHz (liquid cooled) | 512GB                                     |
| 8358      | Ice Lake SP XCC Intel Xeon Platinum 8358 32c 250W 2.6GHz                  | 64GB                                      |
| 8358P     | Ice Lake SP XCC Intel Xeon Platinum 8358P 32c 240W 2.6GHz                 | 8GB                                       |
| 8352V     | Ice Lake SP XCC Intel Xeon Platinum 8352V 36c 195W 2.1GHz                 | 8GB                                       |
| 8351N     | Ice Lake SP XCC Intel Xeon Platinum 8351N 36c 225W 2.4GHz                 | 64GB                                      |
| 6314U     | Ice Lake SP XCC Intel Xeon Gold 6314U 32c 205W 2.3GHz                     | 64GB                                      |
| 6338      | Ice Lake SP XCC Intel Xeon Gold 6338 32c 205W 2.0GHz                      | 64GB                                      |
| 6338N     | Ice Lake SP XCC Intel Xeon Gold 6338N 32c 185W 2.2GHz                     | 64GB                                      |
| 8352Y     | Ice Lake SP XCC Intel Xeon Platinum 8352Y 32c 205W 2.2GHz                 | 64GB                                      |
| 8352S     | Ice Lake SP XCC Intel Xeon Platinum 8352S 32c 205W 2.2GHz                 | 512GB                                     |
| 6330      | Ice Lake SP XCC Intel Xeon Gold 6330 28c 205W 2.0GHz                      | 64GB                                      |
| 6330N     | Ice Lake SP XCC Intel Xeon Gold 6330N 28c 165W 2.2GHz                     | 64GB                                      |
| 6346      | Ice Lake SP XCC Intel Xeon Gold 6346 16c 205W 3.1GHz                      | 64GB                                      |