# Privacy Computing User Guide

## Notes

- Graphene was the project's original official name; it was later renamed Gramine, and this document uses Gramine throughout.
- Gramine v1.1 is used; repository: https://github.com/gramineproject/gramine
- Versions before 1.1 have poor Golang support and cannot be used.
- Check whether the machine supports SGX.
- If the machine does not support SGX, the software can be run in simulation mode.
- Simulation mode must not be used in a production environment.

## Environment Deployment

### Recommended Configuration

- OS: Linux (Windows is not supported; this tutorial uses Ubuntu 20.04)
- Kernel: 5.11+ (5.11 or later is recommended)
- Memory: 8G+

### Gramine Environment Setup

Installation tutorial: https://gramine.readthedocs.io/en/latest/quickstart.html

### Download the Related Code

```sh
git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-go.git
git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/graphene.git
git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-tee.git
```

### Compiling the Code

#### CA Preparation

- Prepare a CA:
  - The info_test.go file in the tee directory can generate a third-party root CA, for testing use only.
  - Alternatively, prepare a third-party CA yourself.

#### Compiling Enclave-server

##### Prepare the enclave-server.manifest.template file

```toml
loader.preload = "file:{{ gramine.libos }}"
libos.entrypoint = "{{ entrypoint }}"
loader.log_level = "{{ log_level }}"
loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/lib:/usr{{ arch_libdir }}"
loader.pal_internal_mem_size = "1G"
loader.insecure__use_cmdline_argv = true
sys.enable_sigterm_injection = true

fs.mount.lib.type = "chroot"
fs.mount.lib.path = "/lib"
fs.mount.lib.uri = "file:{{ gramine.runtimedir() }}"

fs.mount.lib2.type = "chroot"
fs.mount.lib2.path = "{{ arch_libdir }}"
fs.mount.lib2.uri = "file:{{ arch_libdir }}"

fs.mount.tmp.type = "chroot"
fs.mount.tmp.path = "/tmp"
fs.mount.tmp.uri = "file:/tmp"

# fs.mount.libos.path
# fs.mount.libos.uri
# set absolute paths
fs.mount.libos.type = "chroot"
fs.mount.libos.path = "/home/XXX/chainmaker-graphene/"  # set the absolute path
fs.mount.libos.uri = "file:/home/XXX/chainmaker-graphene/"  # set the absolute path

sgx.nonpie_binary = true
sgx.enclave_size = "16G"  # adjust to your machine; allocate at least 8G
sys.stack.size = "128M"
sgx.thread_num = 256  # tune to your machine configuration
sgx.trusted_files = [
  "file:{{ entrypoint }}",
  "file:{{ gramine.runtimedir() }}/",
  "file:{{ arch_libdir }}/",
  "file:/usr{{ arch_libdir }}/",
  "file:/etc/mime.types",
  "file:/etc/default/apport",
]

sgx.allowed_files = [
  "file:/etc/nsswitch.conf",
  "file:/etc/ethers",
  "file:/etc/hosts",
  "file:/etc/group",
  "file:/etc/passwd",
  "file:/etc/gai.conf",
  "file:/etc/host.conf",
  "file:/etc/resolv.conf",
  "file:./configs/",
  "file:/tmp",
  "file:/home/XXX/chainmaker-graphene/",  # set the absolute path
  "file:./logs",
]
```

Other fields can be configured by referring to https://gramine.readthedocs.io/en/latest/manifest-syntax.html

- Generate enclave-key.pem:

```sh
openssl genrsa -3 -out /home/XXX/chainmaker-graphene/enclave-key.pem 3072  # replace with your own directory
```

- Run build.sh to compile:

```shell
sudo ./build.sh SIM              # run in simulation mode
sudo ./build.sh SGX=1 DEBUG=1    # run in hardware mode (requires CPU support); DEBUG=1 is optional
```

#### Simulation Mode

- `gramine-direct ./enclave-server -module=1`

#### Hardware Mode

- Run `gramine-sgx ./enclave-server`

#### Issuing the Certificate

- On the first deployment, enclave-server generates a CSR file once initialization completes.
- Use the CSR file to request a TEE certificate from the third-party CA.
- Save the issued TEE certificate in PEM format in a file (in_teecert.pem) and place it in the chainmaker-graphene/configs directory.
- The running program automatically verifies and loads the TEE certificate.

**Note: to confirm that the enclave started successfully, run `netstat -ntlp`; a listening port owned by ./loader indicates the enclave started successfully.**

#### Putting Verification Information On-Chain

- Use the following [CMC](../dev/命令行工具) command to call the system contract and put the obtained report on-chain:

```shell
cmc tee upload_report \
--sdk-conf-path={./testdata/sdk_config.yml (SDK config file path)} \
--report={report path} \
--admin-key-file-paths={key path} \
--admin-crt-file-paths={certificate path}
```

**Note: if the enclave code version changes, step 2 must be executed again to put the updated report on-chain.**

- Put the third-party CA's signing root certificate on-chain:

```shell
cmc tee upload_ca_cert \
--sdk-conf-path={./testdata/sdk_config.yml (SDK config file path)} \
--ca_cert={root certificate path} \
--admin-key-file-paths={key path} \
--admin-crt-file-paths={certificate path}
```

#### Compiling the Privacy Computing Gateway

```sh
cd ../gateway
go build main.go
./main start
```

#### Privacy Computing Gateway Configuration (config.yml)

```yaml
# service configuration
settings:
  # web service configuration
  application:
    domain: localhost:9090
    host: 0.0.0.0
    ishttps: false        # whether to enable https
    name: sgx             # service name
    port: "8081"          # service port
    concurrency: 10       # maximum concurrency
  # SDK client configuration
  config:
    capaths:              # root certificate paths; multiple entries are supported
      - cert/ca
    chainid: chain1       # chain ID
    conncnt: 1            # number of node connections
    nodeaddr: 127.0.0.1:12301   # node address, format: 127.0.0.1:12301
    orgid: wx-org1.chainmaker.org   # owning organization
    tlshostname: consensus1.tls.wx-org1.chainmaker.org   # TLS hostname
    usercttpath: cert/client1.tls.crt   # client user certificate path
    userkeypath: cert/client1.tls.key   # client user private key path
  # log configuration
  log:
    compress: 1           # whether to gzip-compress rotated logs; default is no compression
    level: debug          # log level; default Info
    localtime: 1          # whether log timestamps use local time; default UTC
    maxage: 30            # maximum retention in days; default is never delete
    maxbackups: 300       # maximum number of backups
    maxsize: 1024         # log file size; default 100M
    path: ./logs/gateway.log   # log file name
  # https configuration
  ssl:
    key: keystring        # certificate key
    pem: temp/pem.pem     # certificate
  # grpc connection pool configuration
  internalClient:
    targeturl: ":50053"   # port
    initcapacity: 20      # initial number of connections
    maxcapacity: 300      # maximum number of connections
    dialtimeout: 2        # dial timeout
    idletimeout: 6        # idle timeout
    readtimeout: 5        # read timeout
    writetimeout: 5       # write timeout
  internalServer:
    port: ":50052"        # server listening port
```

## Privacy Computing Gateway API

The gateway is the entry point through which users invoke privacy contracts; it is currently called over HTTP. It exposes three main endpoints: remote attestation, contract deployment and contract invocation. All endpoints use the POST method. For usage, refer to the example; the endpoints are described below.

### Example Reference

See gateway/service/tools/main.go

### Deploy Contract Endpoint

Endpoint: http://x.x.x.x:port/private/deploy, where x.x.x.x:port is the service address, which the user can specify in the configuration.

### Execute Privacy Computation Endpoint

Endpoint: http://x.x.x.x:port/private/compute, where x.x.x.x:port is the service address, which the user can specify in the configuration.

### Remote Attestation Endpoint

Endpoint: http://x.x.x.x:port/private/remote_attestation, where x.x.x.x:port is the service address, which the user can specify in the configuration.

## Appendix: Recommended Server CPU Models Supporting Privacy Contracts

| CPU model | Model and description | Maximum SGX enclave reserved memory |
| --------- | ------------------------------------------------------------------------- | ----------------------- |
| 6354 | Ice Lake SP XCC Intel Xeon Gold 6345 18c 205W 3.0GHz | 64GB |
| 8360Y | Ice Lake SP XCC Intel Xeon Platinum 8360Y 36c 250W 2.4GHz | 64GB |
| 6348 | Ice Lake SP XCC Intel Xeon Gold 6348 28c 235W 2.6GHz | 64GB |
| 8380 | Ice Lake SP XCC Intel Xeon 8380 40c 270W 2.3GHz | 512GB |
| 8368 | Ice Lake SP XCC Intel Xeon Platinum 8368 38c 270W 2.4GHz | 512GB |
| 8368Q | Ice Lake SP XCC Intel Xeon Platinum 8368Q 38c 270W 2.6GHz (liquid cooled) | 512GB |
| 8358 | Ice Lake SP XCC Intel Xeon Platinum 8358 32c 250W 2.6GHz | 64GB |
| 8358P | Ice Lake SP XCC Intel Xeon Platinum 8358P 32c 240W 2.6GHz | 8GB |
| 8352V | Ice Lake SP XCC Intel Xeon Platinum 8352V 36c 195W 2.1GHz | 8GB |
| 8351N | Ice Lake SP XCC Intel Xeon Platinum 8351N 36c 225W 2.4GHz | 64GB |
| 6314U | Ice Lake SP XCC Intel Xeon Gold 6314U 32c 205W 2.3GHz | 64GB |
| 6338 | Ice Lake SP XCC Intel Xeon Gold 6338 32c 205W 2.0GHz | 64GB |
| 6338N | Ice Lake SP XCC Intel Xeon Gold 6338N 32c 185W 2.2GHz | 64GB |
| 8352Y | Ice Lake SP XCC Intel Xeon Platinum 8352Y 32c 205W 2.2GHz | 64GB |
| 8352S | Ice Lake SP XCC Intel Xeon Platinum 8352S 32c 205W 2.2GHz | 512GB |
| 6330 | Ice Lake SP XCC Intel Xeon Gold 6330 28c 205W 2.0GHz | 64GB |
| 6330N | Ice Lake SP XCC Intel Xeon Gold 6330N 28c 165W 2.2GHz | 64GB |
| 6346 | Ice Lake SP XCC Intel Xeon Gold 6346 16c 205W 3.1GHz | 64GB |
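As an added example (not code from the original guide, ChainMaker or Gramine), the following Python script audits a manifest in the shape of the enclave-server.manifest.template shown in the compilation section above: it parses the flat TOML subset Gramine manifests use and flags enabled `loader.insecure__*` options, every `sgx.allowed_files` entry (Gramine does not measure or integrity-check those files, which here include `./configs/`, where in_teecert.pem is placed), and an `sgx.enclave_size` below the 8G the guide recommends. The embedded sample manifest is constructed for the demonstration and is not the project's real file.

```python
import re
RECOMMENDED_MIN_ENCLAVE_GB = 8  # minimum the guide recommends for sgx.enclave_size
# Constructed sample in the shape of enclave-server.manifest.template (not the real file).
SAMPLE = '''
loader.insecure__use_cmdline_argv = true
sgx.enclave_size = "4G"  # below the recommended minimum
fs.mount.libos.uri = "file:/home/XXX/chainmaker-graphene/"# absolute path
sgx.trusted_files = [ "file:{{ entrypoint }}", "file:{{ gramine.runtimedir() }}/", ]
sgx.allowed_files = [
  "file:./configs/",
  "file:/home/XXX/chainmaker-graphene/", # absolute path
]
'''

def parse_manifest(text):
    """Parse the flat 'key = value' TOML subset Gramine manifests use into {dotted_key: value}."""
    conf, key, items = {}, None, None
    for raw in text.splitlines():
        # strip comments: '#' at line start, after whitespace or after a closing quote
        line = re.sub(r'(?:^|(?<=[\s"]))#.*$', '', raw).strip()
        if not line:
            continue
        if items is None:                       # not inside an open array
            key, _, value = (p.strip() for p in line.partition("="))
            if not value.startswith("["):
                conf[key] = (value.strip('"') if value.startswith('"')
                             else value == "true" if value in ("true", "false")
                             else int(value))
                continue
            items, line = [], value
        items += re.findall(r'"([^"]*)"', line)   # string elements, one or more per line
        if line.endswith("]"):                  # array closed on this line
            conf[key], items = items, None
    return conf

def size_to_gb(size):
    """Convert a Gramine size string such as "16G" or "512M" to GiB."""
    return float(size[:-1]) * {"M": 1 / 1024, "G": 1, "T": 1024}[size[-1].upper()]

def audit(text):
    """Return the findings a reviewer should confirm before running gramine-sgx."""
    conf, findings = parse_manifest(text), []
    for key, val in conf.items():
        if ".insecure__" in key and val is True:
            findings.append(f"{key} = true (Gramine marks this option insecure)")
    for path in conf.get("sgx.allowed_files", []):   # allowed files are never measured
        findings.append(f"{path} is allowed but not integrity-checked by Gramine")
    if size_to_gb(conf.get("sgx.enclave_size", "0G")) < RECOMMENDED_MIN_ENCLAVE_GB:
        findings.append(f"sgx.enclave_size {conf.get('sgx.enclave_size')} is below {RECOMMENDED_MIN_ENCLAVE_GB}G")
    return findings
```

Run `audit(open("enclave-server.manifest.template").read())` against your own template; an empty list means none of the three checks fired.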