feat(sgx): put all python packages into trusted_files (#1095)

* feat(sgx): support tensorflow remote attestation in list * fix(sgx): improve EPC cost * fix(sgx): fix memory leak of json_engine * fix(sgx):misspell Ps->ps * fix(sgx): fix get_token * feat(sgx): put all python packages into trusted_files
bytedance · Apr 8, 2024 · f875f10 · f875f10
1 parent 383d1a5
commit f875f10
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 12 deletions.
diff --git a/deploy/scripts/sgx/get_token.sh b/deploy/scripts/sgx/get_token.sh
@@ -1,11 +1,30 @@
 #!/bin/bash
 
-cd /gramine/CI-Examples/generate-token/
-make clean > /dev/null
-export SGX=1
-export SGX_SIGNER_KEY=/root/.config/gramine/enclave-key.pem
-make all > /dev/null
-if [ $? -eq 0 ]; then
-    gramine-sgx-get-token -s python.sig -o /dev/null
-fi
-make clean > /dev/null
+function get_token(){
+    local need_clean=0
+    cd /gramine/CI-Examples/generate-token/
+    make clean > /dev/null
+    export SGX=1
+    export SGX_SIGNER_KEY=/root/.config/gramine/enclave-key.pem
+
+    # mkdir and make
+    if [ ! -d "/gramine/leader" ] || [ ! -d "/gramine/follower" ]; then
+        mkdir -p /gramine/leader
+        mkdir -p /gramine/follower
+        need_clean=1
+    fi
+    make all > /dev/null
+    if [ $? -eq 0 ]; then
+        gramine-sgx-get-token -s python.sig -o /dev/null
+    fi
+
+    # clean
+    make clean > /dev/null
+    if [ $need_clean==1 ]; then
+        rm -rf /gramine/leader
+        rm -rf /gramine/follower
+    fi
+    cd -
+}
+
+get_token
diff --git a/sgx/gramine/CI-Examples/generate-token/python.manifest.template b/sgx/gramine/CI-Examples/generate-token/python.manifest.template
@@ -67,6 +67,9 @@ sgx.trusted_files = [
   "file:/usr/{{ arch_libdir }}/",
   "file:/etc/ssl/certs/ca-certificates.crt",
   "file:/etc/default/apport",
+  "file:/usr/local/lib/",
+  "file:{{ python.stdlib }}/",
+  "file:{{ python.distlib }}/", 
   "file:/etc/mime.types",
   "file:/gramine/leader/",
   "file:/gramine/follower/"
@@ -76,8 +79,6 @@ sgx.allowed_files = [
   "file:tensorflow_io.py",
   "file:/opt/tiger/",
   "file:/opt/meituan/",
-  "file:{{ python.stdlib }}/",
-  "file:{{ python.distlib }}/",
   "file:/usr/lib/ssl/openssl.cnf",
   "file:/usr/lib/gcc",
   "file:/etc/ethers",
@@ -99,7 +100,6 @@ sgx.allowed_files = [
   "file:/root/.keras/keras.json",
   "file:dynamic_config.json",
   "file:/usr/bin/",
-  "file:/usr/local/lib",
   "file:/lib/",
   "file:/bin/",
   "file:/data/",