
Step 2: Build an enclave image with the server

Step 2.1: Set up the development environment

Spin up a new Docker container based on our nitro-cli image and mount the current directory using

sudo docker run --rm --privileged --name nitro-cli -v `pwd`:/mnt/my-server marlinorg/nitro-cli

Keep this terminal open till end of this page.

In a new terminal, run

sudo docker exec -it nitro-cli sh

You now have a shell with docker and nitro-cli available where you can build enclave images. Navigate to the directory with the rust application using

cd /mnt/my-server

Step 2.2: Prepare the image specification

You will be customizing the default image to create your own image. Therefore, create three files, Dockerfile, setup.sh and supervisord.conf, with the contents from this page.

The Dockerfile has a line marked # your custom setup goes here for you to customize it. Copy our server by adding the following lines at the customization point

COPY ./target/x86_64-unknown-linux-musl/release/app /app/app
RUN chmod +x /app/app

Also copy the loader and requester public keys by adding

COPY ./loader.pub /app/loader.pub
COPY ./requester.pub /app/requester.pub

setup.sh does not need any customization.

supervisord.conf has a line marked # your custom programs go here for you to customize it. Add the following to start our server when the enclave starts

[program:my-server]
command=/app/app --ip-addr 127.0.0.1:4000 --secret /app/id.sec --loader /app/loader.pub --requester /app/requester.pub
autorestart=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stdout
stderr_logfile_maxbytes=0

A proxy is also required to expose the server to the outside world using vsock. Add the following to run a proxy:

[program:my-server-proxy]
command=/app/vsock-to-ip --vsock-addr 88:4000 --ip-addr 127.0.0.1:4000
autorestart=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stdout
stderr_logfile_maxbytes=0

Step 2.3: Build an enclave image

In the shell opened in step 2.1, first build a docker image using

docker image build -t enclave:latest .

Then build an enclave image using

nitro-cli build-enclave --docker-uri enclave:latest --output-file enclave.eif

The command will create enclave.eif, which is the enclave image file, and will print the measurements, which should look something like

{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "........",
    "PCR1": "........",
    "PCR2": "........"
  }
}
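The PCR values printed here are what anyone verifying an attestation from this enclave will later compare against, so it is worth capturing them from the build rather than copying them by hand. The script below is an added example, not part of the Marlin docs or the nitro-cli tool: it wraps the two build commands from this step, pulls PCR0 to PCR2 out of the printed JSON and writes them to a measurements file, refusing to record anything that is not a full SHA-384 digest. It assumes docker and nitro-cli are on PATH (as they are in the container from step 2.1) and that the output has the shape shown above; the sample JSON at the bottom is constructed for offline use.

```shell
#!/bin/sh
# Added example: capture and sanity-check the enclave measurements printed
# by nitro-cli build-enclave. Assumes docker and nitro-cli are on PATH.

# Pull one PCR value out of the measurement JSON. $1 = JSON text, $2 = PCR name.
# sed only, so it works in the minimal container without jq.
extract_pcr() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([0-9a-fA-F]*\)\".*/\1/p" | head -n 1
}

# SHA-384 digests are 48 bytes = 96 hex characters; anything else means the
# output was not parsed correctly and must not be pinned.
valid_pcr() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{96}$'
}

# Parse measurement JSON ($1) and write "PCRn=<hex>" lines to file $2.
# Returns 1 (and leaves the file incomplete) if any PCR is missing or malformed.
record_measurements() {
    json="$1"; out="$2"
    : > "$out"
    for pcr in PCR0 PCR1 PCR2; do
        val=$(extract_pcr "$json" "$pcr")
        valid_pcr "$val" || { echo "bad or missing $pcr in build output" >&2; return 1; }
        echo "$pcr=$val" >> "$out"
    done
}

# Run the two build commands from step 2.3 and record the resulting PCRs.
# $1 = directory containing the Dockerfile, $2 = output measurements file.
build_and_record() {
    dir="$1"; out="$2"
    docker image build -t enclave:latest "$dir"
    json=$(nitro-cli build-enclave --docker-uri enclave:latest --output-file "$dir/enclave.eif")
    record_measurements "$json" "$out"
}

# Constructed sample output for offline checks: a 96-hex-character placeholder
# digest standing in for a real PCR (16 hex characters repeated 6 times).
HEX96='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_JSON='{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "'"$HEX96"'",
    "PCR1": "'"$HEX96"'",
    "PCR2": "'"$HEX96"'"
  }
}'
# Constructed malformed output (truncated PCR0) that must be rejected.
BAD_JSON='{"Measurements": {"PCR0": "abc", "PCR1": "'"$HEX96"'", "PCR2": "'"$HEX96"'"}}'

# Usage from the directory holding the Dockerfile:
#   build_and_record . measurements.txt
```

Keep the measurements file with the source that produced it; a verifier that checks attestation documents against these PCRs will reject any enclave whose image differs, which is the property the whole build step exists to provide.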