Install SGX powHSM as a systemd service (#226)
italo-sampaio authored and amendelzon committed Dec 3, 2024
1 parent c93d70d commit f45141f
Showing 6 changed files with 131 additions and 2 deletions.
7 changes: 6 additions & 1 deletion dist/sgx/hsm/run → dist/sgx/hsm/start
Expand Up @@ -4,6 +4,8 @@ BINDIR=$(realpath $(dirname $0))
WORKDIR=$(realpath $BINDIR/..)
DOCKER_IMAGE=powhsmsgx:runner

source $BINDIR/.env

QUIET=""
echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..."
if [[ "$2" != "-v" ]]; then
Expand All @@ -16,10 +18,13 @@ echo

DOCKER_CNT=powhsmsgx-runner
DOCKER_USER="$(id -u):$(id -g)"
HOSTNAME="SGX"
NETWORK=${NETWORK:-net_sgx}
PORT=7777
DOCKER_PORT="$PORT:$PORT"

docker run -ti --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
docker run --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
--hostname $HOSTNAME --network $NETWORK \
--device=/dev/sgx_enclave:/dev/sgx_enclave \
--device=/dev/sgx_provision:/dev/sgx_provision \
-w /hsm -p$DOCKER_PORT $DOCKER_IMAGE \
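Review bot: `source $BINDIR/.env` on the added line reads `bin/.env` next to the script, whereas install_service in this commit appends `NETWORK=…` to `$INSTALL_DIR/.env`, the unit's WorkingDirectory one level above `bin/start`; unless setup also places a copy of `.env` inside `bin`, the appended value never reaches this script and NETWORK silently falls back to `net_sgx` on the new default line — worth confirming against the installer. Because `.env` is executed as shell rather than parsed as key/value pairs, only accounts that may already run this container should be able to write it; install_service makes it group-writable by `hsm`, which matches the service user, so the boundary holds as long as that ownership is not loosened later. A guard `[[ -f "$BINDIR/.env" ]] && source "$BINDIR/.env"` would keep the script usable before the installer has created the file, and `$BINDIR` should be quoted. Both hunks sit inside a script whose start and end are outside this section.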
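--- a/dist/sgx/hsm/stop
+++ b/dist/sgx/hsm/stop
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+DOCKER_CNT=powhsmsgx-runner
+docker stop $DOCKER_CNT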
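Review bot: `DOCKER_CNT=powhsmsgx-runner` duplicates the container name hard-coded in `start`, so the two scripts can drift apart and `docker stop` would then target nothing; since the installer already writes a `.env` for the installation, the name could live there and be sourced by both scripts. `docker stop` exits non-zero when no container of that name is running, which, if I read systemd's ExecStop handling right, is reported as a stop failure whenever the container has already exited on its own; if that noise is unwanted, `docker stop "$DOCKER_CNT" >/dev/null 2>&1 || true` with a comment explaining the deliberate suppression would be clearer than leaving it implicit.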
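--- a/dist/sgx/scripts/hsmsgx.service
+++ b/dist/sgx/scripts/hsmsgx.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=SGX powHSM
+Wants=network.target
+After=syslog.target network-online.target docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+WorkingDirectory=$HSM_INSTALL_DIR
+User=hsm
+Group=hsm
+ExecStart=$HSM_INSTALL_DIR/bin/start
+ExecStop=$HSM_INSTALL_DIR/bin/stop
+Restart=on-failure
+RestartSec=10
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target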
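Review bot: `After=network-online.target` orders the unit after that target, but nothing pulls the target in — the `Wants=network.target` line names a different target — so on boots where network-online.target is never activated the ordering has no effect; change that line to `Wants=network-online.target`. `After=syslog.target` is a no-op on current systemd and can be dropped. `User=hsm` provides little isolation by itself, because install_service adds `hsm` to the `docker` group, which is equivalent to root on the host; a comment on the `User=` line saying so would stop a reader from treating it as a privilege boundary, and `NoNewPrivileges=true` plus `ProtectSystem=full` would at least constrain the wrapper script itself.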
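--- a/dist/sgx/scripts/install_service
+++ b/dist/sgx/scripts/install_service
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Require superuser
+if ! [ "$(id -u)" == "0" ]; then
+echo -e "\e[1;31mPlease run with sudo.\e[0m"
+exit 1
+fi
+
+if [ -z "$1" ]; then
+echo -e "\e[1;31mUsage: $0 <service-file>\e[0m"
+exit 1
+fi
+
+SERVICE_UNIT=$(realpath $1)
+if [ ! -f "$SERVICE_UNIT" ]; then
+echo "\e[1;31mService file not found: $SERVICE_UNIT\e[0m"
+exit 1
+fi
+
+# Extract the installation directory from the service file
+INSTALL_DIR=$(grep -oP 'WorkingDirectory=\K.*' $SERVICE_UNIT)
+if [ -z "$INSTALL_DIR" ]; then
+echo -e "\e[1;31mCould not extract installation directory from service file.\e[0m"
+exit 1
+fi
+
+echo -e "\e[1;32mCreating hsm user and group...\e[0m"
+if ! id -u hsm >/dev/null 2>&1; then
+useradd -rm -s /bin/bash hsm || exit $?
+usermod -aG docker hsm || exit $?
+else
+echo -e "\e[1;33mUser 'hsm' already exists. Skipping user creation.\e[0m"
+fi
+
+DEFAULT_NETWORK="net_sgx"
+while true; do
+echo -e "\e[1;32mEnter the name of the docker network to be created: [$DEFAULT_NETWORK]\e[0m"
+read -p "> " NETWORK
+if [ -z "$NETWORK" ]; then
+NETWORK=$DEFAULT_NETWORK
+fi
+echo -e "\e[1;33mThe docker network will be named '$NETWORK'. Proceed? [Y/n]\e[0m"
+read -p "> " proceed
+if [[ "Y" == "$proceed" ]] || [[ "y" == "$proceed" ]] || [ -z "$proceed" ]; then
+break
+fi
+done
+
+echo -e "\e[1;32mCreating $NETWORK network...\e[0m"
+docker network rm $NETWORK 2> /dev/null
+docker network create $NETWORK &> /dev/null
+echo "NETWORK=$NETWORK" >> $INSTALL_DIR/.env || exit $?
+
+echo -e "\e[1;32mSetting permisions...\e[0m"
+chown -R root:hsm $INSTALL_DIR || exit $?
+chmod 664 $INSTALL_DIR/*.dat $INSTALL_DIR/.env || exit $?
+
+echo -e "\e[1;32mCreating service...\e[0m"
+cp $SERVICE_UNIT /etc/systemd/system/hsmsgx.service
+systemctl daemon-reload || exit $?
+echo -e "\e[1;32mEnabling service...\e[0m"
+systemctl enable hsmsgx.service || exit $?
+echo -e "\e[1;32mEStarting service...\e[0m"
+systemctl start hsmsgx.service || exit $?
+echo -e "\e[1;32mService started.\e[0m"
+echo -e "\e[1;32mTo check the status of the service, run 'systemctl status hsmsgx.service'.\e[0m"
+exit 0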
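Review bot: `docker network create $NETWORK &> /dev/null` discards both the output and the exit status, so a failed create (a name the daemon rejects, or a daemon that is not running) still leads to `NETWORK=…` being appended to `.env` and the service being enabled against a network that does not exist; make it `docker network create "$NETWORK" >/dev/null || exit $?`, and for the same reason `cp $SERVICE_UNIT /etc/systemd/system/hsmsgx.service` should carry the `|| exit $?` its neighbours have. The preceding `docker network rm` deletes any existing network with the operator-supplied name, which can disconnect unrelated containers, so a visible warning is preferable to silencing its stderr. The `Service file not found` message is the only `echo` without `-e`, so its colour escapes print literally, and `EStarting service` is a typo. `useradd -rm -s /bin/bash hsm` gives a system account an interactive shell the unit never needs; `-s /usr/sbin/nologin` is the usual choice, with a comment noting that the `docker` group membership on the next line already grants that account root-equivalent control of the host, which is the property an operator should be aware of.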
16 changes: 16 additions & 0 deletions dist/sgx/scripts/setup
Expand Up @@ -35,6 +35,12 @@ EXPORT_DIR="$ROOT_DIR/export"
PUBLIC_KEY_FILE="$EXPORT_DIR/public-keys.txt"
PUBLIC_KEY_FILE_JSON="$EXPORT_DIR/public-keys.json"

# HSM scripts directory
SCRIPTS_DIR=$ROOT_DIR/scripts

# Directory where the finalized systemd service unit will be saved
SERVICE_DIR=$ROOT_DIR/service

function checkHsmBinaries() {
# Check for HSM binary files
FILES="$HSMBIN_DIR/hsmsgx $HSMBIN_DIR/hsmsgx_enclave.signed"
Expand Down Expand Up @@ -96,6 +102,15 @@ function selectInstallationDir() {
done
}

function createServiceUnit() {
rm -rf $SERVICE_DIR
mkdir $SERVICE_DIR

cp $SCRIPTS_DIR/hsmsgx.service $SERVICE_DIR
# Replace the $HSM_INSTALL_DIR token in the script with the actual installation directory
sed -i "s|\$HSM_INSTALL_DIR|$INSTALL_DIR|g" $SERVICE_DIR/hsmsgx.service
}

function installPowHsm() {
mkdir $REAL_INSTALL_DIR/bin
cp -R $HSMBIN_DIR/* $REAL_INSTALL_DIR/bin
Expand Down Expand Up @@ -134,6 +149,7 @@ checkForPinFile
checkHsmBinaries
expandBinaries
selectInstallationDir
createServiceUnit
echo
echo -e "\e[1;32mInstalling the powHSM...\e[0m"
installPowHsm
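Review bot: In `createServiceUnit`, `sed -i "s|\$HSM_INSTALL_DIR|$INSTALL_DIR|g"` splices the installation directory into the sed expression unescaped, so a path containing `|` breaks the command and one containing `&` or `\` is rewritten (`&` expands to the matched token); `INSTALL_DIR` is presumably chosen interactively in `selectInstallationDir`, so escape it first, e.g. `escaped=$(printf '%s' "$INSTALL_DIR" | sed 's/[|&\\]/\\&/g')` and substitute `$escaped`. `rm -rf $SERVICE_DIR` should be `rm -rf -- "${SERVICE_DIR:?}"` so an empty `ROOT_DIR` cannot turn it into `rm -rf /service`, and the `mkdir`/`cp` that follow are unchecked. `selectInstallationDir` and `installPowHsm` continue outside the hunk, as does the top-level call sequence.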
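--- a/dist/sgx/setup-new-powhsm
+++ b/dist/sgx/setup-new-powhsm
@@ -1,3 +1,21 @@
 #!/bin/bash
 
-$(dirname $0)/scripts/run_with_docker ./scripts/setup $1
+# Require superuser, since we need to install a service in the host
+if ! [ "$(id -u)" == "0" ]; then
+echo -e "\e[1;32mPlease run with sudo.\e[0m"
+exit 1
+fi
+
+ROOT_DIR=$(realpath $(dirname $0))
+$ROOT_DIR/scripts/run_with_docker ./scripts/setup $1
+if [ $? -ne 0 ]; then
+echo -e "\e[1;31m Error during the powhsm setup, aborting \e[0m"
+exit 1
+fi
+
+$ROOT_DIR/scripts/install_service $ROOT_DIR/service/hsmsgx.service
+if [ $? -ne 0 ]; then
+echo -e "\e[1;31m Error during the powhsm service installation, aborting \e[0m"
+exit 1
+fi
+echo -e "\e[1;32mHSM SGX setup done.\e[0m"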
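Review bot: The sudo check's message `\e[1;32mPlease run with sudo.\e[0m` is printed in green, while the two abort messages below and the identical check in install_service use red `\e[1;31m`; use the red escape here as well so the failure is visually consistent. `$1` is handed to `run_with_docker` unquoted, so an empty or space-containing argument changes the argument count the inner setup script sees — `"$1"` (and `"$ROOT_DIR"`) preserve it. The two `if [ $? -ne 0 ]` tests could be written as `cmd || { echo -e …; exit 1; }` to match the `|| exit $?` style used in install_service; either way the behaviour is the same.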
