From f45141f85f5f2ad2415b8bede34a416a6687c30d Mon Sep 17 00:00:00 2001
From: Italo Sampaio <100376888+italo-sampaio@users.noreply.github.com>
Date: Mon, 2 Dec 2024 09:47:06 -0300
Subject: [PATCH] Install SGX powHSM as a systemd service (#226)
---
 dist/sgx/hsm/{run => start} | 7 +++-
 dist/sgx/hsm/stop | 4 ++
 dist/sgx/scripts/hsmsgx.service | 19 +++++++++
 dist/sgx/scripts/install_service | 67 ++++++++++++++++++++++++++++++++
 dist/sgx/scripts/setup | 16 ++++++++
 dist/sgx/setup-new-powhsm | 20 +++++++++-
 6 files changed, 131 insertions(+), 2 deletions(-)
 rename dist/sgx/hsm/{run => start} (81%)
 create mode 100755 dist/sgx/hsm/stop
 create mode 100644 dist/sgx/scripts/hsmsgx.service
 create mode 100755 dist/sgx/scripts/install_service
diff --git a/dist/sgx/hsm/run b/dist/sgx/hsm/start
similarity index 81%
rename from dist/sgx/hsm/run
rename to dist/sgx/hsm/start
index 44d972af..163454d0 100755
--- a/dist/sgx/hsm/run
+++ b/dist/sgx/hsm/start
@@ -4,6 +4,8 @@ BINDIR=$(realpath $(dirname $0))
 WORKDIR=$(realpath $BINDIR/..)
 DOCKER_IMAGE=powhsmsgx:runner
 
+source $BINDIR/.env
+
 QUIET=""
 echo -e "\e[96mBuilding docker image $DOCKER_IMAGE (this will take a few minutes)..."
 if [[ "$2" != "-v" ]]; then
@@ -16,10 +18,13 @@ echo
 DOCKER_CNT=powhsmsgx-runner
 DOCKER_USER="$(id -u):$(id -g)"
+HOSTNAME="SGX"
+NETWORK=${NETWORK:-net_sgx}
 PORT=7777
 DOCKER_PORT="$PORT:$PORT"
 
-docker run -ti --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
+docker run --rm --name $DOCKER_CNT --user $DOCKER_USER -v $WORKDIR:/hsm \
+ --hostname $HOSTNAME --network $NETWORK \
 --device=/dev/sgx_enclave:/dev/sgx_enclave \
 --device=/dev/sgx_provision:/dev/sgx_provision \
 -w /hsm -p$DOCKER_PORT $DOCKER_IMAGE \
diff --git a/dist/sgx/hsm/stop b/dist/sgx/hsm/stop
new file mode 100755
index 00000000..65d5355b
--- /dev/null
+++ b/dist/sgx/hsm/stop
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+DOCKER_CNT=powhsmsgx-runner
+docker stop $DOCKER_CNT
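Review bot: `source $BINDIR/.env` in the first hunk executes the file as shell code rather than reading a setting, the path is unquoted, and a missing `.env` only prints an error and carries on because nothing in the script sets `-e`. The single value consumed from it is `NETWORK`, which the second hunk already defaults with `${NETWORK:-net_sgx}`, so a guarded, quoted form is enough: `[[ -f "$BINDIR/.env" ]] && source "$BINDIR/.env"`. Note that install_service in this same patch appends to `.env` with `>>` on every run, so after a reinstall the file holds several `NETWORK=` lines and the last one wins; a comment next to the `source` line, `# .env is written by install_service; only NETWORK is expected here`, would make that contract explicit. The second hunk's final line is not visible in this chunk.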
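Review bot: `docker stop $DOCKER_CNT` returns non-zero when no container of that name exists, which is presumably the common case here because `start` runs the container with `--rm`, so the unit's ExecStop is likely to be reported as failed whenever the container has already exited on its own. Since the container may already be gone, tolerate that explicitly and quote the name: `docker stop "$DOCKER_CNT" 2>/dev/null || true  # container may already have exited (--rm)`. The container name is also duplicated between `start` and `stop`; keeping it in one place (for example the `.env` that `start` already sources) avoids the two drifting apart.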
diff --git a/dist/sgx/scripts/hsmsgx.service b/dist/sgx/scripts/hsmsgx.service
new file mode 100644
index 00000000..18c7f7e9
--- /dev/null
+++ b/dist/sgx/scripts/hsmsgx.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=SGX powHSM
+Wants=network.target
+After=syslog.target network-online.target docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+WorkingDirectory=$HSM_INSTALL_DIR
+User=hsm
+Group=hsm
+ExecStart=$HSM_INSTALL_DIR/bin/start
+ExecStop=$HSM_INSTALL_DIR/bin/stop
+Restart=on-failure
+RestartSec=10
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dist/sgx/scripts/install_service b/dist/sgx/scripts/install_service
new file mode 100755
index 00000000..47bfb7db
--- /dev/null
+++ b/dist/sgx/scripts/install_service
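Review bot: `After=network-online.target` in the `[Unit]` section is not paired with a `Wants=` on that target, so the ordering only takes effect if something else happens to pull `network-online.target` in; the preceding `Wants=network.target` should become `Wants=network-online.target`. `syslog.target` in the same `After=` line is obsolete on current systemd and can be dropped. The unit runs as `User=hsm`, which install_service in this patch adds to the docker group, i.e. an account with control over the Docker daemon; a comment above `User=hsm` such as `# hsm is a member of the docker group; treat this account as privileged` would keep that visible to whoever audits the host later. The `$HSM_INSTALL_DIR` placeholders are substituted by `createServiceUnit` in scripts/setup, which is worth a one-line comment at the top of the file so nobody installs the template unsubstituted.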
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Require superuser
+if ! [ "$(id -u)" == "0" ]; then
+ echo -e "\e[1;31mPlease run with sudo.\e[0m"
+ exit 1
+fi
+
+if [ -z "$1" ]; then
+ echo -e "\e[1;31mUsage: $0 \e[0m"
+ exit 1
+fi
+
+SERVICE_UNIT=$(realpath $1)
+if [ ! -f "$SERVICE_UNIT" ]; then
+ echo "\e[1;31mService file not found: $SERVICE_UNIT\e[0m"
+ exit 1
+fi
+
+# Extract the installation directory from the service file
+INSTALL_DIR=$(grep -oP 'WorkingDirectory=\K.*' $SERVICE_UNIT)
+if [ -z "$INSTALL_DIR" ]; then
+ echo -e "\e[1;31mCould not extract installation directory from service file.\e[0m"
+ exit 1
+fi
+
+echo -e "\e[1;32mCreating hsm user and group...\e[0m"
+if ! id -u hsm >/dev/null 2>&1; then
+ useradd -rm -s /bin/bash hsm || exit $?
+ usermod -aG docker hsm || exit $?
+else
+ echo -e "\e[1;33mUser 'hsm' already exists. Skipping user creation.\e[0m"
+fi
+
+DEFAULT_NETWORK="net_sgx"
+while true; do
+ echo -e "\e[1;32mEnter the name of the docker network to be created: [$DEFAULT_NETWORK]\e[0m"
+ read -p "> " NETWORK
+ if [ -z "$NETWORK" ]; then
+ NETWORK=$DEFAULT_NETWORK
+ fi
+ echo -e "\e[1;33mThe docker network will be named '$NETWORK'. Proceed? [Y/n]\e[0m"
+ read -p "> " proceed
+ if [[ "Y" == "$proceed" ]] || [[ "y" == "$proceed" ]] || [ -z "$proceed" ]; then
+ break
+ fi
+done
+
+echo -e "\e[1;32mCreating $NETWORK network...\e[0m"
+docker network rm $NETWORK 2> /dev/null
+docker network create $NETWORK &> /dev/null
+echo "NETWORK=$NETWORK" >> $INSTALL_DIR/.env || exit $?
+
+echo -e "\e[1;32mSetting permisions...\e[0m"
+chown -R root:hsm $INSTALL_DIR || exit $?
+chmod 664 $INSTALL_DIR/*.dat $INSTALL_DIR/.env || exit $?
+
+echo -e "\e[1;32mCreating service...\e[0m"
+cp $SERVICE_UNIT /etc/systemd/system/hsmsgx.service
+systemctl daemon-reload || exit $?
+echo -e "\e[1;32mEnabling service...\e[0m"
+systemctl enable hsmsgx.service || exit $?
+echo -e "\e[1;32mEStarting service...\e[0m"
+systemctl start hsmsgx.service || exit $?
+echo -e "\e[1;32mService started.\e[0m"
+echo -e "\e[1;32mTo check the status of the service, run 'systemctl status hsmsgx.service'.\e[0m"
+exit 0
diff --git a/dist/sgx/scripts/setup b/dist/sgx/scripts/setup
index b118e26f..2170614d 100755
--- a/dist/sgx/scripts/setup
+++ b/dist/sgx/scripts/setup
@@ -35,6 +35,12 @@ EXPORT_DIR="$ROOT_DIR/export"
 PUBLIC_KEY_FILE="$EXPORT_DIR/public-keys.txt"
 PUBLIC_KEY_FILE_JSON="$EXPORT_DIR/public-keys.json"
 
+# HSM scripts directory
+SCRIPTS_DIR=$ROOT_DIR/scripts
+
+# Directory where the finalized systemd service unit will be saved
+SERVICE_DIR=$ROOT_DIR/service
+
 function checkHsmBinaries() {
 # Check for HSM binary files
 FILES="$HSMBIN_DIR/hsmsgx $HSMBIN_DIR/hsmsgx_enclave.signed"
@@ -96,6 +102,15 @@ function selectInstallationDir() {
 done
 }
 
+function createServiceUnit() {
+ rm -rf $SERVICE_DIR
+ mkdir $SERVICE_DIR
+
+ cp $SCRIPTS_DIR/hsmsgx.service $SERVICE_DIR
+ # Replace the $HSM_INSTALL_DIR token in the script with the actual installation directory
+ sed -i "s|\$HSM_INSTALL_DIR|$INSTALL_DIR|g" $SERVICE_DIR/hsmsgx.service
+}
+
 function installPowHsm() {
 mkdir $REAL_INSTALL_DIR/bin
 cp -R $HSMBIN_DIR/* $REAL_INSTALL_DIR/bin
@@ -134,6 +149,7 @@ checkForPinFile
 checkHsmBinaries
 expandBinaries
 selectInstallationDir
+createServiceUnit
 echo
 echo -e "\e[1;32mInstalling the powHSM...\e[0m"
 installPowHsm
diff --git a/dist/sgx/setup-new-powhsm b/dist/sgx/setup-new-powhsm
index 1398782a..67dd81ba 100755
--- a/dist/sgx/setup-new-powhsm
+++ b/dist/sgx/setup-new-powhsm
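Review bot: The network name taken from `read -p "> " NETWORK` is written unvalidated into `$INSTALL_DIR/.env`, a file that `hsm/start` in this patch executes with `source`, and it is also passed unquoted to `docker network rm`/`create`; the prompt loop should reject anything that is not a plain Docker network name before it is accepted, e.g. `[[ "$NETWORK" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]] || { echo -e "\e[1;31mInvalid network name.\e[0m"; continue; }` right after the default is applied. `docker network rm $NETWORK 2> /dev/null` silently deletes any pre-existing network of that name, which the "to be created" prompt does not warn about, and `docker network create $NETWORK &> /dev/null` discards its error without an `|| exit $?`, so the service can be enabled against a network that was never created. `cp $SERVICE_UNIT /etc/systemd/system/hsmsgx.service` likewise lacks the `|| exit $?` that every neighbouring command has. Smaller points: the "Service file not found" message is the only `echo` without `-e` and will print the escape codes literally, both `read -p` calls should be `read -r -p`, and "permisions"/"EStarting" are typos in user-facing output.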
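Review bot: In `createServiceUnit`, `rm -rf $SERVICE_DIR` is unquoted and unguarded, so an empty or unset `SERVICE_DIR` would recurse from the current directory; write it as `rm -rf -- "${SERVICE_DIR:?}"`. The `sed -i "s|\$HSM_INSTALL_DIR|$INSTALL_DIR|g"` substitution breaks or mis-substitutes if the installation directory contains `|`, `&` or a backslash, which cannot be ruled out for a path that appears to be chosen interactively in `selectInstallationDir`; either escape those characters or reject such paths before this point. The hunk header shows both `INSTALL_DIR` and `REAL_INSTALL_DIR` in use, and the generated unit is consumed on the host by install_service, so a comment in the function stating which of the two is the host-side path (`# INSTALL_DIR must be the host path: the unit runs outside the container`) would prevent the wrong one being substituted later. The first and third hunks of this file are definitions and a call only.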
@@ -1,3 +1,21 @@
 #!/bin/bash
 
-$(dirname $0)/scripts/run_with_docker ./scripts/setup $1
+# Require superuser, since we need to install a service in the host
+if ! [ "$(id -u)" == "0" ]; then
+ echo -e "\e[1;32mPlease run with sudo.\e[0m"
+ exit 1
+fi
+
+ROOT_DIR=$(realpath $(dirname $0))
+$ROOT_DIR/scripts/run_with_docker ./scripts/setup $1
+if [ $? -ne 0 ]; then
+ echo -e "\e[1;31m Error during the powhsm setup, aborting \e[0m"
+ exit 1
+fi
+
+$ROOT_DIR/scripts/install_service $ROOT_DIR/service/hsmsgx.service
+if [ $? -ne 0 ]; then
+ echo -e "\e[1;31m Error during the powhsm service installation, aborting \e[0m"
+ exit 1
+fi
+echo -e "\e[1;32mHSM SGX setup done.\e[0m"
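Review bot: `$ROOT_DIR` and `$1` are expanded unquoted in the two `run_with_docker` and `install_service` invocations, and `ROOT_DIR=$(realpath $(dirname $0))` has the same problem, so a checkout path or argument containing whitespace breaks the script; quote them, e.g. `"$ROOT_DIR/scripts/run_with_docker" ./scripts/setup "$1"`. The separate `if [ $? -ne 0 ]` checks can be folded onto the command (`… || { echo -e "…"; exit 1; }`), which is the pattern install_service in this patch already uses with `|| exit $?`. The "Please run with sudo." message here is coloured green (`\e[1;32m`) while the identical message in install_service is red (`\e[1;31m`); one of them should follow the other.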