feat: add ic_tee_logtail to debug TEE service

Cargo.toml

@@ -4,6 +4,7 @@ members = [
   "src/ic_tee_cdk",
   "src/ic_tee_cli",
   "src/ic_tee_identity",
+  "src/ic_tee_logtail",
   "src/ic_tee_nitro_attestation",
   "src/ic_tee_nitro_gateway",
 ]

nitro_enclave/setup.sh

@@ -16,9 +16,11 @@ route -n
 
 # iptables rules to route traffic to transparent proxy
 iptables -A OUTPUT -t nat -p tcp --dport 1:65535 ! -d 127.0.0.1  -j DNAT --to-destination 127.0.0.1:1200
+# redirect all traffic to port 9999 to the transparent proxy, for log server
+iptables -A OUTPUT -t nat -p tcp --dport 9999 -j DNAT --to-destination 127.0.0.1:1200
 # replace the source address with 127.0.0.1 for outgoing packets with a source of 0.0.0.0
 # ensures returning packets have 127.0.0.1 as the destination and not 0.0.0.0
-iptables -t nat -A POSTROUTING -o lo -s 0.0.0.0 -j SNAT --to-source 127.0.0.1
+iptables -A POSTROUTING -t nat -o lo -s 0.0.0.0 -j SNAT --to-source 127.0.0.1
 iptables -L -t nat -v -n
 
 # your custom setup goes here

src/ic_tee_logtail/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "ic_tee_logtail"
+description = "A simple log tailing service for the TEE environment."
+publish = false
+repository = "https://github.com/ldclabs/ic-tee/tree/main/src/ic_tee_logtail"
+version.workspace = true
+edition.workspace = true
+keywords.workspace = true
+categories.workspace = true
+license.workspace = true
+
+[dependencies]
+candid = { workspace = true, features = ["value", "printer"] }
+serde_bytes = { workspace = true }
+tokio = { workspace = true }
+const-hex = { workspace = true }
+ic-agent = { workspace = true }
+ed25519-consensus = { workspace = true }
+ic_cose_types = { workspace = true }
+rand = { workspace = true }
+anyhow = "1"
+clap = { version = "=4.5", features = ["derive"] }
+pkcs8 = { version = "0.10", features = ["pem"] }
+ed25519 = { version = "2.2", features = ["pem", "pkcs8"] }
+ic_tee_cdk = { path = "../ic_tee_cdk", version = "0.1" }
+ic_tee_agent = { path = "../ic_tee_agent", version = "0.1" }
+ic_tee_nitro_attestation = { path = "../ic_tee_nitro_attestation", version = "0.1" }

src/ic_tee_logtail/README.md

@@ -0,0 +1,21 @@
+# `ic_tee_logtail`
+![License](https://img.shields.io/crates/l/ic_tee_logtail.svg)
+[![Crates.io](https://img.shields.io/crates/d/ic_tee_logtail.svg)](https://crates.io/crates/ic_tee_logtail)
+[![Test](https://github.com/ldclabs/ic-tee/actions/workflows/test.yml/badge.svg)](https://github.com/ldclabs/ic-tee/actions/workflows/test.yml)
+[![Latest Version](https://img.shields.io/crates/v/ic_tee_logtail.svg)](https://crates.io/crates/ic_tee_logtail)
+
+`ic_tee_logtail` is a simple log tailing service for the TEE environment..
+
+## Usage
+
+Install:
+```sh
+cargo install ic_tee_logtail
+# get help info
+ic_tee_logtail --help
+```
+
+## License
+Copyright © 2024 [LDC Labs](https://github.com/ldclabs).
+
+`ldclabs/ic-tee` is licensed under the MIT License. See [LICENSE](../../LICENSE-MIT) for the full license text.

src/ic_tee_logtail/src/main.rs

@@ -0,0 +1,28 @@
+use anyhow::Result;
+use clap::Parser;
+use tokio::{io, net::TcpListener};
+
+#[derive(Parser)]
+#[command(author, version, about, long_about = None)]
+pub struct Cli {
+    #[arg(long, default_value = "127.0.0.1:9999")]
+    ip_addr: String,
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    let cli = Cli::parse();
+    let listener = TcpListener::bind(&cli.ip_addr).await?;
+    println!("listening on {:?}", listener.local_addr()?);
+
+    loop {
+        match listener.accept().await {
+            Err(err) => println!("couldn't get client: {:?}", err),
+            Ok((mut stream, addr)) => {
+                println!("accept a client: {:?}", addr);
+                stream.readable().await?;
+                io::copy(&mut stream, &mut io::stdout()).await?;
+            }
+        }
+    }
+}

src/ic_tee_nitro_gateway/README.md

@@ -51,25 +51,25 @@ https://docs.aws.amazon.com/enclaves/latest/user/getting-started.html
 cargo install ic_tee_cli
 sudo nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/ic_tee_nitro_gateway_enclave_amd64:latest --output-file ic_tee_nitro_gateway_enclave_amd64.eif
 # Start building the Enclave Image...
+# Using the locally available Docker image...
 # Enclave Image successfully created.
 # {
 #   "Measurements": {
 #     "HashAlgorithm": "Sha384 { ... }",
-#     "PCR0": "57787b1892dfd26b137e14f3299912ccf8879ca81c29e6d4f6f346e10084c9c77f615ef0b3f8a77a56611d4652703260",
+#     "PCR0": "349166c4a015d98b39d6cd3c3a65a5c2ed11f4414687500dd0a7310f36b31d223d0f09662fa547d449e209bc3f2c15be",
 #     "PCR1": "4b4d5b3661b3efc12920900c80e126e4ce783c522de6c02a2a5bf7af3a2b9327b86776f188e4be1c1c404a129dbda493",
-#     "PCR2": "b00df67ad3f1a255bccaa9e9f43875a0763cc825e594fb7d14514a708e3b02d6816138d210a407704b5fae8f033d7ba3"
+#     "PCR2": "7584fed461361c6e8c4f56e426f46e610b86ce8eae1cc407f221adf8f5a9053f452eefa3fbae5256e0b17e91ecd4cb3f"
 #   }
 # }
-ic_tee_cli -c e7tgb-6aaaa-aaaap-akqfa-cai identity-derive --seed 57787b1892dfd26b137e14f3299912ccf8879ca81c29e6d4f6f346e10084c9c77f615ef0b3f8a77a56611d4652703260
-# principal: 7vzhl-hr6f5-oc2w5-u7ig6-ts7wz-6b7u6-xgmw5-ye65a-wn735-nexe5-oae
+ic_tee_cli -c e7tgb-6aaaa-aaaap-akqfa-cai identity-derive --seed 349166c4a015d98b39d6cd3c3a65a5c2ed11f4414687500dd0a7310f36b31d223d0f09662fa547d449e209bc3f2c15be
+# principal: ciar7-g7nzs-66aea-eu53p-vtwhv-7aoz2-hlmrv-dzhir-gkses-pbeem-pqe
 sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-path ic_tee_nitro_gateway_enclave_amd64.eif
-# --attach-console
 # Start allocating memory...
 # Started enclave with enclave-cid: 88, memory: 512 MiB, cpu-ids: [1, 3]
 # {
 #   "EnclaveName": "ic_tee_nitro_gateway_enclave_amd64",
-#   "EnclaveID": "i-056e1ab9a31cd77a0-enc192fa599ed1cf5f",
-#   "ProcessID": 3377,
+#   "EnclaveID": "i-056e1ab9a31cd77a0-enc192fc732d6e4e41",
+#   "ProcessID": 14424,
 #   "EnclaveCID": 88,
 #   "NumberOfCPUs": 2,
 #   "CPUIDs": [
@@ -79,7 +79,7 @@ sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-pat
 #   "MemoryMiB": 512
 # }
 sudo nitro-cli describe-enclaves
-sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc192fa599ed1cf5f
+sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc192fc732d6e4e41
 ```
 
 

src/ic_tee_nitro_gateway/src/main.rs

@@ -13,7 +13,7 @@ use ic_tee_cdk::{to_cbor_bytes, AttestationUserRequest, SignInParams, TEEAppInfo
 use ic_tee_nitro_attestation::{parse_and_verify, AttestationRequest};
 use std::{net::SocketAddr, sync::Arc, time::Duration};
 use structured_logger::{async_json::new_writer, get_env_level, unix_ms, Builder};
-use tokio::signal;
+use tokio::{net::TcpStream, signal};
 use tokio_util::sync::CancellationToken;
 
 mod attestation;
@@ -63,11 +63,30 @@ struct Cli {
 
 #[tokio::main]
 async fn main() -> Result<()> {
-    let cli = Cli::parse();
-    Builder::with_level(&get_env_level().to_string())
-        .with_target_writer("*", new_writer(tokio::io::stdout()))
-        .init();
+    match TcpStream::connect("127.0.0.1:9999").await {
+        Ok(stream) => {
+            Builder::with_level(&get_env_level().to_string())
+                .with_target_writer("*", new_writer(stream))
+                .init();
+        }
+        Err(_) => {
+            Builder::with_level(&get_env_level().to_string())
+                .with_target_writer("*", new_writer(tokio::io::stdout()))
+                .init();
+        }
+    };
 
+    match serve().await {
+        Ok(_) => Ok(()),
+        Err(err) => {
+            log::error!(target: "server", "server error: {:?}", err);
+            Err(err)
+        }
+    }
+}
+
+async fn serve() -> Result<()> {
+    let cli = Cli::parse();
     let authentication_canister = Principal::from_text(cli.authentication_canister)
         .map_err(|err| anyhow::anyhow!("invalid authentication_canister id: {}", err))?;
     let configuration_canister = Principal::from_text(cli.configuration_canister)