diff --git a/Cargo.lock b/Cargo.lock index 12940fc..1f056af 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1687,6 +1687,27 @@ dependencies = [ "serde_bytes", ] +[[package]] +name = "ic_tee_logtail" +version = "0.1.1" +dependencies = [ + "anyhow", + "candid", + "clap", + "const-hex", + "ed25519", + "ed25519-consensus", + "ic-agent", + "ic_cose_types", + "ic_tee_agent", + "ic_tee_cdk", + "ic_tee_nitro_attestation", + "pkcs8", + "rand", + "serde_bytes", + "tokio", +] + [[package]] name = "ic_tee_nitro_attestation" version = "0.1.1" diff --git a/Cargo.toml b/Cargo.toml index 37edb15..2d9ec30 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -4,6 +4,7 @@ members = [ "src/ic_tee_cdk", "src/ic_tee_cli", "src/ic_tee_identity", + "src/ic_tee_logtail", "src/ic_tee_nitro_attestation", "src/ic_tee_nitro_gateway", ] diff --git a/nitro_enclave/setup.sh b/nitro_enclave/setup.sh index 7534a01..773f7fb 100644 --- a/nitro_enclave/setup.sh +++ b/nitro_enclave/setup.sh @@ -16,9 +16,11 @@ route -n # iptables rules to route traffic to transparent proxy iptables -A OUTPUT -t nat -p tcp --dport 1:65535 ! -d 127.0.0.1 -j DNAT --to-destination 127.0.0.1:1200 +# redirect all traffic to port 9999 to the transparent proxy, for log server +iptables -A OUTPUT -t nat -p tcp --dport 9999 -j DNAT --to-destination 127.0.0.1:1200 # replace the source address with 127.0.0.1 for outgoing packets with a source of 0.0.0.0 # ensures returning packets have 127.0.0.1 as the destination and not 0.0.0.0 -iptables -t nat -A POSTROUTING -o lo -s 0.0.0.0 -j SNAT --to-source 127.0.0.1 +iptables -A POSTROUTING -t nat -o lo -s 0.0.0.0 -j SNAT --to-source 127.0.0.1 iptables -L -t nat -v -n # your custom setup goes here diff --git a/src/ic_tee_logtail/Cargo.toml b/src/ic_tee_logtail/Cargo.toml new file mode 100644 index 0000000..39834f4 --- /dev/null +++ b/src/ic_tee_logtail/Cargo.toml @@ -0,0 +1,27 @@ +[package] +name = "ic_tee_logtail" +description = "A simple log tailing service for the TEE environment." +publish = false +repository = "https://github.com/ldclabs/ic-tee/tree/main/src/ic_tee_logtail" +version.workspace = true +edition.workspace = true +keywords.workspace = true +categories.workspace = true +license.workspace = true + +[dependencies] +candid = { workspace = true, features = ["value", "printer"] } +serde_bytes = { workspace = true } +tokio = { workspace = true } +const-hex = { workspace = true } +ic-agent = { workspace = true } +ed25519-consensus = { workspace = true } +ic_cose_types = { workspace = true } +rand = { workspace = true } +anyhow = "1" +clap = { version = "=4.5", features = ["derive"] } +pkcs8 = { version = "0.10", features = ["pem"] } +ed25519 = { version = "2.2", features = ["pem", "pkcs8"] } +ic_tee_cdk = { path = "../ic_tee_cdk", version = "0.1" } +ic_tee_agent = { path = "../ic_tee_agent", version = "0.1" } +ic_tee_nitro_attestation = { path = "../ic_tee_nitro_attestation", version = "0.1" } diff --git a/src/ic_tee_logtail/README.md b/src/ic_tee_logtail/README.md new file mode 100644 index 0000000..d172afc --- /dev/null +++ b/src/ic_tee_logtail/README.md @@ -0,0 +1,21 @@ +# `ic_tee_logtail` +![License](https://img.shields.io/crates/l/ic_tee_logtail.svg) +[![Crates.io](https://img.shields.io/crates/d/ic_tee_logtail.svg)](https://crates.io/crates/ic_tee_logtail) +[![Test](https://github.com/ldclabs/ic-tee/actions/workflows/test.yml/badge.svg)](https://github.com/ldclabs/ic-tee/actions/workflows/test.yml) +[![Latest Version](https://img.shields.io/crates/v/ic_tee_logtail.svg)](https://crates.io/crates/ic_tee_logtail) + +`ic_tee_logtail` is a simple log tailing service for the TEE environment.. + +## Usage + +Install: +```sh +cargo install ic_tee_logtail +# get help info +ic_tee_logtail --help +``` + +## License +Copyright © 2024 [LDC Labs](https://github.com/ldclabs). + +`ldclabs/ic-tee` is licensed under the MIT License. See [LICENSE](../../LICENSE-MIT) for the full license text. \ No newline at end of file diff --git a/src/ic_tee_logtail/src/main.rs b/src/ic_tee_logtail/src/main.rs new file mode 100644 index 0000000..c46aa7c --- /dev/null +++ b/src/ic_tee_logtail/src/main.rs @@ -0,0 +1,28 @@ +use anyhow::Result; +use clap::Parser; +use tokio::{io, net::TcpListener}; + +#[derive(Parser)] +#[command(author, version, about, long_about = None)] +pub struct Cli { + #[arg(long, default_value = "127.0.0.1:9999")] + ip_addr: String, +} + +#[tokio::main] +async fn main() -> Result<()> { + let cli = Cli::parse(); + let listener = TcpListener::bind(&cli.ip_addr).await?; + println!("listening on {:?}", listener.local_addr()?); + + loop { + match listener.accept().await { + Err(err) => println!("couldn't get client: {:?}", err), + Ok((mut stream, addr)) => { + println!("accept a client: {:?}", addr); + stream.readable().await?; + io::copy(&mut stream, &mut io::stdout()).await?; + } + } + } +} diff --git a/src/ic_tee_nitro_gateway/README.md b/src/ic_tee_nitro_gateway/README.md index 5160ebc..35d6fbf 100644 --- a/src/ic_tee_nitro_gateway/README.md +++ b/src/ic_tee_nitro_gateway/README.md @@ -51,25 +51,25 @@ https://docs.aws.amazon.com/enclaves/latest/user/getting-started.html cargo install ic_tee_cli sudo nitro-cli build-enclave --docker-uri ghcr.io/ldclabs/ic_tee_nitro_gateway_enclave_amd64:latest --output-file ic_tee_nitro_gateway_enclave_amd64.eif # Start building the Enclave Image... +# Using the locally available Docker image... # Enclave Image successfully created. # { # "Measurements": { # "HashAlgorithm": "Sha384 { ... }", -# "PCR0": "57787b1892dfd26b137e14f3299912ccf8879ca81c29e6d4f6f346e10084c9c77f615ef0b3f8a77a56611d4652703260", +# "PCR0": "349166c4a015d98b39d6cd3c3a65a5c2ed11f4414687500dd0a7310f36b31d223d0f09662fa547d449e209bc3f2c15be", # "PCR1": "4b4d5b3661b3efc12920900c80e126e4ce783c522de6c02a2a5bf7af3a2b9327b86776f188e4be1c1c404a129dbda493", -# "PCR2": "b00df67ad3f1a255bccaa9e9f43875a0763cc825e594fb7d14514a708e3b02d6816138d210a407704b5fae8f033d7ba3" +# "PCR2": "7584fed461361c6e8c4f56e426f46e610b86ce8eae1cc407f221adf8f5a9053f452eefa3fbae5256e0b17e91ecd4cb3f" # } # } -ic_tee_cli -c e7tgb-6aaaa-aaaap-akqfa-cai identity-derive --seed 57787b1892dfd26b137e14f3299912ccf8879ca81c29e6d4f6f346e10084c9c77f615ef0b3f8a77a56611d4652703260 -# principal: 7vzhl-hr6f5-oc2w5-u7ig6-ts7wz-6b7u6-xgmw5-ye65a-wn735-nexe5-oae +ic_tee_cli -c e7tgb-6aaaa-aaaap-akqfa-cai identity-derive --seed 349166c4a015d98b39d6cd3c3a65a5c2ed11f4414687500dd0a7310f36b31d223d0f09662fa547d449e209bc3f2c15be +# principal: ciar7-g7nzs-66aea-eu53p-vtwhv-7aoz2-hlmrv-dzhir-gkses-pbeem-pqe sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-path ic_tee_nitro_gateway_enclave_amd64.eif -# --attach-console # Start allocating memory... # Started enclave with enclave-cid: 88, memory: 512 MiB, cpu-ids: [1, 3] # { # "EnclaveName": "ic_tee_nitro_gateway_enclave_amd64", -# "EnclaveID": "i-056e1ab9a31cd77a0-enc192fa599ed1cf5f", -# "ProcessID": 3377, +# "EnclaveID": "i-056e1ab9a31cd77a0-enc192fc732d6e4e41", +# "ProcessID": 14424, # "EnclaveCID": 88, # "NumberOfCPUs": 2, # "CPUIDs": [ @@ -79,7 +79,7 @@ sudo nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 88 --eif-pat # "MemoryMiB": 512 # } sudo nitro-cli describe-enclaves -sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc192fa599ed1cf5f +sudo nitro-cli terminate-enclave --enclave-id i-056e1ab9a31cd77a0-enc192fc732d6e4e41 ``` diff --git a/src/ic_tee_nitro_gateway/src/main.rs b/src/ic_tee_nitro_gateway/src/main.rs index c448fe7..5312c7d 100644 --- a/src/ic_tee_nitro_gateway/src/main.rs +++ b/src/ic_tee_nitro_gateway/src/main.rs @@ -13,7 +13,7 @@ use ic_tee_cdk::{to_cbor_bytes, AttestationUserRequest, SignInParams, TEEAppInfo use ic_tee_nitro_attestation::{parse_and_verify, AttestationRequest}; use std::{net::SocketAddr, sync::Arc, time::Duration}; use structured_logger::{async_json::new_writer, get_env_level, unix_ms, Builder}; -use tokio::signal; +use tokio::{net::TcpStream, signal}; use tokio_util::sync::CancellationToken; mod attestation; @@ -63,11 +63,30 @@ struct Cli { #[tokio::main] async fn main() -> Result<()> { - let cli = Cli::parse(); - Builder::with_level(&get_env_level().to_string()) - .with_target_writer("*", new_writer(tokio::io::stdout())) - .init(); + match TcpStream::connect("127.0.0.1:9999").await { + Ok(stream) => { + Builder::with_level(&get_env_level().to_string()) + .with_target_writer("*", new_writer(stream)) + .init(); + } + Err(_) => { + Builder::with_level(&get_env_level().to_string()) + .with_target_writer("*", new_writer(tokio::io::stdout())) + .init(); + } + }; + match serve().await { + Ok(_) => Ok(()), + Err(err) => { + log::error!(target: "server", "server error: {:?}", err); + Err(err) + } + } +} + +async fn serve() -> Result<()> { + let cli = Cli::parse(); let authentication_canister = Principal::from_text(cli.authentication_canister) .map_err(|err| anyhow::anyhow!("invalid authentication_canister id: {}", err))?; let configuration_canister = Principal::from_text(cli.configuration_canister)