Merge pull request #5496 from oasisprotocol/ptrus/feature/aesmd-docke…

…r-pcs

docker/aesmd: Build epid and pcs versions of the AESMD docker image

.changelog/5496.feature.md

@@ -0,0 +1 @@
+Build EPID and DCAP versions of the AESMD docker image

.github/workflows/docker.yml

@@ -100,15 +100,31 @@ jobs:
             org.opencontainers.image.created=${{ steps.determine_tag.outputs.created }}
             org.opencontainers.image.revision=${{ github.sha }}
 
-      - name: "Rebuild ghcr.io/oasisprotocol/aesmd:${{ steps.determine_tag.outputs.tag }}"
+      - name: "Rebuild ghcr.io/oasisprotocol/aesmd-dcap:${{ steps.determine_tag.outputs.tag }}"
         uses: docker/build-push-action@v4
         with:
           context: docker/aesmd
           file: docker/aesmd/Dockerfile
-          tags: ghcr.io/oasisprotocol/aesmd:${{ steps.determine_tag.outputs.tag }}
+          tags: ghcr.io/oasisprotocol/aesmd-dcap:${{ steps.determine_tag.outputs.tag }}
           pull: true
           push: true
           provenance: false
+          build-args: MODE=dcap
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.determine_tag.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+      - name: "Rebuild ghcr.io/oasisprotocol/aesmd-epid:${{ steps.determine_tag.outputs.tag }}"
+        uses: docker/build-push-action@v4
+        with:
+          context: docker/aesmd
+          file: docker/aesmd/Dockerfile
+          tags: ghcr.io/oasisprotocol/aesmd-epid:${{ steps.determine_tag.outputs.tag }}
+          pull: true
+          push: true
+          provenance: false
+          build-args: MODE=epid
           labels: |
             org.opencontainers.image.source=${{ github.event.repository.html_url }}
             org.opencontainers.image.created=${{ steps.determine_tag.outputs.created }}
@@ -136,12 +152,23 @@ jobs:
           prune-untagged: true
           prune-tags-regexes: ^pr-
 
-      - name: Prune old ghcr.io/oasisprotocol/aesmd images
+      - name: Prune old ghcr.io/oasisprotocol/aesmd-dcap images
+        uses: vlaurin/action-ghcr-prune@v0.5.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: aesmd-dcap
+          keep-younger-than: 7 # days
+          keep-last: 2
+          prune-untagged: true
+          prune-tags-regexes: ^pr-
+
+      - name: Prune old ghcr.io/oasisprotocol/aesmd-epid images
         uses: vlaurin/action-ghcr-prune@v0.5.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           organization: oasisprotocol
-          container: aesmd
+          container: aesmd-epid
           keep-younger-than: 7 # days
           keep-last: 2
           prune-untagged: true

docker/aesmd/Dockerfile

@@ -1,13 +1,23 @@
 FROM ubuntu:22.04
 
+ARG MODE=dcap
+
 ARG DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update -qq && apt-get install -qq curl lsb-release gpg
 
 ADD intel-sgx-deb.asc /etc/apt/trusted.gpg.d
 
-RUN echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" > /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin
+RUN echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" > /etc/apt/sources.list.d/intel-sgx.list
+
+RUN if [ "$MODE" = "dcap" ] ; then \
+        apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-ecdsa-plugin libsgx-aesm-quote-ex-plugin libsgx-dcap-default-qpl && \
+        sed -i 's|"pccs_url": ".*"|"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"|' /etc/sgx_default_qcnl.conf; \
+    elif [ "$MODE" = "epid" ]; then \
+        apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin; \
+    else \
+        echo "Invalid mode: $MODE" && exit 1; \
+    fi
 
 ENV AESM_PATH=/opt/intel/sgx-aesm-service/aesm
 ENV LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm