This is the repository for the Docker container used for developing Veracruz. Veracruz is an open-source runtime for collaborative privacy-preserving compute. The main Veracruz repository can be found here.
Veracruz is an adopted project of the Confidential Compute Consortium (CCC).
- AWS Nitro Enclaves
- Linux (no TEE technology used)
- Docker: We use Docker to provide a consistent build environment. Follow this guide to install Docker if necessary.
- Enable Docker squash experimental feature: The tests are done on a linux machine. To enable docker experimental features on another OS.
We use the
squash
docker experimental feature to help reduce the Veracruz docker image size, to enable this feature:- run:
sudo service docker stop
- copy the following in
/etc/docker/daemon.json
{ "experimental": true }
- run:
sudo service docker start
- run:
Once all the necessary requirements are available, run the following commands:
-
Clone the Veracruz repository: This will pull the docker submodule
git clone --recursive https://github.com/veracruz-project/veracruz.git export VERACRUZ_ROOT=$PWD/veracruz
-
Once you have a local copy of the Veracruz source:
cd veracruz/docker
The following instructions depend on the platform you're building for. (SGX, Arm TZ)
Note that building the Docker image will take a long time (we appreciate any suggestions on how this can be sped up!)
-
make nitro-base
-
make linux-base
-
For AWS Nitro Enclaves:
make nitro-run
Or, for Linux:
make linux-run
There should be a Docker container running called "veracruz__". To verify that it's running, run:
docker ps
You can now start a shell in the newly created container: For Nitro:
make nitro-exec
For Linux:
make linux-exec
Once inside the container, set up your local environment.
Now, to build the binaries:
cd workspaces/
make nitro
and to run the tests:
cd workspaces/nitro-host/
make test-server
make veracruz-test
Once inside the container, build the binaries:
cd workspaces/
make linux
and to run the tests:
cd workspaces/linux-host/
make test-server
make veracruz-test
The Veracruz Makefile exposes a build target, clean
, which recursively
invokes cargo clean
for each major subcomponent of the project. However,
sometimes this is not enough to fix a broken build environment (note that this
is common when using xargo
to build e.g. the examples, or the rest of the
SDK). In that case, it is useful to also delete the contents of the
~/.xargo
directory, in addition to the standard clean build process described
above.
Cryptographic certificates can be generated by using the following openssl
invocation:
openssl req -new -x509 -key <key filename> -sha256 -nodes -days 3650 -out <certificate filename> -config cert.conf