华为云服务器Linux系统上QingTian Enclave应用的开发_云淘科技
QingTian Enclave SDK
QingTian Enclave SDK由一系列开源库组成,以便您开发自己的QingTian Enclave应用程序。其中包括QingTian安全模块(QingTian Security Module,QTSM)提供的qtsm-lib函数库。此外,SDK集成了KMS接口,该接口内置了获取证明文档及调用华为云KMS相关服务的功能。在典型使用案例里,我们描述了在QingTian Enclave调用KMS解密接口的实例。
|
类型 |
接口 |
接口描述 |
|---|---|---|
|
libqtsm接口 |
qtsm_describe_pcr |
查询指定index的PCR数据信息 |
|
qtsm_extend_pcr |
扩展指定index对应的PCR值 |
|
|
qtsm_lock_pcr |
锁定指定index的PCR数据信息 |
|
|
qtsm_lock_pcrs |
批量锁定指定index对应的PCR值 |
|
|
qtsm_get_describe |
获取qtsm信息 |
|
|
qtsm_get_attestation |
获取Attestation Doc |
|
|
qtsm_get_random |
获取硬件随机数 |
|
|
KMS接口 |
kms_generate_datakey_blocking |
生成新的密钥对,获取公钥与私钥 |
|
kms_generate_datakey_blocking_with_proxy |
集成qtproxy代理的密钥对获取接口 |
|
|
kms_gen_random_blocking |
获取随机数 |
|
|
kms_gen_random_blocking_with_proxy |
集成qtproxy代理的随机数获取接口 |
|
|
kms_decrypt_data_blocking |
解密数据 |
|
|
kms_decrypt_data_blocking_with_proxy |
集成qtproxy代理的解密数据接口 |
源码可以在开源仓库https://gitee.com/HuaweiCloudDeveloper/huawei-qingtian/tree/master/enclave免费获取,您可以基于测试示例开发自己的QingTian Enclave应用程序。
Vsock通信实例
本节主要通过vsock示例来介绍如何在Linux环境下开发QingTian Enclave应用程序。本节中提供的vsock程序只支持在Linux环境下运行。
通过该vsock程序,可以帮助开发者了解到父虚拟机和QingTian Enclave间如何进行消息传递从而实现双方交互。该vsock程序带有Server和Client参数,通过指定该参数可以指定父虚拟机或者QingTian Enclave虚拟机扮演相应角色。在该vsock程序中,客户端程序会发送一段简单的文本信息通过vsock通道传递给服务端程序,同时服务端程序会监听相应的vsock通道,一旦收到来自客户端的消息后,会将其收到的消息打印在终端界面上。
在下面介绍中,我们将说明如何让QingTian Enclave扮演服务端等待并接收来自客户端父虚拟机的hello world信息:
编写一个SocketCommunication.py程序:
#!/usr/local/env python3
import argparse
import socket
import sys
CID_DEFAULT = 3
PORT_DEFAULT = 9999
TIMEOUT = 5
BLACKLOG_DEFAULT = 5
class Client:
def __init__(self, cid, port):
self.clientAddr = (cid, port)
self.connect()
def connect(self):
self.socket = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
self.socket.settimeout(TIMEOUT)
print("connecting to the server")
try:
self.socket.connect(self.clientAddr)
except socket.error:
print("client's socket connection err")
sys.exit(1)
def send(self, msg):
print("client sends hello to the server")
self.socket.sendall(msg)
def disconnect(self):
self.socket.close()
def receiveData(self):
while True:
try:
message = self.socket.recv().decode()
except (socket.error, UnicodeDecodeError):
break
if message:
print(message, end = " ", flush = True)
print()
def clientHandler(args):
client = Client(args.cid, args.port)
message = "Hello world"
client.send(message.encode())
client.disconnect()
class Server:
def __init__(self, port):
self.socket = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
self.serverAddr = (socket.VMADDR_CID_ANY, port)
self.socket.bind(self.serverAddr)
self.socket.listen(BLACKLOG_DEFAULT)
def receiveData(self):
while True:
print("waiting for a connection")
(conn, clientAddr) = self.socket.accept()
try:
print("connection from ", clientAddr)
while True:
try:
data = conn.recv(256).decode()
except (socket.error, UnicodeDecodeError):
break
if data:
print("data: ", data)
else:
print("connection close")
break
finally:
conn.close()
def serverHandler(args):
server = Server(args.port)
server.receiveData()
def main():
parser = argparse.ArgumentParser(description = "Hello world demo", prog='SocketCommunication')
subparsers = parser.add_subparsers(description = "Communication roles")
parserClient = subparsers.add_parser("Client", description = "Client",
help = "Communicate with server using a given cid and port.")
parserClient.add_argument("-c", "--cid", default = CID_DEFAULT, type = int, help = "Client's Cid")
parserClient.add_argument("-p", "--port", default = PORT_DEFAULT, type = int, help = "Client's port")
parserClient.set_defaults(func = clientHandler)
parserServer = subparsers.add_parser("Server", description = "Server", help = "Listen on a given port")
parserServer.add_argument("-p", "--port", default = PORT_DEFAULT, type = int, help = "Server's Port")
parserServer.set_defaults(func = serverHandler)
if len(sys.argv) < 2:
parser.print_usage()
sys.exit(1)
args = parser.parse_args()
args.func(args)
if __name__ == "__main__":
main()
创建一个Dockerfile文件,内容如下:
#start the Docker image from ubuntu
FROM ubuntu AS base-img
WORKDIR /home/builder
# COPY vsocket example
COPY . vsocket
# install relative dependencies
RUN apt-get update && \
apt-get install python3 -y && \
apt-get install gcc -y && \
apt-get install gawk -y
# Launch a client
CMD ["python3", "/home/builder/vsocket/SocketCommunication.py","Server","-p 9999"]
构建docker镜像:
sudo docker build -t vsock-sample-client -f Dockerfile .
将docker镜像转化为QingTian Enclave镜像:
qt enclave make-img --docker-uri vsock-sample-client --eif vsock_sample.eif
使用vsock_sample.eif以debug模式启动QingTian Enclave:
qt enclave start --cpus 2 --mem 4096 --eif vsock_sample.eif --debug-mode --cid 4
然后使用qt enclave console命令查看QingTian Enclave内只读终端输出:
qt enclave console --enclave-id 0 waiting for a connection
然后另起一个父虚拟机终端,启动客户端程序:
Python3 SocketCommunication.py Client -c 4 -p 9999
当服务端程序收到来着vsock的消息后,会打印如下消息到终端上:
connection from (3, 4180219645) data: Hello world connection close waiting for a connection
libqtsm与SDK使用示例
本节主要基于开源示例代码来介绍如何在QingTian Enclave应用程序中使用libqtsm与SDK接口。本节中提供的示例程序只支持在Linux环境下运行。
安装libqtsm开发包:
yum install libqtsm-devel
获取开源示例代码,拷贝至enclave镜像创建环境中,地址如下:
https://gitee.com/HuaweiCloudDeveloper/huawei-qingtian/tree/master/enclave/qtsm
创建一个Dockerfile文件,内容如下:
# start the Docker image from ubuntu
FROM ubuntu AS base-img
WORKDIR /home/builder
# COPY libqtsm example
COPY ./qtsm qtsm_tests/
# install relative dependencies
RUN apt-get update && \
apt-get install gcc -y && \
apt-get install make -y && \
apt-get install libssl-dev -y && \
apt-get install libglib2.0-dev -y && \
apt-get install curl -y && \
apt-get install libcurl4-openssl-dev –y && \
apt-get install -y libcbor-dev && \
apt-get install -y libjson-c-dev
# build a test demo
RUN cd qtsm_tests/tests/ && \
make
RUN cp /home/builder/qtsm_tests/tests/gtest_libqtsm /root/
# Launch a client
CMD "/root/gtest_libqtsm"
构建docker镜像,将docker镜像装换为enclave镜像并启动enclave。
获取SDK接口的开源示例代码,地址如下:
https://gitee.com/HuaweiCloudDeveloper/huawei-qingtian/tree/master/enclave/qtsm-sdk-c/samples
父主题: QingTian Enclave应用开发
内容没看懂? 不太想学习?想快速解决? 有偿解决: 联系专家
