32 changes: 11 additions & 21 deletions src/main/java/com/iexec/worker/compute/app/AppComputeService.java
Expand Up @@ -23,12 +23,10 @@
import com.iexec.commons.containers.DockerRunFinalStatus;
import com.iexec.commons.containers.DockerRunRequest;
import com.iexec.commons.containers.DockerRunResponse;
import com.iexec.commons.containers.SgxDriverMode;
import com.iexec.commons.poco.task.TaskDescription;
import com.iexec.worker.config.WorkerConfigurationService;
import com.iexec.worker.docker.DockerService;
import com.iexec.worker.metric.ComputeDurationsService;
import com.iexec.worker.sgx.SgxService;
import com.iexec.worker.tee.TeeService;
import com.iexec.worker.tee.TeeServicesManager;
import com.iexec.worker.workflow.WorkflowError;
Expand All @@ -44,19 +42,15 @@ public class AppComputeService {
private final WorkerConfigurationService workerConfigService;
private final DockerService dockerService;
private final TeeServicesManager teeServicesManager;
private final SgxService sgxService;
private final ComputeDurationsService appComputeDurationsService;

public AppComputeService(
WorkerConfigurationService workerConfigService,
DockerService dockerService,
TeeServicesManager teeServicesManager,
SgxService sgxService,
ComputeDurationsService appComputeDurationsService) {
public AppComputeService(final WorkerConfigurationService workerConfigService,
final DockerService dockerService,
final TeeServicesManager teeServicesManager,
final ComputeDurationsService appComputeDurationsService) {
this.workerConfigService = workerConfigService;
this.dockerService = dockerService;
this.teeServicesManager = teeServicesManager;
this.sgxService = sgxService;
this.appComputeDurationsService = appComputeDurationsService;
}

Expand All @@ -67,25 +61,22 @@ public AppComputeResponse runCompute(final TaskDescription taskDescription) {
binds.add(Bind.parse(dockerService.getInputBind(chainTaskId)));
binds.add(Bind.parse(dockerService.getIexecOutBind(chainTaskId)));

final SgxDriverMode sgxDriverMode;
final List<String> env;
final HostConfig hostConfig;
if (taskDescription.requiresSgx()) {
final TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
env = teeService.buildComputeDockerEnv(taskDescription);
binds.addAll(teeService.getAdditionalBindings().stream().map(Bind::parse).toList());
sgxDriverMode = sgxService.getSgxDriverMode();
hostConfig = HostConfig.newHostConfig()
.withBinds(binds)
.withDevices(teeService.getDevices())
.withNetworkMode(workerConfigService.getDockerNetworkName());
} else {
env = IexecEnvUtils.getComputeStageEnvList(taskDescription);
sgxDriverMode = SgxDriverMode.NONE;
hostConfig = HostConfig.newHostConfig()
.withBinds(binds);
}

final HostConfig hostConfig = HostConfig.newHostConfig()
.withBinds(binds)
.withDevices(sgxService.getSgxDevices());
// Enclave should be able to connect to the LAS
if (taskDescription.requiresSgx()) {
hostConfig.withNetworkMode(workerConfigService.getDockerNetworkName());
}
final DockerRunRequest runRequest = DockerRunRequest.builder()
.hostConfig(hostConfig)
.chainTaskId(chainTaskId)
Expand All @@ -94,7 +85,6 @@ public AppComputeResponse runCompute(final TaskDescription taskDescription) {
.cmd(taskDescription.getDealParams().getIexecArgs())
.env(env)
.maxExecutionTime(taskDescription.getMaxExecutionTime())
.sgxDriverMode(sgxDriverMode)
.build();
final DockerRunResponse dockerResponse = dockerService.run(runRequest);
final Duration executionDuration = dockerResponse.getExecutionDuration();
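Review bot: In the TEE branch of runCompute (`if (taskDescription.requiresSgx())`), the container gets both `teeService.getDevices()` and the worker Docker network, but the explanation that sat next to the network setting (`// Enclave should be able to connect to the LAS`) appears to have been dropped with the old block. I would restore it above `.withNetworkMode(workerConfigService.getDockerNetworkName())`, since it is the only record of why an application container is attached to the worker network. The `else` branch now builds its HostConfig from binds only, whereas the earlier block visible here called `withDevices(sgxService.getSgxDevices())` for every task. A unit test asserting that `hostConfig.getDevices()` is unset when `requiresSgx()` is false would keep that narrower device exposure from regressing. runCompute starts and ends outside this hunk.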
44 changes: 17 additions & 27 deletions src/main/java/com/iexec/worker/compute/post/PostComputeService.java
Expand Up @@ -26,15 +26,13 @@
import com.iexec.commons.containers.DockerRunRequest;
import com.iexec.commons.containers.DockerRunResponse;
import com.iexec.commons.poco.task.TaskDescription;
import com.iexec.sms.api.TeeSessionGenerationResponse;
import com.iexec.sms.api.config.TeeAppProperties;
import com.iexec.sms.api.config.TeeServicesProperties;
import com.iexec.worker.compute.ComputeExitCauseService;
import com.iexec.worker.compute.ComputeStage;
import com.iexec.worker.config.WorkerConfigurationService;
import com.iexec.worker.docker.DockerService;
import com.iexec.worker.metric.ComputeDurationsService;
import com.iexec.worker.sgx.SgxService;
import com.iexec.worker.tee.TeeService;
import com.iexec.worker.tee.TeeServicesManager;
import com.iexec.worker.tee.TeeServicesPropertiesService;
Expand All @@ -47,7 +45,6 @@
import java.nio.file.attribute.BasicFileAttributes;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
Expand All @@ -61,23 +58,19 @@ public class PostComputeService {
private final WorkerConfigurationService workerConfigService;
private final DockerService dockerService;
private final TeeServicesManager teeServicesManager;
private final SgxService sgxService;
private final ComputeExitCauseService computeExitCauseService;
private final TeeServicesPropertiesService teeServicesPropertiesService;
private final ComputeDurationsService postComputeDurationsService;

public PostComputeService(
WorkerConfigurationService workerConfigService,
DockerService dockerService,
TeeServicesManager teeServicesManager,
SgxService sgxService,
ComputeExitCauseService computeExitCauseService,
TeeServicesPropertiesService teeServicesPropertiesService,
ComputeDurationsService postComputeDurationsService) {
public PostComputeService(final WorkerConfigurationService workerConfigService,
final DockerService dockerService,
final TeeServicesManager teeServicesManager,
final ComputeExitCauseService computeExitCauseService,
final TeeServicesPropertiesService teeServicesPropertiesService,
final ComputeDurationsService postComputeDurationsService) {
this.workerConfigService = workerConfigService;
this.dockerService = dockerService;
this.teeServicesManager = teeServicesManager;
this.sgxService = sgxService;
this.computeExitCauseService = computeExitCauseService;
this.teeServicesPropertiesService = teeServicesPropertiesService;
this.postComputeDurationsService = postComputeDurationsService;
Expand Down Expand Up @@ -162,45 +155,42 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
}

public PostComputeResponse runTeePostCompute(final TaskDescription taskDescription) {
String chainTaskId = taskDescription.getChainTaskId();
final String chainTaskId = taskDescription.getChainTaskId();

TeeServicesProperties properties =
teeServicesPropertiesService.getTeeServicesProperties(chainTaskId);
final TeeServicesProperties properties = teeServicesPropertiesService.getTeeServicesProperties(chainTaskId);

final TeeAppProperties postComputeProperties = properties.getPostComputeProperties();
String postComputeImage = postComputeProperties.getImage();
final String postComputeImage = postComputeProperties.getImage();
if (!dockerService.getClient().isImagePresent(postComputeImage)) {
log.error("Tee post-compute image not found locally [chainTaskId:{}]",
chainTaskId);
return PostComputeResponse.builder()
.exitCauses(List.of(new WorkflowError(ReplicateStatusCause.POST_COMPUTE_IMAGE_MISSING)))
.build();
}
TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
List<String> env = teeService
.buildPostComputeDockerEnv(taskDescription);
List<Bind> binds = Stream.of(
Collections.singletonList(dockerService.getIexecOutBind(chainTaskId)),
final TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
final List<String> env = teeService.buildPostComputeDockerEnv(taskDescription);
final List<Bind> binds = Stream.of(
List.of(dockerService.getIexecOutBind(chainTaskId)),
teeService.getAdditionalBindings())
.flatMap(Collection::stream)
.map(Bind::parse)
.toList();

HostConfig hostConfig = HostConfig.newHostConfig()
final HostConfig hostConfig = HostConfig.newHostConfig()
.withBinds(binds)
.withDevices(sgxService.getSgxDevices())
.withDevices(teeService.getDevices())
.withNetworkMode(workerConfigService.getDockerNetworkName());
DockerRunRequest request = DockerRunRequest.builder()
final DockerRunRequest request = DockerRunRequest.builder()
.hostConfig(hostConfig)
.chainTaskId(chainTaskId)
.containerName(getTaskTeePostComputeContainerName(chainTaskId))
.imageUri(postComputeImage)
.entrypoint(postComputeProperties.getEntrypoint())
.maxExecutionTime(taskDescription.getMaxExecutionTime())
.env(env)
.sgxDriverMode(sgxService.getSgxDriverMode())
.build();
DockerRunResponse dockerResponse = dockerService.run(request);
final DockerRunResponse dockerResponse = dockerService.run(request);
final Duration executionDuration = dockerResponse.getExecutionDuration();
if (executionDuration != null) {
postComputeDurationsService.addDurationForTask(chainTaskId, executionDuration.toMillis());
41 changes: 17 additions & 24 deletions src/main/java/com/iexec/worker/compute/pre/PreComputeService.java
Expand Up @@ -31,7 +31,7 @@
import com.iexec.worker.config.WorkerConfigurationService;
import com.iexec.worker.docker.DockerService;
import com.iexec.worker.metric.ComputeDurationsService;
import com.iexec.worker.sgx.SgxService;
import com.iexec.worker.tee.TeeService;
import com.iexec.worker.tee.TeeServicesManager;
import com.iexec.worker.tee.TeeServicesPropertiesService;
import com.iexec.worker.workflow.WorkflowError;
Expand All @@ -40,7 +40,6 @@
import org.springframework.util.unit.DataSize;

import java.time.Duration;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeoutException;

Expand All @@ -51,23 +50,19 @@ public class PreComputeService {
private final DockerService dockerService;
private final TeeServicesManager teeServicesManager;
private final WorkerConfigurationService workerConfigService;
private final SgxService sgxService;
private final ComputeExitCauseService computeExitCauseService;
private final TeeServicesPropertiesService teeServicesPropertiesService;
private final ComputeDurationsService preComputeDurationsService;

public PreComputeService(
DockerService dockerService,
TeeServicesManager teeServicesManager,
WorkerConfigurationService workerConfigService,
SgxService sgxService,
ComputeExitCauseService computeExitCauseService,
TeeServicesPropertiesService teeServicesPropertiesService,
ComputeDurationsService preComputeDurationsService) {
public PreComputeService(final DockerService dockerService,
final TeeServicesManager teeServicesManager,
final WorkerConfigurationService workerConfigService,
final ComputeExitCauseService computeExitCauseService,
final TeeServicesPropertiesService teeServicesPropertiesService,
final ComputeDurationsService preComputeDurationsService) {
this.dockerService = dockerService;
this.teeServicesManager = teeServicesManager;
this.workerConfigService = workerConfigService;
this.sgxService = sgxService;
this.computeExitCauseService = computeExitCauseService;
this.teeServicesPropertiesService = teeServicesPropertiesService;
this.preComputeDurationsService = preComputeDurationsService;
Expand Down Expand Up @@ -159,38 +154,36 @@ private List<WorkflowError> getExitCauses(final String chainTaskId, final Intege
* @return pre-compute exit code
*/
private Integer prepareTeeInputData(final TaskDescription taskDescription) throws TimeoutException {
String chainTaskId = taskDescription.getChainTaskId();
final String chainTaskId = taskDescription.getChainTaskId();
log.info("Preparing tee input data [chainTaskId:{}]", chainTaskId);

TeeServicesProperties properties =
teeServicesPropertiesService.getTeeServicesProperties(chainTaskId);
final TeeServicesProperties properties = teeServicesPropertiesService.getTeeServicesProperties(chainTaskId);

// check that docker image is present
final TeeAppProperties preComputeProperties = properties.getPreComputeProperties();
String preComputeImage = preComputeProperties.getImage();
final String preComputeImage = preComputeProperties.getImage();
if (!dockerService.getClient().isImagePresent(preComputeImage)) {
log.error("Tee pre-compute image not found locally [chainTaskId:{}]", chainTaskId);
return null;
}
// run container
List<String> env = teeServicesManager.getTeeService(taskDescription.getTeeFramework())
.buildPreComputeDockerEnv(taskDescription);
List<Bind> binds = Collections.singletonList(Bind.parse(dockerService.getInputBind(chainTaskId)));
HostConfig hostConfig = HostConfig.newHostConfig()
final TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
final List<String> env = teeService.buildPreComputeDockerEnv(taskDescription);
final List<Bind> binds = List.of(Bind.parse(dockerService.getInputBind(chainTaskId)));
final HostConfig hostConfig = HostConfig.newHostConfig()
.withBinds(binds)
.withDevices(sgxService.getSgxDevices())
.withDevices(teeService.getDevices())
.withNetworkMode(workerConfigService.getDockerNetworkName());
DockerRunRequest request = DockerRunRequest.builder()
final DockerRunRequest request = DockerRunRequest.builder()
.hostConfig(hostConfig)
.chainTaskId(chainTaskId)
.containerName(getTeePreComputeContainerName(chainTaskId))
.imageUri(preComputeImage)
.entrypoint(preComputeProperties.getEntrypoint())
.maxExecutionTime(taskDescription.getMaxExecutionTime())
.env(env)
.sgxDriverMode(sgxService.getSgxDriverMode())
.build();
DockerRunResponse dockerResponse = dockerService.run(request);
final DockerRunResponse dockerResponse = dockerService.run(request);
final Duration executionDuration = dockerResponse.getExecutionDuration();
if (executionDuration != null) {
preComputeDurationsService.addDurationForTask(chainTaskId, executionDuration.toMillis());
15 changes: 6 additions & 9 deletions src/main/java/com/iexec/worker/tee/TeeService.java
Expand Up @@ -16,12 +16,12 @@

package com.iexec.worker.tee;

import com.github.dockerjava.api.model.Device;
import com.iexec.commons.poco.chain.WorkerpoolAuthorization;
import com.iexec.commons.poco.task.TaskDescription;
import com.iexec.sms.api.SmsClientCreationException;
import com.iexec.sms.api.TeeSessionGenerationError;
import com.iexec.sms.api.TeeSessionGenerationResponse;
import com.iexec.worker.sgx.SgxService;
import com.iexec.worker.sms.SmsService;
import com.iexec.worker.sms.TeeSessionGenerationException;
import com.iexec.worker.workflow.WorkflowError;
Expand All @@ -36,24 +36,17 @@

@Slf4j
public abstract class TeeService {
private final SgxService sgxService;
private final SmsService smsService;
protected final TeeServicesPropertiesService teeServicesPropertiesService;

private final Map<String, TeeSessionGenerationResponse> teeSessions = new ConcurrentHashMap<>();

protected TeeService(final SgxService sgxService,
final SmsService smsService,
protected TeeService(final SmsService smsService,
final TeeServicesPropertiesService teeServicesPropertiesService) {
this.sgxService = sgxService;
this.smsService = smsService;
this.teeServicesPropertiesService = teeServicesPropertiesService;
}

public boolean isTeeEnabled() {
return sgxService.isSgxEnabled();
}

public List<WorkflowError> areTeePrerequisitesMetForTask(final String chainTaskId) {
if (!isTeeEnabled()) {
return List.of(new WorkflowError(TEE_NOT_SUPPORTED));
Expand Down Expand Up @@ -98,6 +91,8 @@ public TeeSessionGenerationResponse getTeeSession(final String chainTaskId) {
return teeSessions.get(chainTaskId);
}

public abstract boolean isTeeEnabled();

/**
* Start any required service(s) to use TEE with selected technology for given task.
*
Expand All @@ -114,6 +109,8 @@ public TeeSessionGenerationResponse getTeeSession(final String chainTaskId) {

public abstract Collection<String> getAdditionalBindings();

public abstract List<Device> getDevices();

// region Purge

/**
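Review bot: The two new abstract methods, `isTeeEnabled()` and `getDevices()`, are declared without Javadoc, although the start-service declaration just below `isTeeEnabled()` has one. `getDevices()` needs an explicit contract because the pre-compute, app and post-compute services in this change pass its result straight to `HostConfig.withDevices(...)`. I would add something like `/** Host devices mapped into every container run for this TEE framework; never null, empty when none are needed, limited to what the enclave runtime requires. */`. For `isTeeEnabled()`, `/** Whether this worker can run tasks for the TEE framework handled by this service. */` would do, since `areTeePrerequisitesMetForTask` returns `TEE_NOT_SUPPORTED` when it is false. Only part of the class is visible in these hunks.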
22 changes: 18 additions & 4 deletions src/main/java/com/iexec/worker/tee/gramine/TeeGramineService.java
Expand Up @@ -16,6 +16,7 @@

package com.iexec.worker.tee.gramine;

import com.github.dockerjava.api.model.Device;
import com.iexec.common.lifecycle.purge.Purgeable;
import com.iexec.commons.poco.task.TaskDescription;
import com.iexec.sms.api.TeeSessionGenerationResponse;
Expand All @@ -38,10 +39,18 @@ public class TeeGramineService extends TeeService implements Purgeable {
private static final String SPS_SESSION_ENV_VAR = "session";
private static final String AESMD_SOCKET = "/var/run/aesmd/aesm.socket";

public TeeGramineService(SgxService sgxService,
SmsService smsService,
TeeServicesPropertiesService teeServicesPropertiesService) {
super(sgxService, smsService, teeServicesPropertiesService);
private final SgxService sgxService;

public TeeGramineService(final SgxService sgxService,
final SmsService smsService,
final TeeServicesPropertiesService teeServicesPropertiesService) {
super(smsService, teeServicesPropertiesService);
this.sgxService = sgxService;
}

@Override
public boolean isTeeEnabled() {
return sgxService.isSgxEnabled();
}

@Override
Expand Down Expand Up @@ -72,6 +81,11 @@ public Collection<String> getAdditionalBindings() {
return bindings;
}

@Override
public List<Device> getDevices() {
return sgxService.getSgxDevices();
}

private List<String> getDockerEnv(final TeeSessionGenerationResponse session) {
return List.of(
SPS_URL_ENV_VAR + "=" + session.getSecretProvisioningUrl(),