Updated on 2024-07-19 GMT+08:00

Building a QingTian Enclave Image

After a QingTian Enclave application is developed, you need to build a QingTian Enclave image file (.eif) in a trusted environment. The QingTian Enclave image file contains everything required to launch a QingTian Enclave instance, including the application code, runtime dependencies, operating system, and file system. This section describes how to build a QingTian Enclave image file.

  1. Create a Docker source image.

    Package the QingTian Enclave application and its execution environment into a Docker image. For details, see QingTian Enclave Application Development on Linux.

  2. Obtain the image from the image library.

    The following uses the Ubuntu image provided in the Docker repository as an example. Obtain the image source from Docker (network access must be configured for the query). Run the following command to search for the image source:

    docker search ubuntu

    Pull the Ubuntu image locally:

    docker pull ubuntu

    After the Ubuntu image is pulled, run the following command to list the local images:

    docker image ls

    If you already have the Docker image locally, go directly to step 3 to convert the image.

  3. Convert the Docker image to a QingTian Enclave image file.

    Optionally, first use OpenSSL or another tool to create a private key (private-key.pem) and a certificate (server.pem). The only mandatory parameters of the *qt enclave make-img* command are the Docker source image and the target QingTian Enclave image file.

    # qt enclave make-img --docker-uri ubuntu --eif /home/docker/ubuntu.eif \
          --private-key /home/docker/private-key.pem \
          --signing-certificate /home/docker/server.pem
    {
         "digest": "SHA384",
         "PCR0": "b8c59692da8a5bcb739a83d15a0ceca670bd78da06cb2250ec70548f72254e674419e9888db9c0364a9b88dd58017a62",
         "PCR8": "dbf4a7f9fab7f18619b5899c407081981ad6762fb9a809da78548821b5021965423181584acd7b201703376f1133a546"
    }

    The command produces the QingTian Enclave image file and prints a set of PCR values, PCR0 and PCR8. These hashes are measurements of the instance and can be used as condition keys in IAM authorization policies to implement conditional access control over KMS APIs. For details, see PCR.
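
    Because the PCR values end up in IAM policy conditions, it helps to compare the values printed by a build with the values recorded from a trusted build before using them. The following script is an added example, not Huawei Cloud code; the function names are hypothetical, and it assumes the build output is printed on standard output in the JSON shape shown in step 3.

```shell
#!/bin/sh
# Added example: compare the PCR values printed by `qt enclave make-img`
# with values pinned from an earlier trusted build.
# Assumption: the build output has the JSON shape shown on this page.

# field_value NAME: read build output on stdin, print NAME's string value.
field_value() {
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# is_sha384_hex VALUE: succeed only for exactly 96 lowercase hex characters.
is_sha384_hex() {
    [ "${#1}" -eq 96 ] || return 1
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# check_build PINNED_PCR0 PINNED_PCR8: read build output on stdin.
# Returns 0 on match, 1 on mismatch, 2 if the output is malformed.
check_build() {
    out=$(cat)
    digest=$(printf '%s\n' "$out" | field_value digest)
    [ "$digest" = "SHA384" ] || { echo "unexpected digest: $digest" >&2; return 2; }
    for pair in "PCR0:$1" "PCR8:$2"; do
        name=${pair%%:*}
        want=${pair#*:}
        got=$(printf '%s\n' "$out" | field_value "$name" | tr 'A-F' 'a-f')
        is_sha384_hex "$got" || { echo "$name missing or malformed" >&2; return 2; }
        [ "$got" = "$want" ] || { echo "$name differs from pinned value" >&2; return 1; }
    done
    return 0
}

# Constructed sample: the output shown in step 3 of this page.
SAMPLE_OUTPUT='{
  "digest": "SHA384",
  "PCR0": "b8c59692da8a5bcb739a83d15a0ceca670bd78da06cb2250ec70548f72254e674419e9888db9c0364a9b88dd58017a62",
  "PCR8": "dbf4a7f9fab7f18619b5899c407081981ad6762fb9a809da78548821b5021965423181584acd7b201703376f1133a546"
}'

# Typical use (pinned values are ones you recorded from a trusted build):
#   qt enclave make-img --docker-uri ubuntu --eif /home/docker/ubuntu.eif \
#       | check_build "$PINNED_PCR0" "$PINNED_PCR8"
```

    A non-zero exit status means the values should not be copied into a policy until the difference is explained.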