diff --git a/API_VERSION.txt b/API_VERSION.txt new file mode 100644 index 0000000000000000000000000000000000000000..56fea8a08d2faa60fec80b40241566d3c39744f7 --- /dev/null +++ b/API_VERSION.txt @@ -0,0 +1 @@ +3.0.0 \ No newline at end of file diff --git a/HANG/TDX/README.md b/HANG/TDX/README.md index a824d8e27adf5bba4ce8d73eb31b03e23985839d..92185aad4c220f0519717256a87d490db792994c 100644 --- a/HANG/TDX/README.md +++ b/HANG/TDX/README.md @@ -7,7 +7,7 @@ This project is still in development. This project provides only one file, **Dockerfile**, as a phased result for users to try. The structure of **HANG** is as shown below: - + So users need to run both **Server side** and **Client Side** in this demo. ### Run from Dockerfile @@ -98,7 +98,7 @@ Second, users can use **docker run** to run **Client side** with new terminal: --network=hang_network --ip=172.20.0.2 \ --device=/dev/tdx_guest \ -w /home/newuser/team-half-burnt team-half-burnt:v1.0 \ - ./bazel-bin/source/exe/envoy-static -c ./HANG/TDX/envoy-demo-tls-client.yaml -l off --component-log-level upstream:error,connection:debug` + ./bazel-bin/source/exe/envoy-static -c ./HANG/TDX/envoy-demo-tls-client.yaml -l off --component-log-level upstream:debug,downstream:debug,connection:debug` **Server side** is similiar with a new terminal: `docker run -it --rm --name hang_container_server \ @@ -107,7 +107,7 @@ Second, users can use **docker run** to run **Client side** with new terminal: -w /home/newuser/team-half-burnt team-half-burnt:v1.0` This will makes users enter the container, and users need to run more in **Server side**: `nohup python3 -m http.server 80 &` -`./bazel-bin/source/exe/envoy-static -c ./HANG/TDX/envoy-demo-tls-server.yaml -l off --component-log-level upstream:error,connection:debug` +`./bazel-bin/source/exe/envoy-static -c ./HANG/TDX/envoy-demo-tls-server.yaml -l off --component-log-level upstream:debug,downstream:debug,connection:debug` Last, users can run `curl -v http://172.20.0.2:10000` in host. Then users can find the feedback of **python http.server**, which means our demo running successfully. diff --git a/README.md b/README.md index 05539b694bcc52c69d837a297a6e484f2a579fae..c9205a80d084549363804c42eba75f9e952ded6e 100644 --- a/README.md +++ b/README.md @@ -5,17 +5,6 @@ - **指导教师**: éæˆå¤ã€å¼ ä½³ - **妿 ¡**: æµ™æ±Ÿå¤§å¦ -[赛题简介](##赛题简介) -[预期特å¾](##预期特å¾) -[项目简介(åˆèµ›ï¼‰](##项目简介(åˆèµ›ï¼‰) -[项目实现(åˆèµ›ï¼‰](##项目实现(åˆèµ›ï¼‰) -- [工程文件](###工程文件) -- [demo框架](###demo框架) -- [结果演示](###结果演示) - -[构建指å—](##构建指å—) -[å‚考链接](##å‚考链接) - ## 赛题简介: ç›®å‰AIGCç±»æŽ¨ç†æœåŠ¡åž‹åº”ç”¨çˆ†ç«ï¼Œä½†ç›®å‰æ‰€æœ‰æŽ¨ç†æœåŠ¡å‡ ä¹Žéƒ½é¢ä¸´å¦‚下安全风险: 1.大模型所在系统的安全问题,将导致大é‡é«˜åº¦æœºå¯†å’Œæ•感的è®ç»ƒæ•°æ®ï¼ˆå¦‚个人éšç§æ•°æ®å’Œä¼ä¸šæ•°æ®ï¼‰ä»¥åŠé«˜ä»·å€¼çš„æ¨¡åž‹å‚æ•°ä¿¡æ¯è¢«æ³„露。 @@ -35,17 +24,17 @@ TEE安全å¯ä¿¡ç½‘关组件应满足: é¢„æœŸç›®æ ‡ï¼š 在尽å¯èƒ½å°‘ç”šè‡³æ— éœ€ä¿®æ”¹æŽ¨ç†æœåŠ¡ï¼ˆä½œä¸ºC/S模型ä¸çš„Server)和推ç†å®¢æˆ·ç«¯ï¼ˆä½œä¸ºC/S模型ä¸çš„Client,通常为REST API或Web UIå‰ç«¯ç‰å½¢å¼ï¼‰çš„å‰æä¸‹ï¼Œè®¾è®¡å¹¶å®žçŽ°ä¸€ä¸ªTEE网关,实现安全å¯ä¿¡çš„通信框架,ä¸ä»…ä¿è¯æŽ¨ç†å®¢æˆ·ç«¯å’ŒæŽ¨ç†æœåŠ¡ä¹‹é—´çš„é€šä¿¡å†…å®¹å®‰å…¨ï¼Œè¿˜èƒ½åŸºäºŽTEEè¿œç¨‹è¯æ˜Žè¿‡ç¨‹éªŒè¯è¿è¡Œåœ¨TEEå†…çš„æŽ¨ç†æœåŠ¡çš„å¯ä¿¡åº¦ã€‚ -## 项目简介(åˆèµ›ï¼‰ï¼š -é’ˆå¯¹èµ›é¢˜ç›®æ ‡ï¼Œæˆ‘ä»¬é€‰æ‹©åœ¨[envoyå¼€æºç½‘å…³](https://github.com/envoyproxy/envoy)版本1.28.0-dev(commit 706fe7871ab5fe631406db1e0fe5af1c4d0eb1b8ï¼‰çš„åŸºç¡€ä¸Šè¿›è¡Œæ”¹é€ ï¼Œç”±äºŽèµ›é¢˜å‚考给出的[RATS-TLS技术](https://github.com/inclavare-containers)å¹¶ä¸é€‚用于envoyç½‘å…³æ”¹é€ ï¼Œæ‰€ä»¥é€‰æ‹©äº†inclavare-containers下的[librats](https://github.com/inclavare-containers/librats)作为技术支æŒè¿›è¡Œå¼•入,将librats技术è¿ç”¨åœ¨ç½‘关上,并对其进行envoyçš„é€‚é…æ”¹é€ ï¼ŒåŒæ—¶ä¿®æ”¹envoyçš„transport socket上下文,将TEEè¿œç¨‹è¯æ˜Žä¸ŽTLS相结åˆï¼Œå®žçŽ°ç½‘å…³ä¹‹é—´å¯ä¿¡ä¿¡é“的建立。 +## 项目简介: +é’ˆå¯¹èµ›é¢˜ç›®æ ‡ï¼Œæˆ‘ä»¬é€‰æ‹©åœ¨[envoyå¼€æºç½‘å…³ 版本1.28.0-dev](https://github.com/inclavare-containers/envoy_librats/tree/706fe7871ab5fe631406db1e0fe5af1c4d0eb1b8)çš„åŸºç¡€ä¸Šè¿›è¡Œæ”¹é€ ï¼Œç”±äºŽèµ›é¢˜å‚考给出的[RATS-TLS技术](https://github.com/inclavare-containers)å¹¶ä¸é€‚用于envoyç½‘å…³æ”¹é€ ï¼Œæ‰€ä»¥é€‰æ‹©äº†inclavare-containers下的[librats](https://github.com/inclavare-containers/librats)作为技术支æŒè¿›è¡Œå¼•入,将librats技术è¿ç”¨åœ¨ç½‘关上,并对其进行envoyçš„é€‚é…æ”¹é€ ï¼ŒåŒæ—¶ä¿®æ”¹envoyçš„transport socket上下文,将TEEè¿œç¨‹è¯æ˜Žä¸ŽTLS相结åˆï¼Œå®žçŽ°ç½‘å…³ä¹‹é—´å¯ä¿¡ä¿¡é“的建立。 -## 项目实现(åˆèµ›ï¼‰ï¼š -我们将项目命å为HANG,å–自Heterogeneous Authentication Network Gateway,旨在使用网关技术,满足在å„ç§åœºæ™¯ä¸‹ï¼ˆåŒ…括但ä¸é™äºŽAIGC)的C/S模型通信需求,在ä¸ä¿®æ”¹Client serviceå’ŒServer service的情况下,完æˆå¯¹å¯ä¿¡ä¿¡é“的建立并基于TEEè¿œç¨‹è¯æ˜ŽéªŒè¯å¤„于Serverç«¯ç«¯æŽ¨ç†æœåŠ¡å¯ä¿¡åº¦ã€‚é¡¹ç›®åŒæ—¶åšåˆ°äº†ï¼š -[x] 项目的TLSé€šä¿¡åŸºäºŽè¿œç¨‹è¯æ˜Žï¼ŒC端å¯ä»¥éªŒè¯S端身份信æ¯å’Œæ•°æ®å®Œæ•´æ€§ã€‚ -[x] 项目使用开æºçš„libratsä½œä¸ºè¿œç¨‹è¯æ˜Žç»„件,在envoyä¸ä¿®æ”¹TLS并完æˆè¿œç¨‹è¯æ˜Ž -[x] 项目支æŒSGX与TDXå¹³å°è¿›è¡Œæž„建,项目基于TDX进行演示,SGXåŒç† -[x] 项目的C/Sç«¯å„æœ‰ä¸€ä¸ªç½‘关,在网关之间完æˆå¯ä¿¡ä¿¡é“的建立 -[x] 项目的客户端和æœåŠ¡ç«¯åŸºäºŽpythonå’Œcurl完æˆäº†demoæ¼”ç¤ºï¼ŒåŒæ—¶æä¾›äº†å®Œæ•´çš„æž„建方案和æ¥éª¤æŒ‡å— -[x] å¯ä»¥ä»Ždockerfileã€dockerhubã€source三个层é¢å®Œæˆé¡¹ç›®çš„æž„建 +## 项目实现: +我们将项目命å为HANG,å–自Heterogeneous Authentication Network Gateway,旨在使用网关技术,满足在å„ç§åœºæ™¯ä¸‹ï¼ˆåŒ…括但ä¸é™äºŽAIGC)的C/S模型通信需求,在ä¸ä¿®æ”¹Client serviceå’ŒServer service的情况下,完æˆå¯¹å¯ä¿¡ä¿¡é“的建立并基于TEEè¿œç¨‹è¯æ˜ŽéªŒè¯å¤„于Serverç«¯æŽ¨ç†æœåŠ¡å¯ä¿¡åº¦ã€‚é¡¹ç›®åŒæ—¶åšåˆ°äº†ï¼š +- [x] 项目的TLSé€šä¿¡åŸºäºŽè¿œç¨‹è¯æ˜Žï¼ŒC端å¯ä»¥éªŒè¯S端身份信æ¯å’Œæ•°æ®å®Œæ•´æ€§ã€‚ +- [x] 项目使用开æºçš„libratsä½œä¸ºè¿œç¨‹è¯æ˜Žç»„件,在envoyä¸ä¿®æ”¹TLS并完æˆè¿œç¨‹è¯æ˜Ž +- [x] 项目支æŒSGX与TDXå¹³å°è¿›è¡Œæž„建,项目基于TDX进行演示,SGXåŒç† +- [x] 项目的C/Sç«¯å„æœ‰ä¸€ä¸ªç½‘关,在网关之间完æˆå¯ä¿¡ä¿¡é“的建立 +- [x] 项目的客户端和æœåŠ¡ç«¯åŸºäºŽpythonå’Œcurl完æˆäº†demoæ¼”ç¤ºï¼ŒåŒæ—¶æä¾›äº†å®Œæ•´çš„æž„建方案和æ¥éª¤æŒ‡å— +- [x] å¯ä»¥ä»Ždockerfileã€dockerhubã€source三个层é¢å®Œæˆé¡¹ç›®çš„æž„建 ### 工程文件: 项目对envoyæºç 围绕transport socketå’Œsecret相关进行了部分æºç æ”¹é€ å’Œå¢žåŠ ï¼Œæ¶‰åŠåˆ°çš„æ–‡ä»¶åŒ…括: @@ -91,7 +80,7 @@ TEE安全å¯ä¿¡ç½‘关组件应满足: ### demo框架: HANG结构图如下所示: - + HANG过程如下: 1.C端å‘S端å‘起请求链接,通过å‘C端网关å‘起请求(demoä¸ä½¿ç”¨curl指令) 2.C端网关会将请求åå‘代ç†åˆ°S端网关 @@ -107,16 +96,16 @@ HANG过程如下: 详è§[HANG/TDX/README.md](HANG/TDX/README.md) ## å‚考链接 -https://github.com/envoyproxy/envoy -https://github.com/inclavare-containers/librats -https://openanolis.cn/sig/coco -https://github.com/inclavare-containers/rats-tls +- https://github.com/envoyproxy/envoy +- https://github.com/inclavare-containers/librats +- https://openanolis.cn/sig/coco +- https://github.com/inclavare-containers/rats-tls # Introduction of HANG This project aims to combine **Librats** and **Envoy**. We introduce **Librats** into **Envoy** to struct a new network gateway architecture based on TEE, which is called **HANG**.(Heterogeneous Authentication Network Gateway) User can find the building instructions in **/HANG/TDX**. -HANG based on open source project [envoy 1.28.0-dev](https://github.com/envoyproxy/envoy) and [librats](https://github.com/inclavare-containers/librats). +HANG based on open source project [envoy 1.28.0-dev](https://github.com/inclavare-containers/envoy_librats/tree/706fe7871ab5fe631406db1e0fe5af1c4d0eb1b8) and [librats](https://github.com/inclavare-containers/librats). Based on envoy source code, this project migrate librats to envoy. Detailed infomation please see commit log to find. \ No newline at end of file diff --git a/VERSION.txt b/VERSION.txt new file mode 100644 index 0000000000000000000000000000000000000000..3489271e65996d49fa7ba0ab5fa8f2edc9b68876 --- /dev/null +++ b/VERSION.txt @@ -0,0 +1 @@ +1.28.0-dev \ No newline at end of file