add makefile targets to compile for sgx in hw mode; remove SGX_MODE a…

…s a user-facing variable (the mode is explicitly indicated through makefile targets and then propagated to containers, build, and tests; update the documentation on SGX_MODE

Signed-off-by: Bruno Vavala <[email protected]>

build/common-config.sh

@@ -57,15 +57,6 @@ var_set() {
 	"
 	env_key_sort[$i]="PDO_INTERPRETER"; i=$i+1; export PDO_INTERPRETER=${env_val[PDO_INTERPRETER]};
 
-	env_val[SGX_MODE]="${SGX_MODE:-SIM}"
-	env_desc[SGX_MODE]="
-		SGX_MODE determines the SGX mode of operation. When the variable is
-		set to 'SIM', then the SGX enclaves will be compiled for simulator
-		mode. When the variable is set to 'HW', the enclaves will be compiled
-		to run in a real SGX enclave.
-	"
-	env_key_sort[$i]="SGX_MODE"; i=$i+1; export SGX_MODE=${env_val[SGX_MODE]}
-
 	env_val[PDO_LEDGER_URL]="${PDO_LEDGER_URL:-http://127.0.0.1:6600}"
 	env_desc[PDO_LEDGER_URL]="
 		PDO_LEDGER_URL is the URL is to submit transactions to the ledger.
@@ -110,7 +101,7 @@ var_set() {
 	"
 	env_key_sort[$i]="PDO_HOSTNAME"; i=$i+1; export PDO_HOSTNAME=${env_val[PDO_HOSTNAME]}
 
-    env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${SCRIPTDIR}/keys/sgx_mode_${SGX_MODE,,}}"
+    env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx}"
 	env_desc[PDO_SGX_KEY_ROOT]="
 		PDO_SGX_KEY_ROOT is the root directory where SGX & IAS related keys are stored.
 		The default points to a directory which contains values which are good

docker/Makefile

@@ -45,7 +45,6 @@ DOCKER_DIR ?= ${PDO_SOURCE_ROOT}/docker
 DOCKER_USERNAME = $(LOGNAME)
 DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
-DOCKER_BUILDARGS += --build-arg SGX_MODE=$(SGX_MODE)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
 
 IMAGES=base client services_base services ccf_base ccf
@@ -60,21 +59,45 @@ rebuild_% : repository
 	docker build $(DOCKER_ARGS) \
 		--build-arg REBUILD=$(TIMESTAMP) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
+		--build-arg SGX_MODE=SIM \
 		--tag pdo_$*:$(PDO_VERSION) \
 		--file $(DOCKER_DIR)/pdo_$*.dockerfile .
 
 build_% : repository
 	docker build $(DOCKER_ARGS) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
+		--build-arg SGX_MODE=SIM \
 		--tag pdo_$*:$(PDO_VERSION) \
 		--file $(DOCKER_DIR)/pdo_$*.dockerfile .
 
+all_sgx : $(addprefix build_sgx_,$(IMAGES))
+
+rebuild_sgx_% : repository
+	docker build $(DOCKER_ARGS) \
+        --build-arg REBUILD=$(TIMESTAMP) \
+        --build-arg PDO_VERSION=$(PDO_VERSION) \
+        --build-arg SGX_MODE=HW \
+        --tag pdo_$*:$(PDO_VERSION) \
+        --file $(DOCKER_DIR)/pdo_$*.dockerfile .
+
+build_sgx_% : repository
+	docker build $(DOCKER_ARGS) \
+        --build-arg PDO_VERSION=$(PDO_VERSION) \
+        --build-arg SGX_MODE=HW \
+        --tag pdo_$*:$(PDO_VERSION) \
+        --file $(DOCKER_DIR)/pdo_$*.dockerfile .
+
 # docker build dependencies
 build_client: build_base
 build_services: build_services_base
 build_services_base: build_base
 build_ccf: build_ccf_base
 
+build_sgx_client: build_sgx_base
+build_sgx_services: build_sgx_services_base
+build_sgx_services_base: build_sgx_base
+build_sgx_ccf: build_sgx_ccf_base
+
 clean_% :
 	docker rmi -f pdo_$*:$(PDO_VERSION)
 
@@ -130,22 +153,27 @@ TEST_FILES += -f test.yaml
 
 DOCKER_COMPOSE_COMMAND=docker-compose
 
-ifeq ($(SGX_MODE),HW)
-	TEST_FILES += -f test-sgx.yaml
-	SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
-					then echo "/dev/isgx"; \
-					elif [ -e "/dev/sgx/enclave" ]; \
-						then echo "/dev/sgx/enclave"; \
-					else echo "ERROR: NO SGX DEVICE FOUND"; \
-					fi)
-	DOCKER_COMPOSE_COMMAND := env SGX_MODE=$(SGX_MODE) SGX_DEVICE_PATH=${SGX_DEVICE_PATH} ${DOCKER_COMPOSE_COMMAND}
-endif
+TEST_SGX_FILES = ${TEST_FILES}
+TEST_SGX_FILES += -f test-sgx.yaml
+SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+				then echo "/dev/isgx"; \
+				elif [ -e "/dev/sgx/enclave" ]; \
+					then echo "/dev/sgx/enclave"; \
+				else echo "ERROR: NO SGX DEVICE FOUND"; \
+				fi)
+DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose
 
 build_test : repository build_services build_ccf build_client
 
 test : clean_config clean_repository build_test stop_all
-	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) up --abort-on-container-exit
-	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) down
+	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit
+	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down
+
+sgx_build_test : repository build_sgx_services build_sgx_ccf build_sgx_client
+
+sgx_test : clean_config clean_repository sgx_build_test stop_all
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) down
 
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away

docker/pdo_client.dockerfile

@@ -42,6 +42,12 @@ USER $UNAME
 # -----------------------------------------------------------------
 ARG REBUILD=0
 
+#sgx_mode only required because build/Makefile needs it
+#but the client image does not need it
+ARG SGX_MODE
+RUN test -n "${SGX_MODE}" || (echo "SGX_MODE not set" && false)
+ENV SGX_MODE=${SGX_MODE}
+
 ARG PDO_DEBUG_BUILD=0
 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD}
 

docker/tools/environment.sh

@@ -21,7 +21,6 @@
 
 # these variables may be configured to change the behavior of the image
 # all should be set through the build variables in the dockerfiles.
-export SGX_MODE=${SGX_MODE:-SIM}
 export PDO_LEDGER_TYPE=${PDO_LEDGER_TYPE:-ccf}
 export PDO_INTERPRETER=${PDO_INTERPRETER:-wawaka}
 export WASM_MEM_CONFIG=${WASM_MEM_CONFIG:-MEDIUM}
@@ -47,11 +46,7 @@ export XFER_DIR=${XFER_DIR:-/project/pdo/xfer}
 # if the container is running HW mode, then we will grab the
 # SGX keys from the xfer directory; we know that the default
 # keys must be overridden
-if [ ${SGX_MODE} == "HW" ]; then
-    export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx
-else
-    export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
-fi
+export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx
 
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves

docs/environment.md

@@ -125,22 +125,9 @@ size is set to 2MB.
 When the variable is set to `LARGE`, the runtime's memory
 pool size is set to 4MB.
 
-<!-- -------------------------------------------------- -->
-<!-- -------------------------------------------------- -->
-## SGX Environment Variables
-
-<!-- -------------------------------------------------- -->
-### `SGX_MODE`
-(default: `SIM`)
-
-`SGX_MODE` determines the SGX mode of operation. When the variable is
-set to `SIM`, then the SGX enclaves will be compiled for simulator
-mode. When the variable is set to `HW`, the enclaves will be compiled to
-run in a real SGX enclave.
-
 <!-- -------------------------------------------------- -->
 ### `PDO_SGX_KEY_ROOT`
-(default: `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}/`):
+(default: `${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx/`):
 
 `PDO_SGX_KEY_ROOT` is the root directory where SGX and IAS related keys
 are stored. The default points to a directory which contains values

docs/install.md

@@ -57,12 +57,7 @@ SGX can operate in either simulation mode or hardware mode. Simulation
 mode does not require any processor support for SGX and can be useful
 for development and testing. However, simulation mode does not provide
 any protection for confidential data and does not guarantee integrity of
-execution. To use SGX in simulation mode set the `SGX_MODE` environment
-variable to `SIM`:
-
-```bash
-export SGX_MODE=SIM
-```
+execution.
 
 SGX hardware mode uses capabilities for trusted execution in the
 processor to protect confidentiality and integrity of computation. SGX
@@ -71,13 +66,6 @@ hardware mode requires processor support for SGX
 PDO currently relies on EPID-based SGX attestation, which is supported
 on all SGX-enabled hardware (including FLC-enabled hardware).
 
-To use SGX in hardware mode set the `SGX_MODE` environment variable to
-`HW`:
-
-```bash
-export SGX_MODE=HW
-```
-
 The remainder of this section provides information about preparing to run
 Private Data Objects using SGX in hardware mode. Specifically, there
 are steps that must be taken to enable attestation of the hardware
@@ -115,7 +103,6 @@ to create the client authentication key. The key will be available from
 your profile page.
 
 Now organize your data as follows under the `${PDO_SGX_KEY_ROOT}` folder
-(the default folder is `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}`,
 or you can define yours with `export PDO_SGX_KEY_ROOT=<your folder>`):
 * save your SPID in `${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt`
 * save your API key in `${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt`

ledgers/ccf/README.md

@@ -70,9 +70,7 @@ sudo apt-get install -y sgx-aesm-service libsgx-urts libsgx-uae-service
 
 To build the PDO TP the [PDO environment variables](../../docs/environment.md)
 must be set. See the PDO configuration script `common-config.sh` for
-more information. Specifically, if operating PDO in `HW` mode, ensure that `SGX_MODE`
-env variable is set to `HW` before building PDO TP, so that PDO TP will enforce
-submission of valid attestation reports while processing enclave registration rpcs.
+more information.
 
 To build and install the PDO TP,
 ```bash