From 372c5929f73bec12f184c627554316415190fd42 Mon Sep 17 00:00:00 2001 From: Bruno Vavala Date: Sat, 16 Mar 2024 02:49:42 +0000 Subject: [PATCH] add makefile targets to compile for sgx in hw mode; remove SGX_MODE as a user-facing variable (the mode is explicitly indicated through makefile targets and then propagated to containers, build, and tests; update the documentation on SGX_MODE Signed-off-by: Bruno Vavala --- build/common-config.sh | 11 +--- build/keys/sgx_mode_hw/.gitignore | 3 -- build/keys/sgx_mode_sim/.gitignore | 1 - docker/Makefile | 54 ++++++++++++++----- docker/pdo_client.dockerfile | 6 +++ docker/tools/environment.sh | 7 +-- .../xfer/services/keys/sgx}/sgx_ias_key.pem | 0 .../xfer/services/keys/sgx}/sgx_spid.txt | 0 .../services/keys/sgx}/sgx_spid_api_key.txt | 0 docs/environment.md | 15 +----- docs/install.md | 15 +----- ledgers/ccf/README.md | 4 +- 12 files changed, 52 insertions(+), 64 deletions(-) delete mode 100644 build/keys/sgx_mode_hw/.gitignore delete mode 100644 build/keys/sgx_mode_sim/.gitignore rename {build/keys/sgx_mode_sim => docker/xfer/services/keys/sgx}/sgx_ias_key.pem (100%) rename {build/keys/sgx_mode_sim => docker/xfer/services/keys/sgx}/sgx_spid.txt (100%) rename {build/keys/sgx_mode_sim => docker/xfer/services/keys/sgx}/sgx_spid_api_key.txt (100%) diff --git a/build/common-config.sh b/build/common-config.sh index 44614e6a..99d5f2f5 100755 --- a/build/common-config.sh +++ b/build/common-config.sh 
@@ -57,15 +57,6 @@ var_set() { " env_key_sort[$i]="PDO_INTERPRETER"; i=$i+1; export PDO_INTERPRETER=${env_val[PDO_INTERPRETER]}; - env_val[SGX_MODE]="${SGX_MODE:-SIM}" - env_desc[SGX_MODE]=" - SGX_MODE determines the SGX mode of operation. When the variable is - set to 'SIM', then the SGX enclaves will be compiled for simulator - mode. When the variable is set to 'HW', the enclaves will be compiled - to run in a real SGX enclave. - " - env_key_sort[$i]="SGX_MODE"; i=$i+1; export SGX_MODE=${env_val[SGX_MODE]} - env_val[PDO_LEDGER_URL]="${PDO_LEDGER_URL:-http://127.0.0.1:6600}" env_desc[PDO_LEDGER_URL]=" PDO_LEDGER_URL is the URL is to submit transactions to the ledger. @@ -110,7 +101,7 @@ var_set() { " env_key_sort[$i]="PDO_HOSTNAME"; i=$i+1; export PDO_HOSTNAME=${env_val[PDO_HOSTNAME]} - env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${SCRIPTDIR}/keys/sgx_mode_${SGX_MODE,,}}" + env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx}" env_desc[PDO_SGX_KEY_ROOT]=" PDO_SGX_KEY_ROOT is the root directory where SGX & IAS related keys are stored. The default points to a directory which contains values which are good diff --git a/build/keys/sgx_mode_hw/.gitignore b/build/keys/sgx_mode_hw/.gitignore deleted file mode 100644 index 1cc7a5fe..00000000 --- a/build/keys/sgx_mode_hw/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -ias_root_ca.cert -ias_signing.cert -sgx_ias_key.pem diff --git a/build/keys/sgx_mode_sim/.gitignore b/build/keys/sgx_mode_sim/.gitignore deleted file mode 100644 index e3c6f70a..00000000 --- a/build/keys/sgx_mode_sim/.gitignore +++ /dev/null @@ -1 +0,0 @@ -enclave_code_sign.pem diff --git a/docker/Makefile b/docker/Makefile index d1378d16..6434c28e 100644 --- a/docker/Makefile +++ b/docker/Makefile 
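Review bot: The new `PDO_SGX_KEY_ROOT` default in the second hunk of build/common-config.sh (`${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx`) points at a directory whose three files this commit places under version control by rename, so anyone who follows docs/install.md and saves a real SPID, API key or IAS key there is editing tracked files. The same commit deletes build/keys/sgx_mode_hw/.gitignore, which kept `sgx_ias_key.pem` out of the index, and no ignore rule for the new location is visible in this patch. Consider adding ignore rules for the real credential files, or keeping the checked-in defaults under separate names. A comment next to the default would also help, e.g. `# checked-in files are defaults only; never commit real IAS credentials from this directory`. The enclosing var_set() starts and ends outside the hunk.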
@@ -45,7 +45,6 @@ DOCKER_DIR ?= ${PDO_SOURCE_ROOT}/docker DOCKER_USERNAME = $(LOGNAME) DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID) DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID) -DOCKER_BUILDARGS += --build-arg SGX_MODE=$(SGX_MODE) DOCKER_ARGS = $(DOCKER_BUILDARGS) IMAGES=base client services_base services ccf_base ccf @@ -60,21 +59,45 @@ rebuild_% : repository docker build $(DOCKER_ARGS) \ --build-arg REBUILD=$(TIMESTAMP) \ --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg SGX_MODE=SIM \ --tag pdo_$*:$(PDO_VERSION) \ --file $(DOCKER_DIR)/pdo_$*.dockerfile . build_% : repository docker build $(DOCKER_ARGS) \ --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg SGX_MODE=SIM \ --tag pdo_$*:$(PDO_VERSION) \ --file $(DOCKER_DIR)/pdo_$*.dockerfile . +all_sgx : $(addprefix build_sgx_,$(IMAGES)) + +rebuild_sgx_% : repository + docker build $(DOCKER_ARGS) \ + --build-arg REBUILD=$(TIMESTAMP) \ + --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg SGX_MODE=HW \ + --tag pdo_$*:$(PDO_VERSION) \ + --file $(DOCKER_DIR)/pdo_$*.dockerfile . + +build_sgx_% : repository + docker build $(DOCKER_ARGS) \ + --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg SGX_MODE=HW \ + --tag pdo_$*:$(PDO_VERSION) \ + --file $(DOCKER_DIR)/pdo_$*.dockerfile . + # docker build dependencies build_client: build_base build_services: build_services_base build_services_base: build_base build_ccf: build_ccf_base +build_sgx_client: build_sgx_base +build_sgx_services: build_sgx_services_base +build_sgx_services_base: build_sgx_base +build_sgx_ccf: build_sgx_ccf_base + clean_% : docker rmi -f pdo_$*:$(PDO_VERSION) 
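Review bot: `build_sgx_%` and `rebuild_sgx_%` in the second docker/Makefile hunk tag their output `pdo_$*:$(PDO_VERSION)`, the same name the `SGX_MODE=SIM` rules use, so a hardware-mode image and a simulator image cannot be told apart by tag and whichever target ran last silently replaces the other. Because a simulator build gives no confidentiality or integrity protection, the mode should be inspectable on the image: add `--label sgx_mode=HW \` here and `--label sgx_mode=SIM \` in `build_%`/`rebuild_%`, or use a distinct tag if the compose files (not shown in this patch) can follow it. Separately, `build_sgx_client` also matches `build_%` with stem `sgx_client`. GNU Make 3.82 and later prefer the shorter stem, but 3.81 takes the first matching pattern rule in file order, so defining the `*_sgx_%` rules before the generic ones would be safer.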
@@ -130,22 +153,27 @@ TEST_FILES += -f test.yaml DOCKER_COMPOSE_COMMAND=docker-compose -ifeq ($(SGX_MODE),HW) - TEST_FILES += -f test-sgx.yaml - SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \ - then echo "/dev/isgx"; \ - elif [ -e "/dev/sgx/enclave" ]; \ - then echo "/dev/sgx/enclave"; \ - else echo "ERROR: NO SGX DEVICE FOUND"; \ - fi) - DOCKER_COMPOSE_COMMAND := env SGX_MODE=$(SGX_MODE) SGX_DEVICE_PATH=${SGX_DEVICE_PATH} ${DOCKER_COMPOSE_COMMAND} -endif +TEST_SGX_FILES = ${TEST_FILES} +TEST_SGX_FILES += -f test-sgx.yaml +SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \ + then echo "/dev/isgx"; \ + elif [ -e "/dev/sgx/enclave" ]; \ + then echo "/dev/sgx/enclave"; \ + else echo "ERROR: NO SGX DEVICE FOUND"; \ + fi) +DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose build_test : repository build_services build_ccf build_client test : clean_config clean_repository build_test stop_all - PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) up --abort-on-container-exit - PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) down + PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit + PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down + +sgx_build_test : repository build_sgx_services build_sgx_ccf build_sgx_client + +sgx_test : clean_config clean_repository sgx_build_test stop_all + PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit + PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) down # ----------------------------------------------------------------- # Cleaning is a bit interesting because the containers don't go away diff --git a/docker/pdo_client.dockerfile b/docker/pdo_client.dockerfile index df44ce1d..82c98653 100644 --- a/docker/pdo_client.dockerfile +++ b/docker/pdo_client.dockerfile 
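Review bot: `SGX_DEVICE_PATH` in the docker/Makefile test hunk still evaluates to the text `ERROR: NO SGX DEVICE FOUND` when neither device node exists, and `DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose` now bakes that text into the command on every parse instead of only under the old `ifeq ($(SGX_MODE),HW)`. On a host without SGX, `sgx_test` would run `env SGX_DEVICE_PATH=ERROR: NO SGX DEVICE FOUND docker-compose …`, which fails only because `env` tries to execute `NO`, giving an obscure error rather than an explicit refusal. Let the probe print nothing in the `else` branch and make the first recipe line of `sgx_test` an explicit check such as `@test -n "$(SGX_DEVICE_PATH)" || { echo "no SGX device found" >&2; exit 1; }`. `DOCKER_COMPOSE_COMMAND` stays defined in the context line above, but the `test` recipes now call `docker-compose` directly, so it should either be used again or removed.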
@@ -42,6 +42,12 @@ USER $UNAME # ----------------------------------------------------------------- ARG REBUILD=0 +#sgx_mode only required because build/Makefile needs it +#but the client image does not need it +ARG SGX_MODE +RUN test -n "${SGX_MODE}" || (echo "SGX_MODE not set" && false) +ENV SGX_MODE=${SGX_MODE} + ARG PDO_DEBUG_BUILD=0 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD} diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh index 64e74c34..ae41f693 100755 --- a/docker/tools/environment.sh +++ b/docker/tools/environment.sh @@ -21,7 +21,6 @@ # these variables may be configured to change the behavior of the image # all should be set through the build variables in the dockerfiles. -export SGX_MODE=${SGX_MODE:-SIM} export PDO_LEDGER_TYPE=${PDO_LEDGER_TYPE:-ccf} export PDO_INTERPRETER=${PDO_INTERPRETER:-wawaka} export WASM_MEM_CONFIG=${WASM_MEM_CONFIG:-MEDIUM} @@ -47,11 +46,7 @@ export XFER_DIR=${XFER_DIR:-/project/pdo/xfer} # if the container is running HW mode, then we will grab the # SGX keys from the xfer directory; we know that the default # keys must be overridden -if [ ${SGX_MODE} == "HW" ]; then - export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx -else - export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,} -fi +export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx # this variable is needed for the build for signing the # eservice and pservice enclaves diff --git a/build/keys/sgx_mode_sim/sgx_ias_key.pem b/docker/xfer/services/keys/sgx/sgx_ias_key.pem similarity index 100% rename from build/keys/sgx_mode_sim/sgx_ias_key.pem rename to docker/xfer/services/keys/sgx/sgx_ias_key.pem diff --git a/build/keys/sgx_mode_sim/sgx_spid.txt b/docker/xfer/services/keys/sgx/sgx_spid.txt similarity index 100% rename from build/keys/sgx_mode_sim/sgx_spid.txt rename to docker/xfer/services/keys/sgx/sgx_spid.txt 
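Review bot: The `RUN test -n "${SGX_MODE}"` guard added to docker/pdo_client.dockerfile rejects only an empty value, so a misspelt mode such as `hw` passes the check and is exported through `ENV SGX_MODE`. How build/Makefile treats an unexpected value is not visible in this patch; if it falls back to simulation for anything other than `HW`, a typo would quietly produce a simulator build. Validating the two accepted values costs one line: `RUN case "${SGX_MODE}" in SIM|HW) ;; *) echo "SGX_MODE must be SIM or HW" >&2; exit 1 ;; esac`.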
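Review bot: The comment kept above the new `export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx` line in docker/tools/environment.sh (last hunk of that file) still says the keys come from the xfer directory "if the container is running HW mode", but the assignment is now unconditional and simulator containers read the same directory. A stale comment on a key-location setting invites the wrong assumption about which credentials a container is using. Reword it to match the code, for example `# SGX keys are always read from the xfer directory; for HW mode the files there must be replaced with real credentials`.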
diff --git a/build/keys/sgx_mode_sim/sgx_spid_api_key.txt b/docker/xfer/services/keys/sgx/sgx_spid_api_key.txt similarity index 100% rename from build/keys/sgx_mode_sim/sgx_spid_api_key.txt rename to docker/xfer/services/keys/sgx/sgx_spid_api_key.txt diff --git a/docs/environment.md b/docs/environment.md index 783c51fd..e1770922 100644 --- a/docs/environment.md +++ b/docs/environment.md @@ -125,22 +125,9 @@ size is set to 2MB. When the variable is set to `LARGE`, the runtime's memory pool size is set to 4MB. - - -## SGX Environment Variables - - -### `SGX_MODE` -(default: `SIM`) - -`SGX_MODE` determines the SGX mode of operation. When the variable is -set to `SIM`, then the SGX enclaves will be compiled for simulator -mode. When the variable is set to `HW`, the enclaves will be compiled to -run in a real SGX enclave. - ### `PDO_SGX_KEY_ROOT` -(default: `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}/`): +(default: `${PDO_SOURCE_ROOT}/docker/xfer/services/keys/sgx/`): `PDO_SGX_KEY_ROOT` is the root directory where SGX and IAS related keys are stored. The default points to a directory which contains values diff --git a/docs/install.md b/docs/install.md index 3943125b..f8f8b7a6 100644 --- a/docs/install.md +++ b/docs/install.md @@ -57,12 +57,7 @@ SGX can operate in either simulation mode or hardware mode. Simulation mode does not require any processor support for SGX and can be useful for development and testing. However, simulation mode does not provide any protection for confidential data and does not guarantee integrity of -execution. To use SGX in simulation mode set the `SGX_MODE` environment -variable to `SIM`: - -```bash -export SGX_MODE=SIM -``` +execution. SGX hardware mode uses capabilities for trusted execution in the processor to protect confidentiality and integrity of computation. SGX 
@@ -71,13 +66,6 @@ hardware mode requires processor support for SGX PDO currently relies on EPID-based SGX attestation, which is supported on all SGX-enabled hardware (including FLC-enabled hardware). -To use SGX in hardware mode set the `SGX_MODE` environment variable to -`HW`: - -```bash -export SGX_MODE=HW -``` - The remainder of this section provides information about preparing to run Private Data Objects using SGX in hardware mode. Specifically, there are steps that must be taken to enable attestation of the hardware @@ -115,7 +103,6 @@ to create the client authentication key. The key will be available from your profile page. Now organize your data as follows under the `${PDO_SGX_KEY_ROOT}` folder -(the default folder is `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}`, or you can define yours with `export PDO_SGX_KEY_ROOT=`): * save your SPID in `${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt` * save your API key in `${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt` diff --git a/ledgers/ccf/README.md b/ledgers/ccf/README.md index bdc0a9a1..f4e449f3 100644 --- a/ledgers/ccf/README.md +++ b/ledgers/ccf/README.md @@ -70,9 +70,7 @@ sudo apt-get install -y sgx-aesm-service libsgx-urts libsgx-uae-service To build the PDO TP the [PDO environment variables](../../docs/environment.md) must be set. See the PDO configuration script `common-config.sh` for -more information. Specifically, if operating PDO in `HW` mode, ensure that `SGX_MODE` -env variable is set to `HW` before building PDO TP, so that PDO TP will enforce -submission of valid attestation reports while processing enclave registration rpcs. +more information. To build and install the PDO TP, ```bash