diff --git a/build/__tools__/expand-config b/build/__tools__/expand-config
deleted file mode 100755
index 34388460..00000000
--- a/build/__tools__/expand-config
+++ /dev/null
@@ -1,173 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2018 Intel Corporation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -""" -Return the number of registered endpoints in the exit status -""" - -import os -import socket -import sys -import toml -from string import Template -import re - -# ----------------------------------------------------------------- -# ----------------------------------------------------------------- -def expand_expressions(text, variable_map) : - """expand expressions found in a string, an expression is given - in a ${{expr}}. For example, ${{port+5}} will expand to 7005 if - port is set to 7000 in the variable_map. - - :param string text: template text - :param dict variable_map: dictionary of variable bindings - "returns string: text with expressions evaluated. 
- """ - for item in re.findall(r'\${{(.*)}}', text, re.MULTILINE) : - exp = '${{%s}}' % item - val = str(eval(item, variable_map)) - text = text.replace(exp, val) - - return text - -# ----------------------------------------------------------------- -# ----------------------------------------------------------------- -def parse_configuration_file(filename, variable_map) : - """ - Parse a configuration file expanding variable references - using the Python Template library (variables are $var format) - - :param string filename: name of the configuration file - :param dict variable_map: dictionary of expansions to use - :returns dict: dictionary of configuration information - """ - - cpattern = re.compile('##.*$') - - with open(filename) as fp : - lines = fp.readlines() - - text = "" - for line in lines : - text += re.sub(cpattern, '', line) + ' ' - - if variable_map : - text = expand_expressions(text, variable_map) - text = Template(text).safe_substitute(variable_map) - - return toml.loads(text) - - -## ----------------------------------------------------------------- -try : - ContractHome = os.environ["PDO_HOME"] - LedgerURL = os.environ["PDO_LEDGER_URL"] - LedgerType = os.environ["PDO_LEDGER_TYPE"] - SPID = os.environ["PDO_SPID"] - SPID_API_KEY = os.environ["PDO_SPID_API_KEY"] -except KeyError as ke : - print("incomplete configuration, missing definition of {0}".format(str(ke))) - sys.exit(-1) - -#deduce eservice key format based on ledger type -if LedgerType == 'ccf': - EserviceKeyFormat = 'pem' -else: - print("Cannot configure eservice keys. 
Invalid ledger type, Must be 'ccf'" ) - sys.exit(-1) - -ContractHost = os.environ.get("PDO_HOSTNAME", os.environ.get("HOSTNAME", "localhost")) -ContractHostAddress = socket.gethostbyname(ContractHost) -ContractEtc = os.path.join(ContractHome, "etc") -ContractKeys = os.path.join(ContractHome, "keys") -ContractLogs = os.path.join(ContractHome, "logs") -ContractData = os.path.join(ContractHome, "data") -LedgerKeyRoot = os.environ.get("PDO_LEDGER_KEY_ROOT", os.path.join(ContractEtc, "keys", "ledger")) -HttpsProxy = os.environ.get("https_proxy", "") - -config_map = { - 'data' : ContractData, - 'etc' : ContractEtc, - 'home' : ContractHome, - 'host' : ContractHost, - 'host_address' : ContractHostAddress, - 'keys' : ContractKeys, - 'logs' : ContractLogs, - 'ledger' : LedgerURL, - 'ledger_type': LedgerType, - 'ledger_key_root' : LedgerKeyRoot, - 'eservice_key_format': EserviceKeyFormat, - 'proxy' : HttpsProxy, - 'spid' : SPID, - 'spid_api_key' : SPID_API_KEY -} - -# ----------------------------------------------------------------- -# ----------------------------------------------------------------- -def expand_single(options) : - filename = os.path.join(options.template_directory, options.template) - config = parse_configuration_file(filename, config_map) - - filename = os.path.join(options.output_directory, options.file) - with open(filename, 'w') as outfile: - toml.dump(config, outfile) - -# ----------------------------------------------------------------- -# ----------------------------------------------------------------- -def expand_multiple(options, n) : - node = options.file_base + str(n) - node_map = config_map.copy() - - node_map['identity'] = node - node_map['_count_'] = n - - filename = os.path.join(options.template_directory, options.template) - config = parse_configuration_file(filename, node_map) - - filename = os.path.join(options.output_directory, node + '.toml') - with open(filename, 'w') as outfile: - toml.dump(config, outfile) - -# 
----------------------------------------------------------------- -# ----------------------------------------------------------------- -import argparse - -parser = argparse.ArgumentParser(description='Script to generate configuration files from a template') - -parser.add_argument('--template', help='Name of the base configuration file to use', default='template.js') -parser.add_argument('--template-directory', help='Directory in which the template configuration will be found', default='etc/templates') -parser.add_argument('--output-directory', help='Name of the directory where generated configuration files are written', default='etc') -parser.add_argument('--set', help='Specify arbitrary configuration options', nargs=2, action='append') - -subparsers = parser.add_subparsers(dest='command') -expand_parser = subparsers.add_parser('single', help='expand a template into a single file') -expand_parser.add_argument('--file', help='Base for node names', required=True) - -multi_parser = subparsers.add_parser('multiple', help='expand a template into multiple files') -multi_parser.add_argument('--file-base', help='Base for file names', required=True) -multi_parser.add_argument('--count', help='Number of validators to configure', default=9, type=int) - -options = parser.parse_args() - -if options.set : - for (k, v) in options.set : config_map[k] = v - -if options.command == 'multiple' : - for n in range(1, int(options.count)+1) : - expand_multiple(options, n) - -elif options.command == 'single' : - expand_single(options) diff --git a/build/__tools__/verify-pre-conf.sh b/build/__tools__/verify-pre-conf.sh deleted file mode 100755 index c549dce3..00000000 --- a/build/__tools__/verify-pre-conf.sh +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/bash - -# Copyright 2019 Intel Corporation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This script performs several tests on the environment to ensure -# that it is set up correctly. It should be run prior to building - -F_VERIFIED=0 - -# ----------------------------------------------------------------- -# ----------------------------------------------------------------- -SCRIPTDIR="$(dirname $(readlink --canonicalize ${BASH_SOURCE}))" -SRCDIR="$(realpath ${SCRIPTDIR}/../..)" - -source ${SRCDIR}/bin/lib/common.sh -check_pdo_build_env - -function warn () { - recho "WARNING: $*" - F_VERIFIED=-1 -} - -# ----------------------------------------------------------------- -# CHECK ENVIRONMENT -# ----------------------------------------------------------------- - -yell --------------- CONFIG AND ENVIRONMENT PRE-CONF CHECK --------------- - -# the SPID should be a 32 byte hex string -if [[ ! "${PDO_SPID}" =~ ^[A-Fa-f0-9]{32}$ ]]; then - warn "PDO_SPID is not defined correctly, should be a a 32-byte hex key" -fi - -if [ "${SGX_MODE}" = "HW" ]; then - # the SPID_API_KEY should be a 32 byte hex string - if [[ ! "${PDO_SPID_API_KEY}" =~ ^[A-Fa-f0-9]{32}$ ]]; then - warn "PDO_SPID_API_KEY is not defined correctly, should be a a 32-byte hex key" - fi -fi - -exit $F_VERIFIED diff --git a/build/cmake/Test.cmake b/build/cmake/Test.cmake index e5b6c332..531d96c1 100644 --- a/build/cmake/Test.cmake +++ b/build/cmake/Test.cmake 
@@ -34,8 +34,8 @@ SET(PDO_TEST_CONTRACT --logfile ${TEST_LOG_FILE}) # NOTE: we override the default configuration here because clients -# do not have the full configuration files (eservice1.toml and -# enclave.toml) and when running with services these are not required. +# do not have the full configuration file (eservice1.toml) and +# when running with services these are not required. SET(PDO_TEST_CONTRACT_WITH_SERVICES ${PDO_TEST_CONTRACT} --ledger ${TEST_LEDGER} diff --git a/build/common-config.sh b/build/common-config.sh index 44614e6a..eeddb520 100755 --- a/build/common-config.sh +++ b/build/common-config.sh 
@@ -113,37 +113,11 @@ var_set() { env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${SCRIPTDIR}/keys/sgx_mode_${SGX_MODE,,}}" env_desc[PDO_SGX_KEY_ROOT]=" PDO_SGX_KEY_ROOT is the root directory where SGX & IAS related keys are stored. - The default points to a directory which contains values which are good - enough for SGX simulator mode. However, for SGX HW mode you - should provide your own version, at least for PDO_SPID and PDO_SPID_API_KEY + If SGX_MODE=SIM, the default folder contains mock files that are good for simulation mode. + If SGX_MODE=HW, the default (or custom) folder must be filled with legitimate SGX & IAS keys. " env_key_sort[$i]="PDO_SGX_KEY_ROOT"; i=$i+1; export PDO_SGX_KEY_ROOT=${env_val[PDO_SGX_KEY_ROOT]} - env_val[PDO_ENCLAVE_CODE_SIGN_PEM]="${PDO_ENCLAVE_CODE_SIGN_PEM:-${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem}" - env_desc[PDO_ENCLAVE_CODE_SIGN_PEM]=" - PDO_ENCLAVE_CODE_SIGN_PEM contains the name of the file containing the key - used to sign the enclave. This key must be white-listed with IAS to work for - production-mode/default launch-control. For non-production use, in simulator or HW mode, - the key can generated by the command: - openssl genrsa -3 -out ${PDO_ENCLAVE_CODE_SIGN_PEM} 3072. - The default path points to a key which is generated during built on-demand. - " - env_key_sort[$i]="PDO_ENCLAVE_CODE_SIGN_PEM"; i=$i+1; export PDO_ENCLAVE_CODE_SIGN_PEM=${env_val[PDO_ENCLAVE_CODE_SIGN_PEM]} - - env_val[PDO_SPID]="${PDO_SPID:-$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid.txt)}" - env_desc[PDO_SPID]=" - PDO_SPID is the ID that accompanies the certificate registered - with the Intel Attestation Service. This should be a 32 character - hex string. - " - env_key_sort[$i]="PDO_SPID"; i=$i+1; export PDO_SPID=${env_val[PDO_SPID]} - - env_val[PDO_SPID_API_KEY]="${PDO_SPID_API_KEY:-$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt)}" - env_desc[PDO_SPID_API_KEY]=" - PDO_SPID_API_KEY is API-key associated with the SPID. 
- " - env_key_sort[$i]="PDO_SPID_API_KEY"; i=$i+1; export PDO_SPID_API_KEY=${env_val[PDO_SPID_API_KEY]} - env_val[PDO_LEDGER_KEY_ROOT]="${PDO_LEDGER_KEY_ROOT:-${PDO_INSTALL_ROOT}/opt/pdo/etc/keys/ledger}" env_desc[PDO_LEDGER_KEY_ROOT]=" PDO_LEDGER_KEY_ROOT is the root directory where the system keys are stored @@ -173,7 +147,7 @@ print_export() { } help() { - echo 'common-config.sh -[--reset-keys|-r] [--evalable-export|-e] [--help|-h|-?] + echo 'common-config.sh [--evalable-export|-e] [--help|-h|-?] This script can be used to set the environment variables that are used in the build, installation & execution process. While the build should @@ -200,9 +174,6 @@ and before buidling it you call script as If passed the parameter --evalable-export it will return a list of export commands of the variables instead of directly exporting them to the environment. -Passing parameter --reset-keys will unset keying variables -PDO_ENCLAVE_CODE_SIGN_PEM, -PDO_SPID and PDO_SPID_API_KEY before setting variables. The list of variables set (in order they are defined, their defaults and semantics is as follows: @@ -222,16 +193,6 @@ while [[ $# > 0 ]] do opt=$1 case $opt in - --reset-keys|-r) - # ----------------------------------------------------------------- - # if you change either PDO_SGX_KEY_ROOT or PDO_LEDGER_KEY_ROOT variable - # and re-source this file you should unset all of the variables that - # depend on those variables - # ----------------------------------------------------------------- - unset PDO_ENCLAVE_CODE_SIGN_PEM - unset PDO_SPID - unset PDO_SPID_API_KEY - ;; --evalable-export|-e) is_sourced=0 ;; diff --git a/build/template/enclave.toml b/build/template/enclave.toml deleted file mode 100644 index 11b7aaa7..00000000 --- a/build/template/enclave.toml +++ /dev/null 
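Review bot: The new PDO_SGX_KEY_ROOT description (first common-config.sh hunk, inside var_set(), whose body starts and ends outside the hunk) requires "legitimate SGX & IAS keys" in HW mode but no longer names the files the folder must hold, and this commit also deletes build/__tools__/verify-pre-conf.sh, the only format check on the SPID and API key visible on this page. The removed lines read `sgx_spid.txt`, `sgx_spid_api_key.txt` and `enclave_code_sign.pem` from this folder; if those names still apply (not visible here), list them in the description so an operator knows what to provision. Because the folder then holds the IAS API key and the enclave signing key on disk, I would also add a line such as `In HW mode this folder holds secrets; keep it readable only by the owning user.` If a replacement check exists elsewhere, reference it from the description; otherwise a missing or placeholder file would presumably be noticed only when attestation fails.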
@@ -1,35 +0,0 @@ -# Copyright 2018 Intel Corporation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -------------------------------------------------- -# EnclaveModule -- configuration of the SGX contract enclave -# -------------------------------------------------- -[EnclaveModule] - -# Number of available enclave workers to service requests -num_of_enclaves = '7' - -# spid is a 32-digit hex string tied to the enclave implementation -spid = '${spid}' - -# ias_url is the URL of the Intel Attestation Service (IAS) server. The -# example server is for debug enclaves only, -# the production url is without the trailing '/dev' -ias_url = 'https://api.trustedservices.intel.com/sgx/dev' - -# proxy configuration .. -https_proxy = '${proxy}' - -# spid_api_key is a 32-digit hex string tied to the SPID -spid_api_key = '${spid_api_key}' diff --git a/docs/environment.md b/docs/environment.md index 783c51fd..3e652f14 100644 --- a/docs/environment.md +++ b/docs/environment.md @@ -49,10 +49,6 @@ If passed the parameter `--evalable-export` the script will return a list of export commands of the variables instead of directly exporting them to the environment. -Passing parameter `--reset-keys` will unset key variables -`PDO_ENCLAVE_CODE_SIGN_PEM`, -`PDO_SPID` and `PDO_SPID_API_KEY` before setting variables. - ## Generic Environment Variables 
@@ -143,58 +139,12 @@ run in a real SGX enclave. (default: `${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}/`): `PDO_SGX_KEY_ROOT` is the root directory where SGX and IAS related keys -are stored. The default points to a directory which contains values -which are good enough for SGX simulator mode. However, for SGX HW mode -you should provide your own version, at least for `PDO_SPID` and -`PDO_SPID_API_KEY`. See [SGX section](install.md#SGX) of the -[BUILD document](install.md) for more information. - - -### `PDO_ENCLAVE_CODE_SIGN_PEM` -(default: `${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem`): +are stored. If SGX_MODE=SIM, the default folder contains mock files that +are good for simulation mode. If SGX_MODE=HW, the default (or custom) +folder must be filled with legitimate SGX & IAS keys. +See [SGX section](install.md#SGX) of the [BUILD document](install.md) +for more information. -`PDO_ENCLAVE_CODE_SIGN_PEM` contains the name of the file containing the -key used to sign the enclave. If you wish to use PDO for production, -this key must be white-listed with IAS. For development, testing, and -other non-production uses, whether in simulator or hardware mode, the -key can generated by the command: - -```bash - openssl genrsa -3 -out ${PDO_ENCLAVE_CODE_SIGN_PEM} 3072. -``` - -The default path points to a key which is automatically generated during -the build. - - -### `PDO_SPID` -(default: `DEADBEEF00000000DEADBEEF00000000`) - -`PDO_SPID` is the ID that accompanies the certificate registered with -the Intel Attestation Service. This should be a 32 character hex -string. If the variable is unset, the configuration script -`common-config.sh` will pull the value from the file -`${PDO_SGX_KEY_ROOT}/sgx_spid.txt`. - -The default value will work for SGX simulation mode. See -[SGX section](install.md#SGX) of the [BUILD document](install.md) for -instructions to create the SPID to support SGX hardware mode. 
- - -### `PDO_SPID_API_KEY` -(default `deadbeef00000000deadbeef00000000`) - -`PDO_SPID_API_KEY` is the key used to authenticate IAS client -requests. This should be a 32 character hex string. -If the variable is unset, the configuration script -`common-config.sh` will pull the value from the file -`${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt`. - -The default value will work for SGX simulation mode. See -[SGX section](install.md#SGX) of the [BUILD document](install.md) for -instructions to create the API key to support SGX hardware mode. - - ## Ledger Environment Variables diff --git a/eservice/etc/sample_eservice.toml b/eservice/etc/sample_eservice.toml deleted file mode 100644 index 2b772af7..00000000 --- a/eservice/etc/sample_eservice.toml +++ /dev/null 
@@ -1,96 +0,0 @@ -# Copyright 2018 Intel Corporation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -------------------------------------------------- -# EnclaveService -- general information about the enclave service -# -------------------------------------------------- -[EnclaveService] - # Identity is a string used to identify the service in log files -Identity = "${identity}" -HttpPort = 7100 -Host = "localhost" - - # Max number of threads for processing WSGI requests -WorkerThreads = 8 - # Suggested number of threads for processing other requests -ReactorThreads = 8 - -# -------------------------------------------------- -# StorageService -- information about the associated storage service -# -------------------------------------------------- -[StorageService] -URL = "http://localhost:7200" -BlockStore = "${data}/${identity}.mdb" - -# -------------------------------------------------- -# Ledger -- ledger configuration -# -------------------------------------------------- -[Ledger] -# LedgerURL is used to submit the registration transaction should -# the enclave require registration -LedgerType = "${ledger_type}" -LedgerURL = "${ledger}" -Organization = "Widgets R Us" - -# -------------------------------------------------- -# Logging -- configuration of service logging -# -------------------------------------------------- -[Logging] -LogLevel = "INFO" -LogFile = "${logs}/${identity}.log" - -# -------------------------------------------------- -# Keys -- 
configuration for retrieving service keys -# -------------------------------------------------- -[Key] -# Keys are used to sign the registration transaction -# should it be required -SearchPath = [ ".", "./keys", "${keys}" ] -FileName = "${identity}_private.pem" - -# -------------------------------------------------- -# EnclaveData -- configuration of sealed storage for the enclave -# -------------------------------------------------- -[EnclaveData] -# DataPath is the directory where sealed storage is saved if -# it needs to be created for this enclave -DataPath = "${data}" - -# BaseName is the root of the name used to store data -# about the enclave. A 'enc' extension will be added -BaseName = "${identity}" - -# -------------------------------------------------- -# EnclaveModule -- configuration of the SGX contract enclave -# -------------------------------------------------- -[EnclaveModule] - -# Number of available enclave workers to service requests -num_of_enclaves = '7' - -# block_store_file_name is the path where persistent state data is stored -# This is safe to share between eservice's -block_store_file_name = "${data}/blockstore.mdb" - -# spid is a 32-digit hex string tied to the enclave implementation -spid = 'DEADBEEF00000000DEADBEEF00000000' - -# ias_url is the URL of the Intel Attestation Service (IAS) server. The -# example server is for debug enclaves only, -# the production url is without the trailing '/dev' -ias_url = 'https://api.trustedservices.intel.com/sgx/dev' -https_proxy = '' - -# spid_api_key is a 32-digit hex string tied to the SPID -spid_api_key = 'DEADBEEF00000000DEADBEEF00000000' diff --git a/eservice/setup.py b/eservice/setup.py index f9fe59da..9427bf07 100644 --- a/eservice/setup.py +++ b/eservice/setup.py 
@@ -46,9 +46,7 @@ 'bin/es-start.sh', 'bin/es-stop.sh', 'bin/es-status.sh', ]), (dat_dir, []), - (etc_dir, [ - 'etc/sample_eservice.toml', - ]), + (etc_dir, []), (log_dir, []), (key_dir, []), ('lib', [ os.path.join(script_dir, 'deps/bin/libpdo-enclave.signed.so')])