Make the sgx debug flag dependent on PDO_DEBUG_BUILD.

If PDO_DEBUG_BUILD is not set or set to 0, the enclave is built with SGX_DEBUG_FLAG set to 0, and signed with the DisableDebug flag set to 1. So this commit adds one more step in the enclave cmake build to create the xml configuration file accordingly. Signed-off-by: Bruno Vavala <[email protected]>
bvavala · May 10, 2024 · 93cd7af · 93cd7af
1 parent 5fa37a1
commit 93cd7af
Show file tree

Hide file tree

Showing 9 changed files with 88 additions and 11 deletions.
diff --git a/docker/Makefile b/docker/Makefile
@@ -24,6 +24,10 @@
 # the desired PDO_SOURCE_ROOT when invoking make.
 PDO_SOURCE_ROOT ?= $(realpath $(dir $(abspath $(lastword $(MAKEFILE_LIST))))/../)
 
+# PDO_DEBUG_BUILD
+# The flag that determines the build type (debug or not).
+PDO_DEBUG_BUILD ?= 0
+
 # PDO_REPO --
 #   The URL or path to the git repository, the default uses the current repository
 #   though it might be reasonable to build a particular branch from the primary
@@ -83,13 +87,15 @@ rebuild_services_sgx : repository
 	$(DOCKER_COMMAND) build $(DOCKER_ARGS) \
 		--build-arg REBUILD=$(TIMESTAMP) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
+		--build-arg PDO_DEBUG_BUILD=$(PDO_DEBUG_BUILD) \
 		--build-arg SGX_MODE=HW \
 		--tag pdo_services_sgx:$(PDO_VERSION) \
 		--file $(DOCKER_DIR)/pdo_services.dockerfile .
 
 build_services_sgx : $(IAS_CERTIFICATES) repository build_services_base
 	$(DOCKER_COMMAND) build $(DOCKER_ARGS) \
 		--build-arg PDO_VERSION=$(PDO_VERSION) \
+		--build-arg PDO_DEBUG_BUILD=$(PDO_DEBUG_BUILD) \
 		--build-arg SGX_MODE=HW \
 		--tag pdo_services_sgx:$(PDO_VERSION) \
 		--file $(DOCKER_DIR)/pdo_services.dockerfile .

diff --git a/docker/pdo_base.dockerfile b/docker/pdo_base.dockerfile
@@ -55,9 +55,11 @@ RUN apt-get update \
         software-properties-common \
         swig \
         tar \
+        tidy \
         unzip \
         virtualenv \
         wget \
+        xml2 \
         xxd \
         net-tools \
         dnsutils \

diff --git a/eservice/Makefile b/eservice/Makefile
@@ -16,6 +16,16 @@ SCRIPTDIR ?= $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 SRCDIR ?= $(abspath $(SCRIPTDIR)/..)
 DSTDIR ?= $(PDO_INSTALL_ROOT)
 
+# Set options for cmake build
+#
+# The build type is set to affect the SGX debug flag.
+# Build type "Release" defines NDEBUG, which causes sgx_urts.h to set SGX_DEBUG_FLAG to 0.
+# Build type "Debug" does not define NDEBUG, which causes sgx_urts.h to set SGX_DEBUG_FLAG to 1.
+CMAKE_OPTS ?= -DCMAKE_BUILD_TYPE=Release
+ifeq (${PDO_DEBUG_BUILD},1)
+    CMAKE_OPTS = -DCMAKE_BUILD_TYPE=Debug
+endif
+
 PY_VERSION=${shell python3 --version | sed 's/Python \(3\.[0-9]*\)\.[0-9]*/\1/'}
 MOD_VERSION=${shell ../bin/get_version}
 
@@ -69,7 +79,7 @@ $(SWIG_TARGET) : $(SWIG_FILES) $(ENCLAVE_LIB)
 
 build :
 	mkdir $@
-	cd $@ && cmake .. -G "Unix Makefiles"
+	cd $@ && cmake .. $(CMAKE_OPTS) -G "Unix Makefiles"
 
 install: $(EGG_FILE)
 	@ . $(abspath $(DSTDIR)/bin/activate) && \

diff --git a/eservice/lib/libpdo_enclave/.gitignore b/eservice/lib/libpdo_enclave/.gitignore
@@ -0,0 +1 @@
+pdo_enclave.config.xml
diff --git a/eservice/lib/libpdo_enclave/CMakeLists.txt b/eservice/lib/libpdo_enclave/CMakeLists.txt
@@ -22,12 +22,26 @@ PROJECT(libpdo-enclave CXX C)
 FILE(GLOB PROJECT_HEADERS *.h)
 FILE(GLOB PROJECT_SOURCES *.cpp)
 FILE(GLOB PROJECT_EDL enclave.edl)
-FILE(GLOB PROJECT_CONFIG *.xml)
 FILE(GLOB PROJECT_LDS *.lds)
+SET(PROJECT_CONFIG pdo_enclave.config.xml)
 
 SGX_EDGE_TRUSTED(${PROJECT_EDL} PROJECT_EDGE_SOURCES)
 SET (LIBPDO_ENCLAVE_EDL ${PROJECT_EDL} PARENT_SCOPE)
 
+
+# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+# Enclave configuration file
+# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+ADD_CUSTOM_COMMAND(
+    OUTPUT ${PROJECT_CONFIG}
+    COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/prepare_enclave_xml.sh ${CMAKE_CURRENT_SOURCE_DIR}/${PROJECT_CONFIG}.in ${PROJECT_CONFIG})
+ADD_CUSTOM_TARGET(prepare_enclave_xml DEPENDS ${PROJECT_CONFIG})
+SET_PROPERTY(
+    TARGET prepare_enclave_xml
+    APPEND
+    PROPERTY ADDITIONAL_CLEAN_FILES ${PROJECT_CONFIG})
+
 # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 # Compile targets
 # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
@@ -43,5 +57,8 @@ TARGET_LINK_LIBRARIES(${PROJECT_NAME} ${COMMON_TRUSTED_LIBS})
 TARGET_LINK_LIBRARIES(${PROJECT_NAME} -Wl,--end-group)
 
 SGX_PREPARE_TRUSTED_LINK(${PROJECT_NAME})
+
+# add dependency to ensure that enclave configuration file is created before post-build sgx-sign
+ADD_DEPENDENCIES(${PROJECT_NAME} prepare_enclave_xml)
 SGX_SIGN_ENCLAVE(${PROJECT_NAME} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem ${PROJECT_CONFIG})
 SGX_DEPLOY_FILES(${PROJECT_NAME} eservice)
diff --git a/...lib/libpdo_enclave/pdo_enclave.config.xml → .../libpdo_enclave/pdo_enclave.config.xml.in b/...lib/libpdo_enclave/pdo_enclave.config.xml → .../libpdo_enclave/pdo_enclave.config.xml.in
@@ -23,7 +23,7 @@ limitations under the License.
   <ReservedMemExecutable>1</ReservedMemExecutable>
   <TCSNum>2</TCSNum>
   <TCSPolicy>1</TCSPolicy>
-  <DisableDebug>0</DisableDebug>
+  <DisableDebug>placeholder for !PDO_DEBUG_BUILD</DisableDebug>
   <MiscSelect>0</MiscSelect>
   <MiscMask>0xFFFFFFFF</MiscMask>
 </EnclaveConfiguration>
diff --git a/eservice/lib/libpdo_enclave/prepare_enclave_xml.sh b/eservice/lib/libpdo_enclave/prepare_enclave_xml.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+#
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script produces the XML configuration file for signing the enclave.
+
+# The script only updates the DisableDebug (0/1 resp.) field based on PDO_DEBUG_BUILD (1/0 resp).
+# If the variable is not set, the default value of 0 is assumed, so DisableDebug is set to 1.
+
+if [ $# != 2 ]; then
+    echo "$(basename $0) <config xml template> <output config xml>"
+    echo "Config XML template and output file paths are required"
+    exit 1
+fi
+
+if [ ${PDO_DEBUG_BUILD:-0} = 0 ]; then
+    DISABLE_DEBUG=1
+else
+    DISABLE_DEBUG=0
+fi
+
+xml2 < $1 | \
+    sed '/\/EnclaveConfiguration\/DisableDebug/ s/\<placeholder for !PDO_DEBUG_BUILD\>/'${DISABLE_DEBUG}'/' | \
+    2xml | tidy -xml -i -q > $2
+
diff --git a/eservice/pdo/eservice/enclave/enclave/enclave.cpp b/eservice/pdo/eservice/enclave/enclave/enclave.cpp
@@ -432,17 +432,16 @@ namespace pdo {
                 Enclave::QuerySgxStatus();
 
                 sgx_launch_token_t token = { 0 };
-                int flags = SGX_DEBUG_FLAG;
-                pdo::error::ThrowSgxError((SGX_DEBUG_FLAG==0 ? SGX_ERROR_UNEXPECTED:SGX_SUCCESS),
-                    "SGX DEBUG flag is 0 (possible cause: wrong compile flags)");
+
+                pdo::logger::LogV(PDO_LOG_DEBUG, "LoadEnclave, SGX_DEBUG_FLAG: %d", SGX_DEBUG_FLAG);
 
                 // First attempt to load the enclave executable
                 sgx_status_t ret = SGX_SUCCESS;
-                ret = this->CallSgx([this, flags, &token] () {
+                ret = this->CallSgx([this, &token] () {
                         int updated = 0;
                         return sgx_create_enclave(
                             this->enclaveFilePath.c_str(),
-                            flags,
+                            SGX_DEBUG_FLAG,
                             &token,
                             &updated,
                             &this->enclaveId,

diff --git a/eservice/setup.py b/eservice/setup.py
@@ -59,7 +59,7 @@
 ## -----------------------------------------------------------------
 ## set up the contract enclave
 ## -----------------------------------------------------------------
-debug_flag = os.environ.get('PDO_DEBUG_BUILD',0)
+debug_flag = os.environ.get('PDO_DEBUG_BUILD', False) in ("1")
 
 module_path = 'pdo/eservice/enclave'
 module_src_path = os.path.join(script_dir, module_path)
@@ -132,6 +132,12 @@
     ('SGX_SIMULATOR', SGX_SIMULATOR_value)
 ]
 
+# When the debug flag (PDO_DEBUG_BUILD) is set, we set the EDEBUG define
+# This ensures that the SGX SDK in sgx_urts.h sets the SGX_DEBUG_FLAG to 1.
+# Otherwise the SDK sets it to 0.
+if debug_flag :
+    compile_defs.append(('EDEBUG', None))
+
 swig_flags = ['-c++', '-threads']
 
 enclave_module = Extension(
@@ -142,8 +148,7 @@
     libraries = libraries,
     include_dirs = include_dirs,
     library_dirs = library_dirs,
-    define_macros = compile_defs,
-    undef_macros = ['NDEBUG', 'EDEBUG']
+    define_macros = compile_defs
     )
 
 ## -----------------------------------------------------------------