From 93cd7af30e59ad9254dabe0aa212b20a6f8ef4ef Mon Sep 17 00:00:00 2001 From: Bruno Vavala Date: Fri, 10 May 2024 18:58:37 +0000 Subject: [PATCH] Make the sgx debug flag dependent on PDO_DEBUG_BUILD. If PDO_DEBUG_BUILD is not set or set to 0, the enclave is built with SGX_DEBUG_FLAG set to 0, and signed with the DisableDebug flag set to 1. So this commit adds one more step in the enclave cmake build to create the xml configuration file accordingly. Signed-off-by: Bruno Vavala --- docker/Makefile | 6 +++ docker/pdo_base.dockerfile | 2 + eservice/Makefile | 12 +++++- eservice/lib/libpdo_enclave/.gitignore | 1 + eservice/lib/libpdo_enclave/CMakeLists.txt | 19 +++++++++- ...e.config.xml => pdo_enclave.config.xml.in} | 2 +- .../lib/libpdo_enclave/prepare_enclave_xml.sh | 37 +++++++++++++++++++ .../pdo/eservice/enclave/enclave/enclave.cpp | 9 ++--- eservice/setup.py | 11 ++++-- 9 files changed, 88 insertions(+), 11 deletions(-) create mode 100644 eservice/lib/libpdo_enclave/.gitignore rename eservice/lib/libpdo_enclave/{pdo_enclave.config.xml => pdo_enclave.config.xml.in} (93%) create mode 100755 eservice/lib/libpdo_enclave/prepare_enclave_xml.sh diff --git a/docker/Makefile b/docker/Makefile index d8c08e77..1063bd39 100644 --- a/docker/Makefile +++ b/docker/Makefile @@ -24,6 +24,10 @@ # the desired PDO_SOURCE_ROOT when invoking make. PDO_SOURCE_ROOT ?= $(realpath $(dir $(abspath $(lastword $(MAKEFILE_LIST))))/../) +# PDO_DEBUG_BUILD +# The flag that determines the build type (debug or not). +PDO_DEBUG_BUILD ?= 0 + # PDO_REPO -- # The URL or path to the git repository, the default uses the current repository # though it might be reasonable to build a particular branch from the primary @@ -83,6 +87,7 @@ rebuild_services_sgx : repository $(DOCKER_COMMAND) build $(DOCKER_ARGS) \ --build-arg REBUILD=$(TIMESTAMP) \ --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg PDO_DEBUG_BUILD=$(PDO_DEBUG_BUILD) \ --build-arg SGX_MODE=HW \ --tag pdo_services_sgx:$(PDO_VERSION) \ --file $(DOCKER_DIR)/pdo_services.dockerfile . @@ -90,6 +95,7 @@ rebuild_services_sgx : repository build_services_sgx : $(IAS_CERTIFICATES) repository build_services_base $(DOCKER_COMMAND) build $(DOCKER_ARGS) \ --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg PDO_DEBUG_BUILD=$(PDO_DEBUG_BUILD) \ --build-arg SGX_MODE=HW \ --tag pdo_services_sgx:$(PDO_VERSION) \ --file $(DOCKER_DIR)/pdo_services.dockerfile . diff --git a/docker/pdo_base.dockerfile b/docker/pdo_base.dockerfile index 5be86fa7..3bf1f07b 100644 --- a/docker/pdo_base.dockerfile +++ b/docker/pdo_base.dockerfile @@ -55,9 +55,11 @@ RUN apt-get update \ software-properties-common \ swig \ tar \ + tidy \ unzip \ virtualenv \ wget \ + xml2 \ xxd \ net-tools \ dnsutils \ diff --git a/eservice/Makefile b/eservice/Makefile index 8239aee0..2251f5cb 100644 --- a/eservice/Makefile +++ b/eservice/Makefile @@ -16,6 +16,16 @@ SCRIPTDIR ?= $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) SRCDIR ?= $(abspath $(SCRIPTDIR)/..) DSTDIR ?= $(PDO_INSTALL_ROOT) +# Set options for cmake build +# +# The build type is set to affect the SGX debug flag. +# Build type "Release" defines NDEBUG, which causes sgx_urts.h to set SGX_DEBUG_FLAG to 0. +# Build type "Debug" does not define NDEBUG, which causes sgx_urts.h to set SGX_DEBUG_FLAG to 1. +CMAKE_OPTS ?= -DCMAKE_BUILD_TYPE=Release +ifeq (${PDO_DEBUG_BUILD},1) + CMAKE_OPTS = -DCMAKE_BUILD_TYPE=Debug +endif + PY_VERSION=${shell python3 --version | sed 's/Python \(3\.[0-9]*\)\.[0-9]*/\1/'} MOD_VERSION=${shell ../bin/get_version} @@ -69,7 +79,7 @@ $(SWIG_TARGET) : $(SWIG_FILES) $(ENCLAVE_LIB) build : mkdir $@ - cd $@ && cmake .. -G "Unix Makefiles" + cd $@ && cmake .. $(CMAKE_OPTS) -G "Unix Makefiles" install: $(EGG_FILE) @ . $(abspath $(DSTDIR)/bin/activate) && \ diff --git a/eservice/lib/libpdo_enclave/.gitignore b/eservice/lib/libpdo_enclave/.gitignore new file mode 100644 index 00000000..f3f8271a --- /dev/null +++ b/eservice/lib/libpdo_enclave/.gitignore @@ -0,0 +1 @@ +pdo_enclave.config.xml diff --git a/eservice/lib/libpdo_enclave/CMakeLists.txt b/eservice/lib/libpdo_enclave/CMakeLists.txt index 9bea66ca..75d8f8dc 100644 --- a/eservice/lib/libpdo_enclave/CMakeLists.txt +++ b/eservice/lib/libpdo_enclave/CMakeLists.txt @@ -22,12 +22,26 @@ PROJECT(libpdo-enclave CXX C) FILE(GLOB PROJECT_HEADERS *.h) FILE(GLOB PROJECT_SOURCES *.cpp) FILE(GLOB PROJECT_EDL enclave.edl) -FILE(GLOB PROJECT_CONFIG *.xml) FILE(GLOB PROJECT_LDS *.lds) +SET(PROJECT_CONFIG pdo_enclave.config.xml) SGX_EDGE_TRUSTED(${PROJECT_EDL} PROJECT_EDGE_SOURCES) SET (LIBPDO_ENCLAVE_EDL ${PROJECT_EDL} PARENT_SCOPE) + +# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +# Enclave configuration file +# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + +ADD_CUSTOM_COMMAND( + OUTPUT ${PROJECT_CONFIG} + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/prepare_enclave_xml.sh ${CMAKE_CURRENT_SOURCE_DIR}/${PROJECT_CONFIG}.in ${PROJECT_CONFIG}) +ADD_CUSTOM_TARGET(prepare_enclave_xml DEPENDS ${PROJECT_CONFIG}) +SET_PROPERTY( + TARGET prepare_enclave_xml + APPEND + PROPERTY ADDITIONAL_CLEAN_FILES ${PROJECT_CONFIG}) + # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # Compile targets # XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX @@ -43,5 +57,8 @@ TARGET_LINK_LIBRARIES(${PROJECT_NAME} ${COMMON_TRUSTED_LIBS}) TARGET_LINK_LIBRARIES(${PROJECT_NAME} -Wl,--end-group) SGX_PREPARE_TRUSTED_LINK(${PROJECT_NAME}) + +# add dependency to ensure that enclave configuration file is created before post-build sgx-sign +ADD_DEPENDENCIES(${PROJECT_NAME} prepare_enclave_xml) SGX_SIGN_ENCLAVE(${PROJECT_NAME} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem ${PROJECT_CONFIG}) SGX_DEPLOY_FILES(${PROJECT_NAME} eservice) diff --git a/eservice/lib/libpdo_enclave/pdo_enclave.config.xml b/eservice/lib/libpdo_enclave/pdo_enclave.config.xml.in similarity index 93% rename from eservice/lib/libpdo_enclave/pdo_enclave.config.xml rename to eservice/lib/libpdo_enclave/pdo_enclave.config.xml.in index c10bf1db..a2dacdde 100644 --- a/eservice/lib/libpdo_enclave/pdo_enclave.config.xml +++ b/eservice/lib/libpdo_enclave/pdo_enclave.config.xml.in @@ -23,7 +23,7 @@ limitations under the License. 1 2 1 - 0 + placeholder for !PDO_DEBUG_BUILD 0 0xFFFFFFFF diff --git a/eservice/lib/libpdo_enclave/prepare_enclave_xml.sh b/eservice/lib/libpdo_enclave/prepare_enclave_xml.sh new file mode 100755 index 00000000..31deb07c --- /dev/null +++ b/eservice/lib/libpdo_enclave/prepare_enclave_xml.sh @@ -0,0 +1,37 @@ +#!/bin/bash +# +# Copyright 2024 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This script produces the XML configuration file for signing the enclave. + +# The script only updates the DisableDebug (0/1 resp.) field based on PDO_DEBUG_BUILD (1/0 resp). +# If the variable is not set, the default value of 0 is assumed, so DisableDebug is set to 1. + +if [ $# != 2 ]; then + echo "$(basename $0) " + echo "Config XML template and output file paths are required" + exit 1 +fi + +if [ ${PDO_DEBUG_BUILD:-0} = 0 ]; then + DISABLE_DEBUG=1 +else + DISABLE_DEBUG=0 +fi + +xml2 < $1 | \ + sed '/\/EnclaveConfiguration\/DisableDebug/ s/\/'${DISABLE_DEBUG}'/' | \ + 2xml | tidy -xml -i -q > $2 + diff --git a/eservice/pdo/eservice/enclave/enclave/enclave.cpp b/eservice/pdo/eservice/enclave/enclave/enclave.cpp index a6b9c35b..e17b8e39 100644 --- a/eservice/pdo/eservice/enclave/enclave/enclave.cpp +++ b/eservice/pdo/eservice/enclave/enclave/enclave.cpp @@ -432,17 +432,16 @@ namespace pdo { Enclave::QuerySgxStatus(); sgx_launch_token_t token = { 0 }; - int flags = SGX_DEBUG_FLAG; - pdo::error::ThrowSgxError((SGX_DEBUG_FLAG==0 ? SGX_ERROR_UNEXPECTED:SGX_SUCCESS), - "SGX DEBUG flag is 0 (possible cause: wrong compile flags)"); + + pdo::logger::LogV(PDO_LOG_DEBUG, "LoadEnclave, SGX_DEBUG_FLAG: %d", SGX_DEBUG_FLAG); // First attempt to load the enclave executable sgx_status_t ret = SGX_SUCCESS; - ret = this->CallSgx([this, flags, &token] () { + ret = this->CallSgx([this, &token] () { int updated = 0; return sgx_create_enclave( this->enclaveFilePath.c_str(), - flags, + SGX_DEBUG_FLAG, &token, &updated, &this->enclaveId, diff --git a/eservice/setup.py b/eservice/setup.py index 9427bf07..9f100538 100644 --- a/eservice/setup.py +++ b/eservice/setup.py @@ -59,7 +59,7 @@ ## ----------------------------------------------------------------- ## set up the contract enclave ## ----------------------------------------------------------------- -debug_flag = os.environ.get('PDO_DEBUG_BUILD',0) +debug_flag = os.environ.get('PDO_DEBUG_BUILD', False) in ("1") module_path = 'pdo/eservice/enclave' module_src_path = os.path.join(script_dir, module_path) @@ -132,6 +132,12 @@ ('SGX_SIMULATOR', SGX_SIMULATOR_value) ] +# When the debug flag (PDO_DEBUG_BUILD) is set, we set the EDEBUG define +# This ensures that the SGX SDK in sgx_urts.h sets the SGX_DEBUG_FLAG to 1. +# Otherwise the SDK sets it to 0. +if debug_flag : + compile_defs.append(('EDEBUG', None)) + swig_flags = ['-c++', '-threads'] enclave_module = Extension( @@ -142,8 +148,7 @@ libraries = libraries, include_dirs = include_dirs, library_dirs = library_dirs, - define_macros = compile_defs, - undef_macros = ['NDEBUG', 'EDEBUG'] + define_macros = compile_defs ) ## -----------------------------------------------------------------