From 668b825ef41f7ed259f1c6d3048739b15489c0ca Mon Sep 17 00:00:00 2001
From: "Hui, Chunyang"
Date: Mon, 14 Sep 2020 07:59:58 +0000
Subject: [PATCH] Remove OCCLUM_RELEASE_ENCLAVE env from user commands

Also fix a bug for deployment environment.
---
 README.md | 5 +++--
 tools/occlum | 21 ++++++++++++++-------
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 00295723..44ae11d8 100644
--- a/README.md
+++ b/README.md
@@ -253,10 +253,11 @@ If the cause of a problem does not seem to be the app but Occlum itself, then on
 By default, the `occlum build` command builds and signs enclaves in debug mode. These SGX debug-mode enclaves are intended for development and testing purposes only. For production usage, the enclaves must be signed by a key acquired from Intel (a restriction that will be lifted in the future when Flexible Launch Control is ready) and run with SGX debug support disabled.
-Occlum has built-in support for both building and running enclaves in release mode. The commands are shown below:
+Occlum has built-in support for both building and running enclaves in release mode.
+To do that, modify `Occlum.json` [metadata]-[debuggable] field to `false`. And then run the commands below:
 ```
 $ occlum build --sign-key
-$ OCCLUM_RELEASE_ENCLAVE=yes occlum run
+$ occlum run
 ```
 Ultimately, whether an enclave is running in the release mode should be checked and judged by a trusted client through remotely attesting the enclave. See the remote attestation demo [here](demos/remote_attestation).
diff --git a/tools/occlum b/tools/occlum
index 45b00c85..88421b7c 100755
--- a/tools/occlum
+++ b/tools/occlum
@@ -12,7 +12,7 @@ else
 occlum_sgx_env=$occlum_dir/etc/environment
 fi
-# For deploy environment, version header file may not exist
+# For deployment environment, version header file may not exist
 if [ -f "$version_header" ]; then
 major_ver=`grep '\#define OCCLUM_MAJOR_VERSION' $version_header | awk '{print $3}'`
 minor_ver=`grep '\#define OCCLUM_MINOR_VERSION' $version_header | awk '{print $3}'`
@@ -24,10 +24,13 @@ instance_dir=`pwd`
 status_file=$instance_dir/.__occlum_status
-source $occlum_sgx_env
-SGX_GDB="$SGX_SDK/bin/sgx-gdb"
-ENCLAVE_SIGN_TOOL="$SGX_SDK/bin/x64/sgx_sign"
-ENCLAVE_SIGN_KEY="$occlum_dir/etc/template/Enclave.pem"
+# For deployment environment, env for sgx-sdk may not exist
+if [ -f "$occlum_sgx_env" ]; then
+ source $occlum_sgx_env
+ SGX_GDB="$SGX_SDK/bin/sgx-gdb"
+ ENCLAVE_SIGN_TOOL="$SGX_SDK/bin/x64/sgx_sign"
+ ENCLAVE_SIGN_KEY="$occlum_dir/etc/template/Enclave.pem"
+fi
 get_enclave_debuggable_flag() {
 cat "$instance_dir/Occlum.json" | \
@@ -59,8 +62,6 @@ Usage:
 occlum run
 Run the user program inside an SGX enclave.
- To run the enclave in SGX hardware release mode, use:
- OCCLUM_RELEASE_ENCLAVE=1 occlum run
 occlum package [.tar.gz]
 Generate a minimal, self-contained package (.tar.gz) for the Occlum instance.
@@ -225,6 +226,9 @@ cmd_run() {
 echo "running" > $status_file
+ if [ "`get_enclave_debuggable_flag`" == "False" ]; then
+ export OCCLUM_RELEASE_ENCLAVE=1
+ fi
 RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum-run" "$@"
 echo "built" > $status_file
@@ -242,6 +246,9 @@ cmd_start() {
 echo "running" > $status_file
+ if [ "`get_enclave_debuggable_flag`" == "False" ]; then
+ export OCCLUM_RELEASE_ENCLAVE=1
+ fi
 RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" start
 echo "built" > $status_file
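Review bot: When `$occlum_sgx_env` is missing, the new `if [ -f "$occlum_sgx_env" ]` guard in the second hunk leaves `SGX_GDB`, `ENCLAVE_SIGN_TOOL` and `ENCLAVE_SIGN_KEY` unset, or set to whatever the caller's environment already exported, and nothing in the hunk stops a later subcommand from using them. The subcommands that consume these variables are outside the hunk, so this is inferred; if the signing or gdb paths do read them, they should stop with an explicit message rather than run an empty or inherited tool path. Adding `else` / `unset SGX_GDB ENCLAVE_SIGN_TOOL ENCLAVE_SIGN_KEY` to the guard would make the deployment case deterministic. The path in `source "$occlum_sgx_env"` should also be quoted, as it already is in the test on the line above.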
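Review bot: In `cmd_run` the flag is only ever set, never cleared: when `get_enclave_debuggable_flag` prints anything other than `False`, an `OCCLUM_RELEASE_ENCLAVE` value already exported by the caller still reaches `occlum-run`, so `Occlum.json` is not yet the only input that selects the mode. Adding `else` / `unset OCCLUM_RELEASE_ENCLAVE` closes that gap. The comparison also treats a failed helper (unreadable or malformed `Occlum.json`; the helper body is outside the hunk) the same as a debuggable enclave, so the launch presumably falls back to the debug path without any message; checking the helper's exit status and aborting would be safer for a release deployment. The identical block added to `cmd_start` in the last hunk has the same two issues, and both copies could call one small shared function. Both function bodies continue outside their hunks.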