Remove OCCLUM_RELEASE_ENCLAVE env from user commands

Also fix a bug for deployment environment.
Hui, Chunyang 2020-09-14 07:59:58 +00:00 committed by Tate, Hongliang Tian
parent bfc0576ee7
commit 668b825ef4
2 changed files with 17 additions and 9 deletions

@ -253,10 +253,11 @@ If the cause of a problem does not seem to be the app but Occlum itself, then on
By default, the `occlum build` command builds and signs enclaves in debug mode. These SGX debug-mode enclaves are intended for development and testing purposes only. For production usage, the enclaves must be signed by a key acquired from Intel (a restriction that will be lifted in the future when Flexible Launch Control is ready) and run with SGX debug support disabled.
Occlum has built-in support for both building and running enclaves in release mode. The commands are shown below:
Occlum has built-in support for both building and running enclaves in release mode.
To do that, modify `Occlum.json` [metadata]-[debuggable] field to `false`. And then run the commands below:
```
$ occlum build --sign-key <path_to/your_key.pem>
$ OCCLUM_RELEASE_ENCLAVE=yes occlum run <prog_path> <prog_args>
$ occlum run <prog_path> <prog_args>
```
Ultimately, whether an enclave is running in the release mode should be checked and judged by a trusted client through remotely attesting the enclave. See the remote attestation demo [here](demos/remote_attestation).

@ -12,7 +12,7 @@ else
occlum_sgx_env=$occlum_dir/etc/environment
fi
# For deploy environment, version header file may not exist
# For deployment environment, version header file may not exist
if [ -f "$version_header" ]; then
major_ver=`grep '\#define OCCLUM_MAJOR_VERSION' $version_header | awk '{print $3}'`
minor_ver=`grep '\#define OCCLUM_MINOR_VERSION' $version_header | awk '{print $3}'`
@ -24,10 +24,13 @@ instance_dir=`pwd`
status_file=$instance_dir/.__occlum_status
source $occlum_sgx_env
SGX_GDB="$SGX_SDK/bin/sgx-gdb"
ENCLAVE_SIGN_TOOL="$SGX_SDK/bin/x64/sgx_sign"
ENCLAVE_SIGN_KEY="$occlum_dir/etc/template/Enclave.pem"
# For deployment environment, env for sgx-sdk may not exist
if [ -f "$occlum_sgx_env" ]; then
source $occlum_sgx_env
SGX_GDB="$SGX_SDK/bin/sgx-gdb"
ENCLAVE_SIGN_TOOL="$SGX_SDK/bin/x64/sgx_sign"
ENCLAVE_SIGN_KEY="$occlum_dir/etc/template/Enclave.pem"
fi
get_enclave_debuggable_flag() {
cat "$instance_dir/Occlum.json" | \
@ -59,8 +62,6 @@ Usage:
occlum run <program_name> <program_args>
Run the user program inside an SGX enclave.
To run the enclave in SGX hardware release mode, use:
OCCLUM_RELEASE_ENCLAVE=1 occlum run <program_name> <program_args>
occlum package [<package_name>.tar.gz]
Generate a minimal, self-contained package (.tar.gz) for the Occlum instance.
@ -225,6 +226,9 @@ cmd_run() {
echo "running" > $status_file
if [ "`get_enclave_debuggable_flag`" == "False" ]; then
export OCCLUM_RELEASE_ENCLAVE=1
fi
RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum-run" "$@"
echo "built" > $status_file
@ -242,6 +246,9 @@ cmd_start() {
echo "running" > $status_file
if [ "`get_enclave_debuggable_flag`" == "False" ]; then
export OCCLUM_RELEASE_ENCLAVE=1
fi
RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" start
echo "built" > $status_file
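Review bot: The release-mode check added to cmd_run and cmd_start fails open, because `OCCLUM_RELEASE_ENCLAVE` is exported only when `get_enclave_debuggable_flag` prints exactly `False`. If `Occlum.json` is missing or unparsable, or the helper emits any other spelling, the launch silently takes the debug path, which is the unsafe direction for a production enclave. I would capture the value before the status file is set to running, with `debuggable=$(get_enclave_debuggable_flag) || exit 1`, and abort with an error on any unrecognised value instead of defaulting to debug. The variable is also never cleared, so a value inherited from the caller's environment presumably still reaches the launcher when the flag is not `False`; an `unset OCCLUM_RELEASE_ENCLAVE` ahead of the `if` would make `Occlum.json` the only input, as the commit title intends. The helper's body and both functions start and end outside these hunks, so the exact strings it prints should be confirmed there.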