From 85501d8993cf563af1ec386092b99c3d55ae5933 Mon Sep 17 00:00:00 2001 From: "Hui, Chunyang" Date: Thu, 30 Jul 2020 09:58:32 +0000 Subject: [PATCH] Improve implementation for `occlum build` This commit mainly accomplishes two things: 1. Use makefile to manage dependencies for `occlum build`, which can save lots of time 2. Take dirs `build`, `run` outside from `.occlum`. Remove env var "OCCLUM_INSTANCE_DIR" --- README.md | 6 +- demos/embedded_mode/bench_driver/main.c | 1 - demos/gdb_support/gdb_sample_on_occlum.sh | 2 +- demos/local_attestation/AppInitiator/app.cpp | 7 +- src/exec/src/bin/occlum_exec_server.rs | 19 +- src/pal/include/occlum_pal_api.h | 14 +- src/run/main.c | 10 - test/Makefile | 2 +- tools/Makefile | 1 + tools/occlum | 232 ++++++------------- tools/occlum-gen-default-occlum-json | 4 +- tools/occlum_build.mk | 139 +++++++++++ 12 files changed, 231 insertions(+), 206 deletions(-) create mode 100644 tools/occlum_build.mk diff --git a/README.md b/README.md index d58d0a46..110e282c 100644 --- a/README.md +++ b/README.md 
@@ -30,12 +30,12 @@ Hello World ``` Note that the Occlum toolchain is not cross-compiling in the traditional sense: the binaries built by the Occlum toolchain is also runnable on Linux. This property makes it convenient to compile, debug, and test user programs intended for Occlum. -**Step 2. Initialize a directory as the Occlum context via `occlum init`** +**Step 2. Initialize a directory as the Occlum instance via `occlum init`** ``` $ mkdir occlum_context && cd occlum_context $ occlum init ``` -The `occlum init` command creates in the current working directory a new directory named `.occlum`, which contains the compile-time and run-time state of Occlum. Each Occlum context should be used for a single instance of an application; multiple applications or different instances of a single application should use different Occlum contexts. +The `occlum init` command creates the compile-time and run-time state of Occlum in the current working directory. Each Occlum instance directory should be used for a single instance of an application; multiple applications or different instances of a single application should use different Occlum instances. **Step 3. Generate a secure Occlum FS image and Occlum SGX enclave via `occlum build`** ``` 
@@ -62,7 +62,7 @@ The `occlum run` command starts up an Occlum SGX enclave, which, behind the scen ### Config Occlum -Occlum can be configured easily via a config file named `Occlum.json`, which is generated by the `occlum init` command in the Occlum context directory. The user can modify `Occlum.json` to config Occlum. A sample of `Occlum.json` is shown below. Some comments are added to provide a brief explanation. +Occlum can be configured easily via a config file named `Occlum.json`, which is generated by the `occlum init` command in the Occlum instance directory. The user can modify `Occlum.json` to config Occlum. A sample of `Occlum.json` is shown below. Some comments are added to provide a brief explanation. ```js { // Resource limits diff --git a/demos/embedded_mode/bench_driver/main.c b/demos/embedded_mode/bench_driver/main.c index 626b5722..c241b528 100644 --- a/demos/embedded_mode/bench_driver/main.c +++ b/demos/embedded_mode/bench_driver/main.c @@ -44,7 +44,6 @@ int main(int argc, char *argv[]) { // Init Occlum PAL occlum_pal_attr_t pal_attr = OCCLUM_PAL_ATTR_INITVAL; - pal_attr.instance_dir = ".occlum"; if (occlum_pal_init(&pal_attr) < 0) { return EXIT_FAILURE; } diff --git a/demos/gdb_support/gdb_sample_on_occlum.sh b/demos/gdb_support/gdb_sample_on_occlum.sh index fa6e57be..a903a50c 100755 --- a/demos/gdb_support/gdb_sample_on_occlum.sh +++ b/demos/gdb_support/gdb_sample_on_occlum.sh @@ -3,7 +3,7 @@ set -e rm -rf occlum_context && mkdir -p occlum_context cd occlum_context -# 1. Initialize a directory as the Occlum context +# 1. Initialize a directory as the Occlum instance occlum init # 2. Generate a secure Occlum FS image and Occlum SGX enclave diff --git a/demos/local_attestation/AppInitiator/app.cpp b/demos/local_attestation/AppInitiator/app.cpp index 67a4b6d0..f1da55bf 100644 --- a/demos/local_attestation/AppInitiator/app.cpp +++ b/demos/local_attestation/AppInitiator/app.cpp 
@@ -24,7 +24,6 @@ int main(int argc, char *argv[]) { sgx_launch_token_t token = {0}; sgx_status_t status; int exit_status = 0; - const char *occlum_instance_dir = ".occlum"; const char *cmd_path = "/bin/responder"; // Prepare cmd path and arguments const char *cmd_args[] = {NULL}; @@ -38,10 +37,8 @@ int main(int argc, char *argv[]) { } printf("succeed to load enclave %s\n", ENCLAVE_INITIATOR_NAME); - struct occlum_pal_attr attr { - .instance_dir = occlum_instance_dir, - .log_level = (const char *) getenv("OCCLUM_LOG_LEVEL"), - }; + occlum_pal_attr_t pal_attr = OCCLUM_PAL_ATTR_INITVAL; + pal_attr.log_level = (const char *) getenv("OCCLUM_LOG_LEVEL"); if (occlum_pal_init(&attr) < 0) { return EXIT_FAILURE; } diff --git a/src/exec/src/bin/occlum_exec_server.rs b/src/exec/src/bin/occlum_exec_server.rs index 24e6c068..0d946036 100644 --- a/src/exec/src/bin/occlum_exec_server.rs +++ b/src/exec/src/bin/occlum_exec_server.rs @@ -118,15 +118,11 @@ extern "C" { #[repr(C)] /// Occlum PAL attributes. Defined by occlum pal. pub struct occlum_pal_attr_t { - /// Occlum instance dir. + /// Occlum instance directory. /// - /// Specifies the path of an Occlum instance directory. Usually, this - /// directory is initialized by executing "occlum init" command, which - /// creates a hidden directory named ".occlum/". This ".occlum/" is an - /// Occlum instance directory. The name of the directory is not necesarrily - /// ".occlum"; it can be renamed to an arbitrary name. - /// - /// Mandatory field. Must not be NULL. + /// Specifies the path of an Occlum instance directory, which is usually created with the + /// `occlum new` command. The default value is "."; that is, the current working directory + /// is the Occlum instance directory. pub instance_dir: *const libc::c_char, /// Log level. /// 
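Review bot: The context line that follows the rewritten initialization, `if (occlum_pal_init(&attr) < 0) {`, still names `attr`, but the new side declares the attributes as `pal_attr`, so main() in demos/local_attestation/AppInitiator/app.cpp no longer compiles unless some other `attr` is in scope outside the hunk. The call should become `if (occlum_pal_init(&pal_attr) < 0) {`. The body of main() continues outside the hunk.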
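Review bot: The rewritten doc comment on `instance_dir` says the directory is "usually created with the `occlum new` command", while the README and tools/occlum hunks in this same patch only ever show `occlum init` (tools/occlum defines cmd_init and no cmd_new). Unless `occlum new` is being introduced elsewhere, the comment should say `occlum init` in place of `occlum new`. The identical wording appears in the src/pal/include/occlum_pal_api.h hunk at -21,15 +21,11 and should be kept in sync with this one.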
@@ -139,12 +135,7 @@ pub struct occlum_pal_attr_t { /// Loads and initializes the Occlum enclave image fn rust_occlum_pal_init() -> Result<(), i32> { - let mut instance_dir = OsString::from("./.occlum\0"); - if let Some(val) = env::var_os("OCCLUM_INSTANCE_DIR") { - instance_dir = val; - instance_dir.push("\0"); - }; - + let instance_dir = OsString::from(".\0"); let mut log_level = OsString::from("off\0"); if let Some(val) = env::var_os("OCCLUM_LOG_LEVEL") { log_level = val; diff --git a/src/pal/include/occlum_pal_api.h b/src/pal/include/occlum_pal_api.h index 46c9e5a2..a8f52ecc 100644 --- a/src/pal/include/occlum_pal_api.h +++ b/src/pal/include/occlum_pal_api.h @@ -21,15 +21,11 @@ int occlum_pal_get_version(void); * Occlum PAL attributes */ typedef struct occlum_pal_attr { - // Occlum instance dir. + // Occlum instance directory. // - // Specifies the path of an Occlum instance directory. Usually, this - // directory is initialized by executing "occlum init" command, which - // creates a hidden directory named ".occlum/". This ".occlum/" is an - // Occlum instance directory. The name of the directory is not necesarrily - // ".occlum"; it can be renamed to an arbitrary name. - // - // Mandatory field. Must not be NULL. + // Specifies the path of an Occlum instance directory, which is usually created with the + // `occlum new` command. The default value is "."; that is, the current working directory + // is the Occlum instance directory. const char *instance_dir; // Log level. // @@ -41,7 +37,7 @@ typedef struct occlum_pal_attr { } occlum_pal_attr_t; #define OCCLUM_PAL_ATTR_INITVAL { \ - .instance_dir = NULL, \ + .instance_dir = ".", \ .log_level = NULL \ } diff --git a/src/run/main.c b/src/run/main.c index f9794eb0..41cc5502 100644 --- a/src/run/main.c +++ b/src/run/main.c 
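Review bot: The new comment on `instance_dir` in occlum_pal_api.h drops the former "Mandatory field. Must not be NULL." sentence, yet the field is still a `const char *` that a caller who zero-initializes `occlum_pal_attr_t` instead of using `OCCLUM_PAL_ATTR_INITVAL` will leave NULL. Either keep the constraint, e.g. `// Must not be NULL; OCCLUM_PAL_ATTR_INITVAL supplies the "." default.`, or, if occlum_pal_init now accepts NULL, say what it does with it. The struct definition continues outside the hunk.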
@@ -6,15 +6,6 @@ #include #include -static const char *get_instance_dir(void) { - const char *instance_dir_from_env = (const char *) getenv("OCCLUM_INSTANCE_DIR"); - if (instance_dir_from_env != NULL) { - return instance_dir_from_env; - } else { - return "./.occlum"; - } -} - int main(int argc, char *argv[]) { // Parse arguments if (argc < 2) { @@ -34,7 +25,6 @@ int main(int argc, char *argv[]) { // Init Occlum PAL struct occlum_pal_attr attr = OCCLUM_PAL_ATTR_INITVAL; - attr.instance_dir = get_instance_dir(); attr.log_level = getenv("OCCLUM_LOG_LEVEL"); if (occlum_pal_init(&attr) < 0) { return EXIT_FAILURE; diff --git a/test/Makefile b/test/Makefile index e9f8b682..9619acd5 100644 --- a/test/Makefile +++ b/test/Makefile @@ -60,7 +60,7 @@ $(BUILD_TARGETS): %: postbuild: @cd $(BUILD_DIR)/test && \ - $(BUILD_DIR)/bin/occlum build + $(BUILD_DIR)/bin/occlum build -f ############################################################################# # Test targets diff --git a/tools/Makefile b/tools/Makefile index 4122b487..f3fd4454 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -5,6 +5,7 @@ BUILD_DIR := build all: @mkdir -p ../$(BUILD_DIR)/bin/ + @ln -s -f ../../tools/occlum_build.mk ../$(BUILD_DIR)/bin/occlum_build.mk @ln -s -f ../../tools/occlum ../$(BUILD_DIR)/bin/occlum @ln -s -f ../../tools/occlum-gen-default-occlum-json ../$(BUILD_DIR)/bin/occlum-gen-default-occlum-json @$(MAKE) --no-print-directory -C protect-integrity diff --git a/tools/occlum b/tools/occlum index 34d46b57..543f4665 100755 --- a/tools/occlum +++ b/tools/occlum @@ -2,6 +2,7 @@ this_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" occlum_dir="$( cd "$( dirname "$this_dir/../../../" )" >/dev/null 2>&1 && pwd )" +build_makefile=$occlum_dir/build/bin/occlum_build.mk if [[ "$occlum_dir" == "/opt/occlum" ]]; then version_header=$occlum_dir/include/occlum_version.h 
@@ -14,11 +15,9 @@ minor_ver=`grep '\#define OCCLUM_MINOR_VERSION' $version_header | awk '{print $ patch_ver=`grep '\#define OCCLUM_PATCH_VERSION' $version_header | awk '{print $3}'` occlum_version="$major_ver.$minor_ver.$patch_ver" -if [ -z $OCCLUM_INSTANCE_DIR ];then - OCCLUM_INSTANCE_DIR=".occlum" -fi -working_dir=`pwd` -context_dir="$working_dir/$OCCLUM_INSTANCE_DIR" +instance_dir=`pwd` + +status_file=$instance_dir/.__occlum_status SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}" SGX_GDB="$SGX_SDK/bin/sgx-gdb" @@ -36,10 +35,13 @@ report_arg_error() { cat <] [--sign-tool ] - Generate a secure Occlum FS image and Occlum SGX enclave. + occlum build [--sign-key ] [--sign-tool ] [-f/--force] + Build and sign an Occlum SGX enclave (.so) and generate its associated secure FS image + according to the user-provided image directory and Occlum.json config file. + The whole building process is incremental: the building artifacts are built only when needed. + To force rebuilding all artifacts, give the [-f/--force] flag. occlum run Run the user program inside an SGX enclave. 
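Review bot: `instance_dir` and `status_file` are introduced here but used with inconsistent quoting later in the script: cmd_init, cmd_build, cmd_run and cmd_start write `> $status_file` and read `cat $instance_dir/.sgx_mode` unquoted, while cmd_exec, cmd_stop, cmd_gdb and cmd_status quote them. Because `instance_dir` is the user's working directory, a path containing whitespace or glob characters breaks the unquoted `cat` argument, and the unquoted redirects only work because bash does not word-split redirection targets outside POSIX mode. I would write `instance_dir=$(pwd)` instead of backticks and quote every use as `"$status_file"` and `"$instance_dir/.sgx_mode"`, in the hunks at -114, -173, -235 and -247 as well as this one.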
@@ -51,54 +53,9 @@ Usage: EOF } -get_conf_root_fs_mac() { - LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" \ - "$occlum_dir/build/bin/occlum-protect-integrity" show-mac "$context_dir/build/mount/__ROOT/metadata" -} - -get_conf_default_stack_size() { - cat "$working_dir/Occlum.json" | \ - python -c "import sys, json; print json.load(sys.stdin)['process']['default_stack_size']" -} - -get_conf_default_heap_size() { - cat "$working_dir/Occlum.json" | \ - python -c "import sys, json; print json.load(sys.stdin)['process']['default_heap_size']" -} - -get_conf_default_mmap_size() { - cat "$working_dir/Occlum.json" | \ - python -c "import sys, json; print json.load(sys.stdin)['process']['default_mmap_size']" -} - -get_conf_user_space_size() { - cat "$working_dir/Occlum.json" | \ - python -c "import sys, json; print json.load(sys.stdin)['resource_limits']['user_space_size']" -} - -get_conf_env() { - cat "$working_dir/Occlum.json" | \ - python -c "import sys, json; print json.dumps(json.load(sys.stdin)['env'])" -} - -get_conf_entry_points() { - cat "$working_dir/Occlum.json" | \ - python -c "import sys, json; print json.dumps(json.load(sys.stdin)['entry_points'])" -} - -get_occlum_conf_file_mac() { - LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" \ - "$occlum_dir/build/bin/occlum-protect-integrity" show-mac "$context_dir/build/Occlum.json.protected" -} - -parse_occlum_user_space_size() { - local size_with_unit=`get_conf_user_space_size` - numfmt --from=iec ${size_with_unit::-1} -} - check_has_init() { - if [ ! -d "$context_dir" ]; then - echo "Error: the current working directory is not initialized as an Occlum context. Need to run \"occlum init\" first." + if [ ! -f "$status_file" ]; then + echo "Error: the current working directory is not initialized as an Occlum instance. Need to run \"occlum init\" first." exit 1 fi } 
@@ -106,7 +63,7 @@ check_has_init() { check_has_built() { check_has_init - if [ ! -d "$context_dir/run/mount/__ROOT" ]; then + if [ ! -d "$instance_dir/run/mount/__ROOT" ]; then echo "Error: the Occlum image and enclave are not built yet. Need to run \"occlum build\" first." exit 1 fi @@ -114,16 +71,14 @@ check_has_built() { cmd_init() { - if [ -d "$context_dir" ]; then - echo "Error: the current working directory has been initialized as an Occlum context" + if [ -f "$status_file" ]; then + echo "Error: the current working directory has been initialized as an Occlum instance" exit 1 fi - mkdir "$context_dir" - cd "$context_dir" - echo "initialized" > status + echo "initialized" > $status_file - cd "$working_dir" + cd "$instance_dir" mkdir -p image mkdir -p image/bin mkdir -p image/lib @@ -139,10 +94,10 @@ cmd_init() { "$occlum_gcc_lib/libgcc_s.so.1" \ "$occlum_gcc_lib/libgomp.so.1" - cp "$occlum_dir"/etc/template/Occlum.json "$working_dir"/ - chmod 644 "$working_dir"/Occlum.json + cp "$occlum_dir"/etc/template/Occlum.json "$instance_dir"/ + chmod 644 "$instance_dir"/Occlum.json - echo "Initialized an Occlum context in $working_dir" + echo "$instance_dir initialized as an Occlum instance" } cmd_build() { @@ -155,7 +110,8 @@ cmd_build() { case "$1" in --sign-key) [ -n "$2" ] && ENCLAVE_SIGN_KEY=$2 ; shift 2 || exit_error "empty signing key path" ;; --sign-tool) [ -n "$2" ] && ENCLAVE_SIGN_TOOL=$2 ; shift 2 || exit_error "empty signing tool path" ;; - --sgx-mode) [[ -n "$2" && "$2" != "HW" ]] && export SGX_MODE=SIM; shift 2 || exit_error "empty sgx mode";; + --sgx-mode) [[ -n "$2" && "$2" != "HW" ]] && export SGX_MODE=SIM ; shift 2 || exit_error "empty sgx mode";; + --force | -f) MAKE_OPTION="--always-make" ; shift ;; *) exit_error "Unknown option: $1" ;; esac done 
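Review bot: In cmd_init, `cd "$instance_dir"` after writing the status file is now a no-op, since `instance_dir` is the directory the script was started in and nothing earlier in cmd_init changes directory, so the line can simply be dropped. The following `mkdir -p image` lines already run in that directory.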
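Review bot: The new `--force | -f` branch in cmd_build sets `MAKE_OPTION`, which is later expanded unquoted into `make -f $build_makefile $MAKE_OPTION`; if cmd_build does not reset the variable before the option loop (the loop's start is outside this hunk), a `MAKE_OPTION` inherited from the caller's environment is silently handed to make. I would add `MAKE_OPTION=""` next to the other option defaults at the top of cmd_build so only the `-f` flag or the sgx-mode check can set it.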
@@ -173,61 +129,27 @@ cmd_build() { echo "SGX mode: HW" fi - cd "$context_dir" - echo "building" > status + # If sgx mode is changed, build thoroughly again + if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then + if [ "$(cat $instance_dir/.sgx_mode 2>/dev/null)" != "SIM" ]; then + MAKE_OPTION="--always-make" + fi + else + #HW mode + if [ "$(cat $instance_dir/.sgx_mode 2>/dev/null)" != "HW" ]; then + MAKE_OPTION="--always-make" + fi + fi - rm -rf build - rm -rf run + rm -rf "$instance_dir/run" - mkdir -p build/bin - ln -s $occlum_dir/build/bin/occlum-run $context_dir/build/bin/occlum-run - mkdir -p build/lib - cp "$occlum_dir/build/lib/$pal_lib.$occlum_version" build/lib/ - cd build/lib && ln -sf "$pal_lib.$occlum_version" "libocclum-pal.so.$major_ver" && \ - ln -sf "libocclum-pal.so.$major_ver" libocclum-pal.so && cd - + occlum_dir=$occlum_dir instance_dir=$instance_dir pal_lib=$pal_lib major_ver=$major_ver \ + occlum_version=$occlum_version libos_lib=$libos_lib ENCLAVE_SIGN_KEY=$ENCLAVE_SIGN_KEY \ + ENCLAVE_SIGN_TOOL=$ENCLAVE_SIGN_TOOL \ + make -f $build_makefile $MAKE_OPTION - mkdir -p build/mount/ - cd "$occlum_dir/build/bin/" && \ - LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" ./sefs-cli \ - --integrity-only \ - "$context_dir/build/mount/__ROOT" \ - "$working_dir/image" \ - zip - - export OCCLUM_CONF_ROOT_FS_MAC=`get_conf_root_fs_mac` - export OCCLUM_CONF_USER_SPACE_SIZE=`get_conf_user_space_size` - export OCCLUM_CONF_DEFAULT_STACK_SIZE=`get_conf_default_stack_size` - export OCCLUM_CONF_DEFAULT_HEAP_SIZE=`get_conf_default_heap_size` - export OCCLUM_CONF_DEFAULT_MMAP_SIZE=`get_conf_default_mmap_size` - export OCCLUM_CONF_ENV=`get_conf_env` - export OCCLUM_CONF_ENTRY_POINTS=`get_conf_entry_points` - cd "$context_dir/build" - "$occlum_dir/build/bin/occlum-gen-default-occlum-json"\ - > "Occlum.json" - LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" "$occlum_dir/build/bin/occlum-protect-integrity" protect Occlum.json - - export OCCLUM_BUILTIN_CONF_FILE_MAC=`get_occlum_conf_file_mac` - 
echo "EXPORT => OCCLUM_BUILTIN_CONF_FILE_MAC = $OCCLUM_BUILTIN_CONF_FILE_MAC" - export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`parse_occlum_user_space_size` - echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE" - - cd $context_dir/build/lib && \ - cp "$occlum_dir/build/lib/$libos_lib.$occlum_version" . && ln -sf "$libos_lib.$occlum_version" "libocclum-libos.so.$major_ver" && \ - ln -sf "libocclum-libos.so.$major_ver" libocclum-libos.so - echo -e "$OCCLUM_BUILTIN_CONF_FILE_MAC\c" > temp_mac_file && \ - objcopy --update-section .builtin_config=temp_mac_file libocclum-libos.so.$major_ver && \ - rm temp_mac_file - - $occlum_dir/build/bin/gen_enclave_conf -i "$working_dir/Occlum.json" -o "$context_dir/build/Enclave.xml" - - $ENCLAVE_SIGN_TOOL sign \ - -key $ENCLAVE_SIGN_KEY \ - -config "$context_dir/build/Enclave.xml" \ - -enclave "$context_dir/build/lib/libocclum-libos.so.$major_ver" \ - -out "$context_dir/build/lib/libocclum-libos.signed.so" - rm -f "$context_dir/build/Enclave.xml" - cd "$context_dir" - echo "built" > status + cd "$instance_dir" + echo "built" > $status_file if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then echo "SIM" > .sgx_mode @@ -235,11 +157,8 @@ cmd_build() { echo "HW" > .sgx_mode fi - mkdir -p "$context_dir/run/mount/__ROOT" - mkdir -p "$context_dir/run/mount/tmp" - - ln -s $occlum_dir/build/bin/occlum_exec_client $context_dir/build/bin/occlum_exec_client - ln -s $occlum_dir/build/bin/occlum_exec_server $context_dir/build/bin/occlum_exec_server + mkdir -p "$instance_dir/run/mount/__ROOT" + mkdir -p "$instance_dir/run/mount/tmp" echo "Built the Occlum image and enclave successfully" } 
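Review bot: The mode-change check in cmd_build duplicates the same `cat .sgx_mode` comparison in both branches and re-derives the SIM/HW decision that the tail of the function makes a second time when writing `.sgx_mode`. Computing the target mode once keeps both in agreement: `new_sgx_mode=HW`, `if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then new_sgx_mode=SIM; fi`, `if [ "$(cat "$instance_dir/.sgx_mode" 2>/dev/null)" != "$new_sgx_mode" ]; then MAKE_OPTION="--always-make"; fi`, after which the two `echo "SIM"/"HW" > .sgx_mode` lines become a single `echo "$new_sgx_mode" > .sgx_mode`. Note also that `run/` is removed before make runs while `.sgx_mode` is only rewritten afterwards; with the script's `set -e` (set before dispatch, presumably still in effect here) a failed make leaves the old mode recorded and no `run/` directory, which `check_has_built` correctly reports as "not built yet", but a one-line comment stating that intended ordering would help the next reader.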
@@ -247,95 +166,90 @@ cmd_build() { cmd_run() { check_has_built - SGX_MODE=$(cat $context_dir/.sgx_mode) + SGX_MODE=$(cat $instance_dir/.sgx_mode) if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then - export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" + export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/" else - export LD_LIBRARY_PATH="$context_dir/build/lib" + export LD_LIBRARY_PATH="$instance_dir/build/lib" fi - cd "$working_dir" - echo "running" > "$context_dir/status" + echo "running" > $status_file - RUST_BACKTRACE=1 "$context_dir/build/bin/occlum-run" "$@" + RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum-run" "$@" - echo "built" > "$context_dir/status" + echo "built" > $status_file } cmd_start() { check_has_built - SGX_MODE=$(cat $context_dir/.sgx_mode) + SGX_MODE=$(cat $instance_dir/.sgx_mode) if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then - export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" + export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/" else - export LD_LIBRARY_PATH="$context_dir/build/lib" + export LD_LIBRARY_PATH="$instance_dir/build/lib" fi - cd "$working_dir" - echo "running" > "$context_dir/status" + echo "running" > $status_file - RUST_BACKTRACE=1 "$context_dir/build/bin/occlum_exec_client" start + RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" start - echo "built" > "$context_dir/status" + echo "built" > $status_file } cmd_exec() { check_has_built - SGX_MODE=$(cat $context_dir/.sgx_mode) + SGX_MODE=$(cat $instance_dir/.sgx_mode) if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then - export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" + export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/" else - export LD_LIBRARY_PATH="$context_dir/build/lib" + export LD_LIBRARY_PATH="$instance_dir/build/lib" fi - cd "$working_dir" - echo "running" > "$context_dir/status" + echo "running" > "$status_file" - RUST_BACKTRACE=1 
"$context_dir/build/bin/occlum_exec_client" exec -- "$@" + RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" exec -- "$@" - echo "built" > "$context_dir/status" + echo "built" > "$status_file" } cmd_stop() { check_has_built - SGX_MODE=$(cat $context_dir/.sgx_mode) + SGX_MODE=$(cat $instance_dir/.sgx_mode) if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then - export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" + export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/" else - export LD_LIBRARY_PATH="$context_dir/build/lib" + export LD_LIBRARY_PATH="$instance_dir/build/lib" fi - cd "$working_dir" - echo "running" > "$context_dir/status" + echo "running" > "$status_file" - RUST_BACKTRACE=1 "$context_dir/build/bin/occlum_exec_client" stop -t 0 + RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" stop -t 0 - echo "built" > "$context_dir/status" + echo "built" > "$status_file" } cmd_gdb() { check_has_built - SGX_MODE=$(cat $context_dir/.sgx_mode) + SGX_MODE=$(cat $instance_dir/.sgx_mode) if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then - export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" + export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/" else - export LD_LIBRARY_PATH="$context_dir/build/lib" + export LD_LIBRARY_PATH="$instance_dir/build/lib" fi - cd "$working_dir" - echo "debugging" > "$context_dir/status" + echo "debugging" > "$status_file" - OCCLUM_GDB=1 $SGX_GDB --args "$context_dir/build/bin/occlum-run" "$@" + OCCLUM_GDB=1 $SGX_GDB --args "$instance_dir/build/bin/occlum-run" "$@" - echo "built" > "$context_dir/status" + echo "built" > "$status_file" } cmd_status() { - cat "$context_dir/status" + cat "$status_file" } set -e diff --git a/tools/occlum-gen-default-occlum-json b/tools/occlum-gen-default-occlum-json index 6ed7800d..789062aa 100755 --- a/tools/occlum-gen-default-occlum-json +++ b/tools/occlum-gen-default-occlum-json 
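Review bot: cmd_run, cmd_start, cmd_exec, cmd_stop and cmd_gdb each repeat the same block that reads `.sgx_mode` and exports `LD_LIBRARY_PATH`, and this hunk rewrites every one of those lines, so it is the natural place to factor them into one helper. Doing so also removes the quoting drift between the copies (`cat $instance_dir/.sgx_mode` and `> $status_file` are unquoted in cmd_run and cmd_start but quoted in the other three). The `set -e` and dispatch code after the functions is outside the hunk.
```shell
# Export LD_LIBRARY_PATH for the SGX mode recorded by `occlum build`.
# Shared by cmd_run, cmd_start, cmd_exec, cmd_stop and cmd_gdb.
setup_run_env() {
    SGX_MODE=$(cat "$instance_dir/.sgx_mode")
    if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
        export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/"
    else
        export LD_LIBRARY_PATH="$instance_dir/build/lib"
    fi
}

cmd_run() {
    check_has_built
    setup_run_env

    echo "running" > "$status_file"
    # … unchanged: occlum-run invocation and the final status write …
}
# … unchanged: cmd_start, cmd_exec, cmd_stop, cmd_gdb call setup_run_env the same way …
```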
@@ -1,8 +1,6 @@ #!/bin/bash -if [ -z $OCCLUM_INSTANCE_DIR ];then - OCCLUM_INSTANCE_DIR=".occlum" -fi +OCCLUM_INSTANCE_DIR="." cat </dev/null || true) + IMAGE_FILES := $(shell find $(IMAGE) -type f 2>/dev/null || true) +endif + +SHELL:=/bin/bash + +define get_conf_root_fs_mac + LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" \ + "$(occlum_dir)/build/bin/occlum-protect-integrity" show-mac "$(instance_dir)/build/mount/__ROOT/metadata" +endef + +define get_conf_default_stack_size + cat "$(JSON_CONF)" | \ + python -c "import sys, json; print json.load(sys.stdin)['process']['default_stack_size']" +endef + +define get_conf_default_heap_size + cat "$(JSON_CONF)" | \ + python -c "import sys, json; print json.load(sys.stdin)['process']['default_heap_size']" +endef + +define get_conf_default_mmap_size + cat "$(JSON_CONF)" | \ + python -c "import sys, json; print json.load(sys.stdin)['process']['default_mmap_size']" ['resource_limits']['user_space_size'] +endef + +define get_conf_user_space_size + cat "$(JSON_CONF)" | \ + python -c "import sys, json; print json.load(sys.stdin)['resource_limits']['user_space_size']" +endef + +define get_conf_env + cat "$(JSON_CONF)" | \ + python -c "import sys, json; print json.dumps(json.load(sys.stdin)['env'])" +endef + +define get_conf_entry_points + cat "$(JSON_CONF)" | \ + python -c "import sys, json; print json.dumps(json.load(sys.stdin)['entry_points'])" +endef + +define get_occlum_conf_file_mac + LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" \ + "$(occlum_dir)/build/bin/occlum-protect-integrity" show-mac "$(instance_dir)/build/Occlum.json.protected" +endef + +define parse_occlum_user_space_size + size_with_unit=$$($(get_conf_user_space_size)); echo $${size_with_unit:0:-1} | numfmt --from=iec +endef + + +.PHONY : all + +all: $(SIGNED_ENCLAVE) $(BIN_LINKS) $(LIB_LINKS) + +$(SIGNED_ENCLAVE): $(LIBOS) + @echo "Signing the enclave..." 
+ @$(occlum_dir)/build/bin/gen_enclave_conf -i "$(instance_dir)/Occlum.json" -o "$(instance_dir)/build/Enclave.xml" + + @$(ENCLAVE_SIGN_TOOL) sign \ + -key $(ENCLAVE_SIGN_KEY) \ + -config "$(instance_dir)/build/Enclave.xml" \ + -enclave "$(instance_dir)/build/lib/libocclum-libos.so.$(major_ver)" \ + -out "$(instance_dir)/build/lib/libocclum-libos.signed.so" + +$(LIBOS): $(instance_dir)/build/Occlum.json.protected + @echo "Building libOS..." + @export OCCLUM_BUILTIN_CONF_FILE_MAC=`$(get_occlum_conf_file_mac)` ; \ + echo "EXPORT => OCCLUM_BUILTIN_CONF_FILE_MAC = $$OCCLUM_BUILTIN_CONF_FILE_MAC" ; \ + export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=$$($(parse_occlum_user_space_size)) ; \ + echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $$OCCLUM_BUILTIN_VM_USER_SPACE_SIZE" ; \ + cd $(instance_dir)/build/lib && \ + cp "$(occlum_dir)/build/lib/$(libos_lib).$(occlum_version)" . && ln -sf "$(libos_lib).$(occlum_version)" "libocclum-libos.so.$(major_ver)" && \ + ln -sf "libocclum-libos.so.$(major_ver)" libocclum-libos.so ; \ + echo -e "$$OCCLUM_BUILTIN_CONF_FILE_MAC\c" > temp_mac_file && \ + objcopy --update-section .builtin_config=temp_mac_file libocclum-libos.so && \ + rm temp_mac_file + +$(instance_dir)/build/Occlum.json.protected: $(instance_dir)/build/Occlum.json + @cd "$(instance_dir)/build" ; \ + LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" "$(occlum_dir)/build/bin/occlum-protect-integrity" protect Occlum.json ; + +$(instance_dir)/build/Occlum.json: $(SECURE_IMAGE) $(JSON_CONF) | $(instance_dir)/build/lib + @export OCCLUM_CONF_ROOT_FS_MAC=`$(get_conf_root_fs_mac)` ; \ + export OCCLUM_CONF_USER_SPACE_SIZE=`$(get_conf_user_space_size)` ; \ + export OCCLUM_CONF_DEFAULT_STACK_SIZE=`$(get_conf_default_stack_size)` ; \ + export OCCLUM_CONF_DEFAULT_HEAP_SIZE=`$(get_conf_default_heap_size)` ; \ + export OCCLUM_CONF_DEFAULT_MMAP_SIZE=`$(get_conf_default_mmap_size)` ; \ + export OCCLUM_CONF_ENV="`$(get_conf_env)`" ; \ + export OCCLUM_CONF_ENTRY_POINTS=`$(get_conf_entry_points)` ; \ + cd 
"$(instance_dir)/build" ; \ + "$(occlum_dir)/build/bin/occlum-gen-default-occlum-json" > "Occlum.json" + +$(BIN_LINKS): $(instance_dir)/build/bin/%: $(occlum_dir)/build/bin/% | $(instance_dir)/build/bin + @ln -sf $< $@ + +$(instance_dir)/build/bin: + @mkdir -p build/bin + +$(instance_dir)/build/lib/libocclum-pal.so: +$(instance_dir)/build/lib/libocclum-pal.so.0: | $(instance_dir)/build/lib + @cp "$(occlum_dir)/build/lib/$(pal_lib).$(occlum_version)" build/lib/ + @cd build/lib && ln -sf "$(pal_lib).$(occlum_version)" "libocclum-pal.so.$(major_ver)" && \ + ln -sf "libocclum-pal.so.$(major_ver)" libocclum-pal.so + +$(instance_dir)/build/lib: + @mkdir -p build/lib + +# If image dir not exist, just use the secure Occlum FS image +ifneq ($(wildcard $(IMAGE)/. ),) +$(SECURE_IMAGE): $(IMAGE) $(IMAGE_DIRS) $(IMAGE_FILES) + @echo "Building new image..." + + @rm -rf build/mount + + @mkdir -p build/mount/ + @cd "$(occlum_dir)/build/bin/" && \ + LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" ./sefs-cli \ + --integrity-only \ + "$(instance_dir)/build/mount/__ROOT" \ + "$(instance_dir)/image" \ + zip +endif