Improve implementation for occlum build

This commit mainly accomplishes two things:
1. Use makefile to manage dependencies for `occlum build`, which can save lots of time
2. Take dirs `build`, `run` outside from `.occlum`. Remove env var "OCCLUM_INSTANCE_DIR"
Hui, Chunyang 2020-07-30 09:58:32 +00:00 committed by Tate, Hongliang Tian
parent 3f6bcec1c5
commit 85501d8993
12 changed files with 231 additions and 206 deletions

@ -30,12 +30,12 @@ Hello World
``` ```
Note that the Occlum toolchain is not cross-compiling in the traditional sense: the binaries built by the Occlum toolchain is also runnable on Linux. This property makes it convenient to compile, debug, and test user programs intended for Occlum. Note that the Occlum toolchain is not cross-compiling in the traditional sense: the binaries built by the Occlum toolchain is also runnable on Linux. This property makes it convenient to compile, debug, and test user programs intended for Occlum.
**Step 2. Initialize a directory as the Occlum context via `occlum init`** **Step 2. Initialize a directory as the Occlum instance via `occlum init`**
``` ```
$ mkdir occlum_context && cd occlum_context $ mkdir occlum_context && cd occlum_context
$ occlum init $ occlum init
``` ```
The `occlum init` command creates in the current working directory a new directory named `.occlum`, which contains the compile-time and run-time state of Occlum. Each Occlum context should be used for a single instance of an application; multiple applications or different instances of a single application should use different Occlum contexts. The `occlum init` command creates the compile-time and run-time state of Occlum in the current working directory. Each Occlum instance directory should be used for a single instance of an application; multiple applications or different instances of a single application should use different Occlum instances.
**Step 3. Generate a secure Occlum FS image and Occlum SGX enclave via `occlum build`** **Step 3. Generate a secure Occlum FS image and Occlum SGX enclave via `occlum build`**
``` ```
@ -62,7 +62,7 @@ The `occlum run` command starts up an Occlum SGX enclave, which, behind the scen
### Config Occlum ### Config Occlum
Occlum can be configured easily via a config file named `Occlum.json`, which is generated by the `occlum init` command in the Occlum context directory. The user can modify `Occlum.json` to config Occlum. A sample of `Occlum.json` is shown below. Some comments are added to provide a brief explanation. Occlum can be configured easily via a config file named `Occlum.json`, which is generated by the `occlum init` command in the Occlum instance directory. The user can modify `Occlum.json` to config Occlum. A sample of `Occlum.json` is shown below. Some comments are added to provide a brief explanation.
```js ```js
{ {
// Resource limits // Resource limits

@ -44,7 +44,6 @@ int main(int argc, char *argv[]) {
// Init Occlum PAL // Init Occlum PAL
occlum_pal_attr_t pal_attr = OCCLUM_PAL_ATTR_INITVAL; occlum_pal_attr_t pal_attr = OCCLUM_PAL_ATTR_INITVAL;
pal_attr.instance_dir = ".occlum";
if (occlum_pal_init(&pal_attr) < 0) { if (occlum_pal_init(&pal_attr) < 0) {
return EXIT_FAILURE; return EXIT_FAILURE;
} }

@ -3,7 +3,7 @@ set -e
rm -rf occlum_context && mkdir -p occlum_context rm -rf occlum_context && mkdir -p occlum_context
cd occlum_context cd occlum_context
# 1. Initialize a directory as the Occlum context # 1. Initialize a directory as the Occlum instance
occlum init occlum init
# 2. Generate a secure Occlum FS image and Occlum SGX enclave # 2. Generate a secure Occlum FS image and Occlum SGX enclave

@ -24,7 +24,6 @@ int main(int argc, char *argv[]) {
sgx_launch_token_t token = {0}; sgx_launch_token_t token = {0};
sgx_status_t status; sgx_status_t status;
int exit_status = 0; int exit_status = 0;
const char *occlum_instance_dir = ".occlum";
const char *cmd_path = "/bin/responder"; // Prepare cmd path and arguments const char *cmd_path = "/bin/responder"; // Prepare cmd path and arguments
const char *cmd_args[] = {NULL}; const char *cmd_args[] = {NULL};
@ -38,10 +37,8 @@ int main(int argc, char *argv[]) {
} }
printf("succeed to load enclave %s\n", ENCLAVE_INITIATOR_NAME); printf("succeed to load enclave %s\n", ENCLAVE_INITIATOR_NAME);
struct occlum_pal_attr attr { occlum_pal_attr_t pal_attr = OCCLUM_PAL_ATTR_INITVAL;
.instance_dir = occlum_instance_dir, pal_attr.log_level = (const char *) getenv("OCCLUM_LOG_LEVEL");
.log_level = (const char *) getenv("OCCLUM_LOG_LEVEL"),
};
if (occlum_pal_init(&attr) < 0) { if (occlum_pal_init(&attr) < 0) {
return EXIT_FAILURE; return EXIT_FAILURE;
} }
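Review bot: The new side renames the attribute struct to `pal_attr` (`occlum_pal_attr_t pal_attr = OCCLUM_PAL_ATTR_INITVAL;`) but the unchanged call two lines below is still `occlum_pal_init(&attr)`, so `attr` is no longer declared anywhere visible in this hunk and the file should fail to compile unless some other `attr` is declared in the lines between the two hunks. The call should follow the rename: `if (occlum_pal_init(&pal_attr) < 0) {`. main() starts before the first hunk and continues past this one.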

@ -118,15 +118,11 @@ extern "C" {
#[repr(C)] #[repr(C)]
/// Occlum PAL attributes. Defined by occlum pal. /// Occlum PAL attributes. Defined by occlum pal.
pub struct occlum_pal_attr_t { pub struct occlum_pal_attr_t {
/// Occlum instance dir. /// Occlum instance directory.
/// ///
/// Specifies the path of an Occlum instance directory. Usually, this /// Specifies the path of an Occlum instance directory, which is usually created with the
/// directory is initialized by executing "occlum init" command, which /// `occlum new` command. The default value is "."; that is, the current working directory
/// creates a hidden directory named ".occlum/". This ".occlum/" is an /// is the Occlum instance directory.
/// Occlum instance directory. The name of the directory is not necesarrily
/// ".occlum"; it can be renamed to an arbitrary name.
///
/// Mandatory field. Must not be NULL.
pub instance_dir: *const libc::c_char, pub instance_dir: *const libc::c_char,
/// Log level. /// Log level.
/// ///
@ -139,12 +135,7 @@ pub struct occlum_pal_attr_t {
/// Loads and initializes the Occlum enclave image /// Loads and initializes the Occlum enclave image
fn rust_occlum_pal_init() -> Result<(), i32> { fn rust_occlum_pal_init() -> Result<(), i32> {
let mut instance_dir = OsString::from("./.occlum\0"); let instance_dir = OsString::from(".\0");
if let Some(val) = env::var_os("OCCLUM_INSTANCE_DIR") {
instance_dir = val;
instance_dir.push("\0");
};
let mut log_level = OsString::from("off\0"); let mut log_level = OsString::from("off\0");
if let Some(val) = env::var_os("OCCLUM_LOG_LEVEL") { if let Some(val) = env::var_os("OCCLUM_LOG_LEVEL") {
log_level = val; log_level = val;
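Review bot: The rewritten doc comment on `instance_dir` says the directory is "usually created with the `occlum new` command", but the only initialisation command this commit's CLI offers is `occlum init` (its usage text and the check_has_init error message both name it), so the comment points readers at a command that does not appear anywhere on this page. Replace `occlum new` with `occlum init` in that line. The same wording was introduced in the C header hunk for `struct occlum_pal_attr` (its `// occlum new command` line) and should be changed alike.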

@ -21,15 +21,11 @@ int occlum_pal_get_version(void);
* Occlum PAL attributes * Occlum PAL attributes
*/ */
typedef struct occlum_pal_attr { typedef struct occlum_pal_attr {
// Occlum instance dir. // Occlum instance directory.
// //
// Specifies the path of an Occlum instance directory. Usually, this // Specifies the path of an Occlum instance directory, which is usually created with the
// directory is initialized by executing "occlum init" command, which // `occlum new` command. The default value is "."; that is, the current working directory
// creates a hidden directory named ".occlum/". This ".occlum/" is an // is the Occlum instance directory.
// Occlum instance directory. The name of the directory is not necesarrily
// ".occlum"; it can be renamed to an arbitrary name.
//
// Mandatory field. Must not be NULL.
const char *instance_dir; const char *instance_dir;
// Log level. // Log level.
// //
@ -41,7 +37,7 @@ typedef struct occlum_pal_attr {
} occlum_pal_attr_t; } occlum_pal_attr_t;
#define OCCLUM_PAL_ATTR_INITVAL { \ #define OCCLUM_PAL_ATTR_INITVAL { \
.instance_dir = NULL, \ .instance_dir = ".", \
.log_level = NULL \ .log_level = NULL \
} }
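Review bot: Dropping "Mandatory field. Must not be NULL." leaves the NULL case of `instance_dir` undocumented: a caller that zero-initialises the struct (`= {0}`) instead of using `OCCLUM_PAL_ATTR_INITVAL` now gets no guidance on whether `occlum_pal_init` rejects NULL or falls back to ".", and the implementation that decides this is not visible here. Keep one line stating the contract, e.g. `// Must not be NULL; use OCCLUM_PAL_ATTR_INITVAL to get the "." default.` if NULL is still rejected, or `// NULL is treated as "."` if it is now accepted.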

@ -6,15 +6,6 @@
#include <sys/wait.h> #include <sys/wait.h>
#include <occlum_pal_api.h> #include <occlum_pal_api.h>
static const char *get_instance_dir(void) {
const char *instance_dir_from_env = (const char *) getenv("OCCLUM_INSTANCE_DIR");
if (instance_dir_from_env != NULL) {
return instance_dir_from_env;
} else {
return "./.occlum";
}
}
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
// Parse arguments // Parse arguments
if (argc < 2) { if (argc < 2) {
@ -34,7 +25,6 @@ int main(int argc, char *argv[]) {
// Init Occlum PAL // Init Occlum PAL
struct occlum_pal_attr attr = OCCLUM_PAL_ATTR_INITVAL; struct occlum_pal_attr attr = OCCLUM_PAL_ATTR_INITVAL;
attr.instance_dir = get_instance_dir();
attr.log_level = getenv("OCCLUM_LOG_LEVEL"); attr.log_level = getenv("OCCLUM_LOG_LEVEL");
if (occlum_pal_init(&attr) < 0) { if (occlum_pal_init(&attr) < 0) {
return EXIT_FAILURE; return EXIT_FAILURE;

@ -60,7 +60,7 @@ $(BUILD_TARGETS): %:
postbuild: postbuild:
@cd $(BUILD_DIR)/test && \ @cd $(BUILD_DIR)/test && \
$(BUILD_DIR)/bin/occlum build $(BUILD_DIR)/bin/occlum build -f
############################################################################# #############################################################################
# Test targets # Test targets

@ -5,6 +5,7 @@ BUILD_DIR := build
all: all:
@mkdir -p ../$(BUILD_DIR)/bin/ @mkdir -p ../$(BUILD_DIR)/bin/
@ln -s -f ../../tools/occlum_build.mk ../$(BUILD_DIR)/bin/occlum_build.mk
@ln -s -f ../../tools/occlum ../$(BUILD_DIR)/bin/occlum @ln -s -f ../../tools/occlum ../$(BUILD_DIR)/bin/occlum
@ln -s -f ../../tools/occlum-gen-default-occlum-json ../$(BUILD_DIR)/bin/occlum-gen-default-occlum-json @ln -s -f ../../tools/occlum-gen-default-occlum-json ../$(BUILD_DIR)/bin/occlum-gen-default-occlum-json
@$(MAKE) --no-print-directory -C protect-integrity @$(MAKE) --no-print-directory -C protect-integrity

@ -2,6 +2,7 @@
this_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" this_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
occlum_dir="$( cd "$( dirname "$this_dir/../../../" )" >/dev/null 2>&1 && pwd )" occlum_dir="$( cd "$( dirname "$this_dir/../../../" )" >/dev/null 2>&1 && pwd )"
build_makefile=$occlum_dir/build/bin/occlum_build.mk
if [[ "$occlum_dir" == "/opt/occlum" ]]; then if [[ "$occlum_dir" == "/opt/occlum" ]]; then
version_header=$occlum_dir/include/occlum_version.h version_header=$occlum_dir/include/occlum_version.h
@ -14,11 +15,9 @@ minor_ver=`grep '\#define OCCLUM_MINOR_VERSION' $version_header | awk '{print $
patch_ver=`grep '\#define OCCLUM_PATCH_VERSION' $version_header | awk '{print $3}'` patch_ver=`grep '\#define OCCLUM_PATCH_VERSION' $version_header | awk '{print $3}'`
occlum_version="$major_ver.$minor_ver.$patch_ver" occlum_version="$major_ver.$minor_ver.$patch_ver"
if [ -z $OCCLUM_INSTANCE_DIR ];then instance_dir=`pwd`
OCCLUM_INSTANCE_DIR=".occlum"
fi status_file=$instance_dir/.__occlum_status
working_dir=`pwd`
context_dir="$working_dir/$OCCLUM_INSTANCE_DIR"
SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}" SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}"
SGX_GDB="$SGX_SDK/bin/sgx-gdb" SGX_GDB="$SGX_SDK/bin/sgx-gdb"
@ -36,10 +35,13 @@ report_arg_error() {
cat <<EOF cat <<EOF
Usage: Usage:
occlum init occlum init
Initialize a directory as the Occlum context Initialize a directory as the Occlum instance
occlum build [--sign-key <key_path>] [--sign-tool <tool_path>] occlum build [--sign-key <key_path>] [--sign-tool <tool_path>] [-f/--force]
Generate a secure Occlum FS image and Occlum SGX enclave. Build and sign an Occlum SGX enclave (.so) and generate its associated secure FS image
according to the user-provided image directory and Occlum.json config file.
The whole building process is incremental: the building artifacts are built only when needed.
To force rebuilding all artifacts, give the [-f/--force] flag.
occlum run <program_name> <program_args> occlum run <program_name> <program_args>
Run the user program inside an SGX enclave. Run the user program inside an SGX enclave.
@ -51,54 +53,9 @@ Usage:
EOF EOF
} }
get_conf_root_fs_mac() {
LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" \
"$occlum_dir/build/bin/occlum-protect-integrity" show-mac "$context_dir/build/mount/__ROOT/metadata"
}
get_conf_default_stack_size() {
cat "$working_dir/Occlum.json" | \
python -c "import sys, json; print json.load(sys.stdin)['process']['default_stack_size']"
}
get_conf_default_heap_size() {
cat "$working_dir/Occlum.json" | \
python -c "import sys, json; print json.load(sys.stdin)['process']['default_heap_size']"
}
get_conf_default_mmap_size() {
cat "$working_dir/Occlum.json" | \
python -c "import sys, json; print json.load(sys.stdin)['process']['default_mmap_size']"
}
get_conf_user_space_size() {
cat "$working_dir/Occlum.json" | \
python -c "import sys, json; print json.load(sys.stdin)['resource_limits']['user_space_size']"
}
get_conf_env() {
cat "$working_dir/Occlum.json" | \
python -c "import sys, json; print json.dumps(json.load(sys.stdin)['env'])"
}
get_conf_entry_points() {
cat "$working_dir/Occlum.json" | \
python -c "import sys, json; print json.dumps(json.load(sys.stdin)['entry_points'])"
}
get_occlum_conf_file_mac() {
LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" \
"$occlum_dir/build/bin/occlum-protect-integrity" show-mac "$context_dir/build/Occlum.json.protected"
}
parse_occlum_user_space_size() {
local size_with_unit=`get_conf_user_space_size`
numfmt --from=iec ${size_with_unit::-1}
}
check_has_init() { check_has_init() {
if [ ! -d "$context_dir" ]; then if [ ! -f "$status_file" ]; then
echo "Error: the current working directory is not initialized as an Occlum context. Need to run \"occlum init\" first." echo "Error: the current working directory is not initialized as an Occlum instance. Need to run \"occlum init\" first."
exit 1 exit 1
fi fi
} }
@ -106,7 +63,7 @@ check_has_init() {
check_has_built() { check_has_built() {
check_has_init check_has_init
if [ ! -d "$context_dir/run/mount/__ROOT" ]; then if [ ! -d "$instance_dir/run/mount/__ROOT" ]; then
echo "Error: the Occlum image and enclave are not built yet. Need to run \"occlum build\" first." echo "Error: the Occlum image and enclave are not built yet. Need to run \"occlum build\" first."
exit 1 exit 1
fi fi
@ -114,16 +71,14 @@ check_has_built() {
cmd_init() { cmd_init() {
if [ -d "$context_dir" ]; then if [ -f "$status_file" ]; then
echo "Error: the current working directory has been initialized as an Occlum context" echo "Error: the current working directory has been initialized as an Occlum instance"
exit 1 exit 1
fi fi
mkdir "$context_dir"
cd "$context_dir" echo "initialized" > $status_file
echo "initialized" > status
cd "$working_dir" cd "$instance_dir"
mkdir -p image mkdir -p image
mkdir -p image/bin mkdir -p image/bin
mkdir -p image/lib mkdir -p image/lib
@ -139,10 +94,10 @@ cmd_init() {
"$occlum_gcc_lib/libgcc_s.so.1" \ "$occlum_gcc_lib/libgcc_s.so.1" \
"$occlum_gcc_lib/libgomp.so.1" "$occlum_gcc_lib/libgomp.so.1"
cp "$occlum_dir"/etc/template/Occlum.json "$working_dir"/ cp "$occlum_dir"/etc/template/Occlum.json "$instance_dir"/
chmod 644 "$working_dir"/Occlum.json chmod 644 "$instance_dir"/Occlum.json
echo "Initialized an Occlum context in $working_dir" echo "$instance_dir initialized as an Occlum instance"
} }
cmd_build() { cmd_build() {
@ -156,6 +111,7 @@ cmd_build() {
--sign-key) [ -n "$2" ] && ENCLAVE_SIGN_KEY=$2 ; shift 2 || exit_error "empty signing key path" ;; --sign-key) [ -n "$2" ] && ENCLAVE_SIGN_KEY=$2 ; shift 2 || exit_error "empty signing key path" ;;
--sign-tool) [ -n "$2" ] && ENCLAVE_SIGN_TOOL=$2 ; shift 2 || exit_error "empty signing tool path" ;; --sign-tool) [ -n "$2" ] && ENCLAVE_SIGN_TOOL=$2 ; shift 2 || exit_error "empty signing tool path" ;;
--sgx-mode) [[ -n "$2" && "$2" != "HW" ]] && export SGX_MODE=SIM ; shift 2 || exit_error "empty sgx mode";; --sgx-mode) [[ -n "$2" && "$2" != "HW" ]] && export SGX_MODE=SIM ; shift 2 || exit_error "empty sgx mode";;
--force | -f) MAKE_OPTION="--always-make" ; shift ;;
*) exit_error "Unknown option: $1" ;; *) exit_error "Unknown option: $1" ;;
esac esac
done done
@ -173,61 +129,27 @@ cmd_build() {
echo "SGX mode: HW" echo "SGX mode: HW"
fi fi
cd "$context_dir" # If sgx mode is changed, build thoroughly again
echo "building" > status if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
if [ "$(cat $instance_dir/.sgx_mode 2>/dev/null)" != "SIM" ]; then
MAKE_OPTION="--always-make"
fi
else
#HW mode
if [ "$(cat $instance_dir/.sgx_mode 2>/dev/null)" != "HW" ]; then
MAKE_OPTION="--always-make"
fi
fi
rm -rf build rm -rf "$instance_dir/run"
rm -rf run
mkdir -p build/bin occlum_dir=$occlum_dir instance_dir=$instance_dir pal_lib=$pal_lib major_ver=$major_ver \
ln -s $occlum_dir/build/bin/occlum-run $context_dir/build/bin/occlum-run occlum_version=$occlum_version libos_lib=$libos_lib ENCLAVE_SIGN_KEY=$ENCLAVE_SIGN_KEY \
mkdir -p build/lib ENCLAVE_SIGN_TOOL=$ENCLAVE_SIGN_TOOL \
cp "$occlum_dir/build/lib/$pal_lib.$occlum_version" build/lib/ make -f $build_makefile $MAKE_OPTION
cd build/lib && ln -sf "$pal_lib.$occlum_version" "libocclum-pal.so.$major_ver" && \
ln -sf "libocclum-pal.so.$major_ver" libocclum-pal.so && cd -
mkdir -p build/mount/ cd "$instance_dir"
cd "$occlum_dir/build/bin/" && \ echo "built" > $status_file
LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" ./sefs-cli \
--integrity-only \
"$context_dir/build/mount/__ROOT" \
"$working_dir/image" \
zip
export OCCLUM_CONF_ROOT_FS_MAC=`get_conf_root_fs_mac`
export OCCLUM_CONF_USER_SPACE_SIZE=`get_conf_user_space_size`
export OCCLUM_CONF_DEFAULT_STACK_SIZE=`get_conf_default_stack_size`
export OCCLUM_CONF_DEFAULT_HEAP_SIZE=`get_conf_default_heap_size`
export OCCLUM_CONF_DEFAULT_MMAP_SIZE=`get_conf_default_mmap_size`
export OCCLUM_CONF_ENV=`get_conf_env`
export OCCLUM_CONF_ENTRY_POINTS=`get_conf_entry_points`
cd "$context_dir/build"
"$occlum_dir/build/bin/occlum-gen-default-occlum-json"\
> "Occlum.json"
LD_LIBRARY_PATH="$SGX_SDK/sdk_libs" "$occlum_dir/build/bin/occlum-protect-integrity" protect Occlum.json
export OCCLUM_BUILTIN_CONF_FILE_MAC=`get_occlum_conf_file_mac`
echo "EXPORT => OCCLUM_BUILTIN_CONF_FILE_MAC = $OCCLUM_BUILTIN_CONF_FILE_MAC"
export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=`parse_occlum_user_space_size`
echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $OCCLUM_BUILTIN_VM_USER_SPACE_SIZE"
cd $context_dir/build/lib && \
cp "$occlum_dir/build/lib/$libos_lib.$occlum_version" . && ln -sf "$libos_lib.$occlum_version" "libocclum-libos.so.$major_ver" && \
ln -sf "libocclum-libos.so.$major_ver" libocclum-libos.so
echo -e "$OCCLUM_BUILTIN_CONF_FILE_MAC\c" > temp_mac_file && \
objcopy --update-section .builtin_config=temp_mac_file libocclum-libos.so.$major_ver && \
rm temp_mac_file
$occlum_dir/build/bin/gen_enclave_conf -i "$working_dir/Occlum.json" -o "$context_dir/build/Enclave.xml"
$ENCLAVE_SIGN_TOOL sign \
-key $ENCLAVE_SIGN_KEY \
-config "$context_dir/build/Enclave.xml" \
-enclave "$context_dir/build/lib/libocclum-libos.so.$major_ver" \
-out "$context_dir/build/lib/libocclum-libos.signed.so"
rm -f "$context_dir/build/Enclave.xml"
cd "$context_dir"
echo "built" > status
if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
echo "SIM" > .sgx_mode echo "SIM" > .sgx_mode
@ -235,11 +157,8 @@ cmd_build() {
echo "HW" > .sgx_mode echo "HW" > .sgx_mode
fi fi
mkdir -p "$context_dir/run/mount/__ROOT" mkdir -p "$instance_dir/run/mount/__ROOT"
mkdir -p "$context_dir/run/mount/tmp" mkdir -p "$instance_dir/run/mount/tmp"
ln -s $occlum_dir/build/bin/occlum_exec_client $context_dir/build/bin/occlum_exec_client
ln -s $occlum_dir/build/bin/occlum_exec_server $context_dir/build/bin/occlum_exec_server
echo "Built the Occlum image and enclave successfully" echo "Built the Occlum image and enclave successfully"
} }
@ -247,95 +166,90 @@ cmd_build() {
cmd_run() { cmd_run() {
check_has_built check_has_built
SGX_MODE=$(cat $context_dir/.sgx_mode) SGX_MODE=$(cat $instance_dir/.sgx_mode)
if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/"
else else
export LD_LIBRARY_PATH="$context_dir/build/lib" export LD_LIBRARY_PATH="$instance_dir/build/lib"
fi fi
cd "$working_dir" echo "running" > $status_file
echo "running" > "$context_dir/status"
RUST_BACKTRACE=1 "$context_dir/build/bin/occlum-run" "$@" RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum-run" "$@"
echo "built" > "$context_dir/status" echo "built" > $status_file
} }
cmd_start() { cmd_start() {
check_has_built check_has_built
SGX_MODE=$(cat $context_dir/.sgx_mode) SGX_MODE=$(cat $instance_dir/.sgx_mode)
if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/"
else else
export LD_LIBRARY_PATH="$context_dir/build/lib" export LD_LIBRARY_PATH="$instance_dir/build/lib"
fi fi
cd "$working_dir" echo "running" > $status_file
echo "running" > "$context_dir/status"
RUST_BACKTRACE=1 "$context_dir/build/bin/occlum_exec_client" start RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" start
echo "built" > "$context_dir/status" echo "built" > $status_file
} }
cmd_exec() { cmd_exec() {
check_has_built check_has_built
SGX_MODE=$(cat $context_dir/.sgx_mode) SGX_MODE=$(cat $instance_dir/.sgx_mode)
if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/"
else else
export LD_LIBRARY_PATH="$context_dir/build/lib" export LD_LIBRARY_PATH="$instance_dir/build/lib"
fi fi
cd "$working_dir" echo "running" > "$status_file"
echo "running" > "$context_dir/status"
RUST_BACKTRACE=1 "$context_dir/build/bin/occlum_exec_client" exec -- "$@" RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" exec -- "$@"
echo "built" > "$context_dir/status" echo "built" > "$status_file"
} }
cmd_stop() { cmd_stop() {
check_has_built check_has_built
SGX_MODE=$(cat $context_dir/.sgx_mode) SGX_MODE=$(cat $instance_dir/.sgx_mode)
if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/"
else else
export LD_LIBRARY_PATH="$context_dir/build/lib" export LD_LIBRARY_PATH="$instance_dir/build/lib"
fi fi
cd "$working_dir" echo "running" > "$status_file"
echo "running" > "$context_dir/status"
RUST_BACKTRACE=1 "$context_dir/build/bin/occlum_exec_client" stop -t 0 RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum_exec_client" stop -t 0
echo "built" > "$context_dir/status" echo "built" > "$status_file"
} }
cmd_gdb() { cmd_gdb() {
check_has_built check_has_built
SGX_MODE=$(cat $context_dir/.sgx_mode) SGX_MODE=$(cat $instance_dir/.sgx_mode)
if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then if [[ -n $SGX_MODE && "$SGX_MODE" != "HW" ]]; then
export LD_LIBRARY_PATH="$context_dir/build/lib:$SGX_SDK/sdk_libs/" export LD_LIBRARY_PATH="$instance_dir/build/lib:$SGX_SDK/sdk_libs/"
else else
export LD_LIBRARY_PATH="$context_dir/build/lib" export LD_LIBRARY_PATH="$instance_dir/build/lib"
fi fi
cd "$working_dir" echo "debugging" > "$status_file"
echo "debugging" > "$context_dir/status"
OCCLUM_GDB=1 $SGX_GDB --args "$context_dir/build/bin/occlum-run" "$@" OCCLUM_GDB=1 $SGX_GDB --args "$instance_dir/build/bin/occlum-run" "$@"
echo "built" > "$context_dir/status" echo "built" > "$status_file"
} }
cmd_status() { cmd_status() {
cat "$context_dir/status" cat "$status_file"
} }
set -e set -e
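Review bot: `status_file` is built from `pwd` but is used unquoted in the redirections of cmd_init, cmd_build, cmd_run and cmd_start (`echo "initialized" > $status_file`, `echo "built" > $status_file`) while cmd_exec, cmd_stop, cmd_gdb and cmd_status quote it; an instance directory whose path contains whitespace can therefore fail with an ambiguous redirect in the first four and, with the trailing `set -e`, abort the command. The same holds for `SGX_MODE=$(cat $instance_dir/.sgx_mode)` in every cmd_* function and for `make -f $build_makefile $MAKE_OPTION` in cmd_build. Quote them consistently, e.g. `echo "built" > "$status_file"` and `SGX_MODE=$(cat "$instance_dir/.sgx_mode")`.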

@ -1,8 +1,6 @@
#!/bin/bash #!/bin/bash
if [ -z $OCCLUM_INSTANCE_DIR ];then OCCLUM_INSTANCE_DIR="."
OCCLUM_INSTANCE_DIR=".occlum"
fi
cat <<EOF cat <<EOF
{ {

139
tools/occlum_build.mk Normal file

@ -0,0 +1,139 @@
SGX_SDK ?= /opt/intel/sgxsdk
IMAGE := $(instance_dir)/image
SECURE_IMAGE := $(instance_dir)/build/mount/__ROOT/metadata
JSON_CONF := $(instance_dir)/Occlum.json
LIBOS := $(instance_dir)/build/lib/$(libos_lib).$(occlum_version)
SIGNED_ENCLAVE := $(instance_dir)/build/lib/libocclum-libos.signed.so
BIN_LINKS := occlum_exec_client occlum_exec_server occlum-run
BIN_LINKS := $(addprefix $(instance_dir)/build/bin/, $(BIN_LINKS))
LIB_LINKS := libocclum-pal.so.$(major_ver) libocclum-pal.so
LIB_LINKS := $(addprefix $(instance_dir)/build/lib/, $(LIB_LINKS))
ifneq (, $(wildcard $(IMAGE)/. ))
IMAGE_DIRS := $(shell find $(IMAGE) -type d 2>/dev/null || true)
IMAGE_FILES := $(shell find $(IMAGE) -type f 2>/dev/null || true)
endif
SHELL:=/bin/bash
define get_conf_root_fs_mac
LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" \
"$(occlum_dir)/build/bin/occlum-protect-integrity" show-mac "$(instance_dir)/build/mount/__ROOT/metadata"
endef
define get_conf_default_stack_size
cat "$(JSON_CONF)" | \
python -c "import sys, json; print json.load(sys.stdin)['process']['default_stack_size']"
endef
define get_conf_default_heap_size
cat "$(JSON_CONF)" | \
python -c "import sys, json; print json.load(sys.stdin)['process']['default_heap_size']"
endef
define get_conf_default_mmap_size
cat "$(JSON_CONF)" | \
python -c "import sys, json; print json.load(sys.stdin)['process']['default_mmap_size']" ['resource_limits']['user_space_size']
endef
define get_conf_user_space_size
cat "$(JSON_CONF)" | \
python -c "import sys, json; print json.load(sys.stdin)['resource_limits']['user_space_size']"
endef
define get_conf_env
cat "$(JSON_CONF)" | \
python -c "import sys, json; print json.dumps(json.load(sys.stdin)['env'])"
endef
define get_conf_entry_points
cat "$(JSON_CONF)" | \
python -c "import sys, json; print json.dumps(json.load(sys.stdin)['entry_points'])"
endef
define get_occlum_conf_file_mac
LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" \
"$(occlum_dir)/build/bin/occlum-protect-integrity" show-mac "$(instance_dir)/build/Occlum.json.protected"
endef
define parse_occlum_user_space_size
size_with_unit=$$($(get_conf_user_space_size)); echo $${size_with_unit:0:-1} | numfmt --from=iec
endef
.PHONY : all
all: $(SIGNED_ENCLAVE) $(BIN_LINKS) $(LIB_LINKS)
$(SIGNED_ENCLAVE): $(LIBOS)
@echo "Signing the enclave..."
@$(occlum_dir)/build/bin/gen_enclave_conf -i "$(instance_dir)/Occlum.json" -o "$(instance_dir)/build/Enclave.xml"
@$(ENCLAVE_SIGN_TOOL) sign \
-key $(ENCLAVE_SIGN_KEY) \
-config "$(instance_dir)/build/Enclave.xml" \
-enclave "$(instance_dir)/build/lib/libocclum-libos.so.$(major_ver)" \
-out "$(instance_dir)/build/lib/libocclum-libos.signed.so"
$(LIBOS): $(instance_dir)/build/Occlum.json.protected
@echo "Building libOS..."
@export OCCLUM_BUILTIN_CONF_FILE_MAC=`$(get_occlum_conf_file_mac)` ; \
echo "EXPORT => OCCLUM_BUILTIN_CONF_FILE_MAC = $$OCCLUM_BUILTIN_CONF_FILE_MAC" ; \
export OCCLUM_BUILTIN_VM_USER_SPACE_SIZE=$$($(parse_occlum_user_space_size)) ; \
echo "EXPORT => OCCLUM_BUILTIN_VM_USER_SPACE_SIZE = $$OCCLUM_BUILTIN_VM_USER_SPACE_SIZE" ; \
cd $(instance_dir)/build/lib && \
cp "$(occlum_dir)/build/lib/$(libos_lib).$(occlum_version)" . && ln -sf "$(libos_lib).$(occlum_version)" "libocclum-libos.so.$(major_ver)" && \
ln -sf "libocclum-libos.so.$(major_ver)" libocclum-libos.so ; \
echo -e "$$OCCLUM_BUILTIN_CONF_FILE_MAC\c" > temp_mac_file && \
objcopy --update-section .builtin_config=temp_mac_file libocclum-libos.so && \
rm temp_mac_file
$(instance_dir)/build/Occlum.json.protected: $(instance_dir)/build/Occlum.json
@cd "$(instance_dir)/build" ; \
LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" "$(occlum_dir)/build/bin/occlum-protect-integrity" protect Occlum.json ;
$(instance_dir)/build/Occlum.json: $(SECURE_IMAGE) $(JSON_CONF) | $(instance_dir)/build/lib
@export OCCLUM_CONF_ROOT_FS_MAC=`$(get_conf_root_fs_mac)` ; \
export OCCLUM_CONF_USER_SPACE_SIZE=`$(get_conf_user_space_size)` ; \
export OCCLUM_CONF_DEFAULT_STACK_SIZE=`$(get_conf_default_stack_size)` ; \
export OCCLUM_CONF_DEFAULT_HEAP_SIZE=`$(get_conf_default_heap_size)` ; \
export OCCLUM_CONF_DEFAULT_MMAP_SIZE=`$(get_conf_default_mmap_size)` ; \
export OCCLUM_CONF_ENV="`$(get_conf_env)`" ; \
export OCCLUM_CONF_ENTRY_POINTS=`$(get_conf_entry_points)` ; \
cd "$(instance_dir)/build" ; \
"$(occlum_dir)/build/bin/occlum-gen-default-occlum-json" > "Occlum.json"
$(BIN_LINKS): $(instance_dir)/build/bin/%: $(occlum_dir)/build/bin/% | $(instance_dir)/build/bin
@ln -sf $< $@
$(instance_dir)/build/bin:
@mkdir -p build/bin
$(instance_dir)/build/lib/libocclum-pal.so:
$(instance_dir)/build/lib/libocclum-pal.so.0: | $(instance_dir)/build/lib
@cp "$(occlum_dir)/build/lib/$(pal_lib).$(occlum_version)" build/lib/
@cd build/lib && ln -sf "$(pal_lib).$(occlum_version)" "libocclum-pal.so.$(major_ver)" && \
ln -sf "libocclum-pal.so.$(major_ver)" libocclum-pal.so
$(instance_dir)/build/lib:
@mkdir -p build/lib
# If image dir not exist, just use the secure Occlum FS image
ifneq ($(wildcard $(IMAGE)/. ),)
$(SECURE_IMAGE): $(IMAGE) $(IMAGE_DIRS) $(IMAGE_FILES)
@echo "Building new image..."
@rm -rf build/mount
@mkdir -p build/mount/
@cd "$(occlum_dir)/build/bin/" && \
LD_LIBRARY_PATH="$(SGX_SDK)/sdk_libs" ./sefs-cli \
--integrity-only \
"$(instance_dir)/build/mount/__ROOT" \
"$(instance_dir)/image" \
zip
endif
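Review bot: The PAL library rule hard-codes the soname suffix: its target is `$(instance_dir)/build/lib/libocclum-pal.so.0` while `LIB_LINKS`, and through it `all`, asks for `libocclum-pal.so.$(major_ver)`, so as soon as `major_ver` is anything but 0 make has no rule for the requested file and the build fails. Two prerequisites are also missing from the incremental chain: `$(LIBOS)` does not list the installed `$(occlum_dir)/build/lib/$(libos_lib).$(occlum_version)` it copies, and `$(SIGNED_ENCLAVE)` does not list `$(ENCLAVE_SIGN_KEY)` (assuming the script always passes a path in it), so an updated libOS or signing key leaves a stale signed enclave in build/lib until someone passes `-f`. The `get_conf_default_mmap_size` define carries a stray `['resource_limits']['user_space_size']` after the closing quote of the python command, which is handed to python as an extra argument and should be deleted. The recipes that use bare `build/bin`, `build/lib` and `build/mount` only work because the caller runs make from the instance directory; prefixing them with `$(instance_dir)/` would remove that hidden assumption.
```makefile
define get_conf_default_mmap_size
	cat "$(JSON_CONF)" | \
	python -c "import sys, json; print json.load(sys.stdin)['process']['default_mmap_size']"
endef
# … unchanged: remaining defines and the all target …
$(SIGNED_ENCLAVE): $(LIBOS) $(ENCLAVE_SIGN_KEY)
# … unchanged: signing recipe …
$(LIBOS): $(instance_dir)/build/Occlum.json.protected $(occlum_dir)/build/lib/$(libos_lib).$(occlum_version)
# … unchanged: libOS recipe, Occlum.json rules, BIN_LINKS rule …
$(instance_dir)/build/lib/libocclum-pal.so.$(major_ver): | $(instance_dir)/build/lib
# … unchanged: pal copy/link recipe …
```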