Add RPM installer for Occlum and C/C++ toolchains

Makefile

@@ -83,3 +83,4 @@ clean:
 	@$(MAKE) --no-print-directory -C test clean
 	@$(MAKE) SGX_MODE=SIM --no-print-directory -C src clean
 	@$(MAKE) SGX_MODE=SIM --no-print-directory -C test clean
+	@$(MAKE) --no-print-directory -C tools/installer/rpm clean

README.md

@@ -259,6 +259,10 @@ $ OCCLUM_RELEASE_ENCLAVE=yes occlum run <prog_path> <prog_args>
 
 Ultimately, whether an enclave is running in the release mode should be checked and judged by a trusted client through remotely attesting the enclave. See the remote attestation demo [here](demos/remote_attestation).
 
+## How to Run Occlum Without Docker?
+
+One easy way to run Occlum without Docker is to use the Occlum Installer. We have prepared the RPM installer for Occlum, which can be downloaded with every release of Occlum. For more info about the installer, see [here](tools/installer/README.md).
+
 ## What is the Implementation Status?
 
 Occlum is being actively developed. We now focus on implementing more system calls and additional features required in the production environment.

deps/sefs

@@ -1 +1 @@
-Subproject commit f06c02dfc5fa91cb9be7574f1882cdab863673f1
+Subproject commit 74e9c2d2a8cea48912a297d9508182e8df9da047

src/sgxenv.mk

@@ -85,7 +85,7 @@ SGX_CFLAGS_U := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes \
 SGX_CXXFLAGS_U := $(SGX_CFLAGS_U) -std=c++11
 
 ifneq ($(SGX_MODE), HW)
-	SGX_LFLAGS_U := $(SGX_COMMON_CFLAGS) -lpthread -L$(SGX_LIBRARY_PATH) -lsgx_urts_sim -lsgx_uae_service_sim
+	SGX_LFLAGS_U := $(SGX_COMMON_CFLAGS) -lpthread -L$(SGX_LIBRARY_PATH) -Wl,-Bstatic -lsgx_urts_sim -Wl,-Bdynamic -lsgx_uae_service_sim
 else
 	SGX_LFLAGS_U := $(SGX_COMMON_CFLAGS) -lpthread -L$(SGX_LIBRARY_PATH) -Wl,-Bstatic -lsgx_urts -Wl,-Bdynamic -lsgx_uae_service -lsgx_enclave_common
 endif

tools/installer/README.md

@@ -0,0 +1,63 @@
+# Occlum Installer
+
+## RPM Installer
+
+### How to Build
+
+To build RPM packages, a docker container with Occlum CentOS image is needed. Execute below commands under the occlum directory:
+```
+cd tools/installer/rpm
+make
+```
+and occlum rpm installer can be found under `build/rpms`.
+
+If a user wants to build his application on a platform installed with Occlum installer, toolchain installers are also needed. To build language specific toolchain installer, just run the command:
+```
+cd tools/installer/rpm
+make <language option>
+```
+Now, only `c/c++` option is supported. And the installer can be found under `build/rpms`.
+
+### How to Use
+
+RPM installer should be found together with Occlum release package at [this page](https://github.com/occlum/occlum/releases).
+To run Occlum on clean Centos 8, please follow below steps:
+
+**Step 1. Install Prerequisites**
+```
+yum install -y libcurl-devel openssl-devel fuse-devel fuse-libs autoconf automake cmake libtool make yum-utils gdb python2
+ln -s /usr/bin/python2 /usr/local/bin/python
+dnf config-manager --set-enabled PowerTools
+yum install -y ocaml ocaml-ocamlbuild
+```
+
+**Step 2. Install Intel® SGX driver and Intel® SGX PSW**
+Please follow [Intel SGX Installation Guide](https://download.01.org/intel-sgx/sgx-linux/2.9.1/docs/Intel_SGX_Installation_Guide_Linux_2.9.1_Open_Source.pdf) to install SGX driver and SGX PSW. SGX SDK is not required. Using RPM installer is recommanded.
+
+Also, UAE service libraries are needed but may not installed together with SGX PSW if SGX PSW installer is used. Go to SGX RPM local repo and run:
+```
+rpm -i libsgx-uae-service-2.9.101.2-1.el7.x86_64.rpm
+```
+
+**Step 3. Install Occlum Installer and Toolchains Installer**
+```
+rpm -i occlum-sgx-tools-*.rpm
+rpm -i occlum-"$occlum_version"-*.rpm
+rpm -i occlum-pal-*.rpm
+rpm -i occlum-platform-*.rpm
+```
+
+Toolchains are needed when compile applications and also during runtime. Choose to install the toolchain installer based on the application's language. Currently, we only supports `C/C++`. More language toolchain installers are on the way. To install `C/C++` toolchain, just run the command:
+```
+rpm -i occlum-toolchains-gcc-*.rpm
+```
+
+To make the new installed binaries and libraries work, this command must be executed:
+```
+source /etc/profile
+```
+
+Finally, you are good to go!
+
+### Build DEB Installer
+TBD

tools/installer/rpm/Makefile

@@ -0,0 +1,78 @@
+CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+PROJECT_DIR := $(CUR_DIR)/../../..
+TARGET_DIR := $(abspath $(PROJECT_DIR)/build/rpms)
+
+MAJOR_VER_NUM = $(shell grep '\#define OCCLUM_MAJOR_VERSION' $(PROJECT_DIR)/src/pal/include/occlum_version.h |  awk '{print $$3}')
+MINOR_VER_NUM = $(shell grep '\#define OCCLUM_MINOR_VERSION' $(PROJECT_DIR)/src/pal/include/occlum_version.h |  awk '{print $$3}')
+PATCH_VER_NUM = $(shell grep '\#define OCCLUM_PATCH_VERSION' $(PROJECT_DIR)/src/pal/include/occlum_version.h |  awk '{print $$3}')
+VERSION_NUM := $(MAJOR_VER_NUM).$(MINOR_VER_NUM).$(PATCH_VER_NUM)
+
+RPM_FILELIST = occlum-filelist occlum-pal-filelist occlum-platform-filelist
+EXPORT_SCRIPT = occlum-pal.sh occlum-platform.sh
+
+GCC_PATCH = toolchains/gcc/musl-cross-make-disable-download.patch
+GCC_SCRIPT = toolchains/gcc/occlum-gcc.sh
+
+SGX_TOOLS_FILELIST = tools/occlum-sgx-tools-filelist
+
+PACKAGE_DIR = /tmp
+
+.PHONY: all main main_deps c/c++ deps_c tools clean
+
+all: tools main
+
+main: main_deps
+	@mkdir -p $(TARGET_DIR)
+	@rpmbuild -ba --define '_version $(VERSION_NUM)' occlum.spec
+	@mv $$HOME/rpmbuild $$HOME/rpmbuild-occlum
+	@cp $$HOME/rpmbuild-occlum/RPMS/x86_64/*.rpm $(TARGET_DIR)
+	@echo "$$(ls $$HOME/rpmbuild-occlum/RPMS/x86_64) can be found at $(TARGET_DIR)"
+
+main_deps: $$HOME/rpmbuild/SOURCES/$(firstword $(EXPORT_SCRIPT)) $(PACKAGE_DIR)/$(VERSION_NUM).tar.gz
+
+$$HOME/rpmbuild/SOURCES/$(firstword $(EXPORT_SCRIPT)):
+	@if [ -d $$HOME/rpmbuild ]; then \
+		mv $$HOME/rpmbuild $$HOME/rpmbuild-old-$$(date +%Y%m%d-%T); fi
+	@mkdir -p $$HOME/rpmbuild/{BUILD,RPMS,SPECS,SOURCES,SRPMS}
+	@cp -t $$HOME/rpmbuild/SOURCES $(RPM_FILELIST) $(EXPORT_SCRIPT)
+
+$(PACKAGE_DIR)/$(VERSION_NUM).tar.gz:
+	@cp -r $(PROJECT_DIR) $(PACKAGE_DIR)/occlum-$(VERSION_NUM)
+	@cd $(PACKAGE_DIR)/occlum-$(VERSION_NUM); \
+		git submodule deinit -f . ; \
+		rm -rf $(PACKAGE_DIR)/occlum-$(VERSION_NUM)/build
+	@cd $(PACKAGE_DIR) && tar -cvzf "$$HOME/rpmbuild/SOURCES/$(VERSION_NUM).tar.gz" occlum-$(VERSION_NUM)
+
+c/c++: deps_c
+	@rpmbuild -ba --define '_musl_version $(VERSION_NUM)' toolchains/gcc/occlum-toolchains-gcc.spec
+	@mv $$HOME/rpmbuild $$HOME/rpmbuild-occlum-toolchains-gcc
+	@cp $$HOME/rpmbuild-occlum-toolchains-gcc/RPMS/x86_64/*.rpm $(TARGET_DIR)
+	@echo "$$(ls $$HOME/rpmbuild-occlum-toolchains-gcc/RPMS/x86_64) can be found at $(TARGET_DIR)"
+
+deps_c: $$HOME/rpmbuild/SOURCES/$(GCC_PATCH)
+$$HOME/rpmbuild/SOURCES/$(GCC_PATCH):
+	@mkdir -p $(TARGET_DIR)
+	@yum install -y rpmdevtools wget
+	@if [ -d $$HOME/rpmbuild ]; then \
+		mv $$HOME/rpmbuild $$HOME/rpmbuild-old-$$(date +%Y%m%d-%T); fi
+	@mkdir -p $$HOME/rpmbuild/{BUILD,RPMS,SPECS,SOURCES,SRPMS}
+	@MUSL_VERSION=$(VERSION_NUM) toolchains/gcc/download_sources.sh
+	@spectool -g -R --define '_musl_version $(VERSION_NUM)' toolchains/gcc/occlum-toolchains-gcc.spec
+	@cp -t $$HOME/rpmbuild/SOURCES $(GCC_PATCH) $(GCC_SCRIPT)
+
+# TODO: Occlum specific SGX related tools and libraries should be put to a different place
+tools:
+	@mkdir -p $(TARGET_DIR)
+	@if [ -d $$HOME/rpmbuild ]; then \
+		mv $$HOME/rpmbuild $$HOME/rpmbuild-old-$$(date +%Y%m%d-%T); fi
+	@mkdir -p $$HOME/rpmbuild/{BUILD,RPMS,SPECS,SOURCES,SRPMS}
+	@cp -t $$HOME/rpmbuild/SOURCES $(SGX_TOOLS_FILELIST)
+	@rpmbuild -ba tools/occlum-sgx-tools.spec
+	@mv $$HOME/rpmbuild $$HOME/rpmbuild-occlum-sgx-tools
+	@cp $$HOME/rpmbuild-occlum-sgx-tools/RPMS/x86_64/*.rpm $(TARGET_DIR)
+	@echo "$$(ls $$HOME/rpmbuild-occlum-sgx-tools/RPMS/x86_64) can be found at $(TARGET_DIR)"
+
+clean:
+	@rm -rf $(PACKAGE_DIR)/occlum-$(VERSION_NUM)
+	@rm -rf $$HOME/rpmbuild $$HOME/rpmbuild-occlum-sgx-tools $$HOME/rpmbuild-occlum-toolchains-gcc $$HOME/rpmbuild-occlum
+	@rm -rf $(TARGET_DIR)

tools/installer/rpm/occlum-filelist

@@ -0,0 +1,11 @@
+/opt/occlum/build/bin/gen_enclave_conf
+/opt/occlum/build/bin/occlum-gen-default-occlum-json
+/opt/occlum/build/bin/occlum-protect-integrity
+/opt/occlum/build/bin/sefs-cli
+/opt/occlum/build/lib/libocclum-pal_sim.so*
+/opt/occlum/build/lib/libocclum-libos.so*
+/opt/occlum/build/lib/libocclum-libos_sim.so*
+/opt/occlum/build/lib/libsefs-cli.signed.so
+/opt/occlum/build/lib/occlum-protect-integrity.signed.so*
+/opt/occlum/etc/template/*
+/opt/occlum/include/*

tools/installer/rpm/occlum-pal-filelist

@@ -0,0 +1 @@
+/opt/occlum/build/lib/libocclum-pal.so*

tools/installer/rpm/occlum-pal.sh

@@ -0,0 +1 @@
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/occlum/build/lib

tools/installer/rpm/occlum-platform-filelist

@@ -0,0 +1,5 @@
+/opt/occlum/build/bin/occlum
+/opt/occlum/build/bin/occlum_build.mk
+/opt/occlum/build/bin/occlum-run
+/opt/occlum/build/bin/occlum_exec_client
+/opt/occlum/build/bin/occlum_exec_server

tools/installer/rpm/occlum-platform.sh

@@ -0,0 +1 @@
+export PATH="/opt/occlum/build/bin:$PATH"

tools/installer/rpm/occlum.spec

@@ -0,0 +1,94 @@
+%define centos_base_release 1
+
+%define _unpackaged_files_terminate_build 0
+%define sgxsdk_install_dir /opt/intel
+
+Name: occlum
+Version: %{_version}
+Release: %{centos_base_release}%{?dist}
+Summary: Memory-safe, multi-process library OS (LibOS) for Intel SGX
+Group: Development/Libraries
+License: BSD License
+URL: https://github.com/occlum/occlum
+Source0: https://github.com/occlum/occlum/archive/%{_version}.tar.gz
+Source10: occlum-pal.sh
+Source11: occlum-filelist
+Source12: occlum-pal-filelist
+Source13: occlum-platform-filelist
+SOURCE14: occlum-platform.sh
+
+ExclusiveArch: x86_64
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: cmake
+BuildRequires: libtool
+BuildRequires: ocaml
+BuildRequires: ocaml-ocamlbuild
+BuildRequires: python
+BuildRequires: openssl-devel
+BuildRequires: libcurl-devel
+BuildRequires: git
+BuildRequires: fuse-devel
+BuildRequires: fuse-libs
+
+%description
+Occlum is a memory-safe, multi-process library OS (LibOS) for Intel SGX.
+As a LibOS, it enables legacy applications to run on SGX with little or even no modifications of source code,
+thus protecting the confidentiality and integrity of user workloads transparently.
+
+%package pal
+Summary: Platform Abstraction Layer of Occlum enclave
+
+%description pal
+occlum-pal is the Platform Abstraction Layer of Occlum enclave.
+It provides interfaces to execute trused applications inside enclave.
+
+%package platform
+Summary: Platform Abstraction Layer command for occlum enclave
+
+%description platform
+occlum-platform contains command for occlum enclave.
+
+%prep
+%setup -q -c -n %{name}-%{_version}
+
+%build
+# build occlum
+cd %{?_builddir}/%{name}-%{_version}/occlum-%{_version}
+NOT_GIT=true make submodule
+
+%install
+# set sgxsdk env
+source %{sgxsdk_install_dir}/sgxsdk/environment
+
+cd occlum-%{_version}
+OCCLUM_RELEASE_BUILD=1 make
+OCCLUM_PREFIX=%{?buildroot}/opt/occlum make install
+
+# install occlum-pal.sh
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/profile.d
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+
+%files -f %{SOURCE11}
+
+%files pal -f %{SOURCE12}
+/etc/profile.d/occlum-pal.sh
+
+%files platform -f %{SOURCE13}
+/etc/profile.d/occlum-platform.sh
+
+%post pal
+echo 'Please execute command "source /etc/profile" to validate envs immediately'
+
+%post platform
+echo 'Please execute command "source /etc/profile" to validate envs immediately'
+
+%changelog
+* Mon Aug 03 2020 Chunyang Hui <sanqian.hcy@antfin.com> - 0.14.0-1
+- Integrate with Occlum
+- Remove sgxsdk installation
+
+* Mon Jul 20 2020 Chunmei Xu <xuchunmei@linux.alibaba.com> - 0.14.0-0
+- Initial commit

tools/installer/rpm/toolchains/gcc/download_sources.sh

@@ -0,0 +1,14 @@
+#! /bin/bash
+set -e
+
+yum install -y wget
+
+# Get musl-cross-make config file
+CONFIG_SUB_REV=3d5db9ebe860
+wget -O $HOME/rpmbuild/SOURCES/config.sub "http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=$CONFIG_SUB_REV"
+
+if [ ! -f "$HOME/rpmbuild/SOURCES/musl-$MUSL_VERSION.tar.gz" ]; then
+    wget -O $HOME/rpmbuild/SOURCES/musl-$MUSL_VERSION.tar.gz https://github.com/occlum/musl/archive/$MUSL_VERSION.tar.gz
+else
+    echo "musl-$MUSL_VERSION.tar.gz already exists, skipping download"
+fi

tools/installer/rpm/toolchains/gcc/musl-cross-make-disable-download.patch

@@ -0,0 +1,65 @@
+diff --git a/Makefile b/Makefile
+index 3d688f7..9049901 100644
+--- a/Makefile
++++ b/Makefile
+@@ -57,24 +57,24 @@ distclean: clean
+ 
+ ifeq ($(SOURCES),sources)
+ 
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/gmp*)): SITE = $(GMP_SITE)
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/mpc*)): SITE = $(MPC_SITE)
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/mpfr*)): SITE = $(MPFR_SITE)
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/isl*)): SITE = $(ISL_SITE)
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/binutils*)): SITE = $(BINUTILS_SITE)
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/gcc*)): SITE = $(GCC_SITE)/$(basename $(basename $(notdir $@)))
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/musl*)): SITE = $(MUSL_SITE)
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-4*)): SITE = $(LINUX_SITE)/v4.x
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-3*)): SITE = $(LINUX_SITE)/v3.x
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-2.6*)): SITE = $(LINUX_SITE)/v2.6
+-$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-headers-*)): SITE = $(LINUX_HEADERS_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/gmp*)): SITE = $(GMP_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/mpc*)): SITE = $(MPC_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/mpfr*)): SITE = $(MPFR_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/isl*)): SITE = $(ISL_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/binutils*)): SITE = $(BINUTILS_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/gcc*)): SITE = $(GCC_SITE)/$(basename $(basename $(notdir $@)))
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/musl*)): SITE = $(MUSL_SITE)
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-4*)): SITE = $(LINUX_SITE)/v4.x
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-3*)): SITE = $(LINUX_SITE)/v3.x
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-2.6*)): SITE = $(LINUX_SITE)/v2.6
++#$(patsubst hashes/%.sha1,$(SOURCES)/%,$(wildcard hashes/linux-headers-*)): SITE = $(LINUX_HEADERS_SITE)
+ 
+ $(SOURCES):
+ 	mkdir -p $@
+ 
+ $(SOURCES)/config.sub: | $(SOURCES)
+ 	mkdir -p $@.tmp
+-	cd $@.tmp && $(DL_CMD) $(notdir $@) "http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=$(CONFIG_SUB_REV)"
++#	cd $@.tmp && $(DL_CMD) $(notdir $@) "http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=$(CONFIG_SUB_REV)"
+ 	cd $@.tmp && touch $(notdir $@)
+ 	cd $@.tmp && sha1sum -c $(CURDIR)/hashes/$(notdir $@).$(CONFIG_SUB_REV).sha1
+ 	mv $@.tmp/$(notdir $@) $@
+@@ -82,7 +82,7 @@ $(SOURCES)/config.sub: | $(SOURCES)
+ 
+ $(SOURCES)/%: hashes/%.sha1 | $(SOURCES)
+ 	mkdir -p $@.tmp
+-	cd $@.tmp && $(DL_CMD) $(notdir $@) $(SITE)/$(notdir $@)
++#	cd $@.tmp && $(DL_CMD) $(notdir $@) $(SITE)/$(notdir $@)
+ 	cd $@.tmp && touch $(notdir $@)
+ 	cd $@.tmp && sha1sum -c $(CURDIR)/hashes/$(notdir $@).sha1
+ 	mv $@.tmp/$(notdir $@) $@
+@@ -94,11 +94,9 @@ endif
+ # Rules for extracting and patching sources, or checking them out from git.
+ 
+ musl-git-%:
+-	rm -rf $@.tmp
+-	git clone -b $(patsubst musl-git-%,%,$@) $(MUSL_REPO) $@.tmp
+-	cd $@.tmp && git fsck
+-	mv $@.tmp $@
+-
++#	rm -rf $@.tmp
++#	git clone -b $(patsubst musl-git-%,%,$@) $(MUSL_REPO) $@.tmp
++	cd $@ && git fsck
+ %.orig: $(SOURCES)/%.tar.gz
+ 	case "$@" in */*) exit 1 ;; esac
+ 	rm -rf $@.tmp

tools/installer/rpm/toolchains/gcc/occlum-gcc.sh

@@ -0,0 +1 @@
+export PATH="$PATH:/usr/local/occlum/bin"

tools/installer/rpm/toolchains/gcc/occlum-toolchains-gcc.spec

@@ -0,0 +1,127 @@
+%define centos_base_release 1
+
+%define GCC_VER 8.3.0
+%define TARGET x86_64-linux-musl
+%define INSTALL_DIR /opt/occlum/toolchains/gcc
+
+# to skip no build id error
+%undefine _missing_build_ids_terminate_build
+
+Name: occlum-toolchains-gcc
+Version: %{_musl_version}
+Release: %{centos_base_release}%{?dist}
+Summary: occlum toolchains gcc
+
+Group: Development/Libraries
+License: BSD License
+URL: https://github.com/occlum/occlum
+Source0: https://github.com/occlum/occlum/archive/%{_musl_version}.tar.gz
+Source1: https://github.com/richfelker/musl-cross-make/archive/v0.9.9.tar.gz
+Source2: https://ftp.gnu.org/pub/gnu/gcc/gcc-%{GCC_VER}/gcc-%{GCC_VER}.tar.xz
+Source3: config.sub
+Source4: https://ftp.gnu.org/pub/gnu/binutils/binutils-2.33.1.tar.xz
+Source5: https://ftp.gnu.org/pub/gnu/gmp/gmp-6.1.2.tar.bz2
+Source6: https://ftp.gnu.org/pub/gnu/mpc/mpc-1.1.0.tar.gz
+Source7: https://ftp.gnu.org/pub/gnu/mpfr/mpfr-4.0.2.tar.bz2
+Source8: https://ftp.barfooze.de/pub/sabotage/tarballs/linux-headers-4.19.88.tar.xz
+# Get Source9 from download script
+Source9: musl-%{_musl_version}.tar.gz
+Source10: occlum-gcc.sh
+
+Patch0: musl-cross-make-disable-download.patch
+
+ExclusiveArch: x86_64
+
+BuildRequires: git
+BuildRequires: devtoolset-9-gcc-c++
+
+%description
+Occlum toolchains gcc
+
+%prep
+%setup -q -c -n %{name}-%{version}
+%setup -q -T -D -a 1
+
+# This patch replaces syscall instruction with libc's syscall wrapper
+cp occlum-%{version}/tools/toolchains/gcc/0014-libgomp-*.diff musl-cross-make-0.9.9/patches/gcc-%{GCC_VER}/
+
+pushd musl-cross-make-0.9.9
+mkdir -p sources/gcc-%{GCC_VER}.tar.xz.tmp && cp %{SOURCE2} sources/gcc-%{GCC_VER}.tar.xz.tmp
+mkdir -p sources/config.sub.tmp && cp %{SOURCE3} sources/config.sub.tmp
+mkdir -p sources/binutils-2.33.1.tar.xz.tmp && cp %{SOURCE4} sources/binutils-2.33.1.tar.xz.tmp
+mkdir -p sources/gmp-6.1.2.tar.bz2.tmp && cp %{SOURCE5} sources/gmp-6.1.2.tar.bz2.tmp
+mkdir -p sources/mpc-1.1.0.tar.gz.tmp && cp %{SOURCE6} sources/mpc-1.1.0.tar.gz.tmp
+mkdir -p sources/mpfr-4.0.2.tar.bz2.tmp && cp %{SOURCE7} sources/mpfr-4.0.2.tar.bz2.tmp
+mkdir -p sources/linux-headers-4.19.88.tar.xz.tmp && cp %{SOURCE8} sources/linux-headers-4.19.88.tar.xz.tmp
+tar xf %{SOURCE9}
+%patch0 -p1
+popd
+
+%build
+source /opt/rh/devtoolset-9/enable
+cd musl-cross-make-0.9.9
+cat > config.mak <<EOF
+TARGET = %{TARGET}
+COMMON_CONFIG += CFLAGS="-fPIC" CXXFLAGS="-fPIC" LDFLAGS="-pie"
+GCC_VER = %{GCC_VER}
+MUSL_VER = %{_musl_version}
+EOF
+make %{?_smp_mflags}
+
+%install
+mkdir -p %{buildroot}%{INSTALL_DIR}
+cd musl-cross-make-0.9.9
+make install OUTPUT=%{buildroot}%{INSTALL_DIR}
+
+# Generate the wrappers for executables
+cat > %{buildroot}%{INSTALL_DIR}/bin/occlum-gcc <<EOF
+#!/bin/bash
+%{INSTALL_DIR}/bin/%{TARGET}-gcc -fPIC -pie -Wl,-rpath,%{INSTALL_DIR}/%{TARGET}/lib "\$@"
+EOF
+
+cat > %{buildroot}%{INSTALL_DIR}/bin/occlum-g++ <<EOF
+#!/bin/bash
+%{INSTALL_DIR}/bin/%{TARGET}-g++ -fPIC -pie -Wl,-rpath,%{INSTALL_DIR}/%{TARGET}/lib "\$@"
+EOF
+
+cat > %{buildroot}%{INSTALL_DIR}/bin/occlum-ld <<EOF
+#!/bin/bash
+%{INSTALL_DIR}/bin/%{TARGET}-ld -pie -rpath %{INSTALL_DIR}/%{TARGET}/lib "\$@"
+EOF
+
+chmod +x %{buildroot}%{INSTALL_DIR}/bin/occlum-gcc
+chmod +x %{buildroot}%{INSTALL_DIR}/bin/occlum-g++
+chmod +x %{buildroot}%{INSTALL_DIR}/bin/occlum-ld
+
+mkdir -p %{buildroot}/lib
+pushd %{buildroot}/lib
+ln -sf %{INSTALL_DIR}/%{TARGET}/lib/libc.so ld-musl-x86_64.so.1
+popd
+mkdir -p %{buildroot}/usr/local
+pushd %{buildroot}/usr/local
+ln -sf %{INSTALL_DIR} occlum
+popd
+pushd %{buildroot}%{INSTALL_DIR}/bin
+ln -sf %{INSTALL_DIR}/bin/x86_64-linux-musl-gcc-ar occlum-ar
+ln -sf %{INSTALL_DIR}/bin/x86_64-linux-musl-strip occlum-strip
+popd
+
+# install occlum-gcc.sh
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/profile.d
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+
+%files
+/opt/occlum/toolchains/gcc/*
+/usr/local/occlum
+/lib/ld-musl-x86_64.so.1
+/etc/profile.d/occlum-gcc.sh
+
+%post
+echo 'Please execute command "source /etc/profile" to validate envs immediately'
+
+%changelog
+* Wed Aug 05 2020 Chunyang Hui <sanqian.hcy@antfin.com> - 0.14.0-1
+- Integrate with Occlum
+
+* Mon Jul 20 2020 Chunmei Xu <xuchunmei@linux.alibaba.com> - 0.14.0-0
+- Package init

tools/installer/rpm/tools/occlum-sgx-tools-filelist

@@ -0,0 +1,7 @@
+/opt/intel/sgxsdk/lib64/libsgx_uae_service_sim.so
+/opt/intel/sgxsdk/sdk_libs/libsgx_uae_service_sim.so
+/opt/intel/sgxsdk/lib64/libsgx_ptrace.so
+/opt/intel/sgxsdk/lib64/gdb-sgx-plugin/*
+/opt/intel/sgxsdk/bin/sgx-gdb
+/opt/intel/sgxsdk/bin/x64/sgx_sign
+/opt/intel/sgxsdk/environment

tools/installer/rpm/tools/occlum-sgx-tools.spec

@@ -0,0 +1,29 @@
+%define centos_base_release 1
+
+Name: occlum-sgx-tools
+Version: 0.14.0
+Release: %{centos_base_release}%{?dist}
+Summary: Occlum sgx tools
+
+Group: Development/Libraries
+License: BSD License
+URL: https://github.com/occlum/occlum
+Source0: occlum-sgx-tools-filelist
+
+ExclusiveArch: x86_64
+
+%description
+Occlum sgx tools used during `occlum build` and `occlum gdb`
+
+%prep
+mkdir -p %{?buildroot}
+cp --parents /opt/intel/sgxsdk/lib64/{libsgx_ptrace.so,libsgx_uae_service_sim.so} %{?buildroot}
+cp --parents /opt/intel/sgxsdk/lib64/gdb-sgx-plugin/* %{?buildroot}
+cp --parents /opt/intel/sgxsdk/{bin/sgx-gdb,bin/x64/sgx_sign,environment,sdk_libs/libsgx_uae_service_sim.so} %{?buildroot}
+
+%files
+%files -f %{SOURCE0}
+
+%changelog
+* Wed Aug 05 2020 Chunyang Hui <sanqian.hcy@antfin.com> - 0.14.0-1
+- Package init

tools/protect-integrity/Makefile

@@ -53,7 +53,9 @@ endif
 ######## App Settings ########
 
 ifneq ($(SGX_MODE), HW)
-	URTS_LIBRARY_NAME := sgx_urts_sim
+	# Tools are built in simulation mode by default and should be built with sgx_urts_sim_with_se_event
+	# to resolve undefined symbols
+	URTS_LIBRARY_NAME := sgx_urts_sim_with_se_event
 else
 	URTS_LIBRARY_NAME := sgx_urts
 endif
@@ -78,7 +80,9 @@ else
 endif
 
 APP_CPP_FLAGS := $(APP_C_FLAGS) -std=c++11
-APP_LINK_FLAGS := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(URTS_LIBRARY_NAME) -lsgx_uprotected_fs -lpthread
+APP_LINK_FLAGS := $(SGX_COMMON_CFLAGS) -lpthread -L$(SGX_LIBRARY_PATH) -Wl,-Bstatic -l$(URTS_LIBRARY_NAME) -Wl,-Bdynamic
+
+APP_LINK_FLAGS += -lsgx_uprotected_fs -ldl -lcrypto
 
 ifneq ($(SGX_MODE), HW)
 	APP_LINK_FLAGS += -lsgx_uae_service_sim

tools/toolchains/gcc/build.sh

@@ -17,7 +17,7 @@ cd ${BUILD_DIR}
 # Download musl-cross-make project
 git clone https://github.com/richfelker/musl-cross-make
 cd musl-cross-make
-git checkout d969dea983a2cc54a1e0308a0cdeb6c3307e4bfa
+git checkout v0.9.9
 
 # Let musl-cross-make build for x86-64 Linux
 TARGET=x86_64-linux-musl