From d8d51fcfd403739f769881039ada9ba94ea9eefd Mon Sep 17 00:00:00 2001
From: LI Qing <geding.lq@alibaba-inc.com>
Date: Thu, 10 Oct 2019 07:37:50 +0000
Subject: [PATCH] Support running enclaves in SGX release mode.

* 'occlum init' does not copy signing key file any more.
* 'occlum build' supports to set signing key and signing tool in args.
* 'occlum run' supports to run enclave in sgx release mode.
---
 src/pal/pal.c | 30 ++++++++++++++++++++++++++----
 tools/occlum  | 39 +++++++++++++++++++++++++++++----------
 2 files changed, 55 insertions(+), 14 deletions(-)

diff --git a/src/pal/pal.c b/src/pal/pal.c
index cd569feb..7cca922a 100644
--- a/src/pal/pal.c
+++ b/src/pal/pal.c
@@ -8,6 +8,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <strings.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
@@ -113,19 +114,25 @@ static sgx_errlist_t sgx_errlist[] = {
         "Can't open enclave file.",
         NULL
     },
+    {
+        SGX_ERROR_SERVICE_INVALID_PRIVILEGE,
+        "Enclave has no privilege to get run in the release mode.",
+        "Please rebuild the Occlum enclave with a legal signing key "
+        "(e.g., occlum build --sign-key <key_path>), "
+        "to get a legal signing key, please contact Intel."
+    },
 };
 
 /* Check error conditions for loading enclave */
-static void print_error_message(sgx_status_t ret)
-{
+static void print_error_message(sgx_status_t ret) {
     size_t idx = 0;
     size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
 
     for (idx = 0; idx < ttl; idx++) {
         if(ret == sgx_errlist[idx].err) {
+            printf("Error: %s\n", sgx_errlist[idx].msg);
             if(NULL != sgx_errlist[idx].sug)
                 printf("Info: %s\n", sgx_errlist[idx].sug);
-            printf("Error: %s\n", sgx_errlist[idx].msg);
             break;
         }
     }
@@ -146,6 +153,20 @@ static const char* get_enclave_absolute_path() {
     return (const char*)enclave_path;
 }
 
+/* Get enclave debug flag according to env "OCCLUM_RELEASE_ENCLAVE" */
+static int get_enclave_debug_flag() {
+    const char* release_enclave_val = getenv("OCCLUM_RELEASE_ENCLAVE");
+    if (release_enclave_val) {
+        if (!strcmp(release_enclave_val, "1") ||
+            !strcasecmp(release_enclave_val, "y") ||
+            !strcasecmp(release_enclave_val, "yes") ||
+            !strcasecmp(release_enclave_val, "true")) {
+            return 0;
+        }
+    }
+    return 1;
+}
+
 /* Initialize the enclave:
  *   Step 1: try to retrieve the launch token saved by last transaction
  *   Step 2: call sgx_create_enclave to initialize an enclave instance
@@ -192,7 +213,8 @@ static int initialize_enclave()
     /* Step 2: call sgx_create_enclave to initialize an enclave instance */
     /* Debug Support: set 2nd parameter to 1 */
     const char* enclave_path = get_enclave_absolute_path();
-    ret = sgx_create_enclave(enclave_path, SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
+    int sgx_debug_flag = get_enclave_debug_flag();
+    ret = sgx_create_enclave(enclave_path, sgx_debug_flag, &token, &updated, &global_eid, NULL);
     if (ret != SGX_SUCCESS) {
         print_error_message(ret);
         if (fp != NULL) fclose(fp);
diff --git a/tools/occlum b/tools/occlum
index 728b565b..78c133a6 100755
--- a/tools/occlum
+++ b/tools/occlum
@@ -7,14 +7,24 @@ working_dir=`pwd`
 context_dir="$working_dir/.occlum"
 
 SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}"
+ENCLAVE_SIGN_TOOL="$SGX_SDK/bin/x64/sgx_sign"
+ENCLAVE_SIGN_KEY="$occlum_dir/etc/template/Enclave.pem"
+
+exit_error() {
+    echo "Error: $@" >&2
+    exit 1
+}
 
 report_arg_error() {
-    echo $1
+    echo $1 >&2
     echo ""
     echo "Usage:"
     echo "    occlum init"
-    echo "    occlum build"
+    echo "    occlum build [--sign-key <key_path>] [--sign-tool <tool_path>]"
     echo "    occlum run <program_name> <program_args>"
+    echo ""
+    echo "    Run enclave in sgx release mode:"
+    echo "        OCCLUM_RELEASE_ENCLAVE=1 occlum run <program_name> <program_args>"
 }
 
 get_conf_default_stack_size() {
@@ -74,8 +84,8 @@ cmd_init() {
         "$occlum_gcc_lib/libgcc_s.so.1" \
         "$occlum_gcc_lib/libgomp.so.1"
 
-    cp "$occlum_dir"/etc/template/* "$working_dir"/
-    chmod 644 "$working_dir"/Enclave.pem
+    cp "$occlum_dir"/etc/template/Enclave.xml "$working_dir"/
+    cp "$occlum_dir"/etc/template/Occlum.json "$working_dir"/
     chmod 644 "$working_dir"/Enclave.xml
     chmod 644 "$working_dir"/Occlum.json
 
@@ -130,13 +140,22 @@ cmd_build() {
     cd src/libos && \
         make clean-builtin && \
         make "$context_dir/build/lib/libocclum.so" ONLY_REBUILD_BUILTIN=1
-
-    $SGX_SDK/bin/x64/sgx_sign sign \
-        -key "$working_dir/Enclave.pem" \
+    while [ -n "$1" ]; do
+        case "$1" in
+        --sign-key)     [ -n "$2" ] && ENCLAVE_SIGN_KEY=$2 ; shift 2 || exit_error "empty signing key path"     ;;
+        --sign-tool)    [ -n "$2" ] && ENCLAVE_SIGN_TOOL=$2 ; shift 2 || exit_error "empty signing tool path"   ;;
+        *) exit_error "Unknown option: $1"                                                                      ;;
+        esac
+    done
+    [ -e "$ENCLAVE_SIGN_KEY" ] || exit_error "invalid signing key path: $ENCLAVE_SIGN_KEY"
+    [ -e "$ENCLAVE_SIGN_TOOL" ] || exit_error "invalid signing tool path: $ENCLAVE_SIGN_TOOL"
+    echo "Enclave sign-tool: $ENCLAVE_SIGN_TOOL"
+    echo "Enclave sign-key: $ENCLAVE_SIGN_KEY"
+    $ENCLAVE_SIGN_TOOL sign \
+        -key $ENCLAVE_SIGN_KEY \
         -config "$working_dir/Enclave.xml" \
         -enclave "$context_dir/build/lib/libocclum.so" \
-        -out "$context_dir/build/lib/libocclum.signed.so" \
-
+        -out "$context_dir/build/lib/libocclum.signed.so"
     cd "$context_dir"
     echo "built" > status
 
@@ -170,7 +189,7 @@ case "$cmd" in
         cmd_init
         ;;
     build)
-        cmd_build
+        cmd_build "${@:2}"
         ;;
     run)
         cmd_run "${@:2}"