Support running enclaves in SGX release mode.
* 'occlum init' does not copy signing key file any more. * 'occlum build' supports to set signing key and signing tool in args. * 'occlum run' supports to run enclave in sgx release mode.
This commit is contained in:
LI Qing
Tate, Hongliang Tian
parent
68e02962d5
commit
d8d51fcfd4
@ -8,6 +8,7 @@
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#include <strings.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <sys/syscall.h>
|
#include <sys/syscall.h>
|
||||||
@ -113,19 +114,25 @@ static sgx_errlist_t sgx_errlist[] = {
|
|||||||
"Can't open enclave file.",
|
"Can't open enclave file.",
|
||||||
NULL
|
NULL
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
SGX_ERROR_SERVICE_INVALID_PRIVILEGE,
|
||||||
|
"Enclave has no privilege to get run in the release mode.",
|
||||||
|
"Please rebuild the Occlum enclave with a legal signing key "
|
||||||
|
"(e.g., occlum build --sign-key <key_path>), "
|
||||||
|
"to get a legal signing key, please contact Intel."
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Check error conditions for loading enclave */
|
/* Check error conditions for loading enclave */
|
||||||
static void print_error_message(sgx_status_t ret)
|
static void print_error_message(sgx_status_t ret) {
|
||||||
{
|
|
||||||
size_t idx = 0;
|
size_t idx = 0;
|
||||||
size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
|
size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
|
||||||
|
|
||||||
for (idx = 0; idx < ttl; idx++) {
|
for (idx = 0; idx < ttl; idx++) {
|
||||||
if(ret == sgx_errlist[idx].err) {
|
if(ret == sgx_errlist[idx].err) {
|
||||||
|
printf("Error: %s\n", sgx_errlist[idx].msg);
|
||||||
if(NULL != sgx_errlist[idx].sug)
|
if(NULL != sgx_errlist[idx].sug)
|
||||||
printf("Info: %s\n", sgx_errlist[idx].sug);
|
printf("Info: %s\n", sgx_errlist[idx].sug);
|
||||||
printf("Error: %s\n", sgx_errlist[idx].msg);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -146,6 +153,20 @@ static const char* get_enclave_absolute_path() {
|
|||||||
return (const char*)enclave_path;
|
return (const char*)enclave_path;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Get enclave debug flag according to env "OCCLUM_RELEASE_ENCLAVE" */
|
||||||
|
static int get_enclave_debug_flag() {
|
||||||
|
const char* release_enclave_val = getenv("OCCLUM_RELEASE_ENCLAVE");
|
||||||
|
if (release_enclave_val) {
|
||||||
|
if (!strcmp(release_enclave_val, "1") ||
|
||||||
|
!strcasecmp(release_enclave_val, "y") ||
|
||||||
|
!strcasecmp(release_enclave_val, "yes") ||
|
||||||
|
!strcasecmp(release_enclave_val, "true")) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
/* Initialize the enclave:
|
/* Initialize the enclave:
|
||||||
* Step 1: try to retrieve the launch token saved by last transaction
|
* Step 1: try to retrieve the launch token saved by last transaction
|
||||||
* Step 2: call sgx_create_enclave to initialize an enclave instance
|
* Step 2: call sgx_create_enclave to initialize an enclave instance
|
||||||
@ -192,7 +213,8 @@ static int initialize_enclave()
|
|||||||
/* Step 2: call sgx_create_enclave to initialize an enclave instance */
|
/* Step 2: call sgx_create_enclave to initialize an enclave instance */
|
||||||
/* Debug Support: set 2nd parameter to 1 */
|
/* Debug Support: set 2nd parameter to 1 */
|
||||||
const char* enclave_path = get_enclave_absolute_path();
|
const char* enclave_path = get_enclave_absolute_path();
|
||||||
ret = sgx_create_enclave(enclave_path, SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
|
int sgx_debug_flag = get_enclave_debug_flag();
|
||||||
|
ret = sgx_create_enclave(enclave_path, sgx_debug_flag, &token, &updated, &global_eid, NULL);
|
||||||
if (ret != SGX_SUCCESS) {
|
if (ret != SGX_SUCCESS) {
|
||||||
print_error_message(ret);
|
print_error_message(ret);
|
||||||
if (fp != NULL) fclose(fp);
|
if (fp != NULL) fclose(fp);
|
||||||
|
|||||||
39
tools/occlum
39
tools/occlum
@ -7,14 +7,24 @@ working_dir=`pwd`
|
|||||||
context_dir="$working_dir/.occlum"
|
context_dir="$working_dir/.occlum"
|
||||||
|
|
||||||
SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}"
|
SGX_SDK="${SGX_SDK:-/opt/intel/sgxsdk}"
|
||||||
|
ENCLAVE_SIGN_TOOL="$SGX_SDK/bin/x64/sgx_sign"
|
||||||
|
ENCLAVE_SIGN_KEY="$occlum_dir/etc/template/Enclave.pem"
|
||||||
|
|
||||||
|
exit_error() {
|
||||||
|
echo "Error: $@" >&2
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
report_arg_error() {
|
report_arg_error() {
|
||||||
echo $1
|
echo $1 >&2
|
||||||
echo ""
|
echo ""
|
||||||
echo "Usage:"
|
echo "Usage:"
|
||||||
echo " occlum init"
|
echo " occlum init"
|
||||||
echo " occlum build"
|
echo " occlum build [--sign-key <key_path>] [--sign-tool <tool_path>]"
|
||||||
echo " occlum run <program_name> <program_args>"
|
echo " occlum run <program_name> <program_args>"
|
||||||
|
echo ""
|
||||||
|
echo " Run enclave in sgx release mode:"
|
||||||
|
echo " OCCLUM_RELEASE_ENCLAVE=1 occlum run <program_name> <program_args>"
|
||||||
}
|
}
|
||||||
|
|
||||||
get_conf_default_stack_size() {
|
get_conf_default_stack_size() {
|
||||||
@ -74,8 +84,8 @@ cmd_init() {
|
|||||||
"$occlum_gcc_lib/libgcc_s.so.1" \
|
"$occlum_gcc_lib/libgcc_s.so.1" \
|
||||||
"$occlum_gcc_lib/libgomp.so.1"
|
"$occlum_gcc_lib/libgomp.so.1"
|
||||||
|
|
||||||
cp "$occlum_dir"/etc/template/* "$working_dir"/
|
cp "$occlum_dir"/etc/template/Enclave.xml "$working_dir"/
|
||||||
chmod 644 "$working_dir"/Enclave.pem
|
cp "$occlum_dir"/etc/template/Occlum.json "$working_dir"/
|
||||||
chmod 644 "$working_dir"/Enclave.xml
|
chmod 644 "$working_dir"/Enclave.xml
|
||||||
chmod 644 "$working_dir"/Occlum.json
|
chmod 644 "$working_dir"/Occlum.json
|
||||||
|
|
||||||
@ -130,13 +140,22 @@ cmd_build() {
|
|||||||
cd src/libos && \
|
cd src/libos && \
|
||||||
make clean-builtin && \
|
make clean-builtin && \
|
||||||
make "$context_dir/build/lib/libocclum.so" ONLY_REBUILD_BUILTIN=1
|
make "$context_dir/build/lib/libocclum.so" ONLY_REBUILD_BUILTIN=1
|
||||||
|
while [ -n "$1" ]; do
|
||||||
$SGX_SDK/bin/x64/sgx_sign sign \
|
case "$1" in
|
||||||
-key "$working_dir/Enclave.pem" \
|
--sign-key) [ -n "$2" ] && ENCLAVE_SIGN_KEY=$2 ; shift 2 || exit_error "empty signing key path" ;;
|
||||||
|
--sign-tool) [ -n "$2" ] && ENCLAVE_SIGN_TOOL=$2 ; shift 2 || exit_error "empty signing tool path" ;;
|
||||||
|
*) exit_error "Unknown option: $1" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
[ -e "$ENCLAVE_SIGN_KEY" ] || exit_error "invalid signing key path: $ENCLAVE_SIGN_KEY"
|
||||||
|
[ -e "$ENCLAVE_SIGN_TOOL" ] || exit_error "invalid signing tool path: $ENCLAVE_SIGN_TOOL"
|
||||||
|
echo "Enclave sign-tool: $ENCLAVE_SIGN_TOOL"
|
||||||
|
echo "Enclave sign-key: $ENCLAVE_SIGN_KEY"
|
||||||
|
$ENCLAVE_SIGN_TOOL sign \
|
||||||
|
-key $ENCLAVE_SIGN_KEY \
|
||||||
-config "$working_dir/Enclave.xml" \
|
-config "$working_dir/Enclave.xml" \
|
||||||
-enclave "$context_dir/build/lib/libocclum.so" \
|
-enclave "$context_dir/build/lib/libocclum.so" \
|
||||||
-out "$context_dir/build/lib/libocclum.signed.so" \
|
-out "$context_dir/build/lib/libocclum.signed.so"
|
||||||
|
|
||||||
cd "$context_dir"
|
cd "$context_dir"
|
||||||
echo "built" > status
|
echo "built" > status
|
||||||
|
|
||||||
@ -170,7 +189,7 @@ case "$cmd" in
|
|||||||
cmd_init
|
cmd_init
|
||||||
;;
|
;;
|
||||||
build)
|
build)
|
||||||
cmd_build
|
cmd_build "${@:2}"
|
||||||
;;
|
;;
|
||||||
run)
|
run)
|
||||||
cmd_run "${@:2}"
|
cmd_run "${@:2}"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user