Merge pull request 'Update README' (#1) from noormohammedb/detee-occlum:fix_readme into main

fixed occlum_utils library installation scripts
correct repository clone URL

Reviewed-on: SGX/occlum#1
Reviewed-by: Valentyn Faychuk <valy@detee.ltd>

.github/workflows/demo_test.yml

@@ -82,8 +82,7 @@ jobs:
       run: docker exec ${{ github.job }} bash -c "cd /root/occlum/tools/toolchains/golang && ./build.sh go1.18.4_for_occlum && cd /root/occlum/demos/golang/go_sqlite/ && SGX_MODE=SIM ./run_go_sqlite_demo.sh"
 
     - name: Go Server set up and run
-      run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/golang/web_server && occlum-go mod init web_server && occlum-go get -u -v github.com/gin-gonic/gin;
+      run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/golang/web_server && ./build.sh;
-            occlum-go build -o web_server ./web_server.go;
             SGX_MODE=SIM ./run_golang_on_occlum.sh" &
 
     - name: Set up Golang grpc pingpong test

.github/workflows/hw_mode_test.yml

@@ -142,8 +142,7 @@ jobs:
 
     - name: Go server set up and run
       run: docker exec ${{ env.CONTAINER_NAME }} bash -c "export GO111MODULE=on;
-            cd /root/occlum/demos/golang/web_server && occlum-go mod init web_server && occlum-go get -u -v github.com/gin-gonic/gin;
+            cd /root/occlum/demos/golang/web_server && ./build.sh;
-            occlum-go build -o web_server ./web_server.go;
             ./run_golang_on_occlum.sh" &
 
     - name: Set up Golang grpc pingpong test

.gitignore

@@ -6,3 +6,9 @@ build/
 .DS_Store
 src/libos/target/
 tools/toolchains/dcap_lib/target/
+
+# Added by DeTEE
+**/target
+**/Cargo.lock
+.idea
+

README.md

@@ -64,3 +64,27 @@ Thanks go to [all these wonderful contributors to this project](CONTRIBUTORS.md)
 ## License
 
 Occlum is released under BSD License. See the copyright information [here](LICENSE).
+
+## DeTEE
+
+Occlum is a part of the DeTEE project. DeTEE is a research project that aims to provide a secure and efficient computing environment for data-intensive applications.
+
+```bash
+# Run the occlum ubuntu 20.04 docker container
+docker run --device /dev/sgx/enclave --device /dev/sgx/provision --rm --name valytest -it -v /home/vfaychuk:/root/vfaychuk occlum/occlum:latest-ubuntu20.04
+# inside the container run the following commands
+apt update && apt install -y ssh-client
+mkdir -p /root/.ssh && vim /root/.ssh/config
+#Host gitea.detee.cloud
+#     IdentityFile ~/.ssh/gitea_ed25519
+vim /root/.ssh/gitea_ed25519
+# put the server private key to download the repo
+chown -R root:root /root/.ssh
+chmod 600 /root/.ssh/gitea_ed25519
+ssh-keyscan -H gitea.detee.cloud > ~/.ssh/known_hosts
+git clone git@gitea.detee.cloud:SGX/occlum.git
+cd occlum && make submodule
+cd tools/toolchains/utils_lib/
+# following command installs the utils library which can derive sealing key of the enclave
+./build.sh
+```

demos/golang/grpc_pingpong/prepare_ping_pong.sh

@@ -54,9 +54,9 @@ fi
 if ! type "protoc-gen-go-grpc" > /dev/null 2>&1; then
 	if [[ $GOVERSION != 'go1.16.3' ]];then
 	occlum-go get google.golang.org/grpc/cmd/protoc-gen-go-grpc
-	occlum-go install google.golang.org/grpc/cmd/protoc-gen-go-grpc
+	occlum-go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
 	else
-	occlum-go get google.golang.org/grpc/cmd/protoc-gen-go-grpc
+	occlum-go get google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
 	fi
 fi
 

demos/golang/grpc_pingpong/run_ping_on_occlum.sh

@@ -19,10 +19,7 @@ occlum init
 new_json="$(jq '.resource_limits.user_space_size = "1MB" |
 	.resource_limits.user_space_max_size = "800MB" |
 	.resource_limits.kernel_space_heap_size="1MB" |
-	.resource_limits.kernel_space_heap_max_size="40MB" |
+	.resource_limits.kernel_space_heap_max_size="80MB"  ' Occlum.json)" && \
-	.resource_limits.kernel_space_stack_size="1MB" |
-	.process.default_stack_size = "1MB" |
-	.process.default_heap_size = "20MB" ' Occlum.json)" && \
 echo "${new_json}" > Occlum.json
 
 # 2. Copy program into Occlum Workspace and build

demos/golang/grpc_pingpong/run_pong_on_occlum.sh

@@ -19,10 +19,7 @@ occlum init
 new_json="$(jq '.resource_limits.user_space_size = "1MB" |
 	.resource_limits.user_space_max_size = "800MB" |
 	.resource_limits.kernel_space_heap_size="1MB" |
-	.resource_limits.kernel_space_heap_max_size="40MB" |
+	.resource_limits.kernel_space_heap_max_size="80MB" ' Occlum.json)" && \
-	.resource_limits.kernel_space_stack_size="1MB" |
-	.process.default_stack_size = "1MB" |
-	.process.default_heap_size = "20MB" ' Occlum.json)" && \
 echo "${new_json}" > Occlum.json
 
 # 2. Copy program into Occlum Workspace and build

demos/golang/web_server/README.md

@@ -2,24 +2,18 @@
 
 This project demonstrates how Occlum enables [Golang](https://golang.org) programs running in SGX enclaves, the demo program is a HTTP web server based on a widely used web framework([Gin](https://gin-gonic.com)) for Go.
 
-Step 1: Install Gin with `occlum-go`, it may take a few minutes
+Step 1: Install Gin and build Golang web server with `occlum-go`
 ```
-occlum-go mod init web_server && \
+./build.sh
-occlum-go get -u -v github.com/gin-gonic/gin
 ```
 
-Step 2: Build the Golang web server using the Occlum Golang toolchain(i.e., `occlum-go`)
+Step 2: You can run the web server demo on Occlum via
-```
-occlum-go build -o web_server ./web_server.go
-```
-
-Step 3: You can run the web server demo on Occlum via
 ```
 ./run_golang_on_occlum.sh
 ```
 The HTTP web server should now start to listen on port 8090 and serve HTTP requests.
 
-Step 4: To check whether the HTTP server works, run
+Step 3: To check whether the HTTP server works, run
 ```
 curl http://127.0.0.1:8090/ping
 ```

demos/golang/web_server/build.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+rm -f go.mod
+occlum-go mod init web_server
+occlum-go mod tidy
+occlum-go get -u -v github.com/gin-gonic/gin
+occlum-go get -u -v golang.org/x/crypto@v0.23.0
+
+occlum-go build -o web_server ./web_server.go

demos/paddlepaddle/install_python_with_conda.sh

@@ -21,19 +21,7 @@ sed -i "186 i \    elif sysstr == 'occlum':\n        return True" $CORE_PY
 sed -ie "37,64d" $IMAGE_PY
 sed -i "37 i \try:\n    import cv2\nexcept ImportError:\n     cv2 = None" $IMAGE_PY
 
+
 # Download the dataset
-DATASET=$script_dir/mnist
+git clone https://github.com/fgnt/mnist.git
 
-[ -d $DATASET ] && exit 0
-
-TRAIN_IMAGE=train-images-idx3-ubyte.gz
-TRAIN_LABEL=train-labels-idx1-ubyte.gz
-TEST_IMAGE=t10k-images-idx3-ubyte.gz
-TEST_LABEL=t10k-labels-idx1-ubyte.gz
-URL=http://yann.lecun.com/exdb/mnist
-
-mkdir $DATASET
-wget $URL/$TRAIN_IMAGE -P $DATASET
-wget $URL/$TRAIN_LABEL -P $DATASET
-wget $URL/$TEST_IMAGE  -P $DATASET
-wget $URL/$TEST_LABEL  -P $DATASET

demos/python/flask/install_python_with_conda.sh

@@ -8,7 +8,7 @@ script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}"  )" >/dev/null 2>&1 && pwd )"
 # 2. Install python and dependencies to specified position
 [ -f Miniconda3-latest-Linux-x86_64.sh ] || wget https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh
 [ -d miniconda ] || bash ./Miniconda3-latest-Linux-x86_64.sh -b -p $script_dir/miniconda
-$script_dir/miniconda/bin/conda create --prefix $script_dir/python-occlum -y python=3.9.11 flask=2.2.2 flask-restful=0.3.9 jinja2=3.1.2  werkzeug
+$script_dir/miniconda/bin/conda create --prefix $script_dir/python-occlum -y python=3.9.11 flask=2.2.2 flask-restful=0.3.9 jinja2=3.1.2  werkzeug=2.3
 
 # 3. Remove miniconda and installation scripts
 rm -rf ./Miniconda3-latest-Linux-x86_64.sh $script_dir/miniconda

src/libos/Cargo.lock

@@ -12,6 +12,7 @@ dependencies = [
  "bitvec 1.0.1",
  "ctor",
  "derive_builder",
+ "errno",
  "goblin",
  "intrusive-collections",
  "itertools",
@@ -38,6 +39,7 @@ dependencies = [
  "sgx_tstd",
  "sgx_types",
  "spin 0.7.1",
+ "vdso-time",
 ]
 
 [[package]]
@@ -207,6 +209,16 @@ version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "90e5c1c8368803113bf0c9584fc495a58b86dc8a29edbf8fe877d21d9507e797"
 
+[[package]]
+name = "errno"
+version = "0.1.0"
+dependencies = [
+ "log",
+ "rcore-fs",
+ "serde_json",
+ "sgx_tstd",
+]
+
 [[package]]
 name = "fnv"
 version = "1.0.7"
@@ -809,6 +821,20 @@ dependencies = [
  "rand",
 ]
 
+[[package]]
+name = "vdso-time"
+version = "0.1.0"
+dependencies = [
+ "cfg-if",
+ "errno",
+ "lazy_static",
+ "log",
+ "sgx_libc",
+ "sgx_trts",
+ "sgx_tstd",
+ "sgx_types",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"

src/libos/Cargo.toml

@@ -41,7 +41,7 @@ modular-bitfield = "0.11.2"
 sgx_tstd = { path = "../../deps/rust-sgx-sdk/sgx_tstd" }
 
 [features]
-default = ["integrity_only_opt", "sgx_file_cache", "sgx1_exception_sim"]
+default = ["integrity_only_opt", "sgx_file_cache", "sgx1_exception_sim", "kernel_heap_monitor"]
 syscall_timing = []     # Timing for each syscall. But it has cost from more ocall.
 integrity_only_opt = [] # Clear bss only. It should be disabled if checking memory reads.
 sgx_file_cache = []     # Cache SgxFile objects. Invalidation is unimplemented.

tools/toolchains/dcap_lib/inc/occlum_dcap.h

@@ -8,18 +8,19 @@
 #include "sgx_qve_header.h"
 
 #ifdef __cplusplus
-extern "C" {
+extern "C"
+{
 #endif
 
-void *dcap_quote_open(void);
+  void *dcap_quote_open(void);
 
-uint32_t dcap_get_quote_size(void *handle);
+  uint32_t dcap_get_quote_size(void *handle);
 
-int32_t dcap_generate_quote(void *handle, uint8_t *quote_buf, const sgx_report_data_t *report_data);
+  int32_t dcap_generate_quote(void *handle, uint8_t *quote_buf, const sgx_report_data_t *report_data);
 
-uint32_t dcap_get_supplemental_data_size(void *handle);
+  uint32_t dcap_get_supplemental_data_size(void *handle);
 
-int32_t dcap_verify_quote(void *handle,
+  int32_t dcap_verify_quote(void *handle,
                             const uint8_t *quote_buf,
                             uint32_t quote_size,
                             uint32_t *collateral_expiration_status,
@@ -27,12 +28,12 @@ int32_t dcap_verify_quote(void *handle,
                             uint32_t supplemental_data_size,
                             uint8_t *supplemental_data);
 
+  // int32_t dcap_generate_key(void *handle, sgx_key_128bit_t *key, const sgx_key_request_t *key_request);
 
-void dcap_quote_close(void *handle);
+  void dcap_quote_close(void *handle);
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif
-

tools/toolchains/dcap_lib/src/lib.rs

@@ -67,17 +67,39 @@ pub extern "C" fn dcap_verify_quote(
     let dcap = unsafe { &mut *(handle as *mut DcapQuote) };
 
     let mut verify_arg = IoctlVerDCAPQuoteArg {
-        quote_buf: quote_buf,
+        quote_buf,
-        quote_size: quote_size,
+        quote_size,
-        collateral_expiration_status: collateral_expiration_status,
+        collateral_expiration_status,
-        quote_verification_result: quote_verification_result,
+        quote_verification_result,
-        supplemental_data_size: supplemental_data_size,
+        supplemental_data_size,
-        supplemental_data: supplemental_data,
+        supplemental_data,
     };
 
     dcap.verify_quote(&mut verify_arg).unwrap_or(-1)
 }
 
+/*
+#[no_mangle]
+pub extern "C" fn dcap_generate_key(
+    handle: *mut c_void,
+    key: *mut sgx_key_128bit_t,
+    key_request: *const sgx_key_request_t,
+) -> i32 {
+    if handle.is_null() {
+        return -1;
+    }
+
+    let dcap = unsafe { &mut *(handle as *mut DcapQuote) };
+
+    let mut key_arg = IoctlGetKeyArg {
+        key_request,
+        key
+    };
+
+    dcap.generate_key(&mut key_arg).unwrap_or(-1)
+}
+ */
+
 #[no_mangle]
 pub extern "C" fn dcap_quote_close(handle: *mut c_void) {
     if handle.is_null() {

tools/toolchains/dcap_lib/src/occlum_dcap.rs

@@ -5,6 +5,7 @@ const SGXIOC_GET_DCAP_QUOTE_SIZE: u64 = 0x80047307;
 const SGXIOC_GEN_DCAP_QUOTE: u64 = 0xc0187308;
 const SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = 0x80047309;
 const SGXIOC_VER_DCAP_QUOTE: u64 = 0xc030730a;
+// const SGXIOC_CMD_NUM_KEY: u64 = 0xc010730b;
 
 cfg_if::cfg_if! {
     if #[cfg(target_env = "musl")] {
@@ -12,11 +13,13 @@ cfg_if::cfg_if! {
         const IOCTL_GEN_DCAP_QUOTE: i32 = SGXIOC_GEN_DCAP_QUOTE as i32;
         const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: i32 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE as i32;
         const IOCTL_VER_DCAP_QUOTE: i32 = SGXIOC_VER_DCAP_QUOTE as i32;
+        // const IOCTL_CMD_NUM_KEY: i32 = SGXIOC_CMD_NUM_KEY as i32;
     } else {
         const IOCTL_GET_DCAP_QUOTE_SIZE: u64 = SGXIOC_GET_DCAP_QUOTE_SIZE;
         const IOCTL_GEN_DCAP_QUOTE: u64 = SGXIOC_GEN_DCAP_QUOTE;
         const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE;
         const IOCTL_VER_DCAP_QUOTE: u64 = SGXIOC_VER_DCAP_QUOTE;
+        // const IOCTL_CMD_NUM_KEY: u64 = SGXIOC_CMD_NUM_KEY;
     }
 }
 
@@ -41,6 +44,16 @@ pub struct IoctlVerDCAPQuoteArg {
     pub supplemental_data: *mut u8,                         // Output (optional)
 }
 
+/*
+// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
+//#[allow(dead_code)]
+#[repr(C)]
+pub struct IoctlGetKeyArg {
+    pub key_request: *const sgx_key_request_t, // Input
+    pub key: *mut sgx_key_128bit_t,            // Output
+}
+ */
+
 pub struct DcapQuote {
     fd: c_int,
     quote_size: u32,
@@ -122,6 +135,19 @@ impl DcapQuote {
         }
     }
 
+    /*
+    pub fn generate_key(&mut self, key_arg: *mut IoctlGetKeyArg) -> Result<i32, Error> {
+        let ret = unsafe { libc::ioctl(self.fd, IOCTL_CMD_NUM_KEY, key_arg) };
+        if ret < 0 {
+            let os_err = Error::last_os_error();
+            println!("OS error: {os_err:?}");
+            Err(os_err)
+        } else {
+            Ok(0)
+        }
+    }
+     */
+
     pub fn close(&mut self) {
         unsafe { libc::close(self.fd) };
     }

tools/toolchains/dcap_lib/src/prelude.rs

@@ -4,5 +4,9 @@ pub use std::io::Error;
 
 // Defined in "occlum/deps/rust-sgx-sdk/sgx_types"
 pub use sgx_types::{
-    sgx_ql_qv_result_t, sgx_quote3_t, sgx_quote_header_t, sgx_report_body_t, sgx_report_data_t,
+    sgx_ql_qv_result_t,
+    sgx_quote3_t,
+    sgx_quote_header_t,
+    sgx_report_body_t,
+    sgx_report_data_t, // sgx_key_request_t, sgx_key_128bit_t,
 };

tools/toolchains/utils_lib/Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "occlum_utils"
+version = "0.1.0"
+authors = ["Zheng, Qi <huaiqing.zq@antgroup.com>"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+sgx_types = { path = "../../../deps/rust-sgx-sdk/sgx_types" }
+libc = "0.2"
+cfg-if = "1.0.0"
+
+[lib]
+crate-type = ["cdylib", "rlib", "staticlib"]
+
+
+[[example]]
+name = "generate_key"
+
+[dev-dependencies]
+occlum_dcap = { path = "../dcap_lib" }

tools/toolchains/utils_lib/build.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+INSTALL_DIR=/opt/occlum/toolchains/utils_lib
+SONAME=libocclum_utils.so.0.1.0
+
+function build_lib() {
+    if [[ $1 == "musl" ]]; then
+        echo "*** Build and install musl-libc utils ***"
+        CARGO=occlum-cargo
+        TARGET_PATH=target/x86_64-unknown-linux-musl/release
+        LIB_PATH=${INSTALL_DIR}/musl/
+    else
+        echo "*** Build and install glibc utils ***"
+        CARGO=cargo
+        TARGET_PATH=target/release
+        LIB_PATH=${INSTALL_DIR}/glibc/
+    fi
+
+    # cargo build libs and rust example
+    $CARGO clean
+    $CARGO rustc --release  -- -Clink-arg=-Wl,-soname,$SONAME
+    $CARGO build --release  --examples
+
+    # Copy files
+    mkdir -p ${LIB_PATH}
+    cp ${TARGET_PATH}/libocclum_utils.a ${LIB_PATH}
+    # cp ${TARGET_PATH}/examples/generate_key ${LIB_PATH}  # Not used as library
+
+    # Create SO links
+    pushd ${TARGET_PATH}
+    strip libocclum_utils.so
+    mv libocclum_utils.so $SONAME
+    ln -s $SONAME libocclum_utils.so
+    popd
+    cp -Pf ${TARGET_PATH}/libocclum_utils.so* ${LIB_PATH}
+}
+
+build_lib musl
+build_lib glibc
+
+cp -r inc ${INSTALL_DIR}/

tools/toolchains/utils_lib/examples/generate_key.rs

@@ -0,0 +1,64 @@
+use occlum_utils::*;
+use sgx_types::{
+    sgx_attributes_t, sgx_key_id_t, sgx_misc_select_t, SGX_KEYPOLICY_MRSIGNER, SGX_KEYSELECT_SEAL,
+    SGX_KEY_REQUEST_RESERVED2_BYTES, TSEAL_DEFAULT_FLAGSMASK, TSEAL_DEFAULT_MISCMASK,
+};
+
+use occlum_dcap::{sgx_quote_header_t, sgx_report_body_t, sgx_report_data_t, DcapQuote};
+
+fn main() {
+    let handle = utils_ioctl_open();
+
+    let dcap_handle = unsafe { &mut *(handle as *mut DcapQuote) };
+
+    let quote_size = dcap_handle.get_quote_size().unwrap_or_default();
+
+    let mut quote_buf: Vec<u8> = vec![0; quote_size as usize];
+    let report_str = "utils demo sample";
+
+    let mut report_data = sgx_report_data_t::default();
+    report_data.d[..report_str.len()].copy_from_slice(report_str.as_bytes());
+
+    let report_data = report_data as sgx_report_data_t;
+
+    let _ = dcap_handle
+        .generate_quote(quote_buf.as_mut_ptr(), &report_data)
+        .unwrap();
+
+    println!("===============================");
+
+    dbg!(&quote_buf);
+
+    let report_body_offset = std::mem::size_of::<sgx_quote_header_t>();
+    let report_body: *const sgx_report_body_t = (quote_buf[report_body_offset..]).as_ptr() as _;
+    let report_body: sgx_report_body_t = unsafe { *report_body };
+
+    let key_policy = SGX_KEYPOLICY_MRSIGNER;
+
+    let attribute_mask = sgx_attributes_t {
+        flags: TSEAL_DEFAULT_FLAGSMASK,
+        xfrm: 0,
+    };
+
+    let misc_mask: sgx_misc_select_t = TSEAL_DEFAULT_MISCMASK;
+
+    let key_id = sgx_key_id_t::default();
+
+    let mut key = sgx_key_128bit_t::default();
+    let key_request = sgx_key_request_t {
+        key_name: SGX_KEYSELECT_SEAL,
+        key_policy,
+        isv_svn: report_body.isv_svn,
+        reserved1: 0_u16,
+        cpu_svn: report_body.cpu_svn,
+        attribute_mask,
+        key_id,
+        misc_mask,
+        config_svn: report_body.config_svn,
+        reserved2: [0_u8; SGX_KEY_REQUEST_RESERVED2_BYTES],
+    };
+
+    utils_gen_key(handle, &mut key, &key_request);
+
+    dbg!(&key);
+}

tools/toolchains/utils_lib/inc/occlum_utils.h

@@ -0,0 +1,25 @@
+#ifndef _OCCLUM_UTILS_H
+#define _OCCLUM_UTILS_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "sgx_report.h"
+#include "sgx_qve_header.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+  void *utils_ioctl_open(void);
+
+  int32_t utils_gen_key(void *handle, sgx_key_128bit_t *key, const sgx_key_request_t *key_request);
+
+  void utils_ioctl_close(void *handle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

tools/toolchains/utils_lib/rust-toolchain

@@ -0,0 +1 @@
+nightly-2022-10-22

tools/toolchains/utils_lib/src/lib.rs

@@ -0,0 +1,42 @@
+mod occlum_utils;
+mod prelude;
+
+pub use crate::occlum_utils::*;
+pub use crate::prelude::*;
+
+#[no_mangle]
+pub extern "C" fn utils_ioctl_open() -> *mut c_void {
+    if let Ok(fd) = UtilsIoctl::new() {
+        Box::into_raw(Box::new(fd)) as *mut c_void
+    } else {
+        std::ptr::null_mut::<u8>() as *mut c_void
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn utils_gen_key(
+    handle: *mut c_void,
+    key: *mut sgx_key_128bit_t,
+    key_request: *const sgx_key_request_t,
+) -> i32 {
+    if handle.is_null() {
+        return -1;
+    }
+
+    let ioctl_dev = unsafe { &mut *(handle as *mut UtilsIoctl) };
+
+    let mut key_arg = IoctlGetKeyArg { key_request, key };
+
+    ioctl_dev.generate_key(&mut key_arg).unwrap_or(-1)
+}
+
+#[no_mangle]
+pub extern "C" fn utils_ioctl_close(handle: *mut c_void) {
+    if handle.is_null() {
+        return;
+    }
+
+    let ioctl_dev = unsafe { &mut *(handle as *mut UtilsIoctl) };
+
+    ioctl_dev.close();
+}

tools/toolchains/utils_lib/src/occlum_utils.rs

@@ -0,0 +1,59 @@
+use crate::prelude::*;
+use std::ffi::CString;
+
+const SGXIOC_CMD_NUM_KEY: u64 = 0xc010730b;
+
+cfg_if::cfg_if! {
+    if #[cfg(target_env = "musl")] {
+        const IOCTL_CMD_NUM_KEY: i32 = SGXIOC_CMD_NUM_KEY as i32;
+    } else {
+        const IOCTL_CMD_NUM_KEY: u64 = SGXIOC_CMD_NUM_KEY;
+    }
+}
+
+// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
+#[repr(C)]
+pub struct IoctlGetKeyArg {
+    pub key_request: *const sgx_key_request_t, // Input
+    pub key: *mut sgx_key_128bit_t,            // Output
+}
+
+pub struct UtilsIoctl {
+    fd: c_int,
+    // for backward compatibility with DcapQuote
+    _quote_size: u32,
+    _supplemental_size: u32,
+}
+
+impl UtilsIoctl {
+    pub fn new() -> Result<Self, Error> {
+        let path = CString::new("/dev/sgx").unwrap();
+        let fd = unsafe { libc::open(path.as_ptr(), O_RDONLY) };
+        if fd > 0 {
+            Ok(Self {
+                fd,
+                _quote_size: 0,
+                _supplemental_size: 0,
+            })
+        } else {
+            let os_err = Error::last_os_error();
+            println!("OS error: {os_err:?}");
+            Err(os_err)
+        }
+    }
+
+    pub(crate) fn generate_key(&mut self, key_arg: *mut IoctlGetKeyArg) -> Result<i32, Error> {
+        let ret = unsafe { libc::ioctl(self.fd, IOCTL_CMD_NUM_KEY, key_arg) };
+        if ret < 0 {
+            let os_err = Error::last_os_error();
+            println!("OS error: {os_err:?}");
+            Err(os_err)
+        } else {
+            Ok(0)
+        }
+    }
+
+    pub fn close(&mut self) {
+        unsafe { libc::close(self.fd) };
+    }
+}

tools/toolchains/utils_lib/src/prelude.rs

@@ -0,0 +1,6 @@
+pub use libc::{c_int, c_void, close, ioctl, open, O_RDONLY};
+pub use std::boxed::Box;
+pub use std::io::Error;
+
+// Defined in "occlum/deps/rust-sgx-sdk/sgx_types"
+pub use sgx_types::{sgx_key_128bit_t, sgx_key_request_t};