Update README

fixed occlum_utils library installation scripts
correct repository clone URL

.github/workflows/composite_action/hw/action.yml

@@ -87,6 +87,10 @@ runs:
     - name: Configure Occlum features
       run: |
         if [[ "${{ matrix.self_runner[2] }}" == "EDMM" ]]; then
-          docker exec ${{ env.CONTAINER_NAME }} bash -c "jq '.feature.enable_posix_shm = true | .feature.enable_edmm = true' /opt/occlum/etc/template/Occlum.json > /tmp.json && mv /tmp.json /opt/occlum/etc/template/Occlum.json"
+          if [[ "${{ matrix.self_runner[3] }}" == "IO_Uring" ]]; then
+            docker exec ${{ env.CONTAINER_NAME }} bash -c "jq '.feature.enable_posix_shm = true | .feature.enable_edmm = true | .feature.io_uring = 1' /opt/occlum/etc/template/Occlum.json > /tmp.json && mv /tmp.json /opt/occlum/etc/template/Occlum.json";
+          else
+            docker exec ${{ env.CONTAINER_NAME }} bash -c "jq '.feature.enable_posix_shm = true | .feature.enable_edmm = true' /opt/occlum/etc/template/Occlum.json > /tmp.json && mv /tmp.json /opt/occlum/etc/template/Occlum.json";
+          fi;
         fi;
       shell: bash

.github/workflows/composite_action/sim/action.yml

@@ -25,7 +25,7 @@ runs:
       shell: bash
 
     - name: Create container
-      run: docker run -itd --name=${{ inputs.container-name }} -v $GITHUB_WORKSPACE:/root/occlum occlum/occlum:${{ env.OCCLUM_VERSION }}-${{ inputs.os }}
+      run: docker run -itd --name=${{ inputs.container-name }} --privileged -v $GITHUB_WORKSPACE:/root/occlum occlum/occlum:${{ env.OCCLUM_VERSION }}-${{ inputs.os }}
       shell: bash
 
     - uses: ./.github/workflows/composite_action/prebuild
@@ -40,6 +40,14 @@ runs:
       run: docker exec ${{ inputs.container-name }} bash -c "source /opt/intel/sgxsdk/environment; cd /root/occlum; ${{ inputs.build-envs}} make install"
       shell: bash
     
+    # When there comes new features, the configuration should be enabled accordingly
+    - name: Configure Occlum features
+      run: |
+        if [[ "${{ matrix.features }}" == "IO_Uring" ]]; then
+          docker exec ${{ inputs.container-name }} bash -c "jq '.feature.io_uring = 1' /opt/occlum/etc/template/Occlum.json > /tmp.json && mv /tmp.json /opt/occlum/etc/template/Occlum.json";
+        fi;
+      shell: bash
+    
     - name: Remove occlum installation package
       run: docker exec ${{ inputs.container-name }} bash -c "cd /root/occlum; rm -rf ./build; rm -rf ./src; rm -rf ./deps"
       shell: bash

.github/workflows/demo_test.yml

@@ -14,6 +14,9 @@ concurrency:
 jobs:
   C_cpp_rust_golang_embedded_mode_support_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -112,6 +115,9 @@ jobs:
 
   Java_support_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -146,6 +152,9 @@ jobs:
 
   Fish_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -177,6 +186,9 @@ jobs:
 
   Bazel_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -213,6 +225,9 @@ jobs:
 
   Https_server_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -246,6 +261,9 @@ jobs:
 
   Local_attestation_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -275,6 +293,9 @@ jobs:
 
   Sqlite_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -303,6 +324,9 @@ jobs:
 
   Xgboost_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -334,6 +358,9 @@ jobs:
 
   Tensorflow_lite_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -365,6 +392,9 @@ jobs:
 
   Pytorch_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -393,6 +423,9 @@ jobs:
 
   Distributed_Pytorch_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -431,6 +464,9 @@ jobs:
 
   Tensorflow_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -460,6 +496,9 @@ jobs:
 # Below tests needs test image to run faster
   Grpc_musl_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -504,6 +543,9 @@ jobs:
 
   Grpc_glibc_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -552,6 +594,9 @@ jobs:
 
   Grpc_tls_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -593,6 +638,9 @@ jobs:
 
   Openvino_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -630,6 +678,9 @@ jobs:
   # Python test also needs its own image because in Alpine environment, modules are built locally and consumes a lot of time.
   Python_musl_support_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -670,6 +721,9 @@ jobs:
   # Python glibc support test
   Python_glibc_support_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -706,6 +760,9 @@ jobs:
   # Redis test
   Redis_support_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -745,6 +802,9 @@ jobs:
 
   Flink_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -797,6 +857,9 @@ jobs:
 
   Cluster_serving_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -825,6 +888,9 @@ jobs:
 
   Enclave_RA_TLS_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -859,6 +925,9 @@ jobs:
 
   Vault_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -896,6 +965,9 @@ jobs:
 
   Sofaboot_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -936,6 +1008,9 @@ jobs:
 
   Netty_UT_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -962,11 +1037,23 @@ jobs:
     - name: Run netty unit test demo
       run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/netty_ut && SGX_MODE=SIM ./run_netty_ut_jdk8.sh"
 
+    - name: Check netty unit demo results
+      run: |
+        if [[ "${{ matrix.features }}" == "IO_Uring" ]]; then
+          docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/netty_ut && cat netty-test-heap512m.log | grep '189 tests successful'";
+        else
+          docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/netty_ut && cat netty-test-heap512m.log | grep '190 tests successful'";
+        fi
+      shell: bash
+
     - name: Clean Netty test
       run: docker exec ${{ github.job }} bash -c "cd /root/occlum/demos && rm -rf ./netty_ut"
 
   Bash_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -995,6 +1082,9 @@ jobs:
 
   Sysbench_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1027,6 +1117,9 @@ jobs:
 
   Gvisor_syscalls_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1062,10 +1155,19 @@ jobs:
       run: docker exec $gvisor_test bash -c "git clone https://github.com/occlum/gvisor.git"
 
     - name: Run gvisor syscall test
-      run: docker exec $gvisor_test bash -c "cd /root/gvisor/occlum && SGX_MODE=SIM ./run_occlum_passed_tests.sh"
+      run: |
+        if [[ "${{ matrix.features }}" == "IO_Uring" ]]; then
+          docker exec $gvisor_test bash -c "cd /root/gvisor/occlum && SGX_MODE=SIM ./run_occlum_passed_tests.sh uring";
+        else
+          docker exec $gvisor_test bash -c "cd /root/gvisor/occlum && SGX_MODE=SIM ./run_occlum_passed_tests.sh";
+        fi;
+      shell: bash
 
   Flask_tls_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1108,6 +1210,9 @@ jobs:
 
   Iperf2_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1143,6 +1248,9 @@ jobs:
 
   Linux_LTP_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1175,6 +1283,9 @@ jobs:
 
   FIO_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1203,6 +1314,9 @@ jobs:
 
   PaddlePaddle_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1231,6 +1345,9 @@ jobs:
 
   RuntimeBoot_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1259,6 +1376,9 @@ jobs:
 
   Swtpm_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - name: Remove unnecessary files
       run: |
@@ -1293,6 +1413,9 @@ jobs:
 
   Filebench_test:
     runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        features: [Legacy, IO_Uring]
     steps:
     - uses: actions/checkout@v1
       with:

.github/workflows/hw_mode_test.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -80,7 +80,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -179,7 +179,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, PKU]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring, PKU]]
 
     steps:
     - name: Clean before running
@@ -220,7 +220,7 @@ jobs:
 
     - name: Run hello PKU
       run: |
-        if [[ "${{ matrix.self_runner[3] }}" == "PKU" ]]; then
+        if [[ "${{ matrix.self_runner[4] }}" == "PKU" ]]; then
           docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/java && ./run_java_on_occlum.sh hello_pku"
         else
           echo "Skip PKU test"
@@ -237,7 +237,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -289,7 +289,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -336,7 +336,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -383,7 +383,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -427,7 +427,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -505,7 +505,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -580,7 +580,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -677,7 +677,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -741,8 +741,15 @@ jobs:
     - name: Clone gvisor code
       run: docker exec $gvisor_test bash -c "git clone https://github.com/occlum/gvisor.git"
 
+
     - name: Run gvisor syscall test
-      run: docker exec $gvisor_test bash -c "cd /root/gvisor/occlum; ./run_occlum_passed_tests.sh"
+      run: |
+        if [[ "${{ matrix.self_runner[3] }}" == "IO_Uring" ]]; then
+          docker exec $gvisor_test bash -c "cd /root/gvisor/occlum; ./run_occlum_passed_tests.sh uring";
+        else
+          docker exec $gvisor_test bash -c "cd /root/gvisor/occlum; ./run_occlum_passed_tests.sh";
+        fi;
+      shell: bash
 
     - name: Clean the environment
       if: ${{ always() }}
@@ -834,7 +841,7 @@ jobs:
     strategy:
       matrix:
         # Tensorflow serving test requires AVX512 instruction support. Only the SGX2-HW machine has support for that.
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -920,7 +927,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -960,7 +967,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -1014,7 +1021,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -1069,7 +1076,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -1117,7 +1124,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -1153,6 +1160,15 @@ jobs:
     - name: Run netty unit test demo
       run: docker exec ${{ env.CONTAINER_NAME }} bash -c "cd /root/occlum/demos/netty_ut && ./run_netty_ut_jdk8.sh"
     
+    - name: Check netty unit demo results
+      run: |
+        if [[ "${{ matrix.self_runner[3] }}" == "IO_Uring" ]]; then
+          docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/netty_ut && cat netty-test-heap512m.log | grep '189 tests successful'";
+        else
+          docker exec ${{ github.job }} bash -c "cd /root/occlum/demos/netty_ut && cat netty-test-heap512m.log | grep '190 tests successful'";
+        fi
+      shell: bash
+
     - name: Clean the environment
       if: ${{ always() }}
       run: docker stop ${{ env.CONTAINER_NAME }}
@@ -1163,7 +1179,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running
@@ -1198,7 +1214,7 @@ jobs:
     runs-on: ${{ matrix.self_runner }}
     strategy:
       matrix:
-        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM]]
+        self_runner: [[self-hosted, SGX2-HW], [self-hosted, SGX2-HW, EDMM, IO_Uring]]
 
     steps:
     - name: Clean before running

.github/workflows/package_repo_setup_and_test.yml

@@ -149,25 +149,25 @@ jobs:
         aptly -no-remove snapshot merge focal-main focal-old focal-new
         aptly publish snapshot -distribution=focal focal-main
 
-    # - name: Update apt repo for Ubuntu 22.04
+    - name: Update apt repo for Ubuntu 22.04
-    #   run: |
-    #     export PATH=/usr/local/bin/aptly_1.5.0_linux_amd64:$PATH
-    #     aptly -architectures="amd64" -keyring=/etc/apt/trusted.gpg mirror create jammy-mirror https://occlum.io/occlum-package-repos/debian jammy main
-    #     aptly -keyring=/etc/apt/trusted.gpg mirror update jammy-mirror
-    #     aptly snapshot create jammy-old from mirror jammy-mirror
-    #     aptly -distribution='jammy' -architectures=amd64 repo create deb-jammy-new
-    #     aptly repo add deb-jammy-new $GITHUB_WORKSPACE/jammy-debs/*
-    #     aptly snapshot create jammy-new from repo deb-jammy-new
-    #     aptly -no-remove snapshot merge jammy-main jammy-old jammy-new
-    #     aptly publish snapshot -distribution=jammy jammy-main
-
-    - name: Update apt repo for Ubuntu 22.04 for first time
       run: |
         export PATH=/usr/local/bin/aptly_1.5.0_linux_amd64:$PATH
+        aptly -architectures="amd64" -keyring=/etc/apt/trusted.gpg mirror create jammy-mirror https://occlum.io/occlum-package-repos/debian jammy main
+        aptly -keyring=/etc/apt/trusted.gpg mirror update jammy-mirror
+        aptly snapshot create jammy-old from mirror jammy-mirror
         aptly -distribution='jammy' -architectures=amd64 repo create deb-jammy-new
         aptly repo add deb-jammy-new $GITHUB_WORKSPACE/jammy-debs/*
         aptly snapshot create jammy-new from repo deb-jammy-new
-        aptly publish snapshot -distribution=jammy jammy-new
+        aptly -no-remove snapshot merge jammy-main jammy-old jammy-new
+        aptly publish snapshot -distribution=jammy jammy-main
+
+    # - name: Update apt repo for Ubuntu 22.04 for first time
+    #   run: |
+    #     export PATH=/usr/local/bin/aptly_1.5.0_linux_amd64:$PATH
+    #     aptly -distribution='jammy' -architectures=amd64 repo create deb-jammy-new
+    #     aptly repo add deb-jammy-new $GITHUB_WORKSPACE/jammy-debs/*
+    #     aptly snapshot create jammy-new from repo deb-jammy-new
+    #     aptly publish snapshot -distribution=jammy jammy-new
 
     - name: Update Git repo
       run: |

.gitignore

@@ -6,3 +6,9 @@ build/
 .DS_Store
 src/libos/target/
 tools/toolchains/dcap_lib/target/
+
+# Added by DeTEE
+**/target
+**/Cargo.lock
+.idea
+

README.md

@@ -64,3 +64,27 @@ Thanks go to [all these wonderful contributors to this project](CONTRIBUTORS.md)
 ## License
 
 Occlum is released under BSD License. See the copyright information [here](LICENSE).
+
+## DeTEE
+
+Occlum is a part of the DeTEE project. DeTEE is a research project that aims to provide a secure and efficient computing environment for data-intensive applications.
+
+```bash
+# Run the occlum ubuntu 20.04 docker container
+docker run --device /dev/sgx/enclave --device /dev/sgx/provision --rm --name valytest -it -v /home/vfaychuk:/root/vfaychuk occlum/occlum:latest-ubuntu20.04
+# inside the container run the following commands
+apt update && apt install -y ssh-client
+mkdir -p /root/.ssh && vim /root/.ssh/config
+#Host gitea.detee.cloud
+#     IdentityFile ~/.ssh/gitea_ed25519
+vim /root/.ssh/gitea_ed25519
+# put the server private key to download the repo
+chown -R root:root /root/.ssh
+chmod 600 /root/.ssh/gitea_ed25519
+ssh-keyscan -H gitea.detee.cloud > ~/.ssh/known_hosts
+git clone git@gitea.detee.cloud:SGX/occlum.git
+cd occlum && make submodule
+cd tools/toolchains/utils_lib/
+# following command installs the utils library which can derive sealing key of the enclave
+./build.sh
+```

demos/netty_ut/run_netty_ut_jdk8.sh

@@ -50,7 +50,6 @@ run_netty_ut() {
         -cp /usr/lib/netty/netty-testsuite-4.1.51.Final.jar:/usr/lib/netty/netty-all-4.1.51.Final.jar:/usr/lib/netty/xz-1.5.jar:/usr/lib/netty/hamcrest-library-1.3.jar:/usr/lib/netty/logback-classic-1.1.7.jar \
         --scan-class-path > netty-test-heap512m.log || true
     cat netty-test-heap512m.log
-    cat netty-test-heap512m.log | grep "190 tests successful"
 }       
 
 run_netty_ut

deps/rust-sgx-sdk

@@ -1 +1 @@
-Subproject commit 81384ce4d10c67eea5e1ba4ea332087940c1836b
+Subproject commit 67af3f726726c27d6207e8da8b92922f4b513137

deps/sefs

@@ -1 +1 @@
-Subproject commit a4b47b5ac8204f7b1f74a58493a7a6b408c7cf35
+Subproject commit 30bc4e02c153c092eca37affdb9c7610411a377f

deps/sefs-cli_hyper.patch

@@ -1,5 +1,17 @@
+From 21b67e210670f6c7cb7e88d9900699ac52b0c3b1 Mon Sep 17 00:00:00 2001
+From: ClawSeven <zehuan97@gmail.com>
+Date: Tue, 23 Jul 2024 10:47:12 +0800
+Subject: [PATCH] Adapt hyper patch with updated sdk
+
+---
+ sefs-cli/Makefile                   | 42 ++++++++++++++++++++---------
+ sefs-cli/app/build.rs               |  4 +++
+ sefs-cli/enclave/Enclave.config.xml |  1 +
+ sefs-cli/enclave/Enclave.lds        |  3 +++
+ 4 files changed, 38 insertions(+), 12 deletions(-)
+
 diff --git a/sefs-cli/Makefile b/sefs-cli/Makefile
-index f0eeb8c..8c6fae0 100644
+index f0eeb8c..50b9917 100644
 --- a/sefs-cli/Makefile
 +++ b/sefs-cli/Makefile
 @@ -14,13 +14,19 @@ endif
@@ -31,12 +43,14 @@ index f0eeb8c..8c6fae0 100644
  ######## Enclave Settings ########
  
 -ifneq ($(SGX_MODE), HW)
+-	Trts_Library_Name := sgx_trts_sim
+-	Service_Library_Name := sgx_tservice_sim
 +ifeq ($(SGX_MODE), HW)
 +	Trts_Library_Name := sgx_trts
 +	Service_Library_Name := sgx_tservice
 +else ifeq ($(SGX_MODE), SIM)
- 	Trts_Library_Name := sgx_trts_sim
++   Trts_Library_Name := sgx_trts_sim
- 	Service_Library_Name := sgx_tservice_sim
++   Service_Library_Name := sgx_tservice_sim
 +else ifeq ($(SGX_MODE), HYPER)
 +	Trts_Library_Name := sgx_trts_hyper
 +	Service_Library_Name := sgx_tservice_hyper
@@ -48,12 +62,14 @@ index f0eeb8c..8c6fae0 100644
  	-Wl,--version-script=enclave/Enclave.lds
  
 -ifneq ($(SGX_MODE), HW)
+-	RustEnclave_Name := lib/libsefs-cli_sim.so
+-	App_Name := bin/sefs-cli_sim
 +ifeq ($(SGX_MODE), HW)
 +	RustEnclave_Name := lib/libsefs-cli.so
 +	App_Name := bin/sefs-cli
 +else ifeq ($(SGX_MODE), SIM)
- 	RustEnclave_Name := lib/libsefs-cli_sim.so
++   RustEnclave_Name := lib/libsefs-cli_sim.so
- 	App_Name := bin/sefs-cli_sim
++   App_Name := bin/sefs-cli_sim
 +else ifeq ($(SGX_MODE), HYPER)
 +	RustEnclave_Name := lib/libsefs-cli_hyper.so
 +	App_Name := bin/sefs-cli_hyper
@@ -72,25 +88,20 @@ index f0eeb8c..8c6fae0 100644
  
  ######## App Objects ########
 diff --git a/sefs-cli/app/build.rs b/sefs-cli/app/build.rs
-index 4bf4c0a..96391ac 100644
+index 6d54f91..a523baf 100644
 --- a/sefs-cli/app/build.rs
 +++ b/sefs-cli/app/build.rs
-@@ -14,6 +14,7 @@ fn main() {
+@@ -29,6 +29,10 @@ fn main() {
-     match is_sim.as_ref() {
+             println!("cargo:rustc-link-lib=dylib=sgx_urts");
-         "SW" | "SIM" => println!("cargo:rustc-link-lib=static=sgx_urts_sim_with_se_event"),
+             println!("cargo:rustc-link-lib=dylib=sgx_uae_service");
-         "HW" => println!("cargo:rustc-link-lib=dylib=sgx_urts"),
+         }
-+        "HYPER" => println!("cargo:rustc-link-lib=static=sgx_urts_hyper_with_se_event"),
++        "HYPER" => {
-         _ => println!("cargo:rustc-link-lib=dylib=sgx_urts"), // Treat undefined as HW
++            println!("cargo:rustc-link-lib=dylib=sgx_urts_hyper");
-     }
++            println!("cargo:rustc-link-lib=dylib=sgx_uae_service_hyper");
- 
++        }
-@@ -21,6 +22,7 @@ fn main() {
+         _ => {
-     match is_sim.as_ref() {
+             println!("cargo:rustc-link-lib=dylib=sgx_urts");
-         "SW" | "SIM" => println!("cargo:rustc-link-lib=dylib=sgx_uae_service_sim"),
+             println!("cargo:rustc-link-lib=dylib=sgx_uae_service");
-         "HW" => println!("cargo:rustc-link-lib=dylib=sgx_uae_service"),
-+        "HYPER" => println!("cargo:rustc-link-lib=dylib=sgx_uae_service_hyper"),
-         _ => println!("cargo:rustc-link-lib=dylib=sgx_uae_service"), // Treat undefined as HW
-     }
- 
 diff --git a/sefs-cli/enclave/Enclave.config.xml b/sefs-cli/enclave/Enclave.config.xml
 index 109fcd2..e69f2b6 100644
 --- a/sefs-cli/enclave/Enclave.config.xml
@@ -119,3 +130,6 @@ index 92bebf2..d93532c 100644
      local:
          *;
  };
+-- 
+2.25.1
+

src/libos/src/util/sgx/dcap/quote_verifier.rs

@@ -7,7 +7,7 @@ pub struct QuoteVerifier {
 
 // The latest QvE ISVSVN from Intel PCS.
 // It should be updated when a newer QvE is released.
-const QVE_ISVSVN_THRESHOLD: sgx_isv_svn_t = 5;
+const QVE_ISVSVN_THRESHOLD: sgx_isv_svn_t = 7;
 
 impl QuoteVerifier {
     pub fn new() -> Option<Self> {

tools/docker/Dockerfile.ubuntu20.04

@@ -86,8 +86,8 @@ RUN curl https://sh.rustup.rs -sSf | \
     cargo -V
 
 # Install SGX PSW
-ARG PSW_VERSION=2.20.100.4
+ARG PSW_VERSION=2.21.100.1
-ARG DCAP_VERSION=1.17.100.4
+ARG DCAP_VERSION=1.18.100.1
 RUN apt-get update && aptitude install -y \
         libsgx-launch-dev=$PSW_VERSION-focal1 \
         libsgx-epid-dev=$PSW_VERSION-focal1 \
@@ -125,7 +125,7 @@ RUN apt-get update && aptitude install -y \
 
 # Install SGX SDK
 WORKDIR /tmp
-RUN git clone -b sgx_2.20_for_occlum https://github.com/occlum/linux-sgx && \
+RUN git clone -b sgx_2.21_for_occlum https://github.com/occlum/linux-sgx && \
     mkdir /etc/init && \
     cd linux-sgx && \
     make preparation && \

tools/docker/Dockerfile.ubuntu20.04-rt

@@ -3,9 +3,9 @@ LABEL maintainer="Qi Zheng <huaiqing.zq@antgroup.com>"
 
 # Install SGX DCAP and Occlum runtime
 ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
-ARG PSW_VERSION=2.20.100.4
+ARG PSW_VERSION=2.21.100.1
-ARG DCAP_VERSION=1.17.100.4
+ARG DCAP_VERSION=1.18.100.1
-ARG OCCLUM_VERSION=0.30.0
+ARG OCCLUM_VERSION=0.31.0
 RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends gnupg wget ca-certificates jq && \
     echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
@@ -27,7 +27,7 @@ RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-r
         libsgx-qe3-logic=$DCAP_VERSION-focal1 \
         libsgx-dcap-default-qpl=$DCAP_VERSION-focal1 \
         libsgx-dcap-quote-verify=$DCAP_VERSION-focal1 \
-        occlum-runtime=$OCCLUM_VERSION-1 \
+        occlum-runtime=$OCCLUM_VERSION-focal-1 \
         && \
     apt clean && \
     rm -rf /var/lib/apt/lists/*
@@ -35,7 +35,7 @@ RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-r
 COPY docker-entrypoint.sh /usr/local/bin/
 
 ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
-# This PCCS value could be updated by env passed from user by below entryp
+# This PCCS value could be updated by env passed from user by below entrypoint
 ENV PCCS_URL="https://localhost:8081/sgx/certification/v3/"
 ENV USE_SECURE_CERT=true
 

tools/docker/Dockerfile.ubuntu22.04

@@ -86,8 +86,8 @@ RUN curl https://sh.rustup.rs -sSf | \
     cargo -V
 
 # Install SGX PSW
-ARG PSW_VERSION=2.20.100.4
+ARG PSW_VERSION=2.21.100.1
-ARG DCAP_VERSION=1.17.100.4
+ARG DCAP_VERSION=1.18.100.1
 RUN apt-get update && aptitude install -y \
         libsgx-launch-dev=$PSW_VERSION-jammy1 \
         libsgx-epid-dev=$PSW_VERSION-jammy1 \
@@ -125,7 +125,7 @@ RUN apt-get update && aptitude install -y \
 
 # Install SGX SDK
 WORKDIR /tmp
-RUN git clone -b sgx_2.20_for_occlum https://github.com/occlum/linux-sgx && \
+RUN git clone -b sgx_2.21_for_occlum https://github.com/occlum/linux-sgx && \
     mkdir /etc/init && \
     cd linux-sgx && \
     make preparation && \
@@ -188,9 +188,9 @@ COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK8_PATH/jre/lib/security/cacer
 WORKDIR /root/occlum/tools/toolchains
 RUN cd dcap_lib && ./build.sh && cd .. && rm -rf dcap_lib
 
-# # Install AECS Client library
+# Install AECS Client library
-# WORKDIR /root/occlum/tools/toolchains
+WORKDIR /root/occlum/tools/toolchains
-# RUN cd aecs_client && ./build.sh && cd .. && rm -rf aecs_client
+RUN cd aecs_client && ./build.sh && cd .. && rm -rf aecs_client
 
 # Install GRPC RATLS
 WORKDIR /root/occlum/tools/toolchains
@@ -200,8 +200,8 @@ RUN cd grpc_ratls && ./build.sh && cd .. && rm -rf grpc_ratls && rm -rf /tmp/grp
 WORKDIR /root
 RUN cd occlum && \
     source /opt/intel/sgxsdk/environment && \
-    OCCLUM_NO_INIT_RA_AECS=1 make submodule && \
+    make submodule && \
-    OCCLUM_RELEASE_BUILD=1 OCCLUM_NO_INIT_RA_AECS=1 make install && \
+    OCCLUM_RELEASE_BUILD=1 make install && \
     cp -r demos /root/demos && \
     rm -rf /root/occlum
 

tools/docker/Dockerfile.ubuntu22.04-rt

@@ -1,26 +1,16 @@
-ARG OCCLUM_DEV_IMG=occlum/occlum:0.30.1-test-ubuntu22.04
-FROM $OCCLUM_DEV_IMG as base
-
-# Download the Occlum source
-ARG OCCLUM_BRANCH=0.30.1-dev
-WORKDIR /root
-RUN git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum
-
-# Build Occlum debian packages
-WORKDIR /root/occlum/tools/installer/deb
-RUN make && make musl-gcc && GLIBC_VERSION=2.35 make glibc
-
-
 FROM ubuntu:22.04
 LABEL maintainer="Qi Zheng <huaiqing.zq@antgroup.com>"
 
 # Install SGX DCAP and PSW
 ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
-ARG PSW_VERSION=2.20.100.4
+ARG PSW_VERSION=2.21.100.1
-ARG DCAP_VERSION=1.17.100.4
+ARG DCAP_VERSION=1.18.100.1
+ARG OCCLUM_VERSION=0.31.0
 RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends gnupg wget ca-certificates jq && \
     echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
+    echo 'deb [arch=amd64] https://occlum.io/occlum-package-repos/debian jammy main' | tee /etc/apt/sources.list.d/occlum.list && \
+    wget -qO - https://occlum.io/occlum-package-repos/debian/public.key | apt-key add - && \
     apt update && apt install -y --no-install-recommends \
         libsgx-launch=$PSW_VERSION-jammy1 \
         libsgx-epid=$PSW_VERSION-jammy1 \
@@ -37,14 +27,11 @@ RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-r
         libsgx-qe3-logic=$DCAP_VERSION-jammy1 \
         libsgx-dcap-default-qpl=$DCAP_VERSION-jammy1 \
         libsgx-dcap-quote-verify=$DCAP_VERSION-jammy1 \
+        occlum-runtime=$OCCLUM_VERSION-jammy-1 \
         && \
     apt clean && \
     rm -rf /var/lib/apt/lists/*
 
-# Only runtime deb package is required for occlum run
-COPY --from=base /tmp/deb_build/occlum-runtime_*.deb /tmp
-RUN cd /tmp && dpkg -i *.deb && rm -rf *.deb
-
 COPY docker-entrypoint.sh /usr/local/bin/
 
 ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"

tools/protect-integrity/Makefile

@@ -53,9 +53,9 @@ endif
 ######## App Settings ########
 
 ifneq ($(SGX_MODE), HW)
-	# Tools are built in simulation mode by default and should be built with sgx_urts_sim_with_se_event
+	# Tools are built in simulation mode by default and should be built with sgx_urts_sim
 	# to resolve undefined symbols
-	URTS_LIBRARY_NAME := sgx_urts_sim_with_se_event
+	URTS_LIBRARY_NAME := sgx_urts_sim
 else
 	URTS_LIBRARY_NAME := sgx_urts
 endif

tools/toolchains/aecs_client/build.sh

@@ -3,12 +3,13 @@ set -e
 
 script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}"  )" >/dev/null 2>&1 && pwd )"
 INSTALL_DIR=/opt/occlum/toolchains/aecs_client
+OCCLUM_INSTALL_DIR=/usr/local/occlum/x86_64-linux-gnu/lib
 AECS_DIR=${script_dir}/enclave-configuration-service
 
 # Default TEE TYPE is SGX2, also support HYPERENCLAVE
 TEETYPE=${1:-SGX2}
 
-git clone -b v2.0.0 https://github.com/SOFAEnclave/enclave-configuration-service.git
+git clone -b occlum-init-ra https://github.com/occlum/enclave-configuration-service.git
 
 pushd ${AECS_DIR}
 git submodule update --init --recursive
@@ -22,7 +23,9 @@ echo "Move AECS client libraries to toolchain path"
 mkdir -p ${INSTALL_DIR}
 cp ./build/out/libaecs_client.so ${INSTALL_DIR}/
 cp ./build/out/libual.so ${INSTALL_DIR}/
-cp /usr/local/occlum/x86_64-linux-gnu/lib/libcurl_static.a ${INSTALL_DIR}/
+cp $OCCLUM_INSTALL_DIR/libcurl_static.a ${INSTALL_DIR}/
+[ -f $OCCLUM_INSTALL_DIR/libssl.so ] && cp $OCCLUM_INSTALL_DIR/libssl.so* ${INSTALL_DIR}/
+[ -f $OCCLUM_INSTALL_DIR/libcrypto.so ] && cp $OCCLUM_INSTALL_DIR/libcrypto.so* ${INSTALL_DIR}/
 popd
 
 # Clean up

tools/toolchains/dcap_lib/inc/occlum_dcap.h

@@ -8,31 +8,32 @@
 #include "sgx_qve_header.h"
 
 #ifdef __cplusplus
-extern "C" {
+extern "C"
+{
 #endif
 
-void *dcap_quote_open(void);
+  void *dcap_quote_open(void);
 
-uint32_t dcap_get_quote_size(void *handle);
+  uint32_t dcap_get_quote_size(void *handle);
 
-int32_t dcap_generate_quote(void *handle, uint8_t *quote_buf, const sgx_report_data_t *report_data);
+  int32_t dcap_generate_quote(void *handle, uint8_t *quote_buf, const sgx_report_data_t *report_data);
 
-uint32_t dcap_get_supplemental_data_size(void *handle);
+  uint32_t dcap_get_supplemental_data_size(void *handle);
 
-int32_t dcap_verify_quote(void *handle,
+  int32_t dcap_verify_quote(void *handle,
-                          const uint8_t *quote_buf,
+                            const uint8_t *quote_buf,
-                          uint32_t quote_size,
+                            uint32_t quote_size,
-                          uint32_t *collateral_expiration_status,
+                            uint32_t *collateral_expiration_status,
-                          sgx_ql_qv_result_t *quote_verification_result,
+                            sgx_ql_qv_result_t *quote_verification_result,
-                          uint32_t supplemental_data_size,
+                            uint32_t supplemental_data_size,
-                          uint8_t *supplemental_data);
+                            uint8_t *supplemental_data);
 
+  // int32_t dcap_generate_key(void *handle, sgx_key_128bit_t *key, const sgx_key_request_t *key_request);
 
-void dcap_quote_close(void *handle);
+  void dcap_quote_close(void *handle);
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif
-

tools/toolchains/dcap_lib/src/lib.rs

@@ -67,17 +67,39 @@ pub extern "C" fn dcap_verify_quote(
     let dcap = unsafe { &mut *(handle as *mut DcapQuote) };
 
     let mut verify_arg = IoctlVerDCAPQuoteArg {
-        quote_buf: quote_buf,
+        quote_buf,
-        quote_size: quote_size,
+        quote_size,
-        collateral_expiration_status: collateral_expiration_status,
+        collateral_expiration_status,
-        quote_verification_result: quote_verification_result,
+        quote_verification_result,
-        supplemental_data_size: supplemental_data_size,
+        supplemental_data_size,
-        supplemental_data: supplemental_data,
+        supplemental_data,
     };
 
     dcap.verify_quote(&mut verify_arg).unwrap_or(-1)
 }
 
+/*
+#[no_mangle]
+pub extern "C" fn dcap_generate_key(
+    handle: *mut c_void,
+    key: *mut sgx_key_128bit_t,
+    key_request: *const sgx_key_request_t,
+) -> i32 {
+    if handle.is_null() {
+        return -1;
+    }
+
+    let dcap = unsafe { &mut *(handle as *mut DcapQuote) };
+
+    let mut key_arg = IoctlGetKeyArg {
+        key_request,
+        key
+    };
+
+    dcap.generate_key(&mut key_arg).unwrap_or(-1)
+}
+ */
+
 #[no_mangle]
 pub extern "C" fn dcap_quote_close(handle: *mut c_void) {
     if handle.is_null() {

tools/toolchains/dcap_lib/src/occlum_dcap.rs

@@ -5,6 +5,7 @@ const SGXIOC_GET_DCAP_QUOTE_SIZE: u64 = 0x80047307;
 const SGXIOC_GEN_DCAP_QUOTE: u64 = 0xc0187308;
 const SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = 0x80047309;
 const SGXIOC_VER_DCAP_QUOTE: u64 = 0xc030730a;
+// const SGXIOC_CMD_NUM_KEY: u64 = 0xc010730b;
 
 cfg_if::cfg_if! {
     if #[cfg(target_env = "musl")] {
@@ -12,11 +13,13 @@ cfg_if::cfg_if! {
         const IOCTL_GEN_DCAP_QUOTE: i32 = SGXIOC_GEN_DCAP_QUOTE as i32;
         const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: i32 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE as i32;
         const IOCTL_VER_DCAP_QUOTE: i32 = SGXIOC_VER_DCAP_QUOTE as i32;
+        // const IOCTL_CMD_NUM_KEY: i32 = SGXIOC_CMD_NUM_KEY as i32;
     } else {
         const IOCTL_GET_DCAP_QUOTE_SIZE: u64 = SGXIOC_GET_DCAP_QUOTE_SIZE;
         const IOCTL_GEN_DCAP_QUOTE: u64 = SGXIOC_GEN_DCAP_QUOTE;
         const IOCTL_GET_DCAP_SUPPLEMENTAL_SIZE: u64 = SGXIOC_GET_DCAP_SUPPLEMENTAL_SIZE;
         const IOCTL_VER_DCAP_QUOTE: u64 = SGXIOC_VER_DCAP_QUOTE;
+        // const IOCTL_CMD_NUM_KEY: u64 = SGXIOC_CMD_NUM_KEY;
     }
 }
 
@@ -41,6 +44,16 @@ pub struct IoctlVerDCAPQuoteArg {
     pub supplemental_data: *mut u8,                         // Output (optional)
 }
 
+/*
+// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
+//#[allow(dead_code)]
+#[repr(C)]
+pub struct IoctlGetKeyArg {
+    pub key_request: *const sgx_key_request_t, // Input
+    pub key: *mut sgx_key_128bit_t,            // Output
+}
+ */
+
 pub struct DcapQuote {
     fd: c_int,
     quote_size: u32,
@@ -122,6 +135,19 @@ impl DcapQuote {
         }
     }
 
+    /*
+    pub fn generate_key(&mut self, key_arg: *mut IoctlGetKeyArg) -> Result<i32, Error> {
+        let ret = unsafe { libc::ioctl(self.fd, IOCTL_CMD_NUM_KEY, key_arg) };
+        if ret < 0 {
+            let os_err = Error::last_os_error();
+            println!("OS error: {os_err:?}");
+            Err(os_err)
+        } else {
+            Ok(0)
+        }
+    }
+     */
+
     pub fn close(&mut self) {
         unsafe { libc::close(self.fd) };
     }

tools/toolchains/dcap_lib/src/prelude.rs

@@ -4,5 +4,9 @@ pub use std::io::Error;
 
 // Defined in "occlum/deps/rust-sgx-sdk/sgx_types"
 pub use sgx_types::{
-    sgx_ql_qv_result_t, sgx_quote3_t, sgx_quote_header_t, sgx_report_body_t, sgx_report_data_t,
+    sgx_ql_qv_result_t,
+    sgx_quote3_t,
+    sgx_quote_header_t,
+    sgx_report_body_t,
+    sgx_report_data_t, // sgx_key_request_t, sgx_key_128bit_t,
 };

tools/toolchains/utils_lib/Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "occlum_utils"
+version = "0.1.0"
+authors = ["Zheng, Qi <huaiqing.zq@antgroup.com>"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+sgx_types = { path = "../../../deps/rust-sgx-sdk/sgx_types" }
+libc = "0.2"
+cfg-if = "1.0.0"
+
+[lib]
+crate-type = ["cdylib", "rlib", "staticlib"]
+
+
+[[example]]
+name = "generate_key"
+
+[dev-dependencies]
+occlum_dcap = { path = "../dcap_lib" }

tools/toolchains/utils_lib/build.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+INSTALL_DIR=/opt/occlum/toolchains/utils_lib
+SONAME=libocclum_utils.so.0.1.0
+
+function build_lib() {
+    if [[ $1 == "musl" ]]; then
+        echo "*** Build and install musl-libc utils ***"
+        CARGO=occlum-cargo
+        TARGET_PATH=target/x86_64-unknown-linux-musl/release
+        LIB_PATH=${INSTALL_DIR}/musl/
+    else
+        echo "*** Build and install glibc utils ***"
+        CARGO=cargo
+        TARGET_PATH=target/release
+        LIB_PATH=${INSTALL_DIR}/glibc/
+    fi
+
+    # cargo build libs and rust example
+    $CARGO clean
+    $CARGO rustc --release  -- -Clink-arg=-Wl,-soname,$SONAME
+    $CARGO build --release  --examples
+
+    # Copy files
+    mkdir -p ${LIB_PATH}
+    cp ${TARGET_PATH}/libocclum_utils.a ${LIB_PATH}
+    # cp ${TARGET_PATH}/examples/generate_key ${LIB_PATH}  # Not used as library
+
+    # Create SO links
+    pushd ${TARGET_PATH}
+    strip libocclum_utils.so
+    mv libocclum_utils.so $SONAME
+    ln -s $SONAME libocclum_utils.so
+    popd
+    cp -Pf ${TARGET_PATH}/libocclum_utils.so* ${LIB_PATH}
+}
+
+build_lib musl
+build_lib glibc
+
+cp -r inc ${INSTALL_DIR}/

tools/toolchains/utils_lib/examples/generate_key.rs

@@ -0,0 +1,64 @@
+use occlum_utils::*;
+use sgx_types::{
+    sgx_attributes_t, sgx_key_id_t, sgx_misc_select_t, SGX_KEYPOLICY_MRSIGNER, SGX_KEYSELECT_SEAL,
+    SGX_KEY_REQUEST_RESERVED2_BYTES, TSEAL_DEFAULT_FLAGSMASK, TSEAL_DEFAULT_MISCMASK,
+};
+
+use occlum_dcap::{sgx_quote_header_t, sgx_report_body_t, sgx_report_data_t, DcapQuote};
+
+fn main() {
+    let handle = utils_ioctl_open();
+
+    let dcap_handle = unsafe { &mut *(handle as *mut DcapQuote) };
+
+    let quote_size = dcap_handle.get_quote_size().unwrap_or_default();
+
+    let mut quote_buf: Vec<u8> = vec![0; quote_size as usize];
+    let report_str = "utils demo sample";
+
+    let mut report_data = sgx_report_data_t::default();
+    report_data.d[..report_str.len()].copy_from_slice(report_str.as_bytes());
+
+    let report_data = report_data as sgx_report_data_t;
+
+    let _ = dcap_handle
+        .generate_quote(quote_buf.as_mut_ptr(), &report_data)
+        .unwrap();
+
+    println!("===============================");
+
+    dbg!(&quote_buf);
+
+    let report_body_offset = std::mem::size_of::<sgx_quote_header_t>();
+    let report_body: *const sgx_report_body_t = (quote_buf[report_body_offset..]).as_ptr() as _;
+    let report_body: sgx_report_body_t = unsafe { *report_body };
+
+    let key_policy = SGX_KEYPOLICY_MRSIGNER;
+
+    let attribute_mask = sgx_attributes_t {
+        flags: TSEAL_DEFAULT_FLAGSMASK,
+        xfrm: 0,
+    };
+
+    let misc_mask: sgx_misc_select_t = TSEAL_DEFAULT_MISCMASK;
+
+    let key_id = sgx_key_id_t::default();
+
+    let mut key = sgx_key_128bit_t::default();
+    let key_request = sgx_key_request_t {
+        key_name: SGX_KEYSELECT_SEAL,
+        key_policy,
+        isv_svn: report_body.isv_svn,
+        reserved1: 0_u16,
+        cpu_svn: report_body.cpu_svn,
+        attribute_mask,
+        key_id,
+        misc_mask,
+        config_svn: report_body.config_svn,
+        reserved2: [0_u8; SGX_KEY_REQUEST_RESERVED2_BYTES],
+    };
+
+    utils_gen_key(handle, &mut key, &key_request);
+
+    dbg!(&key);
+}

tools/toolchains/utils_lib/inc/occlum_utils.h

@@ -0,0 +1,25 @@
+#ifndef _OCCLUM_UTILS_H
+#define _OCCLUM_UTILS_H
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "sgx_report.h"
+#include "sgx_qve_header.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+  void *utils_ioctl_open(void);
+
+  int32_t utils_gen_key(void *handle, sgx_key_128bit_t *key, const sgx_key_request_t *key_request);
+
+  void utils_ioctl_close(void *handle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

tools/toolchains/utils_lib/rust-toolchain

@@ -0,0 +1 @@
+nightly-2022-10-22

tools/toolchains/utils_lib/src/lib.rs

@@ -0,0 +1,42 @@
+mod occlum_utils;
+mod prelude;
+
+pub use crate::occlum_utils::*;
+pub use crate::prelude::*;
+
+#[no_mangle]
+pub extern "C" fn utils_ioctl_open() -> *mut c_void {
+    if let Ok(fd) = UtilsIoctl::new() {
+        Box::into_raw(Box::new(fd)) as *mut c_void
+    } else {
+        std::ptr::null_mut::<u8>() as *mut c_void
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn utils_gen_key(
+    handle: *mut c_void,
+    key: *mut sgx_key_128bit_t,
+    key_request: *const sgx_key_request_t,
+) -> i32 {
+    if handle.is_null() {
+        return -1;
+    }
+
+    let ioctl_dev = unsafe { &mut *(handle as *mut UtilsIoctl) };
+
+    let mut key_arg = IoctlGetKeyArg { key_request, key };
+
+    ioctl_dev.generate_key(&mut key_arg).unwrap_or(-1)
+}
+
+#[no_mangle]
+pub extern "C" fn utils_ioctl_close(handle: *mut c_void) {
+    if handle.is_null() {
+        return;
+    }
+
+    let ioctl_dev = unsafe { &mut *(handle as *mut UtilsIoctl) };
+
+    ioctl_dev.close();
+}

tools/toolchains/utils_lib/src/occlum_utils.rs

@@ -0,0 +1,59 @@
+use crate::prelude::*;
+use std::ffi::CString;
+
+const SGXIOC_CMD_NUM_KEY: u64 = 0xc010730b;
+
+cfg_if::cfg_if! {
+    if #[cfg(target_env = "musl")] {
+        const IOCTL_CMD_NUM_KEY: i32 = SGXIOC_CMD_NUM_KEY as i32;
+    } else {
+        const IOCTL_CMD_NUM_KEY: u64 = SGXIOC_CMD_NUM_KEY;
+    }
+}
+
+// Copy from occlum/src/libos/src/fs/dev_fs/dev_sgx/mod.rs
+#[repr(C)]
+pub struct IoctlGetKeyArg {
+    pub key_request: *const sgx_key_request_t, // Input
+    pub key: *mut sgx_key_128bit_t,            // Output
+}
+
+pub struct UtilsIoctl {
+    fd: c_int,
+    // for backward compatibility with DcapQuote
+    _quote_size: u32,
+    _supplemental_size: u32,
+}
+
+impl UtilsIoctl {
+    pub fn new() -> Result<Self, Error> {
+        let path = CString::new("/dev/sgx").unwrap();
+        let fd = unsafe { libc::open(path.as_ptr(), O_RDONLY) };
+        if fd > 0 {
+            Ok(Self {
+                fd,
+                _quote_size: 0,
+                _supplemental_size: 0,
+            })
+        } else {
+            let os_err = Error::last_os_error();
+            println!("OS error: {os_err:?}");
+            Err(os_err)
+        }
+    }
+
+    pub(crate) fn generate_key(&mut self, key_arg: *mut IoctlGetKeyArg) -> Result<i32, Error> {
+        let ret = unsafe { libc::ioctl(self.fd, IOCTL_CMD_NUM_KEY, key_arg) };
+        if ret < 0 {
+            let os_err = Error::last_os_error();
+            println!("OS error: {os_err:?}");
+            Err(os_err)
+        } else {
+            Ok(0)
+        }
+    }
+
+    pub fn close(&mut self) {
+        unsafe { libc::close(self.fd) };
+    }
+}

tools/toolchains/utils_lib/src/prelude.rs

@@ -0,0 +1,6 @@
+pub use libc::{c_int, c_void, close, ioctl, open, O_RDONLY};
+pub use std::boxed::Box;
+pub use std::io::Error;
+
+// Defined in "occlum/deps/rust-sgx-sdk/sgx_types"
+pub use sgx_types::{sgx_key_128bit_t, sgx_key_request_t};