Remove support for OOT (out-of-tree) SGX driver

Signed-off-by: Wojtek Porczyk <[email protected]>

.ci/lib/stage-build-sgx-vm.jenkinsfile

@@ -57,7 +57,6 @@ stage('build') {
                 -Ddirect=disabled \
                 -Dsgx=enabled \
                 -Dtests=enabled \
-                -Dsgx_driver=upstream \
                 $MESON_OPTIONS
             ninja -vC build/
         '''

.ci/lib/stage-build-sgx.jenkinsfile

@@ -15,19 +15,6 @@ stage('build') {
         env.MESON_OPTIONS += ' -Ddcap=enabled'
     }
 
-    if (env.SGX_DRIVER == null) {
-        env.SGX_DRIVER = 'upstream'
-    }
-    if (env.SGX_DRIVER == 'oot') {
-        sh '''
-            git clone https://github.com/intel/linux-sgx-driver.git
-            cd linux-sgx-driver
-            git checkout 276c5c6a064d22358542f5e0aa96b1c0ace5d695
-        '''
-
-        env.MESON_OPTIONS += ' -Dsgx_driver_include_path=' + env.WORKSPACE + '/linux-sgx-driver'
-    }
-
     try {
         sh '''
             meson setup build/ \
@@ -37,7 +24,6 @@ stage('build') {
                 -Ddirect=disabled \
                 -Dsgx=enabled \
                 -Dtests=enabled \
-                -Dsgx_driver="$SGX_DRIVER" \
                 $MESON_OPTIONS
             ninja -vC build/
         '''

.ci/lib/stage-clean-check.jenkinsfile

@@ -20,9 +20,6 @@ stage('clean-check') {
         # root, and keeps cache there
         rm -rf .pytest_cache
 
-        # We downloaded the OOT SGX driver during build stage
-        rm -rf linux-sgx-driver
-
         make -C libos/test/regression clean
         make -C libos/test/fs clean
 
@@ -67,7 +64,6 @@ stage('clean-check') {
      * Gramine source tree.
      */
     sh 'rm -rf "$PREFIX"'
-    sh 'rm -rf linux-sgx-driver'
     sh '''
         ./scripts/gitignore-test
     '''

.gitignore

@@ -30,9 +30,7 @@ __pycache__
 # sgx
 *.manifest.sgx
 *.sig
-*.token
 *.cached
-.output.sgx_get_token.*
 .output.sgx_sign.*
 
 # gnu global

.pylintrc

@@ -168,7 +168,6 @@ ignored-classes=
 # and thus existing member attributes cannot be deduced by static analysis. It
 # supports qualified module names, as well as Unix pattern matching.
 ignored-modules=
-    aesm_pb2,
 
 # Show a hint with possible names when a member name was not found. The aspect
 # of finding the hint is based on edit distance.

CI-Examples/.gitignore

@@ -1,7 +1,6 @@
 *.manifest
 *.manifest.sgx
 *.sig
-*.token
 *.o
 *~
 *.swp

CI-Examples/README.md

@@ -45,8 +45,8 @@ addition, your application sample should have the following elements:
   command. If your application needs extra building steps, please document them
   in the `README.md`. In addition, we ask you to provide sufficient comments in
   the `Makefile` to help users understand the build process. If your application
-  also runs on Gramine-SGX, please include the commands for signing and
-  retrieving the token in the `Makefile`.
+  also runs on Gramine-SGX, please include the command for signing in the
+  `Makefile`.
 
 - Manifest:
   Please provide the manifest needed for running your application sample. Do not

CI-Examples/bash/Makefile

@@ -63,7 +63,7 @@ regression: all
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT scripts/testdir/*
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT scripts/testdir/*
 
 .PHONY: distclean
 distclean: clean

CI-Examples/blender/Makefile

@@ -65,8 +65,7 @@ check: all
 .PHONY: clean
 clean:
 	$(RM) -r \
-		$(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig \
-		blender.token
+		$(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig
 
 .PHONY: distclean
 distclean: clean

CI-Examples/busybox/Makefile

@@ -47,7 +47,7 @@ check: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest OUTPUT
+	$(RM) *.sig *.manifest.sgx *.manifest OUTPUT
 
 .PHONY: distclean
 distclean: clean

CI-Examples/helloworld/Makefile

@@ -47,7 +47,7 @@ check: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest helloworld.o helloworld OUTPUT
+	$(RM) *.sig *.manifest.sgx *.manifest helloworld.o helloworld OUTPUT
 
 .PHONY: distclean
 distclean: clean

CI-Examples/lighttpd/Makefile

@@ -108,7 +108,7 @@ start-gramine-server: all
 .PHONY: clean
 clean:
 	$(RM) \
-		*.manifest *.manifest.sgx *.token *.sig OUTPUT result-* $(CONF_FILES)
+		*.manifest *.manifest.sgx *.sig OUTPUT result-* $(CONF_FILES)
 
 .PHONY: distclean
 distclean: clean

CI-Examples/memcached/Makefile

@@ -64,7 +64,7 @@ start-gramine-server: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest memcached .lck
+	$(RM) *.sig *.manifest.sgx *.manifest memcached .lck
 
 .PHONY: distclean
 distclean: clean

CI-Examples/nginx/Makefile

@@ -128,7 +128,7 @@ start-gramine-server: all
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT result-* tmp nginx_args
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT result-* tmp nginx_args
 
 .PHONY: distclean
 distclean: clean

CI-Examples/python/Makefile

@@ -48,7 +48,7 @@ endif
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT* *.PID TEST_STDOUT TEST_STDERR
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT* *.PID TEST_STDOUT TEST_STDERR
 	$(RM) -r scripts/__pycache__
 
 .PHONY: distclean

CI-Examples/ra-tls-mbedtls/Makefile

@@ -151,7 +151,7 @@ check_dcap_fail: app dcap
 .PHONY: clean
 clean:
 	$(RM) -r \
-		*.token *.sig *.manifest.sgx *.manifest server client *.so *.so.* OUTPUT
+		*.sig *.manifest.sgx *.manifest server client *.so *.so.* OUTPUT
 
 .PHONY: distclean
 distclean: clean

CI-Examples/ra-tls-nginx/Makefile

@@ -41,5 +41,4 @@ clean:
 	$(RM) -r \
 		*.manifest \
 		*.manifest.sgx \
-		*.sig \
-		*.token
+		*.sig

CI-Examples/ra-tls-secret-prov/Makefile

@@ -216,9 +216,9 @@ check_dcap: app dcap
 .PHONY: clean
 clean:
 	$(RM) OUTPUT
-	cd secret_prov_minimal; $(RM) client server_* *.token *.sig *.manifest.sgx *.manifest
-	cd secret_prov;         $(RM) client server_* *.token *.sig *.manifest.sgx *.manifest
-	cd secret_prov_pf;      $(RM) client server_* *.token *.sig *.manifest.sgx *.manifest
+	cd secret_prov_minimal; $(RM) client server_* *.sig *.manifest.sgx *.manifest
+	cd secret_prov;         $(RM) client server_* *.sig *.manifest.sgx *.manifest
+	cd secret_prov_pf;      $(RM) client server_* *.sig *.manifest.sgx *.manifest
 
 .PHONY: distclean
 distclean: clean

CI-Examples/redis/Makefile

@@ -116,7 +116,7 @@ start-gramine-server: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest redis-server *.rdb
+	$(RM) *.sig *.manifest.sgx *.manifest redis-server *.rdb
 
 .PHONY: distclean
 distclean: clean

CI-Examples/rust/Makefile

@@ -49,7 +49,7 @@ start-gramine-server: all
 
 .PHONY: clean
 clean:
-	$(RM) -rf *.token *.sig *.manifest.sgx *.manifest result-* OUTPUT
+	$(RM) -rf *.sig *.manifest.sgx *.manifest result-* OUTPUT
 
 .PHONY: distclean
 distclean: clean

CI-Examples/sqlite/Makefile

@@ -50,7 +50,7 @@ regression: all
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT db/*
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT db/*
 
 .PHONY: distclean
 distclean: clean

Documentation/conf.py

@@ -189,7 +189,6 @@
     ('manpages/gramine-manifest-check', 'gramine-manifest-check', 'Gramine manifest schema validator', [author], 1),
     ('manpages/gramine-ratls', 'gramine-ratls', 'RA-TLS wrapper', [author], 1),
     ('manpages/gramine-sgx-gen-private-key', 'gramine-sgx-gen-private-key', 'Gramine SGX key generator', [author], 1),
-    ('manpages/gramine-sgx-get-token', 'gramine-sgx-get-token', 'Gramine SGX Token generator', [author], 1),
     ('manpages/gramine-sgx-ias-request', 'gramine-sgx-ias-request', 'Submit Intel Attestation Service request', [author], 1),
     ('manpages/gramine-sgx-ias-verify-report', 'gramine-sgx-ias-verify-report', 'Verify Intel Attestation Service report', [author], 1),
     ('manpages/gramine-sgx-quote-view', 'gramine-sgx-quote-view', 'Display SGX quote', [author], 1),

Documentation/devel/building.rst

@@ -73,8 +73,8 @@ Kernel version can be checked using the following command::
        uname -r
 
 If your current kernel version is 5.11 or higher, you have a built-in SGX
-support. The driver is accessible through /dev/sgx_enclave
-and /dev/sgx_provision.
+support. The driver is accessible through :file:`/dev/sgx_enclave`
+and :file:`/dev/sgx_provision`.
 
 If your current kernel version is lower than 5.11, then you have two options:
 
@@ -132,8 +132,7 @@ To build Gramine, you need to first set up the build directory. In the root
 directory of Gramine repo, run the following command (recall that "direct" means
 non-SGX version)::
 
-   meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled \
-       -Dsgx_driver=(upstream|oot) -Dsgx_driver_include_path=<path-to-sgx-driver-sources>
+   meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled
 
 .. note::
 
@@ -152,25 +151,9 @@ Set ``-Ddirect=`` and ``-Dsgx=`` options to ``enabled`` or ``disabled``
 according to whether you built the corresponding PAL (the snippet assumes you
 built both).
 
-The ``-Dsgx_driver`` parameter controls which SGX driver to use:
-
-* ``upstream`` (default) for upstreamed in-kernel driver (mainline Linux kernel
-  5.11+),
-* ``oot`` for non-DCAP, out-of-tree version of the driver.
-
-The ``-Dsgx_driver_include_path`` parameter must point to the absolute path
-where the SGX driver was downloaded or installed in the previous step. For
-example, for the OOT driver installed at the default path, you can specify
-``-Dsgx_driver_include_path="/opt/intel/linux-sgx-driver"``. If this parameter
-is omitted, Gramine's build system will try to determine the right path, so,
-it's usually not needed.
-
-.. note::
-
-   If you have a DCAP driver installed on the system (e.g. on 18.04 Azure),
-   then you can still use the upstream driver and specify the `upstream header
-   file <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/plain/arch/x86/include/uapi/asm/sgx.h?h=v5.11>`__.
-   This is because the DCAP and the upstream drivers have compatible APIs.
+Since Gramine 1.9, we only support upstream, in-kernel driver and the
+``-Dsgx_driver`` option, as well as associated ``-Dsgx_driver_include_path`` and
+``-Dsgx_driver_device`` options, are gone.
 
 Set ``-Dlibc`` option to ``musl`` if you wish to build musl instead of glibc
 (which is built by default), or to ``none`` if you do not want to build any
@@ -303,8 +286,8 @@ Protect this key and do not disclose it to anyone::
 
 After signing the application's manifest, users may ship the application and
 Gramine binaries, along with an SGX-specific manifest (``.manifest.sgx``
-extension), the SIGSTRUCT signature file (``.sig`` extension), and the
-EINITTOKEN file (``.token`` extension) to execute on another SGX-enabled host.
+extension), the SIGSTRUCT signature file (``.sig`` extension) to execute on
+another SGX-enabled host.
 
 Advanced: building without network access
 -----------------------------------------
@@ -352,7 +335,7 @@ Proceed with compiling and installing as usual.
 ::
 
     meson setup build/ --prefix=/usr --wrap-mode=nodownload \
-        -Ddirect=enabled -Dsgx=enabled -Dsgx_driver=upstream
+        -Ddirect=enabled -Dsgx=enabled
     meson compile -C build/
     meson install -C build/
 

Documentation/manpages/gramine.rst

@@ -26,14 +26,3 @@ Options
 .. option:: --version
 
    Show version and exit.
-
-Environment variables
-=====================
-
-.. envvar:: GRAMINE_NO_AUTO_GET_TOKEN
-
-   If not empty, for out-of-tree EPID driver :command:`gramine-sgx` will not
-   automatically generate EINITTOKEN.
-
-   On upstream/DCAP driver the token is never generated and this variable has no
-   effect.

Documentation/python/api.rst

@@ -7,7 +7,7 @@ Python API
 Introduction
 ------------
 
-We expose a Python API for manifest, SIGSTRUCT and SGX token management.
+We expose a Python API for manifest and SIGSTRUCT management.
 
 Examples
 --------
@@ -37,18 +37,6 @@ To create a |~| signed SIGSTRUCT file from a manifest::
     with open('path_to_sigstruct', 'wb') as f:
         f.write(sigstruct.to_bytes())
 
-To create a |~| SGX token file from a |~| signed SIGSTRUCT file::
-
-    from graminelibos import Sigstruct, get_token
-
-    with open('path_to_sigstruct', 'rb') as f:
-        sigstruct = Sigstruct.from_bytes(f.read())
-
-    token = get_token(sigstruct)
-
-    with open('path_to_token_file', 'wb') as f:
-        f.write(token)
-
 API Reference
 -------------
 
@@ -65,4 +53,3 @@ API Reference
      :members:
   .. autofunction:: graminelibos.get_tbssigstruct
   .. autofunction:: graminelibos.sign_with_local_key
-  .. autofunction:: graminelibos.get_token

debian/control

@@ -10,7 +10,7 @@ Build-Depends: debhelper-compat (= 13),
  libcurl4-openssl-dev (>= 7.58),
  libprotobuf-c-dev,
  libsgx-dcap-quote-verify-dev,
- linux-libc-dev (>= 5.11) | linux-headers-amd64 (>= 5.11),
+ linux-libc-dev (>= 5.11),
  meson (>= 0.56),
  nasm,
  ninja-build (>= 1.8),