

consolidate sgx targets/dependencies and use the sgx_ prefix consiste…
…ntly; check definitions of PDO_ENCLAVE_CODE_SIGN_PEM and PDO_SGX_KEY_ROOT at build time, but avoid making these mandatory; add user-friendly logs and error logs

Signed-off-by: Bruno Vavala <[email protected]>
bvavala committed Mar 26, 2024
1 parent 257d7d0 commit 1c45bf4
Showing 2 changed files with 42 additions and 14 deletions.
54 changes: 41 additions & 13 deletions docker/Makefile
Expand Up @@ -71,7 +71,7 @@ build_% : repository
--tag pdo_$*:$(PDO_VERSION) \
--file '$(DOCKER_DIR)'/pdo_$*.dockerfile .

build_sgx_services : repository
sgx_build_services : repository build_services_base
docker build $(DOCKER_ARGS) \
--build-arg PDO_VERSION=$(PDO_VERSION) \
--build-arg SGX_MODE=HW \
Expand All @@ -84,8 +84,6 @@ build_services: build_services_base
build_services_base: build_base
build_ccf: build_ccf_base

build_sgx_services: build_services_base

clean_% :
docker rmi -f pdo_$*:$(PDO_VERSION)

Expand Down Expand Up @@ -121,11 +119,22 @@ stop_client :
# performance requirements are relatively low.
# -----------------------------------------------------------------
repository :
# if an enclave signing key is available on the host, copy that under build/keys in the repo
# If an enclave signing key is available on the host, copy that under build/keys in the repo
# Note: the docker build (see PDO_ENCLAVE_CODE_SIGN_PEM in environment.sh) expects the key there
[ ! -e ${PDO_ENCLAVE_CODE_SIGN_PEM} ] ||\
(test ${PDO_ENCLAVE_CODE_SIGN_PEM} -ef ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem || \
cp ${PDO_ENCLAVE_CODE_SIGN_PEM} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem)
if [ ! -z "${PDO_ENCLAVE_CODE_SIGN_PEM}" ]; then \
if [ -z "${PDO_SGX_KEY_ROOT}" ]; then \
echo "Error: PDO_SGX_KEY_ROOT must be defined to transfer the enclave signing key in docker"; exit 1; \
fi ;\
if [ -e ${PDO_ENCLAVE_CODE_SIGN_PEM} ]; then \
echo "Enclave code signing key: using ${PDO_ENCLAVE_CODE_SIGN_PEM}"; \
(test ${PDO_ENCLAVE_CODE_SIGN_PEM} -ef ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem || \
cp ${PDO_ENCLAVE_CODE_SIGN_PEM} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem); \
else \
echo "Enclave code signing key: unavailable, a new one will be generated"; \
fi \
else \
echo "Enclave code signing key: PDO_ENCLAVE_CODE_SIGN_PEM undefined, a new one will be generated"; \
fi
# clone the repo
git clone --single-branch --branch $(PDO_BRANCH) --recurse-submodules '$(PDO_REPO)' repository

Expand Down Expand Up @@ -163,14 +172,33 @@ test : clean_config clean_repository build_test stop_all
PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit
PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down

sgx_build_test : repository build_sgx_services build_ccf build_client
sgx_build_test : repository sgx_build_services build_ccf build_client

sgx_keys :
# test for key availability and make keys available to the container through xfer
test -f ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt
test -f ${PDO_SGX_KEY_ROOT}/sgx_spid.txt
test -f ${PDO_SGX_KEY_ROOT}/sgx_ias_key.pem
cp ${PDO_SGX_KEY_ROOT}/* '$(DOCKER_DIR)'/xfer/services/keys/sgx/
# check for collateral in PDO_SGX_KEY_ROOT and copy that in xfer
# or, copy anything in the default folder to xfer
if [ ! -z "${PDO_SGX_KEY_ROOT}" ]; then \
echo "Checking for source SGX collateral in ${PDO_SGX_KEY_ROOT}"; \
if [ ! -f ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt ] || \
[ ! -f ${PDO_SGX_KEY_ROOT}/sgx_spid.txt ] || \
[ ! -f ${PDO_SGX_KEY_ROOT}/sgx_ias_key.pem ]; then \
echo "Error: check PDO_SGX_KEY_ROOT and SGX collateral in it"; exit 1; \
fi ;\
echo "Copying source SGX collateral to docker"; \
cp ${PDO_SGX_KEY_ROOT}/* '$(DOCKER_DIR)'/xfer/services/keys/sgx/; \
else \
echo "PDO_SGX_KEY_ROOT undefined, rsync default folder to docker"; \
rsync -r ${PDO_SOURCE_ROOT}/build/keys/sgx_mode_hw/ '$(DOCKER_DIR)'/xfer/services/keys/sgx/; \
fi

# test collateral availability in xfer (possibly, but not necessarily, after the copy above)
@echo "Checking for SGX collateral in docker"
if [ ! -f '$(DOCKER_DIR)'/xfer/services/keys/sgx/sgx_spid_api_key.txt ] || \
[ ! -f '$(DOCKER_DIR)'/xfer/services/keys/sgx/sgx_spid.txt ] || \
[ ! -f '$(DOCKER_DIR)'/xfer/services/keys/sgx/sgx_ias_key.pem ]; then \
echo "Error: SGX collateral not docker-ready -- set PDO_SGX_KEY_ROOT and check collateral"; exit 1; \
fi
@echo "SGX collateral is docker-ready"

sgx_test : clean_config clean_repository sgx_build_test stop_all sgx_keys
PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit
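Review bot: The `cp ${PDO_SGX_KEY_ROOT}/* '$(DOCKER_DIR)'/xfer/services/keys/sgx/; \` line in sgx_keys copies every file in the key root, while the precondition test just above it and the docker-ready check below only require the three named collateral files. Because the `repository` target in this same file places the enclave signing key at `${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem` when PDO_ENCLAVE_CODE_SIGN_PEM is set, that private key is swept into the services xfer directory too, which seems wider than the services collateral needs unless the container is meant to receive it; copying only the three files, `cp ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt ${PDO_SGX_KEY_ROOT}/sgx_spid.txt ${PDO_SGX_KEY_ROOT}/sgx_ias_key.pem '$(DOCKER_DIR)'/xfer/services/keys/sgx/; \`, makes the copy agree with the checks. The same three-file existence test is written twice (against the key root and against xfer), so a single shell loop over the three names would remove that duplication. The `${PDO_SGX_KEY_ROOT}` expansions in the `[ -f ... ]` tests and the `cp` are unquoted, unlike `'$(DOCKER_DIR)'`, so a root path containing spaces fails there.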
2 changes: 1 addition & 1 deletion docker/README.md
Expand Up @@ -84,7 +84,7 @@ on how to use the client container.
For the contract enclave to run in SGX hardware mode, the `pdo_services`
image must be built using the following target:
```bash
make build_sgx_services
make sgx_build_services
```
Inside the `pdo_services` images, the `SGX_MODE` environment variable
can help distinguish the build type.
