remove the PDO_SPID, PDO_SPID_API_KEY and PDO_ENCLAVE_CODE_SIGN_PEM e…

…nvironment variables, so all the sgx material will not be assumed/managed under PDO_SGX_KEY_ROOT; remove enclave.toml by merging it with eservice.toml and with pservice.toml; remove configuration material (spid and api key) from the EnclaveModule; update docker makefile due to previous changes; update documentation regarding variables; move spid format check to where it's actually used/stored; update several python scripts to accept as input (and have default values for) the sgx key root folder to find the sgx collateral necessary in hw mode;

Signed-off-by: Bruno Vavala <[email protected]>

bin/lib/common_service.sh

@@ -125,7 +125,7 @@ service_start() {
 			     ${F_LOGLEVEL} 2> $EFILE > $OFILE &
             echo $! > ${F_LOGDIR}/${IDENTITY}.pid
 	else
-            ${F_SERVICE_CMD} --identity ${IDENTITY} --config ${IDENTITY}.toml enclave.toml --config-dir ${F_CONFDIR} \
+            ${F_SERVICE_CMD} --identity ${IDENTITY} --config ${IDENTITY}.toml --config-dir ${F_CONFDIR} \
                              ${F_LEDGERURL} ${F_LOGLEVEL} 2> $EFILE > $OFILE &
             echo $! > ${F_LOGDIR}/${IDENTITY}.pid
 	fi

build/Makefile

@@ -21,8 +21,8 @@ ifndef PDO_INSTALL_ROOT
 $(error Incomplete configuration, PDO_INSTALL_ROOT is not defined)
 endif
 
-ifndef PDO_ENCLAVE_CODE_SIGN_PEM
-$(error Incomplete configuration, PDO_ENCLAVE_CODE_SIGN_PEM is not defined)
+ifndef PDO_SGX_KEY_ROOT
+$(error Incomplete configuration, PDO_SGX_KEY_ROOT is not defined)
 endif
 
 ifndef SGX_MODE
@@ -43,7 +43,6 @@ SRCDIR ?= $(abspath $(SCRIPTDIR)/..)
 
 BUILD = $(abspath $(SCRIPTDIR)/__tools__/build.sh)
 VERIFY_PRE_BUILD = $(abspath $(SCRIPTDIR)/__tools__/verify-pre-build.sh)
-VERIFY_PRE_CONF = $(abspath $(SCRIPTDIR)/__tools__/verify-pre-conf.sh)
 CLEAN = $(abspath $(SCRIPTDIR)/__tools__/clean.sh)
 TESTSCRIPT = $(abspath $(SCRIPTDIR)/__tools__/run-tests.sh)
 BENCHMARKSCRIPT = $(abspath $(SCRIPTDIR)/__tools__/run-benchmarks.sh)
@@ -95,9 +94,6 @@ $(DSTDIR) :
 verify-pre-build :
 	$(VERIFY_PRE_BUILD)
 
-verify-pre-config :
-	$(VERIFY_PRE_CONF)
-
 build : $(PYTHON_DIR)
 	. $(abspath $(DSTDIR)/bin/activate) && $(BUILD)
 
@@ -106,16 +102,16 @@ verified-build : verify-pre-build
 
 rebuild : clean-build build $(CONDITIONAL_REGISTER_TARGET)
 
-system-keys : ${PDO_ENCLAVE_CODE_SIGN_PEM}
+system-keys : ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem
 
-${PDO_ENCLAVE_CODE_SIGN_PEM} :
-	openssl genrsa -3 -out ${PDO_ENCLAVE_CODE_SIGN_PEM} 3072
+${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem :
+	openssl genrsa -3 -out ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem 3072
 
 # SERVICES_COUNT is the number of services of each type to create
 # First value is the number of eservices, then pservices, then
 # sservices, 5 of each is the default
 SERVICES_COUNT ?= 5 5 5
-SERVICES_CONF_TEMPLATES = $(addprefix $(SCRIPTDIR)/template/, eservice.toml pservice.toml enclave.toml)
+SERVICES_CONF_TEMPLATES = $(addprefix $(SCRIPTDIR)/template/, eservice.toml pservice.toml)
 SERVICES_CONF_TARGET = $(DSTDIR)/opt/pdo/.services_configured
 
 $(SERVICES_CONF_TARGET) : $(PYTHON_DIR) $(SERVICE_CONF_TEMPLATES)
@@ -125,12 +121,12 @@ $(SERVICES_CONF_TARGET) : $(PYTHON_DIR) $(SERVICE_CONF_TEMPLATES)
 
 config-services : $(SERVICES_CONF_TARGET)
 
-verified-config : verify-pre-config
+verified-config :
 	${MAKE} config
 
 config : config-services config-client
 
-force-config : verify-pre-config
+force-config :
 	- rm -f $(SERVICES_CONF_TARGET) $(CLIENT_CONF_TARGET)
 	${MAKE} config
 
@@ -171,6 +167,6 @@ benchmark : $(PYTHON_DIR)
 .PHONY : all environment register system-keys
 .PHONY : build rebuild verified-build verify-pre-build
 .PHONY : clean clean-build clean-install
-.PHONY : config config-services force-config verified-config verify-pre-config
+.PHONY : config config-services force-config verified-config
 .PHONY : client build-client config-client
 .PHONY : benchmark test

build/__tools__/expand-config

@@ -76,8 +76,6 @@ try :
     ContractHome = os.environ["PDO_HOME"]
     LedgerURL = os.environ["PDO_LEDGER_URL"]
     LedgerType = os.environ["PDO_LEDGER_TYPE"]
-    SPID = os.environ["PDO_SPID"]
-    SPID_API_KEY = os.environ["PDO_SPID_API_KEY"]
 except KeyError as ke :
     print("incomplete configuration, missing definition of {0}".format(str(ke)))
     sys.exit(-1)
@@ -110,9 +108,7 @@ config_map = {
     'ledger_type': LedgerType,
     'ledger_key_root' : LedgerKeyRoot,
     'eservice_key_format': EserviceKeyFormat,
-    'proxy' : HttpsProxy,
-    'spid' : SPID,
-    'spid_api_key' : SPID_API_KEY
+    'proxy' : HttpsProxy
 }
 
 # -----------------------------------------------------------------

build/__tools__/verify-pre-build.sh

@@ -41,7 +41,6 @@ yell --------------- CONFIG AND ENVIRONMENT PRE-BUILD CHECK ---------------
 
 : "${PDO_INSTALL_ROOT:-$(warn Missing environment variable PDO_INSTALL_ROOT)}"
 : "${PDO_HOME:-$(warn Missing environment variable PDO_HOME)}"
-: "${PDO_ENCLAVE_CODE_SIGN_PEM:-$(warn Missing environment variable PDO_ENCLAVE_CODE_SIGN_PEM)}"
 ([ ! -z "${SGX_SSL}" ] && [ -f ${SGX_SSL}/include/openssl/err.h ] ) || warn "Missing or invalid environment variable SGX_SSL"
 ([ ! -z "${SGX_SDK}" ] && [ -f ${SGX_SDK}/include/sgx.h ] ) || warn "Missing or invalid environment variable SGX_SDK"
 : "${SGX_MODE:-$(warn Missing environment variable SGX_MODE, set it to HW or SIM)}"
@@ -59,8 +58,4 @@ if [ ! -d "${PDO_INSTALL_ROOT}" ]; then
     warn "PDO_INSTALL_ROOT directory does not exist"
 fi
 
-if [ ! -f "${PDO_ENCLAVE_CODE_SIGN_PEM}" ]; then
-    warn "PDO_ENCLAVE_CODE_SIGN_PEM file does not exist"
-fi
-
 exit $F_VERIFIED

build/cmake/SGX.cmake

@@ -16,10 +16,10 @@
 # Environment Variables
 ################################################################################
 
-IF (NOT DEFINED ENV{PDO_ENCLAVE_CODE_SIGN_PEM})
-  MESSAGE(FATAL_ERROR "PDO_ENCLAVE_CODE_SIGN_PEM not defined")
+IF (NOT DEFINED ENV{PDO_SGX_KEY_ROOT})
+  MESSAGE(FATAL_ERROR "PDO_SGX_KEY_ROOT not defined")
 ENDIF()
-SET(PDO_ENCLAVE_CODE_SIGN_PEM "$ENV{PDO_ENCLAVE_CODE_SIGN_PEM}")
+SET(PDO_SGX_KEY_ROOT "$ENV{PDO_SGX_KEY_ROOT}")
 
 IF (NOT DEFINED ENV{SGX_MODE})
   MESSAGE(FATAL_ERROR "SGX_MODE not defined")

build/cmake/Test.cmake

@@ -34,8 +34,8 @@ SET(PDO_TEST_CONTRACT
   --logfile ${TEST_LOG_FILE})
 
 # NOTE: we override the default configuration here because clients
-# do not have the full configuration files (eservice1.toml and
-# enclave.toml) and when running with services these are not required.
+# do not have the full configuration file (eservice1.toml) and
+# when running with services these are not required.
 SET(PDO_TEST_CONTRACT_WITH_SERVICES
   ${PDO_TEST_CONTRACT}
   --ledger ${TEST_LEDGER}

build/common-config.sh

@@ -113,37 +113,11 @@ var_set() {
     env_val[PDO_SGX_KEY_ROOT]="${PDO_SGX_KEY_ROOT:-${SCRIPTDIR}/keys/sgx_mode_${SGX_MODE,,}}"
 	env_desc[PDO_SGX_KEY_ROOT]="
 		PDO_SGX_KEY_ROOT is the root directory where SGX & IAS related keys are stored.
-		The default points to a directory which contains values which are good
-		enough for SGX simulator mode.  However, for SGX HW mode you
-		should provide your own version, at least for PDO_SPID and PDO_SPID_API_KEY
+		If SGX_MODE=SIM, the default folder contains mock files that are good for simulation mode.
+		If SGX_MODE=HW, the default (or custom) folder must be filled with legitimate SGX & IAS keys.
 	"
 	env_key_sort[$i]="PDO_SGX_KEY_ROOT"; i=$i+1; export PDO_SGX_KEY_ROOT=${env_val[PDO_SGX_KEY_ROOT]}
 
-	env_val[PDO_ENCLAVE_CODE_SIGN_PEM]="${PDO_ENCLAVE_CODE_SIGN_PEM:-${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem}"
-	env_desc[PDO_ENCLAVE_CODE_SIGN_PEM]="
-		PDO_ENCLAVE_CODE_SIGN_PEM contains the name of the file containing the key
-		used to sign the enclave. This key must be white-listed with IAS to work for
-                production-mode/default launch-control.  For non-production use, in simulator or HW mode,
-                the key can generated by the command:
-		    openssl genrsa -3 -out ${PDO_ENCLAVE_CODE_SIGN_PEM} 3072.
-                The default path points to a key which is generated during built on-demand.
-	"
-	env_key_sort[$i]="PDO_ENCLAVE_CODE_SIGN_PEM"; i=$i+1; export PDO_ENCLAVE_CODE_SIGN_PEM=${env_val[PDO_ENCLAVE_CODE_SIGN_PEM]}
-
-	env_val[PDO_SPID]="${PDO_SPID:-$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid.txt)}"
-	env_desc[PDO_SPID]="
-		PDO_SPID is the ID that accompanies the certificate registered
-		with the Intel Attestation Service. This should be a 32 character
-		hex string.
-	"
-	env_key_sort[$i]="PDO_SPID"; i=$i+1; export PDO_SPID=${env_val[PDO_SPID]}
-
-	env_val[PDO_SPID_API_KEY]="${PDO_SPID_API_KEY:-$(cat ${PDO_SGX_KEY_ROOT}/sgx_spid_api_key.txt)}"
-	env_desc[PDO_SPID_API_KEY]="
-		PDO_SPID_API_KEY is API-key associated with the SPID.
-	"
-	env_key_sort[$i]="PDO_SPID_API_KEY"; i=$i+1; export PDO_SPID_API_KEY=${env_val[PDO_SPID_API_KEY]}
-
 	env_val[PDO_LEDGER_KEY_ROOT]="${PDO_LEDGER_KEY_ROOT:-${PDO_INSTALL_ROOT}/opt/pdo/etc/keys/ledger}"
 	env_desc[PDO_LEDGER_KEY_ROOT]="
 		PDO_LEDGER_KEY_ROOT is the root directory where the system keys are stored
@@ -173,7 +147,7 @@ print_export() {
 }
 
 help() {
-    echo 'common-config.sh -[--reset-keys|-r] [--evalable-export|-e] [--help|-h|-?]
+    echo 'common-config.sh [--evalable-export|-e] [--help|-h|-?]
 
 This script can be used to set the environment variables that are used
 in the build, installation & execution process. While the build should
@@ -200,9 +174,6 @@ and before buidling it you call script as
 If passed the parameter --evalable-export it will
 return a list of export commands of the variables
 instead of directly exporting them to the environment.
-Passing parameter --reset-keys will unset keying variables
-PDO_ENCLAVE_CODE_SIGN_PEM,
-PDO_SPID and PDO_SPID_API_KEY before setting variables.
 
 The list of variables set (in order they are defined, their defaults
 and semantics is as follows:
@@ -222,16 +193,6 @@ while [[ $# > 0 ]]
 do
     opt=$1
     case $opt in
-        --reset-keys|-r)
-	    # -----------------------------------------------------------------
-	    # if you change either PDO_SGX_KEY_ROOT or PDO_LEDGER_KEY_ROOT variable
-            # and re-source this file you should unset all of the variables that
-            # depend on those variables
-	    # -----------------------------------------------------------------
-	    unset PDO_ENCLAVE_CODE_SIGN_PEM
-	    unset PDO_SPID
-	    unset PDO_SPID_API_KEY
-            ;;
         --evalable-export|-e)
 	    is_sourced=0
 	    ;;

build/keys/sgx_mode_sim/sgx_spid.txt

@@ -1 +1 @@
-DEADBEEF00000000DEADBEEF00000000
+DEADBEEF00000000DEADBEEF00000000

build/keys/sgx_mode_sim/sgx_spid_api_key.txt

@@ -1 +1 @@
-deadbeef00000000deadbeef00000000
+deadbeef00000000deadbeef00000000

build/template/eservice.toml

@@ -72,3 +72,20 @@ DataPath = "${data}"
 # BaseName is the root of the name used to store data
 # about the enclave. A 'enc' extension will be added
 BaseName = "${identity}"
+
+# --------------------------------------------------
+# EnclaveModule -- configuration of the SGX contract enclave
+# --------------------------------------------------
+[EnclaveModule]
+
+# Number of available enclave workers to service requests
+num_of_enclaves = '7'
+
+# ias_url is the URL of the Intel Attestation Service (IAS) server.  The
+# example server is for debug enclaves only,
+# the production url is without the trailing '/dev'
+ias_url = 'https://api.trustedservices.intel.com/sgx/dev'
+
+# proxy configuration ..
+https_proxy = '${proxy}'
+

build/template/pservice.toml

@@ -68,3 +68,20 @@ DataPath = "${data}"
 # BaseName is the root of the name used to store data
 # about the enclave. A 'enc' extension will be added
 BaseName = "${identity}"
+
+# --------------------------------------------------
+# EnclaveModule -- configuration of the SGX contract enclave
+# --------------------------------------------------
+[EnclaveModule]
+
+# Number of available enclave workers to service requests
+num_of_enclaves = '7'
+
+# ias_url is the URL of the Intel Attestation Service (IAS) server.  The
+# example server is for debug enclaves only,
+# the production url is without the trailing '/dev'
+ias_url = 'https://api.trustedservices.intel.com/sgx/dev'
+
+# proxy configuration ..
+https_proxy = '${proxy}'
+

common/tests/crypto/trusted/enclave/CMakeLists.txt

@@ -41,4 +41,4 @@ TARGET_LINK_LIBRARIES(${PROJECT_NAME} ${COMMON_TRUSTED_LIBS})
 TARGET_LINK_LIBRARIES(${PROJECT_NAME} -Wl,--end-group)
 
 SGX_PREPARE_TRUSTED_LINK(${PROJECT_NAME})
-SGX_SIGN_ENCLAVE(${PROJECT_NAME} ${PDO_ENCLAVE_CODE_SIGN_PEM} ${ENCLAVE_CONFIG})
+SGX_SIGN_ENCLAVE(${PROJECT_NAME} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem ${ENCLAVE_CONFIG})