CI: Add scripts to run samples automatically

The scripts are a mix of bash and GNU expect for flexibility, as each
sample needs to be tested in slightly different ways.

Each sample must have a test.sh script in its folder so that the CI
detects it and runs it. They are executed by run_sample.sh script,
created using run_test.sh as an example.

This commit adds several samples to the CI, but not all of them:

- The ml folder samples, for example, take far too long to be part of a
  regular CI run, and need caching of docker images, which is a task on
  its own.

- The openmp and nodejs samples seem to be broken.

.azure-pipelines/scripts/install_prerequisites.sh

@@ -9,6 +9,7 @@ sudo apt-get install -y \
     autopoint pkgconf autoconf libtool libcurl4-openssl-dev libprotobuf-dev libprotobuf-c-dev protobuf-compiler protobuf-c-compiler libssl-dev \
     ninja-build ansible "linux-headers-$(uname -r)" \
     python3 python3-setuptools python3-pip unzip dkms debhelper apt-utils pax-utils openjdk-8-jdk-headless \
+    redis-tools \
     expect \
     gdb \
     shellcheck clang-format

.azure-pipelines/scripts/run_sample.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+
+if [ -z "$SGXLKL_ROOT" ]; then
+    echo "ERROR: 'SGXLKL_ROOT' is undefined. Please export SGXLKL_ROOT=<SGX-LKL-OE> source code repository"
+    exit 1
+fi
+if [ -z "$SGXLKL_BUILD_MODE" ]; then
+    echo "ERROR: 'SGXLKL_BUILD_MODE' is undefined. Please export SGXLKL_BUILD_MODE=<mode>"
+    exit 1
+fi
+
+#shellcheck source=.azure-pipelines/scripts/junit_utils.sh
+. "$SGXLKL_ROOT/.azure-pipelines/scripts/junit_utils.sh"
+#shellcheck source=.azure-pipelines/scripts/test_utils.sh
+. "$SGXLKL_ROOT/.azure-pipelines/scripts/test_utils.sh"
+
+# Initialize the variables and test case [mandatory].
+sample_mode=$1 # clean, init or run
+run_mode=$2 # run-hw or run-sw
+
+if [[ "$sample_mode" == "clean" ]]; then
+    ./test.sh clean
+    exit $?
+fi
+
+samples_dir=$SGXLKL_ROOT/samples
+sample_name="$(realpath --relative-to="$samples_dir" "$(pwd)")"
+sample_name="${sample_name//\//-}"
+sample_name+="-($SGXLKL_BUILD_MODE)-($run_mode)-($SGXLKL_ETHREADS-ethreads)"
+sample_class=$(realpath --relative-to="$samples_dir" "$(pwd)/..")
+test_suite="sgx-lkl-oe"
+
+if [[ -z $sample_name || -z $sample_class || -z $sample_mode ]]; then
+    echo -e "\n ERROR: sample_name sample_class or sample_mode not passed \n"
+    exit 1
+fi
+
+if [[ "$sample_mode" == "init" ]]; then
+    InitializeTestCase "$sample_name" "$sample_class" "$test_suite" "$run_mode"
+fi
+
+# Get the timeout from the test module
+DEFAULT_TIMEOUT=300
+if ! timeout=$(./test.sh gettimeout 2> /dev/null); then
+    timeout=$DEFAULT_TIMEOUT
+fi
+echo "Execution timeout: $timeout"
+
+case "$run_mode" in
+    "run-hw")
+       echo "Will run tests for run-hw"
+       ;;
+    "run-sw")
+       echo "Will run tests for run-sw"
+       ;;
+    *)
+       echo "Invalid run_mode parameter: $run_mode. Valid options: run-hw/run-sw"
+       exit 1;
+       ;;
+esac
+
+if [[ $sample_mode == "init" ]]; then
+    timeout --kill-after=$((timeout + 60)) $timeout ./test.sh init
+    script_exit=$?
+elif [[ $sample_mode == "run" ]]; then
+    timeout --kill-after=$((timeout + 60)) $timeout ./test.sh run "$run_mode"
+    script_exit=$?
+else
+    echo "Invalid sample_mode parameter: $sample_mode. Valid options: clean/init/run/gettimeout"
+    exit 1
+fi
+
+if [[ "$script_exit" == "124" ]]; then
+    echo "$run_mode: TIMED OUT after $timeout secs"
+elif [[ "$script_exit" != "0" ]]; then
+    echo "$run_mode: FAILED WITH EXIT CODE: $script_exit"
+fi
+
+if [[ $sample_mode == "init" ]]; then
+    echo "Test initialization completed with EXIT CODE $script_exit"
+    return $script_exit
+fi
+
+echo "Test run completed with EXIT CODE $script_exit"
+
+exit $script_exit

.azure-pipelines/scripts/run_test.sh

@@ -15,7 +15,7 @@ fi
 . "$SGXLKL_ROOT/.azure-pipelines/scripts/test_utils.sh"
 
 # Initialize the variables and test case [mandatory].
-test_mode=$1 # init or run
+test_mode=$1 # clean, init or run
 run_mode=$2 # run-hw or run-sw
 
 # make clean

.azure-pipelines/scripts/test_runner.sh

@@ -181,6 +181,7 @@ disabled_tests_file="$SGXLKL_ROOT/.azure-pipelines/other/disabled_tests.txt"
 nightly_tests_file="$SGXLKL_ROOT/.azure-pipelines/other/nightly_run_only_tests.txt"
 # test which needs not to be executed as part of CI e.g (test_name1\|test_name2...)
 test_exception_list="ltp"
+sample_exception_list="openmp\|nodejs"
 
 failure_identifiers_file="$SGXLKL_ROOT/.azure-pipelines/other/failure_identifiers.txt"
 IFS=$'\n'
@@ -191,6 +192,12 @@ if [[ $1 == "ltp1" ]]; then
 elif [[ $1 == "ltp2" ]]; then
     file_list=("tests/ltp/ltp-batch2/Makefile")
     test_group_name="ltp-batch2"
+elif [[ $1 == "samples" ]]; then
+    test_folder_name="samples"
+    test_folder_identifier="test.sh"
+    test_runner_script="$SGXLKL_ROOT/.azure-pipelines/scripts/run_sample.sh"
+    file_list=( $(find $test_folder_name -name $test_folder_identifier | grep -v "$sample_exception_list") )
+    test_group_name="samples"
 elif [[ $1 == "core" ]]; then
     file_list=( $(find $test_folder_name -name $test_folder_identifier | grep -v "$test_exception_list") )
     test_group_name="core"

.azure-pipelines/template.yml

@@ -22,6 +22,7 @@ parameters:
   - core
   - ltp1
   - ltp2
+  - samples
 - name: 'ethreads'
   type: object
   default:

samples/basic/attack/plain-docker.exp

@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+
+# 20 min timeout
+set timeout 1200
+
+spawn rm -f mem.dum.*
+expect eof
+
+spawn docker build -t attackme .
+expect "Successfully tagged attackme:latest"
+expect eof
+
+spawn docker run --rm attackme /read_secret
+set dockerID $spawn_id
+expect -i $dockerID "Ready to be attacked..."
+
+spawn ./read_memory.sh read_secret Secret42!
+set readID $spawn_id
+expect -i $readID "Match found."
+
+send -i $dockerID -- "\r"

samples/basic/attack/read_memory.sh

@@ -21,7 +21,8 @@ sudo chown "$(id -u -n):$(id -g -n)" "$mem_file"
 
 echo "Searching memory for string \"${search_string}\" in \"${mem_file}\"..."
 
-if (strings "${mem_file}" | grep -i "${search_string}"); then
+if grep -Fxq "${search_string}" "${mem_file}"
+then
         echo Match found.
 else
         echo No match found.

samples/basic/attack/sgx.exp

@@ -0,0 +1,27 @@
+#!/usr/bin/expect -f
+
+set SGXLKL_STARTER "$env(SGXLKL_STARTER)"
+set SGXLKL_DISK_TOOL "$env(SGXLKL_DISK_TOOL)"
+
+# 20 min timeout
+set timeout 1200
+
+set REPOROOT "../../.."
+
+spawn rm -f mem.dum.*
+expect eof
+
+spawn "$SGXLKL_DISK_TOOL" create --force --docker=attackme --size 5M --encrypt --key-file rootfs.img
+expect "Succesfully created rootfs.img"
+expect eof
+
+set env(SGXLKL_HD_KEY) rootfs.img.key
+spawn "$SGXLKL_STARTER" --hw-debug rootfs.img /read_secret
+set oeID $spawn_id
+expect -i $oeID "Ready to be attacked..."
+
+spawn ./read_memory.sh sgx-lkl-run-oe Secret42!
+set readID $spawn_id
+expect -i $readID "No match found."
+
+send -i $oeID -- "\r"

samples/basic/attack/test.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# shellcheck source=/dev/null
+source "../../common.sh"
+
+test_mode=$1
+run_mode=$2
+
+set -e
+
+if [[ "$test_mode" == "clean" ]]; then
+    rm -f rootfs.img rootfs.img.docker rootfs.img.key
+elif [[ "$test_mode" == "init" ]]; then
+    echo "Nothing to do"
+elif [[ "$test_mode" == "run" ]]; then
+    if [[ "$run_mode" == "run-sw" ]]; then
+        ./plain-docker.exp
+    elif [[ "$run_mode" == "run-hw" ]]; then
+        ./sgx.exp
+    fi
+elif [[ "$test_mode" == "gettimeout" ]]; then
+    # 20 minutes
+    echo 1200
+fi
+
+exit 0

samples/basic/helloworld/test.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+test_mode=$1
+run_mode=$2
+
+set -e
+
+if [[ "$test_mode" == "clean" ]]; then
+    make clean
+elif [[ "$test_mode" == "init" ]]; then
+    make
+elif [[ "$test_mode" == "run" ]]; then
+    make "$run_mode"
+elif [[ "$test_mode" == "gettimeout" ]]; then
+    # Default
+    exit 1
+fi
+
+exit 0

samples/common.mk

@@ -0,0 +1,18 @@
+mkfile_dir=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+SGXLKL_ROOT=$(realpath $(mkfile_dir)..)
+
+ifeq (${SGXLKL_PREFIX},)
+	export SGXLKL_STARTER=${SGXLKL_ROOT}/build/sgx-lkl-run-oe
+	export SGXLKL_DISK_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-disk
+	export SGXLKL_DOCKER_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-docker
+	export SGXLKL_CFG_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-cfg
+	export SGXLKL_GDB=${SGXLKL_ROOT}/tools/gdb/sgx-lkl-gdb
+	export SGXLKL_JAVA_RUN=${SGXLKL_ROOT}/tools/sgx-lkl-java
+else
+	export SGXLKL_STARTER=${SGXLKL_PREFIX}/bin/sgx-lkl-run-oe
+	export SGXLKL_DISK_TOOL=${SGXLKL_PREFIX}/bin/sgx-lkl-disk
+	export SGXLKL_DOCKER_TOOL=${SGXLKL_PREFIX}/bin/sgx-lkl-docker
+	export SGXLKL_CFG_TOOL=${SGXLKL_PREFIX}/bin/sgx-lkl-cfg
+	export SGXLKL_GDB=${SGXLKL_PREFIX}/bin/sgx-lkl-gdb
+	export SGXLKL_JAVA_RUN=${SGXLKL_PREFIX}/bin/sgx-lkl-java
+endif

samples/common.sh

@@ -0,0 +1,18 @@
+samples_dir=$(dirname $(realpath "$BASH_SOURCE"))
+SGXLKL_ROOT=$(realpath "${samples_dir}/..")
+
+if [[ -z "${SGXLKL_PREFIX}" ]]; then
+	export SGXLKL_STARTER=${SGXLKL_ROOT}/build/sgx-lkl-run-oe
+	export SGXLKL_DISK_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-disk
+	export SGXLKL_DOCKER_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-docker
+	export SGXLKL_CFG_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-cfg
+	export SGXLKL_GDB=${SGXLKL_ROOT}/tools/gdb/sgx-lkl-gdb
+	export SGXLKL_JAVA_RUN=${SGXLKL_ROOT}/tools/sgx-lkl-java
+else
+	export SGXLKL_STARTER=${SGXLKL_PREFIX}/bin/sgx-lkl-run-oe
+	export SGXLKL_DISK_TOOL=${SGXLKL_PREFIX}/bin/sgx-lkl-disk
+	export SGXLKL_DOCKER_TOOL=${SGXLKL_PREFIX}/bin/sgx-lkl-docker
+	export SGXLKL_CFG_TOOL=${SGXLKL_PREFIX}/bin/sgx-lkl-cfg
+	export SGXLKL_GDB=${SGXLKL_PREFIX}/bin/sgx-lkl-gdb
+	export SGXLKL_JAVA_RUN=${SGXLKL_PREFIX}/bin/sgx-lkl-java
+fi

samples/containers/alpine/test.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+test_mode=$1
+
+set -e
+
+if [[ "$test_mode" == "clean" ]]; then
+    make clean
+elif [[ "$test_mode" == "init" ]]; then
+    echo "Nothing to do"
+elif [[ "$test_mode" == "run" ]]; then
+    make
+elif [[ "$test_mode" == "gettimeout" ]]; then
+    # Default
+    exit 1
+fi
+
+exit 0

samples/containers/encrypted/Makefile

@@ -1,5 +1,4 @@
-
-SGXLKL_ROOT=../../..
+include ../../common.mk
 
 CC_APP=/usr/bin/python3
 CC_APP_CMDLINE=${CC_APP} -c 'print("Hello SGX World from Encrypted Confidential Container!")'
@@ -39,10 +38,6 @@ ifeq ($(SGXLKL_VERBOSE),)
 	SGXLKL_ENV_APP_CONFIG+=${VERBOSE_OPTS}
 endif
 
-SGXLKL_STARTER=$(SGXLKL_ROOT)/build/sgx-lkl-run-oe
-SGXLKL_DISK_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-disk
-SGXLKL_GDB=${SGXLKL_ROOT}/tools/gdb/sgx-lkl-gdb
-
 .DELETE_ON_ERROR:
 .PHONY: all clean run run-hw-verity run-sw-verity run-hw-integrity run-sw-integrity
 

samples/containers/encrypted/test.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+test_mode=$1
+run_mode=$2
+
+set -e
+
+if [[ "$test_mode" == "clean" ]]; then
+    make clean
+elif [[ "$test_mode" == "init" ]]; then
+    make
+elif [[ "$test_mode" == "run" ]]; then
+    make "$run_mode"-verity
+    # TODO: This doesn't work
+    #make "$run_mode"-integrity
+elif [[ "$test_mode" == "gettimeout" ]]; then
+    # 20 minutes
+    echo 1200
+fi
+
+exit 0

samples/containers/redis/Makefile

@@ -1,15 +1,12 @@
+include ../../common.mk
 
 PROG=/usr/bin/redis-server
 
 DISK_IMAGE=sgxlkl-redis.img
 IMAGE_SIZE=128M
 
-SGXLKL_ROOT=../../..
-
 ENCLAVE_CMD=${PROG} --bind 10.0.1.1
 
-SGXLKL_STARTER=$(SGXLKL_ROOT)/build/sgx-lkl-run-oe
-
 SGXLKL_ENV=\
 SGXLKL_TAP=sgxlkl_tap0
 
@@ -19,9 +16,6 @@ SGXLKL_ENV+=\
    SGXLKL_TRACE_HOST_SYSCALL=0 SGXLKL_TRACE_LKL_SYSCALL=0 SGXLKL_TRACE_MMAP=0
 endif
 
-SGXLKL_DISK_TOOL=${SGXLKL_ROOT}/tools/sgx-lkl-disk
-SGXLKL_GDB=${SGXLKL_ROOT}/tools/gdb/sgx-lkl-gdb
-
 .DELETE_ON_ERROR:
 .PHONY: all clean
 

samples/containers/redis/README.md

@@ -1,6 +1,9 @@
 Running Redis with SGX-LKL-OE
 =============================
 
+0. Make sure that you have installed ``redis-cli``. In Ubuntu, the package that
+   contains it is called ``redis-tools``.
+
 1. Ensure that you have set up netoworking and TLS support by running `tools/sgx-lkl-setup`.
 
 2. Build the Redis file sytem image:

samples/containers/redis/run-hw.exp

@@ -0,0 +1,16 @@
+#!/usr/bin/expect -f
+
+# 20 min timeout
+set timeout 1200
+
+spawn make run-hw
+set serverID $spawn_id
+expect -i $serverID "Ready to accept connections"
+
+spawn ./run-redis-client.sh
+set clientID $spawn_id
+expect -i $clientID "Test succeeded"
+
+send -i $serverID -- ""
+
+exit 0