sgx: prod scripts

2024-12-27 08:22:35 +00:00 · 2017-07-04 16:38:33 +01:00 · 2017-07-04 16:38:33 +01:00 · 11cdae32d6
commit 11cdae32d6
parent 21087cbe91
8 changed files with 95 additions and 19 deletions
--- a/sgx-jvm/Makefile
+++ b/sgx-jvm/Makefile
@ -7,7 +7,7 @@ SHELL=/bin/bash
 JDK_IMAGE=$(PWD)/jdk8u/build/linux-x86_64-normal-server-release/images/j2re-image

 .PHONY: all
-all: jvm-enclave/standalone/build/standalone_sgx_verify
+all: jvm-enclave/standalone/build/standalone_sgx_verify linux-sgx-driver/isgx.ko

 # The final binary
 jvm-enclave/standalone/build/standalone_sgx_verify: avian linux-sgx/build/linux/aesm_service
@ -34,6 +34,9 @@ $(JDK_IMAGE): jdk8u
 linux-sgx/external/ippcp_internal/inc:
 	cd linux-sgx && $(SHELL) ./download_prebuilt.sh

+linux-sgx-driver/isgx.ko:
+	$(MAKE) -C linux-sgx-driver
+
 build:
 	mkdir -p $@

@ -41,6 +44,7 @@ build:
 clean:
 	$(MAKE) -C jvm-enclave clean
 	$(MAKE) -C linux-sgx clean
+	$(MAKE) -C linux-sgx-driver clean
 	[ ! -d jdk8u ] || $(MAKE) -C jdk8u clean
 	$(MAKE) -C avian clean

--- a/sgx-jvm/noop-enclave/build_in_image.sh
+++ b/sgx-jvm/noop-enclave/build_in_image.sh
@ -1,17 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-if [ $# -le 1 ]; then
-    echo "Usage: build_in_image.sh <DOCKER_IMAGE> <MAKEFILE OPTIONS>"
-    exit 1
-fi
-
-IMAGE=$1
-shift
-ARGUMENTS=$@
-
-DOCKER_BUILD_DIR=/tmp/corda-sgx-build
-
-GID=$(id -g $USER)
-
-exec docker run -v $PWD/../..:$DOCKER_BUILD_DIR -v $PWD/../docker-.gradle:/root/.gradle --user=$UID:$GID -it $IMAGE make -C $DOCKER_BUILD_DIR/sgx-jvm/noop-enclave $ARGUMENTS
--- a/sgx-jvm/noop-enclave/src/test.cpp
+++ b/sgx-jvm/noop-enclave/src/test.cpp
@ -140,5 +140,6 @@ int main(int argc, char **argv) {
    if (false == check_sgx_return_value(noop(enclave_id))) {
        return 1;
    }
+    puts("Enclave ran successfully!");
    return 0;
 }
--- a/sgx-jvm/run_in_image.sh
+++ b/sgx-jvm/run_in_image.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+if [ $# -le 1 ]; then
+    echo "Usage: run_in_image.sh <DOCKER_IMAGE> <COMMAND>"
+    exit 1
+fi
+
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
+
+IMAGE=$1
+shift
+ARGUMENTS=$@
+
+DOCKER_BUILD_DIR=/tmp/corda-sgx-build
+
+GID=$(id -g $USER)
+
+exec docker run \
+     -v $SCRIPT_DIR/..:$DOCKER_BUILD_DIR \
+     -v /usr/src:/usr/src \
+     -v /lib/modules:/lib/modules \
+     --user=$UID:$GID \
+     --workdir=$DOCKER_BUILD_DIR \
+     -it $IMAGE \
+     $ARGUMENTS
--- a/sgx-jvm/with_aesmd.sh
+++ b/sgx-jvm/with_aesmd.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
+
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+AESM_DIR=$SCRIPT_DIR/build/aesm/$TIMESTAMP
+
+mkdir -p $AESM_DIR
+
+SERVICE_FILES="aesm_service le_prod_css.bin libsgx_le.signed.so libsgx_pce.signed.so libsgx_pve.signed.so libsgx_qe.signed.so"
+
+sed -e "s:@aesm_folder@:$AESM_DIR:" $SCRIPT_DIR/linux-sgx/build/linux/aesmd.service | sed -e '/InaccessibleDirectories=/d' | sed -e "s!^\\[Service\\]![Service]\nEnvironment=LD_LIBRARY_PATH=$SCRIPT_DIR/linux-sgx/build/linux:$SCRIPT_DIR/dependencies/root/usr/lib/x86_64-linux-gnu!" > $AESM_DIR/aesmd.service
+
+for FILE in $SERVICE_FILES
+do
+    ln -s $SCRIPT_DIR/linux-sgx/build/linux/$FILE $AESM_DIR/$FILE
+done
+
+sudo systemctl --runtime link $AESM_DIR/aesmd.service
+
+function finish {
+    sudo systemctl stop aesmd
+    sudo systemctl --runtime disable aesmd
+}
+trap finish EXIT
+
+sudo systemctl start aesmd
+$@
--- a/sgx-jvm/with_hsm_simulator.sh
+++ b/sgx-jvm/with_hsm_simulator.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+set -euo pipefail
+
+if [ $# -le 1 ]; then
+    echo "Usage: with_hsm_simulator.sh <UTIMACO_HSM_DIR> <COMMAND>"
+    exit 1
+fi
+
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
+UTIMACO_HSM_DIR=$1
+shift
+
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+SIMULATOR_RUN_DIR=$SCRIPT_DIR/build/hsm_simulator/$TIMESTAMP
+
+mkdir -p $SIMULATOR_RUN_DIR
+
+script -q -c $UTIMACO_HSM_DIR/SDK/Linux/bin/cs_sim.sh -f $SIMULATOR_RUN_DIR/stdout > /dev/null &
+
+function finish {
+    kill -- -$$
+}
+trap finish EXIT
+$@
--- a/sgx-jvm/with_isgx.sh
+++ b/sgx-jvm/with_isgx.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+
+function finish {
+     sudo modprobe -r isgx
+}
+trap finish EXIT
+sudo modprobe isgx
+$@
--- a/sgx-jvm/with_ld_library_path.sh
+++ b/sgx-jvm/with_ld_library_path.sh
@ -3,4 +3,4 @@ set -euo pipefail

 SCRIPT_DIR=$(dirname "$(readlink -f "$0")")

-exec env LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-}:$SCRIPT_DIR/linux-sgx/build/linux:$SCRIPT_DIR/dependencies/root/usr/lib/x86_64-linux-gnu $@
+env LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-}:$SCRIPT_DIR/linux-sgx/build/linux:$SCRIPT_DIR/dependencies/root/usr/lib/x86_64-linux-gnu $@