Address comments #2

.idea/compiler.xml

@@ -75,6 +75,8 @@
       <module name="samples_test" target="1.8" />
       <module name="sandbox_main" target="1.8" />
       <module name="sandbox_test" target="1.8" />
+      <module name="sgx-jvm_hsm-tool_main" target="1.8" />
+      <module name="sgx-jvm_hsm-tool_test" target="1.8" />
       <module name="sgx-jvm_main" target="1.8" />
       <module name="sgx-jvm_sgx-signtool_main" target="1.8" />
       <module name="sgx-jvm_sgx-signtool_test" target="1.8" />

sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/config/ToolConfig.kt

@@ -10,7 +10,7 @@ import java.nio.file.Paths
 import kotlin.system.exitProcess
 
 enum class Mode {
-    GenerateKey,
+    GenerateSgxKey,
     Sign
 }
 
@@ -33,6 +33,7 @@ data class ToolConfig(val config: Config) {
         } catch (e: Exception) {
             println(e.message)
             parser.printHelpOn(System.out)
+            printModeHelp()
             exitProcess(1)
         }
 
@@ -93,7 +94,10 @@ data class ToolConfig(val config: Config) {
                 requireNotNull(signatureOutputPath)
                 requireNotNull(publicKeyOutputPath)
             }
-            Mode.GenerateKey -> {
+            Mode.GenerateSgxKey -> {
+                require(sourcePath == null)
+                require(signatureOutputPath == null)
+                require(publicKeyOutputPath == null)
             }
         }
     }
@@ -113,3 +117,13 @@ data class ToolConfig(val config: Config) {
     }
 
 }
+
+fun printModeHelp() {
+    val message = listOf(
+            "This tool may be run in two modes, --mode=GenerateSgxKey and --mode=Sign.",
+            "Both may take --profile as an argument to indicate what HSM profile to use (see sgxtool.cfg)",
+            "--mode=Sign expects --sourcePath={path to blob to sign}, --signatureOutputPath={path to result signature} and --publicKeyOutputPath={path to output public key}.",
+            "Providing any of these arguments in --mode=GenerateSgxKey results in an error."
+    )
+    println(message.joinToString("\n"))
+}

sgx-jvm/hsm-tool/src/main/kotlin/com/r3cev/sgx/hsmtool/Main.kt

@@ -47,7 +47,7 @@ fun sign(config: ToolConfig) {
     }
 }
 
-fun generateKey(config: ToolConfig) {
+fun generateSgxKey(config: ToolConfig) {
     val generateFlag = if (config.overwriteKey) {
         println("!!! WARNING: OVERWRITING KEY NAMED ${config.keyName} !!!")
         CryptoServerCXI.FLAG_OVERWRITE
@@ -102,7 +102,7 @@ fun main(args: Array<String>) {
     try {
         when (config.mode) {
             Mode.Sign -> sign(config)
-            Mode.GenerateKey -> generateKey(config)
+            Mode.GenerateSgxKey -> generateSgxKey(config)
         }
         println("Done!")
     } catch (exception: Throwable) {

sgx-jvm/noop-enclave/CMakeLists.txt

@@ -142,7 +142,7 @@ add_custom_target(signed-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNE
 # HSM KEY
 add_custom_command(
     OUTPUT __generate-key-hsm-dummy__
-    COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateKey --profile=\${PROFILE} \$\(shell bash -c '[[ \${OVERWRITE} = "true" ]] && echo "--overwriteKey"' \)
+    COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} \$\(shell bash -c '[[ \${OVERWRITE} = "true" ]] && echo "--overwriteKey"' \)
 )
 add_custom_target(generate-key-hsm DEPENDS __generate-key-hsm-dummy__)
 # /HSM KEY

sgx-jvm/noop-enclave/README.md

@@ -10,17 +10,28 @@ How to run
 
 The following Makefile targets execute different steps in the signing process and output into build/
 
-`make unsigned` will build the unsigned enclave (noop\_enclave.unsigned.so).
+
+* `make unsigned` will build the unsigned enclave (noop\_enclave.unsigned.so).
+
 
 The following targets use OpenSSL instead of the HSM:
-`make signed-openssl` will sign the unsigned enclave with openssl using selfsigning.pem (noop\_enclave.signed.openssl.so).
-`make sigstruct-openssl` will extract the SIGSTRUCT into a blob as well as a pretty printed txt from the openssl signed enclave (noop\_enclave.sigstruct.openssl.bin, noop\_enclave.sigstruct-pretty.openssl.txt).
+
+* `make signed-openssl` will sign the unsigned enclave with openssl using selfsigning.pem (noop\_enclave.signed.openssl.so).
+
+* `make sigstruct-openssl` will extract the SIGSTRUCT into a blob as well as a pretty printed txt from the openssl signed enclave (noop\_enclave.sigstruct.openssl.bin, noop\_enclave.sigstruct-pretty.openssl.txt).
+
 
 The following targets use the HSM. They require an extra `PROFILE=[dev|prod]` argument to indicate whether to use a local HSM simulator or the real thing.
-`make generate-key-hsm PROFILE=[dev|prod] [OVERWRITE=true]` will generate a fresh key for the profile. By default this will not overwrite an existing key, for that pass in MODE=overwrite.
-`make signed-hsm PROFILE=[dev|prod]` will sign the unsigned enclave with the HSM. This target requires authentication (noop\_enclave.signed.hsm.so).
-`make sigstruct-hsm PROFILE=[dev|prod]` will extract the SIGSTRUCT into a blob as well as a pretty printed txt from the HSM signed enclave (noop\_enclave.sigstruct.hsm.bin, noop\_enclave.sigstruct-pretty.hsm.txt).
 
-`make noop_test` will create a test binary that loads an enclave and runs the noop ECALL inside it. For example:
-`./build/noop_test ./build/noop_enclave.signed.openssl.so`
-will run the noop ECALL using the openssl signed enclave.
+* `make generate-key-hsm PROFILE=[dev|prod] [OVERWRITE=true]` will generate a fresh key for the profile. By default this will not overwrite an existing key, for that pass in OVERWRITE=true.
+
+* `make signed-hsm PROFILE=[dev|prod]` will sign the unsigned enclave with the HSM. This target requires authentication (noop\_enclave.signed.hsm.so).
+
+* `make sigstruct-hsm PROFILE=[dev|prod]` will extract the SIGSTRUCT into a blob as well as a pretty printed txt from the HSM signed enclave (noop\_enclave.sigstruct.hsm.bin, noop\_enclave.sigstruct-pretty.hsm.txt).
+
+
+* `make noop_test` will create a test binary that loads an enclave and runs the noop ECALL inside it. For example:
+
+  `./build/noop_test ./build/noop_enclave.signed.openssl.so`
+
+  will run the noop ECALL using the openssl signed enclave.