corda/sgx-jvm/linux-sgx
Chris Rankin 04a801e0cd Squashed commit of the following: (#50)
commit 9d8046e310efe860bb9d81e977a323f3905665c1
Author: Haitao Huang <4699115+haitaohuang@users.noreply.github.com>
Date:   Sat Sep 16 11:26:45 2017 -0500

    Check and handle signal interrupts in sockets

    Signed-off-by: Haitao Huang <4699115+haitaohuang@users.noreply.github.com>

commit 960ad91a4a8ec06020273a175471def37870fda6
Author: Haitao Huang <4699115+haitaohuang@users.noreply.github.com>
Date:   Sat Sep 16 11:27:35 2017 -0500

    Add error code in oal for invalid inputs

    Signed-off-by: Haitao Huang <4699115+haitaohuang@users.noreply.github.com>

commit e22c569335c1ec8d18f7df8105a68e9b9a82e691
Author: Li, Xun <xun.li@intel.com>
Date:   Wed Sep 20 10:51:18 2017 +0800

    Update libunwind for glibc 2.26 compatibility

    libunwind should include <signal.h> explicitly.
    glibc change sys/ucontext.h as a bug fix(https://sourceware.org/git/?p=glibc.git;a=commit;h=cfed8ece799b6e6540193a14b41d9de52dc3b08f)

    Signed-off-by: Li, Xun <xun.li@intel.com>

commit 9cda5c4774b2f4fc02fd031f98057cd88d14f2e0
Merge: 94c162c98 36918f071
Author: lzha101 <lili.z.zhang@intel.com>
Date:   Wed Sep 20 09:58:29 2017 +0800

    Merge pull request #165 from corda/chrisr3-stack-protector-fix

    Ensure trts_nsp.cpp is compiled without stack protection.

    Signed-off-by: Zhang Lili lili.z.zhang@intel.com

commit 36918f071fd29c86335b0cea0e072c3f08a51eae
Author: Chris Rankin <chris.rankin@r3.com>
Date:   Tue Sep 19 07:31:57 2017 +0000

    Ensure trts_nsp.cpp is compiled without stack protection.

    Signed-off-by: Chris Rankin <chris.rankin@r3.com>

commit 94c162c98bf95a034eadb41bfa6e6a35f410a0c8
Author: Kai Mast <kaimast@cs.cornell.edu>
Date:   Mon Sep 18 04:07:19 2017 -0400

    g++7 fixes (#148)

    Signed-off-by: Li, Xun<xun.li@intel.com>

commit 8a72fed8737dc8e331889e6530925fc5a0be2ea0
Merge: 2133df2d4 635e3a370
Author: Li Xun <xun.li@intel.com>
Date:   Mon Sep 18 15:58:10 2017 +0800

    Merge pull request #159 from corda/chrisr3-gcc7-fix

    Resolve GCC 7.1 warnings about deprecated throw(std::bad_alloc) in C++11.

    Signed-off-by: Li, Xun <xun.li@intel.com>

commit 635e3a37081ad3f773a0ff24c89f1e6094034d28
Author: Chris Rankin <chris.rankin@r3.com>
Date:   Wed Sep 13 10:31:11 2017 +0100

    Resolve warnings about deprecated throw(std::bad_alloc) in C++11.
2017-09-26 10:22:55 +01:00
..
build-scripts
common Squashed commit of the following: (#50) 2017-09-26 10:22:55 +01:00
external
linux/installer
Linux_SGXEclipsePlugin
psw Squashed commit of the following: (#50) 2017-09-26 10:22:55 +01:00
SampleCode
sdk Squashed commit of the following: (#50) 2017-09-26 10:22:55 +01:00
.gitignore
buildenv.mk
CONTRIBUTING.md
download_prebuilt.sh
License.txt
Makefile
README.md

Intel(R) Software Guard Extensions for Linux* OS

linux-sgx

Introduction

Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or modification.

The Linux* Intel(R) SGX software stack is comprised of the Intel(R) SGX driver, the Intel(R) SGX SDK, and the Intel(R) SGX Platform Software (PSW). The Intel(R) SGX SDK and Intel(R) SGX PSW are hosted in the linux-sgx project.

The linux-sgx-driver project hosts the out-of-tree driver for the Linux* Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete.

Note This repository includes a subset of the Intel(R) Integrated Performance Primitives (IPP) Cryptography library under external/crypto_px. It is provided as reference implementation for the cryptographic primitives used in SDK and PSW. The primitives are written in pure C and are not optimized for performance. Instructions are provided below for building the SDK and PSW with both precompiled optimized IPP binaries and the non-optimized source code version.

License

See License.txt for details.

Contributing

See CONTRIBUTING.md for details.

Documentation

Build and Install the Intel(R) SGX Driver

Follow the instructions in the linux-sgx-driver project to build and install the Intel(R) SGX driver.

Build the Intel(R) SGX SDK and Intel(R) SGX PSW Package

Prerequisites:

  • Ensure that you have one of the following required operating systems:

    • Ubuntu* Desktop-16.04-LTS 64bits
    • Red Hat Enterprise Linux Server release 7.3 64bits
    • CentOS 7.3.1611 64bits
  • Use the following command(s) to install the required tools to build the Intel(R) SGX SDK:

    • On Ubuntu 16.04:
      $ sudo apt-get install build-essential ocaml automake autoconf libtool wget python
    
    • On Red Hat Enterprise Linux 7.3 and CentOS 7.3:
      $ sudo yum groupinstall 'Development Tools'
      $ sudo yum install ocaml wget python
    
  • Use the following command to install additional required tools to build the Intel(R) SGX PSW:

    • On Ubuntu 16.04:
      $ sudo apt-get install libssl-dev libcurl4-openssl-dev protobuf-compiler libprotobuf-dev
    
    • On Red Hat Enterprise Linux 7.3 and CentOS 7.3:
      $ sudo yum install openssl-devel libcurl-devel protobuf-compiler protobuf-devel
    
  • Use the script download_prebuilt.sh inside source code package to download prebuilt binaries to prebuilt folder
    You may need set an https proxy for the wget tool used by the script (such as export https_proxy=http://test-proxy:test-port)

  $ ./download_prebuilt.sh

Build the Intel(R) SGX SDK and Intel(R) SGX PSW

The following steps describe how to build the Intel(R) SGX SDK and PSW. You can build the project according to your requirements.

  • To build both Intel(R) SGX SDK and PSW with default configuration, enter the following command:
  $ make  

You can find the tools and libraries generated in the build/linux directory.
Note: You can also go to the sdk folder and use the make command to build the Intel(R) SGX SDK component only. However, building the PSW component is dependent on the result of building the Intel(R) SGX SDK.

  • The default build uses precompiled optimized libraries, which are downloaded by the script ./download_prebuilt.sh. You can also use the non-optimized source code version implementation instead by entering the following command:
  $ make USE_OPT_LIBS=0
  • To build Intel(R) SGX SDK and PSW with debug information, enter the following command:
  $ make DEBUG=1
  • To clean the files generated by previous make command, enter the following command:
  $ make clean
  • The build above uses prebuilt Intel(R) Architecture Enclaves(LE/PvE/QE/PCE/PSE-OP/PSE-PR) and applet(PSDA) - the files psw/ae/data/prebuilt/libsgx_*.signed.so and psw/ae/data/prebuilt/PSDA.dalp, which have been signed by Intel in advance. To build those enclaves by yourself (without a signature), first you need to build both Intel(R) SGX SDK and PSW with the default configuration. After that, you can build each Architecture Enclave by using the make command from the corresponding folder:
  $ cd psw/ae/le
  $ make

Build the Intel(R) SGX SDK Installer

To build the Intel(R) SGX SDK installer, enter the following command:

$ make sdk_install_pkg

You can find the generated Intel(R) SGX SDK installer sgx_linux_x64_sdk_${version}.bin located under linux/installer/bin/, where ${version} refers to the version number.

Note: The above command builds the Intel(R) SGX SDK with default configuration firstly and then generates the target SDK Installer. To build the Intel(R) SGX SDK Installer with debug information kept in the tools and libraries, enter the following command:

$ make sdk_install_pkg DEBUG=1

Build the Intel(R) SGX PSW Installer

To build the Intel(R) SGX PSW installer, enter the following command:

$ make psw_install_pkg

You can find the generated Intel(R) SGX PSW installer sgx_linux_x64_psw_${version}.bin located under linux/installer/bin/, where ${version} refers to the version number.

Note: The above command builds the Intel(R) SGX SDK and PSW with default configuration firstly and then generates the target PSW Installer. To build the Intel(R) SGX PSW Installer with debug information kept in the tools and libraries, enter the following command:

$ make psw_install_pkg DEBUG=1

Install the Intel(R) SGX SDK

Prerequisites

  • Ensure that you have one of the following operating systems:
    • Ubuntu* Desktop-16.04-LTS 64bits
    • Red Hat Enterprise Linux Server release 7.3 64bits
    • CentOS 7.3.1611 64bits
  • Use the following command to install the required tool to use Intel(R) SGX SDK:
    • On Ubuntu 16.04:
      $ sudo apt-get install build-essential python
    
    • On Red Hat Enterprise Linux 7.3 and CentOS 7.3:
       $ sudo yum groupinstall 'Development Tools'
       $ sudo yum install python 
    

Install the Intel(R) SGX SDK

To install the Intel(R) SGX SDK, invoke the installer, as follows:

$ cd linux/installer/bin
$ ./sgx_linux_x64_sdk_${version}.bin 

Test the Intel(R) SGX SDK Package with the Code Samples

  • Compile and run each code sample in Simulation mode to make sure the package works well:
  $ cd SampleCode/LocalAttestation
  $ make SGX_MODE=SIM
  $ ./app

Use similar commands for other sample codes.

Compile and Run the Code Samples in the Hardware Mode

If you use an Intel SGX hardware enabled machine, you can run the code samples in Hardware mode. Ensure that you install Intel(R) SGX driver and Intel(R) SGX PSW installer on the machine.
See the earlier topic, Build and Install the Intel(R) SGX Driver, for information on how to install the Intel(R) SGX driver.
See the later topic, Install Intel(R) SGX PSW, for information on how to install the PSW package.

  • Compile and run each code sample in Hardware mode, debug build, as follows:
  $ cd SampleCode/LocalAttestation
  $ make
  $ ./app

Use similar commands for other code samples.

Install the Intel(R) SGX PSW

Prerequisites

  • Ensure that you have one of the following operating systems:
    • Ubuntu* Desktop-16.04-LTS 64bits
    • Red Hat Enterprise Linux Server release 7.3 64bits
    • CentOS 7.3.1611 64bits
  • Ensure that you have a system with the following required hardware:
    • 6th Generation Intel(R) Core(TM) Processor or newer
  • Configure the system with the Intel SGX hardware enabled option and install Intel(R) SGX driver in advance.
    See the earlier topic, Build and Install the Intel(R) SGX Driver, for information on how to install the Intel(R) SGX driver.
  • Install the library using the following command:
    • On Ubuntu 16.04:
      $ sudo apt-get install libssl-dev libcurl4-openssl-dev libprotobuf-dev
    
    • On Red Hat Enterprise Linux 7.3 and CentOS 7.3:
      $ sudo yum install openssl-devel libcurl-devel protobuf-devel
    
  • To use Trusted Platform Service functions:
    Ensure mei_me driver is enabled and /dev/mei0 exists.
    Download iclsClient and install it using the following commands:
    • On Ubuntu 16.04:
      $ sudo apt-get install alien
      $ sudo alien --scripts iclsClient-1.45.449.12-1.x86_64.rpm
      $ sudo dpkg -i iclsclient_1.45.449.12-2_amd64.deb
    
    • On Red Hat Enterprise Linux 7.3 and CentOS 7.3:
      $ sudo yum install iclsClient-1.45.449.12-1.x86_64.rpm
    
    Download source code from dynamic-application-loader-host-interface project. In the source code folder, build and install the JHI service using the following commands:
    • On Ubuntu 16.04:
      $ sudo apt-get install uuid-dev libxml2-dev cmake pkg-config
      $ cmake .;make;sudo make install;sudo systemctl enable jhi
    
    • On Red Hat Enterprise Linux 7.3 and CentOS 7.3:
      $ sudo yum install libuuid-devel libxml2-devel cmake pkgconfig
      $ cmake .;make;sudo make install;sudo ldconfig;sudo systemctl enable jhi
    

Install the Intel(R) SGX PSW

To install the Intel(R) SGX PSW, invoke the installer with root privilege:

$ cd linux/installer/bin
$ sudo ./sgx_linux_x64_psw_${version}.bin

Start or Stop aesmd Service

The Intel(R) SGX PSW installer installs an aesmd service in your machine, which is running in a special linux account aesmd.
To stop the service: $ sudo service aesmd stop
To start the service: $ sudo service aesmd start
To restart the service: $ sudo service aesmd restart

Configure the Proxy for aesmd Service

The aesmd service uses the HTTP protocol to initialize some services.
If a proxy is required for the HTTP protocol, you may need to manually set up the proxy for the aesmd service.
You should manually edit the file /etc/aesmd.conf (refer to the comments in the file) to set the proxy for the aesmd service.
After you configure the proxy, you need to restart the service to enable the proxy.