mirror of
https://github.com/corda/corda.git
synced 2025-01-28 15:14:48 +00:00
83d6a248a8
* ENT-970 - SGX remote attestation host * Remote attestation enclave * Client for the remote attestation host * Communicates with ISV / RA server, which in turn communicates with the Intel Attestation Service * Native library bridging the client code running on the JVM with the native bits controlling and communicating with the enclave * ENT-970 - Address comments from code review * ENT-970 - More updates addressing review comments * ENT-970 - Integrate with root Gradle project for SGX
214 lines
7.2 KiB
Makefile
214 lines
7.2 KiB
Makefile
.PHONY: info all clean \
|
|
unsigned signed-openssl signed-hsm \
|
|
obj-trusted obj-untrusted
|
|
|
|
# === GENERAL PARAMETERS ==========================================================================
|
|
|
|
SHELL = /bin/bash
|
|
MAKEFILE_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
|
|
|
|
MODE ?= DEBUG
|
|
|
|
GRADLE_FILE = $(MAKEFILE_DIR)/../host/build.gradle
|
|
NAME = corda_sgx_ra
|
|
VERSION := $(shell sed -n "s/^version = '\([^']*\)'.*/\\1/p" $(GRADLE_FILE))
|
|
PLATFORM := $(shell uname -s | tr [:upper:] [:lower:])
|
|
|
|
OUT_DIR = $(MAKEFILE_DIR)/build
|
|
OBJ_DIR = $(MAKEFILE_DIR)/obj
|
|
|
|
ENCLAVE = $(OUT_DIR)/$(NAME)_enclave.a
|
|
ENCLAVE_SIGNED = $(OUT_DIR)/$(NAME)_enclave.so
|
|
ENCLAVE_UNSIGNED = $(OUT_DIR)/$(NAME)_enclave_unsigned.so
|
|
ENCLAVE_BLOB = $(OUT_DIR)/$(NAME)_enclave_blob.bin
|
|
|
|
ENCLAVE_OPENSSL = $(OUT_DIR)/$(NAME)_enclave_openssl.so
|
|
OPENSSL_PRIVATE_KEY = $(MAKEFILE_DIR)/../../sign_helper/selfsigning.pem
|
|
OPENSSL_PUBLIC_KEY = $(OUT_DIR)/selfsigning.public.pem
|
|
OPENSSL_SIGNATURE = $(OUT_DIR)/$(NAME)_enclave.signature.openssl.sha256
|
|
|
|
ENCLAVE_HSM = $(OUT_DIR)/$(NAME)_enclave_hsm.so
|
|
HSM_PROFILE ?= dev_sim
|
|
HSM_PUBLIC_KEY = $(OUT_DIR)/hsm.public.pem
|
|
HSM_SIGNATURE = $(OUT_DIR)/$(NAME)_enclave.signature.hsm.sha256
|
|
|
|
HSM_BUILD_DIR = $(MAKEFILE_DIR)/../../hsm-tool/build/libs/sgx-jvm
|
|
HSM_TOOL_VERSION = 1.0-SNAPSHOT
|
|
HSM_TOOL = $(HSM_BUILD_DIR)/hsm-tool-$(HSM_TOOL_VERSION).jar
|
|
|
|
# === BUILD PARAMETERS ============================================================================
|
|
|
|
CPP = g++
|
|
GRADLE = $(MAKEFILE_DIR)/../../../gradlew
|
|
|
|
CPPFLAGS_BASE = $(INC_DIRS) -Wall -fPIC
|
|
CPPFLAGS_DEBUG = $(CPPFLAGS_BASE) -g
|
|
CPPFLAGS_RELEASE = $(CPPFLAGS_BASE) -s -DNDEBUG
|
|
|
|
LDFLAGS_BASE =
|
|
LDFLAGS_DEBUG = $(LDFLAGS_BASE)
|
|
LDFLAGS_RELEASE = $(LDFLAGS_BASE) -s
|
|
|
|
# === SGX-SPECIFIC BUILD PARAMETERS ===============================================================
|
|
|
|
SGX_SDK := $(MAKEFILE_DIR)/../../linux-sgx
|
|
include $(MAKEFILE_DIR)/sgx.mk
|
|
|
|
SGX_CONFIG = $(MAKEFILE_DIR)/config/$(SGX_MODE_NAME).xml
|
|
RPC_DIR = $(MAKEFILE_DIR)/rpc
|
|
|
|
# === MODE-SPECIFIC BUILD PARAMETERS ==============================================================
|
|
|
|
ifeq ($(subst release,RELEASE,$(MODE)),RELEASE)
|
|
CPPFLAGS = $(CPPFLAGS_RELEASE) $(SGX_CPPFLAGS_RELEASE) -I$(RPC_DIR)
|
|
LDFLAGS = $(LDFLAGS_RELEASE) $(SGX_LDFLAGS_RELEASE)
|
|
else
|
|
CPPFLAGS = $(CPPFLAGS_DEBUG) $(SGX_CPPFLAGS_DEBUG) -I$(RPC_DIR)
|
|
LDFLAGS = $(LDFLAGS_DEBUG) $(SGX_LDFLAGS_DEBUG)
|
|
endif
|
|
|
|
# === ENCLAVE SOURCES AND OUTPUTS =================================================================
|
|
|
|
ENCLAVE_SOURCES = $(wildcard *.cpp)
|
|
ENCLAVE_OBJECTS = $(addprefix $(OBJ_DIR)/, $(ENCLAVE_SOURCES:.cpp=.o))
|
|
|
|
TGEN_SOURCES = $(addprefix $(RPC_DIR)/, enclave_t.c)
|
|
TGEN_HEADERS = $(TGEN_SOURCES:.c=.h)
|
|
TGEN_OBJECTS = $(patsubst $(RPC_DIR)/%,$(OBJ_DIR)/%,$(TGEN_SOURCES:.c=.o))
|
|
|
|
UGEN_SOURCES = $(addprefix $(RPC_DIR)/, enclave_u.c)
|
|
UGEN_HEADERS = $(UGEN_SOURCES:.c=.h)
|
|
UGEN_OBJECTS = $(patsubst $(RPC_DIR)/%,$(OBJ_DIR)/%,$(UGEN_SOURCES:.c=.o))
|
|
|
|
# === PSEUDO TARGETS ==============================================================================
|
|
|
|
info: # Show available targets
|
|
@echo "Build Targets:"
|
|
@sed -n 's/^\([a-z-]*\): .*# \(.*\)$$/ \1 - \2/p' Makefile | expand -t24 | sort
|
|
@echo
|
|
@echo "Configuration:"
|
|
@echo " HSM_PROFILE = dev_sim (or dev_hsm, prod)"
|
|
@echo " MODE = DEBUG (or RELEASE)"
|
|
@echo " SGX_DEBUG_MODE = TRUE (or FALSE)"
|
|
@echo " SGX_IS_PRERELEASE = FALSE (or TRUE)"
|
|
@echo " SGX_USE_HARDWARE = FALSE (or TRUE)"
|
|
@echo
|
|
|
|
all: $(ENCLAVE) signed-openssl # Build enclave (self-signed using OpenSSL)
|
|
|
|
clean: # Clean build files
|
|
@$(RM) -rf $(OUT_DIR)
|
|
@$(RM) -rf $(OBJ_DIR)
|
|
@$(RM) -rf $(RPC_DIR)
|
|
|
|
# === SIGNING =====================================================================================
|
|
|
|
mode: # Show state of SGX specific build variables
|
|
@echo "SGX_MODE: $(SGX_MODE)"
|
|
@echo "SGX_DEBUG: $(SGX_DEBUG)"
|
|
@echo "SGX_PRERELEASE: $(SGX_PRERELEASE)"
|
|
@echo "HSM_PROFILE: $(HSM_PROFILE)"
|
|
|
|
unsigned: $(ENCLAVE_BLOB) # Construct an unsigned enclave
|
|
|
|
signed-openssl: $(ENCLAVE_OPENSSL) # Construct a self-signed enclave using OpenSSL
|
|
|
|
signed-hsm: $(ENCLAVE_HSM) # Construct an enclave signed by an HSM
|
|
mev_sim|dev_hsm|prod)
|
|
|
|
$(ENCLAVE_UNSIGNED): $(ENCLAVE)
|
|
@echo "Using mode=$(MODE), config=$(SGX_CONFIG)"
|
|
$(CPP) -o $(ENCLAVE_UNSIGNED) $(LDFLAGS)
|
|
|
|
$(ENCLAVE_BLOB): $(ENCLAVE_UNSIGNED)
|
|
$(SGX_SIGNER) gendata \
|
|
-enclave $(ENCLAVE_UNSIGNED) \
|
|
-out $(ENCLAVE_BLOB) \
|
|
-config $(SGX_CONFIG)
|
|
|
|
$(ENCLAVE_OPENSSL): $(ENCLAVE_BLOB) $(OPENSSL_PUBLIC_KEY) $(OPENSSL_SIGNATURE)
|
|
$(SGX_SIGNER) catsig \
|
|
-enclave $(ENCLAVE_UNSIGNED) \
|
|
-key $(OPENSSL_PUBLIC_KEY) \
|
|
-sig $(OPENSSL_SIGNATURE) \
|
|
-unsigned $(ENCLAVE_BLOB) \
|
|
-config $(SGX_CONFIG) \
|
|
-out $(ENCLAVE_OPENSSL)
|
|
@cp $(ENCLAVE_OPENSSL) $(ENCLAVE_SIGNED)
|
|
|
|
$(OPENSSL_PUBLIC_KEY): $(OPENSSL_PRIVATE_KEY)
|
|
openssl rsa \
|
|
-in $(OPENSSL_PRIVATE_KEY) \
|
|
-pubout -out $(OPENSSL_PUBLIC_KEY)
|
|
|
|
$(OPENSSL_SIGNATURE): $(OPENSSL_PRIVATE_KEY) $(ENCLAVE_BLOB)
|
|
openssl dgst \
|
|
-sha256 \
|
|
-sign $(OPENSSL_PRIVATE_KEY) \
|
|
-out $(OPENSSL_SIGNATURE) \
|
|
$(ENCLAVE_BLOB)
|
|
|
|
$(ENCLAVE_HSM): $(ENCLAVE_BLOB) $(HSM_PUBLIC_KEY) $(HSM_SIGNATURE)
|
|
$(SGX_SIGNER) catsig \
|
|
-enclave $(ENCLAVE_UNSIGNED) \
|
|
-key $(HSM_PUBLIC_KEY) \
|
|
-sig $(HSM_SIGNATURE) \
|
|
-unsigned $(ENCLAVE_BLOB) \
|
|
-config $(SGX_CONFIG) \
|
|
-out $(ENCLAVE_HSM)
|
|
@cp $(ENCLAVE_HSM) $(ENCLAVE_SIGNED)
|
|
|
|
$(HSM_PUBLIC_KEY) $(HSM_SIGNATURE): $(HSM_TOOL) $(ENCLAVE_BLOB)
|
|
@echo "Using HSM profile=$(HSM_PROFILE)"
|
|
java -jar $(HSM_TOOL) \
|
|
--mode=Sign \
|
|
--source=$(ENCLAVE_BLOB) \
|
|
--pubkey=$(HSM_PUBLIC_KEY) \
|
|
--signature=$(HSM_SIGNATURE) \
|
|
--profile=$(HSM_PROFILE)
|
|
|
|
$(HSM_TOOL):
|
|
$(GRADLE) sgx-hsm-tool:jar
|
|
|
|
# === ENCLAVE =====================================================================================
|
|
|
|
obj-trusted: $(TGEN_OBJECTS) # Object files for trusted zone
|
|
|
|
obj-untrusted: $(UGEN_OBJECTS) # Object files for untrusted zone
|
|
|
|
$(ENCLAVE): $(TGEN_OBJECTS) $(ENCLAVE_OBJECTS) | $(OUT_DIR)
|
|
ar qc $@ $^
|
|
ranlib $@
|
|
|
|
$(TGEN_SOURCES) $(TGEN_HEADERS) $(UGEN_SOURCES) $(UGEN_HEADERS): enclave.edl | $(RPC_DIR)
|
|
$(SGX_EDGER8R) \
|
|
--search-path $(SGX_INC_DIR) \
|
|
--trusted-dir $(RPC_DIR) \
|
|
--untrusted-dir $(RPC_DIR) \
|
|
enclave.edl
|
|
|
|
$(ENCLAVE_OBJECTS): $(ENCLAVE_SOURCES) | $(OBJ_DIR)
|
|
|
|
$(TGEN_OBJECTS): $(TGEN_SOURCES)
|
|
|
|
$(UGEN_OBJECTS): $(UGEN_SOURCES)
|
|
|
|
$(OBJ_DIR)/%.o: $(RPC_DIR)/%.c
|
|
@mkdir -p $(@D)
|
|
$(CPP) $(CPPFLAGS) $(SGX_DEBUG_FLAGS) $(SGX_DEFS) -o $@ -c $<
|
|
|
|
$(OBJ_DIR)/%.o: %.cpp
|
|
@mkdir -p $(@D)
|
|
$(CPP) $(CPPFLAGS) $(SGX_DEBUG_FLAGS) $(SGX_DEFS) -o $@ -c $<
|
|
|
|
# === BUILD DIRECTORIES ===========================================================================
|
|
|
|
$(OUT_DIR):
|
|
@mkdir -p $(OUT_DIR)
|
|
|
|
$(OBJ_DIR):
|
|
@mkdir -p $(OBJ_DIR)
|
|
|
|
$(RPC_DIR):
|
|
@mkdir -p $(RPC_DIR)
|