* Initial host server skeleton. * Create IASProxy project, and skeleton for attestation host. * Fix up tests * Extend attestation host skeleton, and make test ports configurable. * Enhance MockIAS to make pseManifestStatus optional. * Make IASProxy endpoints asynchronous. * Add sub-modules for challenger and for common code. * Create integration test for host's provisioning endpoint. * Flesh out attestation challenger WAR. * Package refactoring, to be more Java9 friendly. * Refactor more messages into attestation-common. * Remove our private key from the repository. * Declare an empty PSE Manifest to be invalid. * Fix basic integration test issues for challenger and host. * Integrate keystore scripts into the build properly. * Name keystore targets explicitly for Gradle. * Allow HTTP conversation between Challenger, Host and ISV using session ID. * Add MockHost for challenger's integration tests. * Reconcile HTTP port numbers between Phase1 and Phase2 components. * Remove elements that can be inherited from root project. * Add placeholder README. * Add convenient extension functions to ObjectMapper. * Extend integration test coverage for challenger/host/isv. * Catch IOException from HttpClient for challenger. * Integrate host sub-module with remote-attestation project. * Begin integrating host/enclave code from Phase I. * Rename challenger's HTTP endpoint. * Generate keystore for challenger "on the fly". * Add native JNI code for accessing the SGX enclave. * Point Gradle to the correct enclave object. * Fixes for generating a Quote for this enclave. * Return the IAS report to the challenger for verification. * Begin populating the challenger's AttestationResponse message. * Enable the challenger to pass encrypted secrets into the enclave. * Align challenger, host and isv ports. * Refactor challenger as a fat-jar application. * AttestationResponse is not shared, so refactor into challenger. * Move HttpClientContext objects into HttpClient blocks. * Remove unused Message2 and Message3 objects. * Add realistic dummy value for reportID from IAS. * Small tidy-up on attestation host. * First set of review comments. * Add missing exception message. * Update location of environment file. * Use empty mock revocation lists by default. * Improve logging and add "happy path" test for provisioning secrets. * Update Gradle files so that we can run attestation-host from IntelliJ. * The platformInfo field from IAS can be null, so allow this. Also protect other JNI pointer parameters from NPE. * Allow Gradle to build hardware enclave.
SGX Build Container and Utilities
Project Organisation
-
Containers
To pin down dependencies and simplify development and testing, we have a Docker image with all necessary compile- and run-time dependencies pre-installed. This image supports mounting of volumes for the user's home directory, code repository, and SGX SDK directory. It also exposes various ports for debuggable targets (JVM and native). To run SGX-enabled applications in hardware mode, the user must pass in a reference to the SGX kernel driver (which is done automagically if the
sx
command is used). -
Tools
sx
is a utility that simplifies running builds and tests inside the SGX container, and also provides some additional helper functions for things like generating tags databases, starting debug servers, etc.
Getting Started
To get started, run the following commands in sgx-jvm
:
> source environment
> sx help
Yielding the following output:
usage: <variables> sx <command> <options>
<command>
build build project in container (<directory> <arguments>)
containers actions related to containers
debug actions related to debugging
exec shorthand for `containers exec core`
get-started build containers and key components
help show help information
hsm actions related to the hsm simulator
logs tail application logs
reports actions related to reports
shell show information about shell commands
tags actions related to tag databases
<options>
-c colours = on | off (-C)
-d debug = on | off (-D)
-f force operation
-h hardware = on | off (-s)
-r target = release | pre-release (-p)
-s hsm profile = simulator | development hsm (-S) | production (-P)
-t tty = on | off (-T)
-v verbose output
<variables>
LINES number of lines to return from the end of the log files (default 50)
PORT port number used for connecting to the ISV (default 9080)
The first command simply sets up an alias pointing to sgx-jvm/tools/sx/sx
,
and enables Bash auto-completion for the various command options. For example:
> sx b<tab> # will expand to "sx build"
The second command shows all the available sub-commands and options.
If this is your first time using sx
, you will most likely have to build the
Docker container used for building and running the various components of the
SGX projects. To do that, run the command:
> sx get-started
This command will also set up default configuration for SGX-GDB, both inside and outside of the container, and Visual Studio Code configuration if you fancy running remote debugging sessions from an IDE.
Building Components
As an example, this section will go through the process of building the various components of the remote attestation project.
Enclave
To build the enclave and sign it with a self-signed OpenSSL certificate (for testing), run the following command:
> sx build remote-attestation/enclave clean all
This command runs make -C sgx-jvm/remote-attestation/enclave clean all
inside
the SGX container.
To build the enclave in hardware and pre-release mode, use the -h
and -p
switches like this:
> sx build -hp remote-attestation/enclave clean all
Host
Similarly, to build the host (JVM-layer), you can run the following command:
> sx build remote-attestation/host
This will run gradlew
in the host/
directory, with the necessary paths and
environment variables set.
JNI Library
This is a native library, so you can compile it either for use with software simulation or hardware.
> sx build remote-attestation/host/native # simulation, debug mode
# or:
> sx build -hp remote-attestation/host/native # hardware, pre-release mode
As part of the build, as seen in host/native/Makefile
, we run javah
on the
NativeWrapper
class to extract its JNI mapping. This mapping will be written
to wrapper.hpp
. This means that the JVM-layer needs building prior to this
step.
Running and Debugging Components
Unit Tests
The unit tests are run through Gradle inside the SGX container, with the
various paths set to necessary dependencies. For instance, we need to set the
java.library.path
and corda.sgx.enclave.path
variables to point to the JNI
library and the enclave shared object, respectively. This is all done for you
by the Gradle build script, the container, and the sx
tool.
Provided that you have built the aforementioned components, you can now run the unit tests with the following command:
> sx build remote-attestation/host unit-tests
You can open the output report by issuing the following command:
> sx reports unit-tests
Integration Tests
Similarly, you can run the integration tests with the following command:
> sx build remote-attestation/host integration-tests
This requires that the service provider (in the future challenger and IAS proxy) is running. Say that the service is running on port 12345, you can run the tests like this:
> PORT=12345 sx build remote-attestation/host integration-tests
You can open the output report by issuing the following command:
> sx reports integration-tests
If you want to explore the logs, you can use the logs
command:
> LINES=100 sx logs
Test Flow
There is also a simple attestation flow which similarly to the integration test
requires the service provider to run on a specific port. This flow can be run
with the sx build
command.
To run the simple flow without attaching a debugger, run:
> PORT=8080 sx build remote-attestation/host run
There are a few different debug targets depending on how you want to run your debugger:
-
Local
Runs
gdb
inside the Docker container (if you don't havegdb
installed on your computer):run-local
. -
Remote
Runs
gdbserver
inside the Docker container so that you can attach to it from the host computer or another machine:run-remote
. -
SGX
Runs
sgx-gdb
inside the Docker container (if you don't havesgx-gdb
installed on your computer):run-sgx
. This lets you step through enclave-code, inspect stack traces in the trusted environment, etc. Obviously, this is only possible if the program has been compiled for debug and simulation mode.
For all of the above, and for the unit and integration tests, you can attach a Java debugger remotely as well, using JDWP.
Other Tools
CTags
For the C/C++ part of the project, you might wish to construct a tags file to easily jump back and forth between symbols. You can construct this either with or without the symbols from the Linux SGX SDK:
> sx tags lean remote-attestation # Remote Attestation project only
> sx tags full remote-attestation # Include symbols from the SGX SDK
Dependencies
- Intel SGX SDK – 01org/linux-sgx
- Intel SGX Driver – 01org/linux-sgx-driver