* ENT-319 Enclave to help test Intel signing key * Update build files to allow for release builds * Strip debug information from release binaries * Move sign_helper and update references * Remove paragraph from README * Two dev modes (simulation and HSM) * Update make files to take mode and single build directory * Update reference to self-sign key * Build script: from_clean.sh * Fix bad ref to docker-minimal
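# Build for the "noop" test enclave: a minimal SGX enclave whose purpose is to
# exercise the enclave signing pipeline end to end — unsigned image, blob to
# sign, detached signature (local OpenSSL key or HSM), signed image, and the
# SIGSTRUCT extracted back out for inspection.
cmake_minimum_required(VERSION 3.5)

# Declare the project explicitly.  Without it CMake injects an implicit
# project() for a top-level file (with a warning), and PROJECT_SOURCE_DIR is
# only well defined after this call.  Both C (the generated EDL bridges) and
# C++ (enclave and test sources) are compiled in this directory.
project(noop_enclave LANGUAGES C CXX)

# Default to a Debug build when none was chosen.  The build type selects the
# enclave configuration XML below, so leaving it unset would make the signing
# steps fail later with a far less obvious error.
if(NOT CMAKE_BUILD_TYPE)
    # Cache description text is ours; the mirrored listing elided the original.
    set(CMAKE_BUILD_TYPE Debug CACHE STRING "Build type: Debug or Release" FORCE)
endif()

# Pick the enclave configuration handed to sgx_sign (gendata and catsig).  The
# two XML files presumably differ in debug-related enclave settings, so the
# choice must track the build type exactly and anything else is refused.
if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
    set(ENCLAVE_CONFIG enclave-debug.xml)
elseif("${CMAKE_BUILD_TYPE}" STREQUAL "Release")
    set(ENCLAVE_CONFIG enclave-release.xml)
else()
    # Must be FATAL_ERROR: the original spelled it FATAL_ERRORO, which
    # message() treats as ordinary text and does not abort on, so an
    # unsupported build type would have continued with ENCLAVE_CONFIG unset.
    message(FATAL_ERROR "Unsupported CMAKE_BUILD_TYPE '${CMAKE_BUILD_TYPE}': expected Debug or Release")
endif()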
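# --- External inputs ----------------------------------------------------------
# Everything needed from outside this directory lives in sibling directories:
# the Intel SGX SDK checkout (linux-sgx), the sign_helper tool, the hsm-tool
# Gradle module and a root of prebuilt runtime dependencies.  All paths are
# relative to CMAKE_CURRENT_SOURCE_DIR; the original mixed in
# PROJECT_SOURCE_DIR, which coincides at top level but would point elsewhere if
# this file were ever added as a subdirectory of another project.
set(SGX_SDK ${CMAKE_CURRENT_SOURCE_DIR}/../linux-sgx)
set(SGX_LIBRARY_PATH ${SGX_SDK}/build/linux)
set(SGX_SIGN_TOOL ${SGX_LIBRARY_PATH}/sgx_sign)

# Compiler flags for every C++ target in this directory.  For the enclave
# objects these are the usual SGX enclave hardening set rather than
# preferences: hidden visibility and -fpie because the enclave is a
# position-independent image whose exports are pinned by the version script at
# link time, and a stack protector because the enclave's stack is the one
# thing inside the trust boundary an untrusted caller can try to disturb
# (-fstack-protector-strong covers more functions; whether the bundled SDK's
# tstdc supports it is not established here).  Release additionally disables
# asserts.  Note that -s is a link-stage flag: it does nothing for the object
# library compiled here, and the enclave is linked by a hand-written command
# below that passes its own flags.
set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -fvisibility=hidden -fpie -fstack-protector")
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fvisibility=hidden -fpie -fstack-protector -s -DNDEBUG")

# --- Build artefacts (all written to CMAKE_CURRENT_BINARY_DIR) -----------------
# Pipeline: unsigned enclave -> blob to sign (sgx_sign gendata) -> detached
# signature (OpenSSL or HSM) -> signed enclave (sgx_sign catsig) -> SIGSTRUCT
# extracted for inspection.  Each signing path keeps its own file names so the
# two can coexist in a single build tree.
set(ENCLAVE_UNSIGNED noop_enclave.unsigned.so)
set(ENCLAVE_BLOB_TO_SIGN noop_enclave_blob_to_sign.bin)
set(ENCLAVE_SIGNED_OPENSSL noop_enclave.signed.openssl.so)
set(ENCLAVE_SIGNED_HSM noop_enclave.signed.hsm.so)
set(ENCLAVE_SIGNATURE_OPENSSL noop_enclave.signature.openssl.sha256)
set(ENCLAVE_SIGNATURE_HSM noop_enclave.signature.hsm.sha256)
set(ENCLAVE_SIGSTRUCT_OPENSSL noop_enclave.sigstruct.openssl.bin)
set(ENCLAVE_SIGSTRUCT_HSM noop_enclave.sigstruct.hsm.bin)
set(ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL noop_enclave.sigstruct-pretty.openssl.txt)
set(ENCLAVE_SIGSTRUCT_PRETTY_HSM noop_enclave.sigstruct-pretty.hsm.txt)

# --- Signing keys -------------------------------------------------------------
# The OpenSSL path signs with a private key kept in the sibling sign_helper
# source directory.  That is a development self-signing key: if it is shared
# through the repository, the signer identity (MRSIGNER) of anything it signs
# is reproducible by anyone with the tree, so it is only suitable for testing
# the pipeline.  The HSM path never handles a private key in this build; it
# only receives the public key and signature back from the HSM tool.
set(PRIVATE_KEY_NAME_OPENSSL ../sign_helper/selfsigning.pem)
set(PUBLIC_KEY_NAME_OPENSSL selfsigning.public.pem)
set(PUBLIC_KEY_NAME_HSM hsm.public.pem)

# --- Tools --------------------------------------------------------------------
set(HSM_SGX_TOOL ${CMAKE_CURRENT_SOURCE_DIR}/../hsm-tool/build/libs/sgx-jvm/hsm-tool-1.0-SNAPSHOT.jar)
set(DEPENDENCIES_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../dependencies/root)
set(DEPENDENCIES_LIBRARY_PATH ${DEPENDENCIES_ROOT_DIR}/usr/lib/x86_64-linux-gnu CACHE PATH "Directory searched for the prebuilt runtime libraries when linking the test executable")
# sign_helper is launched through env(1) so it resolves its shared libraries
# from the prebuilt dependency root rather than from whatever the host has.
set(SIGN_HELPER env LD_LIBRARY_PATH=${DEPENDENCIES_ROOT_DIR}/lib/x86_64-linux-gnu ${CMAKE_CURRENT_SOURCE_DIR}/../sign_helper/sign_helper)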
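# --- EDL bridge generation and enclave object library ----------------------------
set(NOOP_ENCLAVE noop_enclave_objects)
set(SGX_SDK_INCLUDE ${SGX_SDK}/common/inc)
set(GENERATED_RPC_DIR ${CMAKE_CURRENT_BINARY_DIR}/rpc)

# The SDK's edger8r turns the EDL interface description into the trusted (_t)
# and untrusted (_u) bridge sources.  Declared as an imported executable so the
# custom command below can name it as a target.
add_executable(edger8r IMPORTED)
set_target_properties(edger8r PROPERTIES IMPORTED_LOCATION ${SGX_LIBRARY_PATH}/sgx_edger8r)

set(GENERATED_EDL_FILES
    ${GENERATED_RPC_DIR}/empty_t.c
    ${GENERATED_RPC_DIR}/empty_t.h
    ${GENERATED_RPC_DIR}/empty_u.c
    ${GENERATED_RPC_DIR}/empty_u.h
)

# The generator binary is itself an input: a rebuilt SDK must regenerate the
# bridges.  The SDK include directory is kept as a (coarse) dependency on the
# headers the EDL may pull in.
add_custom_command(
    OUTPUT ${GENERATED_EDL_FILES}
    COMMAND edger8r
        --search-path ${CMAKE_CURRENT_SOURCE_DIR}/src
        --search-path ${SGX_SDK_INCLUDE}
        --trusted-dir ${GENERATED_RPC_DIR}
        --untrusted-dir ${GENERATED_RPC_DIR}
        ${CMAKE_CURRENT_SOURCE_DIR}/src/empty.edl
    DEPENDS
        ${CMAKE_CURRENT_SOURCE_DIR}/src/empty.edl
        ${SGX_LIBRARY_PATH}/sgx_edger8r
        ${SGX_SDK_INCLUDE}
    COMMENT "Generating EDL bridge sources from empty.edl"
    VERBATIM
)
set_source_files_properties(${GENERATED_EDL_FILES} PROPERTIES GENERATED TRUE)

# Named target so the generated sources can be requested explicitly (by other
# targets via add_dependencies, or from the command line).
add_custom_target(GENERATED_EDL DEPENDS ${GENERATED_EDL_FILES})

# The enclave code is compiled into a static archive and turned into the final
# enclave image by a hand-written link command further down, which needs exact
# control over the link (no host runtime, SDK trusted libraries only).  STATIC
# is now explicit: the link step looks for the archive file, and the default
# library type would follow BUILD_SHARED_LIBS if a user set it.  -nostdinc keeps
# host headers out so the enclave only ever sees the SDK's tlibc headers.
add_library(${NOOP_ENCLAVE} STATIC
    ${CMAKE_CURRENT_SOURCE_DIR}/src/noop_enclave.cpp
    ${GENERATED_RPC_DIR}/empty_t.c
)
add_dependencies(${NOOP_ENCLAVE} GENERATED_EDL)
set_property(TARGET ${NOOP_ENCLAVE} PROPERTY POSITION_INDEPENDENT_CODE ON)
target_include_directories(${NOOP_ENCLAVE} PUBLIC
    ${SGX_SDK_INCLUDE}
    ${SGX_SDK_INCLUDE}/tlibc
    ${GENERATED_RPC_DIR}
)
target_compile_options(${NOOP_ENCLAVE} PUBLIC -nostdinc)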
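# --- SGX runtime selection ----------------------------------------------------
# Hardware mode links the real trusted/untrusted runtimes; simulation mode
# links the SDK's *_sim variants, which run the enclave code without SGX
# hardware.  A simulation build gives none of the isolation or attestation
# guarantees and must never be treated as a trusted enclave.  This is a cache
# option now (the original hard-coded TRUE, leaving the simulation branch
# unreachable) so it can be chosen per build tree: -DSGX_USE_HARDWARE=OFF.
option(SGX_USE_HARDWARE "Link against the hardware SGX runtime (OFF selects the simulation libraries)" ON)

if(SGX_USE_HARDWARE)
    set(URTS_LIB "sgx_urts")
    set(TRTS_LIB "sgx_trts")
    set(SGX_SERVICE_LIB "sgx_tservice")
else()
    set(URTS_LIB "sgx_urts_sim")
    set(TRTS_LIB "sgx_trts_sim")
    set(SGX_SERVICE_LIB "sgx_tservice_sim")
endif()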
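# --- Enclave link -------------------------------------------------------------
# Flags for linking the enclave image, following the standard SGX enclave link
# recipe: no host runtime or start files at all (-nostdlib, -nodefaultlibs,
# -nostartfiles); the trusted runtime pulled in whole so none of its objects
# are dropped; the enclave archive plus the SDK's trusted libc, libc++ and
# crypto resolved as one group; static, symbolic binding so internal references
# cannot be interposed; a PIE entered at enclave_entry with __ImageBase pinned
# to 0; and a version script that restricts what the image exports.
# --no-undefined (given twice, as in the original) turns any stray reference to
# a host symbol into a link error instead of a load-time failure.
set(ENCLAVE_LINKER_FLAGS
    "-Wl,--no-undefined"
    "-nostdlib"
    "-nodefaultlibs"
    "-nostartfiles"
    "-L${SGX_LIBRARY_PATH}"
    "-Wl,--whole-archive"
    "-l${TRTS_LIB}"
    "-Wl,--no-whole-archive"
    "-Wl,--start-group"
    # The archive is addressed through the target so the command no longer
    # assumes a particular working directory or archive output directory.
    "$<TARGET_FILE:${NOOP_ENCLAVE}>"
    "-lsgx_tstdc"
    "-lsgx_tstdcxx"
    "-lsgx_tcrypto"
    "-l${SGX_SERVICE_LIB}"
    "-Wl,--end-group"
    "-Wl,-Bstatic"
    "-Wl,-Bsymbolic"
    "-Wl,--no-undefined"
    "-Wl,-pie,-eenclave_entry"
    "-Wl,--export-dynamic"
    "-Wl,--defsym,__ImageBase=0"
    "-Wl,--version-script=${CMAKE_CURRENT_SOURCE_DIR}/linkerscript.lds"
)

# Link the unsigned enclave.  Depending on the target name gives both a
# build-order and a file-level dependency on the archive; the version script
# is listed too, since an export change must relink (the original did not
# track it).  The output path is absolute so it matches OUTPUT regardless of
# the working directory the generator chooses.
add_custom_command(
    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
    COMMAND ${CMAKE_CXX_COMPILER} -o ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED} ${ENCLAVE_LINKER_FLAGS}
    DEPENDS
        ${NOOP_ENCLAVE}
        ${SGX_LIBRARY_PATH}
        ${CMAKE_CURRENT_SOURCE_DIR}/linkerscript.lds
    COMMENT "Linking unsigned enclave ${ENCLAVE_UNSIGNED}"
    VERBATIM
)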
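# --- Signing, step 1: material to sign ----------------------------------------
# sgx_sign from the SDK.  "gendata" writes the blob the signer signs, so the
# private key never has to be on the build machine; "catsig" later stitches the
# detached signature and public key back into the enclave.
add_executable(sgx_sign IMPORTED)
set_target_properties(sgx_sign PROPERTIES IMPORTED_LOCATION ${SGX_SIGN_TOOL})

# The enclave configuration XML is passed to gendata, so it is an input and is
# tracked as one (the original depended only on the unsigned enclave, leaving a
# stale blob behind after a config edit).
add_custom_command(
    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
    COMMAND sgx_sign gendata
        -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
    DEPENDS
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
    COMMENT "Generating signing blob for ${ENCLAVE_UNSIGNED}"
    VERBATIM
)

# outputs the unsigned enclave and the blob to sign
add_custom_target(unsigned
    DEPENDS
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
)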
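# OPENSSL ENCLAVE
# Development signing path: a detached signature over the blob is produced
# locally with OpenSSL, and the matching public key is exported from the same
# private key.  Both commands now depend on the private key file, so rotating
# the key re-signs instead of silently keeping a signature from the old key.
add_custom_command(
    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
    COMMAND openssl rsa
        -in ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL}
        -pubout
        -out ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL}
    COMMENT "Exporting public key from ${PRIVATE_KEY_NAME_OPENSSL}"
    VERBATIM
)

# Sign the blob: SHA-256 with openssl dgst -sign, i.e. an RSA PKCS#1 v1.5
# signature, which is the form catsig reads back.  The HSM path must produce
# the same digest and padding for the two signed enclaves to be comparable.
add_custom_command(
    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL}
    COMMAND openssl dgst -sha256
        -sign ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL}
        -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
    DEPENDS
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        ${CMAKE_CURRENT_SOURCE_DIR}/${PRIVATE_KEY_NAME_OPENSSL}
    COMMENT "Signing ${ENCLAVE_BLOB_TO_SIGN} with ${PRIVATE_KEY_NAME_OPENSSL}"
    VERBATIM
)

# Stitch signature and public key back into the enclave.  Every file the
# command reads is listed, including the config XML that gendata also used.
add_custom_command(
    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
    COMMAND sgx_sign catsig
        -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
        -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL}
        -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
        -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL}
    DEPENDS
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_OPENSSL}
        ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_OPENSSL}
        ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
    COMMENT "Producing ${ENCLAVE_SIGNED_OPENSSL}"
    VERBATIM
)

add_custom_target(signed-openssl DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_OPENSSL})
# /OPENSSL ENCLAVE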
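# HSM ENCLAVE
# HSM signing path: the blob is handed to the HSM tool, which returns the
# signature and the public key.  The private key stays inside the HSM and is
# never present in this build tree.

# The HSM tool jar is built on demand through Gradle from the repository root.
# Depending on the source directory only notices files being added or removed
# (directory mtime), not edits to existing files — rebuild the jar explicitly
# after changing the tool.
add_custom_command(
    OUTPUT ${HSM_SGX_TOOL}
    COMMAND ./gradlew sgx-jvm/hsm-tool:jar
    WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../..
    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../hsm-tool/src
    COMMENT "Building hsm-tool jar"
    VERBATIM
)

# Deliberately not VERBATIM: \${PROFILE} is written so that it survives CMake
# and is expanded by the generated build (make variable or shell environment),
# so the HSM profile is chosen when the target is run, e.g.
# `PROFILE=<profile-name> make signed-hsm`, rather than baked into the tree.
add_custom_command(
    OUTPUT
        ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM}
    COMMAND java -jar ${HSM_SGX_TOOL}
        --mode=Sign
        --source=${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        --pubkey=${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM}
        --signature=${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM}
        --profile=\${PROFILE}
    DEPENDS
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        ${HSM_SGX_TOOL}
    COMMENT "Signing ${ENCLAVE_BLOB_TO_SIGN} through the HSM tool"
)

# Stitch the HSM signature and public key into the enclave.  The config XML is
# an input here as well and is tracked (the original omitted it).
add_custom_command(
    OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
    COMMAND sgx_sign catsig
        -enclave ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        -key ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM}
        -sig ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM}
        -unsigned ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        -config ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
        -out ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM}
    DEPENDS
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_UNSIGNED}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_BLOB_TO_SIGN}
        ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNATURE_HSM}
        ${CMAKE_CURRENT_BINARY_DIR}/${PUBLIC_KEY_NAME_HSM}
        ${CMAKE_CURRENT_SOURCE_DIR}/${ENCLAVE_CONFIG}
    COMMENT "Producing ${ENCLAVE_SIGNED_HSM}"
    VERBATIM
)

add_custom_target(signed-hsm DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${ENCLAVE_SIGNED_HSM})
# /HSM ENCLAVE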
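# HSM KEY
# Key-management targets for the HSM signing key.  Neither produces a file in
# the build tree, so they are plain always-run custom targets (the original
# reached the same effect with a dummy OUTPUT that was never created).  Both
# now depend on the jar so the tool is built first instead of failing on a
# missing file.  \${PROFILE} is left for the build to expand, exactly as in
# the HSM signing step.
add_custom_target(generate-key-hsm
    COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE}
    DEPENDS ${HSM_SGX_TOOL}
    COMMENT "Generating an SGX signing key in the HSM"
)
# /HSM KEY

# HSM KEY OVERWRITE
# Destructive variant: replaces an existing key under the profile.  Enclaves
# signed before and after then carry different signer identities (MRSIGNER),
# which is why this is a separately named target and not a flag on the one
# above.
add_custom_target(generate-key-hsm-overwrite
    COMMAND java -jar ${HSM_SGX_TOOL} --mode=GenerateSgxKey --profile=\${PROFILE} --overwriteKey
    DEPENDS ${HSM_SGX_TOOL}
    COMMENT "Re-generating (overwriting) the SGX signing key in the HSM"
)
# /HSM KEY OVERWRITE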
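# --- SIGSTRUCT extraction -----------------------------------------------------
# Pulls the SIGSTRUCT (the signed metadata sgx_sign embedded, carrying the
# enclave measurement and the signer's key) out of a signed enclave, both as
# the raw structure and as a human-readable dump.  The two signing paths are
# presumably compared this way: the same measurement, different signer fields.
#
# Arguments:
#   target_name     name of the aggregate custom target to create
#   signed_enclave  file name (in the binary dir) of the signed enclave
#   sigstruct       output file name for the raw SIGSTRUCT
#   pretty          output file name for the textual dump
function(noop_enclave_sigstruct_targets target_name signed_enclave sigstruct pretty)
    set(bin ${CMAKE_CURRENT_BINARY_DIR})
    add_custom_command(
        OUTPUT ${bin}/${sigstruct}
        COMMAND ${SIGN_HELPER} get-css -in ${bin}/${signed_enclave} -out ${bin}/${sigstruct}
        DEPENDS ${bin}/${signed_enclave}
        COMMENT "Extracting SIGSTRUCT from ${signed_enclave}"
        VERBATIM
    )
    # print-css writes to stdout; the shell redirect is why this command is
    # deliberately not VERBATIM (VERBATIM would quote '>' into an argument).
    add_custom_command(
        OUTPUT ${bin}/${pretty}
        COMMAND ${SIGN_HELPER} print-css -in ${bin}/${sigstruct} > ${bin}/${pretty}
        DEPENDS ${bin}/${sigstruct}
        COMMENT "Dumping SIGSTRUCT ${sigstruct}"
    )
    add_custom_target(${target_name} DEPENDS ${bin}/${sigstruct} ${bin}/${pretty})
endfunction()

# OPENSSL SIGSTRUCT
noop_enclave_sigstruct_targets(sigstruct-openssl
    ${ENCLAVE_SIGNED_OPENSSL}
    ${ENCLAVE_SIGSTRUCT_OPENSSL}
    ${ENCLAVE_SIGSTRUCT_PRETTY_OPENSSL}
)
# /OPENSSL SIGSTRUCT

# HSM SIGSTRUCT
noop_enclave_sigstruct_targets(sigstruct-hsm
    ${ENCLAVE_SIGNED_HSM}
    ${ENCLAVE_SIGSTRUCT_HSM}
    ${ENCLAVE_SIGSTRUCT_PRETTY_HSM}
)
# /HSM SIGSTRUCT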
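# --- Host-side test executable --------------------------------------------------
# Loads the enclave through the untrusted runtime, taken from the SDK build
# tree as an imported shared library; the variant follows SGX_USE_HARDWARE.
add_library(urtslib SHARED IMPORTED)
set_target_properties(urtslib PROPERTIES IMPORTED_LOCATION ${SGX_LIBRARY_PATH}/lib${URTS_LIB}.so)

set(THREADS_PREFER_PTHREAD_FLAG ON)
find_package(Threads REQUIRED)

# The prebuilt dependency libraries go on the linker search path, presumably so
# the urts library's own shared-library dependencies resolve at link time.
# link_directories is directory-scoped, which is tolerable here only because
# the test executable is the sole target defined after it
# (target_link_directories needs CMake 3.13, above the declared minimum).
link_directories(${DEPENDENCIES_LIBRARY_PATH})

add_executable(noop_test src/test.cpp ${GENERATED_RPC_DIR}/empty_u.c)
# -Wall -g used to be appended to CMAKE_CXX_FLAGS at directory scope.  That
# variable is read at generate time, so it also put -g into every enclave
# object — Release builds included, contradicting the stripped release enclave
# the Release flags ask for.  Scoped to the test executable, the enclave keeps
# only its build type's flags (CMake's default Debug flags already carry -g).
# As a target option it now also covers the C bridge source in this target.
target_compile_options(noop_test PRIVATE -Wall -g)
target_include_directories(noop_test PRIVATE ${SGX_SDK_INCLUDE} ${GENERATED_RPC_DIR})
target_link_libraries(noop_test PRIVATE urtslib Threads::Threads)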