diff --git a/docker/Makefile b/docker/Makefile index 9137b352..071cf235 100644 --- a/docker/Makefile +++ b/docker/Makefile @@ -71,12 +71,21 @@ build_% : repository --tag pdo_$*:$(PDO_VERSION) \ --file '$(DOCKER_DIR)'/pdo_$*.dockerfile . +build_sgx_services : repository + docker build $(DOCKER_ARGS) \ + --build-arg PDO_VERSION=$(PDO_VERSION) \ + --build-arg SGX_MODE=HW \ + --tag pdo_services:$(PDO_VERSION) \ + --file $(DOCKER_DIR)/pdo_services.dockerfile . + # docker build dependencies build_client: build_base build_services: build_services_base build_services_base: build_base build_ccf: build_ccf_base +build_sgx_services: build_services_base + clean_% : docker rmi -f pdo_$*:$(PDO_VERSION) @@ -112,6 +121,12 @@ stop_client : # performance requirements are relatively low. # ----------------------------------------------------------------- repository : + # if an enclave signing key is available on the host, copy that under build/keys in the repo + # Note: the docker build (see PDO_ENCLAVE_CODE_SIGN_PEM in environment.sh) expects the key there + [ ! -e ${PDO_ENCLAVE_CODE_SIGN_PEM} ] ||\ + (test ${PDO_ENCLAVE_CODE_SIGN_PEM} -ef ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem || \ + cp ${PDO_ENCLAVE_CODE_SIGN_PEM} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem) + # clone the repo git clone --single-branch --branch $(PDO_BRANCH) --recurse-submodules '$(PDO_REPO)' repository clean_repository : 
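Review bot: `build_sgx_services` tags its HW-mode image `pdo_services:$(PDO_VERSION)`, the same tag the `build_%` pattern rule gives the SIM-mode `build_services` image, so whichever rule ran last silently replaces the other and nothing in the tag records which `SGX_MODE` an image was built with. If the compose files require that exact name, say so above the rule, e.g. `# NOTE: overwrites the SIM-mode pdo_services image; sgx_test rebuilds it first`; otherwise a distinct tag such as `pdo_services_sgx` would keep both images usable side by side. The `--file` argument also drops the quoting the pattern rule uses; `--file '$(DOCKER_DIR)'/pdo_services.dockerfile .` keeps the two rules consistent. Like the other build targets visible here, the new one is not declared `.PHONY` in this hunk; if the file has no such declaration elsewhere, a stray file named `build_sgx_services` would turn it into a no-op.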
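Review bot: The new recipe in `repository` copies an enclave signing private key with plain `cp`, so the copy gets the caller's umask-derived mode (typically 0644) rather than the source's, and neither `${PDO_ENCLAVE_CODE_SIGN_PEM}` nor `${PDO_SGX_KEY_ROOT}` is checked for being set — with the former unset Make expands it empty, `[ ! -e ]` evaluates false, and the `test … -ef` / `cp` branch runs with missing operands, failing with an unrelated message instead of the intended skip. The destination directory is never created and the copy runs before the `git clone` on the next line, so `PDO_SGX_KEY_ROOT` must already exist on the host, which sits oddly with the comment saying the key goes under build/keys in the repo; worth confirming what that variable is on the host. Because `repository` is cloned into the docker build context (`.`), a key staged under it is sent to the daemon and, if the dockerfile COPYs the tree, lands in an image layer; a `docker build --secret` mount or a `.dockerignore` entry would keep the MRSIGNER key out of shipped images. A tighter version of the copy:
```make
repository :
	# stage a host-provided enclave signing key where the build expects it
	# (see PDO_ENCLAVE_CODE_SIGN_PEM in environment.sh); silently skip if none is configured
	@[ -z '${PDO_ENCLAVE_CODE_SIGN_PEM}' ] || [ ! -e '${PDO_ENCLAVE_CODE_SIGN_PEM}' ] || \
	  ( mkdir -p '${PDO_SGX_KEY_ROOT}' && \
	    ( test '${PDO_ENCLAVE_CODE_SIGN_PEM}' -ef '${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem' || \
	      install -m 0600 '${PDO_ENCLAVE_CODE_SIGN_PEM}' '${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem' ) )
	# … unchanged: git clone …
```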
@@ -130,12 +145,30 @@ TEST_FILES += -f services_base.yaml TEST_FILES += -f ccf_base.yaml TEST_FILES += -f test.yaml +TEST_SGX_FILES = ${TEST_FILES} +TEST_SGX_FILES += -f test-sgx.yaml + +SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \ + then echo "/dev/isgx"; \ + elif [ -e "/dev/sgx/enclave" ]; \ + then echo "/dev/sgx/enclave"; \ + else echo "ERROR: NO SGX DEVICE FOUND"; \ + fi) + +DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose + build_test : repository build_services build_ccf build_client test : clean_config clean_repository build_test stop_all PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down +sgx_build_test : repository build_sgx_services build_ccf build_client + +sgx_test : clean_config clean_repository sgx_build_test stop_all + PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit + PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) down + # ----------------------------------------------------------------- # Cleaning is a bit interesting because the containers don't go away # unless they are told to very nicely. Until they go away they hold onto diff --git a/docker/pdo_services.dockerfile b/docker/pdo_services.dockerfile index 1bb4a139..692e6427 100644 --- a/docker/pdo_services.dockerfile +++ b/docker/pdo_services.dockerfile @@ -27,6 +27,9 @@ FROM pdo_services_base:${PDO_VERSION} # ----------------------------------------------------------------- ARG REBUILD=0 +ARG SGX_MODE=SIM +ENV SGX_MODE $SGX_MODE + ARG PDO_DEBUG_BUILD=0 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD} diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml new file mode 100644 index 00000000..049a3602 --- /dev/null +++ b/docker/test-sgx.yaml 
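Review bot: `SGX_DEVICE_PATH=$(shell …)` never fails when no device is present — it stores the literal string `ERROR: NO SGX DEVICE FOUND`, which `sgx_test` then hands to docker-compose as a device mapping, so the error surfaces late and out of context; the recursive `=` also re-runs the probe on every expansion. The probe only knows the legacy out-of-tree driver paths; the upstream in-kernel driver exposes `/dev/sgx_enclave`, which this would report as missing — worth confirming against the target hosts. A parse-time probe plus a fail-fast check keeps the message where the user runs it: `SGX_DEVICE_PATH := $(firstword $(wildcard /dev/isgx /dev/sgx_enclave /dev/sgx/enclave))` and, as the first recipe line of `sgx_test`, `$(if $(SGX_DEVICE_PATH),,$(error no SGX device found; expected /dev/isgx, /dev/sgx_enclave or /dev/sgx/enclave))`. `sgx_test` and `sgx_build_test` are command targets and, like `test` above them, are not marked `.PHONY` in this hunk.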
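Review bot: `ENV SGX_MODE $SGX_MODE` uses the legacy whitespace-separated ENV form while the `PDO_DEBUG_BUILD` line two lines below uses `ENV KEY=${VALUE}`; Docker has deprecated the legacy form and mixing the two in adjacent lines is easy to misread. `ENV SGX_MODE=${SGX_MODE}` matches the neighbouring line. Since this value persists into the running container and is presumably what tools/environment.sh reads to pick `build/keys/sgx_mode_<mode>`, a one-line comment would help: `# SIM or HW; baked into the image and read at runtime by tools/environment.sh`.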
@@ -0,0 +1,27 @@ +# Copyright 2024 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ------------------------------------------------------------------------------ +version: "3.4" + +services: + ccf_container: + environment: + - SGX_MODE=HW + + services_container: + volumes: + - /var/run/aesmd:/var/run/aesmd + devices: + - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx} + diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh index c0850b12..01fdfb98 100755 --- a/docker/tools/environment.sh +++ b/docker/tools/environment.sh @@ -44,14 +44,7 @@ fi export XFER_DIR=${XFER_DIR:-/project/pdo/xfer} -# if the container is running HW mode, then we will grab the -# SGX keys from the xfer directory; we know that the default -# keys must be overridden -if [ ${SGX_MODE} == "HW" ]; then - export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx -else - export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,} -fi +export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,} # this variable is needed for the build for signing the # eservice and pservice enclaves diff --git a/docker/tools/run_services_tests.sh b/docker/tools/run_services_tests.sh index 773b9eaa..974252e8 100755 --- a/docker/tools/run_services_tests.sh +++ b/docker/tools/run_services_tests.sh 
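Review bot: The overlay carries no comment explaining how it is meant to be used — it only makes sense stacked after test.yaml through the Makefile's `TEST_SGX_FILES`, and `SGX_DEVICE_PATH` is supplied by that Makefile's device probe — so a reader opening it standalone cannot tell where the variable comes from or why `ccf_container` is touched. A header after the license such as `# HW-mode overlay: apply after test.yaml (see sgx_test in docker/Makefile); SGX_DEVICE_PATH is exported by the Makefile and falls back to the legacy /dev/isgx node` would cover that. `ccf_container` receives `SGX_MODE=HW` but no SGX device or aesmd socket; if the CCF node runs outside an enclave the variable is harmless, but if it is expected to attest it needs the same `devices:`/`volumes:` entries as `services_container` — worth confirming.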
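Review bot: The removed comment was the only explanation of where HW-mode keys come from, and the single remaining `export PDO_SGX_KEY_ROOT=…` gives none: in HW mode the key root now points into the source tree (`build/keys/sgx_mode_hw`), which is only populated if the host-side `repository` step in docker/Makefile staged `PDO_ENCLAVE_CODE_SIGN_PEM` there before the image was built. A comment above the export along the lines of `# build/keys/sgx_mode_<sim|hw> inside the source tree; for HW the host must stage enclave_code_sign.pem there (docker/Makefile, target repository) before the image is built` would preserve that. This also means the HW signing key is expected inside the image's source tree rather than a mounted xfer volume — if that tree is COPYd into the image, the private key ships with every copy of it, which deserves an explicit note or a rethink. If `SGX_MODE` is unset the path degrades to `sgx_mode_`; it is presumably defaulted earlier in this script, but `: "${SGX_MODE:?SGX_MODE must be SIM or HW}"` before the export would make the failure explicit.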
@@ -56,7 +56,7 @@ yell check for registration # ----------------------------------------------------------------- # this probably requires additional CCF keys, need to test this if [ "$SGX_MODE" == "HW" ]; then - if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then + if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then die unable to locate CCF policies keys fi diff --git a/docker/tools/start_services.sh b/docker/tools/start_services.sh index 11f21926..f3c2e501 100755 --- a/docker/tools/start_services.sh +++ b/docker/tools/start_services.sh @@ -115,7 +115,7 @@ try cp ${XFER_DIR}/ccf/keys/networkcert.pem ${PDO_LEDGER_KEY_ROOT}/ yell register the enclave if necessary # ----------------------------------------------------------------- if [ "${F_REGISTER,,}" == 'yes' ]; then - if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then + if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then die unable to locate CCF policies keys fi
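Review bot: The corrected path is still unquoted, `[ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ]`; `[ ! -f "${XFER_DIR}/ccf/keys/memberccf_privk.pem" ]` keeps the test well-formed if the variable is empty or contains spaces. The preceding `# this probably requires additional CCF keys, need to test this` comment now reads as a stale TODO given the HW path is being exercised — either drop it or state what remains untested. The same check is duplicated verbatim in start_services.sh and had the same typo in both places; a shared helper would avoid fixing the next such bug twice.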