Enable remote attestation by librats in SGX mode (#1445)
Add library librats, update SGX build scripts, add sample and update document.
This commit is contained in:
Zeuson
@ -59,6 +59,11 @@ if (NOT DEFINED WAMR_BUILD_LIBC_WASI)
|
||||
set (WAMR_BUILD_LIBC_WASI 1)
|
||||
endif ()
|
||||
|
||||
if (NOT DEFINED WAMR_BUILD_LIB_RATS)
|
||||
# Disable lib rats support by default
|
||||
set (WAMR_BUILD_LIB_RATS 0)
|
||||
endif()
|
||||
|
||||
if (NOT DEFINED WAMR_BUILD_FAST_INTERP)
|
||||
# Enable fast interpreter
|
||||
set (WAMR_BUILD_FAST_INTERP 1)
|
||||
@ -84,7 +89,7 @@ if (COLLECT_CODE_COVERAGE EQUAL 1)
|
||||
endif ()
|
||||
|
||||
set (CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--gc-sections")
|
||||
set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -ffunction-sections -fdata-sections \
|
||||
set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -ffunction-sections -fdata-sections \
|
||||
-Wall -Wno-unused-parameter -Wno-pedantic \
|
||||
-nostdinc -fvisibility=hidden -fpie" )
|
||||
|
||||
@ -100,3 +105,15 @@ add_custom_command (
|
||||
COMMAND ${CMAKE_AR} rc libvmlib_untrusted.a untrusted/*.o)
|
||||
|
||||
add_custom_target (vmlib_untrusted ALL DEPENDS libvmlib_untrusted.a)
|
||||
|
||||
if (WAMR_BUILD_LIB_RATS EQUAL 1)
|
||||
execute_process(
|
||||
COMMAND bash -c "sed -i -E 's/^#define LIB_RATS 0 /#define LIB_RATS 1/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl"
|
||||
OUTPUT_VARIABLE cmdOutput
|
||||
)
|
||||
else()
|
||||
execute_process(
|
||||
COMMAND bash -c "sed -i -E 's/^#define LIB_RATS 1/#define LIB_RATS 0/g' ${CMAKE_CURRENT_SOURCE_DIR}/enclave-sample/Enclave/Enclave.edl"
|
||||
OUTPUT_VARIABLE cmdOutput
|
||||
)
|
||||
endif()
|
||||
|
||||
@ -3,10 +3,15 @@
|
||||
* SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
||||
*/
|
||||
|
||||
#define LIB_RATS 0
|
||||
|
||||
enclave {
|
||||
from "sgx_tstdc.edl" import *;
|
||||
from "sgx_pthread.edl" import *;
|
||||
from "sgx_wamr.edl" import *;
|
||||
#if LIB_RATS != 0
|
||||
from "rats.edl" import *;
|
||||
#endif
|
||||
|
||||
trusted {
|
||||
/* define ECALLs here. */
|
||||
|
||||
@ -9,6 +9,13 @@ SGX_ARCH ?= x64
|
||||
SGX_DEBUG ?= 0
|
||||
SPEC_TEST ?= 0
|
||||
|
||||
VMLIB_BUILD_DIR ?= $(CURDIR)/../build
|
||||
LIB_RATS_SRC ?= $(VMLIB_BUILD_DIR)/_deps/librats-build
|
||||
LIB_RATS := $(shell if [ -d $(LIB_RATS_SRC) ]; then echo 1; else echo 0; fi)
|
||||
|
||||
LIB_RATS_INSTALL_DIR := $(VMLIB_BUILD_DIR)/librats/lib/librats
|
||||
LIB_RATS_INCLUDE_DIR := $(VMLIB_BUILD_DIR)/librats/include
|
||||
|
||||
ifeq ($(shell getconf LONG_BIT), 32)
|
||||
SGX_ARCH := x86
|
||||
else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
|
||||
@ -49,6 +56,9 @@ endif
|
||||
|
||||
App_Cpp_Files := App/App.cpp
|
||||
App_Include_Paths := -IApp -I$(SGX_SDK)/include
|
||||
ifeq ($(LIB_RATS), 1)
|
||||
App_Include_Paths += -I$(LIB_RATS_INCLUDE_DIR)
|
||||
endif
|
||||
|
||||
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
|
||||
|
||||
@ -79,6 +89,10 @@ else
|
||||
App_Link_Flags += -lsgx_uae_service
|
||||
endif
|
||||
|
||||
ifeq ($(LIB_RATS), 1)
|
||||
App_Link_Flags += -L$(LIB_RATS_INSTALL_DIR) -lrats_u -lsgx_dcap_ql -lsgx_dcap_quoteverify -lsgx_ukey_exchange
|
||||
endif
|
||||
|
||||
App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o)
|
||||
|
||||
App_Name := iwasm
|
||||
@ -105,21 +119,40 @@ Enclave_Include_Paths := -IEnclave -I$(WAMR_ROOT)/core/iwasm/include \
|
||||
-I$(SGX_SDK)/include/tlibc \
|
||||
-I$(SGX_SDK)/include/stlport
|
||||
|
||||
ifeq ($(LIB_RATS), 1)
|
||||
Enclave_Include_Paths += -I$(LIB_RATS_INCLUDE_DIR)
|
||||
endif
|
||||
|
||||
Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Enclave_Include_Paths)
|
||||
ifeq ($(SPEC_TEST), 1)
|
||||
Enclave_C_Flags += -DWASM_ENABLE_SPEC_TEST=1
|
||||
else
|
||||
Enclave_C_Flags += -DWASM_ENABLE_SPEC_TEST=0
|
||||
endif
|
||||
Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++03 -nostdinc++
|
||||
Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
|
||||
-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
|
||||
libvmlib.a \
|
||||
-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_pthread -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
|
||||
|
||||
ifeq ($(LIB_RATS), 1)
|
||||
Rats_Lib_Link_Dirs := -L$(LIB_RATS_INSTALL_DIR) -L$(LIB_RATS_INSTALL_DIR)/attesters -L$(LIB_RATS_INSTALL_DIR)/verifiers
|
||||
Rats_Lib_Link_libs := -lattester_nullattester -lattester_sgx_ecdsa -lattester_sgx_la \
|
||||
-lverifier_nullverifier -lverifier_sgx_ecdsa -lverifier_sgx_la -lverifier_sgx_ecdsa_qve \
|
||||
-lrats_lib
|
||||
endif
|
||||
|
||||
Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++
|
||||
Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) ${Rats_Lib_Link_Dirs} \
|
||||
-Wl,--whole-archive -l$(Trts_Library_Name) ${Rats_Lib_Link_libs} -Wl,--no-whole-archive \
|
||||
-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_pthread -lsgx_tkey_exchange -l$(Crypto_Library_Name) -l$(Service_Library_Name) -lsgx_dcap_tvl -Wl,--end-group \
|
||||
-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
|
||||
-Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
|
||||
-Wl,--defsym,__ImageBase=0
|
||||
|
||||
Enclave_Edl_Search_Path = --search-path ../Enclave \
|
||||
--search-path $(SGX_SDK)/include \
|
||||
--search-path $(WAMR_ROOT)/core/shared/platform/linux-sgx
|
||||
ifeq ($(LIB_RATS), 1)
|
||||
Enclave_Edl_Search_Path += --search-path $(LIB_RATS_INCLUDE_DIR)/librats/edl
|
||||
endif
|
||||
|
||||
|
||||
Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o)
|
||||
|
||||
Enclave_Name := enclave.so
|
||||
@ -156,12 +189,14 @@ ifneq ($(Build_Mode), HW_RELEASE)
|
||||
endif
|
||||
|
||||
######## App Objects ########
|
||||
librats:
|
||||
ifeq ($(LIB_RATS), 1)
|
||||
@cd $(LIB_RATS_SRC) && make install
|
||||
@echo "librats build success"
|
||||
endif
|
||||
|
||||
App/Enclave_u.c: $(SGX_EDGER8R) Enclave/Enclave.edl
|
||||
@cd App && $(SGX_EDGER8R) --untrusted ../Enclave/Enclave.edl \
|
||||
--search-path ../Enclave \
|
||||
--search-path $(SGX_SDK)/include \
|
||||
--search-path $(WAMR_ROOT)/core/shared/platform/linux-sgx
|
||||
App/Enclave_u.c: $(SGX_EDGER8R) Enclave/Enclave.edl librats
|
||||
@cd App && $(SGX_EDGER8R) --untrusted ../Enclave/Enclave.edl $(Enclave_Edl_Search_Path)
|
||||
@echo "GEN => $@"
|
||||
|
||||
App/Enclave_u.o: App/Enclave_u.c
|
||||
@ -172,7 +207,7 @@ App/%.o: App/%.cpp
|
||||
@$(CXX) $(App_Cpp_Flags) -c $< -o $@
|
||||
@echo "CXX <= $<"
|
||||
|
||||
libvmlib_untrusted.a: ../build/libvmlib_untrusted.a
|
||||
libvmlib_untrusted.a: $(VMLIB_BUILD_DIR)/libvmlib_untrusted.a
|
||||
@cp $< $@
|
||||
@echo "CP $@ <= $<"
|
||||
|
||||
@ -183,11 +218,8 @@ $(App_Name): App/Enclave_u.o $(App_Cpp_Objects) libvmlib_untrusted.a
|
||||
|
||||
######## Enclave Objects ########
|
||||
|
||||
Enclave/Enclave_t.c: $(SGX_EDGER8R) Enclave/Enclave.edl
|
||||
@cd Enclave && $(SGX_EDGER8R) --trusted ../Enclave/Enclave.edl \
|
||||
--search-path ../Enclave \
|
||||
--search-path $(SGX_SDK)/include \
|
||||
--search-path $(WAMR_ROOT)/core/shared/platform/linux-sgx
|
||||
Enclave/Enclave_t.c: $(SGX_EDGER8R) Enclave/Enclave.edl librats
|
||||
@cd Enclave && $(SGX_EDGER8R) --trusted ../Enclave/Enclave.edl $(Enclave_Edl_Search_Path)
|
||||
@echo "GEN => $@"
|
||||
|
||||
Enclave/Enclave_t.o: Enclave/Enclave_t.c
|
||||
@ -198,7 +230,7 @@ Enclave/%.o: Enclave/%.cpp
|
||||
@$(CXX) $(Enclave_Cpp_Flags) -c $< -o $@
|
||||
@echo "CXX <= $<"
|
||||
|
||||
libvmlib.a: ../build/libvmlib.a
|
||||
libvmlib.a: $(VMLIB_BUILD_DIR)/libvmlib.a
|
||||
@cp $< $@
|
||||
@echo "CP $@ <= $<"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user