
Initial removal of SGX targets (#6426)
Co-authored-by: Amaury Chamayou <amchamay@microsoft.com>
maxtropets and achamayou authored Aug 16, 2024
1 parent 4bb3c1e commit 542bba8
Showing 35 changed files with 47 additions and 721 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/README.md
Expand Up @@ -30,7 +30,7 @@ File: `ci-containers-ghcr.yml`

# CI

Main continuous integration job. Builds CCF for all target platforms, runs unit, end to end and partition tests for SGX and Virtual. Run on every commit, including PRs from forks, gates merging. Also runs once a week, regardless of commits.
Main continuous integration job. Builds CCF for all target platforms, runs unit, end to end and partition tests Virtual. Run on every commit, including PRs from forks, gates merging. Also runs once a week, regardless of commits.

File: `ci.yml`
3rd party dependencies: None
13 changes: 0 additions & 13 deletions .github/workflows/ci.yml
Expand Up @@ -42,10 +42,6 @@ jobs:
image: default
nodes: [self-hosted, 1ES.Pool=gha-virtual-ccf-sub]
options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
- name: sgx
image: sgx
nodes: [self-hosted, 1ES.Pool=gha-sgx-ccf-sub]
options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provision:/dev/sgx_provision -v /dev/sgx:/dev/sgx -v /lib/modules:/lib/modules:ro
runs-on: ${{ matrix.platform.nodes }}
container:
image: ghcr.io/microsoft/ccf/ci/${{ matrix.platform.image }}:build-25-07-2024
Expand All @@ -65,15 +61,6 @@ jobs:
ninja
shell: bash

- name: "Platform SGX"
run: |
sudo groupadd -fg $(/usr/bin/stat -Lc '%g' /dev/sgx/provision) sgx_prv
sudo usermod -a -G sgx_prv $(whoami)
samples/scripts/sgxinfo.sh
cat /proc/cpuinfo | grep flags | uniq
shell: bash
if: "${{ matrix.platform.name == 'sgx' }}"

- name: "Platform SNP"
run: |
samples/scripts/snpinfo.sh
203 changes: 22 additions & 181 deletions CMakeLists.txt
Expand Up @@ -2,10 +2,10 @@
# Licensed under the Apache 2.0 License.
cmake_minimum_required(VERSION 3.16)

set(ALLOWED_TARGETS "sgx;snp;virtual")
set(ALLOWED_TARGETS "snp;virtual")

set(COMPILE_TARGET
"sgx"
"snp"
CACHE STRING
"Target compilation platforms, Choose from: ${ALLOWED_TARGETS}"
)
Expand Down Expand Up @@ -76,25 +76,14 @@ endif()

option(
VERBOSE_LOGGING
"Enable verbose, potentially unsafe logging of enclave code. Affects logging level passed at run-time to end-to-end-tests, and compile-time max verbosity on SGX."
"Enable verbose, potentially unsafe logging of enclave code. Affects logging level passed at run-time to end-to-end-tests."
OFF
)
set(TEST_LOGGING_LEVEL "info")
if(VERBOSE_LOGGING)
set(TEST_LOGGING_LEVEL "trace")
endif()

# NB: Toggling VERBOSE_LOGGING on non-SGX platforms causes no build change, so
# should not cause a rebuild
if(COMPILE_TARGET STREQUAL "sgx" AND NOT VERBOSE_LOGGING)
# Disable verbose, unsafe logging of enclave code. On some platforms it is
# safe to build with this logging enabled, and then it can be disabled at
# run-time. However this run-time control is not possible on SGX, so to ensure
# a given MRENCLAVE cannot leak via debug logging it must be removed at
# build-time, with this option.
add_compile_definitions(CCF_DISABLE_VERBOSE_LOGGING)
endif()

option(USE_NULL_ENCRYPTOR "Turn off encryption of ledger updates - debug only"
OFF
)
Expand Down Expand Up @@ -134,9 +123,6 @@ include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/tools.cmake)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/tools.cmake DESTINATION cmake)
include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake DESTINATION cmake)
install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/open_enclave.cmake
DESTINATION cmake
)

if(SAN AND LVI_MITIGATIONS)
message(
Expand All @@ -152,18 +138,6 @@ if(TSAN AND LVI_MITIGATIONS)
)
endif()

add_custom_command(
COMMAND
openenclave::oeedger8r ${CCF_DIR}/edl/ccf.edl --search-path ${OE_INCLUDEDIR}
--trusted --trusted-dir ${CCF_GENERATED_DIR} --untrusted --untrusted-dir
${CCF_GENERATED_DIR}
COMMAND mv ${CCF_GENERATED_DIR}/ccf_t.c ${CCF_GENERATED_DIR}/ccf_t.cpp
COMMAND mv ${CCF_GENERATED_DIR}/ccf_u.c ${CCF_GENERATED_DIR}/ccf_u.cpp
DEPENDS ${CCF_DIR}/edl/ccf.edl
OUTPUT ${CCF_GENERATED_DIR}/ccf_t.cpp ${CCF_GENERATED_DIR}/ccf_u.cpp
COMMENT "Generating code from EDL, and renaming to .cpp"
)

# Copy and install CCF utilities
set(CCF_UTILITIES keygenerator.sh submit_recovery_share.sh verify_quote.sh)
foreach(UTILITY ${CCF_UTILITIES})
Expand All @@ -184,7 +158,6 @@ foreach(UTILITY ${CCF_TEST_UTILITIES})
endforeach()

# Install additional utilities
install(PROGRAMS ${CCF_DIR}/samples/scripts/sgxinfo.sh DESTINATION bin)
install(PROGRAMS ${CCF_DIR}/samples/scripts/snpinfo.sh DESTINATION bin)
install(FILES ${CCF_DIR}/tests/config.jinja DESTINATION bin)

Expand All @@ -199,15 +172,7 @@ install(
USE_SOURCE_PERMISSIONS
)

if(COMPILE_TARGET STREQUAL "sgx")
# While virtual libraries need to be built for sgx for unit tests, these do
# not get installed to minimise installation size
set(INSTALL_VIRTUAL_LIBRARIES OFF)

if(CMAKE_BUILD_TYPE STREQUAL "Debug")
set(DEFAULT_ENCLAVE_TYPE debug)
endif()
elseif(COMPILE_TARGET STREQUAL "snp")
if(COMPILE_TARGET STREQUAL "snp")
set(INSTALL_VIRTUAL_LIBRARIES OFF)
else()
set(INSTALL_VIRTUAL_LIBRARIES ON)
Expand Down Expand Up @@ -268,10 +233,6 @@ list(APPEND CCHOST_SOURCES ${CCF_DIR}/src/host/main.cpp
${CCF_DIR}/src/host/env.cpp
)

if(COMPILE_TARGET STREQUAL "sgx")
list(APPEND CCHOST_SOURCES ${CCF_GENERATED_DIR}/ccf_u.cpp)
endif()

add_executable(cchost ${CCHOST_SOURCES})

add_warning_checks(cchost)
Expand All @@ -282,9 +243,7 @@ target_compile_options(
)
target_include_directories(cchost PRIVATE ${CCF_GENERATED_DIR})

if(COMPILE_TARGET STREQUAL "sgx")
target_compile_definitions(cchost PUBLIC PLATFORM_SGX)
elseif(COMPILE_TARGET STREQUAL "snp")
if(COMPILE_TARGET STREQUAL "snp")
target_compile_definitions(cchost PUBLIC PLATFORM_SNP)
elseif(COMPILE_TARGET STREQUAL "virtual")
target_compile_definitions(cchost PUBLIC PLATFORM_VIRTUAL)
Expand All @@ -294,21 +253,11 @@ target_link_libraries(
cchost PRIVATE uv ${TLS_LIBRARY} ${CMAKE_DL_LIBS} ${CMAKE_THREAD_LIBS_INIT}
${LINK_LIBCXX} ccfcrypto.host
)
if(COMPILE_TARGET STREQUAL "sgx")
target_link_libraries(cchost PRIVATE openenclave::oehost)
endif()

install(TARGETS cchost DESTINATION bin)

# HTTP parser
if(COMPILE_TARGET STREQUAL "sgx")
add_enclave_library_c(http_parser.enclave "${HTTP_PARSER_SOURCES}")
install(
TARGETS http_parser.enclave
EXPORT ccf
DESTINATION lib
)
elseif(COMPILE_TARGET STREQUAL "snp")
if(COMPILE_TARGET STREQUAL "snp")
add_library(http_parser.snp "${HTTP_PARSER_SOURCES}")
set_property(TARGET http_parser.snp PROPERTY POSITION_INDEPENDENT_CODE ON)
install(
Expand Down Expand Up @@ -353,19 +302,9 @@ set(CCF_JS_SOURCES
${CCF_DIR}/src/js/registry.cpp
)

if(COMPILE_TARGET STREQUAL "sgx")
add_enclave_library(ccf_js.enclave "${CCF_JS_SOURCES}")
target_link_libraries(ccf_js.enclave PUBLIC ccfcrypto.enclave quickjs.enclave)
# JS extension observes jwt_management.h header where this definition is
# required
target_compile_definitions(ccf_js.enclave PUBLIC SGX_ATTESTATION_VERIFICATION)
add_warning_checks(ccf_js.enclave)
install(
TARGETS ccf_js.enclave
EXPORT ccf
DESTINATION lib
)
elseif(COMPILE_TARGET STREQUAL "snp")
set(OE_BINDIR "")

if(COMPILE_TARGET STREQUAL "snp")
add_host_library(ccf_js.snp "${CCF_JS_SOURCES}")
add_san(ccf_js.snp)
target_link_libraries(ccf_js.snp PUBLIC ccfcrypto.snp quickjs.snp)
Expand Down Expand Up @@ -395,15 +334,7 @@ set(CCF_KV_SOURCES
${CCF_DIR}/src/kv/untyped_map_diff.cpp
)

if(COMPILE_TARGET STREQUAL "sgx")
add_enclave_library(ccf_kv.enclave "${CCF_KV_SOURCES}")
add_warning_checks(ccf_kv.enclave)
install(
TARGETS ccf_kv.enclave
EXPORT ccf
DESTINATION lib
)
elseif(COMPILE_TARGET STREQUAL "snp")
if(COMPILE_TARGET STREQUAL "snp")
add_host_library(ccf_kv.snp "${CCF_KV_SOURCES}")
add_san(ccf_kv.snp)
add_warning_checks(ccf_kv.snp)
Expand All @@ -426,23 +357,7 @@ if(INSTALL_VIRTUAL_LIBRARIES)
endif()

# CCF endpoints libs
if(COMPILE_TARGET STREQUAL "sgx")
add_enclave_library(ccf_endpoints.enclave "${CCF_ENDPOINTS_SOURCES}")
target_include_directories(
ccf_endpoints.enclave PRIVATE ${CCF_DIR}/src/endpoints
)
target_link_libraries(
ccf_endpoints.enclave
PUBLIC qcbor.enclave t_cose.enclave http_parser.enclave ccfcrypto.enclave
ccf_kv.enclave
)
add_warning_checks(ccf_endpoints.enclave)
install(
TARGETS ccf_endpoints.enclave
EXPORT ccf
DESTINATION lib
)
elseif(COMPILE_TARGET STREQUAL "snp")
if(COMPILE_TARGET STREQUAL "snp")
add_host_library(ccf_endpoints.snp "${CCF_ENDPOINTS_SOURCES}")
target_include_directories(ccf_endpoints.snp PRIVATE ${CCF_DIR}/src/endpoints)
target_link_libraries(
Expand Down Expand Up @@ -497,16 +412,7 @@ set(CCF_NETWORK_TEST_ARGS
)

set(JS_GENERIC_SOURCES ${CCF_DIR}/src/apps/js_generic/js_generic_base.cpp)
if(COMPILE_TARGET STREQUAL "sgx")
add_enclave_library(js_generic_base.enclave ${JS_GENERIC_SOURCES})
target_link_libraries(js_generic_base.enclave PUBLIC ccf.enclave)
add_lvi_mitigations(js_generic_base.enclave)
install(
TARGETS js_generic_base.enclave
EXPORT ccf
DESTINATION lib
)
elseif(COMPILE_TARGET STREQUAL "snp")
if(COMPILE_TARGET STREQUAL "snp")
add_library(js_generic_base.snp STATIC ${JS_GENERIC_SOURCES})
add_san(js_generic_base.snp)
add_warning_checks(js_generic_base.snp)
Expand Down Expand Up @@ -545,10 +451,6 @@ add_ccf_app(
LINK_LIBS_VIRTUAL js_generic_base.virtual
LINK_LIBS_SNP js_generic_base.snp INSTALL_LIBS ON
)
sign_app_library(
js_generic.enclave ${CCF_DIR}/src/apps/js_generic/oe_sign.conf
${CMAKE_CURRENT_BINARY_DIR}/signing_key.pem INSTALL_LIBS ON
)
# SNIPPET_END: JS generic application

install(DIRECTORY ${CCF_DIR}/samples/apps/logging/js
Expand Down Expand Up @@ -632,54 +534,8 @@ set(CCF_IMPL_SOURCE
${CCF_DIR}/src/enclave/thread_local.cpp ${CCF_DIR}/src/node/quote.cpp
)

if(COMPILE_TARGET STREQUAL "sgx")
# enclave version
add_enclave_library(
ccf.enclave ${CCF_IMPL_SOURCE} ${CCF_GENERATED_DIR}/ccf_t.cpp
)

# PLATFORM_SGX to initialise Open Enclave SGX enclave creation and
# SGX_ATTESTATION_VERIFICATION to verify SGX attestation reports.
target_compile_definitions(
ccf.enclave PUBLIC PLATFORM_SGX SGX_ATTESTATION_VERIFICATION
)

add_warning_checks(ccf.enclave)

target_include_directories(
ccf.enclave SYSTEM
PUBLIC
$<BUILD_INTERFACE:${CCF_GENERATED_DIR}>
$<INSTALL_INTERFACE:include/ccf/> #< This contains the private headers
#< which are currently under src, and
#< should be removed or renamed
$<INSTALL_INTERFACE:include/>
$<INSTALL_INTERFACE:include/3rdparty/>
)

target_link_libraries(
ccf.enclave
PUBLIC http_parser.enclave
sss.enclave
ccf_js.enclave
ccf_endpoints.enclave
ccfcrypto.enclave
ccf_kv.enclave
nghttp2.enclave
)

add_lvi_mitigations(ccf.enclave)

install(
TARGETS ccf.enclave
EXPORT ccf
DESTINATION lib
)

add_dependencies(ccf ccf.enclave)

# Same as virtual for the time being but will diverge soon
elseif(COMPILE_TARGET STREQUAL "snp")
# Same as virtual for the time being but will diverge soon
if(COMPILE_TARGET STREQUAL "snp")

# SNP version
add_library(ccf.snp STATIC ${CCF_IMPL_SOURCE})
Expand Down Expand Up @@ -831,16 +687,6 @@ install(FILES samples/constitutions/default/apply.js DESTINATION bin)
install(FILES tests/start_network.py DESTINATION bin)
install(FILES tests/requirements.txt DESTINATION bin)

# Generate an ephemeral signing key
add_custom_command(
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/signing_key.pem
COMMAND openssl genrsa -out ${CMAKE_CURRENT_BINARY_DIR}/signing_key.pem -3
3072
)
add_custom_target(
signing_key ALL DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/signing_key.pem
)

# Add sample apps
add_subdirectory(${CCF_DIR}/samples)

Expand Down Expand Up @@ -1134,17 +980,14 @@ if(BUILD_TESTS)
PROPERTY ENVIRONMENT "ASAN_OPTIONS=alloc_dealloc_mismatch=0"
)

if(NOT UNSAFE_VERSION)
# Unsafe builds do not follow normal version conventions
add_test(NAME versionifier_test
COMMAND ${PYTHON}
${CMAKE_SOURCE_DIR}/python/src/ccf/_versionifier.py
)
add_test(NAME versionifier_test
COMMAND ${PYTHON}
${CMAKE_SOURCE_DIR}/python/src/ccf/_versionifier.py
)

add_test(NAME github_version_lts_test
COMMAND ${PYTHON} ${CMAKE_SOURCE_DIR}/tests/infra/github.py
)
endif()
add_test(NAME github_version_lts_test
COMMAND ${PYTHON} ${CMAKE_SOURCE_DIR}/tests/infra/github.py
)
endif()

if(NOT TSAN)
Expand Down Expand Up @@ -1463,9 +1306,7 @@ if(BUILD_TESTS)
list(APPEND LTS_TEST_ARGS --check-ledger-compatibility)
endif()

if(NOT UNSAFE_VERSION AND NOT SAN)
# Unsafe builds do not follow normal version conventions LTS nodes may
# also require different runtime libraries
if(NOT SAN)
add_e2e_test(
NAME lts_compatibility
PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/lts_compatibility.py
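Review bot: `set(OE_BINDIR "")` is added without explanation in the ccf_js hunk, just before the `if(COMPILE_TARGET STREQUAL "snp")` branch; it reads as a leftover of the Open Enclave toolchain lookup this commit removes, and the empty value is presumably still consumed by something outside the hunk (test or install helpers). Either drop it if nothing references it any more, or say why it must stay, e.g. `# OE_BINDIR is intentionally empty: helpers that still accept an Open Enclave bin dir treat it as absent until they are removed`. Separately, the versionifier_test/github_version_lts_test hunk and the lts_compatibility hunk drop the `NOT UNSAFE_VERSION` guard with no replacement; if UNSAFE_VERSION is still a supported configuration elsewhere in this file, those tests will now be registered for builds whose version strings do not follow the normal convention, so the removal deserves a short note in the commit message or a comment at the `add_test(NAME versionifier_test` line.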