We use Docker to provide a consistent build environment, and have prepared a dedicated Docker image for this task. First, clone the Docker image repository:
git clone https://github.com/veracruz-project/veracruz-docker-image.git
Before the Docker image can be built, you need to have a local copy of the Veracruz git repo. Moreover, if you are building for an Intel platform, you will also need an Intel Attestation Service access token. You can get this token after creating an account here:
https://api.portal.trustedservices.intel.com/EPID-attestation
Clone the Veracruz repository:
git clone git@github.com:veracruz-project/veracruz.git --recursive
export VERACRUZ_ROOT=$PWD/veracruz
Once you have a local copy of the Veracruz source and your token:
cd veracruz-docker-image
make IAS_TOKEN=<your Intel Attestation Service token>
Note that building the Docker image will take a long time (we appreciate any suggestions on how this can be sped up!).
Optional: if you want to use the Docker BuildKit back end, which may speed things up, then set DOCKER_BUILDKIT, as follows:
DOCKER_BUILDKIT=1 make
Once the image has built there should be a Docker container running, called "veracruz". You can now start a shell in the newly created container:
docker exec -u <your username> -it 'veracruz' bash
You can build manually by running:
source /work/veracruz/sgx_env.sh
cd /work/veracruz/mexico-city/
make
cd /work/veracruz/sinaloa/
make
Alternatively, the sgx build target in the top-level Veracruz Makefile will do the same as above. Type:
make sgx
With that, all major sub-components of Veracruz (including the SDK) will be built for SGX.
Now, to run the Sinaloa tests, simply run:
make sgx-sinaloa-test
You should see that all (7) tests pass. Now, to run the full system integration tests:
make sgx-veracruz-test
All (8) tests should pass.
In a new Docker bash shell, different from the one used to build or test Veracruz on SGX, first set up your local environment:
cd /work/rust-optee-trustzone-sdk/
source environment
source $CARGO_HOME/env
Now that your environment is set up, build the enclave binary by executing the trustzone build target in the root directory of Veracruz:
make trustzone
Everything is now built for TrustZone, and the Sinaloa and Veracruz integration tests can now be run:
make trustzone-sinaloa-test
and
make trustzone-veracruz-test
will execute both of these test suites. Again, you should see 7 and 8 tests executing and passing, respectively.
The Veracruz Makefile exposes a build target, clean, which recursively invokes cargo clean for each major subcomponent of the project. However, sometimes this is not enough to fix a broken build environment (note that this is common when using xargo to build e.g. the examples, or the rest of the SDK). In that case, it is useful to also delete the contents of the ~/.xargo directory, in addition to the standard clean build process described above.
Note: All of the commands below need to be run on the host operating system, not inside a Docker container.
When your Linux kernel gets updated, the SGX kernel module is not updated with it, so the module needs to be rebuilt and reinstalled. You can tell when this has happened by running:
sudo lsmod | grep sgx
If you get no results, you need to reinstall the SGX kernel module.
Follow the directions for installing the module for your new kernel here: https://github.com/intel/linux-sgx-driver.
Rebuild the linux-sgx-driver by running make, then:
sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
sudo /sbin/depmod
sudo /sbin/modprobe isgx
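An added check for the host-side procedure above (not part of the Veracruz documentation): it tells apart a driver that is loaded, one that is installed for a given kernel release but not loaded, and one that is missing for that release. The function names and state strings are hypothetical, and the sample lsmod text is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Veracruz docs): diagnose the isgx driver state.

# sgx_module_state <kernel-release> [modules-root]   (lsmod output on stdin)
# Prints one of: loaded | installed-not-loaded | missing
sgx_module_state() {
    local release="$1" root="${2:-/lib/modules}"
    # Install path taken from the cp command in the instructions above.
    local ko="$root/$release/kernel/drivers/intel/sgx/isgx.ko"
    # lsmod columns are "Module Size Used-by"; compare the name column exactly
    # so a module that merely contains "sgx" in its name does not match.
    if awk '$1 == "isgx" { found = 1 } END { exit !found }'; then
        echo loaded
    elif [ -f "$ko" ]; then
        echo installed-not-loaded
    else
        echo missing
    fi
}

# sgx_next_step <state>: map a state to the matching step of the procedure.
sgx_next_step() {
    case "$1" in
        loaded)               echo "nothing to do" ;;
        installed-not-loaded) echo "run: sudo /sbin/depmod && sudo /sbin/modprobe isgx" ;;
        missing)              echo "rebuild linux-sgx-driver and reinstall isgx.ko for this kernel" ;;
        *)                    echo "unknown state: $1" >&2; return 1 ;;
    esac
}

# Constructed sample lsmod output (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
isgx                   49152  2
nls_utf8               16384  1'

state=$(printf '%s\n' "$SAMPLE_LSMOD" | sgx_module_state "5.4.0-constructed")
echo "sample host: $state -> $(sgx_next_step "$state")"
# On a real host: lsmod | sgx_module_state "$(uname -r)"
```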
Cryptographic certificates can be generated by using the following openssl invocation:
openssl req -new -x509 -key <key filename> -sha256 -nodes -days 3650 -out <certificate filename> -config cert.conf