Skip to content

Latest commit

 

History

History
166 lines (117 loc) · 4.21 KB

BUILD_INSTRUCTIONS.markdown

File metadata and controls

166 lines (117 loc) · 4.21 KB

Building Veracruz on Intel SGX and Arm TrustZone

Local build environment setup

We use Docker to provide a consistent build environment, and have prepared a dedicated Docker image for this task. First, clone the Docker image:

git clone https://github.com/veracruz-project/veracruz-docker-image.git

Before the Docker image can be built, you neeed to have a local copy of the Veracruz git repo. Moreover, if you are building for an Intel platform, you will also need an Intel Attestation Service access token. You can get this token after creating an account here:

https://api.portal.trustedservices.intel.com/EPID-attestation

Clone the Veracruz repository:

git clone [email protected]:veracruz-project/veracruz.git --recursive
export VERACRUZ_ROOT=$PWD/veracruz

Once you have a local copy of the Veracruz source and your token:

cd veracruz-docker-image
make IAS_TOKEN=<your Intel Attestation Service token>

Note that building the Docker image will take a long time (we appreciate any suggestions on how this can be sped up!)

Optional: if you want to use the Docker BuildKit back end, which may speed things up, then set DOCKER_BUILDKIT, as follows:

DOCKER_BUILDKIT=1 make

Once the image has built there should be a Docker container running, called "veracruz". You can now start a shell in the newly created container:

docker exec -u <your username> -it 'veracruz' bash

Instructions for SGX

You can manual build by running:

source /work/veracruz/sgx_env.sh

cd /work/veracruz/mexico-city/
make

cd /work/veracruz/sinaloa/
make

Alternatively, the sgx built target in the top-level Veracruz Makefile will do the same as above. Type:

make sgx

With that, all major sub-components of Veracruz (including the SDK) will be built for SGX.

Now, to run the Sinaloa tests. Simply run:

make sgx-sinaloa-test

You should see that all (7) tests pass. Now, to run the full system integration tests:

make sgx-veracruz-test

All (8) tests should pass.

Instructions for TrustZone

In a new, different Docker bash shell than has been used to build or test Veracruz on SGX, first setup your local environment:

cd /work/rust-optee-trustzone-sdk/
source environment
source $CARGO_HOME/env

Now that your environment is set up, build the enclave binary by executing the trustzone build target in the root directory of Veracruz:

make trustzone

Everything is now built for TrustZone, and the Sinaloa and Veracruz integration tests can now be run:

make trustzone-sinaloa-test

and

make trustzone-veracruz-test

will execute both of these testsuites. You, again, should see 7 and 8 tests executing and passing, respectively.

Cleaning a build

The Veracruz Makefile exposes a build target, clean, which recursively invokes cargo clean for each major subcomponent of the project. However, sometimes this is not enough to fix a broken build environment (note that this is common when using xargo to build e.g. the examples, or the rest of the SDK). In that case, it is useful to also delete the contents of the ~/.xargo directory, in addition to the standard clean build process described above.

What to do when your kernel version changes

Note: All of the commands below need to be run on the host operating system, not inside a Docker container.

When your Linux kernel gets updated, it does not update the SGX kernel module with it, and therefore this needs to be rebuilt and reinstalled. You can tell when this has happened by running:

sudo lsmod | grep sgx

If you get no results, you need to reinstall the SGX kernel module.

Following the directions for installing the module for your new kernel from here: https://github.com/intel/linux-sgx-driver.

Rebuild the linux-sgx-driver by running make, then:

sudo mkdir -p "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
sudo cp isgx.ko "/lib/modules/"`uname -r`"/kernel/drivers/intel/sgx"
sudo /sbin/depmod
sudo /sbin/modprobe isgx

Generating the certificates

Cryptographic certificates can be generated by using the following openssl invocation:

openssl req -new -x509 -key <key filename> -sha256 -nodes -days 3650 -out <certificate filename> -config cert.conf