From 0b5390d554d51011ad94c8dd4aa864eef7c1dbed Mon Sep 17 00:00:00 2001
From: Bruno Vavala
Date: Fri, 19 Jan 2024 06:32:00 +0000
Subject: [PATCH] enable hw mode tests

Signed-off-by: Bruno Vavala
---
 docker/Makefile | 20 +++++++++++---
 docker/test-sgx-hw-mode.yaml | 26 ++++++++++++++++++
 docker/tools/environment.sh | 2 +-
 docker/tools/run_services_tests.sh | 3 ++-
 eservice/bin/register-with-ledger.sh | 5 +++-
 ...enclave_attestation_verification_policy.py | 27 +++++++++++++++----
 6 files changed, 72 insertions(+), 11 deletions(-)
 create mode 100644 docker/test-sgx-hw-mode.yaml

diff --git a/docker/Makefile b/docker/Makefile
index 45a9e44c..93cad1ac 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -45,6 +45,7 @@ DOCKER_BUILDARGS += --build-arg PDO_HOSTNAME=$(PDO_HOSTNAME)
 DOCKER_BUILDARGS += --build-arg PDO_LEDGER_URL=$(PDO_LEDGER_URL)
 DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
+DOCKER_BUILDARGS += --build-arg SGX_MODE=$(SGX_MODE)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
 
 IMAGES=base client services_base services ccf_base ccf
@@ -109,14 +110,27 @@ TEST_FILES += -f services_base.yaml
 TEST_FILES += -f ccf_base.yaml
 TEST_FILES += -f test.yaml
 
+DOCKER_COMPOSE_COMMAND=docker-compose
+
+ifeq ($(SGX_MODE),HW)
+  TEST_FILES += -f test-sgx-hw-mode.yaml
+  SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+    then echo "/dev/isgx"; \
+    elif [ -e "/dev/sgx/enclave" ]; \
+    then echo "/dev/sgx/enclave"; \
+    else echo "ERROR: NO SGX DEVICE FOUND"; \
+    fi)
+  DOCKER_COMPOSE_COMMAND := env SGX_MODE=$(SGX_MODE) SGX_DEVICE_PATH=${SGX_DEVICE_PATH} ${DOCKER_COMPOSE_COMMAND}
+endif
+
 build_test : repository
 	PDO_USER_UID=$(PDO_USER_UID) PDO_GROUP_UID=$(PDO_GROUP_UID) \
-	docker-compose $(TEST_FILES) build \
+	$(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) build \
 	--build-arg PDO_VERSION=$(shell cd repository; bin/get_version)
 
 test : clean_config clean_repository build_base build_services_base build_ccf_base build_test
-	docker-compose $(TEST_FILES) up --abort-on-container-exit
-	docker-compose $(TEST_FILES) down
+	$(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) up --abort-on-container-exit
+	$(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) down
 
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away
diff --git a/docker/test-sgx-hw-mode.yaml b/docker/test-sgx-hw-mode.yaml
new file mode 100644
index 00000000..fb0ea2a2
--- /dev/null
+++ b/docker/test-sgx-hw-mode.yaml
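Review bot: When neither /dev/isgx nor /dev/sgx/enclave exists, the `$(shell ...)` probe sets SGX_DEVICE_PATH to the literal text `ERROR: NO SGX DEVICE FOUND` and the build carries on; that string is then handed to docker-compose as a device path, so the failure surfaces later and obscurely instead of at make time. Have the else branch echo nothing (`else :; \`) and fail in make right after the assignment: `$(if $(SGX_DEVICE_PATH),,$(error SGX_MODE=HW but no SGX device node (/dev/isgx or /dev/sgx/enclave) was found))`. Mainline kernels (5.11 and later) expose the in-kernel driver as /dev/sgx_enclave rather than /dev/sgx/enclave, so the probe may also miss hosts using that driver — worth confirming against the target machines. The DOCKER_COMPOSE_COMMAND line mixes `$(...)` and `${...}` for make variables; one form would read better.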
@@ -0,0 +1,26 @@
+# Copyright 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+version: "3.4"
+
+services:
+  services_container:
+    build:
+      args:
+        SGX_MODE: HW
+    volumes:
+      - /var/run/aesmd:/var/run/aesmd
+    devices:
+      - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx}
+
diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh
index 41313b96..ce664b13 100755
--- a/docker/tools/environment.sh
+++ b/docker/tools/environment.sh
@@ -56,7 +56,7 @@ fi
 
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves
-export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem
+export PDO_ENCLAVE_CODE_SIGN_PEM=/tmp/enclave_code_sign.pem
 
 # these are only used for configuration and registration
 # they are not used at build or run time
diff --git a/docker/tools/run_services_tests.sh b/docker/tools/run_services_tests.sh
index b1a2c949..333fd506 100755
--- a/docker/tools/run_services_tests.sh
+++ b/docker/tools/run_services_tests.sh
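Review bot: The `${SGX_DEVICE_PATH:-/dev/isgx}` fallback on the devices line silently substitutes /dev/isgx when the variable is unset, which hides a Makefile probe that found nothing and makes compose fail on a missing device rather than on the real cause. This file is only included in HW mode, where the Makefile always exports the variable, so a hard requirement is clearer: `- ${SGX_DEVICE_PATH:?SGX_DEVICE_PATH must name the SGX device node}:${SGX_DEVICE_PATH:?SGX_DEVICE_PATH must name the SGX device node}`. The file also says nothing about why it exposes two host resources to the container; a comment above `volumes:` such as `# HW mode only: the in-container SGX runtime reaches the host's aesmd through this socket and needs the enclave device node passed through` would help the next reader. The copyright year (2023) on a file created in January 2024 is presumably a paste-over.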
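Review bot: Moving the enclave code-signing key to `/tmp/enclave_code_sign.pem` puts the private key that signs the eservice and pservice enclaves (per the comment just above) into a world-writable shared directory under a fixed name, where any other local user can pre-create or swap the file before the build reads it; the previous `${PDO_SGX_KEY_ROOT}` location was at least under the project's key root. If the build runs in a single-user container this is mostly hygiene, but the commit gives no reason for the move, and the comment should state it — presumably so the key is generated per build and never copied into the image (confirm). A safer form that keeps that property is a private per-build directory, e.g. `export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_ENCLAVE_CODE_SIGN_PEM:-${PDO_SGX_KEY_ROOT}/build/enclave_code_sign.pem}` with that directory created mode 0700, or `$(mktemp -d)` if every build stage sees the same environment.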
@@ -21,7 +21,8 @@ source ${PDO_HOME}/bin/lib/common.sh
 
 export PDO_HOSTNAME=localhost
 export PDO_LEDGER_ADDRESS=$(force_to_ip ${PDO_HOSTNAME})
-export PDO_LEDGER_URL="http://${PDO_LEDGER_ADDRESS}:6600"
+export PDO_LEDGER_PORT=6600
+export PDO_LEDGER_URL="http://${PDO_LEDGER_ADDRESS}:${PDO_LEDGER_PORT}"
 export no_proxy=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$no_proxy
 export NO_PROXY=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$NO_PROXY
 
diff --git a/eservice/bin/register-with-ledger.sh b/eservice/bin/register-with-ledger.sh
index 7b34ffe8..35fc7973 100755
--- a/eservice/bin/register-with-ledger.sh
+++ b/eservice/bin/register-with-ledger.sh
@@ -84,11 +84,14 @@ function Register {
     VAR_BASENAME=$(grep -o 'BASENAME:.*' ${eservice_enclave_info_file} | cut -f2- -d:)
 
     : "${PDO_LEDGER_URL:?Registration failed! PDO_LEDGER_URL environment variable not set}"
+    : "${PDO_LEDGER_ADDRESS:?Registration failed! PDO_LEDGER_ADDRESS environment variable not set}"
+    : "${PDO_LEDGER_PORT:?Registration failed! PDO_LEDGER_PORT environment variable not set}"
     : "PDO_IAS_KEY_PEM" "${PDO_IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 
     if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
         try ${SRCDIR}/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py --logfile __screen__ --loglevel INFO \
-            --check_attestation --mrenclave ${VAR_MRENCLAVE} --basename ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)"
+            --check-attestation --mrenclave ${VAR_MRENCLAVE} --basename ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)" \
+            --interface ${PDO_LEDGER_ADDRESS} --port ${PDO_LEDGER_PORT}
     else
         die unsupported ledger ${PDO_LEDGER_TYPE}
     fi
diff --git a/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py b/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py
index de3a5ab7..7a415d9a 100755
--- a/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py
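Review bot: Registration now takes its ledger endpoint from PDO_LEDGER_ADDRESS and PDO_LEDGER_PORT (the new `--interface`/`--port` arguments) while still demanding PDO_LEDGER_URL, and nothing checks that the three agree; if they drift apart the attestation verification policy (MRENCLAVE, basename, IAS key) is registered against a different ledger than the one PDO_LEDGER_URL names, with no error. Add a guard after the two new `:` checks, e.g. `case "${PDO_LEDGER_URL}" in *"${PDO_LEDGER_ADDRESS}:${PDO_LEDGER_PORT}"*) ;; *) die "PDO_LEDGER_URL does not match PDO_LEDGER_ADDRESS:PDO_LEDGER_PORT" ;; esac`, or derive the two values from the URL so there is one source of truth. The unquoted `${VAR_MRENCLAVE}` and `${VAR_BASENAME}` expansions are pre-existing but would be worth quoting while this line is being touched. The Register function begins outside the hunk.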
+++ b/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py
@@ -29,6 +29,20 @@
 ## -----------------------------------------------------------------
 ContractHome = os.environ.get("PDO_HOME") or os.path.realpath("/opt/pdo")
 CCF_Keys = os.environ.get("PDO_LEDGER_KEY_ROOT") or os.path.join(ContractHome, "ccf", "keys")
+XFER_Dir = os.environ.get("XFER_DIR") or os.path.realpath("/opt/pdo")
+CCF_XFER_Keys = os.path.join(XFER_Dir, "ccf", "keys")
+
+# -----------------------------------------------------------------
+def locate_ccf_keys():
+    for keys_path in [CCF_Keys, CCF_XFER_Keys] :
+        # let's try to find one
+        #kp = os.path.join(keys_path, "networkcert.pem")
+        kp = os.path.join(keys_path, "memberccf_cert.pem")
+        if os.path.exists(kp) :
+            LOG.info('ccf keys located in {}'.format(keys_path))
+            return keys_path
+
+    return None
 
 # -----------------------------------------------------------------
 def register_enclave_attestation_policy(client, options):
@@ -55,8 +69,6 @@ def register_enclave_attestation_policy(client, options):
 
 # -----------------------------------------------------------------
 def Main() :
-    default_output = os.path.join(CCF_Keys, 'ledger_authority.pem')
-
     parser = argparse.ArgumentParser(description='Fetch the ledger authority key from a CCF server')
     parser.add_argument(
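Review bot: `locate_ccf_keys` picks the key directory by probing for the hard-coded `memberccf_cert.pem`, but its caller goes on to load `{member_name}_cert.pem` and `{member_name}_privk.pem` for whatever member name was passed on the command line; with any other member name the locator can choose a directory that lacks that member's credentials, or skip the one that has them, and the eventual error then points at the wrong path. Take the member name as a parameter and probe for the file actually needed: `def locate_ccf_keys(member_name):` with `kp = os.path.join(keys_path, "{}_cert.pem".format(member_name))`, and have Main pass `options.member_name`. The commented-out `#kp = ... networkcert.pem` line should be dropped, and the function wants a docstring saying it returns the first of CCF_Keys then CCF_XFER_Keys that holds the member certificate, or None. Note that XFER_Dir defaults to the same /opt/pdo as ContractHome, so with neither XFER_DIR nor PDO_LEDGER_KEY_ROOT set both candidates are the same directory and the fallback is a no-op.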
@@ -95,17 +107,22 @@ def Main() :
     LOG.add(options.logfile)
 
     # -----------------------------------------------------------------
-    network_cert = os.path.join(CCF_Keys, "networkcert.pem")
+    keys_path = locate_ccf_keys()
+    if not keys_path:
+        LOG.error('cannot locate CCF keys')
+        sys.exit(-1)
+
+    network_cert = os.path.join(keys_path, "networkcert.pem")
     if not os.path.exists(network_cert) :
         LOG.error('network certificate ({}) does not exist'.format(network_cert))
         sys.exit(-1)
 
-    member_cert = os.path.join(CCF_Keys, "{}_cert.pem".format(options.member_name))
+    member_cert = os.path.join(keys_path, "{}_cert.pem".format(options.member_name))
     if not os.path.exists(member_cert) :
         LOG.error('member certificate ({}) does not exist'.format(member_cert))
         sys.exit(-1)
 
-    member_key = os.path.join(CCF_Keys, "{}_privk.pem".format(options.member_name))
+    member_key = os.path.join(keys_path, "{}_privk.pem".format(options.member_name))
     if not os.path.exists(member_key) :
         LOG.error('member key ({}) does not exist'.format(member_key))
         sys.exit(-1)
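Review bot: The new failure path `LOG.error('cannot locate CCF keys')` tells the operator nothing about where the script looked, unlike the three existence checks right below it that each print the offending path; since the locator searches a fixed pair of directories, name them: `LOG.error('cannot locate CCF keys in {} or {}'.format(CCF_Keys, CCF_XFER_Keys))`. The added `sys.exit(-1)` follows the file's existing convention, but -1 becomes exit status 255 on POSIX, so any caller that tests for a specific non-zero code (the shell `try` wrapper in register-with-ledger.sh, whose semantics are not visible here) sees 255 rather than 1; `sys.exit(1)` is the conventional failure code if that matters. Main's body continues outside the hunk.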