Enable tests in SGX HW-mode (locally)

docker/Makefile

@@ -45,6 +45,7 @@ DOCKER_BUILDARGS += --build-arg PDO_HOSTNAME=$(PDO_HOSTNAME)
 DOCKER_BUILDARGS += --build-arg PDO_LEDGER_URL=$(PDO_LEDGER_URL)
 DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
+DOCKER_BUILDARGS += --build-arg SGX_MODE=$(SGX_MODE)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
 
 IMAGES=base client services_base services ccf_base ccf
@@ -109,14 +110,27 @@ TEST_FILES += -f services_base.yaml
 TEST_FILES += -f ccf_base.yaml
 TEST_FILES += -f test.yaml
 
+DOCKER_COMPOSE_COMMAND=docker-compose
+
+ifeq ($(SGX_MODE),HW)
+	TEST_FILES += -f test-sgx-hw-mode.yaml
+	SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+					then echo "/dev/isgx"; \
+					elif [ -e "/dev/sgx/enclave" ]; \
+						then echo "/dev/sgx/enclave"; \
+					else echo "ERROR: NO SGX DEVICE FOUND"; \
+					fi)
+	DOCKER_COMPOSE_COMMAND := env SGX_MODE=$(SGX_MODE) SGX_DEVICE_PATH=${SGX_DEVICE_PATH} ${DOCKER_COMPOSE_COMMAND}
+endif
+
 build_test : repository
 	PDO_USER_UID=$(PDO_USER_UID) PDO_GROUP_UID=$(PDO_GROUP_UID) \
-		docker-compose $(TEST_FILES) build \
+		$(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) build \
 			--build-arg PDO_VERSION=$(shell cd repository; bin/get_version)
 
 test : clean_config clean_repository build_base build_services_base build_ccf_base build_test
-	docker-compose $(TEST_FILES) up --abort-on-container-exit
-	docker-compose $(TEST_FILES) down
+	$(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) up --abort-on-container-exit
+	$(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) down
 
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away

docker/test-sgx-hw-mode.yaml

@@ -0,0 +1,26 @@
+# Copyright 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+version: "3.4"
+
+services:
+  services_container:
+    build:
+      args:
+        SGX_MODE: HW
+    volumes:
+      - /var/run/aesmd:/var/run/aesmd
+    devices:
+      - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx}
+

docker/tools/environment.sh

@@ -56,7 +56,7 @@ fi
 
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves
-export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem
+export PDO_ENCLAVE_CODE_SIGN_PEM=/tmp/enclave_code_sign.pem
 
 # these are only used for configuration and registration
 # they are not used at build or run time

docker/tools/run_services_tests.sh

@@ -21,7 +21,8 @@ source ${PDO_HOME}/bin/lib/common.sh
 
 export PDO_HOSTNAME=localhost
 export PDO_LEDGER_ADDRESS=$(force_to_ip ${PDO_HOSTNAME})
-export PDO_LEDGER_URL="http://${PDO_LEDGER_ADDRESS}:6600"
+export PDO_LEDGER_PORT=6600
+export PDO_LEDGER_URL="http://${PDO_LEDGER_ADDRESS}:${PDO_LEDGER_PORT}"
 
 export no_proxy=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$no_proxy
 export NO_PROXY=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$NO_PROXY

eservice/bin/register-with-ledger.sh

@@ -84,11 +84,14 @@ function Register {
         VAR_BASENAME=$(grep -o 'BASENAME:.*' ${eservice_enclave_info_file} | cut -f2- -d:)
 
         : "${PDO_LEDGER_URL:?Registration failed! PDO_LEDGER_URL environment variable not set}"
+        : "${PDO_LEDGER_ADDRESS:?Registration failed! PDO_LEDGER_ADDRESS environment variable not set}"
+        : "${PDO_LEDGER_PORT:?Registration failed! PDO_LEDGER_PORT environment variable not set}"
         : "PDO_IAS_KEY_PEM" "${PDO_IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 
         if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
             try ${SRCDIR}/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py --logfile __screen__ --loglevel INFO \
-                --check_attestation --mrenclave ${VAR_MRENCLAVE} --basename  ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)"
+                --check-attestation --mrenclave ${VAR_MRENCLAVE} --basename  ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)" \
+                --interface ${PDO_LEDGER_ADDRESS} --port ${PDO_LEDGER_PORT}
         else
             die unsupported ledger ${PDO_LEDGER_TYPE}
         fi

ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py

@@ -29,6 +29,20 @@
 ## -----------------------------------------------------------------
 ContractHome = os.environ.get("PDO_HOME") or os.path.realpath("/opt/pdo")
 CCF_Keys = os.environ.get("PDO_LEDGER_KEY_ROOT") or os.path.join(ContractHome, "ccf", "keys")
+XFER_Dir = os.environ.get("XFER_DIR") or os.path.realpath("/opt/pdo")
+CCF_XFER_Keys = os.path.join(XFER_Dir, "ccf", "keys")
+
+# -----------------------------------------------------------------
+def locate_ccf_keys():
+    for keys_path in [CCF_Keys, CCF_XFER_Keys] :
+        # let's try to find one
+        #kp = os.path.join(keys_path, "networkcert.pem")
+        kp = os.path.join(keys_path, "memberccf_cert.pem")
+        if os.path.exists(kp) :
+            LOG.info('ccf keys located in {}'.format(keys_path))
+            return keys_path
+
+    return None
 
 # -----------------------------------------------------------------
 def register_enclave_attestation_policy(client, options):
@@ -55,8 +69,6 @@ def register_enclave_attestation_policy(client, options):
 
 # -----------------------------------------------------------------
 def Main() :
-    default_output = os.path.join(CCF_Keys, 'ledger_authority.pem')
-
     parser = argparse.ArgumentParser(description='Fetch the ledger authority key from a CCF server')
 
     parser.add_argument(
@@ -95,17 +107,22 @@ def Main() :
         LOG.add(options.logfile)
 
     # -----------------------------------------------------------------
-    network_cert = os.path.join(CCF_Keys, "networkcert.pem")
+    keys_path = locate_ccf_keys()
+    if not keys_path:
+        LOG.error('cannot locate CCF keys')
+        sys.exit(-1)
+
+    network_cert = os.path.join(keys_path, "networkcert.pem")
     if not os.path.exists(network_cert) :
         LOG.error('network certificate ({}) does not exist'.format(network_cert))
         sys.exit(-1)
 
-    member_cert = os.path.join(CCF_Keys, "{}_cert.pem".format(options.member_name))
+    member_cert = os.path.join(keys_path, "{}_cert.pem".format(options.member_name))
     if not os.path.exists(member_cert) :
         LOG.error('member certificate ({}) does not exist'.format(member_cert))
         sys.exit(-1)
 
-    member_key = os.path.join(CCF_Keys, "{}_privk.pem".format(options.member_name))
+    member_key = os.path.join(keys_path, "{}_privk.pem".format(options.member_name))
     if not os.path.exists(member_key) :
         LOG.error('member key ({}) does not exist'.format(member_key))
         sys.exit(-1)