From ba53c10a84e6bdaaac2240d6749ffd8709c89ceb Mon Sep 17 00:00:00 2001 From: Chris Yan Date: Thu, 11 Nov 2021 13:35:27 -0800 Subject: [PATCH 1/2] Fix AMI builds Use paths for driver validation Use different host devices for Docker Signed-off-by: Chris Yan --- .../build_azure_managed_images.Jenkinsfile | 36 ++++++++-------- .../ubuntu-18.04-variables.json | 2 +- .../ubuntu-20.04-variables.json | 2 +- .jenkins/library/vars/helpers.groovy | 41 +++++++++++++++++++ .jenkins/library/vars/tests.groovy | 16 ++++++-- .../linux/intel/tasks/driver-validation.yml | 8 ++-- 6 files changed, 77 insertions(+), 28 deletions(-) diff --git a/.jenkins/infrastructure/build_azure_managed_images.Jenkinsfile b/.jenkins/infrastructure/build_azure_managed_images.Jenkinsfile index 314f0cab4a..116bf9b2dd 100644 --- a/.jenkins/infrastructure/build_azure_managed_images.Jenkinsfile +++ b/.jenkins/infrastructure/build_azure_managed_images.Jenkinsfile @@ -5,7 +5,7 @@ import java.time.* import java.time.format.DateTimeFormatter OECI_LIB_VERSION = env.OECI_LIB_VERSION ?: "master" -oe = library("OpenEnclaveCommon@${OECI_LIB_VERSION}").jenkins.common.Openenclave.new() +library "OpenEnclaveJenkinsLibrary@${params.OECI_LIB_VERSION}" GLOBAL_TIMEOUT_MINUTES = 480 @@ -59,7 +59,7 @@ def buildLinuxManagedImage(String os_type, String version, String image_id, Stri --gallery-image-definition ${os_type}-${version} \ --gallery-image-version ${gallery_image_version} """ - oe.azureEnvironment(az_cleanup_existing_image_version_script, params.OE_DEPLOY_IMAGE) + common.azureEnvironment(az_cleanup_existing_image_version_script, params.OE_DEPLOY_IMAGE) } stage("Run Packer Job") { timeout(GLOBAL_TIMEOUT_MINUTES) { 
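Review bot: The new `library "OpenEnclaveJenkinsLibrary@${params.OECI_LIB_VERSION}"` takes the shared-library version straight from a job parameter, which leaves the `OECI_LIB_VERSION = env.OECI_LIB_VERSION ?: "master"` fallback kept on the line above dead, and a run without that parameter would resolve to `OpenEnclaveJenkinsLibrary@null`. Keep one source of truth, e.g. `library "OpenEnclaveJenkinsLibrary@${params.OECI_LIB_VERSION ?: OECI_LIB_VERSION}"`, or delete the unused global. Because whoever triggers the build now picks which branch of pipeline Groovy executes with this job's credentials, it is worth confirming that the library is registered in Jenkins without "allow default version to be overridden" or that the parameter is constrained to known refs; that configuration is not visible in this patch.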
@@ -69,11 +69,11 @@ def buildLinuxManagedImage(String os_type, String version, String image_id, Stri usernamePassword(credentialsId: JENKINS_USER_CREDS_ID, usernameVariable: "SSH_USERNAME", passwordVariable: "SSH_PASSWORD")]) { - def cmd = ("packer build -force " + - "-var-file=${WORKSPACE}/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/${os_type}-${version}-variables.json " + - "${WORKSPACE}/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/packer-${os_type}.json") - oe.exec_with_retry(10, 60) { - oe.azureEnvironment(cmd, params.OE_DEPLOY_IMAGE) + def cmd = ("""packer build -force \ + -var-file=${WORKSPACE}/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/${os_type}-${version}-variables.json \ + ${WORKSPACE}/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/packer-${os_type}.json""") + common.exec_with_retry(10, 60) { + common.azureEnvironment(cmd, params.OE_DEPLOY_IMAGE) } } } @@ -106,7 +106,7 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la ${az_login_script} az group create --name ${vm_rg_name} --location ${REGION} """ - oe.azureEnvironment(az_rg_create_script, params.OE_DEPLOY_IMAGE) + common.azureEnvironment(az_rg_create_script, params.OE_DEPLOY_IMAGE) } try { @@ -130,7 +130,7 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la --admin-password ${JENKINS_USER_PASSWORD} \ --image ${azure_image_id} """ - oe.azureEnvironment(provision_script, params.OE_DEPLOY_IMAGE) + common.azureEnvironment(provision_script, params.OE_DEPLOY_IMAGE) } stage("Deploy VM") { 
@@ -165,8 +165,8 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la --command-id RunPowerShellScript \ --scripts @${WORKSPACE}/.jenkins/infrastructure/provision/run-sysprep.ps1 """ - oe.exec_with_retry(10, 30) { - oe.azureEnvironment(deploy_script, params.OE_DEPLOY_IMAGE) + common.exec_with_retry(10, 30) { + common.azureEnvironment(deploy_script, params.OE_DEPLOY_IMAGE) } } @@ -179,8 +179,8 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la az vm deallocate --resource-group ${vm_rg_name} --name ${vm_name} az vm generalize --resource-group ${vm_rg_name} --name ${vm_name} """ - oe.exec_with_retry(10, 30) { - oe.azureEnvironment(generalize_script, params.OE_DEPLOY_IMAGE) + common.exec_with_retry(10, 30) { + common.azureEnvironment(generalize_script, params.OE_DEPLOY_IMAGE) } } } @@ -206,8 +206,8 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la --hyper-v-generation ${AZURE_IMAGES_MAP[os_series]["generation"]} \ --source \$VM_ID """ - oe.exec_with_retry(10, 30) { - oe.azureEnvironment(capture_script, params.OE_DEPLOY_IMAGE) + common.exec_with_retry(10, 30) { + common.azureEnvironment(capture_script, params.OE_DEPLOY_IMAGE) } } } @@ -239,8 +239,8 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la --target-regions ${env.REPLICATION_REGIONS.split(',').join(' ')} \ --replica-count 1 """ - oe.exec_with_retry(10, 30) { - oe.azureEnvironment(upload_script, params.OE_DEPLOY_IMAGE) + common.exec_with_retry(10, 30) { + common.azureEnvironment(upload_script, params.OE_DEPLOY_IMAGE) } } } @@ -251,7 +251,7 @@ def buildWindowsManagedImage(String os_series, String img_name_suffix, String la ${az_login_script} az group delete --name ${vm_rg_name} --yes """ - oe.azureEnvironment(az_rg_cleanup_script, params.OE_DEPLOY_IMAGE) + common.azureEnvironment(az_rg_cleanup_script, params.OE_DEPLOY_IMAGE) } } } 
diff --git a/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-18.04-variables.json b/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-18.04-variables.json
index d3bcdfdf4d..d76e2e0f6a 100644
--- a/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-18.04-variables.json
+++ b/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-18.04-variables.json
@@ -6,6 +6,6 @@
   "ansible_group": "linux-agents",
   "playbook_file_name": "oe-linux-acc-setup.yml",
   "base_gallery_image_version": "latest",
-  "base_gallery_image_name": "Ubuntu_1804_LTS_Gen2",
+  "base_gallery_image_name": "Ubuntu_18.04_LTS_Gen2",
   "base_gallery_name": "Vanilla_Images"
 }
diff --git a/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-20.04-variables.json b/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-20.04-variables.json
index 8382c57257..82607dc7bc 100644
--- a/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-20.04-variables.json
+++ b/.jenkins/infrastructure/provision/templates/packer/azure_managed_image/ubuntu-20.04-variables.json
@@ -6,6 +6,6 @@
   "ansible_group": "linux-agents",
   "playbook_file_name": "oe-linux-acc-setup.yml",
   "base_gallery_image_version": "latest",
-  "base_gallery_image_name": "Ubuntu_2004_LTS_Gen2",
+  "base_gallery_image_name": "Ubuntu_20.04_LTS_Gen2",
   "base_gallery_name": "Vanilla_Images"
 }
diff --git a/.jenkins/library/vars/helpers.groovy b/.jenkins/library/vars/helpers.groovy
index 269805c199..cb8a0dfa9c 100644
--- a/.jenkins/library/vars/helpers.groovy
+++ b/.jenkins/library/vars/helpers.groovy
@@ -87,6 +87,7 @@ def getWindowsCwd() {
         returnStdout: true
     ).trim()
 }
+
 /**
  * Tests Open Enclave samples on *nix systems
  *
@@ -513,3 +514,43 @@ def get_date(String delimiter = "") {
         return "Canonical:UbuntuServer:18_04-lts-gen2:latest"
     }
 }
+
+/*
+ * Determine correct Intel SGX devices to mount for Docker
+ * Returns in the format of --device= --device=...
+ * Note: This is really only necessary as Ubuntu 20.04 has SGX
+ * driver 1.41 and Ubuntu 18.04 has an older version
+ *
+ * @param os_type Host Operating System Distribution (e.g. Ubuntu)
+ * @param os_version Host Operating System Version (e.g. 20.04)
+ */
+def getDockerSGXDevices(String os_type, String os_version) {
+    def devices = []
+    if ( os_type.equalsIgnoreCase('ubuntu') && os_version.equals('20.04') ) {
+        devices.add('/dev/sgx/provision')
+        devices.add('/dev/sgx/enclave')
+    }
+    else if ( os_type.equalsIgnoreCase('ubuntu') && os_version.equals('18.04') ) {
+        devices.add('/dev/sgx')
+    }
+    else {
+        error("getDockerSGXDevices(): Unknown OS (${os_type}) or version (${os_version})")
+    }
+    String returnDevices = ""
+    for (device in devices) {
+        if ( fileExists("${device}") ) {
+            returnDevices += " --device=${device}:${device} "
+        }
+    }
+    return returnDevices
+}
+
+/**
+ * Returns the Ubuntu release version (E.g. "18.04")
+ */
+def getUbuntuReleaseVer() {
+    sh(
+        returnStdout: true,
+        script: 'lsb_release -rs'
+    ).trim()
+}
diff --git a/.jenkins/library/vars/tests.groovy b/.jenkins/library/vars/tests.groovy
index 01e71b492d..cdbee88b10 100644
--- a/.jenkins/library/vars/tests.groovy
+++ b/.jenkins/library/vars/tests.groovy
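Review bot: `getDockerSGXDevices` returns an empty string when none of the selected device nodes exist on the agent, so a host with the wrong driver silently launches the container with no SGX device and the failure only surfaces later as an unrelated test error; add `if (!returnDevices) { error("getDockerSGXDevices(): no SGX device node found for ${os_type} ${os_version}") }` before the `return`. On 20.04 the helper also hands the container `/dev/sgx/provision`, the provisioning-key node that DCAP deployments usually keep restricted to a dedicated group because an enclave with access to it can derive platform-identifying keys; if quote generation in these tests goes through the aesmd socket the callers already mount, the container may not need the provision node at all, so please confirm and either drop it or state in the header comment why it is required. Minor: the header is a `/*` block while `getUbuntuReleaseVer` below uses `/**`; make them consistent.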
@@ -98,11 +98,13 @@ def ACCContainerTest(String label, String version, List extra_cmake_args = []) { cleanWs() checkout scm def cmakeArgs = helpers.CmakeArgs("RelWithDebInfo","OFF","ON","-DLVI_MITIGATION_BINDIR=/usr/local/lvi-mitigation/bin",extra_cmake_args.join(' ')) + def devices = helpers.getDockerSGXDevices("ubuntu", helpers.getUbuntuReleaseVer()) + println("${label} running Docker container with ${devices}") def task = """ ${helpers.ninjaBuildCommand(cmakeArgs)} ${helpers.TestCommand()} """ - common.ContainerRun("oetools-${version}:${params.DOCKER_TAG}", "clang-10", task, "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") + common.ContainerRun("oetools-${version}:${params.DOCKER_TAG}", "clang-10", task, "--cap-add=SYS_PTRACE ${devices} --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") } } } @@ -115,6 +117,8 @@ def ACCPackageTest(String label, String version, List extra_cmake_args = []) { cleanWs() checkout scm def cmakeArgs = helpers.CmakeArgs("RelWithDebInfo","OFF","ON","-DLVI_MITIGATION_BINDIR=/usr/local/lvi-mitigation/bin",extra_cmake_args.join(' ')) + def devices = helpers.getDockerSGXDevices("ubuntu", helpers.getUbuntuReleaseVer()) + println("${label} running Docker container with ${devices}") common.ContainerTasks( "oetools-${version}:${params.DOCKER_TAG}", globalvars.COMPILER, @@ -128,7 +132,7 @@ def ACCPackageTest(String label, String version, List extra_cmake_args = []) { ), helpers.TestSamplesCommand() ], - "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket" + "--cap-add=SYS_PTRACE ${devices} --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket" ) } } 
@@ -145,6 +149,8 @@ def ACCHostVerificationTest(String version, String build_type) { cleanWs() checkout scm def cmakeArgs = "-G Ninja -DCMAKE_BUILD_TYPE=${build_type} -Wdev" + def devices = helpers.getDockerSGXDevices("ubuntu", helpers.getUbuntuReleaseVer()) + println("ACC-1804 running Docker container with ${devices}") println("Generating certificates and reports ...") def task = """ ${helpers.ninjaBuildCommand(cmakeArgs)} @@ -161,7 +167,7 @@ def ACCHostVerificationTest(String version, String build_type) { ../../../output/bin/oeutil gen --format sgx_ecdsa --quote-proc out --verify popd """ - common.ContainerRun("oetools-${version}:${params.DOCKER_TAG}", "clang-10", task, "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") + common.ContainerRun("oetools-${version}:${params.DOCKER_TAG}", "clang-10", task, "--cap-add=SYS_PTRACE ${devices} --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") def ec_cert_created = fileExists 'build/tests/host_verify/host/sgx_cert_ec.der' def rsa_cert_created = fileExists 'build/tests/host_verify/host/sgx_cert_rsa.der' @@ -245,6 +251,8 @@ def ACCHostVerificationPackageTest(String version, String build_type) { cleanWs() checkout scm def cmakeArgs = "-G Ninja -DCMAKE_BUILD_TYPE=${build_type} -Wdev" + def devices = helpers.getDockerSGXDevices("ubuntu", helpers.getUbuntuReleaseVer()) + println("ACC-1804 running Docker container with ${devices}") println("Generating certificates and reports ...") def task = """ ${helpers.ninjaBuildCommand(cmakeArgs)} 
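Review bot: The added log line hardcodes `ACC-1804` while the device list is chosen from `helpers.getUbuntuReleaseVer()` at run time, so on a 20.04 agent the message misreports the host; unlike `ACCContainerTest`, this function has no `label` parameter to reuse. Capture the release once and print that instead: `def ubuntuVer = helpers.getUbuntuReleaseVer()`, `def devices = helpers.getDockerSGXDevices("ubuntu", ubuntuVer)`, `println("Ubuntu ${ubuntuVer} host running Docker container with ${devices}")`. The same hardcoded label appears in the `ACCHostVerificationPackageTest` hunk that follows.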
@@ -261,7 +269,7 @@ def ACCHostVerificationPackageTest(String version, String build_type) { ../../../output/bin/oeutil gen --format sgx_ecdsa --quote-proc out --verify popd """ - common.ContainerRun("oetools-${version}:${params.DOCKER_TAG}", "clang-10", task, "--cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") + common.ContainerRun("oetools-${version}:${params.DOCKER_TAG}", "clang-10", task, "--cap-add=SYS_PTRACE ${devices} --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") def ec_cert_created = fileExists 'build/tests/host_verify/host/sgx_cert_ec.der' def rsa_cert_created = fileExists 'build/tests/host_verify/host/sgx_cert_rsa.der' diff --git a/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml b/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml index 0d142e51bc..14c78e0bb3 100644 --- a/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml +++ b/scripts/ansible/roles/linux/intel/tasks/driver-validation.yml @@ -10,7 +10,7 @@ include_vars: file: "{{ ansible_distribution | lower }}/{{ ansible_distribution_release | lower }}.yml" -- name: Load default driver - modprobe: - name: intel_sgx - state: present +- name: Check default driver files + stat: + path: "{{ item }}" + loop: "{{ intel_dcap_driver_files }}" From 236e3a044ccb25aa48055f3e1f2ad24e0e113a80 Mon Sep 17 00:00:00 2001 From: Amaury Chamayou Date: Tue, 23 Nov 2021 15:19:21 +0000 Subject: [PATCH 2/2] Effectively zero TLS section on thread cleanup Signed-off-by: Amaury Chamayou --- enclave/core/sgx/threadlocal.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/enclave/core/sgx/threadlocal.c b/enclave/core/sgx/threadlocal.c index dcec5016bb..feb6e125c7 100644 --- a/enclave/core/sgx/threadlocal.c +++ b/enclave/core/sgx/threadlocal.c 
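Review bot: The new `Check default driver files` task can never fail: `stat` only reports whether each path exists and nothing consumes the result, so where `modprobe intel_sgx` used to abort the playbook on a missing driver, the role now validates nothing and an image without the DCAP driver files is built and published as if it were good. Register the loop output and fail on any missing path, as below. `intel_dcap_driver_files` is presumably defined in the per-release vars file included by the task just above; that file is outside this patch, so its contents are not checked here.
```yaml
- name: Check default driver files
  stat:
    path: "{{ item }}"
  loop: "{{ intel_dcap_driver_files }}"
  register: intel_dcap_driver_stat

- name: Fail if a default driver file is missing
  fail:
    msg: "Expected Intel SGX DCAP driver file {{ item.item }} is missing"
  when: not item.stat.exists
  loop: "{{ intel_dcap_driver_stat.results }}"
```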
@@ -420,7 +420,11 @@ oe_result_t oe_thread_local_cleanup(oe_sgx_td_t* td)
     // (i.e., tls_start is NULL when tdata and tbss are zero).
     oe_allocator_thread_cleanup();
     if (tls_start)
-        oe_memset_s(tls_start, (uint64_t)(fs - tls_start), 0, 0);
+        oe_memset_s(
+            tls_start,
+            (uint64_t)(fs - tls_start),
+            0,
+            (uint64_t)(fs - tls_start));
 
     return OE_OK;
 }
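Review bot: The result of `oe_memset_s` is still discarded and the function returns `OE_OK` unconditionally, so if the wipe of the thread-local block ever fails (a `memset_s`-style call rejects a count larger than the destination size, among other errors) the caller is told cleanup succeeded while the previous thread's TLS contents remain in enclave memory — the very condition this fix is meant to end. If the function carries the usual `oe_result_t result` / `done:` scaffolding above this hunk, `OE_CHECK(oe_memset_s(tls_start, (uint64_t)(fs - tls_start), 0, (uint64_t)(fs - tls_start)));` is the one-line change; otherwise at least return the call's result instead of `OE_OK`. A short why-comment would also stop this from regressing, since the old count of 0 was a silent no-op: `// Wipe the whole [tls_start, fs) range; a zero count erases nothing.` The body of `oe_thread_local_cleanup` begins before this hunk.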