From 1b1242f05630d461bf904a907d57b4222232b391 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Borys=20Pop=C5=82awski?= Date: Thu, 15 Dec 2022 15:19:59 +0100 Subject: [PATCH] [CI] Add new Jenkins pipeline for EDMM testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Borys Popławski --- .ci/lib/stage-build-sgx.jenkinsfile | 9 +++- .ci/lib/stage-test-sgx.jenkinsfile | 46 +++++++++++++------ .ci/lib/stage-test.jenkinsfile | 8 +++- .ci/linux-sgx-edmm.jenkinsfile | 30 ++++++++++++ .ci/ubuntu20.04.dockerfile | 12 +++++ CI-Examples/bash/manifest.template | 1 + CI-Examples/blender/blender.manifest.template | 1 + CI-Examples/busybox/busybox.manifest.template | 1 + .../helloworld/helloworld.manifest.template | 1 + .../lighttpd/lighttpd.manifest.template | 1 + .../memcached/memcached.manifest.template | 1 + CI-Examples/nginx/nginx.manifest.template | 1 + CI-Examples/python/python.manifest.template | 1 + .../ra-tls-mbedtls/client.manifest.template | 1 + .../ra-tls-mbedtls/server.manifest.template | 1 + .../secret_prov/client.manifest.template | 1 + .../client.manifest.template | 1 + .../secret_prov_pf/client.manifest.template | 1 + .../redis/redis-server.manifest.template | 7 +++ .../rust-hyper-http-server.manifest.template | 1 + CI-Examples/sqlite/manifest.template | 1 + libos/test/abi/x86_64/manifest.template | 1 + .../abi/x86_64/stack_arg.manifest.template | 1 + .../abi/x86_64/stack_env.manifest.template | 1 + libos/test/fs/manifest.template | 1 + libos/test/ltp/manifest.template | 1 + .../argv_from_file.manifest.template | 1 + .../argv_from_manifest.manifest.template | 1 + .../regression/attestation.manifest.template | 1 + ...tation_deprecated_syntax.manifest.template | 1 + .../bootstrap_cpp.manifest.template | 1 + .../debug_log_file.manifest.template | 1 + .../debug_log_inline.manifest.template | 1 + .../device_passthrough.manifest.template | 1 + .../env_from_file.manifest.template | 1 + .../env_from_host.manifest.template | 1 + .../env_passthrough.manifest.template | 1 + ...policy_allow_all_but_log.manifest.template | 1 + ...file_check_policy_strict.manifest.template | 1 + .../regression/host_root_fs.manifest.template | 1 + ...tname_extra_runtime_conf.manifest.template | 1 + .../regression/init_fail.manifest.template 
| 1 + .../regression/init_fail2.manifest.template | 1 + .../regression/large_mmap.manifest.template | 1 + libos/test/regression/manifest.template | 1 + .../multi_pthread.manifest.template | 1 + .../multi_pthread_exitless.manifest.template | 1 + .../test/regression/openmp.manifest.template | 4 +- .../shebang_test_script.manifest.template | 1 + .../regression/sysfs_common.manifest.template | 1 + libos/test/regression/test_libos.py | 3 ++ .../regression/toml_parsing.manifest.template | 1 + .../test/regression/uid_gid.manifest.template | 1 + pal/regression/Bootstrap6.manifest.template | 1 + pal/regression/Bootstrap7.manifest.template | 1 + pal/regression/File.manifest.template | 1 + pal/regression/Thread2.manifest.template | 1 + .../Thread2_exitless.manifest.template | 1 + pal/regression/manifest.template | 1 + tools/sgx/ra-tls/ra_tls_verify_dcap.c | 6 ++- 60 files changed, 158 insertions(+), 18 deletions(-) create mode 100644 .ci/linux-sgx-edmm.jenkinsfile diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile index ad16dd85cb..21ffb5e001 100644 --- a/.ci/lib/stage-build-sgx.jenkinsfile +++ b/.ci/lib/stage-build-sgx.jenkinsfile @@ -16,6 +16,13 @@ stage('build') { if (env.CC == 'clang') { env.MESON_OPTIONS += ' -Dmusl=disabled' } + if (env.RA_TYPE == 'dcap') { + env.MESON_OPTIONS += ' -Ddcap=enabled' + } + + if (env.SGX_DRIVER == null) { + env.SGX_DRIVER = 'oot' + } try { sh ''' @@ -26,7 +33,7 @@ stage('build') { -Ddirect=disabled \ -Dsgx=enabled \ -Dtests=enabled \ - -Dsgx_driver=oot \ + -Dsgx_driver="$SGX_DRIVER" \ $MESON_OPTIONS ninja -vC build/ ''' diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile index 71b5ccab56..eaba338b5c 100644 --- a/.ci/lib/stage-test-sgx.jenkinsfile +++ b/.ci/lib/stage-test-sgx.jenkinsfile 
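Review bot: The `SGX_DRIVER` default lives here in the build stage while `RA_TYPE` is defaulted separately in both test stages, so `if (env.RA_TYPE == 'dcap')` runs against a possibly-unset variable and the stages only agree by accident when one of them is run on its own. Every pipeline loads `.ci/lib/config.jenkinsfile` before any stage (see `.ci/linux-sgx-edmm.jenkinsfile` in this patch), so the defaults belong there once: `env.RA_TYPE = env.RA_TYPE ?: 'epid'` and `env.SGX_DRIVER = env.SGX_DRIVER ?: 'oot'`. `-Dsgx_driver="$SGX_DRIVER"` is also passed through unchecked; rejecting anything other than the two values this patch uses (`oot`, `upstream`) at the Groovy level would fail faster and with a clearer message than whatever meson presumably reports for an unknown driver.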
@@ -6,6 +6,11 @@ stage('test-sgx') { .ci/check-no-syscall.sh "$GRAMINE_PKGLIBDIR"/runtime/musl/libc.so fi ''' + + if (env.RA_TYPE == null) { + env.RA_TYPE = 'epid' + } + timeout(time: 5, unit: 'MINUTES') { sh ''' cd CI-Examples/helloworld @@ -16,7 +21,7 @@ stage('test-sgx') { timeout(time: 5, unit: 'MINUTES') { sh ''' cd CI-Examples/python - make ${MAKEOPTS} RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} + make ${MAKEOPTS} RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid} make ${MAKEOPTS} check ''' } @@ -107,14 +112,22 @@ stage('test-sgx') { timeout(time: 5, unit: 'MINUTES') { sh ''' cd CI-Examples/ra-tls-mbedtls - if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \ - then \ - make check_epid RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ - RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \ - make check_epid_fail RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ - RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \ + if [ "${RA_TYPE}" = "epid" ]; then \ + if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \ + then \ + make check_epid RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ + RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \ + make check_epid_fail RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ + RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \ + else \ + echo "Failure: no ra_client_spid and/or ra_client_key!"; \ + exit 1; \ + fi \ + elif [ "${RA_TYPE}" = "dcap" ]; then \ + make check_dcap RA_TYPE=dcap; \ + make check_dcap_fail RA_TYPE=dcap; \ else \ - echo "Failure: no ra_client_spid and/or ra_client_key!"; \ + echo "Invalid RA_TYPE env variable: ${RA_TYPE}"; \ exit 1; \ fi ''' 
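Review bot: The new `dcap` branch has no precondition check comparable to the `ra_client_spid`/`ra_client_key` guard in the `epid` branch, so an unreachable PCCS (the Docker image points QCNL at `host.docker.internal`) shows up as a quote-verification failure inside `make check_dcap` that is hard to tell apart from a real RA-TLS regression. A cheap probe of the `pccs_url` configured in `/etc/sgx_default_qcnl.conf` before the two `make` calls, failing with an explicit `echo`/`exit 1` like the EPID branch does, keeps the branches symmetric. Separately, the (moved, not new) EPID branch still puts `RA_TLS_EPID_API_KEY=${ra_client_key}` on a `make` command line inside a Jenkins `sh` step, which traces commands with `-x` by default; unless the enclosing pipeline binds that value through a credentials step that masks it in the console log, the API key is echoed into the build output.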
@@ -122,12 +135,19 @@ stage('test-sgx') { timeout(time: 5, unit: 'MINUTES') { sh ''' cd CI-Examples/ra-tls-secret-prov - if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \ - then \ - make check_epid RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ - RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \ + if [ "${RA_TYPE}" = "epid" ]; then \ + if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \ + then \ + make check_epid RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ + RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \ + else \ + echo "Failure: no ra_client_spid and/or ra_client_key!"; \ + exit 1; \ + fi \ + elif [ "${RA_TYPE}" = "dcap" ]; then \ + make check_dcap RA_TYPE=dcap; \ else \ - echo "Failure: no ra_client_spid and/or ra_client_key!"; \ + echo "Invalid RA_TYPE env variable: ${RA_TYPE}"; \ exit 1; \ fi ''' diff --git a/.ci/lib/stage-test.jenkinsfile b/.ci/lib/stage-test.jenkinsfile index ab77f21ecf..524bfe665a 100644 --- a/.ci/lib/stage-test.jenkinsfile +++ b/.ci/lib/stage-test.jenkinsfile @@ -1,4 +1,8 @@ stage('test') { + if (env.RA_TYPE == null) { + env.RA_TYPE = 'epid' + } + timeout(time: 15, unit: 'MINUTES') { try { sh ''' @@ -15,7 +19,7 @@ stage('test') { try { sh ''' cd libos/test/regression - RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} gramine-test build -v + RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid} gramine-test build -v python3 -m pytest -v --junit-xml libos-regression.xml ''' } finally { @@ -31,7 +35,7 @@ stage('test') { cd libos/test/regression # For some unknown reason it fails without this clean on sgx-18.04 pipeline gramine-test clean - RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \ + RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid} \ gramine-test -n tests_musl.toml build -v python3 -m pytest -v --junit-xml libos-regression-musl.xml ''' diff --git a/.ci/linux-sgx-edmm.jenkinsfile b/.ci/linux-sgx-edmm.jenkinsfile new file mode 100644 index 0000000000..880e4ebf16 --- /dev/null 
+++ b/.ci/linux-sgx-edmm.jenkinsfile @@ -0,0 +1,30 @@ +node('sgx-edmm') { + checkout scm + + env.SGX = '1' + env.SGX_DRIVER = 'upstream' + env.EDMM = '1' + env.RA_TYPE = 'dcap' + + load '.ci/lib/config-docker.jenkinsfile' + + env.DOCKER_ARGS_SGX += ''' + --volume=/usr/include/x86_64-linux-gnu/asm/sgx.h:/usr/include/asm/sgx.h:ro + --add-host host.docker.internal:host-gateway + ''' + + docker.build( + "local:${env.BUILD_TAG}", + '-f .ci/ubuntu20.04.dockerfile .' + ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { + load '.ci/lib/config.jenkinsfile' + load '.ci/lib/config-release.jenkinsfile' + + load '.ci/lib/stage-lint.jenkinsfile' + load '.ci/lib/stage-clean-check-prepare.jenkinsfile' + load '.ci/lib/stage-build-sgx.jenkinsfile' + load '.ci/lib/stage-test.jenkinsfile' + load '.ci/lib/stage-test-sgx.jenkinsfile' + load '.ci/lib/stage-clean-check.jenkinsfile' + } +} diff --git a/.ci/ubuntu20.04.dockerfile b/.ci/ubuntu20.04.dockerfile index 90e522b69a..8584993cf2 100644 --- a/.ci/ubuntu20.04.dockerfile +++ b/.ci/ubuntu20.04.dockerfile @@ -72,6 +72,18 @@ RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ zlib1g \ zlib1g-dev +# Needed by DCAP attestation e.g. in "CI-Examples/ra-tls-mbedtls" +RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - +RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' > /etc/apt/sources.list.d/intel-sgx.list +RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ + libsgx-dcap-default-qpl \ + libsgx-dcap-quote-verify-dev \ + libsgx-urts + +# set up PCCS connection configuration +RUN sed -i -e 's/localhost/host.docker.internal/g' /etc/sgx_default_qcnl.conf \ + && sed -i -e 's/"use_secure_cert": true/"use_secure_cert": false/' /etc/sgx_default_qcnl.conf + # Install wrk2 benchmark. This benchmark is used in `benchmark-http.sh`. RUN git clone https://github.com/giltene/wrk2.git \ && cd wrk2 \ 
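Review bot: The two arguments appended to `DOCKER_ARGS_SGX` carry no explanation, and both couple this pipeline to the host: bind-mounting `/usr/include/x86_64-linux-gnu/asm/sgx.h` makes the in-container build depend on whichever kernel UAPI header the Jenkins node happens to have, and `--add-host host.docker.internal:host-gateway` is what lets the QCNL config written by `.ci/ubuntu20.04.dockerfile` reach a PCCS on the host. A comment above the `+=` would save the next person a hunt, e.g. `// upstream-driver build needs the host kernel's SGX UAPI header; host-gateway lets QCNL reach the PCCS running on the Jenkins node`. `host-gateway` is presumably only understood by recent Docker releases, so the `sgx-edmm` node label should document that requirement alongside the kernel one.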
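Review bot: `sed -i -e 's/"use_secure_cert": true/"use_secure_cert": false/' /etc/sgx_default_qcnl.conf` disables TLS certificate verification on the PCCS collateral channel, and nothing in the hunk says why or that this is CI-only; an unexplained `use_secure_cert: false` in a Dockerfile is exactly the kind of line that gets copied into production images. Add a comment above the `sed`, e.g. `# CI only: the PCCS on the Jenkins host uses a self-signed certificate, so QCNL's TLS verification is disabled here; never reuse this config outside CI`. The repository key is imported with `apt-key add -`, which is deprecated in newer apt releases and trusts the key for every configured repository; writing it to `/etc/apt/keyrings/intel-sgx.gpg` and using `deb [arch=amd64 signed-by=/etc/apt/keyrings/intel-sgx.gpg] ...` in the sources line scopes the trust to Intel's repo. The three `libsgx-*` packages are also unpinned, so DCAP test results depend on whatever Intel publishes the day the image is rebuilt; pinning versions, or at least logging `apt-cache policy` output, makes CI failures attributable.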
diff --git a/CI-Examples/bash/manifest.template b/CI-Examples/bash/manifest.template index 480abd1694..88547f0bee 100644 --- a/CI-Examples/bash/manifest.template +++ b/CI-Examples/bash/manifest.template @@ -19,6 +19,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.enclave_size = "512M" sgx.max_threads = 4 diff --git a/CI-Examples/blender/blender.manifest.template b/CI-Examples/blender/blender.manifest.template index 3dec9229df..429359f159 100644 --- a/CI-Examples/blender/blender.manifest.template +++ b/CI-Examples/blender/blender.manifest.template @@ -21,6 +21,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sys.stack.size = "8M" sgx.enclave_size = "2048M" diff --git a/CI-Examples/busybox/busybox.manifest.template b/CI-Examples/busybox/busybox.manifest.template index 57d0337516..f2027a3045 100644 --- a/CI-Examples/busybox/busybox.manifest.template +++ b/CI-Examples/busybox/busybox.manifest.template @@ -21,6 +21,7 @@ fs.mounts = [ sys.enable_extra_runtime_domain_names_conf = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = "{{ ra_type }}" sgx.ra_client_spid = "{{ ra_client_spid }}" diff --git a/CI-Examples/helloworld/helloworld.manifest.template b/CI-Examples/helloworld/helloworld.manifest.template index 64c908e17c..694c574e50 100644 --- a/CI-Examples/helloworld/helloworld.manifest.template +++ b/CI-Examples/helloworld/helloworld.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.trusted_files = [ diff --git a/CI-Examples/lighttpd/lighttpd.manifest.template b/CI-Examples/lighttpd/lighttpd.manifest.template index 4a40ed1276..c276136ac6 100644 
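Review bot: The same Jinja expression `sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}` is pasted into roughly fifty manifest templates in this patch, and every copy silently reads an ambient environment variable at `gramine-manifest` time that changes enclave configuration, with nothing in the template saying so. The CI examples already pass attestation settings through explicit template variables (`sgx.remote_attestation = "{{ ra_type }}"` in the busybox hunk on this same line), so the `env.get` form is also inconsistent with the files' own convention. At minimum a one-line comment on each copy, e.g. `# EDMM=1 in the build environment enables EDMM; the manifest is signed, so re-sign after toggling it`, makes the hidden input visible; a shared template fragment would avoid fifty copies drifting apart.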
--- a/CI-Examples/lighttpd/lighttpd.manifest.template +++ b/CI-Examples/lighttpd/lighttpd.manifest.template @@ -20,6 +20,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.enclave_size = "256M" sgx.max_threads = 3 diff --git a/CI-Examples/memcached/memcached.manifest.template b/CI-Examples/memcached/memcached.manifest.template index bd9a754c7b..e0436f4a4b 100644 --- a/CI-Examples/memcached/memcached.manifest.template +++ b/CI-Examples/memcached/memcached.manifest.template @@ -24,6 +24,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.max_threads = 16 diff --git a/CI-Examples/nginx/nginx.manifest.template b/CI-Examples/nginx/nginx.manifest.template index c4cb86b196..3f8e190918 100644 --- a/CI-Examples/nginx/nginx.manifest.template +++ b/CI-Examples/nginx/nginx.manifest.template @@ -26,6 +26,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.enclave_size = "512M" sgx.max_threads = 4 diff --git a/CI-Examples/python/python.manifest.template b/CI-Examples/python/python.manifest.template index cbd842b769..da1a904e32 100644 --- a/CI-Examples/python/python.manifest.template +++ b/CI-Examples/python/python.manifest.template @@ -33,6 +33,7 @@ sys.stack.size = "2M" sys.enable_extra_runtime_domain_names_conf = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.enclave_size = "1G" sgx.max_threads = 32 diff --git a/CI-Examples/ra-tls-mbedtls/client.manifest.template b/CI-Examples/ra-tls-mbedtls/client.manifest.template index 127f82c63c..0e5291f76a 100644 --- a/CI-Examples/ra-tls-mbedtls/client.manifest.template +++ b/CI-Examples/ra-tls-mbedtls/client.manifest.template 
@@ -25,6 +25,7 @@ fs.mounts = [ sys.enable_extra_runtime_domain_names_conf = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enclave_size = "512M" sgx.max_threads = 4 diff --git a/CI-Examples/ra-tls-mbedtls/server.manifest.template b/CI-Examples/ra-tls-mbedtls/server.manifest.template index f29fdf722b..c722819b27 100644 --- a/CI-Examples/ra-tls-mbedtls/server.manifest.template +++ b/CI-Examples/ra-tls-mbedtls/server.manifest.template @@ -20,6 +20,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = "{{ ra_type }}" sgx.ra_client_spid = "{{ ra_client_spid }}" diff --git a/CI-Examples/ra-tls-secret-prov/secret_prov/client.manifest.template b/CI-Examples/ra-tls-secret-prov/secret_prov/client.manifest.template index 8b565e5028..a2a71e8207 100644 --- a/CI-Examples/ra-tls-secret-prov/secret_prov/client.manifest.template +++ b/CI-Examples/ra-tls-secret-prov/secret_prov/client.manifest.template @@ -20,6 +20,7 @@ sys.enable_extra_runtime_domain_names_conf = true sgx.enclave_size = "512M" sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = "{{ ra_type }}" sgx.ra_client_spid = "{{ ra_client_spid }}" diff --git a/CI-Examples/ra-tls-secret-prov/secret_prov_minimal/client.manifest.template b/CI-Examples/ra-tls-secret-prov/secret_prov_minimal/client.manifest.template index c52b39780e..86d2ae6b70 100644 --- a/CI-Examples/ra-tls-secret-prov/secret_prov_minimal/client.manifest.template +++ b/CI-Examples/ra-tls-secret-prov/secret_prov_minimal/client.manifest.template @@ -24,6 +24,7 @@ sys.enable_extra_runtime_domain_names_conf = true sgx.enclave_size = "512M" sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = "{{ ra_type }}" sgx.ra_client_spid = "{{ ra_client_spid }}" 
diff --git a/CI-Examples/ra-tls-secret-prov/secret_prov_pf/client.manifest.template b/CI-Examples/ra-tls-secret-prov/secret_prov_pf/client.manifest.template index 7827c51c60..b2838e413a 100644 --- a/CI-Examples/ra-tls-secret-prov/secret_prov_pf/client.manifest.template +++ b/CI-Examples/ra-tls-secret-prov/secret_prov_pf/client.manifest.template @@ -26,6 +26,7 @@ sys.enable_extra_runtime_domain_names_conf = true sgx.enclave_size = "512M" sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = "{{ ra_type }}" sgx.ra_client_spid = "{{ ra_client_spid }}" diff --git a/CI-Examples/redis/redis-server.manifest.template b/CI-Examples/redis/redis-server.manifest.template index ae905f5a4e..b05bfc3792 100644 --- a/CI-Examples/redis/redis-server.manifest.template +++ b/CI-Examples/redis/redis-server.manifest.template @@ -70,6 +70,13 @@ sgx.debug = true # typical Redis workloads. sgx.enclave_size = "1024M" +# Enable Enclave Dynamic Memory Management (EDMM) feature based on EDMM +# environment variable. This allows for addition of pages to enclave in runtime, +# instead of allocating them upfront at startup. If this feature is enabled, +# `sgx.enclave_size` above describes a maximal enclave size and can usually be +# increased without negative consequences (it does not impact startup time). +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} + # Set maximum number of in-enclave threads (somewhat arbitrarily) to 8. Recall # that SGX v1 requires to specify the maximum number of simultaneous threads at # enclave creation time. diff --git a/CI-Examples/rust/rust-hyper-http-server.manifest.template b/CI-Examples/rust/rust-hyper-http-server.manifest.template index e2c0145579..d7fb3a2eb6 100644 --- a/CI-Examples/rust/rust-hyper-http-server.manifest.template +++ b/CI-Examples/rust/rust-hyper-http-server.manifest.template 
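Review bot: The new comment says `sgx.enclave_size` "can usually be increased without negative consequences" under EDMM, which is too strong for a value that is part of the signed enclave: the enclave size is measured at `ECREATE`, so changing it yields a new `MRENCLAVE` and breaks any verifier policy pinned to the old measurement. Narrow the sentence to the startup-time claim it is actually making, e.g. `... describes the maximal enclave size; with EDMM, raising it does not impact startup time, but it still changes the enclave measurement, so re-sign and update measurement-based policies`. Since this hunk is the one place in the patch where the option is explained, it should also say that EDMM requires SGX2-capable hardware and a kernel that exposes it, otherwise a manifest built with `EDMM=1` on a host without that support presumably fails at enclave load rather than falling back.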
@@ -18,6 +18,7 @@ fs.mounts = [ ] sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.nonpie_binary = true sgx.trusted_files = [ diff --git a/CI-Examples/sqlite/manifest.template b/CI-Examples/sqlite/manifest.template index ba04ec629e..9f5a78d54e 100644 --- a/CI-Examples/sqlite/manifest.template +++ b/CI-Examples/sqlite/manifest.template @@ -27,6 +27,7 @@ fs.mounts = [ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enclave_size = "256M" sgx.max_threads = 4 diff --git a/libos/test/abi/x86_64/manifest.template b/libos/test/abi/x86_64/manifest.template index ac871baa40..3ecbe34467 100644 --- a/libos/test/abi/x86_64/manifest.template +++ b/libos/test/abi/x86_64/manifest.template @@ -8,6 +8,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 4 sgx.trusted_files = [ diff --git a/libos/test/abi/x86_64/stack_arg.manifest.template b/libos/test/abi/x86_64/stack_arg.manifest.template index 47cb1d7fa9..c7c6edde1f 100644 --- a/libos/test/abi/x86_64/stack_arg.manifest.template +++ b/libos/test/abi/x86_64/stack_arg.manifest.template @@ -13,6 +13,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 4 sgx.trusted_files = [ diff --git a/libos/test/abi/x86_64/stack_env.manifest.template b/libos/test/abi/x86_64/stack_env.manifest.template index aead2512a7..368fd19fd3 100644 --- a/libos/test/abi/x86_64/stack_env.manifest.template +++ b/libos/test/abi/x86_64/stack_env.manifest.template @@ -13,6 +13,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 4 sgx.trusted_files = [ 
diff --git a/libos/test/fs/manifest.template b/libos/test/fs/manifest.template index e47e1be372..ec30856bfe 100644 --- a/libos/test/fs/manifest.template +++ b/libos/test/fs/manifest.template @@ -22,6 +22,7 @@ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.max_threads = 16 sgx.allowed_files = [ diff --git a/libos/test/ltp/manifest.template b/libos/test/ltp/manifest.template index 13e6b3ae28..20bbe4d5ec 100644 --- a/libos/test/ltp/manifest.template +++ b/libos/test/ltp/manifest.template @@ -21,6 +21,7 @@ sys.brk.max_size = "32M" sys.stack.size = "4M" sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.allowed_files = [ "file:/tmp", diff --git a/libos/test/regression/argv_from_file.manifest.template b/libos/test/regression/argv_from_file.manifest.template index d7b309d754..7f95168633 100644 --- a/libos/test/regression/argv_from_file.manifest.template +++ b/libos/test/regression/argv_from_file.manifest.template @@ -13,6 +13,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.allowed_files = [ "file:argv_test_input", diff --git a/libos/test/regression/argv_from_manifest.manifest.template b/libos/test/regression/argv_from_manifest.manifest.template index 73d9c95115..ee0f893ff0 100644 --- a/libos/test/regression/argv_from_manifest.manifest.template +++ b/libos/test/regression/argv_from_manifest.manifest.template @@ -20,6 +20,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/attestation.manifest.template b/libos/test/regression/attestation.manifest.template index 9ca1e33a15..56f7df223a 100644 
--- a/libos/test/regression/attestation.manifest.template +++ b/libos/test/regression/attestation.manifest.template @@ -13,6 +13,7 @@ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = "{{ env.get('RA_TYPE', 'none') }}" sgx.ra_client_spid = "{{ env.get('RA_CLIENT_SPID', '') }}" diff --git a/libos/test/regression/attestation_deprecated_syntax.manifest.template b/libos/test/regression/attestation_deprecated_syntax.manifest.template index bb2baddd89..81bc2e06bb 100644 --- a/libos/test/regression/attestation_deprecated_syntax.manifest.template +++ b/libos/test/regression/attestation_deprecated_syntax.manifest.template @@ -15,6 +15,7 @@ sgx.insecure__protected_files_key = "ffeeddccbbaa99887766554433221100" sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.remote_attestation = true sgx.ra_client_spid = "{{ env.get('RA_CLIENT_SPID', '') }}" diff --git a/libos/test/regression/bootstrap_cpp.manifest.template b/libos/test/regression/bootstrap_cpp.manifest.template index 954dd5b294..ed91b7063e 100644 --- a/libos/test/regression/bootstrap_cpp.manifest.template +++ b/libos/test/regression/bootstrap_cpp.manifest.template @@ -16,6 +16,7 @@ fs.mounts = [ sgx.max_threads = 8 sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/debug_log_file.manifest.template b/libos/test/regression/debug_log_file.manifest.template index bedb056ed7..66b70b6b49 100644 --- a/libos/test/regression/debug_log_file.manifest.template +++ b/libos/test/regression/debug_log_file.manifest.template 
@@ -15,6 +15,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/debug_log_inline.manifest.template b/libos/test/regression/debug_log_inline.manifest.template index 78fa16083e..fc6426681e 100644 --- a/libos/test/regression/debug_log_inline.manifest.template +++ b/libos/test/regression/debug_log_inline.manifest.template @@ -14,6 +14,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/device_passthrough.manifest.template b/libos/test/regression/device_passthrough.manifest.template index d8465e1fa6..0ba57ead61 100644 --- a/libos/test/regression/device_passthrough.manifest.template +++ b/libos/test/regression/device_passthrough.manifest.template @@ -11,6 +11,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/env_from_file.manifest.template b/libos/test/regression/env_from_file.manifest.template index 29a8ad0c1c..01d39ddef0 100644 --- a/libos/test/regression/env_from_file.manifest.template +++ b/libos/test/regression/env_from_file.manifest.template @@ -13,6 +13,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.allowed_files = [ "file:env_test_input", diff --git a/libos/test/regression/env_from_host.manifest.template b/libos/test/regression/env_from_host.manifest.template index 878d4b6e48..7dd428f1be 100644 --- a/libos/test/regression/env_from_host.manifest.template +++ b/libos/test/regression/env_from_host.manifest.template 
@@ -13,6 +13,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/env_passthrough.manifest.template b/libos/test/regression/env_passthrough.manifest.template index 7791c179d3..45c3e28a72 100644 --- a/libos/test/regression/env_passthrough.manifest.template +++ b/libos/test/regression/env_passthrough.manifest.template @@ -18,6 +18,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template index 2bc979ea5b..ade4202dc2 100644 --- a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template +++ b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template @@ -15,6 +15,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.file_check_policy = "allow_all_but_log" diff --git a/libos/test/regression/file_check_policy_strict.manifest.template b/libos/test/regression/file_check_policy_strict.manifest.template index 0ba3206a4f..93177d9fb1 100644 --- a/libos/test/regression/file_check_policy_strict.manifest.template +++ b/libos/test/regression/file_check_policy_strict.manifest.template @@ -15,6 +15,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.file_check_policy = "strict" diff --git a/libos/test/regression/host_root_fs.manifest.template b/libos/test/regression/host_root_fs.manifest.template index df97f01272..a372baabc8 100644 --- a/libos/test/regression/host_root_fs.manifest.template 
+++ b/libos/test/regression/host_root_fs.manifest.template @@ -13,6 +13,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/hostname_extra_runtime_conf.manifest.template b/libos/test/regression/hostname_extra_runtime_conf.manifest.template index ecb71146b0..0a99f03a91 100644 --- a/libos/test/regression/hostname_extra_runtime_conf.manifest.template +++ b/libos/test/regression/hostname_extra_runtime_conf.manifest.template @@ -13,6 +13,7 @@ sys.enable_extra_runtime_domain_names_conf = true sgx.debug = true sgx.nonpie_binary = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/init_fail.manifest.template b/libos/test/regression/init_fail.manifest.template index 06af3cdb2d..13837d5aff 100644 --- a/libos/test/regression/init_fail.manifest.template +++ b/libos/test/regression/init_fail.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/init_fail2.manifest.template b/libos/test/regression/init_fail2.manifest.template index ebc71be702..da56d8b661 100644 --- a/libos/test/regression/init_fail2.manifest.template +++ b/libos/test/regression/init_fail2.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} # this is an impossible combination of options, LibOS must fail very early in init process sgx.enclave_size = "256M" diff --git a/libos/test/regression/large_mmap.manifest.template b/libos/test/regression/large_mmap.manifest.template index 1b421469aa..36316f96d9 100644 
--- a/libos/test/regression/large_mmap.manifest.template +++ b/libos/test/regression/large_mmap.manifest.template @@ -15,6 +15,7 @@ fs.mounts = [ sgx.enclave_size = "8G" sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.allowed_files = [ "file:testfile", diff --git a/libos/test/regression/manifest.template b/libos/test/regression/manifest.template index cb53cc4709..e93a4ff519 100644 --- a/libos/test/regression/manifest.template +++ b/libos/test/regression/manifest.template @@ -24,6 +24,7 @@ fs.mounts = [ sgx.max_threads = 16 sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.allowed_files = [ "file:tmp/", diff --git a/libos/test/regression/multi_pthread.manifest.template b/libos/test/regression/multi_pthread.manifest.template index d9b55ac68f..47f2faaf6c 100644 --- a/libos/test/regression/multi_pthread.manifest.template +++ b/libos/test/regression/multi_pthread.manifest.template @@ -13,6 +13,7 @@ sgx.max_threads = 8 sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enable_stats = true sgx.trusted_files = [ diff --git a/libos/test/regression/multi_pthread_exitless.manifest.template b/libos/test/regression/multi_pthread_exitless.manifest.template index 3b1bb869f5..01e2796de0 100644 --- a/libos/test/regression/multi_pthread_exitless.manifest.template +++ b/libos/test/regression/multi_pthread_exitless.manifest.template @@ -15,6 +15,7 @@ sgx.insecure__rpc_thread_num = 8 sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enable_stats = true sgx.trusted_files = [ diff --git a/libos/test/regression/openmp.manifest.template b/libos/test/regression/openmp.manifest.template index a1e9c73ad0..3342c977c5 100644 --- a/libos/test/regression/openmp.manifest.template 
+++ b/libos/test/regression/openmp.manifest.template @@ -9,7 +9,8 @@ loader.env.LD_LIBRARY_PATH = "/lib:/usr/{{ arch_libdir }}" # the manifest options below are added only for testing, they have no significance for OpenMP sys.enable_sigterm_injection = true -sgx.preheat_enclave = true +# `sgx.preheat_enclave` is invalid with EDMM +sgx.preheat_enclave = {{ 'false' if env.get('EDMM', '0') == '1' else 'true' }} # Note that `libos.check_invalid_pointers` cannot be disabled, because LLVM's OpenMP depends on it # (by calling `sched_setaffinity` with NULL and expecting it to return either -EFAULT or -ENOSYS) @@ -24,6 +25,7 @@ fs.mounts = [ sgx.max_threads = 32 sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/shebang_test_script.manifest.template b/libos/test/regression/shebang_test_script.manifest.template index 2f6d39d4f9..487d7e9195 100644 --- a/libos/test/regression/shebang_test_script.manifest.template +++ b/libos/test/regression/shebang_test_script.manifest.template @@ -13,6 +13,7 @@ fs.mounts = [ sgx.max_threads = 16 sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/sysfs_common.manifest.template b/libos/test/regression/sysfs_common.manifest.template index 6647a2de8f..eb2c68ba3a 100644 --- a/libos/test/regression/sysfs_common.manifest.template +++ b/libos/test/regression/sysfs_common.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.trusted_files = [ "file:{{ gramine.libos }}", diff --git a/libos/test/regression/test_libos.py b/libos/test/regression/test_libos.py index ff6e6486c2..56ea450b30 100644 --- a/libos/test/regression/test_libos.py 
+++ b/libos/test/regression/test_libos.py @@ -7,6 +7,7 @@ import unittest from graminelibos.regression import ( + HAS_EDMM, HAS_SGX, ON_X86, USES_MUSL, @@ -535,12 +536,14 @@ def test_001_attestation_stdio(self): self.assertIn("Test local attestation... SUCCESS", stdout) self.assertIn("Test quote interface... SUCCESS", stdout) + @unittest.skipIf(HAS_EDMM, 'EDMM machines use DCAP attestation') def test_002_attestation_deprecated(self): stdout, _ = self.run_binary(['attestation_deprecated_syntax'], timeout=60) self.assertIn("Test resource leaks in attestation filesystem... SUCCESS", stdout) self.assertIn("Test local attestation... SUCCESS", stdout) self.assertIn("Test quote interface... SUCCESS", stdout) + @unittest.skipIf(HAS_EDMM, 'EDMM machines use DCAP attestation') def test_003_attestation_deprecated_stdio(self): stdout, _ = self.run_binary(['attestation_deprecated_syntax', 'test_stdio'], timeout=60) self.assertIn("Test resource leaks in attestation filesystem... SUCCESS", stdout) diff --git a/libos/test/regression/toml_parsing.manifest.template b/libos/test/regression/toml_parsing.manifest.template index 651113318e..de83e30efb 100644 --- a/libos/test/regression/toml_parsing.manifest.template +++ b/libos/test/regression/toml_parsing.manifest.template @@ -23,6 +23,7 @@ libos.check_invalid_pointers = false sgx.nonpie_binary = true sgx.debug = true +sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} # the manifest options below added only so that they have any test coverage sgx.seal_key.flags_mask = "0xffffffffffffffff" diff --git a/libos/test/regression/uid_gid.manifest.template b/libos/test/regression/uid_gid.manifest.template index 18cab4c646..cfc6f76b8a 100644 --- a/libos/test/regression/uid_gid.manifest.template +++ b/libos/test/regression/uid_gid.manifest.template 
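Review bot: `@unittest.skipIf(HAS_EDMM, 'EDMM machines use DCAP attestation')` encodes a CI-infrastructure coincidence rather than the real precondition: `attestation_deprecated_syntax` uses `sgx.remote_attestation = true` (the legacy EPID form) and needs EPID credentials, which has nothing to do with EDMM, so the tests still run on an EDMM box that has EPID and are wrongly skipped nowhere on a non-EDMM box configured for DCAP. Gate on the attestation type instead, e.g. `@unittest.skipIf(os.environ.get('RA_TYPE') == 'dcap', 'deprecated attestation syntax is EPID-only')`, or add a `USES_DCAP`-style flag to `graminelibos.regression` next to `HAS_EDMM` if `os` is not imported in this file. The enclosing test class begins before the hunk.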
@@ -13,6 +13,7 @@ fs.mounts = [
sgx.nonpie_binary = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
sgx.trusted_files = [
"file:{{ gramine.libos }}",
diff --git a/pal/regression/Bootstrap6.manifest.template b/pal/regression/Bootstrap6.manifest.template
index f98b657e36..eb68fa0015 100644
--- a/pal/regression/Bootstrap6.manifest.template
+++ b/pal/regression/Bootstrap6.manifest.template
@@ -6,5 +6,6 @@ loader.log_level = "debug"
sgx.enclave_size = "8192M"
sgx.nonpie_binary = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ]
diff --git a/pal/regression/Bootstrap7.manifest.template b/pal/regression/Bootstrap7.manifest.template
index d29f77f792..02fb7c28ca 100644
--- a/pal/regression/Bootstrap7.manifest.template
+++ b/pal/regression/Bootstrap7.manifest.template
@@ -3,6 +3,7 @@ loader.entrypoint = "file:{{ binary_dir }}/{{ entrypoint }}"
sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ]
sgx.nonpie_binary = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
loader.env.key1 = "na"
loader.env.key2 = "na"
diff --git a/pal/regression/File.manifest.template b/pal/regression/File.manifest.template
index 9d31d63263..65c6e05112 100644
--- a/pal/regression/File.manifest.template
+++ b/pal/regression/File.manifest.template
@@ -3,6 +3,7 @@ loader.log_level = "debug"
sgx.nonpie_binary = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
sgx.allowed_files = [
"file:{{ binary_dir }}/{{ entrypoint }}",
diff --git a/pal/regression/Thread2.manifest.template b/pal/regression/Thread2.manifest.template
index 44a25b2361..1561880f42 100644
--- a/pal/regression/Thread2.manifest.template
+++ b/pal/regression/Thread2.manifest.template
@@ -4,5 +4,6 @@ sgx.max_threads = 2
sgx.enable_stats = true
sgx.nonpie_binary = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ]
diff --git a/pal/regression/Thread2_exitless.manifest.template b/pal/regression/Thread2_exitless.manifest.template
index a37173644c..1fd0a122d5 100644
--- a/pal/regression/Thread2_exitless.manifest.template
+++ b/pal/regression/Thread2_exitless.manifest.template
@@ -7,5 +7,6 @@ sgx.insecure__rpc_thread_num = 2
sgx.enable_stats = true
sgx.nonpie_binary = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
sgx.trusted_files = [ "file:{{ binary_dir }}/{{ entrypoint }}" ]
diff --git a/pal/regression/manifest.template b/pal/regression/manifest.template
index 795aa9c306..630890faa1 100644
--- a/pal/regression/manifest.template
+++ b/pal/regression/manifest.template
@@ -3,6 +3,7 @@ loader.log_level = "debug"
loader.insecure__use_cmdline_argv = true
sgx.debug = true
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
sgx.nonpie_binary = true # all tests are currently non-PIE unless overridden
diff --git a/tools/sgx/ra-tls/ra_tls_verify_dcap.c b/tools/sgx/ra-tls/ra_tls_verify_dcap.c
index 572b47c9de..a2adc59e84 100644
--- a/tools/sgx/ra-tls/ra_tls_verify_dcap.c
+++ b/tools/sgx/ra-tls/ra_tls_verify_dcap.c
@@ -119,8 +119,10 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
sgx_quote_t* quote;
size_t quote_size;
ret = extract_quote_and_verify_pubkey(crt, "e, "e_size);
- if (ret < 0)
+ if (ret < 0) {
+ ERROR("extract_quote_and_verify_pubkey failed: %d\n", ret);
goto out;
+ }
/* prepare user-supplied verification parameters "allow outdated TCB"/"allow debug enclave" */
bool allow_outdated_tcb = getenv_allow_outdated_tcb();
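Review bot: The two DCAP failure codes added in the hunks at -129 and -154 are printed with `%d`, but `sgx_qv_get_quote_supplemental_data_size` and `sgx_qv_verify_quote` return DCAP's `quote3_error_t`, whose SGX_QL_* constants are defined as hex values, so a decimal dump is awkward to match against the header; `ERROR("sgx_qv_verify_quote failed: 0x%x\n", (unsigned)ret);` (and the same form for the supplemental-data-size call) reads directly. The message added in this hunk is fine as written, since `extract_quote_and_verify_pubkey` reports a negative code for which decimal is the natural form. ra_tls_verify_callback starts and ends outside the hunk.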
@@ -129,6 +131,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
/* call into libsgx_dcap_quoteverify to get supplemental data size */
ret = sgx_qv_get_quote_supplemental_data_size(&supplemental_data_size);
if (ret) {
+ ERROR("sgx_qv_get_quote_supplemental_data_size failed: %d\n", ret);
ret = MBEDTLS_ERR_X509_FATAL_ERROR;
goto out;
}
@@ -154,6 +157,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
/*p_qve_report_info=*/NULL, supplemental_data_size, supplemental_data);
if (ret) {
+ ERROR("sgx_qv_verify_quote failed: %d\n", ret);
ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
goto out;
}