From 1f230a2ba8d5a92788bfa6489ab1dbc806d7a724 Mon Sep 17 00:00:00 2001
From: Bruno Vavala
Date: Thu, 21 Mar 2024 16:22:26 +0000
Subject: [PATCH] add docker target for sgx service build; add enclave signing key initialization in the repository (if one exists on the host); add docker volumes and devices that are necessary for sgx; add docker compose yaml for sgx testing
Signed-off-by: Bruno Vavala
---
docker/Makefile | 33 +++++++++++++++++++
docker/pdo_services.dockerfile | 3 ++
docker/test-sgx.yaml | 27 +++++++++++++++
docker/tools/environment.sh | 9 +----
docker/tools/run_services_tests.sh | 12 ++++++-
docker/tools/start_services.sh | 2 +-
eservice/bin/register-with-ledger.sh | 3 ++
.../scripts/EServiceEnclaveInfoCLI.py | 3 +-
8 files changed, 80 insertions(+), 12 deletions(-)
create mode 100644 docker/test-sgx.yaml
diff --git a/docker/Makefile b/docker/Makefile
index 9137b352..071cf235 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -71,12 +71,21 @@ build_% : repository
 --tag pdo_$*:$(PDO_VERSION) \
 --file '$(DOCKER_DIR)'/pdo_$*.dockerfile .
+build_sgx_services : repository
+ docker build $(DOCKER_ARGS) \
+ --build-arg PDO_VERSION=$(PDO_VERSION) \
+ --build-arg SGX_MODE=HW \
+ --tag pdo_services:$(PDO_VERSION) \
+ --file $(DOCKER_DIR)/pdo_services.dockerfile .
+
 # docker build dependencies
 build_client: build_base
 build_services: build_services_base
 build_services_base: build_base
 build_ccf: build_ccf_base
+build_sgx_services: build_services_base
+
 clean_% :
 docker rmi -f pdo_$*:$(PDO_VERSION)
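Review bot: The new `build_sgx_services` target tags its output `pdo_services:$(PDO_VERSION)`, the same tag `build_services` produces through the `build_%` pattern rule, so the SIM and HW builds overwrite each other and nothing in the tag records which SGX_MODE the image was built with; a later `make test` or `make sgx_test` can therefore pick up an image built for the other mode if the build step is skipped or cached. Either use a distinct tag (for example `--tag pdo_services:$(PDO_VERSION)-hw \`, adjusting whichever compose file names the image) or put a comment on the target stating that it deliberately replaces the SIM image. The `--file` argument also drops the quoting the pattern rule uses; `--file '$(DOCKER_DIR)'/pdo_services.dockerfile .` keeps the two consistent. If the file declares `.PHONY` targets, that list is outside this hunk and should gain `build_sgx_services`.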
@@ -112,6 +121,12 @@ stop_client :
 # performance requirements are relatively low.
 # -----------------------------------------------------------------
 repository :
+ # if an enclave signing key is available on the host, copy that under build/keys in the repo
+ # Note: the docker build (see PDO_ENCLAVE_CODE_SIGN_PEM in environment.sh) expects the key there
+ [ ! -e ${PDO_ENCLAVE_CODE_SIGN_PEM} ] ||\
+ (test ${PDO_ENCLAVE_CODE_SIGN_PEM} -ef ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem || \
+ cp ${PDO_ENCLAVE_CODE_SIGN_PEM} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem)
+
 # clone the repo
 git clone --single-branch --branch $(PDO_BRANCH) --recurse-submodules '$(PDO_REPO)' repository
 clean_repository :
@@ -130,12 +145,30 @@ TEST_FILES += -f services_base.yaml
 TEST_FILES += -f ccf_base.yaml
 TEST_FILES += -f test.yaml
+TEST_SGX_FILES = ${TEST_FILES}
+TEST_SGX_FILES += -f test-sgx.yaml
+
+SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+ then echo "/dev/isgx"; \
+ elif [ -e "/dev/sgx/enclave" ]; \
+ then echo "/dev/sgx/enclave"; \
+ else echo "ERROR: NO SGX DEVICE FOUND"; \
+ fi)
+
+DOCKER_COMPOSE_SGX := env SGX_DEVICE_PATH=${SGX_DEVICE_PATH} docker-compose
+
 build_test : repository build_services build_ccf build_client
 test : clean_config clean_repository build_test stop_all
 PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit
 PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down
+sgx_build_test : repository build_sgx_services build_ccf build_client
+
+sgx_test : clean_config clean_repository sgx_build_test stop_all
+ PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) up --abort-on-container-exit
+ PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_SGX) $(TEST_SGX_FILES) down
+
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away
 # unless they are told to very nicely. Until they go away they hold onto
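Review bot: The guard `[ ! -e ${PDO_ENCLAVE_CODE_SIGN_PEM} ]` in the `repository` recipe does not cover the optional case it is written for: when the variable is unset or empty the test degenerates to `[ ! -e ]`, which is false, so the `test -ef`/`cp` branch runs with empty operands and the target fails with a confusing shell error instead of skipping the key. Check for emptiness first and quote the paths, `[ -z "$(PDO_ENCLAVE_CODE_SIGN_PEM)" ] || [ ! -e "$(PDO_ENCLAVE_CODE_SIGN_PEM)" ] || \` as the first line with the two following lines quoted the same way, which also uses the `$(...)` spelling the rest of this file uses rather than `${...}`. The copy runs before `git clone`, so if `PDO_SGX_KEY_ROOT` resolves to a path inside the fresh checkout the destination does not exist yet; its value is not visible here and is worth confirming. Note that this places a private enclave signing key inside the tree that is then passed to `docker build` as the build context, so it is visible to the daemon and, depending on what pdo_services.dockerfile copies, may be persisted in image layers; a `.dockerignore` entry for the key or a BuildKit `--secret` mount keeps it out of the image.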
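Review bot: `SGX_DEVICE_PATH` is assigned with `=`, so the `$(shell ...)` probe re-runs on every expansion, and when no device exists it yields the text `ERROR: NO SGX DEVICE FOUND` instead of failing; that string is spliced into `DOCKER_COMPOSE_SGX` as `env SGX_DEVICE_PATH=ERROR: NO SGX DEVICE FOUND docker-compose`, where `env` tries to execute `NO` as the command, and the `${SGX_DEVICE_PATH:-/dev/isgx}` default in test-sgx.yaml never gets a chance to apply. Use a simple assignment built from `$(wildcard)`, `SGX_DEVICE_PATH := $(firstword $(wildcard /dev/isgx /dev/sgx/enclave))`, and fail inside the `sgx_test` recipe rather than at parse time so `make test` still works on hosts without SGX: `@test -n '$(SGX_DEVICE_PATH)' || { echo 'ERROR: no SGX device found' >&2; exit 1; }`. `sgx_test` and `sgx_build_test` should also be added wherever `test` and `build_test` are declared `.PHONY`, which is outside this hunk if it exists.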
diff --git a/docker/pdo_services.dockerfile b/docker/pdo_services.dockerfile
index 1bb4a139..692e6427 100644
--- a/docker/pdo_services.dockerfile
+++ b/docker/pdo_services.dockerfile
@@ -27,6 +27,9 @@ FROM pdo_services_base:${PDO_VERSION}
 # -----------------------------------------------------------------
 ARG REBUILD=0
+ARG SGX_MODE=SIM
+ENV SGX_MODE $SGX_MODE
+
 ARG PDO_DEBUG_BUILD=0
 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD}
diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml
new file mode 100644
index 00000000..049a3602
--- /dev/null
+++ b/docker/test-sgx.yaml
@@ -0,0 +1,27 @@
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+version: "3.4"
+
+services:
+ ccf_container:
+ environment:
+ - SGX_MODE=HW
+
+ services_container:
+ volumes:
+ - /var/run/aesmd:/var/run/aesmd
+ devices:
+ - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx}
+
diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh
index c0850b12..01fdfb98 100755
--- a/docker/tools/environment.sh
+++ b/docker/tools/environment.sh
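Review bot: `ENV SGX_MODE $SGX_MODE` uses the older space-separated form while the line two below it uses `ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD}`; writing it `ENV SGX_MODE=${SGX_MODE}` keeps the file consistent and avoids the form the Dockerfile reference discourages. A one-line comment on the ARG, `# SGX_MODE selects SIM or HW; the Makefile's build_sgx_services target passes HW`, would tell readers where the value comes from, since nothing in the dockerfile validates it.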
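Review bot: The fallback in `${SGX_DEVICE_PATH:-/dev/isgx}` on the `devices:` entry only applies when the variable is unset or empty, but the Makefile in this commit exports an error string rather than an empty value when no device is found, so the default is effectively unreachable; a comment above the entry, `# SGX_DEVICE_PATH is exported by the Makefile's DOCKER_COMPOSE_SGX wrapper`, would make that contract visible. `SGX_MODE=HW` is set here only for `ccf_container`; if `services_container` is meant to inherit it from the `ENV` added to pdo_services.dockerfile in this commit, a comment saying so would stop the asymmetry from reading as an omission.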
@@ -44,14 +44,7 @@ fi
 export XFER_DIR=${XFER_DIR:-/project/pdo/xfer}
-# if the container is running HW mode, then we will grab the
-# SGX keys from the xfer directory; we know that the default
-# keys must be overridden
-if [ ${SGX_MODE} == "HW" ]; then
- export PDO_SGX_KEY_ROOT=${XFER_DIR}/services/keys/sgx
-else
- export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
-fi
+export PDO_SGX_KEY_ROOT=${PDO_SOURCE_ROOT}/build/keys/sgx_mode_${SGX_MODE,,}
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves
diff --git a/docker/tools/run_services_tests.sh b/docker/tools/run_services_tests.sh
index 773b9eaa..ab5d09d2 100755
--- a/docker/tools/run_services_tests.sh
+++ b/docker/tools/run_services_tests.sh
@@ -27,6 +27,16 @@ check_pdo_runtime_env
 export no_proxy=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$no_proxy
 export NO_PROXY=$PDO_HOSTNAME,$PDO_LEDGER_ADDRESS,$NO_PROXY
+# -----------------------------------------------------------------
+yell copy sgx keys
+# -----------------------------------------------------------------
+# this collateral *must* be copied before configuring the services
+# as it will be included in the service/enclave toml files
+[ -z "$(ls -A ${XFER_DIR}/services/keys/sgx/)" ] ||\
+ cp ${XFER_DIR}/services/keys/sgx/* ${PDO_SGX_KEY_ROOT}
+# refresh the environment variables (necessary for SGX-related ones)
+source /project/pdo/tools/environment.sh
+
 # -----------------------------------------------------------------
 yell configure services for host $PDO_HOSTNAME and ledger $PDO_LEDGER_URL
 # -----------------------------------------------------------------
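Review bot: The deleted branch carried the only explanation of where HW-mode SGX keys come from; the single `export PDO_SGX_KEY_ROOT=...` line that replaces it leaves a reader to discover from run_services_tests.sh that HW keys are now staged from `${XFER_DIR}/services/keys/sgx` into this directory. Replace the removed comment with one that states the new flow, e.g. `# keys live under the build tree in every mode; in HW mode run_services_tests.sh copies the host-provided keys from ${XFER_DIR}/services/keys/sgx here before the services are configured`. If `SGX_MODE` can be unset at this point the directory becomes `sgx_mode_`; whether it is guaranteed earlier in the file is not visible from this hunk.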
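Review bot: The key copy `cp ${XFER_DIR}/services/keys/sgx/* ${PDO_SGX_KEY_ROOT}` is not wrapped in `try` the way the copy in start_services.sh is, so a failed copy (missing destination, permission error) is not reported and configuration proceeds with stale or absent keys; `try cp "${XFER_DIR}"/services/keys/sgx/* "${PDO_SGX_KEY_ROOT}"` keeps it consistent, assuming `try` is available in this script as well. The `ls -A` guard also prints a spurious error on stderr whenever the directory is absent; testing existence first, `if [ -d "${XFER_DIR}/services/keys/sgx" ] && [ -n "$(ls -A "${XFER_DIR}/services/keys/sgx")" ]; then`, avoids that. The comment on the re-source says it is necessary for SGX-related variables; naming which variables environment.sh derives from the copied files would make the ordering requirement checkable.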
@@ -56,7 +66,7 @@ yell check for registration
 # -----------------------------------------------------------------
 # this probably requires additional CCF keys, need to test this
 if [ "$SGX_MODE" == "HW" ]; then
- if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+ if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
 die unable to locate CCF policies keys
 fi
diff --git a/docker/tools/start_services.sh b/docker/tools/start_services.sh
index 11f21926..f3c2e501 100755
--- a/docker/tools/start_services.sh
+++ b/docker/tools/start_services.sh
@@ -115,7 +115,7 @@ try cp ${XFER_DIR}/ccf/keys/networkcert.pem ${PDO_LEDGER_KEY_ROOT}/
 yell register the enclave if necessary
 # -----------------------------------------------------------------
 if [ "${F_REGISTER,,}" == 'yes' ]; then
- if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+ if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
 die unable to locate CCF policies keys
 fi
diff --git a/eservice/bin/register-with-ledger.sh b/eservice/bin/register-with-ledger.sh
index fdd85526..988e7cef 100755
--- a/eservice/bin/register-with-ledger.sh
+++ b/eservice/bin/register-with-ledger.sh
@@ -71,9 +71,11 @@ function Store {
 --spid ${SPID} \
 --save ${eservice_enclave_info_file} \
 --loglevel warn \
+ --logfile __screen__ \
 --identity ${ESERVICE_IDENTITY} \
 --config ${ESERVICE_TOML} ${ENCLAVE_TOML} \
 --config-dir ${ETCDIR}
+ yell Enclave info are ready
 }
 # Registers MR_ENCLAVE & BASENAMES with Ledger
@@ -88,6 +90,7 @@ function Register {
 : "PDO_IAS_KEY_PEM" "${PDO_IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
+ yell Register enclave with CCF ledger
 source ${PDO_INSTALL_ROOT}/bin/activate
 try ${PDO_INSTALL_ROOT}/bin/ccf_set_expected_sgx_measurements \
 --logfile __screen__ --loglevel INFO --mrenclave ${VAR_MRENCLAVE} \
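Review bot: The new status line `yell Enclave info are ready` in `Store` is ungrammatical; `yell Enclave info saved to ${eservice_enclave_info_file}` reads correctly and also tells the operator where the file went, which is the useful part of the message. The companion hunk at line 90 adds `yell Register enclave with CCF ledger` inside the ccf branch only; if another ledger branch follows below the hunk, a matching message there keeps the output symmetrical. Both `Store` and `Register` extend beyond their hunks.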
diff --git a/eservice/pdo/eservice/scripts/EServiceEnclaveInfoCLI.py b/eservice/pdo/eservice/scripts/EServiceEnclaveInfoCLI.py
index 7a6b977f..722b19d1 100644
--- a/eservice/pdo/eservice/scripts/EServiceEnclaveInfoCLI.py
+++ b/eservice/pdo/eservice/scripts/EServiceEnclaveInfoCLI.py
@@ -37,8 +37,7 @@ def GetBasename(spid, save_path, config) :
 while True :
 try :
 logger.debug('initialize the enclave')
- enclave_config = {}
- info = pdo_enclave_helper.get_enclave_service_info(spid, config=enclave_config)
+ info = pdo_enclave_helper.get_enclave_service_info(spid)
 logger.info('save MR_ENCLAVE and MR_BASENAME to %s', save_path)
 with open(save_path, "w") as file :
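Review bot: The call `info = pdo_enclave_helper.get_enclave_service_info(spid)` now relies on the helper accepting `spid` alone; its signature is not visible here, and because the call sits inside a `while True: try:` retry loop, a `TypeError` from a still-required `config` parameter would be swallowed or retried by whatever `except` follows below the hunk rather than fail clearly, so this is worth confirming against pdo_enclave_helper. `GetBasename` itself still takes a `config` parameter that this hunk does not forward; if that is the intended enclave configuration, `info = pdo_enclave_helper.get_enclave_service_info(spid, config=config)` may be what was meant, otherwise a docstring on `GetBasename` stating that `config` is not used for enclave initialization would remove the ambiguity. The enclosing function continues outside the hunk.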