From c374087f96c0c05dab6df8a0e5ad40eb3d102235 Mon Sep 17 00:00:00 2001
From: manojsalunke85
Date: Wed, 18 Aug 2021 21:59:14 +0530
Subject: [PATCH] Enable GSC for Local CI

---
 ci/gsc.jenkinsfile | 46 +++++++++++++
 ci/linux-gsc-ubuntu18.04-release.jenkinsfile | 33 ++++++++++
 gsc/Dockerfile.ubuntu18.04.build.template | 69 ++++++++++++++++++++
 gsc/Dockerfile.ubuntu18.04.compile.template | 50 ++++++++++++++
 4 files changed, 198 insertions(+)
 create mode 100644 ci/gsc.jenkinsfile
 create mode 100644 ci/linux-gsc-ubuntu18.04-release.jenkinsfile
 create mode 100644 gsc/Dockerfile.ubuntu18.04.build.template
 create mode 100644 gsc/Dockerfile.ubuntu18.04.compile.template

diff --git a/ci/gsc.jenkinsfile b/ci/gsc.jenkinsfile
new file mode 100644
index 00000000..6547b048
--- /dev/null
+++ b/ci/gsc.jenkinsfile
@@ -0,0 +1,46 @@
+stage('Build') {
+ sh '''
+ cd Tools/gsc/test
+ # Jenkins may automatically merge master into submitted commit (but
+ # maybe not): choose the original submitted commit for GSC (third
+ # commit in below git-log output if merged or first commit if not
+ # merged)
+ export COMMIT=`git log --pretty="%H %P" -n 1 | awk '{if(!$3) \
+ {print $1} else {print $3}}'`
+ make TESTCASES='python3 python3-trusted-args base-python3' \
+ DISTRIBUTIONS='ubuntu18.04' \
+ IMAGE_SUFFIX=-${COMMIT} GRAPHENE_BRANCH=${COMMIT}
+ '''
+}
+stage('Test') {
+ sh '''
+ cd Tools/gsc/test
+ # Jenkins may automatically merge master into submitted commit (but
+ # maybe not): choose the original submitted commit for GSC (third
+ # commit in below git-log output if merged or first commit if not merged)
+ export COMMIT=`git log --pretty="%H %P" -n 1 | awk '{if(!$3) \
+ {print $1} else {print $3}}'`
+ # Test Linux Pal
+ make test ENV_VARS='GSC_PAL=Linux' MAXTESTNUM=2 TESTCASES=python3 \
+ DISTRIBUTIONS='ubuntu18.04' IMAGE_SUFFIX=-${COMMIT}
+ # Test Linux-SGX PAL
+ make test MAXTESTNUM=3 TESTCASES='python3 python3-trusted-args' \
+ DISTRIBUTIONS='ubuntu18.04' IMAGE_SUFFIX=-${COMMIT}
+ # Test use of base Graphene Image
+ make test MAXTESTNUM=2 TESTCASES='python3' \
+ DISTRIBUTIONS='ubuntu18.04-base' IMAGE_SUFFIX=-${COMMIT}
+ '''
+}
+stage('Docker images cleanup') {
+ sh '''
+ cd Tools/gsc/test
+ # Jenkins may automatically merge master into submitted commit (but
+ # maybe not): choose the original submitted commit for GSC (third
+ # commit in below git-log output if merged or first commit if not merged)
+ export COMMIT=`git log --pretty="%H %P" -n 1 | awk '{if(!$3) \
+ {print $1} else {print $3}}'`
+ make clean TESTCASES='python3 python3-trusted-args base-python3' \
+ DISTRIBUTIONS='ubuntu18.04' IMAGE_SUFFIX=-${COMMIT}
+ docker image prune -f
+ '''
+}
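Review bot: The COMMIT derivation (`git log --pretty="%H %P" -n 1 | awk ...`) is copy-pasted verbatim into all three `sh` blocks of this file; computing it once in Groovy with `sh(returnStdout: true, script: ...)` and passing the value into the three `make` invocations would keep the stages from drifting. The accompanying comment already differs between the 'Build' block and the other two, which is exactly the drift this invites. `docker image prune -f` in the cleanup stage removes every dangling image on the agent, not only those this job built; if the node is shared with other jobs it is probably safer to rely on `make clean` alone, or to restrict the prune with a label filter on images the GSC build tags.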
diff --git a/ci/linux-gsc-ubuntu18.04-release.jenkinsfile b/ci/linux-gsc-ubuntu18.04-release.jenkinsfile
new file mode 100644
index 00000000..0ff2d81a
--- /dev/null
+++ b/ci/linux-gsc-ubuntu18.04-release.jenkinsfile
@@ -0,0 +1,33 @@
+node(node_label) {
+ env.ORIG_WKSP = env.WORKSPACE
+ def build_ok = true
+ try {
+ stage('checkout'){
+ dir ('./') {
+ git url: 'https://github.com/jinengandhi-intel/graphene_local_ci.git'
+ }
+
+ dir('graphene') {
+ git url: 'https://github.com/oscarlab/graphene.git'
+ }
+ }
+
+ dir ("graphene") {
+ sh 'cp -rf $WORKSPACE/gsc/* Tools/gsc/templates/'
+ env.WORKSPACE = env.WORKSPACE + "/graphene"
+
+ load '../ci/gsc.jenkinsfile'
+
+ }
+ } finally {
+ stage('Workspace cleanup'){
+ sh 'rm -rf $ORIG_WKSP/*'
+ }
+ }
+
+ if(build_ok) {
+ currentBuild.result = "SUCCESS"
+ } else {
+ currentBuild.result = "FAILURE"
+ }
+}
diff --git a/gsc/Dockerfile.ubuntu18.04.build.template b/gsc/Dockerfile.ubuntu18.04.build.template
new file mode 100644
index 00000000..6da18738
--- /dev/null
+++ b/gsc/Dockerfile.ubuntu18.04.build.template
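Review bot: Both `git url:` checkouts in the 'checkout' stage are unpinned, so whatever currently sits on the default branch of the `graphene_local_ci` repository is copied over `Tools/gsc/templates/` and then executed on the agent through `load '../ci/gsc.jenkinsfile'`; pinning that repository with the git step's `branch:` parameter, and preferably to a tag or commit, keeps the pipeline code that runs on the node under review. `build_ok` is never assigned `false`, so the `currentBuild.result = "FAILURE"` branch is unreachable; an exception raised inside the `try` propagates after `finally` and fails the build on its own, so either drop the flag and the trailing `if`, or catch the exception and clear the flag there. The `rm -rf $ORIG_WKSP/*` cleanup also runs when the checkout stage itself threw, which looks intended but deserves a comment such as `// wipe the workspace even when checkout failed`.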
@@ -0,0 +1,69 @@
+# Include previously-prepared Docker image with Graphene (if any) or compile Graphene from sources
+{% if Graphene.Image %}
+FROM gsc-{{Graphene.Image}} AS graphene
+{% else %}
+{% include "Dockerfile.ubuntu18.04.compile.template" %}
+{% endif %}
+
+# Combine Graphene image with the original app image
+FROM {{app_image}}
+
+ENV http_proxy "http://proxy-dmz.intel.com:911"
+ENV https_proxy "http://proxy-dmz.intel.com:912"
+
+RUN echo 'Acquire::http::proxy "http://proxy-dmz.intel.com:911/"; Acquire::https::proxy "http://proxy-dmz.intel.com:912/"; Acquire::ftp::proxy "ftp://proxy-dmz.intel.com:911/";' >> /etc/apt/apt.conf.d/proxy.conf
+
+RUN apt-get update \
+ && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ binutils \
+ libprotobuf-c-dev \
+ locales \
+ locales-all \
+ openssl \
+ python3 \
+ python3-pip \
+ python3-protobuf \
+ && python3 -B -m pip install --proxy=http://proxy-dmz.intel.com:911 protobuf jinja2 toml>=0.10
+
+{% if debug %}
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y gdb less strace vim python3-pyelftools
+{% endif %}
+
+RUN locale-gen en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US.UTF-8
+
+# Copy Graphene runtime and signer tools to /graphene/meson_build_output
+RUN mkdir -p /graphene/Tools \
+ && mkdir -p /graphene/meson_build_output
+
+# TODO: remove this copy after argv_serializer becomes a part of Meson build
+COPY --from=graphene /graphene/Tools/argv_serializer /graphene/Tools
+COPY --from=graphene /graphene/meson_build_output /graphene/meson_build_output
+
+# Copy helper scripts and Graphene manifest
+COPY *.py /
+COPY apploader.sh /
+COPY entrypoint.manifest /
+
+# Generate trusted arguments if required
+{% if not insecure_args %}
+RUN /graphene/Tools/argv_serializer {{binary}} {{binary_arguments}} "{{"\" \"".join(cmd)}}" > /trusted_argv
+{% endif %}
+
+# Docker entrypoint/cmd typically contains only the basename of the executable so create a symlink
+RUN cd / \
+ && which {{binary}} | xargs ln -s || true
+
+# Include Meson build output directory in $PATH
+ENV PATH="/graphene/meson_build_output/bin:$PATH"
+
+# Mark apploader.sh executable, finalize manifest, and remove intermediate scripts
+RUN chmod u+x /apploader.sh \
+ && python3 -B /finalize_manifest.py \
+ && rm -f /finalize_manifest.py
+
+# Define default command
+ENTRYPOINT ["/bin/bash", "/apploader.sh"]
+CMD [{% if insecure_args %} "{{'", "'.join(cmd)}}" {% endif %}]
diff --git a/gsc/Dockerfile.ubuntu18.04.compile.template b/gsc/Dockerfile.ubuntu18.04.compile.template
new file mode 100644
index 00000000..cf504d9a
--- /dev/null
+++ b/gsc/Dockerfile.ubuntu18.04.compile.template
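Review bot: `ENV http_proxy` / `ENV https_proxy` and the `>> /etc/apt/apt.conf.d/proxy.conf` write are placed in the final `FROM {{app_image}}` stage, so the produced GSC image carries the internal proxy settings into every runtime container and into the image's published config; Docker's predefined `http_proxy`/`https_proxy` build args (passed as `--build-arg http_proxy=…`, no `ARG` line needed) cover apt and pip during the build without persisting, and the proxy.conf file should then not be written at all, or be removed in the same `RUN` that used it — whether the gsc driver that renders this template forwards build args is not visible here. In the `pip install` line `toml>=0.10` is unquoted, so the shell reads `>=0.10` as a redirection: `toml` is installed unpinned and a stray file named `=0.10` is left in the working directory; quote it as `'toml>=0.10'` (the compile template hunk below has the same line). All `ENV key value` lines use the legacy space-separated form, e.g. `ENV LC_ALL=en_US.UTF-8` is the form current build checks expect. The `apt-get install` also lacks `--no-install-recommends` and the `rm -rf /var/lib/apt/lists/*` cleanup in the same layer, which inflates the runtime image.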
@@ -0,0 +1,50 @@
+FROM ubuntu:18.04 AS graphene
+ENV http_proxy "http://proxy-dmz.intel.com:911"
+ENV https_proxy "http://proxy-dmz.intel.com:912"
+
+RUN echo 'Acquire::http::proxy "http://proxy-dmz.intel.com:911/"; Acquire::https::proxy "http://proxy-dmz.intel.com:912/"; Acquire::ftp::proxy "ftp://proxy-dmz.intel.com:911/";' >> /etc/apt/apt.conf.d/proxy.conf
+
+RUN env DEBIAN_FRONTEND=noninteractive apt-get update \
+ && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
+ autoconf \
+ bison \
+ build-essential \
+ coreutils \
+ gawk \
+ git \
+ libcurl4-openssl-dev \
+ libprotobuf-c-dev \
+ meson \
+ protobuf-c-compiler \
+ python3 \
+ python3-pip \
+ python3-protobuf \
+ wget \
+ && python3 -B -m pip install --proxy=http://proxy-dmz.intel.com:911 toml>=0.10
+
+RUN git config --global http.proxy http://proxy-dmz.intel.com:911
+
+RUN git clone {{Graphene.Repository}} /graphene
+
+RUN cd /graphene \
+ && git fetch origin {{Graphene.Branch}} \
+ && git checkout {{Graphene.Branch}}
+
+{% if SGXDriver.Repository %}
+RUN cd /graphene/Pal/src/host/Linux-SGX \
+ && git clone {{SGXDriver.Repository}} linux-sgx-driver \
+ && cd linux-sgx-driver \
+ && git checkout {{SGXDriver.Branch}}
+ENV ISGX_DRIVER_PATH "/graphene/Pal/src/host/Linux-SGX/linux-sgx-driver"
+{% else %}
+ENV ISGX_DRIVER_PATH ""
+{% endif %}
+
+RUN cd /graphene \
+ && make -s -j WERROR=1 SGX=1 {% if debug %} DEBUG=1 {% endif %} \
+ && make -s -j WERROR=1 {% if debug %} DEBUG=1 {% endif %} \
+ && meson build --prefix="/graphene/meson_build_output" \
+ --buildtype={% if debug %}debug{% else %}release{% endif %} \
+ -Ddirect=enabled -Dsgx=enabled \
+ && ninja -C build \
+ && ninja -C build install
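Review bot: The `graphene` build stage hard-codes the corporate proxy in four separate places (`ENV http_proxy`/`https_proxy`, the `proxy.conf` echo, `pip --proxy=`, and `git config --global http.proxy`), so the template only builds on that network and the per-tool settings can disagree — `https_proxy` points at port 912 while the pip and git settings use 911, which may be intentional but is not explained. apt, pip and git all honour the `http_proxy`/`https_proxy` environment, and Docker passes those names as predefined build args without persisting them, so a single `--build-arg http_proxy=…` at build time can replace all four settings; whether the gsc driver that renders this template forwards build args is not visible here. `make -s -j` with no job count spawns unbounded parallel jobs, which on a shared CI agent can exhaust memory; `make -s -j"$(nproc)"` bounds it.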