microsoft · jumaffre · Oct 26, 2022 · Oct 21, 2022 · Oct 21, 2022 · Oct 21, 2022
@@ -50,11 +50,13 @@ jobs:
       - ${{ if eq(parameters.suffix, 'Perf') }}:
           - template: push_perf_data.yml
 
+      - ${{ if eq(parameters.suffix, 'Release') }}:
+          - template: install_deb.yml
+
       - ${{ if and(eq(parameters.suffix, 'Release'), eq(parameters.target, 'SGX')) }}:
           - template: cg.yml
           - template: publish_tls_report.yml
           - template: publish_compatibility_report.yml
-          - template: install_deb.yml
           - template: install_others.yml
           - template: publish_sbom.yml
 

@@ -11,7 +11,9 @@ parameters:
       pool: 1es-dv4-focal
     SGX:
       container: sgx
-      pool: 1es-dcv2-focal
+      pool: 1es-dcdv3-focal
+    SNPCC:
+      pool: sev-snp-pool
 
   build:
     common:
@@ -20,6 +22,8 @@ parameters:
       cmake_args: "-DCOMPILE_TARGET=virtual"
     SGX:
       cmake_args: "-DCOMPILE_TARGET=sgx"
+    SNPCC:
+      cmake_args: "-DCOMPILE_TARGET=snp"
     debug:
       cmake_args: "-DCMAKE_BUILD_TYPE=Debug -DLVI_MITIGATIONS=OFF -DVERBOSE_LOGGING=ON"
     perf:
@@ -104,6 +108,26 @@ jobs:
           ctest_filter: "${{ parameters.test.release.ctest_args }}"
           depends_on: configure
 
+      - template: common.yml
+        parameters:
+          target: SNPCC
+          env: ${{ parameters.env.SNPCC }}
+          cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.SNPCC.cmake_args }}"
+          suffix: "Release"
+          artifact_name: "SNPCC_Release"
+          ctest_filter: "${{ parameters.test.release.ctest_args }}"
+          depends_on: configure
+
+      - template: common.yml
+        parameters:
+          target: Virtual
+          env: ${{ parameters.env.Virtual }}
+          cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.release.cmake_args }} ${{ parameters.build.Virtual.cmake_args }}"
+          suffix: "Release"
+          artifact_name: "Virtual_Release"
+          ctest_filter: "${{ parameters.test.release.ctest_args }}"
+          depends_on: configure
+
       # Build that produces unsafe binaries for troubleshooting purposes
       - template: common.yml
         parameters:
@@ -121,4 +145,6 @@ jobs:
           depends_on:
             - Checks
             - SGX_Release
+            - Virtual_Release
+            - SNPCC_Release
             - SGX_Unsafe
@@ -14,10 +14,10 @@ jobs:
     name: "Build and Publish SGX CI Containers"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Truncate ref
-        run: echo "##[set-output name=tag;]${GITHUB_REF#refs/tags/ccf_ci_image/}"
+        run: echo "tag=${GITHUB_REF#refs/tags/ccf_ci_image/}" >> $GITHUB_OUTPUT
         id: tref
 
       - name: Build CCF CI container

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 

@@ -1,4 +1,4 @@
-name: "Build and Publish SGX Release Containers to ACR"
+name: "Build and Publish Release Containers to MCR"
 
 on:
   release:
@@ -7,38 +7,90 @@ on:
 env:
   ACR_REGISTRY: ccfmsrc.azurecr.io
   ACR_TOKEN_NAME: app-push-token
+  DOCKER_BUILDKIT: 1 # https://docs.docker.com/develop/develop-images/build_enhancements/
 
 jobs:
-  build:
-    name: "Build Containers"
+  build_and_publish:
+    name: "Build and publish containers for all platforms"
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
-      - name: Truncate ref
-        run: echo "##[set-output name=tag;]${GITHUB_REF#refs/tags/ccf-}"
+      - name: Get image tag from git tag (release) or latest (branch)
+        run: |
+          if [ ${GITHUB_REF} == *"ref/tags"* ]; then
+            echo "tag=${GITHUB_REF#refs/tags/ccf-}" >> $GITHUB_OUTPUT
+          else
+            echo "tag=latest" >> $GITHUB_OUTPUT
+          fi
         id: tref
 
-      - name: Build App Dev SGX container
-        run: docker build -f docker/app_dev . --build-arg="extra_vars=--extra-vars ccf_ver=${{steps.tref.outputs.tag}}" -t $ACR_REGISTRY/public/ccf/app/dev:${{steps.tref.outputs.tag}}-sgx -t $ACR_REGISTRY/public/ccf/app/dev:lts-devcontainer
+      # SGX
+      # Note: Keep SGX lts-devcontainer tag as default dev container until 4.x
+      - name: Build App Dev sgx container
+        run: docker build -f docker/app_dev . --build-arg="platform=sgx" --build-arg="ansible_vars=ccf_ver=${{ steps.tref.outputs.tag }}" -t $ACR_REGISTRY/public/ccf/app/dev:${{ steps.tref.outputs.tag }}-sgx -t $ACR_REGISTRY/public/ccf/app/dev:lts-devcontainer
+
+      - name: Build App Run sgx container
+        run: docker build -f docker/app_run . --build-arg="platform=sgx" --build-arg="ansible_vars=ccf_ver=${{steps.tref.outputs.tag}}" -t $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-sgx
+
+      - name: Build JS App Run sgx container
+        run: docker build -f docker/app_run . --build-arg="platform=sgx" --build-arg="ansible_vars=ccf_ver=${{steps.tref.outputs.tag}}  run_js=true" -t $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-sgx
+
+      # SNP
+      - name: Build App Dev snp container
+        run: docker build -f docker/app_dev . --build-arg="platform=snp" --build-arg="ansible_vars=ccf_ver=${{ steps.tref.outputs.tag }}" -t $ACR_REGISTRY/public/ccf/app/dev:${{ steps.tref.outputs.tag }}-snp
 
-      - name: Build App Run SGX container
-        run: docker build -f docker/app_run . --build-arg="extra_vars=--extra-vars ccf_ver=${{steps.tref.outputs.tag}}" -t $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-sgx
+      - name: Build App Run snp container
+        run: docker build -f docker/app_run . --build-arg="platform=snp" --build-arg="ansible_vars=ccf_ver=${{steps.tref.outputs.tag}}" -t $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-snp
 
-      - name: Build JS App Run SGX container
-        run: docker build -f docker/app_run . --build-arg="extra_vars=--extra-vars ccf_ver=${{steps.tref.outputs.tag}} --extra-vars run_js=true" -t $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-sgx
+      - name: Build JS App Run snp container
+        run: docker build -f docker/app_run . --build-arg="platform=snp" --build-arg="ansible_vars=ccf_ver=${{steps.tref.outputs.tag}}  run_js=true" -t $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-snp
 
+      # Virtual
+      - name: Build App Dev virtual container
+        run: docker build -f docker/app_dev . --build-arg="platform=virtual" --build-arg="ansible_vars=ccf_ver=${{ steps.tref.outputs.tag }}" -t $ACR_REGISTRY/public/ccf/app/dev:${{ steps.tref.outputs.tag }}-virtual
+
+      - name: Build App Run virtual container
+        run: docker build -f docker/app_run . --build-arg="platform=virtual" --build-arg="ansible_vars=ccf_ver=${{steps.tref.outputs.tag}}" -t $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-virtual
+
+      - name: Build JS App Run virtual container
+        run: docker build -f docker/app_run . --build-arg="platform=virtual" --build-arg="ansible_vars=ccf_ver=${{steps.tref.outputs.tag}}  run_js=true" -t $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-virtual
+
+      # Publish
       - name: Log in
         run: docker login -u $ACR_TOKEN_NAME -p ${{ secrets.ACR_APP_PUSH_TOKEN_PASSWORD }} $ACR_REGISTRY
 
-      - name: Push App Dev SGX container
+      ## SGX
+      - name: Push App Dev sgx container
         run: docker push $ACR_REGISTRY/public/ccf/app/dev:${{steps.tref.outputs.tag}}-sgx
 
-      - name: Push App Run SGX container
+        # Note: Keep SGX lts-devcontainer tag as default dev container until 4.x
+      - name: Push App Dev sgx container
+        run: docker push $ACR_REGISTRY/public/ccf/app/dev:lts-devcontainer
+
+      - name: Push App Run sgx container
         run: docker push $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-sgx
 
-      - name: Push JS App Run SGX container
+      - name: Push JS App Run sgx container
         run: docker push $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-sgx
 
-      - name: Push App Dev SGX devcontainer
-        run: docker push $ACR_REGISTRY/public/ccf/app/dev:lts-devcontainer
+      ## SNP
+      - name: Push App Dev snp container
+        run: docker push $ACR_REGISTRY/public/ccf/app/dev:${{steps.tref.outputs.tag}}-snp
+
+      - name: Push App Run snp container
+        run: docker push $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-snp
+
+      - name: Push JS App Run snp container
+        run: docker push $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-snp
+
+        ## Virtual
+      - name: Push App Dev virtual container
+        run: docker push $ACR_REGISTRY/public/ccf/app/dev:${{steps.tref.outputs.tag}}-virtual
+
+      - name: Push App Run virtual container
+        run: docker push $ACR_REGISTRY/public/ccf/app/run:${{steps.tref.outputs.tag}}-virtual
+
+      - name: Push JS App Run virtual container
+        run: docker push $ACR_REGISTRY/public/ccf/app/run-js:${{steps.tref.outputs.tag}}-virtual
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## [3.0.0-rc0]
 
 ### Removed
 
@@ -1737,3 +1737,4 @@ Initial pre-release
 [3.0.0-dev4]: https://github.com/microsoft/CCF/releases/tag/ccf-3.0.0-dev4
 [3.0.0-dev6]: https://github.com/microsoft/CCF/releases/tag/ccf-3.0.0-dev6
 [3.0.0-dev7]: https://github.com/microsoft/CCF/releases/tag/ccf-3.0.0-dev7
+[3.0.0-rc0]: https://github.com/microsoft/CCF/releases/tag/ccf-3.0.0-rc0
@@ -266,10 +266,8 @@ if(COMPILE_TARGET STREQUAL "sgx")
   target_compile_definitions(cchost PUBLIC PLATFORM_SGX)
 elseif(COMPILE_TARGET STREQUAL "snp")
   target_compile_definitions(cchost PUBLIC PLATFORM_SNP)
-  target_include_directories(cchost PRIVATE ${OE_INCLUDEDIR})
 elseif(COMPILE_TARGET STREQUAL "virtual")
   target_compile_definitions(cchost PUBLIC PLATFORM_VIRTUAL)
-  target_include_directories(cchost PRIVATE ${OE_INCLUDEDIR})
 endif()
 
 target_link_libraries(

@@ -8,19 +8,27 @@ set(CPACK_RESOURCE_FILE_LICENSE "${CCF_DIR}/LICENSE")
 set(CPACK_PACKAGE_VERSION ${CCF_RELEASE_VERSION})
 set(CPACK_PACKAGING_INSTALL_PREFIX ${CMAKE_INSTALL_PREFIX})
 
+set(CPACK_DEBIAN_PACKAGE_VERSION "${CCF_RELEASE_VERSION}-${COMPILE_TARGET}")
+
 if(CCF_VERSION_SUFFIX)
   set(CPACK_DEBIAN_PACKAGE_VERSION
-      "${CCF_RELEASE_VERSION}~${CCF_VERSION_SUFFIX}"
-  )
-  message(
-    STATUS "Debian package will include suffix: ${CPACK_DEBIAN_PACKAGE_VERSION}"
+      "${CPACK_DEBIAN_PACKAGE_VERSION}~${CCF_VERSION_SUFFIX}"
   )
 endif()
 
-# CPack variables for Debian packages
-set(CPACK_DEBIAN_PACKAGE_DEPENDS
-    "open-enclave (>=0.18.2), libuv1 (>= 1.34.2), libc++1-10, libc++abi1-10, openssl (>=1.1.1)"
+message(STATUS "Debian package version: ${CPACK_DEBIAN_PACKAGE_VERSION}")
+
+set(CCF_DEB_BASE_DEPENDENCIES
+    "libuv1 (>= 1.34.2);libc++1-10;libc++abi1-10;openssl (>=1.1.1)"
 )
+set(CCF_DEB_DEPENDENCIES ${CCF_DEB_BASE_DEPENDENCIES})
+
+if(COMPILE_TARGET STREQUAL "sgx")
+  list(APPEND CCF_DEB_DEPENDENCIES "open-enclave (>=0.18.2)")
+endif()
+
+list(JOIN CCF_DEB_DEPENDENCIES ", " CPACK_DEBIAN_PACKAGE_DEPENDS)
+
 set(CPACK_DEBIAN_FILE_NAME DEB-DEFAULT)
 
 include(CPack)
@@ -8,5 +8,5 @@ To build a given image, run:
 
 ```bash
 $ cd CCF/
-$ docker build -t <tag> -f docker/<app_run|app_dev|ccf_ci> .
+$ docker build -t <tag> -f docker/<app_run|app_dev|ccf_ci> --build-arg="target=<sgx|snp|virtual>" .
 ```
@@ -1,33 +1,34 @@
-# Application Continuous Integration image
-# Contains a CCF release, compile toolchain and Azure CLI tooling
+# Application Development image
+# Contains a CCF release for platform and toolchain for target platform
 
-FROM ubuntu:20.04
+ARG platform=sgx
 
-ARG extra_vars
+# SGX
+FROM ubuntu:20.04 AS base-sgx
 
-RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
+WORKDIR /
+COPY ./docker/sgx_deps_pin.sh /
+RUN ./sgx_deps_pin.sh && rm /sgx_deps_pin.sh
+
+# SNP
+FROM ubuntu:20.04 AS base-snp
 
-# Work-around for https://github.com/intel/linux-sgx/issues/395
-RUN mkdir -p /etc/init
+# Virtual
+FROM ubuntu:20.04 AS base-virtual
 
-ENV UBUNTU=focal
-ENV PSW_VERSION=2.17.100
-RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi
+# Final dev image
+FROM base-${platform} AS final
 
-RUN apt-get update && apt-get install -y wget gnupg
+ARG platform=sgx
+ARG ansible_vars
 
-# Use the APT preference file to pin sgx packages to specific versions
-# Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html
-# Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/
-# Assuming file name to follow *sgx_<PSW_VERSION>_${UBUNTU}_custom_version.cfg convention
-RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
-RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
+RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
 
-COPY getting_started/setup_vm/ /setup_vm/
+COPY getting_started/setup_vm/ /tmp/setup_vm/
 RUN apt update \
     && apt install -y ansible software-properties-common bsdmainutils dnsutils \
-    && cd setup_vm \
-    && ansible-playbook app-dev.yml $extra_vars \
+    && cd /tmp/setup_vm \
+    && ansible-playbook app-dev.yml --extra-vars "$ansible_vars" --extra-vars "platform=${platform}" \
     && rm -rf /tmp/* \
     && apt remove -y ansible software-properties-common \
     && apt -y autoremove \

@@ -1,33 +1,34 @@
 # Application Runtime image
-# Contains the cchost binary and its runtime dependencies
+# Contains the cchost binary and its runtime dependencies for target platform
 
-FROM ubuntu:20.04
+ARG platform=sgx
 
-ARG extra_vars
+# SGX
+FROM ubuntu:20.04 AS base-sgx
 
-RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
+WORKDIR /
+COPY ./docker/sgx_deps_pin.sh /
+RUN ./sgx_deps_pin.sh && rm ./sgx_deps_pin.sh
+
+# SNP
+FROM ubuntu:20.04 AS base-snp
 
-# Work-around for https://github.com/intel/linux-sgx/issues/395
-RUN mkdir -p /etc/init
+# Virtual
+FROM ubuntu:20.04 AS base-virtual
 
-ENV UBUNTU=focal
-ENV PSW_VERSION=2.17.100
-RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi
+# Final runtime image
+FROM base-${platform} AS final
 
-RUN apt-get update && apt-get install -y wget gnupg
+ARG platform=sgx
+ARG ansible_vars
 
-# Use the APT preference file to pin sgx packages to specific versions
-# Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html
-# Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/
-# Assuming file name to follow *sgx_<PSW_VERSION>_${UBUNTU}_custom_version.cfg convention
-RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
-RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
+RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
 
-COPY getting_started/setup_vm/ /setup_vm/
+COPY getting_started/setup_vm/ /tmp/setup_vm/
 RUN apt update \
     && apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
-    && cd setup_vm \
-    && ansible-playbook app-run.yml $extra_vars \
+    && cd /tmp/setup_vm \
+    && ansible-playbook app-run.yml --extra-vars "$ansible_vars" --extra-vars "platform=${platform}" \
     && rm -rf /tmp/* \
     && apt remove -y ansible software-properties-common curl \
     && apt -y autoremove \