Update to use 6.0.0-dev* CCF releases (#226)

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/microsoft/ccf/app/dev/virtual:ccf-5.0.6
+FROM ghcr.io/microsoft/ccf/app/dev/virtual:ccf-6.0.0-dev2
 
 # Dependency of the virtual build of attested-fetch.
 RUN apt-get update && apt-get install -y libcurl4-openssl-dev

.github/workflows/build-test.yml

@@ -13,7 +13,7 @@ jobs:
   checks:
     name: Format and License Checks
     runs-on: ubuntu-20.04
-    container: ghcr.io/microsoft/ccf/app/dev/virtual:ccf-5.0.6
+    container: ghcr.io/microsoft/ccf/app/dev/virtual:ccf-6.0.0-dev2
     steps:
       - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
       - name: Checkout repository
@@ -40,9 +40,11 @@ jobs:
             nodes: ubuntu-20.04
             options: --user root --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /lib/modules:/lib/modules:ro
             unit_tests_enabled: OFF
+        exclude:
+          - platform: { name: sgx }
     runs-on: ${{ matrix.platform.nodes }}
     container:
-      image: ghcr.io/microsoft/ccf/app/dev/${{ matrix.platform.image }}:ccf-5.0.6
+      image: ghcr.io/microsoft/ccf/app/dev/${{ matrix.platform.image }}:ccf-6.0.0-dev2
       options: ${{ matrix.platform.options }}
       env:
         # Helps to distinguish between CI and local builds.

.github/workflows/codeql.yml

@@ -17,7 +17,7 @@ jobs:
     name: Analyze
 
     runs-on: ubuntu-latest
-    container: ghcr.io/microsoft/ccf/app/dev/virtual:ccf-5.0.6
+    container: ghcr.io/microsoft/ccf/app/dev/virtual:ccf-6.0.0-dev2
 
     permissions:
       actions: read

.pipelines/pullrequest.yml

@@ -8,7 +8,7 @@ parameters: # parameters are shown up in ADO UI in a build queue time
 - name: CCF_VERSION
   displayName: Target CCF version to build for
   type: string
-  default: 5.0.6
+  default: 6.0.0-dev2
 
 variables:
   SCITT_CI: 1 # used in scitt builds and tests
@@ -147,72 +147,6 @@ extends:
       # when using custom pool image the usual container build support is not there so it 
       # need to be run manually through docker.
 
-      - job: test_sgx_with_perf
-        pool:
-          type: linux
-          isCustom: true
-          name: scitt-dc-pool
-        variables:
-          ob_outputDirectory: $(Build.SourcesDirectory)/out
-        steps:
-          - checkout: SCITT
-            path: s/
-            submodules: recursive
-            lfs: false
-          - script: |
-              docker run --rm \
-                --device /dev/sgx_enclave:/dev/sgx_enclave \
-                --device /dev/sgx_provision:/dev/sgx_provision \
-                --volume /dev/sgx:/dev/sgx \
-                --volume /var/run/docker.sock:/var/run/docker.sock \
-                --volume $(pwd):/opt/app \
-                --workdir /opt/app \
-                --env PLATFORM="sgx" \
-                --env CMAKE_BUILD_TYPE="Release" \
-                --env CCF_UNSAFE="OFF" \
-                --env BUILD_TESTS="OFF" \
-                --env ENABLE_CLANG_TIDY="OFF" \
-                --env NINJA_FLAGS="-k 0" \
-                --env CXXFLAGS="-ferror-limit=0" \
-                --env ENABLE_PERF_TESTS="true" \
-                ghcr.io/microsoft/ccf/app/dev/sgx:ccf-${{ parameters.CCF_VERSION }} /bin/bash -c '\
-                  git config --global --add safe.directory "*"; \
-                  sudo groupadd -fg $(/usr/bin/stat -Lc '%g' /dev/sgx/provision) sgx_prv; \
-                  sudo usermod -a -G sgx_prv $(whoami); \
-                  ./build.sh && \
-                  ./run_functional_tests.sh; \
-                  '
-            displayName: Build test sgx through a dev container
-
-    - stage: test_sgx_docker_build
-      jobs:
-      - job: test_sgx_docker_build
-        pool:
-          type: linux
-          isCustom: true
-          name: scitt-dc-pool
-        variables:
-          ob_outputDirectory: $(Build.SourcesDirectory)/out
-          PLATFORM: sgx
-          CXXFLAGS: -ferror-limit=0
-          NINJA_FLAGS: -k 0
-        steps:
-          - checkout: SCITT
-            path: s/
-            submodules: recursive
-            fetchTags: true
-            fetchDepth: 0
-            lfs: false
-          - script: ./docker/build.sh
-            displayName: Build sgx with Docker
-          - template: .pipelines/python.yml@self
-          - script: ./run_functional_tests.sh
-            displayName: Run Functional Tests
-            env:
-              PLATFORM: sgx
-              DOCKER: 1
-              ELEVATE_PRIVILEGES: true # needs privileged access to run did server on 443 port
-
     - stage: snp_build
       jobs:
       - job: snp_build

DEVELOPMENT.md

@@ -31,21 +31,18 @@ docker run --rm -it --env PLATFORM=virtual --volume $(pwd):/opt/app --workdir /o
 
 ### Develop within a host machine
 
-It is expected that you have Ubuntu 20.04. Follow the steps below to setup your development environment, replacing `<sgx|virtual|snp>` with either one, as desired:
+It is expected that you have Ubuntu 20.04. Follow the steps below to setup your development environment, replacing `<virtual|snp>` with either one, as desired:
 
-1. Set up your host machine: 
-    - If using SGX, it is recommended that you provision a virtual machine:
-      - On Azure, provision a DC-series VM, for example, [DCsv3](https://learn.microsoft.com/en-us/azure/virtual-machines/dcv3-series)
-      - Enable running SGX enclaves: `sudo usermod -a -G sgx_prv $(whoami)`
+1. Set up your host machine:
     - If using virtual mode, running Ubuntu 20.04 on any platform (WSL, VM, etc.) is enough
     - If using SNP, you should use a machine with SNP hardware support and a platform that allows to enforce security policies for containers running on it (e.g., [Confidential Containers on AKS](https://learn.microsoft.com/en-us/azure/aks/confidential-containers-overview), [Confidential Containers on ACI](https://learn.microsoft.com/en-us/azure/container-instances/container-instances-confidential-overview))
 
 2. Install dependencies:
     ```sh
-    wget https://github.com/microsoft/CCF/archive/refs/tags/ccf-5.0.6.tar.gz
-    tar xvzf ccf-5.0.6.tar.gz
-    cd CCF-ccf-5.0.6/getting_started/setup_vm/
-    ./run.sh app-dev.yml -e ccf_ver=5.0.6 -e platform=<sgx|virtual|snp> -e clang_version=<11|15>
+    wget https://github.com/microsoft/CCF/archive/refs/tags/ccf-6.0.0-dev2.tar.gz
+    tar xvzf ccf-6.0.0-dev2.tar.gz
+    cd CCF-ccf-6.0.0-dev2/getting_started/setup_vm/
+    ./run.sh app-dev.yml -e ccf_ver=6.0.0-dev2 -e platform=<virtual|snp> -e clang_version=15
     ```
 
 ## Compiling

app/CMakeLists.txt

@@ -18,14 +18,17 @@ set(COMPILE_TARGET "sgx" CACHE STRING "Target compilation platform, either 'sgx'
 option(CCF_UNSAFE "Use CCF's unsafe variant (must be separately installed)" OFF)
 option(BUILD_TESTS "Whether to build tests" ON)
 option(ENABLE_CLANG_TIDY "Run clang-tidy on the codebase" OFF)
+# Added as option to enable Azure Linux build in 6.0.0-dev2, will eventually be removed
+# once the transition to libstdc++ is complete
+set(USE_LIBCXX ON CACHE BOOL "Use libc++ instead of libstdc++")
 
 set(ATTESTED_FETCH_MRENCLAVE_HEX "" CACHE STRING "attested-fetch MRENCLAVE (hex)")
 set(DID_WEB_RESOLVER_SCRIPT "/tmp/scitt/fetch-did-web-doc.py" CACHE STRING "Path to the DID Web resolver script")
 
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
 
-find_package(ccf_${COMPILE_TARGET} 5.0.6 REQUIRED)
+find_package(ccf_${COMPILE_TARGET} 6.0.0 REQUIRED)
 
 include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/version.cmake)
 include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/target_link_system_libraries.cmake)

app/src/did/attested.h

@@ -7,7 +7,6 @@
 #include "did/resolver.h"
 #include "did/web/syntax.h"
 #include "generated/constants.h"
-#include "openenclave.h"
 #include "util.h"
 
 #include <algorithm>
@@ -117,49 +116,7 @@ namespace scitt::did
   static void verify_openenclave_attestation(
     const AttestedResolution& resolution)
   {
-    if (
-      !resolution.evidence.has_value() || !resolution.endorsements.has_value())
-    {
-      throw AttestedResolutionError(
-        "Evidence or endorsements missing from attestation");
-    }
-
-    // Verify evidence and extract claims.
-    oe::VerifyEvidenceResult evidence_result;
-    try
-    {
-      evidence_result = oe::verify_evidence(
-        oe::OE_UUID_SGX_ECDSA, *resolution.evidence, *resolution.endorsements);
-    }
-    catch (const std::exception& e)
-    {
-      throw AttestedResolutionError(
-        fmt::format("Failed to verify Open Enclave evidence: {}", e.what()));
-    }
-
-    // Match MRENCLAVE claim against known value.
-    auto mrenclave = evidence_result.claims.at("unique_id");
-
-    std::vector<uint8_t> expected_mrenclave =
-      ccf::ds::from_hex(ATTESTED_FETCH_MRENCLAVE_HEX);
-    if (mrenclave != expected_mrenclave)
-    {
-      throw AttestedResolutionError("MRENCLAVE does not match expected value");
-    }
-
-    // Match sgx_report_data custom claim against hash of format and data.
-    auto sgx_report_data = evidence_result.custom_claims.at("sgx_report_data");
-    auto format_hash = ccf::crypto::Sha256Hash(to_string(resolution.format));
-    auto data_hash = ccf::crypto::Sha256Hash(resolution.data);
-    auto computed_sgx_report_data =
-      ccf::crypto::Sha256Hash(format_hash, data_hash);
-    auto computed_sgx_report_data_vec = std::vector<uint8_t>(
-      computed_sgx_report_data.h.begin(), computed_sgx_report_data.h.end());
-    if (sgx_report_data != computed_sgx_report_data_vec)
-    {
-      throw AttestedResolutionError(
-        "SGX report data does not match computed hash");
-    }
+    throw AttestedResolutionError("Open Enclave attestation is not supported");
   }
 
   static DidResolutionResult verify_attested_resolution(
@@ -180,7 +137,8 @@ namespace scitt::did
         break;
 #else
       case EvidenceFormat::ATTESTED_FETCH_OE_SGX_ECDSA_V2:
-        verify_openenclave_attestation(resolution);
+        throw AttestedResolutionError(
+          "Open Enclave attestation is not supported");
         break;
 #endif
 

build.sh

@@ -66,7 +66,6 @@ CC="$CC" CXX="$CXX" \
     -DCOMPILE_TARGET="${PLATFORM}" \
     -DCCF_UNSAFE="${CCF_UNSAFE}" \
     -DBUILD_TESTS="${BUILD_TESTS}" \
-    -DLVI_MITIGATIONS=OFF \
     -DCMAKE_INSTALL_PREFIX=$install_dir \
     -DENABLE_CLANG_TIDY="${ENABLE_CLANG_TIDY}" \
     "$root_dir/app"

docker/snp.Dockerfile

@@ -1,4 +1,4 @@
-ARG CCF_VERSION=5.0.6
+ARG CCF_VERSION=6.0.0-dev2
 FROM ghcr.io/microsoft/ccf/app/dev/snp:ccf-${CCF_VERSION}  as builder
 ARG CCF_VERSION
 ARG SCITT_VERSION_OVERRIDE

docker/virtual.Dockerfile

@@ -1,4 +1,4 @@
-ARG CCF_VERSION=5.0.6
+ARG CCF_VERSION=6.0.0-dev2
 FROM ghcr.io/microsoft/ccf/app/dev/virtual:ccf-${CCF_VERSION}  as builder
 ARG CCF_VERSION
 ARG SCITT_VERSION_OVERRIDE

docs/reproducibility.md

@@ -39,13 +39,13 @@ To reproduce the same measurement do a docker build locally using the expected b
 
     ```
     $ cat docker/enclave.Dockerfile | grep CCF_VERSION=
-    ARG CCF_VERSION=5.0.6
+    ARG CCF_VERSION=6.0.0-dev2
     ```
 
 - Run a build inside of the CCF docker image and make sure to use a specific path (`__w/1/s`) to the sources as this is where our Azure build server copies the sources before building. If the build was done somewhere else, make sure to obtain the required path value:
 
     ```sh
-    $ export CCF_VERSION="5.0.6"
+    $ export CCF_VERSION="6.0.0-dev2"
     $ docker run -it --rm \
         -w /__w/1/s -v $(pwd):/__w/1/s \
         -v /var/run/docker.sock:/var/run/docker.sock \

pyscitt/setup.py

@@ -25,7 +25,7 @@
     },
     python_requires=">=3.8",
     install_requires=[
-        "ccf==5.0.6",
+        "ccf==6.0.0-dev2",
         "cryptography==43.*",  # needs to match ccf
         "httpx",
         "cbor2==5.4.*",

test/requirements.txt

@@ -3,5 +3,5 @@ httpx
 pytest
 loguru
 aiotools
-ccf==5.0.6
+ccf==6.0.0-dev2
 cryptography==43.*