add sgx_mode arg to docker builds; add sgx device to docker compose t…

…ests; fix path of enclave code signing key; fix some xfer folder paths Signed-off-by: Bruno Vavala <[email protected]>
hyperledger-labs · Mar 15, 2024 · 132ba81 · 132ba81
1 parent e91a785
commit 132ba81
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 5 deletions.
diff --git a/build/Makefile b/build/Makefile
@@ -109,6 +109,7 @@ rebuild : clean-build build $(CONDITIONAL_REGISTER_TARGET)
 system-keys : ${PDO_ENCLAVE_CODE_SIGN_PEM}
 
 ${PDO_ENCLAVE_CODE_SIGN_PEM} :
+	mkdir -p ${PDO_HOME}/keys/sgx/
 	openssl genrsa -3 -out ${PDO_ENCLAVE_CODE_SIGN_PEM} 3072
 
 # SERVICES_COUNT is the number of services of each type to create

diff --git a/docker/Makefile b/docker/Makefile
@@ -45,6 +45,7 @@ DOCKER_DIR ?= ${PDO_SOURCE_ROOT}/docker
 DOCKER_USERNAME = $(LOGNAME)
 DOCKER_BUILDARGS += --build-arg UID=$(PDO_USER_UID)
 DOCKER_BUILDARGS += --build-arg GID=$(PDO_GROUP_UID)
+DOCKER_BUILDARGS += --build-arg SGX_MODE=$(SGX_MODE)
 DOCKER_ARGS = $(DOCKER_BUILDARGS)
 
 IMAGES=base client services_base services ccf_base ccf
@@ -127,11 +128,24 @@ TEST_FILES += -f services_base.yaml
 TEST_FILES += -f ccf_base.yaml
 TEST_FILES += -f test.yaml
 
+DOCKER_COMPOSE_COMMAND=docker-compose
+
+ifeq ($(SGX_MODE),HW)
+	TEST_FILES += -f test-sgx.yaml
+	SGX_DEVICE_PATH=$(shell if [ -e "/dev/isgx" ]; \
+					then echo "/dev/isgx"; \
+					elif [ -e "/dev/sgx/enclave" ]; \
+						then echo "/dev/sgx/enclave"; \
+					else echo "ERROR: NO SGX DEVICE FOUND"; \
+					fi)
+	DOCKER_COMPOSE_COMMAND := env SGX_MODE=$(SGX_MODE) SGX_DEVICE_PATH=${SGX_DEVICE_PATH} ${DOCKER_COMPOSE_COMMAND}
+endif
+
 build_test : repository build_services build_ccf build_client
 
 test : clean_config clean_repository build_test stop_all
-	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) up --abort-on-container-exit
-	PDO_VERSION=$(PDO_VERSION) docker-compose $(TEST_FILES) down
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) up --abort-on-container-exit
+	PDO_VERSION=$(PDO_VERSION) $(DOCKER_COMPOSE_COMMAND) $(TEST_FILES) down
 
 # -----------------------------------------------------------------
 # Cleaning is a bit interesting because the containers don't go away

diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ------------------------------------------------------------------------------
+version: "3.4"
+
+services:
+  services_container:
+    volumes:
+      - /var/run/aesmd:/var/run/aesmd
+    devices:
+      - ${SGX_DEVICE_PATH:-/dev/isgx}:${SGX_DEVICE_PATH:-/dev/isgx}
+
diff --git a/docker/tools/environment.sh b/docker/tools/environment.sh
@@ -55,7 +55,7 @@ fi
 
 # this variable is needed for the build for signing the
 # eservice and pservice enclaves
-export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem
+export PDO_ENCLAVE_CODE_SIGN_PEM=${PDO_HOME}/keys/sgx/enclave_code_sign.pem
 
 # these are only used for configuration and registration
 # they are not used at build or run time

diff --git a/docker/tools/run_services_tests.sh b/docker/tools/run_services_tests.sh
@@ -56,7 +56,7 @@ yell check for registration
 # -----------------------------------------------------------------
 # this probably requires additional CCF keys, need to test this
 if [ "$SGX_MODE" == "HW" ]; then
-    if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+    if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
         die unable to locate CCF policies keys
     fi
 

diff --git a/docker/tools/start_services.sh b/docker/tools/start_services.sh
@@ -115,7 +115,7 @@ try cp ${XFER_DIR}/ccf/keys/networkcert.pem ${PDO_LEDGER_KEY_ROOT}/
 yell register the enclave if necessary
 # -----------------------------------------------------------------
 if [ "${F_REGISTER,,}" == 'yes' ]; then
-    if [ ! -f ${XFER}/ccf/keys/memberccf_privk.pem ] ; then
+    if [ ! -f ${XFER_DIR}/ccf/keys/memberccf_privk.pem ] ; then
         die unable to locate CCF policies keys
     fi