diff --git a/.drone.yml b/.drone.yml index ad3b53152..679c23c30 100644 --- a/.drone.yml +++ b/.drone.yml @@ -128,7 +128,7 @@ steps: - . /root/.cargo/env - . /opt/sgxsdk/environment - mkdir -p build - - cd build && cmake -DTEST_MODE=ON .. + - cd build && cmake -DCMAKE_BUILD_TYPE=Release -DTEST_MODE=OFF .. - name: check image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: @@ -138,12 +138,7 @@ steps: image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: - . /root/.cargo/env - - cd build && cmake -DTEST_MODE=OFF .. && make VERBOSE=1 -j2 -- name: compile-test-mode - image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 - commands: - - . /root/.cargo/env - - cd build && cmake -DTEST_MODE=ON .. && make VERBOSE=1 -j2 + - cd build && make VERBOSE=1 -j2 - name: test image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 privileged: true @@ -161,7 +156,7 @@ steps: path: /var/run/aesmd/aesm.socket commands: - . /root/.cargo/env - - cd build && make run-tests + - cd build && make run-examples volumes: - name: isgx @@ -186,7 +181,7 @@ steps: - . /root/.cargo/env - . /opt/sgxsdk/environment - mkdir -p build - - cd build && cmake -DTEST_MODE=ON .. + - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON -DTEST_MODE=ON .. - name: check image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: @@ -196,9 +191,16 @@ steps: image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: - . /root/.cargo/env - - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2 + - cd build && make VERBOSE=1 -j2 - name: test image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 + environment: + AS_ALGO: sgx_epid + AS_URL: https://api.trustedservices.intel.com:443 + AS_KEY: + from_secret: V5_KEY + AS_SPID: + from_secret: V5_SPID commands: - . /root/.cargo/env - cd build && make run-tests 
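Review bot: The `test` step in the `@@ -196,9 +191,16 @@` hunk now receives the attestation-service credentials `AS_KEY` and `AS_SPID` from the `V5_KEY`/`V5_SPID` secrets, and that same step executes `make run-tests`, which runs scripts and binaries built from the checked-out tree. The pipeline's trigger section is not visible in this hunk, so it is worth confirming that these two secrets are not enabled for pull-request events; otherwise any code that runs in the step can read them from its environment. A comment above the block, such as `# IAS credentials: keep V5_KEY/V5_SPID disabled for pull-request builds`, would record that constraint next to the secret references.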
@@ -218,7 +220,7 @@ steps: - . /root/.cargo/env - . /opt/sgxsdk/environment - mkdir -p build - - cd build && cmake -DTEST_MODE=YES .. + - cd build && cmake -DCMAKE_BUILD_TYPE=Release -DSGX_SIM_MODE=ON -DTEST_MODE=OFF .. - name: check image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: @@ -228,12 +230,12 @@ steps: image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: - . /root/.cargo/env - - cd build && cmake -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2 + - cd build && make VERBOSE=1 -j2 - name: test image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9.1:0.1.0 commands: - . /root/.cargo/env - - cd build && make run-tests + - cd build && make run-examples node: instance: mesatee-sgx diff --git a/cmake/UtilTargets.cmake b/cmake/UtilTargets.cmake index e53b32e8a..5de4258b2 100644 --- a/cmake/UtilTargets.cmake +++ b/cmake/UtilTargets.cmake @@ -38,8 +38,6 @@ if(TEST_MODE) add_custom_target( run-functional-tests COMMAND ${TEACLAVE_COMMON_ENVS} ${MT_SCRIPT_DIR}/test.sh functional) - add_custom_target(run-examples COMMAND ${TEACLAVE_COMMON_ENVS} - ${MT_SCRIPT_DIR}/test.sh example) else() add_custom_target( run-tests @@ -49,6 +47,9 @@ else() ) endif() +add_custom_target(run-examples COMMAND ${TEACLAVE_COMMON_ENVS} + ${MT_SCRIPT_DIR}/test.sh example) + add_custom_target(cov COMMAND ${TEACLAVE_COMMON_ENVS} ${MT_SCRIPT_DIR}/gen_cov.sh) diff --git a/cmake/scripts/test.sh b/cmake/scripts/test.sh index c2b2fa910..64859a030 100755 --- a/cmake/scripts/test.sh +++ b/cmake/scripts/test.sh @@ -137,6 +137,7 @@ run_examples() { trap cleanup INT TERM ERR echo_title "examples" + mkdir -p /tmp/fusion_data pushd ${TEACLAVE_SERVICE_INSTALL_DIR} ./teaclave_authentication_service & ./teaclave_storage_service & diff --git a/services/execution/enclave/src/lib.rs b/services/execution/enclave/src/lib.rs index 77487d321..3d468695e 100644 --- a/services/execution/enclave/src/lib.rs +++ b/services/execution/enclave/src/lib.rs 
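Review bot: `mkdir -p /tmp/fusion_data` in `run_examples` (cmake/scripts/test.sh) uses a fixed name in a world-writable directory, and `-p` succeeds silently when the path already exists. On a shared runner the services would therefore write into whatever directory another user or an earlier run left there. Creating it with a restrictive mode and refusing a directory the current user does not own is safer, for example `mkdir -m 700 /tmp/fusion_data 2>/dev/null || [ -O /tmp/fusion_data ]`, and removing it in `cleanup` would keep data from carrying over between runs. The path presumably has to agree with the `fusion_base_dir` in the runtime config, so one variable should drive both. `run_examples` continues outside the hunk.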
@@ -24,9 +24,9 @@ extern crate sgx_tstd as std; use std::prelude::v1::*; use std::untrusted::path::PathEx; -use anyhow::{ensure, Result}; +use anyhow::{anyhow, ensure, Result}; -use teaclave_attestation::verifier; +use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation}; use teaclave_binder::proto::{ ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput, InitEnclaveInput, InitEnclaveOutput, StartServiceInput, StartServiceOutput, @@ -43,6 +43,11 @@ mod service; mod task_file_manager; fn start_service(config: &RuntimeConfig) -> Result<()> { + let attestation_config = AttestationConfig::from_teaclave_config(&config)?; + let attested_tls_config = RemoteAttestation::new(attestation_config) + .generate_and_endorse()? + .attested_tls_config() + .ok_or_else(|| anyhow!("cannot get attested TLS config"))?; let enclave_info = EnclaveInfo::verify_and_new( &config.audit.enclave_info_bytes, AUDITOR_PUBLIC_KEYS, @@ -54,7 +59,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { &enclave_info, AS_ROOT_CA_CERT, verifier::universal_quote_verifier, - ); + attested_tls_config, + )?; let fusion_base = config.mount.fusion_base_dir.clone(); diff --git a/services/frontend/enclave/src/lib.rs b/services/frontend/enclave/src/lib.rs index 12ce8021e..53990bbaa 100644 --- a/services/frontend/enclave/src/lib.rs +++ b/services/frontend/enclave/src/lib.rs @@ -53,7 +53,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { .generate_and_endorse()? .attested_tls_config() .ok_or_else(|| anyhow!("cannot get attested TLS config"))?; - let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)?; + let server_config = + SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())?; let mut server = SgxTrustedTlsServer::::new( listen_address, 
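Review bot: In the `@@ -43,6 +43,11 @@` hunk of services/execution/enclave/src/lib.rs, `AttestationConfig::from_teaclave_config(&config)` borrows `config` a second time although it is already a `&RuntimeConfig`. Assuming the function takes `&RuntimeConfig`, the call only compiles through deref coercion, and `AttestationConfig::from_teaclave_config(config)?` is the direct form. The attestation step is also placed before `EnclaveInfo::verify_and_new`, so a malformed or wrongly signed `enclave_info` is reported only after the quote has been generated and endorsed; running the local verification first would fail faster and avoid what is presumably a round trip to the attestation service. `start_service` continues outside the hunk.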
@@ -66,14 +67,16 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { &enclave_info, AS_ROOT_CA_CERT, verifier::universal_quote_verifier, - ); + attested_tls_config.clone(), + )?; let management_service_endpoint = create_trusted_management_endpoint( &config.internal_endpoints.management.advertised_address, &enclave_info, AS_ROOT_CA_CERT, verifier::universal_quote_verifier, - ); + attested_tls_config, + )?; let service = service::TeaclaveFrontendService::new( authentication_service_endpoint, diff --git a/services/management/enclave/src/lib.rs b/services/management/enclave/src/lib.rs index a5dbc116a..f4deec449 100644 --- a/services/management/enclave/src/lib.rs +++ b/services/management/enclave/src/lib.rs @@ -63,12 +63,13 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { None => Err(anyhow!("cannot get enclave attribute of {}", service)), }) .collect::>()?; - let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)? - .attestation_report_verifier( - accepted_enclave_attrs, - AS_ROOT_CA_CERT, - verifier::universal_quote_verifier, - )?; + let server_config = + SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())? + .attestation_report_verifier( + accepted_enclave_attrs, + AS_ROOT_CA_CERT, + verifier::universal_quote_verifier, + )?; let mut server = SgxTrustedTlsServer::::new( listen_address, @@ -80,7 +81,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { &enclave_info, AS_ROOT_CA_CERT, verifier::universal_quote_verifier, - ); + attested_tls_config, + )?; let service = service::TeaclaveManagementService::new(storage_service_endpoint)?; match server.start(service) { diff --git a/services/scheduler/enclave/src/lib.rs b/services/scheduler/enclave/src/lib.rs index 93b5943d7..9cd60deed 100644 --- a/services/scheduler/enclave/src/lib.rs +++ b/services/scheduler/enclave/src/lib.rs 
@@ -66,12 +66,13 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { None => Err(anyhow!("cannot get enclave attribute of {}", service)), }) .collect::>()?; - let server_config = SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config)? - .attestation_report_verifier( - accepted_enclave_attrs, - AS_ROOT_CA_CERT, - verifier::universal_quote_verifier, - )?; + let server_config = + SgxTrustedTlsServerConfig::from_attested_tls_config(attested_tls_config.clone())? + .attestation_report_verifier( + accepted_enclave_attrs, + AS_ROOT_CA_CERT, + verifier::universal_quote_verifier, + )?; let mut server = SgxTrustedTlsServer::::new( @@ -85,7 +86,8 @@ fn start_service(config: &RuntimeConfig) -> Result<()> { &enclave_info, AS_ROOT_CA_CERT, verifier::universal_quote_verifier, - ); + attested_tls_config, + )?; let service = service::TeaclaveSchedulerService::new(storage_service_endpoint)?; match server.start(service) { diff --git a/services/utils/service_enclave_utils/src/lib.rs b/services/utils/service_enclave_utils/src/lib.rs index 51e9fa1c4..0faba96c3 100644 --- a/services/utils/service_enclave_utils/src/lib.rs +++ b/services/utils/service_enclave_utils/src/lib.rs @@ -23,7 +23,9 @@ extern crate sgx_tstd as std; use log::debug; use log::error; use std::backtrace; +use std::sync::{Arc, SgxRwLock as RwLock}; use teaclave_attestation::verifier::AttestationReportVerificationFn; +use teaclave_attestation::AttestedTlsConfig; use teaclave_rpc::config::SgxTrustedTlsClientConfig; use teaclave_rpc::endpoint::Endpoint; use teaclave_types::EnclaveInfo; 
@@ -77,19 +79,21 @@ macro_rules! impl_create_trusted_endpoint_fn { enclave_info: &EnclaveInfo, as_root_ca_cert: &[u8], verifier: AttestationReportVerificationFn, - ) -> Endpoint { + attested_tls_config: Arc>, + ) -> anyhow::Result { let service_enclave_attrs = enclave_info .get_enclave_attr($enclave_attr) .expect("enclave_info"); - let service_client_config = SgxTrustedTlsClientConfig::new() - .attestation_report_verifier( - vec![service_enclave_attrs], - as_root_ca_cert, - verifier, - ); + let service_client_config = + SgxTrustedTlsClientConfig::from_attested_tls_config(attested_tls_config)? + .attestation_report_verifier( + vec![service_enclave_attrs], + as_root_ca_cert, + verifier, + ); let service_address = &advertised_address; - Endpoint::new(service_address).config(service_client_config) + Ok(Endpoint::new(service_address).config(service_client_config)) } }; }
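Review bot: The generated function now returns `anyhow::Result`, but a missing enclave attribute still aborts through `.expect("enclave_info")`, which panics inside the enclave instead of reaching the caller's `?`. Since every caller in this commit already propagates the result, the lookup can return an error as well: `.ok_or_else(|| anyhow::anyhow!("cannot get enclave attribute of {}", $enclave_attr))?`, which matches the message the management and scheduler services use for the same condition. This assumes `get_enclave_attr` returns an `Option` and that `$enclave_attr` implements `Display`. The new `attested_tls_config` parameter also deserves a line in a doc comment saying that it is what the client config is built from, presumably so the endpoint presents this enclave's attestation report to the peer. The macro body starts outside the hunk.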