[Pal/Linux-SGX] Generate gsgx.h using Meson

Signed-off-by: Paweł Marczewski <pawel@invisiblethingslab.com>

.ci/lib/stage-build-sgx.jenkinsfile

@@ -1,7 +1,9 @@
 stage('build') {
     sh '''
         cd Pal/src/host/Linux-SGX/signer/ && openssl genrsa -3 -out enclave-key.pem 3072
+    '''
 
+    sh '''
         cd /opt/intel
         git clone https://github.com/intel/linux-sgx-driver.git
         cd linux-sgx-driver
@@ -14,15 +16,10 @@ stage('build') {
         cd SGXDataCenterAttestationPrimitives
         git checkout DCAP_1.6
         # no need to build, we only need the SGX header file (sgx_oot.h)
-        # test the build with the DCAP driver v1.6 and clean up afterwards
-
-        cd "$WORKSPACE"
-        make ${MAKEOPTS} ISGX_DRIVER_PATH=/opt/intel/SGXDataCenterAttestationPrimitives/driver/linux
-        make ${MAKEOPTS} clean
     '''
 
     sh '''
-        make ${MAKEOPTS} ISGX_DRIVER_PATH=/opt/intel/linux-sgx-driver
+        make ${MAKEOPTS}
     '''
 
     env.MESON_OPTIONS = ''
@@ -33,13 +30,30 @@ stage('build') {
         env.MESON_OPTIONS += ' -Dasan=enabled'
     }
 
+    try {
+        sh '''
+            meson setup build-dcap/ \
+                --prefix="$PREFIX" \
+                --buildtype="$BUILDTYPE" \
+                -Ddirect=disabled \
+                -Dsgx=enabled \
+                -Dsgx_driver=dcap1.6 \
+                $MESON_OPTIONS
+            ninja -vC build-dcap
+        '''
+    } finally {
+        archiveArtifacts 'build-dcap/meson-logs/**/*'
+        sh 'rm -rf build-dcap'
+    }
+
     try {
         sh '''
             meson setup build/ \
                 --prefix="$PREFIX" \
                 --buildtype="$BUILDTYPE" \
                 -Ddirect=disabled \
                 -Dsgx=enabled \
+                -Dsgx_driver=oot \
                 $MESON_OPTIONS
             ninja -vC build/
             ninja -vC build/ install

Documentation/building.rst

@@ -149,28 +149,37 @@ commands::
    make
 
    # if you build gramine-sgx
-   make SGX=1 ISGX_DRIVER_PATH=<path-to-sgx-driver-sources>
-
-The path to the SGX driver sources must point to the absolute path where the SGX
-driver was downloaded or installed in the previous step. For example, for the
-DCAP version 33 of the SGX driver, you must specify
-``ISGX_DRIVER_PATH="/usr/src/sgx-1.33/"``. You can define
-``ISGX_DRIVER_PATH=""`` to use the default in-kernel driver's C header.
+   make SGX=1
 
 Running :command:`make SGX=1 sgx-tokens` in the test or regression directory
 will automatically generate the required SIGSTRUCT signatures (``.sig`` files)
 and EINITTOKENs (``.token`` files).
 
 Then install Gramine (recall that "direct" means non-SGX version)::
 
-   meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled
+   meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled \
+       -Dsgx_driver=<driver> -Dsgx_driver_path=<path-to-sgx-driver-sources>
    ninja -C build/
    sudo ninja -C build/ install
 
 Set ``-Ddirect=`` and ``-Dsgx=`` options to ``enabled`` or ``disabled``
 according to whether you built the corresponding PAL (the snippet assumes you
 built both).
 
+The ``-Dsgx_driver`` parameter controls which SGX driver to use:
+
+* ``upstream`` (default) for upstreamed in-kernel driver (mainline Linux kernel
+  5.11+),
+* ``dcap1.6`` for Intel DCAP version 1.6 or higher,  but below 1.10,
+* ``dcap1.10`` for Intel DCAP version 1.10 or higher,
+* ``oot`` for non-DCAP, out-of-tree version of the driver.
+
+The ``-Dsgx_driver_path`` parameter must point to the absolute path where the
+SGX driver was downloaded or installed in the previous step. For example, for
+the DCAP version 33 of the SGX driver, you must specify
+``-Dsgx_driver-path="/usr/src/sgx-1.33/"``. If this parameter is omitted,
+Gramine's build system will try to determine the right path.
+
 .. note::
 
    When installing from sources, Gramine executables are placed under

Documentation/cloud-deployment.rst

@@ -54,7 +54,7 @@ Building
 
 #. Build Gramine::
 
-       make ISGX_DRIVER_PATH=/usr/src/linux-headers-`uname -r`/arch/x86/ SGX=1
+       make SGX=1
        meson setup build/ --buildtype=release -Dsgx=enabled -Ddirect=disabled
        ninja -C build/
        sudo ninja -C build/ install

Documentation/quickstart.rst

@@ -72,7 +72,8 @@ descriptions in :doc:`building`.
           python3-pip python3-protobuf wget
       python3 -m pip install 'meson>=0.55' 'toml>=0.10'
       make
-      make ISGX_DRIVER_PATH="" SGX=1                  # this assumes Linux 5.11+
+      make SGX=1
+      # this assumes Linux 5.11+
       meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled
       ninja -C build/
       sudo ninja -C build/ install

Pal/src/host/Linux-SGX/.gitignore

@@ -1,8 +1,3 @@
-/asm-offsets.h
-/generated-offsets.s
-/generated_offsets.py
-/gsgx.h
-/pal-sgx
 /quote/aesm.pb-c.c
 /quote/aesm.pb-c.h
 

Pal/src/host/Linux-SGX/Makefile

@@ -2,7 +2,7 @@ include ../../../../Scripts/Makefile.configs
 include ../../../../Scripts/Makefile.rules
 
 .PHONY: all
-all: gdb_integration/sgx_gdb.so quote/aesm.pb-c.c quote/aesm.pb-c.h gsgx.h
+all: gdb_integration/sgx_gdb.so quote/aesm.pb-c.c quote/aesm.pb-c.h
 
 gdb_integration/sgx_gdb.so: CFLAGS =
 CFLAGS-gdb_integration/sgx_gdb.so = -shared -Wall -fPIC -O2 -std=c11
@@ -14,12 +14,8 @@ quote/aesm.pb-c.c quote/aesm.pb-c.h: quote/aesm.proto
 	@echo [ host/Linux-SGX/quote/aesm.pb-c.h ]
 	@protoc-c --c_out=. $<
 
-gsgx.h: gsgx.h.in
-	./link-intel-driver.py --input $< --output $@
-
 CLEAN_FILES += gdb_integration/sgx_gdb.so
 CLEAN_FILES += quote/aesm.pb-c.c quote/aesm.pb-c.h
-CLEAN_FILES += gsgx.h
 
 .PHONY: clean
 clean:

Pal/src/host/Linux-SGX/gsgx.h.in

@@ -13,7 +13,20 @@
 #include <linux/stddef.h>
 #include <linux/types.h>
 
-#include "@DRIVER_SGX_H@"
+#include <@CONFIG_SGX_DRIVER_HEADER@>
+
+#mesondefine CONFIG_SGX_DRIVER_UPSTREAM
+#mesondefine CONFIG_SGX_DRIVER_DCAP_1_6
+#mesondefine CONFIG_SGX_DRIVER_DCAP_1_10
+#mesondefine CONFIG_SGX_DRIVER_OOT
+
+#mesondefine CONFIG_SGX_DRIVER_DEVICE
+
+#if defined(CONFIG_SGX_DRIVER_DCAP_1_6) || defined(CONFIG_SGX_DRIVER_DCAP_1_10)
+#define SGX_DCAP 1
+#endif
+
+#define ISGX_FILE CONFIG_SGX_DRIVER_DEVICE
 
 #define GSGX_FILE  "/dev/gsgx"
 
@@ -48,8 +61,4 @@
 #define SGX_INVALID_LICENSE     SGX_INVALID_EINITTOKEN
 #endif
 
-#define ISGX_FILE "@ISGX_FILE@"
-
-@DEFINE_DCAP@
-
 #endif /* __ARCH_GSGX_H__ */

Pal/src/host/Linux-SGX/meson.build

@@ -1,17 +1,23 @@
 
 # TODO: We still depend on Makefile to generate some files used in this build:
 #
-# - gsgx.h
 # - quote/aesm.pb-c.[ch]
 # - sgx_integration/sgx_gdb.so
 
+gsgx_h = configure_file(
+    input: 'gsgx.h.in',
+    output: 'gsgx.h',
+    configuration: conf_sgx,
+)
+
 sgx_inc = [
     includes_pal_common,
     include_directories(
         '.',
         '../../../include/arch/@0@/Linux'.format(host_machine.cpu_family()),
         '../../../include/host/Linux-common',
         'protected-files',
+        sgx_driver_include_path,
     ),
 ]
 
@@ -29,6 +35,8 @@ cflags_pal_sgx = [
 # possible to generate this list from `sgx_inc`.
 sgx_inc_i = [
     '-I@0@'.format(meson.current_source_dir()),
+    '-I@0@'.format(meson.current_build_dir()),
+    '-I@0@'.format(sgx_driver_include_path),
     '-I@0@'.format(join_paths(meson.current_source_dir(),
                               'protected-files')),
     '-I@0@'.format(join_paths(meson.current_source_dir(),
@@ -119,6 +127,7 @@ libpal_sgx = shared_library('pal',
     pal_sgx_asm_offsets,
     pal_common_sources,
     pal_linux_common_sources_enclave,
+    gsgx_h,
 
     include_directories: sgx_inc,
 
@@ -172,6 +181,7 @@ executable('loader',
     'sgx_thread.c',
     pal_linux_common_sources_urts,
     pal_sgx_asm_offsets,
+    gsgx_h,
 
     include_directories: sgx_inc,
     c_args: [