-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run release enclaves without OE DEBUG flag #1083
Conversation
release_enclaves@7524 aka 20200422.5 vs master ewma over 50 builds from 7138 to 7499 |
@eddyashton could you check what the Debug flag in oe_sign.conf does and whether it makes sense to keep it? It feels like at least the samples should do away with it if we're defaulting to release, which I agree is a sensible choice. Given that change, I would suggest adding a "Debugging" entry in the documentation near the sample explaining the various places where Debug info can be turned on/off. |
I wonder whether the auto-produced test command in python should include |
@jumaffre that crossed my mind, but unless the .so is built at least with symbols, and possible signed with Debug=1, I'm not sure if that would help at all, so it's tempting to keep it simple. |
The Debug flag in
So if we want to allow optional debugging, this has to be enabled. Maybe there's no harm in building enclaves where this is an option? If we want to disallow it in A naive @jumaffre - I'd rather not add special case modifications to the test commands. Pausing and pretty-printing a command is a convenience, but it should also be possible to paste the commands from a 'real' run and get equivalent results. If we tweak the command slightly and it works one way but not the other, we're just introducing subtle complications. I'm leaning towards building debuggable enclaves all the time (at least as far as "you can attach gdb to it", and its just as useless without symbols as for any other app), but running most of our real-looking/recommended tests without this OE flag. Lets discuss further at standup. |
@@ -54,7 +53,6 @@ To add a new node to an existing opening network, other nodes should be started | |||
|
|||
$ cchost |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have a Debug/Debugging section that says "if you are going to be debugging, pass this flag and make sure the config has X, and be aware of the fact that your security guarantees are null and void", perhaps with a link to doc that exists about oegdb if any (or mention oegdb otherwise).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for updating the doc!
Previously all of our non-virtual runs used
OE_ENCLAVE_FLAG_DEBUG
. OE documentation on this is as follows:This PR adds a
release
option, plumbed through Python and intocchost
, which will launch a real OE enclave without this flag.Impact:
--enclave-type debug
inDebug
builds,--enclave-type release
otherwise), so we should know if either fails to launch. Of course this doesn't test that we can actually attachoegdb
to a debug build, and conversely if only therelease
build fails we have few tools to work out why...Debug
builds won't be debuggable with the auto-produced test commands. I think if you're editing these lines to pass them throughoegdb
, its easy to add--enclave-type debug
manually when you want it, and anyway there's little to see if you're not in aDebug
build