From 8c7acb5c6084a6a6860e05b623c6ee22d16c0ab0 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Mon, 20 Apr 2020 16:08:16 +0100 Subject: [PATCH 01/15] Compare enclave_type with "virtual", not "debug" --- tests/code_update.py | 2 +- tests/governance.py | 2 +- tests/reconfiguration.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/code_update.py b/tests/code_update.py index 5d014f10bc7..f2ba5644d69 100644 --- a/tests/code_update.py +++ b/tests/code_update.py @@ -110,7 +110,7 @@ def add(parser): ) args = infra.e2e_args.cli_args(add) - if args.enclave_type != "debug": + if args.enclave_type == "virtual": LOG.warning("Skipping code update test with virtual enclave") sys.exit() diff --git a/tests/governance.py b/tests/governance.py index fafa19eed50..5adfb950de6 100644 --- a/tests/governance.py +++ b/tests/governance.py @@ -53,7 +53,7 @@ def add(parser): args = infra.e2e_args.cli_args(add=add) - if args.enclave_type != "debug": + if args.enclave_type == "virtual": LOG.warning("This test can only run in real enclaves, skipping") sys.exit(0) diff --git a/tests/reconfiguration.py b/tests/reconfiguration.py index 57ed6e78953..ac28cc9c93d 100644 --- a/tests/reconfiguration.py +++ b/tests/reconfiguration.py @@ -48,7 +48,7 @@ def test_add_as_many_pending_nodes(network, args): @reqs.description("Add node with untrusted code version") def test_add_node_untrusted_code(network, args): - if args.enclave_type == "debug": + if args.enclave_type != "virtual": LOG.info("Adding an invalid node (unknown code id)") code_not_found_exception = None try: From 7c46cf113914ca537dd23955aee3c2989523139f Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Mon, 20 Apr 2020 16:09:44 +0100 Subject: [PATCH 02/15] Add a RELEASE EnclaveType in C++ --- src/host/main.cpp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/host/main.cpp b/src/host/main.cpp index 739f7794edf..05e2eab63ba 100644 --- a/src/host/main.cpp +++ b/src/host/main.cpp 
@@ -48,12 +48,15 @@ int main(int argc, char** argv) enum EnclaveType { + RELEASE, DEBUG, VIRTUAL }; std::vector> enclave_type_map = { - {"debug", EnclaveType::DEBUG}, {"virtual", EnclaveType::VIRTUAL}}; + {"release", EnclaveType::RELEASE}, + {"debug", EnclaveType::DEBUG}, + {"virtual", EnclaveType::VIRTUAL}}; EnclaveType enclave_type; app.add_option("-t,--enclave-type", enclave_type, "Enclave type") @@ -400,6 +403,10 @@ int main(int argc, char** argv) switch (enclave_type) { + case EnclaveType::RELEASE: + { + break; + } case EnclaveType::DEBUG: { oe_flags |= OE_ENCLAVE_FLAG_DEBUG; From 52365d9393290c86ab192a21cd92e5444847e07e Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Mon, 20 Apr 2020 16:20:15 +0100 Subject: [PATCH 03/15] Plumb through 'release' option, as default --- sphinx/source/operators/recovery.rst | 1 - sphinx/source/operators/start_network.rst | 2 -- tests/infra/e2e_args.py | 4 ++-- tests/infra/node.py | 2 +- tests/infra/path.py | 12 +++++++----- 5 files changed, 10 insertions(+), 11 deletions(-) diff --git a/sphinx/source/operators/recovery.rst b/sphinx/source/operators/recovery.rst index d11bc281aed..edd58912a29 100644 --- a/sphinx/source/operators/recovery.rst +++ b/sphinx/source/operators/recovery.rst @@ -24,7 +24,6 @@ To initiate the first phase of the recovery protocol, one or several nodes shoul $ cchost --enclave-file /path/to/enclave_library - --enclave-type debug --node-address node_ip:node_port --rpc-address --public-rpc-address diff --git a/sphinx/source/operators/start_network.rst b/sphinx/source/operators/start_network.rst index 0cb63e6c631..857009cbc40 100644 --- a/sphinx/source/operators/start_network.rst +++ b/sphinx/source/operators/start_network.rst @@ -15,7 +15,6 @@ To create a new CCF network, the first node of the network should be started wit $ cchost --enclave-file /path/to/enclave_library - --enclave-type debug --node-address node_ip:node_port --rpc-address --public-rpc-address 
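Review bot: `EnclaveType enclave_type;` in the first main.cpp hunk still has no initializer, while the documentation hunks later in this series drop `--enclave-type debug` from the cchost command lines. Whether the option is marked required is decided outside the hunk: if it is, the documented commands no longer start; if it is not, `switch (enclave_type)` in the second hunk reads an indeterminate value. Initialising it makes the non-debug choice explicit, `EnclaveType enclave_type = EnclaveType::RELEASE;`. The empty `case EnclaveType::RELEASE:` would also benefit from a one-line comment such as `// Deliberately no OE_ENCLAVE_FLAG_DEBUG: the enclave is created without debugger access`.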
@@ -54,7 +53,6 @@ To add a new node to an existing opening network, other nodes should be started $ cchost --enclave-file /path/to/enclave_library - --enclave-type debug --node-address node_ip:node_port --rpc-address --public-rpc-address diff --git a/tests/infra/e2e_args.py b/tests/infra/e2e_args.py index e8880be13d2..ff18b328eee 100644 --- a/tests/infra/e2e_args.py +++ b/tests/infra/e2e_args.py @@ -35,8 +35,8 @@ def cli_args(add=lambda x: None, parser=None, accept_unknown=False): "-e", "--enclave-type", help="Enclave type", - default=os.getenv("TEST_ENCLAVE", "debug"), - choices=("debug", "virtual"), + default=os.getenv("TEST_ENCLAVE", "release"), + choices=("release", "debug", "virtual"), ) parser.add_argument( "-l", diff --git a/tests/infra/node.py b/tests/infra/node.py index cc03cbab4ff..9f737916f23 100644 --- a/tests/infra/node.py +++ b/tests/infra/node.py @@ -137,7 +137,7 @@ def _start( If self.debug is set to True, it will not actually start up the node, but will prompt the user to do so manually Raises exception if failed to prepare or start the node :param lib_name: the enclave package to load - :param enclave_type: default: debug. Choices: 'debug', 'virtual' + :param enclave_type: default: release. Choices: 'release', 'debug', 'virtual' :param workspace: directory where node is started :param label: label for this node (to differentiate nodes from different test runs) :return: void diff --git a/tests/infra/path.py b/tests/infra/path.py index 409afc5418a..3d2edb37a04 100644 --- a/tests/infra/path.py +++ b/tests/infra/path.py 
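Review bot: The `default=os.getenv("TEST_ENCLAVE", "release")` in the e2e_args.py hunk is not checked against the extended `choices`, because argparse applies `choices` only to values given on the command line. A mistyped `TEST_ENCLAVE` therefore reaches the tests as an arbitrary string, and the `!= "virtual"` comparisons introduced in patch 01 would treat it as a real enclave. Consider validating once after parsing, for example `if args.enclave_type not in ("release", "debug", "virtual"): parser.error(f"Unknown enclave type {args.enclave_type}")`. The parsing itself happens outside this hunk, so the exact placement needs checking against the rest of `cli_args`.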
@@ -18,14 +18,16 @@ def mk_new(name, contents): mk(name, contents) -def build_lib_path(lib_name, enclave_type="debug"): +def build_lib_path(lib_name, enclave_type=None): VIRTUAL_EXT = ".virtual.so" SIGNED_EXT = ".enclave.so.signed" if os.path.isfile(lib_name): - if enclave_type == "virtual" and VIRTUAL_EXT not in lib_name: - raise ValueError(f"Virtual mode requires {VIRTUAL_EXT} enclave image") - elif enclave_type == "debug" and SIGNED_EXT not in lib_name: - raise ValueError(f"Real enclave requires {SIGNED_EXT} enclave image") + if enclave_type == "virtual": + if VIRTUAL_EXT not in lib_name: + raise ValueError(f"Virtual mode requires {VIRTUAL_EXT} enclave image") + else: + if SIGNED_EXT not in lib_name: + raise ValueError(f"Real enclave requires {SIGNED_EXT} enclave image") return lib_name else: ext = VIRTUAL_EXT if enclave_type == "virtual" else SIGNED_EXT From 9929d61c4c95dc8fe2b29ea78c980ed288d4fdb3 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Mon, 20 Apr 2020 16:27:07 +0100 Subject: [PATCH 04/15] Set -e debug for Debug builds --- cmake/common.cmake | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cmake/common.cmake b/cmake/common.cmake index b3bd1a6c441..ea7bbc95d4d 100644 --- a/cmake/common.cmake +++ b/cmake/common.cmake @@ -117,8 +117,12 @@ if("sgx" IN_LIST COMPILE_TARGETS) set(QUOTES_ENABLED ON) endif() endif() + + if(CMAKE_BUILD_TYPE STREQUAL "Debug") + set(TEST_ENCLAVE_TYPE "-e debug") + endif() else() - set(TEST_ENCLAVE_TYPE -e virtual) + set(TEST_ENCLAVE_TYPE "-e virtual") endif() # Lua module From de866798d4f0570618da133eb3aa7bd470cc52c6 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Mon, 20 Apr 2020 17:03:59 +0100 Subject: [PATCH 05/15] Whoops quotes --- cmake/common.cmake | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmake/common.cmake b/cmake/common.cmake index ea7bbc95d4d..a8536e16cd9 100644 --- a/cmake/common.cmake +++ b/cmake/common.cmake 
@@ -119,10 +119,10 @@ if("sgx" IN_LIST COMPILE_TARGETS) endif() if(CMAKE_BUILD_TYPE STREQUAL "Debug") - set(TEST_ENCLAVE_TYPE "-e debug") + set(TEST_ENCLAVE_TYPE -e debug) endif() else() - set(TEST_ENCLAVE_TYPE "-e virtual") + set(TEST_ENCLAVE_TYPE -e virtual) endif() # Lua module From 2e4f482502f18f703d81a07405a8e2fb4e90b8f8 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 15:17:23 +0100 Subject: [PATCH 06/15] Remove Debug= lines --- samples/apps/smallbank/app/oe_sign.conf | 1 - samples/apps/txregulator/app/oe_sign.conf | 1 - src/apps/batched/oe_sign.conf | 1 - src/apps/js_generic/oe_sign.conf | 1 - src/apps/logging/oe_sign.conf | 1 - src/apps/lua_generic/oe_sign.conf | 1 - 6 files changed, 6 deletions(-) diff --git a/samples/apps/smallbank/app/oe_sign.conf b/samples/apps/smallbank/app/oe_sign.conf index c2ea4dbeb69..8d675d9e9f3 100644 --- a/samples/apps/smallbank/app/oe_sign.conf +++ b/samples/apps/smallbank/app/oe_sign.conf @@ -1,5 +1,4 @@ # Enclave settings: -Debug=1 NumHeapPages=327680 NumStackPages=1024 NumTCS=8 diff --git a/samples/apps/txregulator/app/oe_sign.conf b/samples/apps/txregulator/app/oe_sign.conf index 69255f0058a..2181cf78844 100644 --- a/samples/apps/txregulator/app/oe_sign.conf +++ b/samples/apps/txregulator/app/oe_sign.conf @@ -1,5 +1,4 @@ # Enclave settings: -Debug=1 NumHeapPages=50000 NumStackPages=1024 NumTCS=8 diff --git a/src/apps/batched/oe_sign.conf b/src/apps/batched/oe_sign.conf index 69255f0058a..2181cf78844 100644 --- a/src/apps/batched/oe_sign.conf +++ b/src/apps/batched/oe_sign.conf @@ -1,5 +1,4 @@ # Enclave settings: -Debug=1 NumHeapPages=50000 NumStackPages=1024 NumTCS=8 diff --git a/src/apps/js_generic/oe_sign.conf b/src/apps/js_generic/oe_sign.conf index 6a1fdb71275..d9fc0156dc3 100644 --- a/src/apps/js_generic/oe_sign.conf +++ b/src/apps/js_generic/oe_sign.conf @@ -1,5 +1,4 @@ # Enclave settings: -Debug=1 NumHeapPages=131072 NumStackPages=1024 NumTCS=8 
diff --git a/src/apps/logging/oe_sign.conf b/src/apps/logging/oe_sign.conf index 69255f0058a..2181cf78844 100644 --- a/src/apps/logging/oe_sign.conf +++ b/src/apps/logging/oe_sign.conf @@ -1,5 +1,4 @@ # Enclave settings: -Debug=1 NumHeapPages=50000 NumStackPages=1024 NumTCS=8 diff --git a/src/apps/lua_generic/oe_sign.conf b/src/apps/lua_generic/oe_sign.conf index e454890f66d..aaab860797f 100644 --- a/src/apps/lua_generic/oe_sign.conf +++ b/src/apps/lua_generic/oe_sign.conf @@ -1,5 +1,4 @@ # Enclave settings: -Debug=1 NumHeapPages=32768 NumStackPages=1024 NumTCS=8 From 7f5106583ae1a80e76eeea11c58220e2c8ab7537 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 15:45:22 +0100 Subject: [PATCH 07/15] Produce debuggable AND release libs, all the time --- cmake/ccf_app.cmake | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake index 1ce54cd68e7..07fb7fb5631 100644 --- a/cmake/ccf_app.cmake +++ b/cmake/ccf_app.cmake 
@@ -38,11 +38,48 @@ find_package(OpenEnclave 0.8 CONFIG REQUIRED) # Sign a built enclave library with oesign function(sign_app_library name app_oe_conf_path enclave_sign_key_path) if(TARGET ${name}) + # Produce a debuggable variant. This doesn't need to be 'signed', but oesign + # also stamps the other config (heap size etc) which _are_ needed + set(DEBUG_CONF_NAME ${CMAKE_CURRENT_BINARY_DIR}/${name}.debuggable.conf) + + # Need to put in a temp folder, as oesign has a fixed output path, so multiple calls + # will force unnecessary rebuild + set(TMP_FOLDER ${CMAKE_CURRENT_BINARY_DIR}/${name}_tmp) + add_custom_command( + OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable + COMMAND + cp ${app_oe_conf_path} ${DEBUG_CONF_NAME} + COMMAND + echo "Debug=1" >> ${DEBUG_CONF_NAME} + COMMAND + mkdir -p ${TMP_FOLDER} + COMMAND + ln -s ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so ${TMP_FOLDER}/lib${name}.so + COMMAND + openenclave::oesign sign -e ${TMP_FOLDER}/lib${name}.so -c + ${DEBUG_CONF_NAME} -k ${enclave_sign_key_path} + COMMAND mv ${TMP_FOLDER}/lib${name}.so ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so ${app_oe_conf_path} + ${enclave_sign_key_path} + ) + + add_custom_target( + ${name}_debuggable ALL + DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable + ) + + # Produce a releaseable signed variant. This is NOT debuggable - oegdb cannot + # be attached + set(SIGNED_CONF_NAME ${CMAKE_CURRENT_BINARY_DIR}/${name}.signed.conf) add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.signed + COMMAND + cp ${app_oe_conf_path} ${SIGNED_CONF_NAME} + COMMAND + echo "Debug=0" >> ${SIGNED_CONF_NAME} COMMAND openenclave::oesign sign -e ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so -c - ${app_oe_conf_path} -k ${enclave_sign_key_path} + ${SIGNED_CONF_NAME} -k ${enclave_sign_key_path} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so ${app_oe_conf_path} ${enclave_sign_key_path} ) 
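Review bot: Appending `Debug=0` with `echo "Debug=0" >> ${SIGNED_CONF_NAME}` gives a non-debuggable image only if the app's own oe_sign.conf has no `Debug=` line. Patch 06 removes that line from the in-tree configs, but `sign_app_library` is presumably also called with configs written by app developers. A config that still has `Debug=1` leaves two conflicting entries in the conf used for the releaseable variant, and how oesign resolves that is not visible here. Filtering the key while copying (for example `grep -v "^Debug=" ${app_oe_conf_path} > ${SIGNED_CONF_NAME}` in place of the `cp`), or failing the build when it is present, would make the release path independent of the input; the same applies to the debuggable conf and to the reformatted commands in patch 10. Both variants are also signed with the same `enclave_sign_key_path`, so a verifier that checks only the signer cannot tell them apart and should check the debug attribute in the quote too.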
From fdc78b05b3bff78dc30cad3d0bcb2cdf3c7e4820 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 15:58:34 +0100 Subject: [PATCH 08/15] Mangle correct extension for debuggable libs --- tests/infra/path.py | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/tests/infra/path.py b/tests/infra/path.py index 3d2edb37a04..fe0894fb63c 100644 --- a/tests/infra/path.py +++ b/tests/infra/path.py @@ -19,18 +19,20 @@ def mk_new(name, contents): def build_lib_path(lib_name, enclave_type=None): - VIRTUAL_EXT = ".virtual.so" - SIGNED_EXT = ".enclave.so.signed" + if enclave_type == "virtual": + ext = ".virtual.so" + mode = "Virtual mode" + elif enclave_type == "debug": + ext = ".enclave.so.debuggable" + mode = "Debuggable enclave" + else: + ext = ".enclave.so.signed" + mode = "Real enclave" if os.path.isfile(lib_name): - if enclave_type == "virtual": - if VIRTUAL_EXT not in lib_name: - raise ValueError(f"Virtual mode requires {VIRTUAL_EXT} enclave image") - else: - if SIGNED_EXT not in lib_name: - raise ValueError(f"Real enclave requires {SIGNED_EXT} enclave image") + if ext not in lib_name: + raise ValueError(f"{mode} requires {ext} enclave image") return lib_name else: - ext = VIRTUAL_EXT if enclave_type == "virtual" else SIGNED_EXT # Make sure relative paths include current directory. Absolute paths will be unaffected return os.path.join(".", os.path.normpath(f"{lib_name}{ext}")) From 4369457a76288017cd91df66961702607353a06f Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 16:06:11 +0100 Subject: [PATCH 09/15] Copy correct file, remove temp dir --- cmake/ccf_app.cmake | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake index 07fb7fb5631..e7ece928dc4 100644 --- a/cmake/ccf_app.cmake +++ b/cmake/ccf_app.cmake 
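Review bot: `if ext not in lib_name:` in `build_lib_path` is a substring test, so it accepts an existing file such as `libfoo.enclave.so.signed.bak`, or any path whose directory name contains the extension. `if not lib_name.endswith(ext):` checks what the error message claims. The final `else` also maps every unrecognised `enclave_type`, including the `None` default, to the signed release image. That is the safe direction, but a comment such as `# Anything other than "virtual"/"debug" is treated as a release enclave` would show that it is deliberate.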
@@ -58,7 +58,9 @@ function(sign_app_library name app_oe_conf_path enclave_sign_key_path) COMMAND openenclave::oesign sign -e ${TMP_FOLDER}/lib${name}.so -c ${DEBUG_CONF_NAME} -k ${enclave_sign_key_path} - COMMAND mv ${TMP_FOLDER}/lib${name}.so ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable + COMMAND mv ${TMP_FOLDER}/lib${name}.so.signed ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable + COMMAND + rm -rf ${TMP_FOLDER} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so ${app_oe_conf_path} ${enclave_sign_key_path} ) From 3975a00bdbddfb4cce1299fba551c4763220ebaf Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 16:07:26 +0100 Subject: [PATCH 10/15] cmake-format --- cmake/ccf_app.cmake | 40 +++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake index e7ece928dc4..9973adca334 100644 --- a/cmake/ccf_app.cmake +++ b/cmake/ccf_app.cmake 
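Review bot: The `rm -rf ${TMP_FOLDER}` added here runs only after `oesign` and `mv` have succeeded. A build that is interrupted or fails after `ln -s` leaves the symlink behind, and the next run then stops at `ln -s` because the link already exists. Clearing the folder at the start of the command list (`COMMAND rm -rf ${TMP_FOLDER}` before the `mkdir -p`) or using `ln -sf` makes the rule re-runnable. The command list starts outside this hunk, and the reformatted version in patch 10 keeps the same order.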
@@ -42,25 +42,21 @@ function(sign_app_library name app_oe_conf_path enclave_sign_key_path) # also stamps the other config (heap size etc) which _are_ needed set(DEBUG_CONF_NAME ${CMAKE_CURRENT_BINARY_DIR}/${name}.debuggable.conf) - # Need to put in a temp folder, as oesign has a fixed output path, so multiple calls - # will force unnecessary rebuild - set(TMP_FOLDER ${CMAKE_CURRENT_BINARY_DIR}/${name}_tmp) + # Need to put in a temp folder, as oesign has a fixed output path, so + # multiple calls will force unnecessary rebuild + set(TMP_FOLDER ${CMAKE_CURRENT_BINARY_DIR}/${name}_tmp) add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable - COMMAND - cp ${app_oe_conf_path} ${DEBUG_CONF_NAME} - COMMAND - echo "Debug=1" >> ${DEBUG_CONF_NAME} - COMMAND - mkdir -p ${TMP_FOLDER} - COMMAND - ln -s ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so ${TMP_FOLDER}/lib${name}.so - COMMAND - openenclave::oesign sign -e ${TMP_FOLDER}/lib${name}.so -c - ${DEBUG_CONF_NAME} -k ${enclave_sign_key_path} - COMMAND mv ${TMP_FOLDER}/lib${name}.so.signed ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable - COMMAND - rm -rf ${TMP_FOLDER} + COMMAND cp ${app_oe_conf_path} ${DEBUG_CONF_NAME} + COMMAND echo "Debug=1" >> ${DEBUG_CONF_NAME} + COMMAND mkdir -p ${TMP_FOLDER} + COMMAND ln -s ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so + ${TMP_FOLDER}/lib${name}.so + COMMAND openenclave::oesign sign -e ${TMP_FOLDER}/lib${name}.so -c + ${DEBUG_CONF_NAME} -k ${enclave_sign_key_path} + COMMAND mv ${TMP_FOLDER}/lib${name}.so.signed + ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable + COMMAND rm -rf ${TMP_FOLDER} DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so ${app_oe_conf_path} ${enclave_sign_key_path} ) 
@@ -70,15 +66,13 @@ function(sign_app_library name app_oe_conf_path enclave_sign_key_path) DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable ) - # Produce a releaseable signed variant. This is NOT debuggable - oegdb cannot - # be attached + # Produce a releaseable signed variant. This is NOT debuggable - oegdb + # cannot be attached set(SIGNED_CONF_NAME ${CMAKE_CURRENT_BINARY_DIR}/${name}.signed.conf) add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.signed - COMMAND - cp ${app_oe_conf_path} ${SIGNED_CONF_NAME} - COMMAND - echo "Debug=0" >> ${SIGNED_CONF_NAME} + COMMAND cp ${app_oe_conf_path} ${SIGNED_CONF_NAME} + COMMAND echo "Debug=0" >> ${SIGNED_CONF_NAME} COMMAND openenclave::oesign sign -e ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so -c ${SIGNED_CONF_NAME} -k ${enclave_sign_key_path} From 36bfc448f50043befa15e48ca1a33ce715ecda1d Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 16:07:58 +0100 Subject: [PATCH 11/15] Clarity --- cmake/ccf_app.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake index 9973adca334..50893dfe576 100644 --- a/cmake/ccf_app.cmake +++ b/cmake/ccf_app.cmake @@ -43,7 +43,7 @@ function(sign_app_library name app_oe_conf_path enclave_sign_key_path) set(DEBUG_CONF_NAME ${CMAKE_CURRENT_BINARY_DIR}/${name}.debuggable.conf) # Need to put in a temp folder, as oesign has a fixed output path, so - # multiple calls will force unnecessary rebuild + # multiple calls will force unnecessary rebuilds set(TMP_FOLDER ${CMAKE_CURRENT_BINARY_DIR}/${name}_tmp) add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lib${name}.so.debuggable From f66ab94cbed3a83dcc57108b94d0d99a6c128dad Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 16:18:30 +0100 Subject: [PATCH 12/15] Add docs --- sphinx/source/developers/build_app.rst | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/sphinx/source/developers/build_app.rst b/sphinx/source/developers/build_app.rst index dc61e3d6cc4..3bacb932bf2 100644 --- a/sphinx/source/developers/build_app.rst +++ b/sphinx/source/developers/build_app.rst @@ -62,3 +62,8 @@ Running the Application $ cchost --enclave-file liblua_generic.signed.so [args] .. note:: When deploying the ``lua_generic`` application, members should also :ref:`register the Lua application ` before the network is opened to users. + +Debugging +--------- + +To connect a debugger to a CCF node, the configuration passed to `oesign sign` must have debugging enabled (``Debug=1``). This should be disabled for production enclaves, to ensure confidentiality is maintained. If using the ``sign_app_library`` function defined in ``ccf_app.cmake``, 2 variants will be produced for each enclave. ``name.enclave.so.debuggable`` will have debugging enabled (meaning a debugger may be attached - the optimisation level is handled indepdently), while ``name.enclave.so.signed`` produces a final debugging-disabled enclave. The produced binaries are otherwise identical. From 9500e8cd4c8f5ed2b73f34fc07093267424aa8e4 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 16:25:41 +0100 Subject: [PATCH 13/15] Mention cchost arg --- sphinx/source/developers/build_app.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sphinx/source/developers/build_app.rst b/sphinx/source/developers/build_app.rst index 3bacb932bf2..1fec3d84703 100644 --- a/sphinx/source/developers/build_app.rst +++ b/sphinx/source/developers/build_app.rst 
@@ -67,3 +67,9 @@ Debugging --------- To connect a debugger to a CCF node, the configuration passed to `oesign sign` must have debugging enabled (``Debug=1``). This should be disabled for production enclaves, to ensure confidentiality is maintained. If using the ``sign_app_library`` function defined in ``ccf_app.cmake``, 2 variants will be produced for each enclave. ``name.enclave.so.debuggable`` will have debugging enabled (meaning a debugger may be attached - the optimisation level is handled indepdently), while ``name.enclave.so.signed`` produces a final debugging-disabled enclave. The produced binaries are otherwise identical. + +Additionally, the `cchost` binary must be told that the enclave type is debug: + +.. code-block:: bash + + $ cchost --enclave-file liblua_generic.enclave.so.debuggable --enclave-type debug [args] From 9c7476d57b56e9d013a60f98fc4930b5971259a4 Mon Sep 17 00:00:00 2001 From: Eddy Ashton Date: Tue, 21 Apr 2020 16:26:42 +0100 Subject: [PATCH 14/15] De-editorialise --- cmake/ccf_app.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake index 50893dfe576..43332af124f 100644 --- a/cmake/ccf_app.cmake +++ b/cmake/ccf_app.cmake @@ -38,7 +38,7 @@ find_package(OpenEnclave 0.8 CONFIG REQUIRED) # Sign a built enclave library with oesign function(sign_app_library name app_oe_conf_path enclave_sign_key_path) if(TARGET ${name}) - # Produce a debuggable variant. This doesn't need to be 'signed', but oesign + # Produce a debuggable variant. This doesn't need to be signed, but oesign # also stamps the other config (heap size etc) which _are_ needed set(DEBUG_CONF_NAME ${CMAKE_CURRENT_BINARY_DIR}/${name}.debuggable.conf) From 630716fdeaacf9199ace7c5fcb90ed6371c3978d Mon Sep 17 00:00:00 2001 
From: Eddy Ashton Date: Wed, 22 Apr 2020 11:32:04 +0100 Subject: [PATCH 15/15] Use enclave_type to build lib paths everywhere --- tests/code_update.py | 4 +++- tests/governance.py | 7 ++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/tests/code_update.py b/tests/code_update.py index f2ba5644d69..824a1e16553 100644 --- a/tests/code_update.py +++ b/tests/code_update.py @@ -37,7 +37,9 @@ def run(args): new_node = network.create_and_trust_node(args.package, "localhost", args) assert new_node - new_code_id = get_code_id(infra.path.build_lib_path(args.patched_file_name)) + new_code_id = get_code_id( + infra.path.build_lib_path(args.patched_file_name, args.enclave_type) + ) LOG.info(f"Adding a node with unsupported code id {new_code_id}") code_not_found_exception = None diff --git a/tests/governance.py b/tests/governance.py index 5adfb950de6..4a1cf9b5b07 100644 --- a/tests/governance.py +++ b/tests/governance.py @@ -31,7 +31,12 @@ def run(args): mrenclave = primary_quote["mrenclave"] oed = subprocess.run( - [args.oesign, "dump", "-e", infra.path.build_lib_path(args.package)], + [ + args.oesign, + "dump", + "-e", + infra.path.build_lib_path(args.package, args.enclave_type), + ], capture_output=True, check=True, )