From a6ede6c6a572f213859f7e4aa30deb67c33fd521 Mon Sep 17 00:00:00 2001
From: Amaury Chamayou
Date: Mon, 5 Aug 2024 09:07:07 +0000
Subject: [PATCH 1/3] Remove open-enclave-hostverify dependency in virtual and snp builds
---
 .github/workflows/codeql-analysis.yml | 2 +-
 CMakeLists.txt | 2 --
 cmake/ccf_app.cmake | 1 -
 cmake/common.cmake | 1 -
 cmake/cpack_settings.cmake | 6 +----
 cmake/open_enclave.cmake | 23 +-------------------
 getting_started/setup_vm/app-dev.yml | 13 +-----------
 getting_started/setup_vm/app-run.yml | 4 ----
 getting_started/setup_vm/ccf-dev.yml | 7 +-----
 .../openenclave/tasks/binary_install.yml | 6 -----
 .../openenclave/tasks/install_host_verify.yml | 7 -------
 .../roles/openenclave/vars/common.yml | 1 -
 12 files changed, 5 insertions(+), 68 deletions(-)
 delete mode 100644 getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index bdf22fd91bd9..3f01a8b30a2c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -56,7 +56,7 @@ jobs:
 set -ex
 mkdir build
 cd build
- cmake -DCOMPILE_TARGET=virtual -DREQUIRE_OPENENCLAVE=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
+ cmake -DCOMPILE_TARGET=virtual -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
 name: Run CMake
 - run: |
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 56fc815ff94d..40717b16a8af 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -716,7 +716,6 @@ elseif(COMPILE_TARGET STREQUAL "snp")
 nghttp2.snp
 ${CMAKE_THREAD_LIBS_INIT}
 )
- link_openenclave_host(ccf.snp)
 set_property(TARGET ccf.snp PROPERTY POSITION_INDEPENDENT_CODE ON)
@@ -767,7 +766,6 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
 nghttp2.host
 ${CMAKE_THREAD_LIBS_INIT}
 )
- link_openenclave_host(ccf.virtual)
 set_property(TARGET ccf.virtual PROPERTY POSITION_INDEPENDENT_CODE ON)
diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake
index 71fcba0e40e6..fc54a413b946 100644
--- a/cmake/ccf_app.cmake
+++ b/cmake/ccf_app.cmake
@@ -240,6 +240,5 @@ function(add_host_library name)
 add_library(${name} ${files})
 target_compile_options(${name} PUBLIC ${COMPILE_LIBCXX})
 target_link_libraries(${name} PUBLIC ${LINK_LIBCXX} -lgcc)
- link_openenclave_host(${name})
 set_property(TARGET ${name} PROPERTY POSITION_INDEPENDENT_CODE ON)
 endfunction()
diff --git a/cmake/common.cmake b/cmake/common.cmake
index c2f98c0cb74c..54ffffca9570 100644
--- a/cmake/common.cmake
+++ b/cmake/common.cmake
@@ -10,7 +10,6 @@ function(add_unit_test name)
 )
 enable_coverage(${name})
 target_link_libraries(${name} PRIVATE ${LINK_LIBCXX} ccfcrypto.host -pthread)
- link_openenclave_host(${name})
 add_san(${name})
 add_test(NAME ${name} COMMAND ${name})
diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
index a56dff24babd..099a608a053c 100644
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@@ -30,11 +30,7 @@ if(COMPILE_TARGET STREQUAL "sgx")
 "libc++1-11;libc++abi1-11;open-enclave (>=${OE_VERSION})"
 )
 else()
- list(
- APPEND
- CCF_DEB_DEPENDENCIES
- "libc++1-15;libc++abi1-15;open-enclave-hostverify (>=${OE_VERSION}) | open-enclave (>=${OE_VERSION})"
- )
+ list(APPEND CCF_DEB_DEPENDENCIES "libc++1-15;libc++abi1-15")
 endif()
 list(JOIN CCF_DEB_DEPENDENCIES ", " CPACK_DEBIAN_PACKAGE_DEPENDS)
diff --git a/cmake/open_enclave.cmake b/cmake/open_enclave.cmake
index 9ccb11b38dfa..7428e3ec37a1 100644
--- a/cmake/open_enclave.cmake
+++ b/cmake/open_enclave.cmake
@@ -1,17 +1,7 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the Apache 2.0 License.
-# We allow for Open Enclave (and Open Enclave HostVerify) to _not_ be installed,
-# with some limitations (e.g. virtual/snp builds cannot verify sgx attestation
-# reports). This can hopefully be removed by 5.x (see
-# https://github.com/microsoft/CCF/issues/5291).
-option(REQUIRE_OPENENCLAVE "Requires Open Enclave or HostVerify variant" ON)
-
-if(REQUIRE_OPENENCLAVE)
- if(NOT COMPILE_TARGET STREQUAL "sgx")
- set(COMPONENT "OEHOSTVERIFY")
- endif()
-
+if(COMPILE_TARGET STREQUAL "sgx")
 # Find OpenEnclave package
 find_package(OpenEnclave 0.19.7 CONFIG REQUIRED)
@@ -52,16 +42,5 @@ if(REQUIRE_OPENENCLAVE)
 endfunction()
 set(OE_HOST_LIBRARY openenclave::oehost)
- else()
- set(OE_HOST_LIBRARY openenclave::oehostverify)
 endif()
-elseif(COMPILE_TARGET STREQUAL "sgx")
- message(FATAL_ERROR "Open Enclave is required for SGX target")
 endif()
-
-function(link_openenclave_host name)
- if(REQUIRE_OPENENCLAVE)
- target_link_libraries(${name} PUBLIC ${OE_HOST_LIBRARY})
- target_compile_definitions(${name} PUBLIC SGX_ATTESTATION_VERIFICATION)
- endif()
-endfunction()
diff --git a/getting_started/setup_vm/app-dev.yml b/getting_started/setup_vm/app-dev.yml
index 94e6f1b278c8..30819680d29a 100644
--- a/getting_started/setup_vm/app-dev.yml
+++ b/getting_started/setup_vm/app-dev.yml
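Review bot: The limitation that virtual and snp builds cannot verify SGX attestation reports is no longer documented in the visible part of cmake/open_enclave.cmake: the first hunk deletes the comment that stated it, while the second hunk makes it unconditional by dropping `link_openenclave_host` and its `SGX_ATTESTATION_VERIFICATION` definition. A short comment above the new `if(COMPILE_TARGET STREQUAL "sgx")` would keep that on record, for example `# Open Enclave is only used by sgx builds; virtual and snp builds cannot verify SGX attestation reports.` The C++ code guarded by `SGX_ATTESTATION_VERIFICATION` is not part of this patch, so it is worth confirming that with the macro undefined an SGX quote is rejected rather than accepted unverified. `REQUIRE_OPENENCLAVE` also disappears without a deprecation path, so an existing `-DREQUIRE_OPENENCLAVE=OFF` is now ignored apart from CMake's unused-variable warning, and any caller of `link_openenclave_host` outside the files touched here would fail at configure time.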
@@ -19,21 +19,10 @@
 - import_role:
 name: az_dcap
 tasks_from: install.yml
-
- # If OE is already installed, we don't want to install hostverify as they are mutually
- # exclusive. Non-SGX CCF builds can use either of them.
- - name: Gather the package facts
- ansible.builtin.package_facts:
- manager: auto
 - import_role:
 name: openenclave
 tasks_from: binary_install.yml
- when: (platform == "sgx") or ("open-enclave" in ansible_facts.packages)
- - import_role:
- name: openenclave
- tasks_from: install_host_verify.yml
- when: (platform != "sgx") and ("open-enclave" not in ansible_facts.packages)
-
+ when: platform == "sgx"
 - import_role:
 name: ccf_build
 tasks_from: install.yml
diff --git a/getting_started/setup_vm/app-run.yml b/getting_started/setup_vm/app-run.yml
index 2de8fd1e95cf..d3c395a4c81c 100644
--- a/getting_started/setup_vm/app-run.yml
+++ b/getting_started/setup_vm/app-run.yml
@@ -23,10 +23,6 @@
 name: openenclave
 tasks_from: binary_install.yml
 when: platform == "sgx"
- - import_role:
- name: openenclave
- tasks_from: install_host_verify.yml
- when: platform != "sgx"
 - import_role:
 name: ccf_install
 tasks_from: deb_install.yml
diff --git a/getting_started/setup_vm/ccf-dev.yml b/getting_started/setup_vm/ccf-dev.yml
index ae9c16521ec4..8e2dbd6da926 100644
--- a/getting_started/setup_vm/ccf-dev.yml
+++ b/getting_started/setup_vm/ccf-dev.yml
@@ -2,7 +2,6 @@
 vars:
 platform: "sgx"
 clang_version: "11"
- require_open_enclave: true
 tasks:
 - import_role:
 name: llvm_repo
@@ -19,15 +18,11 @@
 - import_role:
 name: az_dcap
 tasks_from: install.yml
- when: require_open_enclave
+ when: platform == "sgx"
 - import_role:
 name: openenclave
 tasks_from: binary_install.yml
 when: platform == "sgx"
- - import_role:
- name: openenclave
- tasks_from: install_host_verify.yml
- when: platform != "sgx" and require_open_enclave
 - import_role:
 name: nodejs
 tasks_from: install.yml
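Review bot: In getting_started/setup_vm/app-dev.yml the `az_dcap` role at the top of the hunk is still imported with no condition, while the second ccf-dev.yml hunk in this same patch gates it with `when: platform == "sgx"`. If az_dcap is only needed on SGX machines, as the ccf-dev.yml change suggests, adding the same `when: platform == "sgx"` line under its `tasks_from: install.yml` would keep an unused package off virtual and snp hosts and keep the three playbooks consistent. How app-run.yml treats az_dcap is not visible in its hunk.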
diff --git a/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml b/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml
index a2672b9ee4c9..0612b8932a84 100644
--- a/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml
+++ b/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml
@@ -1,12 +1,6 @@
 - name: Include vars
 include_vars: common.yml
-- name: Uninstall Open Enclave Host Verify
- apt:
- name: open-enclave-hostverify
- state: absent
- become: yes
-
 - name: Install Open Enclave
 apt:
 deb: "{{ oe_deb }}"
diff --git a/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml b/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml
deleted file mode 100644
index 312d6e0f8ec9..000000000000
--- a/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: Include vars
- include_vars: common.yml
-
-- name: Install Open Enclave Host Verify
- apt:
- deb: "{{ oe_host_verify_deb }}"
- become: true
diff --git a/getting_started/setup_vm/roles/openenclave/vars/common.yml b/getting_started/setup_vm/roles/openenclave/vars/common.yml
index 1d7f01c20215..4fb48f0ea7af 100644
--- a/getting_started/setup_vm/roles/openenclave/vars/common.yml
+++ b/getting_started/setup_vm/roles/openenclave/vars/common.yml
@@ -12,4 +12,3 @@ oe_build_opts: "-DLVI_MITIGATION=ControlFlow-GNU"
 # Binary install
 oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave_{{ oe_ver_ }}_amd64.deb"
-oe_host_verify_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave-hostverify_{{ oe_ver_ }}_amd64.deb"
From d1ee52a92b9f08d30641742d67a7ba69fdc5ccad Mon Sep 17 00:00:00 2001
From: Max Tropets
Date: Mon, 5 Aug 2024 15:48:43 +0000
Subject: [PATCH 2/3] Make OE optional in tests
---
 tests/infra/e2e_args.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/infra/e2e_args.py b/tests/infra/e2e_args.py
index 25419da330be..b24de68d6bc6 100644
--- a/tests/infra/e2e_args.py
+++ b/tests/infra/e2e_args.py
@@ -77,6 +77,7 @@ def cli_args(
 "--oe-binary",
 help="Path to Open Enclave binary folder",
 type=str,
+ nargs='?',
 default="/opt/openenclave/bin/",
 )
 parser.add_argument(
From 50e1d5a9d7c96d44d48cea232bb75c9c0e18f8cc Mon Sep 17 00:00:00 2001
From: Max Tropets
Date: Mon, 5 Aug 2024 15:53:49 +0000
Subject: [PATCH 3/3] Fix ci checks
---
 tests/infra/e2e_args.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/infra/e2e_args.py b/tests/infra/e2e_args.py
index b24de68d6bc6..29d7e5a335b9 100644
--- a/tests/infra/e2e_args.py
+++ b/tests/infra/e2e_args.py
@@ -77,7 +77,7 @@ def cli_args(
 "--oe-binary",
 help="Path to Open Enclave binary folder",
 type=str,
- nargs='?',
+ nargs="?",
 default="/opt/openenclave/bin/",
 )
 parser.add_argument(
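Review bot: With `nargs='?'` and no `const` in the `--oe-binary` argument (PATCH 2/3, requoted in PATCH 3/3), a bare `--oe-binary` on the command line stores `None` rather than the default, because argparse falls back to `const`, which defaults to `None`, when the flag is given without a value. Any consumer that joins the parsed value into a path or hands it to a subprocess would then fail on `None`, and leaving the flag out still yields `/opt/openenclave/bin/`, which may not exist on a machine without Open Enclave. If "Open Enclave may be absent" is the intent, make it explicit with `const=None,` next to `nargs="?",` and help text such as `help="Path to Open Enclave binary folder (give the flag without a value when Open Enclave is not installed)",`, and have the consumers check for `None` or a missing directory. The `parser.add_argument` call starts above the hunk and the consumers of the parsed value are not shown.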