graphene/Examples/python-simple/Makefile
Michał Kowalczyk 3d31f2d18d Introduce one, central manifest, zero-config children and constant MRENCLAVE
This is the next part of the great loader rework, with a lot of breaking changes:

- Complete removal of the "trusted children" thing - now children
  processes can be spawned arbitrarily and from arbitrary mountpoint
  types, without any additional configuration needed.

- There's a new, required option in the manifest: `libos.entrypoint` - it
  specifies the URI to the entry binary in the first process. There's no
  need anymore to name the manifest and the first binary identically.

- On SGX, the main binary is not measured in MRENCLAVE anymore - only
  PAL, LibOS and the manifest are measured. This is enough to bind
  MRENCLAVE to a specific entrypoint user executable if wanted - it
  just has to be mounted as a trusted file.

- All Graphene SGX enclaves have now exactly the same MRENCLAVE. This is
  a hash of a "Graphene stub", which can "fork" into one of two states
  in runtime: initial process or child. The initial process creates a
  new "Graphene namespace" with a clean state, it can also be attested
  remotely (contrary to child processes). The initial process can spawn
  children processes by spawning a Graphene stub and directing it to
  start in the child mode. It then attests it locally, and if
  successful, establishes an encrypted pipe, "connects" to its own
  namespace and treats it as trusted (including sending the protected
  files key).

- Now, there's only one, central manifest describing the initial state
  of a Graphene instance which can be spawned from it (previously, each
  process required a separate manifest which could have different
  configuration - which wasn't actually supported and didn't make sense
  design-wise). One downside of central manifests is that all processes
  require the same enclave configuration (e.g. size), but that was
  already the case so far because of broken checkpointing code. Also,
  this is only a temporary problem, which will cease to exist after the
  introduction of EDMM.

- `sgx.static_address` was renamed to `sgx.nonpie_binary` and now has to
  be inserted manually by users (the `sgx_sign` tool doesn't know about
  the binaries run inside, which can even be provided or generated at
  runtime by the user's workload).

- Caveat: the memory gap for non-PIE executables was removed because it
  requires adding a new option to the manifest to be cleanly
  implemented. This is left for some future loader rework PR.
2021-01-12 19:53:24 +01:00
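
The commit message above says the entrypoint binary is no longer measured, and that MRENCLAVE is bound to it only when it is mounted as a trusted file. The following check is an added example, not part of the Graphene repository or this commit: it reads flat `key = "value"` manifest lines (the form the Makefile below emits) and reports a `libos.entrypoint` that is not listed under `sgx.trusted_files.*`. The function names and sample paths are assumptions.

```python
import re

# Flat `dotted.key = "value"` assignments, the form this Makefile emits for
# sgx.trusted_files.*; deliberately not a full manifest parser.
_ASSIGN = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*"([^"]*)"\s*(?:#.*)?$')


def parse_manifest(text):
    """Return {key: value} for each flat string assignment in the manifest."""
    entries = {}
    for line in text.splitlines():
        match = _ASSIGN.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def audit_entrypoint(text):
    """Return findings; an empty list means the entrypoint is a trusted file."""
    entries = parse_manifest(text)
    entry = entries.get("libos.entrypoint")
    if entry is None:
        return ["libos.entrypoint is missing (required option)"]
    trusted = {v for k, v in entries.items() if k.startswith("sgx.trusted_files.")}
    # Exact URI comparison: a differently spelled path is reported, not assumed equal.
    if entry not in trusted:
        return [f"{entry} is not listed under sgx.trusted_files, so MRENCLAVE is not bound to it"]
    return []


# Constructed sample manifests (paths are illustrative).
BOUND = '''
libos.entrypoint = "file:/usr/bin/python3"
sgx.trusted_files.python = "file:/usr/bin/python3"
sgx.trusted_files.python21 = "file:/usr/lib/python3.6/_sysconfigdata_m_linux_x86_64-linux-gnu.py"
'''
UNBOUND = '''
libos.entrypoint = "file:/usr/bin/python3"
sgx.trusted_files.python21 = "file:/usr/lib/python3.6/_sysconfigdata_m_linux_x86_64-linux-gnu.py"
'''

if __name__ == "__main__":
    for name, manifest in (("BOUND", BOUND), ("UNBOUND", UNBOUND)):
        print(name, audit_entrypoint(manifest) or "ok")
```

Run against the generated `python.manifest`, this would flag a build whose template sets an entrypoint without also mounting it as a trusted file.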

108 lines
3.8 KiB
Makefile

# Use one of the following commands to build the manifest for Python3:
#
# - make               Building for Linux
# - make DEBUG=1       Building for Linux (with Graphene debug output)
# - make SGX=1         Building for SGX
# - make SGX=1 DEBUG=1 Building for SGX (with Graphene debug output)
#
# Use `make clean` to remove Graphene-generated files.
include ../../Scripts/Makefile.configs
# Python constants are declared in Makefile.python
include ../../Scripts/Makefile.python
# Relative path to Graphene root
GRAPHENEDIR ?= ../..
SGX_SIGNER_KEY ?= $(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/enclave-key.pem
ifeq ($(DEBUG),1)
GRAPHENEDEBUG = inline
else
GRAPHENEDEBUG = none
endif
UBUNTU_VER = $(shell lsb_release --short --id)$(shell lsb_release --short --release)
.PHONY: all
all: python.manifest pal_loader
ifeq ($(SGX),1)
all: python.manifest.sgx python.sig python.token
endif
# Define the python libraries which are dynamically loaded.
PY_LIBS = $(PYTHONHOME)/lib-dynload/_hashlib.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so \
          $(PYTHONHOME)/lib-dynload/_ctypes.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so \
          $(PYTHONHOME)/lib-dynload/_ssl.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so \
          $(PYTHONHOME)/lib-dynload/_bz2.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so \
          $(PYTHONHOME)/lib-dynload/_lzma.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so \
          $(PYTHONHOME)/lib-dynload/_json.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so
ifeq ($(SGX),1)
PY_LIBS += $(PYTHONDISTHOME)/apt_pkg.cpython-$(PYTHONSHORTVERSION)m-$(PYTHON_ARCH_LONG).so
endif
ifeq ($(PYTHONSHORTVERSION),35)
PYTHON_TRUSTED_SCRIPTS = sgx.trusted_files.python21 = \\\"file:$(PYTHONHOME)/_sysconfigdata.py\\\"\\n \
sgx.trusted_files.python22 = \\\"file:$(PYTHONHOME)/plat-$(PYTHON_ARCH_LONG)/_sysconfigdata_m.py\\\"\\n
else
PYTHON_TRUSTED_SCRIPTS = sgx.trusted_files.python21 = \\\"file:$(PYTHONHOME)/_sysconfigdata_m_linux_$(PYTHON_ARCH_LONG).py\\\"\\n
endif
# Generate manifest rules for Python dependencies.
# We'll duplicate some Glibc libraries (which Graphene provides in a customized version), but
# there's no harm in this.
.INTERMEDIATE: trusted-libs
trusted-libs: ../common_tools/get_deps.sh
	../common_tools/get_deps.sh $(PY_LIBS) > $@

python.manifest: python.manifest.template trusted-libs
	(sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
		-e 's|$$(GRAPHENEDEBUG)|'"$(GRAPHENEDEBUG)"'|g' \
		-e 's|$$(PYTHONDISTHOME)|'"$(PYTHONDISTHOME)"'|g' \
		-e 's|$$(PYTHONHOME)|'"$(PYTHONHOME)"'|g' \
		-e 's|$$(PYTHONEXEC)|'"$(PYTHONEXEC)"'|g' \
		-e 's|$$(PYTHONSHORTVERSION)|'"$(PYTHONSHORTVERSION)"'|g' \
		-e 's|$$(PYTHON_ARCH_LONG)|'"$(PYTHON_ARCH_LONG)"'|g' \
		-e 's|$$(PYTHON_TRUSTED_SCRIPTS)|'"$(PYTHON_TRUSTED_SCRIPTS)"'|g' \
		-e 's|$$(ARCH_LIBDIR)|'"$(ARCH_LIBDIR)"'|g' \
		-e 's|$$(ARCH_LONG)|'"$(ARCH_LONG)"'|g' \
		$<; \
	cat trusted-libs) > $@

# Python manifests for SGX:
# Generating the SGX-specific manifest (python.manifest.sgx), the enclave signature,
# and the token for enclave initialization.
python.manifest.sgx: python.manifest
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-sign \
		-libpal $(GRAPHENEDIR)/Runtime/libpal-Linux-SGX.so \
		-key $(SGX_SIGNER_KEY) \
		-manifest $< \
		-output $@

python.sig: python.manifest.sgx

python.token: python.sig
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-get-token -output $@ -sig $<

pal_loader:
	ln -s $(GRAPHENEDIR)/Runtime/pal_loader $@

.PHONY: check
check: all
	./run-tests.sh > OUTPUT_TEST 2> /dev/null
	@grep -q "Success 1/3" OUTPUT_TEST
	@grep -q "Success 2/3" OUTPUT_TEST
	@grep -q "Success 3/3" OUTPUT_TEST
	@rm OUTPUT_TEST

.PHONY: clean
clean:
	$(RM) *.manifest *.manifest.sgx *.token *.sig pal_loader OUTPUT* *.PID
	$(RM) -r scripts/__pycache__

.PHONY: distclean
distclean: clean