From d9abbe1ea96ab648062cad650a7284d62d51650b Mon Sep 17 00:00:00 2001 From: Dmitrii Kuvaiskii Date: Tue, 21 Sep 2021 08:14:13 -0700 Subject: [PATCH] [CI-Examples] Improve README and manifest files in RA-TLS examples Now RA-TLS libraries are installed together with the rest of Graphene (no need to build them separately and copy in some directory). So the instructions in the README became stale. Also, `LD_LIBRARY_PATH` in some manifest files were incorrect -- they were Debian/Ubuntu-specific and did not contain the `/usr/lib` dir. Signed-off-by: Dmitrii Kuvaiskii --- CI-Examples/ra-tls-mbedtls/.gitignore | 1 - CI-Examples/ra-tls-mbedtls/README.md | 20 ++++--------------- .../ra-tls-mbedtls/server.manifest.template | 2 +- CI-Examples/ra-tls-secret-prov/.gitignore | 3 --- CI-Examples/ra-tls-secret-prov/README.md | 19 ++---------------- .../secret_prov_client.manifest.template | 10 +++++++--- .../secret_prov_min_client.manifest.template | 10 +++++++--- .../secret_prov_pf_client.manifest.template | 10 +++++++--- 8 files changed, 28 insertions(+), 47 deletions(-) diff --git a/CI-Examples/ra-tls-mbedtls/.gitignore b/CI-Examples/ra-tls-mbedtls/.gitignore index 1328544d14..2b225a2cb5 100644 --- a/CI-Examples/ra-tls-mbedtls/.gitignore +++ b/CI-Examples/ra-tls-mbedtls/.gitignore @@ -3,4 +3,3 @@ /client /mbedtls /server -/libs/ diff --git a/CI-Examples/ra-tls-mbedtls/README.md b/CI-Examples/ra-tls-mbedtls/README.md index d316c73d9f..ea6e97751a 100644 --- a/CI-Examples/ra-tls-mbedtls/README.md +++ b/CI-Examples/ra-tls-mbedtls/README.md 
@@ -12,10 +12,10 @@ to verify the server RA-TLS certificate via `ra_tls_verify_callback()`. This example uses the RA-TLS libraries `ra_tls_attest.so` for server and `ra_tls_verify_epid.so`/ `ra_tls_verify_dcap.so` for client. These libraries are -found under `Pal/src/host/Linux-SGX/tools/ra-tls`. Additionally, mbedTLS -libraries are required to correctly run RA-TLS, the client, and the server. For -ECDSA/DCAP attestation, the DCAP software infrastructure must be installed and -work correctly on the host. +installed together with Graphene (for DCAP version, you need `meson setup ... +-Ddcap=enabled`). Additionally, mbedTLS libraries are required to correctly run +RA-TLS, the client, and the server. For ECDSA/DCAP attestation, the DCAP +software infrastructure must be installed and work correctly on the host. The current example works with both EPID (IAS) and ECDSA (DCAP) remote attestation schemes. For more documentation, refer to @@ -55,15 +55,6 @@ four additional command-line arguments (see the source code for details). # Quick Start -First, start with adding the library directory to `LD_LIBRARY_PATH`: - -```sh -export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./libs -``` - -Remember to undo this change after finishing the tutorial (or just do everything -in a subshell). - - Normal non-RA-TLS flows; without SGX and without Graphene: ```sh @@ -97,9 +88,6 @@ kill %% - RA-TLS flows with SGX and with Graphene, ECDSA-based (DCAP) attestation: ```sh -# make sure RA-TLS DCAP libraries are built in Graphene via: -# cd graphene/Pal/src/host/Linux-SGX/tools/ra-tls && make dcap - # replace dummy values with your MRENCLAVE, MRSIGNER, etc! make clean make app dcap diff --git a/CI-Examples/ra-tls-mbedtls/server.manifest.template b/CI-Examples/ra-tls-mbedtls/server.manifest.template index 3e398962f4..cb2614e000 100644 --- a/CI-Examples/ra-tls-mbedtls/server.manifest.template +++ b/CI-Examples/ra-tls-mbedtls/server.manifest.template 
@@ -4,7 +4,7 @@ loader.preload = "file:{{ graphene.libos }}" libos.entrypoint = "server" loader.log_level = "{{ log_level }}" -loader.env.LD_LIBRARY_PATH = "/lib:/lib/x86_64-linux-gnu" +loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}" loader.insecure__use_cmdline_argv = true diff --git a/CI-Examples/ra-tls-secret-prov/.gitignore b/CI-Examples/ra-tls-secret-prov/.gitignore index 9c267d6503..5e3d0166dd 100644 --- a/CI-Examples/ra-tls-secret-prov/.gitignore +++ b/CI-Examples/ra-tls-secret-prov/.gitignore @@ -1,9 +1,6 @@ /*.tar.gz /OUTPUT /files/input.txt -/libs/ -/mbedtls -/pf_crypt /secret_prov_client /secret_prov_min_client /secret_prov_pf_client diff --git a/CI-Examples/ra-tls-secret-prov/README.md b/CI-Examples/ra-tls-secret-prov/README.md index ca92b67ff6..4b06707c8c 100644 --- a/CI-Examples/ra-tls-secret-prov/README.md +++ b/CI-Examples/ra-tls-secret-prov/README.md @@ -5,8 +5,8 @@ minimal server and clients written against the Secret Provisioning library. This example uses the Secret Provisioning libraries `secret_prov_attest.so` for clients and `secret_prov_verify_epid.so`/`secret_prov_verify_dcap.so` for -server. These libraries can be found under -`Pal/src/host/Linux-SGX/tools/ra-tls`. Additionally, mbedTLS libraries are +server. These libraries are installed together with Graphene (for DCAP version, +you need `meson setup ... -Ddcap=enabled`). Additionally, mbedTLS libraries are required. For ECDSA/DCAP attestation, the DCAP software infrastructure must be installed and work correctly on the host. @@ -54,18 +54,6 @@ build time. # Quick Start -Please make sure that the corresponding RA-TLS libraries (EPID or DCAP versions) -are built. - -First, start with adding the library directory to `LD_LIBRARY_PATH`: - -```sh -export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:./libs -``` - -Remember to undo this change after finishing the tutorial (or just do everything -in a subshell). - - Secret Provisioning flows, EPID-based (IAS) attestation: ```sh 
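Review bot: The new `loader.env.LD_LIBRARY_PATH` adds `/usr{{ arch_libdir }}` to the in-enclave search path, but this hunk is the only change to server.manifest.template (the diffstat shows 1 insertion and 1 deletion for that file), so unless the manifest already carries a chroot mount for that directory the new path entry points at nothing and the loader silently falls through to the next entry. The three client manifests in this same patch pair the path entry with a mount block; if the server manifest lacks one, add the same three lines: `fs.mount.lib3.type = "chroot"`, `fs.mount.lib3.path = "/usr{{ arch_libdir }}"`, `fs.mount.lib3.uri = "file:/usr{{ arch_libdir }}"`. Any library the loader then resolves from that mount still has to be listed in `sgx.trusted_files` (hash-checked at load) rather than `sgx.allowed_files`, otherwise the enclave's integrity guarantee is weakened or the file is refused; those entries are outside this hunk. The rest of the manifest is not visible here.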
@@ -89,9 +77,6 @@ kill %% - Secret Provisioning flows, ECDSA-based (DCAP) attestation: ```sh -# make sure RA-TLS DCAP libraries are built in Graphene via: -# cd graphene/Pal/src/host/Linux-SGX/tools/ra-tls && make dcap - make app dcap files/input.txt RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 ./secret_prov_server_dcap & diff --git a/CI-Examples/ra-tls-secret-prov/secret_prov_client.manifest.template b/CI-Examples/ra-tls-secret-prov/secret_prov_client.manifest.template index 0c84b8790e..bdf3cf7a16 100644 --- a/CI-Examples/ra-tls-secret-prov/secret_prov_client.manifest.template +++ b/CI-Examples/ra-tls-secret-prov/secret_prov_client.manifest.template @@ -4,7 +4,7 @@ loader.preload = "file:{{ graphene.libos }}" libos.entrypoint = "secret_prov_client" loader.log_level = "{{ log_level }}" -loader.env.LD_LIBRARY_PATH = "/lib:/lib/x86_64-linux-gnu" +loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}" loader.insecure__use_cmdline_argv = true @@ -13,8 +13,12 @@ fs.mount.lib.path = "/lib" fs.mount.lib.uri = "file:{{ graphene.runtimedir() }}" fs.mount.lib2.type = "chroot" -fs.mount.lib2.path = "/lib/x86_64-linux-gnu" -fs.mount.lib2.uri = "file:/lib/x86_64-linux-gnu" +fs.mount.lib2.path = "{{ arch_libdir }}" +fs.mount.lib2.uri = "file:{{ arch_libdir }}" + +fs.mount.lib3.type = "chroot" +fs.mount.lib3.path = "/usr{{ arch_libdir }}" +fs.mount.lib3.uri = "file:/usr{{ arch_libdir }}" fs.mount.etc.type = "chroot" fs.mount.etc.path = "/etc" diff --git a/CI-Examples/ra-tls-secret-prov/secret_prov_min_client.manifest.template b/CI-Examples/ra-tls-secret-prov/secret_prov_min_client.manifest.template index 222267b351..b422d584e4 100644 --- a/CI-Examples/ra-tls-secret-prov/secret_prov_min_client.manifest.template +++ b/CI-Examples/ra-tls-secret-prov/secret_prov_min_client.manifest.template 
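Review bot: The new `fs.mount.lib3` chroot exposes the host's `/usr{{ arch_libdir }}` inside the enclave, yet nothing in this hunk (nor in the identical hunks for secret_prov_min_client.manifest.template and secret_prov_pf_client.manifest.template) records which libraries are expected to come from there, and the diffstat for each of the three client manifests (10 lines, 7 insertions and 3 deletions) is fully accounted for by the two hunks shown, so no `sgx.trusted_files` change accompanies the new mount. Every library that `LD_LIBRARY_PATH` now resolves from this mount, e.g. the mbedTLS libraries the README says are required, must have a `sgx.trusted_files` entry or the LibOS will refuse to map it; please confirm those entries already exist further down the file, which is outside the hunk. Keep such libraries under `sgx.trusted_files` (hash-checked) and not `sgx.allowed_files`, since a mount of a writable host directory is only as trustworthy as the per-file hashes that guard it. A one-line comment above the block would make the intent explicit: `# host system libraries (mbedTLS etc.); every file loaded from here must be listed in sgx.trusted_files`.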
@@ -4,7 +4,7 @@ loader.preload = "file:{{ graphene.libos }}" libos.entrypoint = "secret_prov_min_client" loader.log_level = "{{ log_level }}" -loader.env.LD_LIBRARY_PATH = "/lib:/lib/x86_64-linux-gnu" +loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}" loader.env.LD_PRELOAD = "libsecret_prov_attest.so" loader.env.SECRET_PROVISION_CONSTRUCTOR = "1" loader.env.SECRET_PROVISION_CA_CHAIN_PATH = "certs/test-ca-sha256.crt" @@ -17,8 +17,12 @@ fs.mount.lib.path = "/lib" fs.mount.lib.uri = "file:{{ graphene.runtimedir() }}" fs.mount.lib2.type = "chroot" -fs.mount.lib2.path = "/lib/x86_64-linux-gnu" -fs.mount.lib2.uri = "file:/lib/x86_64-linux-gnu" +fs.mount.lib2.path = "{{ arch_libdir }}" +fs.mount.lib2.uri = "file:{{ arch_libdir }}" + +fs.mount.lib3.type = "chroot" +fs.mount.lib3.path = "/usr{{ arch_libdir }}" +fs.mount.lib3.uri = "file:/usr{{ arch_libdir }}" fs.mount.etc.type = "chroot" fs.mount.etc.path = "/etc" diff --git a/CI-Examples/ra-tls-secret-prov/secret_prov_pf_client.manifest.template b/CI-Examples/ra-tls-secret-prov/secret_prov_pf_client.manifest.template index ae54d3bff6..7eb1f2cd17 100644 --- a/CI-Examples/ra-tls-secret-prov/secret_prov_pf_client.manifest.template +++ b/CI-Examples/ra-tls-secret-prov/secret_prov_pf_client.manifest.template @@ -4,7 +4,7 @@ loader.preload = "file:{{ graphene.libos }}" libos.entrypoint = "secret_prov_pf_client" loader.log_level = "{{ log_level }}" -loader.env.LD_LIBRARY_PATH = "/lib:/lib/x86_64-linux-gnu" +loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}" loader.env.LD_PRELOAD = "libsecret_prov_attest.so" loader.env.SECRET_PROVISION_CONSTRUCTOR = "1" loader.env.SECRET_PROVISION_SET_PF_KEY = "1" 
@@ -18,8 +18,12 @@ fs.mount.lib.path = "/lib" fs.mount.lib.uri = "file:{{ graphene.runtimedir() }}" fs.mount.lib2.type = "chroot" -fs.mount.lib2.path = "/lib/x86_64-linux-gnu" -fs.mount.lib2.uri = "file:/lib/x86_64-linux-gnu" +fs.mount.lib2.path = "{{ arch_libdir }}" +fs.mount.lib2.uri = "file:{{ arch_libdir }}" + +fs.mount.lib3.type = "chroot" +fs.mount.lib3.path = "/usr{{ arch_libdir }}" +fs.mount.lib3.uri = "file:/usr{{ arch_libdir }}" fs.mount.etc.type = "chroot" fs.mount.etc.path = "/etc"