diff --git a/doc/linux_sgx.md b/doc/linux_sgx.md index a28f3596..935a35ac 100644 --- a/doc/linux_sgx.md +++ b/doc/linux_sgx.md @@ -17,6 +17,8 @@ cmake .. make ``` +**Note:** By default, the generated SGX application assumes it is signed with production key and running on simulation mode. In order to build a debug enclave on hardware-based SGX platform, execute `make SGX_DEBUG=1 SGX_MODE=HW` instead. + This builds two libraries required by SGX application: - libvmlib.a for Enclave part - libvmlib_untrusted.a for App part diff --git a/product-mini/platforms/linux-sgx/enclave-sample/App/README.md b/product-mini/platforms/linux-sgx/enclave-sample/App/README.md index 49ec39a2..ee2cf492 100644 --- a/product-mini/platforms/linux-sgx/enclave-sample/App/README.md +++ b/product-mini/platforms/linux-sgx/enclave-sample/App/README.md 
@@ -2,78 +2,30 @@ ## Build WAMR vmcore (iwasm) for Linux-SGX -### SIM Mode +Please follow [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/linux_sgx.md#build-wamr-vmcore-iwasm-for-linux-sgx) to build iwasm as the prerequisite. -The default SGX mode in WAMR is the SIM mode. Build the source code and enclave example, please refer to [this guild](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/linux_sgx.md#build-wamr-vmcore-iwasm-for-linux-sgx). - -### HW Mode - -Please do the following changes before execute [this guild](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/linux_sgx.md#build-wamr-vmcore-iwasm-for-linux-sgx). - -```shell -diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Makefile b/product-mini/platforms/linux-sgx/enclave-sample/Makefile -index f06b5b8..f247f3e 100644 ---- a/product-mini/platforms/linux-sgx/enclave-sample/Makefile -+++ b/product-mini/platforms/linux-sgx/enclave-sample/Makefile -@@ -4,7 +4,7 @@ - ######## SGX SDK Settings ######## - - SGX_SDK ?= /opt/intel/sgxsdk --SGX_MODE ?= SIM -+SGX_MODE ?= HW - SGX_ARCH ?= x64 - SGX_DEBUG ?= 0 - SPEC_TEST ?= 0 -``` - -```shell -diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal b/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal -index a64d577..747d995 100644 ---- a/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal -+++ b/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal -@@ -4,7 +4,7 @@ - ######## SGX SDK Settings ######## - - SGX_SDK ?= /opt/intel/sgxsdk --SGX_MODE ?= SIM -+SGX_MODE ?= HW - SGX_ARCH ?= x64 - SGX_DEBUG ?= 0 - SPEC_TEST ?= 0 - -``` - -```shell -diff --git a/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp b/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp -index c321575..3b41c30 100644 ---- a/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp -+++ 
b/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp -@@ -31,6 +31,7 @@ - #define MAX_PATH 1024 - - #define TEST_OCALL_API 0 -+#define SGX_DEBUG_FLAG 1 - -``` - -After building, please sign enclave.so to generate enclave.signed.so which is needed in PAL +Then build enclave image and sign it: ```shell +cd enclave-sample +make /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key Enclave/Enclave_private.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml ``` +The generated enclave.signed.so is required by PAL. + --- ## Build PAL dynamically linked shared object -To build WAMR as an Enclave Runtime for [Inclavare Containers](https://github.com/alibaba/inclavare-containers), we should implement the [PAL interface](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md) in WAMR for rune to call the PAL to create the enclave with WAMR and run applications. +To build WAMR as an Enclave Runtime for [Inclavare Containers](https://github.com/alibaba/inclavare-containers), we should implement the [PAL API v2](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md) in WAMR for rune to call the PAL to create the enclave with WAMR and run applications. ```shell g++ -shared -fPIC -o libwamr-pal.so App/*.o libvmlib_untrusted.a -L/opt/intel/sgxsdk/lib64 -lsgx_urts -lpthread -lssl -lcrypto cp ./libwamr-pal.so /usr/lib/libwamr-pal.so ``` -Note: `/opt/intel/sgxsdk/` is where you installed the SGX SDK +Note: Assuming `/opt/intel/sgxsdk/` is where you installed the SGX SDK. --- 
@@ -81,11 +33,17 @@ Note: `/opt/intel/sgxsdk/` is where you installed the SGX SDK To Build a WAMR application, please refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#build-wasm-applications) -To run a WAMR application with Intel SGX enclave by `rune`, please compile the `.wasm` file to `.aot` file, refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#compile-wasm-to-aot-module) +To run a WAMR application with Intel SGX enclave by `rune`, please refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime#build-wamrc-aot-compiler) to generate wamrc AoT compiler, and then refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#compile-wasm-to-aot-module) to compile the `.wasm` file to `.aot` file. + +Note: the AoT file must be generated using --size-level=1 to set a bigger code size, e.g, + +```shell +wamrc --size-level=1 -o test.aot test.wasm +``` --- -## Build WAMR container image +## Build WAMR docker image Under the `enclave-sample` directory, to create the WAMR docker images to load the `enclave.signed.so` and target application wasm files, please type the following commands to create a `Dockerfile`: @@ -99,13 +57,13 @@ RUN mkdir -p /run/rune WORKDIR /run/rune COPY enclave.signed.so . -COPY ${wasm_app1.aot} . +COPY ${wasm_app.aot} . #COPY ${wasm_app2.aot} . #... EOF ``` - For ubuntu: +For ubuntu: ```shell cat > Dockerfile <
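Review bot: in the doc/linux_sgx.md hunk, the new note tells the reader to run `make SGX_DEBUG=1 SGX_MODE=HW` directly after the `cmake ..` / `make` sequence, but SGX_MODE and SGX_DEBUG are variables of the enclave-sample Makefile (the removed README diff shows `SGX_MODE ?= SIM` and `SGX_DEBUG ?= 0` there), not of the cmake build that produces libvmlib.a; say explicitly that this is the `make` in enclave-sample, otherwise readers pass the variables to the wrong build and silently end up with a SIM, release enclave. The two variables are also independent Makefile settings (debug vs. release build, simulation vs. hardware), so the sentence "assumes it is signed with production key and running on simulation mode" should name both defaults separately rather than fold them into one assumption; while there, fix the grammar to "signed with a production key and running in simulation mode".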
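Review bot: in the first App/README.md hunk, the deleted HW-mode section also removed the `#define SGX_DEBUG_FLAG 1` change in App/App.cpp, and the replacement text never says how that flag is now set for a hardware debug enclave; if `SGX_DEBUG=1` already propagates it through the Makefile, state that in the README, otherwise the debug flag the App passes when creating the enclave and the debug attribute baked into enclave.signed.so will disagree and the enclave will not load on HW. Two smaller points in the same hunk: `cd enclave-sample` has no starting directory, and the linked build guide leaves the reader inside a `build` directory, so give the path relative to the repository root; and the signing step uses the checked-in `Enclave/Enclave_private.pem`, which is fine for a debug enclave but this README goes on to package enclave.signed.so into a container launched by rune, so add one sentence that a production enclave must be signed with a key that is not in the repository.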
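Review bot: in the `@@ -81,11 +33,17 @@` hunk, the new note justifies `--size-level=1` only with "to set a bigger code size", which does not tell the reader what actually goes wrong without it; state the real constraint (what wamrc emits at its default size level and why that output cannot be used inside the enclave) so nobody treats the flag as optional tuning, and show the resulting failure if it is a load error rather than a build error. Minor: "e.g," should be "e.g.,", and the renamed heading should read "Build WAMR Docker image" since Docker is a product name.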
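Review bot: in the `@@ -99,13 +57,13 @@` hunk, renaming the placeholder to `COPY ${wasm_app.aot} .` leaves it inconsistent with the commented `#COPY ${wasm_app2.aot} .` that follows it; either keep `wasm_app1.aot` or renumber the commented lines so the pattern is obvious to someone adding a second module. The leading-space fix on "For ubuntu:" is good; capitalise it as "For Ubuntu:" while you are there.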