#
# This file is based on the Graphene example file for nginx.
#
# Building the manifest for Erlang:
#
# - make                    Building for Linux
# - make DEBUG=1            Building for Linux, with Graphene debug output
# - make SGX=1              Building for SGX
# - make SGX=1 DEBUG=1      Building for SGX, with Graphene debug output
#
# Use `make clean` to remove Graphene-generated files.
#
# Use `make distclean` to further remove the Erlang tarball, source code,
# and installation.
# Directory holding this Makefile (with trailing slash); the default paths
# below are built from it rather than from the caller's working directory.
THIS_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
# Install prefix passed (as an absolute path) to Erlang's ./configure.
# NOTE: `make distclean` runs `rm -r` on this path, so an override should
# point at a directory that belongs to this build only.
INSTALL_DIR ?= $(THIS_DIR)install
# Unpacked Erlang/OTP source tree; the tarball is "$(ERLANG_SRC).tar.gz".
ERLANG_SRC ?= $(THIS_DIR)otp_src_22.3
# SHA-256 handed to the download script through --sha256. The only mirror
# listed below is plain HTTP, so this pin is what the tarball's integrity
# rests on; update it together with ERLANG_SRC and never blank it out.
ERLANG_CHECKSUM ?= 5c35b952808fa933ca95a9d259818aee27cb17ca96067da0fda2f035259ee612
# The erts-10.7 component is hard-coded (presumably the erts release shipped
# with OTP 22.3 -- confirm when changing ERLANG_SRC).
BIN_DIR ?= $(INSTALL_DIR)/lib/erlang/erts-10.7/bin
# ERLEXEC_EXECUTABLE and BEAMSMP_EXECUTABLE are defined here, but the rules in
# this file spell the paths out as $(BIN_DIR)/erlexec and $(BIN_DIR)/beam.smp.
ERLEXEC_EXECUTABLE ?= $(BIN_DIR)/erlexec
# ERLANG_EXECUTABLES ?= $(BIN_DIR)/beam.smp $(ERLANG_MAIN_EXECUTABLE)
BEAMSMP_EXECUTABLE ?= $(BIN_DIR)/beam.smp
# Mirrors for downloading the Erlang source code (tried via one --url each).
ERLANG_MIRRORS ?= \
http://erlang.org/download/
# Relative path to Graphene root
GRAPHENEDIR ?= $(THIS_DIR)../..
# Private key passed to pal-sgx-sign with -key. The default lives inside the
# Graphene source tree. NOTE(review): presumably a development key -- when the
# enclave's signer identity matters, override this with a key stored outside
# the repository under restricted access.
SGX_SIGNER_KEY ?= $(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/enclave-key.pem
# Value substituted for the $(GRAPHENEDEBUG) placeholder in the manifest
# templates: "inline" only when DEBUG is exactly 1, otherwise "none".
# NOTE(review): debug output is presumably unwanted in production enclaves.
ifeq ($(DEBUG),1)
GRAPHENEDEBUG = inline
else
GRAPHENEDEBUG = none
endif
# Default goal: the installed Erlang runtime, the sample module, the three
# plain manifests and the pal_loader link.
.PHONY: all
all: $(BIN_DIR)/erlexec hello.beam
all: erlexec.manifest beam.smp.manifest erl_child_setup.manifest
all: pal_loader

# SGX=1 additionally requests the signed manifest, signature and launch token
# of every binary. The prerequisites are listed erl_child_setup, beam.smp,
# erlexec; the original note says beam must come before erlexec. List order is
# only honoured by a serial make -- under `make -j` nothing here enforces it.
ifeq ($(SGX),1)
all: erl_child_setup.manifest.sgx erl_child_setup.sig erl_child_setup.token
all: beam.smp.manifest.sgx beam.smp.sig beam.smp.token
all: erlexec.manifest.sgx erlexec.sig erlexec.token
endif
# The make targets for downloading and compiling the Erlang source code, and
# installing the binaries.
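# Configure, build and install Erlang/OTP into $(INSTALL_DIR). This one recipe
# installs every erts binary (erlexec, beam.smp, erl_child_setup, erlc, ...);
# only erlexec is tracked as the target.
$(BIN_DIR)/erlexec: $(ERLANG_SRC)/configure
	cd $(ERLANG_SRC) && ./configure --prefix=$(abspath $(INSTALL_DIR))
	cd $(ERLANG_SRC) && $(MAKE)
	cd $(ERLANG_SRC) && $(MAKE) install

# Unpack next to the tarball instead of into the caller's working directory,
# so the tree lands at $(ERLANG_SRC) even when make is started elsewhere.
# -m gives extracted files a fresh mtime, keeping configure newer than the
# tarball.
$(ERLANG_SRC)/configure: $(ERLANG_SRC).tar.gz
	tar -C $(dir $<) -mxzf $<

# Fetch the tarball. The mirror is plain HTTP, so the --sha256 pin is the only
# integrity control on the source that ends up inside the enclave; keep it.
# The URL uses the bare file name: $(ERLANG_SRC) carries the $(THIS_DIR)
# prefix, which must not be pasted into the remote path.
$(ERLANG_SRC).tar.gz:
	$(GRAPHENEDIR)/Scripts/download --output $@ --sha256 $(ERLANG_CHECKSUM) \
		$(foreach mirror,$(ERLANG_MIRRORS),--url $(mirror)/$(notdir $@))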
# Erlang dependencies (generate from ldd):
#
# For SGX, the manifest needs to list all the libraries loaded during the
# execution, so that the signer can include the file checksums.
#
# The dependencies are generated from the ldd results.
# We need to replace Glibc dependencies with Graphene-specific Glibc. The Glibc
# binaries are already listed in the manifest template, so we can skip them
# from the ldd results
# Library base names dropped from the ldd-derived lists: each word becomes a
# `-e` pattern of the whole-line inverted grep (`grep -v -x`) in the *-deps
# rules, so entries must match the name before the first dot exactly.
GLIBC_DEPS = linux-vdso /lib64/ld-linux-x86-64 libc libm librt libdl libutil libpthread
# Listing all the Erlang dependencies, besides Glibc libraries
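# Capture `ldd` output for each runtime binary. The output is written with a
# single truncating redirect: the previous `>>` appended to whatever an
# interrupted build had left behind, letting stale library names leak into the
# trusted-file list. The recorded paths are the build host's; run this only on
# binaries produced by this build, since ldd may invoke the binary's loader.
# NOTE: $(BIN_DIR)/beam.smp and $(BIN_DIR)/erl_child_setup have no rule of
# their own; they exist only after the $(BIN_DIR)/erlexec recipe has run.
.INTERMEDIATE: erlexec-ldd
erlexec-ldd: $(BIN_DIR)/erlexec
	@echo erlexec ldd analysis
	@for F in $^; do \
		ldd $$F || exit 1; \
	done > $@

.INTERMEDIATE: beam_smp-ldd
beam_smp-ldd: $(BIN_DIR)/beam.smp
	@echo beam.smp ldd analysis
	@for F in $^; do \
		ldd $$F || exit 1; \
	done > $@

.INTERMEDIATE: erl_child_setup-ldd
erl_child_setup-ldd: $(BIN_DIR)/erl_child_setup
	@echo erl_child_setup ldd analysis
	@for F in $^; do \
		ldd $$F || exit 1; \
	done > $@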
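# Reduce the ldd output to unique library base names (text before the first
# dot of every "name => path" line) and drop the Glibc names in GLIBC_DEPS.
# grep exits 1 when it selects no line, which is the normal case for a binary
# that links only against Glibc; that status is accepted so the rule yields an
# empty list instead of failing. Real grep errors (status 2) still fail.
.INTERMEDIATE: erlexec-deps
erlexec-deps: erlexec-ldd
	@echo erlexec library dependancy extraction
	@awk '{if ($$2 =="=>") {split($$1,s,/\./); print s[1]}}' $< \
		| sort | uniq \
		| { grep -v -x $(patsubst %,-e %,$(GLIBC_DEPS)) || [ $$? -eq 1 ]; } > $@

.INTERMEDIATE: beam_smp-deps
beam_smp-deps: beam_smp-ldd
	@echo beam.smp library dependancy extraction
	@awk '{if ($$2 =="=>") {split($$1,s,/\./); print s[1]}}' $< \
		| sort | uniq \
		| { grep -v -x $(patsubst %,-e %,$(GLIBC_DEPS)) || [ $$? -eq 1 ]; } > $@

.INTERMEDIATE: erl_child_setup-deps
erl_child_setup-deps: erl_child_setup-ldd
	@echo erl_child_setup library dependancy extraction
	@awk '{if ($$2 =="=>") {split($$1,s,/\./); print s[1]}}' $< \
		| sort | uniq \
		| { grep -v -x $(patsubst %,-e %,$(GLIBC_DEPS)) || [ $$? -eq 1 ]; } > $@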
# Generating manifest rules for Erlang dependencies
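# Turn each dependency name into an "sgx.trusted_files.<name> = file:<path>"
# manifest line; the signer later checksums every file named here, so a wrong
# path means the wrong file is measured.
#  - The path is looked up by exact base name (same split as the *-deps
#    rules). The previous unanchored `grep $$F` let a name such as libz also
#    match libzstd and take whichever line came first.
#  - A lookup that does not yield an absolute path (for example ldd printing
#    "not found") stops the build instead of emitting a bogus entry.
#  - Each line ends in a literal backslash followed by n, which the sed in the
#    manifest rule expands to a newline. printf produces that in any shell,
#    where `echo -n` depended on the shell's escape handling.
.INTERMEDIATE: erlexec-trusted-libs
erlexec-trusted-libs: erlexec-deps
	@echo erlexec trusted library generation
	@BINFILE="$(BIN_DIR)/erlexec" && \
	for F in $$(cat $<); do \
		P=$$(ldd "$$BINFILE" | awk -v lib="$$F" '$$2 == "=>" { split($$1, s, /\./); if (s[1] == lib) { print $$3; exit } }'); \
		case "$$P" in /*) ;; *) echo "cannot resolve $$F for $$BINFILE" >&2; exit 1 ;; esac; \
		N=$$(echo "$$F" | tr -d '-'); \
		printf 'sgx.trusted_files.%s = file:%s\\n' "$$N" "$$P"; \
	done > $@

.INTERMEDIATE: beam_smp-trusted-libs
beam_smp-trusted-libs: beam_smp-deps
	@echo beam.smp trusted library generation
	@BINFILE="$(BIN_DIR)/beam.smp" && \
	for F in $$(cat $<); do \
		P=$$(ldd "$$BINFILE" | awk -v lib="$$F" '$$2 == "=>" { split($$1, s, /\./); if (s[1] == lib) { print $$3; exit } }'); \
		case "$$P" in /*) ;; *) echo "cannot resolve $$F for $$BINFILE" >&2; exit 1 ;; esac; \
		N=$$(echo "$$F" | tr -d '-'); \
		printf 'sgx.trusted_files.%s = file:%s\\n' "$$N" "$$P"; \
	done > $@

.INTERMEDIATE: erl_child_setup-trusted-libs
erl_child_setup-trusted-libs: erl_child_setup-deps
	@echo erl_child_setup trusted library generation
	@BINFILE="$(BIN_DIR)/erl_child_setup" && \
	for F in $$(cat $<); do \
		P=$$(ldd "$$BINFILE" | awk -v lib="$$F" '$$2 == "=>" { split($$1, s, /\./); if (s[1] == lib) { print $$3; exit } }'); \
		case "$$P" in /*) ;; *) echo "cannot resolve $$F for $$BINFILE" >&2; exit 1 ;; esac; \
		N=$$(echo "$$F" | tr -d '-'); \
		printf 'sgx.trusted_files.%s = file:%s\\n' "$$N" "$$P"; \
	done > $@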
# Original which won't work because erlexec-trusted-libs output an empty list
#erlexec.manifest: erlexec.manifest.template erlexec-trusted-libs
# sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
# -e 's|$$(GRAPHENEDEBUG)|'"$(GRAPHENEDEBUG)"'|g' \
# -e 's|$$(INSTALL_DIR)|'"$(INSTALL_DIR)"'|g' \
# -e 's|$$(INSTALL_DIR_ABSPATH)|'"$(abspath $(INSTALL_DIR))"'|g' \
# -e 's|$$(ERLANG_TRUSTED_LIBS)|'"`cat erlexec-trusted-libs`"'|g' \
# $< > $@
# Instantiate the erlexec manifest by replacing the literal $(...) placeholders
# of the template with the values of the same-named make variables.
# $(ERLANG_TRUSTED_LIBS) is replaced with nothing, so no ldd-derived
# sgx.trusted_files entries are added; NOTE(review): this presumably relies on
# the template already naming every file erlexec loads -- confirm for SGX.
erlexec.manifest: erlexec.manifest.template
	@echo creating erlexec.manifest from template
	sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
		-e 's|$$(GRAPHENEDEBUG)|'"$(GRAPHENEDEBUG)"'|g' \
		-e 's|$$(INSTALL_DIR)|'"$(INSTALL_DIR)"'|g' \
		-e 's|$$(INSTALL_DIR_ABSPATH)|'"$(abspath $(INSTALL_DIR))"'|g' \
		-e 's|$$(ERLANG_TRUSTED_LIBS)||g' \
		$< > $@
# Instantiate the beam.smp manifest from its template. This is the only
# manifest that still splices in the ldd-derived trusted-file lines: the
# contents of beam_smp-trusted-libs replace $(ERLANG_TRUSTED_LIBS). The text
# is inserted into a sed replacement delimited by `|`, so a library path
# containing `|` or `&` would not be substituted literally.
beam.smp.manifest: beam.smp.manifest.template beam_smp-trusted-libs
	@echo creating beam.smp.manifest from template
	sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
		-e 's|$$(GRAPHENEDEBUG)|'"$(GRAPHENEDEBUG)"'|g' \
		-e 's|$$(INSTALL_DIR)|'"$(INSTALL_DIR)"'|g' \
		-e 's|$$(INSTALL_DIR_ABSPATH)|'"$(abspath $(INSTALL_DIR))"'|g' \
		-e 's|$$(ERLANG_TRUSTED_LIBS)|'"`cat beam_smp-trusted-libs`"'|g' \
		$< > $@
# Original which won't work because erl_child_setup-trusted-libs output an empty list
#erl_child_setup.manifest: erl_child_setup.manifest.template erl_child_setup-trusted-libs
# @echo creating erl_child_setup.manifest from template
# sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
# -e 's|$$(GRAPHENEDEBUG)|'"$(GRAPHENEDEBUG)"'|g' \
# -e 's|$$(INSTALL_DIR)|'"$(INSTALL_DIR)"'|g' \
# -e 's|$$(INSTALL_DIR_ABSPATH)|'"$(abspath $(INSTALL_DIR))"'|g' \
# -e 's|$$(ERLANG_TRUSTED_LIBS)|'"`cat erl_child_setup-trusted-libs`"'|g' \
# $< > $@
# Instantiate the erl_child_setup manifest from its template. As with
# erlexec.manifest, $(ERLANG_TRUSTED_LIBS) is replaced with nothing, so the
# trusted-file set is whatever the template itself lists.
erl_child_setup.manifest: erl_child_setup.manifest.template
	@echo creating erl_child_setup.manifest from template
	sed -e 's|$$(GRAPHENEDIR)|'"$(GRAPHENEDIR)"'|g' \
		-e 's|$$(GRAPHENEDEBUG)|'"$(GRAPHENEDEBUG)"'|g' \
		-e 's|$$(INSTALL_DIR)|'"$(INSTALL_DIR)"'|g' \
		-e 's|$$(INSTALL_DIR_ABSPATH)|'"$(abspath $(INSTALL_DIR))"'|g' \
		-e 's|$$(ERLANG_TRUSTED_LIBS)||g' \
		$< > $@
# Generating the SGX-specific manifest (erlexec.manifest.sgx), the enclave signature,
# and the token for enclave initialization.
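# Sign each manifest with pal-sgx-sign (inputs: plain manifest, libpal, signer
# key; output: the .manifest.sgx named by -output).
# The signer records checksums of the files the manifest trusts, so a signed
# manifest must be regenerated whenever the Erlang binaries are reinstalled.
# All erts binaries are installed by the $(BIN_DIR)/erlexec recipe, so that
# target is added as a prerequisite of every signing rule; previously a
# rebuilt runtime could be paired with a stale signed manifest. $< is still
# the plain manifest because it stays first in the list.
erlexec.manifest.sgx: erlexec.manifest $(BIN_DIR)/erlexec
	@echo creating erlexec sgx manifest
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-sign \
		-libpal $(GRAPHENEDIR)/Runtime/libpal-Linux-SGX.so \
		-key $(SGX_SIGNER_KEY) \
		-manifest $< -output $@

beam.smp.manifest.sgx: beam.smp.manifest $(BIN_DIR)/erlexec
	@echo creating beam.smp sgx manifest
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-sign \
		-libpal $(GRAPHENEDIR)/Runtime/libpal-Linux-SGX.so \
		-key $(SGX_SIGNER_KEY) \
		-manifest $< -output $@

erl_child_setup.manifest.sgx: erl_child_setup.manifest $(BIN_DIR)/erlexec
	@echo creating erl_child_setup sgx manifest
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-sign \
		-libpal $(GRAPHENEDIR)/Runtime/libpal-Linux-SGX.so \
		-key $(SGX_SIGNER_KEY) \
		-manifest $< -output $@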
# The .sig rules carry no recipe: they only order each signature after its
# signed manifest (the file itself is presumably written by pal-sgx-sign as a
# by-product of the .manifest.sgx rule).
erlexec.sig: erlexec.manifest.sgx

beam.smp.sig: beam.smp.manifest.sgx

erl_child_setup.sig: erl_child_setup.manifest.sgx

# Obtain the launch token for each enclave from its signature file.
# $@ is the .token target and $< the .sig prerequisite.
erlexec.token: erlexec.sig
	@echo creating erlexec signatures
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \
		-output $@ -sig $<

beam.smp.token: beam.smp.sig
	@echo creating beam.smp signatures
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \
		-output $@ -sig $<

erl_child_setup.token: erl_child_setup.sig
	@echo creating erl_child_setup signatures
	$(GRAPHENEDIR)/Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \
		-output $@ -sig $<
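# Compile the sample module with the freshly installed erlc. erlc is installed
# by the $(BIN_DIR)/erlexec recipe, so that target is an order-only
# prerequisite: it must exist first, but reinstalling it does not by itself
# force a recompile of hello.beam.
hello.beam: hello.erl | $(BIN_DIR)/erlexec
	$(INSTALL_DIR)/bin/erlc $<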
# Extra executables
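# Link Graphene's loader into this directory. -f replaces a leftover dangling
# link, which make treats as a missing target and on which a plain `ln -s`
# would fail with "File exists".
pal_loader:
	ln -sf $(GRAPHENEDIR)/Runtime/pal_loader $@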
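# Remove Graphene-generated files. The *-deps and *-trusted-libs intermediates
# are listed next to the *-ldd ones: make deletes them after a successful run,
# but an interrupted build can leave any of them behind.
.PHONY: clean
clean:
	$(RM) *.manifest *.manifest.sgx *.token *.sig pal_loader OUTPUT result-* \
		beam_smp-ldd erlexec-ldd erl_child_setup-ldd \
		beam_smp-deps erlexec-deps erl_child_setup-deps \
		beam_smp-trusted-libs erlexec-trusted-libs erl_child_setup-trusted-libs \
		tmp hello.beam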
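# Also remove the Erlang tarball, source tree and installation.
# ERLANG_SRC and INSTALL_DIR can be overridden from the command line or the
# environment and are passed to `rm -r`, so refuse values that are empty or
# resolve to the filesystem root. An override pointing at a shared prefix is
# still deleted wholesale -- keep both inside the build tree.
.PHONY: distclean
distclean: clean
	$(if $(filter-out /,$(abspath $(ERLANG_SRC))),,$(error ERLANG_SRC is empty or /; refusing to run rm -r))
	$(if $(filter-out /,$(abspath $(INSTALL_DIR))),,$(error INSTALL_DIR is empty or /; refusing to run rm -r))
	$(RM) -r $(ERLANG_SRC).tar.gz $(ERLANG_SRC) $(INSTALL_DIR)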