Build production mode (#325)

* Add production build mode

* Add dev mode description

* Add production mode in docker build

* Fix src check reserved bug; Build prod mode with provided command

* Move prod_sign.sh path to scripts

* Add sgx_wl_cert_file.bin before creating enclave

* Add sgx white list file

* Move sgx white list to src dir

Makefile

@@ -3,6 +3,9 @@
 build:
 	@$(MAKE) -C src all -j8 --no-print-directory
 
+build_prod:
+	@$(MAKE) -C src all SGX_DEBUG=0 -j8 --no-print-directory
+
 build_test:
 	@$(MAKE) -C test build --no-print-directory
 	@$(MAKE) -C test install --no-print-directory

docker/build.sh

@@ -7,20 +7,24 @@ usage() {
 		echo "    $0 [options]"
     echo "Options:"
     echo "     -p publish image"
+    echo "     -m build mode(dev or prod)"
 
 	  exit 1;
 }
 
 PUBLISH=0
 
-while getopts ":hp" opt; do
+while getopts ":hpm:" opt; do
     case ${opt} in
         h )
 			      usage
             ;;
         p )
             PUBLISH=1
             ;;
+        m )
+            SWORKER_MODE=$OPTARG
+            ;;
         \? )
             echo "Invalid Option: -$OPTARG" 1>&2
             exit 1
@@ -37,7 +41,10 @@ if [ "$PUBLISH" -eq "1" ]; then
 fi
 
 make clean
-docker build -f docker/runner/Dockerfile -t $IMAGEID .
+if [ x"$SWORKER_MODE" != x"prod" ]; then
+    SWORKER_MODE="dev"
+fi
+docker build -f docker/runner/Dockerfile -t $IMAGEID --build-arg BUILD_MODE=$SWORKER_MODE .
 
 if [ "$?" -ne "0" ]; then
     echo "crust-sworker build failed!"

docker/runner/Dockerfile

@@ -1,12 +1,14 @@
 # crust sworker image
 FROM crustio/crust-sworker-env:0.6.0
 
+ARG BUILD_MODE
+
 ADD scripts /crust-sworker/scripts
 ADD src /crust-sworker/src
 ADD test /crust-sworker/test
 ADD VERSION /crust-sworker/VERSION
 ADD Makefile /crust-sworker/Makefile
 ADD buildenv.mk /crust-sworker/buildenv.mk
-RUN /crust-sworker/scripts/install.sh -d
+RUN /crust-sworker/scripts/install.sh -d -m ${BUILD_MODE}
 ADD docker/runner/start_sworker.sh /
 CMD /start_sworker.sh

docker/runner/start_sworker.sh

@@ -9,15 +9,16 @@ inteldir=/opt/intel
 echo "Starting curst sworker $version"
 source $crust_env_file
 
-echo "Wait 5 seconds for aesm service fully start"
+wait_time=10
+echo "Wait $wait_time seconds for aesm service fully start"
 /opt/intel/sgx-aesm-service/aesm/linksgx.sh
 /bin/mkdir -p /var/run/aesmd/
 /bin/chown -R aesmd:aesmd /var/run/aesmd/
 /bin/chmod 0755 /var/run/aesmd/
 /bin/chown -R aesmd:aesmd /var/opt/aesmd/
 /bin/chmod 0750 /var/opt/aesmd/
 NAME=aesm_service AESM_PATH=/opt/intel/sgx-aesm-service/aesm LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm /opt/intel/sgx-aesm-service/aesm/aesm_service
-sleep 5
+sleep $wait_time
 
 ps -ef | grep aesm
 

scripts/install.sh

@@ -45,10 +45,18 @@ function installAPP()
     res=0
     cd $instdir
     make clean &>/dev/null
-    setTimeWait "$(verbose INFO "Building and installing sworker application..." h)" $SYNCFILE &
+    if [ x"$build_mode" != x"" ]; then
+        proddesc="in prod mode"
+    else
+        proddesc="in dev mode"
+    fi
+    setTimeWait "$(verbose INFO "Building and installing sworker application($proddesc)..." h)" $SYNCFILE &
     toKillPID[${#toKillPID[*]}]=$!
-    make -j$((coreNum*2)) &>$ERRFILE
+    make $build_mode SIGN_CMD=$SIGN_CMD_FILE -j$((coreNum*2)) &>$ERRFILE
     checkRes $? "quit" "success" "$SYNCFILE"
+    if [ x"$DOCKERMODLE" = x"1" ]; then
+        rm $SIGN_CMD_FILE
+    fi
     cd - &>/dev/null
 
     # Copy related files to install directory
@@ -59,6 +67,7 @@ function installAPP()
         cp $instdir/etc/$enclaveso $realsworkerdir/etc
     fi
     cp $srcdir/$configfile $realsworkerdir/etc
+    cp $srcdir/sgx_white_list_cert.bin $realsworkerdir/etc
     cp -r $instdir/scripts/uninstall.sh $realsworkerdir/scripts
     cp -r $instdir/scripts/utils.sh $realsworkerdir/scripts
     cp -r $instdir/VERSION $realsworkerdir
@@ -134,6 +143,7 @@ function usage()
 		echo "    $0 [options]"
     echo "Options:"
     echo "     -d for docker"
+    echo "     -m build mode(dev or prod)"
 
 	exit 1;
 }
@@ -170,6 +180,7 @@ enclaveso="enclave.signed.so"
 configfile="Config.json"
 # Crust related
 crust_env_file=$realsworkerdir/etc/environment
+SIGN_CMD_FILE=$instdir/scripts/prod_sign.sh
 
 #trap "success_exit" INT
 trap "success_exit" EXIT
@@ -182,21 +193,30 @@ fi
 
 # Cmds
 DOCKERMODLE=0
-while getopts ":hd" opt; do
+while getopts ":hdm:" opt; do
   case ${opt} in
     h )
 		usage
       ;;
     d )
        DOCKERMODLE=1
       ;;
+    m )
+       build_mode=$OPTARG
+      ;;
     \? )
       echo "Invalid Option: -$OPTARG" 1>&2
       exit 1
       ;;
   esac
 done
 
+if [ x"$build_mode" = x"prod" ]; then
+    build_mode="SGX_DEBUG=0"
+else
+    build_mode=""
+fi
+
 if ps -ef | grep -v grep | grep $PPID | grep $selfName &>/dev/null; then
     selfPID=$PPID
 fi

src/Makefile

@@ -20,15 +20,7 @@ all: .config_$(Build_Mode)_$(SGX_ARCH)
 	@$(MAKE) target
 
 ifeq ($(Build_Mode), HW_RELEASE)
-target:  $(App_Name) $(Enclave_Name) $(Test_Target)
-	@echo "The project has been built in release hardware mode."
-	@echo "Please sign the $(Enclave_Name) first with your signing key before you run the $(App_Name) to launch and access the enclave."
-	@echo "To sign the enclave use the command:"
-	@echo "   $(SGX_ENCLAVE_SIGNER) sign -key <your key> -enclave $(Enclave_Name) -out <$(Signed_Enclave_Name)> -config $(Enclave_Config_File)"
-	@echo "You can also sign the enclave using an external signing tool."
-	@echo "To build the project in simulation mode set SGX_MODE=SIM. To build the project in prerelease mode set SGX_PRERELEASE=1 and SGX_MODE=HW."
-
-
+target:  $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(Test_Target)
 else
 target: $(App_Name) $(Signed_Enclave_Name) $(Test_Target)
 ifeq ($(Build_Mode), HW_DEBUG)
@@ -101,8 +93,13 @@ $(Enclave_Name): enclave/Enclave_t.o $(Enclave_Cpp_Objects)
 	@echo "LINK =>  $@"
 
 $(Signed_Enclave_Name): $(Enclave_Name)
+ifneq ($(Build_Mode), HW_RELEASE)
 	@$(SGX_ENCLAVE_SIGNER) sign -key enclave/EnclavePrivate.pem -enclave $(Enclave_Name) -out $@ -config $(Enclave_Config_File)
 	@echo "SIGN =>  $@"
+else
+	@. ../scripts/prod_sign.sh
+	@echo "PROD SIGN =>  $@"
+endif
 
 
 ######## Test Objects ########

src/app/include/Resource.h

@@ -8,6 +8,7 @@
 
 #define CRUST_INST_DIR      "/opt/crust/crust-sworker/" VERSION
 #define ENCLAVE_FILE_PATH   CRUST_INST_DIR "/etc/enclave.signed.so"
+#define SGX_WL_FILE_PATH    CRUST_INST_DIR "/etc/sgx_white_list_cert.bin"
 
 // For work report
 // REPORT_INTERVAL_BLCOK_NUMBER_UPPER_LIMIT < REPORT_SLOT

src/app/process/Process.cpp

@@ -75,6 +75,17 @@ bool initialize_enclave()
     }
 
     // ----- Launch the enclave ----- //
+    uint8_t *p_wl_data = NULL;
+    size_t wl_data_size = 0;
+    if (CRUST_SUCCESS == get_file(SGX_WL_FILE_PATH, &p_wl_data, &wl_data_size))
+    {
+        sgx_status_t reg_ret = sgx_register_wl_cert_chain(p_wl_data, wl_data_size);
+        if (SGX_SUCCESS != reg_ret)
+        {
+            p_log->debug("Encounter problem when registering local white list cert.\n");
+        }
+        free(p_wl_data);
+    }
     ret = sgx_create_enclave(ENCLAVE_FILE_PATH, SGX_DEBUG_FLAG, NULL, NULL, &global_eid, NULL);
     if (ret != SGX_SUCCESS)
     {

src/app/process/Srd.cpp

@@ -179,7 +179,7 @@ void srd_check_reserved(void)
         long del_space = 0;
         if ((long)avail_space < srd_reserved_space)
         {
-            del_space = std::min((long)(srd_reserved_space - avail_space), (long)srd_info_json["assigned"].ToInt());
+            del_space = std::min((long)(srd_reserved_space - avail_space), (long)srd_info_json[WL_SRD_COMPLETE].ToInt());
         }
 
         // Do remove

src/app/process/WorkReport.cpp

@@ -164,7 +164,7 @@ void work_report_loop(void)
                 p_log->warn("Block height expired.\n");
                 break;
             case CRUST_FIRST_WORK_REPORT_AFTER_REPORT:
-                p_log->warn("Can't generate work report for the first four times after restart\n");
+                p_log->warn("Can't generate work report for the first time after restart\n");
                 break;
             case CRUST_SERVICE_UNAVAILABLE:
                 p_log->warn("Can't generate work report. You have meaningful files, please start ipfs or use delete interface to remove those files\n");

src/enclave/validator/Validator.cpp

@@ -359,6 +359,7 @@ void validate_meaningful_file()
                 }
                 else
                 {
+                    log_err("Get file(%s) block failed! Error code:%lx\n", root_cid.c_str(), crust_status);
                     deleted_idx_us.insert(file_idx);
                 }
                 break;
@@ -468,12 +469,12 @@ crust_status_t validate_real_file(uint8_t *p_sealed_data, size_t sealed_data_siz
         // Get related IPFS file data piece
         size_t got_piece_size = 0;
         crust_status = storage_ipfs_get_block(piece_cid.c_str(), &p_got_piece_data, &got_piece_size);
-        sgx_sha256_hash_t got_piece_hash;
-        sgx_sha256_msg(p_got_piece_data, got_piece_size, &got_piece_hash);
         if (CRUST_SUCCESS != crust_status)
         {
             break;
         }
+        sgx_sha256_hash_t got_piece_hash;
+        sgx_sha256_msg(p_got_piece_data, got_piece_size, &got_piece_hash);
         // Compare data piece
         if (memcmp(p_real_piece_data, p_got_piece_data, real_piece_size) != 0)
         {