Allow for SNP/Virtual builds with no dependency on Open Enclave

.daily_canary

@@ -1,4 +1,4 @@
    ---     ___           ___
-  (- -)   (o =)   |     Y   &  +-- 
+  (- -)   (= =)   |     Y   &  +-- 
  (  V  ) z  x  z  O    +---=---'
 /--x-m- /--n-m---xXx--/--yY--------

CMakeLists.txt

@@ -447,7 +447,7 @@ if(COMPILE_TARGET STREQUAL "sgx")
     EXPORT ccf
     DESTINATION lib
   )
-elseif(COMPILE_TARGET STREQUAL "snp")
+elseif(COMPILE_TARGET STREQUAL "snp" AND REQUIRE_OPENENCLAVE)
   add_library(js_openenclave.snp STATIC ${CCF_DIR}/src/js/openenclave.cpp)
   add_san(js_openenclave.snp)
   target_link_libraries(js_openenclave.snp PUBLIC ccf.snp)
@@ -462,7 +462,8 @@ elseif(COMPILE_TARGET STREQUAL "snp")
     EXPORT ccf
     DESTINATION lib
   )
-elseif(COMPILE_TARGET STREQUAL "virtual")
+  set(JS_OPENENCLAVE_SNP js_openenclave.snp)
+elseif(COMPILE_TARGET STREQUAL "virtual" AND REQUIRE_OPENENCLAVE)
   add_library(js_openenclave.virtual STATIC ${CCF_DIR}/src/js/openenclave.cpp)
   add_san(js_openenclave.virtual)
   target_link_libraries(js_openenclave.virtual PUBLIC ccf.virtual)
@@ -480,6 +481,7 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
     EXPORT ccf
     DESTINATION lib
   )
+  set(JS_OPENENCLAVE_VIRTUAL js_openenclave.virtual)
 endif()
 
 if(COMPILE_TARGET STREQUAL "sgx")
@@ -521,11 +523,13 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
   add_warning_checks(js_generic_base.virtual)
   target_link_libraries(js_generic_base.virtual PUBLIC ccf.virtual)
   target_compile_options(js_generic_base.virtual PRIVATE ${COMPILE_LIBCXX})
-  target_compile_definitions(
-    js_openenclave.virtual
-    PUBLIC INSIDE_ENCLAVE VIRTUAL_ENCLAVE _LIBCPP_HAS_THREAD_API_PTHREAD
-           PLATFORM_VIRTUAL
-  )
+  if(REQUIRE_OPENENCLAVE)
+    target_compile_definitions(
+      js_openenclave.virtual
+      PUBLIC INSIDE_ENCLAVE VIRTUAL_ENCLAVE _LIBCPP_HAS_THREAD_API_PTHREAD
+             PLATFORM_VIRTUAL
+    )
+  endif()
   set_property(
     TARGET js_generic_base.virtual PROPERTY POSITION_INDEPENDENT_CODE ON
   )
@@ -540,8 +544,8 @@ add_ccf_app(
   js_generic
   SRCS ${CCF_DIR}/src/apps/js_generic/js_generic.cpp
   LINK_LIBS_ENCLAVE js_generic_base.enclave js_openenclave.enclave
-  LINK_LIBS_VIRTUAL js_generic_base.virtual js_openenclave.virtual
-  LINK_LIBS_SNP js_generic_base.snp js_openenclave.snp INSTALL_LIBS ON
+  LINK_LIBS_VIRTUAL js_generic_base.virtual ${JS_OPENENCLAVE_VIRTUAL}
+  LINK_LIBS_SNP js_generic_base.snp ${JS_OPENENCLAVE_SNP} INSTALL_LIBS ON
 )
 sign_app_library(
   js_generic.enclave ${CCF_DIR}/src/apps/js_generic/oe_sign.conf
@@ -685,9 +689,9 @@ elseif(COMPILE_TARGET STREQUAL "snp")
            ccfcrypto.snp
            ccf_kv.snp
            nghttp2.snp
-           ${OE_HOST_LIBRARY}
            ${CMAKE_THREAD_LIBS_INIT}
   )
+  link_openenclave_host(ccf.snp)
 
   set_property(TARGET ccf.snp PROPERTY POSITION_INDEPENDENT_CODE ON)
 
@@ -736,9 +740,9 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
            ccfcrypto.host
            ccf_kv.host
            nghttp2.host
-           ${OE_HOST_LIBRARY}
            ${CMAKE_THREAD_LIBS_INIT}
   )
+  link_openenclave_host(ccf.virtual)
 
   set_property(TARGET ccf.virtual PROPERTY POSITION_INDEPENDENT_CODE ON)
 

cmake/ccf_app.cmake

@@ -239,6 +239,7 @@ function(add_host_library name)
   set(files ${PARSED_ARGS_UNPARSED_ARGUMENTS})
   add_library(${name} ${files})
   target_compile_options(${name} PUBLIC ${COMPILE_LIBCXX})
-  target_link_libraries(${name} PUBLIC ${LINK_LIBCXX} -lgcc ${OE_HOST_LIBRARY})
+  target_link_libraries(${name} PUBLIC ${LINK_LIBCXX} -lgcc)
+  link_openenclave_host(${name})
   set_property(TARGET ${name} PROPERTY POSITION_INDEPENDENT_CODE ON)
 endfunction()

cmake/common.cmake

@@ -9,9 +9,8 @@ function(add_unit_test name)
     ${name} PRIVATE src ${CCFCRYPTO_INC} ${CCF_DIR}/3rdparty/test
   )
   enable_coverage(${name})
-  target_link_libraries(
-    ${name} PRIVATE ${LINK_LIBCXX} ccfcrypto.host ${OE_HOST_LIBRARY}
-  )
+  target_link_libraries(${name} PRIVATE ${LINK_LIBCXX} ccfcrypto.host -pthread)
+  link_openenclave_host(${name})
   add_san(${name})
 
   add_test(NAME ${name} COMMAND ${name})

cmake/open_enclave.cmake

@@ -1,39 +1,57 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the Apache 2.0 License.
 
-if(NOT COMPILE_TARGET STREQUAL "sgx")
-  set(COMPONENT "OEHOSTVERIFY")
-endif()
+# We allow for Open Enclave (and Open Enclave HostVerify) to _not_ be installed,
+# with some limitations (e.g. virtual/snp builds cannot verify sgx attestation
+# reports). This can hopefully be removed by 5.x (see
+# https://github.com/microsoft/CCF/issues/5291).
+option(REQUIRE_OPENENCLAVE "Requires Open Enclave or HostVerify variant" ON)
+
+if(REQUIRE_OPENENCLAVE)
+  if(NOT COMPILE_TARGET STREQUAL "sgx")
+    set(COMPONENT "OEHOSTVERIFY")
+  endif()
+
+  # Find OpenEnclave package
+  find_package(OpenEnclave 0.19.0 CONFIG REQUIRED)
+
+  # As well as pulling in openenclave:: targets, this sets variables which can
+  # be used for our edge cases (eg - for virtual libraries). These do not follow
+  # the standard naming patterns, for example use OE_INCLUDEDIR rather than
+  # OpenEnclave_INCLUDE_DIRS
+  if(COMPILE_TARGET STREQUAL "sgx")
+    set(OE_TARGET_LIBC openenclave::oelibc)
+    set(OE_TARGET_ENCLAVE_AND_STD
+        openenclave::oeenclave openenclave::oelibcxx openenclave::oelibc
+        openenclave::oecryptoopenssl
+    )
 
-# Find OpenEnclave package
-find_package(OpenEnclave 0.19.0 CONFIG REQUIRED)
-# As well as pulling in openenclave:: targets, this sets variables which can be
-# used for our edge cases (eg - for virtual libraries). These do not follow the
-# standard naming patterns, for example use OE_INCLUDEDIR rather than
-# OpenEnclave_INCLUDE_DIRS
-
-if(COMPILE_TARGET STREQUAL "sgx")
-  set(OE_TARGET_LIBC openenclave::oelibc)
-  set(OE_TARGET_ENCLAVE_AND_STD
-      openenclave::oeenclave openenclave::oelibcxx openenclave::oelibc
-      openenclave::oecryptoopenssl
-  )
-  # These oe libraries must be linked in specific order
-  set(OE_TARGET_ENCLAVE_CORE_LIBS
-      openenclave::oeenclave openenclave::oesnmalloc openenclave::oecore
-      openenclave::oesyscall
-  )
-
-  option(LVI_MITIGATIONS "Enable LVI mitigations" ON)
-
-  function(add_lvi_mitigations name)
-    if(LVI_MITIGATIONS)
-      # Enable clang-11 built-in LVI mitigation
-      target_compile_options(${name} PRIVATE -mlvi-cfi)
-    endif()
-  endfunction()
-
-  set(OE_HOST_LIBRARY openenclave::oehost)
-else()
-  set(OE_HOST_LIBRARY openenclave::oehostverify)
+    # These oe libraries must be linked in specific order
+    set(OE_TARGET_ENCLAVE_CORE_LIBS
+        openenclave::oeenclave openenclave::oesnmalloc openenclave::oecore
+        openenclave::oesyscall
+    )
+
+    option(LVI_MITIGATIONS "Enable LVI mitigations" ON)
+
+    function(add_lvi_mitigations name)
+      if(LVI_MITIGATIONS)
+        # Enable clang-11 built-in LVI mitigation
+        target_compile_options(${name} PRIVATE -mlvi-cfi)
+      endif()
+    endfunction()
+
+    set(OE_HOST_LIBRARY openenclave::oehost)
+  else()
+    set(OE_HOST_LIBRARY openenclave::oehostverify)
+  endif()
+elseif(COMPILE_TARGET STREQUAL "sgx")
+  message(FATAL_ERROR "Open Enclave is required for SGX target")
 endif()
+
+function(link_openenclave_host name)
+  if(REQUIRE_OPENENCLAVE)
+    target_link_libraries(${name} PUBLIC ${OE_HOST_LIBRARY})
+    target_compile_definitions(${name} PUBLIC SGX_ATTESTATION_VERIFICATION)
+  endif()
+endfunction()

docker/README.md

@@ -9,5 +9,5 @@ To build a given image, run:
 
 ```bash
 $ cd CCF/
-$ docker build -t <tag> -f docker/<app_run|app_dev|ccf_ci> --build-arg="target=<sgx|snp|virtual>" .
+$ docker build -t <tag> -f docker/<app_run|app_dev|ccf_ci> --build-arg="platform=<sgx|snp|virtual>" --build-arg="clang_version=<11|15>" .
 ```

src/apps/js_generic/js_generic.cpp

@@ -14,7 +14,11 @@ namespace ccfapp
 
   std::vector<ccf::js::FFIPlugin> get_js_plugins()
   {
+#if defined(INSIDE_ENCLAVE) || defined(SGX_ATTESTATION_VERIFICATION)
     return {ccf::js::openenclave_plugin};
+#else
+    return {};
+#endif
   }
 
 } // namespace ccfapp

src/crypto/openssl/rsa_key_pair.cpp

@@ -177,7 +177,7 @@ namespace crypto
   {
     JsonWebKeyRSAPrivate jwk = {RSAPublicKey_OpenSSL::public_key_jwk_rsa(kid)};
 
-    RSA* rsa = EVP_PKEY_get0_RSA(key);
+    const RSA* rsa = EVP_PKEY_get0_RSA(key);
     if (!rsa)
     {
       throw std::logic_error("invalid RSA key");

src/crypto/openssl/rsa_public_key.cpp

@@ -168,7 +168,7 @@ namespace crypto
 
   RSAPublicKey::Components RSAPublicKey_OpenSSL::components() const
   {
-    RSA* rsa = EVP_PKEY_get0_RSA(key);
+    const RSA* rsa = EVP_PKEY_get0_RSA(key);
     if (!rsa)
     {
       throw std::logic_error("invalid RSA key");

src/enclave/verify.h

@@ -5,7 +5,7 @@
 #if defined(INSIDE_ENCLAVE) && !defined(VIRTUAL_ENCLAVE)
 #  include <openenclave/attestation/verifier.h>
 #  include <openenclave/enclave.h>
-#else
+#elif defined(SGX_ATTESTATION_VERIFICATION)
 #  include <openenclave/host_verify.h>
 #endif
 #include "ccf/ds/ccf_exception.h"
@@ -14,16 +14,20 @@ namespace ccf
 {
   void initialize_verifiers()
   {
+#if defined(INSIDE_ENCLAVE) || defined(SGX_ATTESTATION_VERIFICATION)
     auto rc = oe_verifier_initialize();
     if (rc != OE_OK)
     {
       throw ccf::ccf_oe_verifier_init_error(fmt::format(
         "Failed to initialise evidence verifier: {}", oe_result_str(rc)));
     }
+#endif
   }
 
   void shutdown_verifiers()
   {
+#if defined(INSIDE_ENCLAVE) || defined(SGX_ATTESTATION_VERIFICATION)
     oe_verifier_shutdown();
+#endif
   }
 }

src/kv/kv_types.h

@@ -3,6 +3,7 @@
 #pragma once
 
 #include "ccf/claims_digest.h"
+#include "ccf/crypto/hash_bytes.h"
 #include "ccf/crypto/pem.h"
 #include "ccf/ds/nonstd.h"
 #include "ccf/entity_id.h"
@@ -12,7 +13,6 @@
 #include "ccf/tx_id.h"
 #include "enclave/consensus_type.h"
 #include "enclave/reconfiguration_type.h"
-#include "node/identity.h"
 #include "serialiser_declare.h"
 
 #include <array>

src/node/historical_queries_utils.cpp

@@ -6,6 +6,7 @@
 #include "ccf/rpc_context.h"
 #include "ccf/service/tables/service.h"
 #include "kv/kv_types.h"
+#include "node/identity.h"
 #include "node/tx_receipt_impl.h"
 
 namespace ccf

src/node/rpc/jwt_management.h

@@ -5,12 +5,15 @@
 #include "ccf/crypto/verifier.h"
 #include "ccf/service/tables/jwt.h"
 
-#include <openenclave/attestation/verifier.h>
+#if defined(INSIDE_ENCLAVE) || defined(SGX_ATTESTATION_VERIFICATION)
+#  include <openenclave/attestation/verifier.h>
+#endif
+
 #include <set>
 #include <sstream>
 #if defined(INSIDE_ENCLAVE) && !defined(VIRTUAL_ENCLAVE)
 #  include <openenclave/enclave.h>
-#else
+#elif defined(SGX_ATTESTATION_VERIFICATION)
 #  include <openenclave/host_verify.h>
 #endif
 
@@ -33,6 +36,7 @@ namespace ccf
       });
   }
 
+#if defined(INSIDE_ENCLAVE) || defined(SGX_ATTESTATION_VERIFICATION)
   static oe_result_t oe_verify_attestation_certificate_with_evidence_cb(
     oe_claim_t* claims, size_t claims_length, void* arg)
   {
@@ -46,6 +50,7 @@ namespace ccf
     }
     return OE_OK;
   }
+#endif
 
   static bool set_jwt_public_signing_keys(
     kv::Tx& tx,
@@ -114,11 +119,16 @@ namespace ccf
         issuer_metadata.key_filter == JwtIssuerKeyFilter::SGX ||
         has_key_policy_sgx_claims)
       {
+#if defined(INSIDE_ENCLAVE) || defined(SGX_ATTESTATION_VERIFICATION)
         oe_verify_attestation_certificate_with_evidence(
           der.data(),
           der.size(),
           oe_verify_attestation_certificate_with_evidence_cb,
           &claims);
+#else
+        LOG_FAIL_FMT("{}: SGX claims not supported", log_prefix);
+        return false;
+#endif
       }
 
       if (

src/node/test/history.cpp

@@ -4,6 +4,8 @@
 
 #include "ccf/app_interface.h"
 #include "ccf/service/tables/nodes.h"
+#include "crypto/certs.h"
+#include "ds/x509_time_fmt.h"
 #include "kv/kv_types.h"
 #include "kv/store.h"
 #include "kv/test/null_encryptor.h"