Upgrade SGX-RA integration for 0.1.2 and Ubuntu 20.04 (#2454)

core/iwasm/libraries/lib-rats/lib_rats.cmake

@@ -23,6 +23,7 @@ include(FetchContent)
 set(RATS_BUILD_MODE "sgx"
     CACHE INTERNAL "Select build mode for librats(host|occlum|sgx｜wasm)")
 set(RATS_INSTALL_PATH  "${CMAKE_BINARY_DIR}/librats" CACHE INTERNAL "")
+set(BUILD_SAMPLES OFF)
 
 FetchContent_Declare(
     librats
@@ -34,8 +35,17 @@ if (NOT librats_POPULATED)
     message("-- Fetching librats ..")
     FetchContent_Populate(librats)
     include_directories("${librats_SOURCE_DIR}/include")
+    
+    # Prevent the propagation of the CMAKE_C_FLAGS of WAMR into librats
+    set(SAVED_CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+    set(CMAKE_C_FLAGS "")
+
+    # Import the building scripts of librats
     add_subdirectory(${librats_SOURCE_DIR} ${librats_BINARY_DIR} EXCLUDE_FROM_ALL)
 
+    # Restore the CMAKE_C_FLAGS of WAMR
+    set(CMAKE_C_FLAGS ${SAVED_CMAKE_C_FLAGS})
+
 endif()
 
 file (GLOB source_all ${LIB_RATS_DIR}/*.c)

product-mini/platforms/linux-sgx/enclave-sample/Makefile

@@ -143,10 +143,10 @@ else
 endif
 
 ifeq ($(WAMR_BUILD_LIB_RATS), 1)
-	Rats_Lib_Link_Dirs := -L$(LIB_RATS_INSTALL_DIR) -L$(LIB_RATS_INSTALL_DIR)/attesters -L$(LIB_RATS_INSTALL_DIR)/verifiers -L$(SGX_SSL)/lib64
+	Rats_Lib_Link_Dirs := -L$(LIB_RATS_INSTALL_DIR) -L$(LIB_RATS_INSTALL_DIR)/attesters -L$(LIB_RATS_INSTALL_DIR)/verifiers -L$(SGX_SSL)/lib64 -L$(VMLIB_BUILD_DIR)/external/libcbor/src/libcbor/lib -L$(LIB_RATS_INSTALL_DIR)/crypto_wrappers
 	Rats_Lib_W_Link_libs := -lattester_nullattester -lattester_sgx_ecdsa -lattester_sgx_la \
-						-lverifier_nullverifier -lverifier_sgx_ecdsa -lverifier_sgx_la -lverifier_sgx_ecdsa_qve \
+						-lverifier_nullverifier -lverifier_sgx_la -lverifier_sgx_ecdsa_qve -lcbor \
-						-lrats_lib -lsgx_tsgxssl
+						-lrats_lib -lsgx_tsgxssl -lcrypto_wrapper_nullcrypto -lcrypto_wrapper_openssl
 	Rats_Lib_NW_Link_libs := -lsgx_dcap_tvl -lsgx_tsgxssl_crypto
 endif
 

samples/sgx-ra/README.md

@@ -7,52 +7,52 @@ This sample demonstrates how to execute Remote Attestation on SGX with [librats]
 
 SGX-RA requires to have installed:
  - the WASI-SDK, located in `/opt/wasi-sdk`
- - CMake >= 3.11, which is not provided on Ubuntu 18.04 (use [Kitware APT Repository](https://apt.kitware.com/))
 
 ### Intel SGX dependencies
 
 Before starting, we need to download and install [SGX SDK](https://download.01.org/intel-sgx/latest/linux-latest/distro) and [SGX DCAP Library](https://download.01.org/intel-sgx/latest/dcap-latest) referring to this [guide](https://download.01.org/intel-sgx/sgx-dcap/1.8/linux/docs/Intel_SGX_DCAP_Linux_SW_Installation_Guide.pdf).
 
-The following commands are an example of the SGX environment installation on Ubuntu 18.04.
+The following commands are an example of the SGX environment installation on Ubuntu 20.04.
 ``` shell
 # Set your platform, you can get the platforms list on
 # https://download.01.org/intel-sgx/latest/linux-latest/distro
 $ cd $HOME
-$ SGX_PLATFORM=ubuntu18.04-server
+$ OS_PLATFORM=ubuntu20.04
-$ SGX_SDK_VERSION=2.17.100.3
+$ SGX_PLATFORM=$OS_PLATFORM-server
+$ SGX_RELEASE_VERSION=1.17
 $ SGX_DRIVER_VERSION=1.41
+$ SGX_SDK_VERSION=2.20.100.4
 
 # install the dependencies
 $ sudo apt-get update
-$ sudo apt-get install -y dkms
+$ sudo apt-get install -y build-essential ocaml automake autoconf libtool wget python3 libssl-dev dkms zip cmake
+$ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 1
 
 # install SGX Driver
-$ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PLATFORM/sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+$ wget https://download.01.org/intel-sgx/sgx-dcap/$SGX_RELEASE_VERSION/linux/distro/$SGX_PLATFORM/sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
 $ chmod +x sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
 $ sudo ./sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
 
 # install SGX SDK
-$ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PLATFORM/sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ wget https://download.01.org/intel-sgx/sgx-dcap/$SGX_RELEASE_VERSION/linux/distro/$SGX_PLATFORM/sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
 $ chmod +x sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
-$ sudo ./sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ sudo ./sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin --prefix /opt/intel
 
 # install SGX DCAP Library
-$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list > /dev/null
+$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
-$ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+$ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add
 $ sudo apt-get update
-$ sudo apt-get install -y libsgx-uae-service libsgx-dcap-default-qpl-dev libsgx-dcap-ql-dev libsgx-dcap-quote-verify-dev
+$ sudo apt-get install -y libsgx-epid libsgx-quote-ex libsgx-dcap-ql libsgx-enclave-common-dev libsgx-dcap-ql-dev libsgx-dcap-default-qpl-dev libsgx-dcap-quote-verify-dev
 
 # install SGX SSL Library
 $ git clone https://github.com/intel/linux-sgx.git
 $ cd linux-sgx && make preparation
-$ sudo cp external/toolset/{current_distr}/* /usr/local/bin
+$ sudo cp external/toolset/$OS_PLATFORM/* /usr/local/bin
 $ # Verify that the paths are correctly set
 $ which ar as ld objcopy objdump ranlib
 $ cd ../
 $ git clone https://github.com/intel/intel-sgx-ssl.git
-$ wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz
+$ wget https://www.openssl.org/source/openssl-1.1.1v.tar.gz -O intel-sgx-ssl/openssl_source/openssl-1.1.1v.tar.gz
-$ cp openssl-1.1.1q.tar.gz intel-sgx-ssl/openssl_source
-$ rm -f openssl-1.1.1q.tar.gz
 $ cd intel-sgx-ssl/Linux
 $ source /opt/intel/sgxsdk/environment
 $ make all
@@ -70,7 +70,7 @@ sudo usermod -a -G sgx_prv <username>
 
 Intel DCAP connects to Intel PCS to download the attestation collateral for SGX-enabled machines.
 Intel provides a [quick install guide](https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html) to set up a simplified environment.
-This section summarizes the commands to issue for setting up a working environment on Ubuntu 18.04.
+This section summarizes the commands to issue for setting up a working environment on Ubuntu 20.04.
 
 ### Subscribe to Intel PCS Web services
 
@@ -86,11 +86,9 @@ Intel provides an implementation of the cache mechanism.
 The following commands set up Intel PCCS.
 ```shell
 # install Node.js
-$ curl -o setup.sh -sL https://deb.nodesource.com/setup_14.x
+$ curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs
-$ chmod a+x setup.sh
-$ sudo ./setup.sh
 # install PCCS software
-$ sudo apt-get install -y cracklib-runtime sqlite3 python build-essential
+$ sudo apt-get install -y cracklib-runtime
 $ sudo apt-get install -y sgx-dcap-pccs
 ```
 
@@ -160,9 +158,10 @@ Adapt the configuration file of `PCKIDRetrievalTool` located in `/opt/intel/sgx-
 Save your changes and run the provisioning tool.
 
 ```shell
-$ PCKIDRetrievalTool
+$ sudo PCKIDRetrievalTool
-Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.14.100.3
+Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.17.100.4
 
+Registration status has been set to completed status.
 the data has been sent to cache server successfully and pckid_retrieval.csv has been generated successfully!
 ```