mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git, synced 2025-10-26 02:41:16 +00:00
	Update SGX documents (#439)
This commit mainly simplifies the description about building a debug and hw mode enclave.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Co-authored-by: root <root@rs1g04412.et2sqa>
parent a3074df21b
commit 8f4a1963fc
				|  | @ -17,6 +17,8 @@ cmake .. | ||||||
| make | make | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | **Note:** By default, the generated SGX application assumes it is signed with production key and running on simulation mode. In order to build a debug enclave on hardware-based SGX platform, execute `make SGX_DEBUG=1 SGX_MODE=HW` instead. | ||||||
|  | 
 | ||||||
| This builds two libraries required by SGX application: | This builds two libraries required by SGX application: | ||||||
|  - libvmlib.a for Enclave part |  - libvmlib.a for Enclave part | ||||||
|  - libvmlib_untrusted.a for App part |  - libvmlib_untrusted.a for App part | ||||||
|  |  | ||||||
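Review bot: the added Note is the only place in this patch that explains how to obtain a hardware-mode debug enclave, so its wording should be precise. "signed with production key and running on simulation mode" reads better as "signed with a production key and built for simulation mode", and the sentence should say what `make SGX_DEBUG=1 SGX_MODE=HW` produces: a debug-mode enclave, which is for development and must not be the build that ships. Since the Makefile defaults shown elsewhere in this patch are `SGX_MODE ?= SIM` and `SGX_DEBUG ?= 0`, also name the plain hardware build (`make SGX_MODE=HW`) so readers who do not want a debug enclave know which variable they need.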
|  | @ -2,78 +2,30 @@ | ||||||
| 
 | 
 | ||||||
| ## Build WAMR vmcore (iwasm) for Linux-SGX | ## Build WAMR vmcore (iwasm) for Linux-SGX | ||||||
| 
 | 
 | ||||||
| ### SIM Mode | Please follow [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/linux_sgx.md#build-wamr-vmcore-iwasm-for-linux-sgx) to build iwasm as the prerequisite. | ||||||
| 
 | 
 | ||||||
| The default SGX mode in WAMR is the SIM mode. Build the source code and enclave example, please refer to [this guild](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/linux_sgx.md#build-wamr-vmcore-iwasm-for-linux-sgx). | Then build enclave image and sign it: | ||||||
| 
 |  | ||||||
| ### HW Mode |  | ||||||
| 
 |  | ||||||
| Please do the following changes before execute [this guild](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/linux_sgx.md#build-wamr-vmcore-iwasm-for-linux-sgx). |  | ||||||
| 
 |  | ||||||
| ```shell |  | ||||||
| diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Makefile b/product-mini/platforms/linux-sgx/enclave-sample/Makefile |  | ||||||
| index f06b5b8..f247f3e 100644 |  | ||||||
| --- a/product-mini/platforms/linux-sgx/enclave-sample/Makefile |  | ||||||
| +++ b/product-mini/platforms/linux-sgx/enclave-sample/Makefile |  | ||||||
| @@ -4,7 +4,7 @@ |  | ||||||
|  ######## SGX SDK Settings ######## |  | ||||||
| 
 |  | ||||||
|  SGX_SDK ?= /opt/intel/sgxsdk |  | ||||||
| -SGX_MODE ?= SIM |  | ||||||
| +SGX_MODE ?= HW |  | ||||||
|  SGX_ARCH ?= x64 |  | ||||||
|  SGX_DEBUG ?= 0 |  | ||||||
|  SPEC_TEST ?= 0 |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| ```shell |  | ||||||
| diff --git a/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal b/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal |  | ||||||
| index a64d577..747d995 100644 |  | ||||||
| --- a/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal |  | ||||||
| +++ b/product-mini/platforms/linux-sgx/enclave-sample/Makefile_minimal |  | ||||||
| @@ -4,7 +4,7 @@ |  | ||||||
|  ######## SGX SDK Settings ######## |  | ||||||
| 
 |  | ||||||
|  SGX_SDK ?= /opt/intel/sgxsdk |  | ||||||
| -SGX_MODE ?= SIM |  | ||||||
| +SGX_MODE ?= HW |  | ||||||
|  SGX_ARCH ?= x64 |  | ||||||
|  SGX_DEBUG ?= 0 |  | ||||||
|  SPEC_TEST ?= 0 |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| ```shell |  | ||||||
| diff --git a/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp b/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp |  | ||||||
| index c321575..3b41c30 100644 |  | ||||||
| --- a/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp |  | ||||||
| +++ b/product-mini/platforms/linux-sgx/enclave-sample/App/App.cpp |  | ||||||
| @@ -31,6 +31,7 @@ |  | ||||||
|  #define MAX_PATH 1024 |  | ||||||
| 
 |  | ||||||
|  #define TEST_OCALL_API 0 |  | ||||||
| +#define SGX_DEBUG_FLAG 1 |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| After building, please sign enclave.so to generate enclave.signed.so which is needed in PAL |  | ||||||
| 
 | 
 | ||||||
| ```shell | ```shell | ||||||
|  | cd enclave-sample | ||||||
|  | make | ||||||
| /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key Enclave/Enclave_private.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml | /opt/intel/sgxsdk/bin/x64/sgx_sign sign -key Enclave/Enclave_private.pem -enclave enclave.so -out enclave.signed.so -config Enclave/Enclave.config.xml | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  | The generated enclave.signed.so is required by PAL. | ||||||
|  | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ## Build PAL dynamically linked shared object | ## Build PAL dynamically linked shared object | ||||||
| 
 | 
 | ||||||
| To build WAMR as an Enclave Runtime for [Inclavare Containers](https://github.com/alibaba/inclavare-containers), we should implement the [PAL interface](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md) in WAMR for rune to call the PAL to create the enclave with WAMR and run applications. | To build WAMR as an Enclave Runtime for [Inclavare Containers](https://github.com/alibaba/inclavare-containers), we should implement the [PAL API v2](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md) in WAMR for rune to call the PAL to create the enclave with WAMR and run applications. | ||||||
| 
 | 
 | ||||||
| ```shell | ```shell | ||||||
| g++ -shared -fPIC -o libwamr-pal.so App/*.o libvmlib_untrusted.a -L/opt/intel/sgxsdk/lib64 -lsgx_urts -lpthread -lssl -lcrypto | g++ -shared -fPIC -o libwamr-pal.so App/*.o libvmlib_untrusted.a -L/opt/intel/sgxsdk/lib64 -lsgx_urts -lpthread -lssl -lcrypto | ||||||
| cp ./libwamr-pal.so /usr/lib/libwamr-pal.so | cp ./libwamr-pal.so /usr/lib/libwamr-pal.so | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| Note: `/opt/intel/sgxsdk/` is where you installed the SGX SDK | Note: Assuming `/opt/intel/sgxsdk/` is where you installed the SGX SDK. | ||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
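Review bot: the new text ("Then build enclave image and sign it", followed by `cd enclave-sample` and `make`) drops the hardware-mode setup that the removed Makefile diffs (`-SGX_MODE ?= SIM` / `+SGX_MODE ?= HW`) used to carry, and a bare `make` keeps the default `SGX_MODE ?= SIM`, so a reader following only this page ends up with a simulation-mode enclave. Either write the command as `make SGX_DEBUG=1 SGX_MODE=HW` (matching the Note this same commit adds to linux_sgx.md) or state explicitly that the linked guide's hardware-mode note applies here. The dropped `+#define SGX_DEBUG_FLAG 1` edit to App.cpp is only redundant if the Makefile's `SGX_DEBUG=1` path sets that flag itself; worth confirming before the doc relies on it. Separately, the signing line uses `Enclave/Enclave_private.pem`; if that is the sample key shipped with enclave-sample, say so and tell readers that the resulting `enclave.signed.so` carries a publicly known signer identity, so anything beyond a local test needs a key they generate themselves.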
|  | @ -81,11 +33,17 @@ Note: `/opt/intel/sgxsdk/` is where you installed the SGX SDK | ||||||
| 
 | 
 | ||||||
| To Build a WAMR application, please refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#build-wasm-applications) | To Build a WAMR application, please refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#build-wasm-applications) | ||||||
| 
 | 
 | ||||||
| To run a WAMR application with Intel SGX enclave by `rune`, please compile the `.wasm` file to `.aot` file, refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#compile-wasm-to-aot-module)  | To run a WAMR application with Intel SGX enclave by `rune`, please refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime#build-wamrc-aot-compiler) to generate wamrc AoT compiler, and then refer to [this guide](https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/build_wasm_app.md#compile-wasm-to-aot-module) to compile the `.wasm` file to `.aot` file. | ||||||
|  | 
 | ||||||
|  | Note: the AoT file must be generated using --size-level=1 to set a bigger code size, e.g, | ||||||
|  | 
 | ||||||
|  | ```shell | ||||||
|  | wamrc --size-level=1 -o test.aot test.wasm | ||||||
|  | ``` | ||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ## Build WAMR container image | ## Build WAMR docker image | ||||||
| 
 | 
 | ||||||
| Under the `enclave-sample` directory, to create the WAMR docker images to load the `enclave.signed.so` and target application wasm files, please type the following commands to create a `Dockerfile`: | Under the `enclave-sample` directory, to create the WAMR docker images to load the `enclave.signed.so` and target application wasm files, please type the following commands to create a `Dockerfile`: | ||||||
| 
 | 
 | ||||||
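Review bot: the new Note ("the AoT file must be generated using --size-level=1 to set a bigger code size, e.g,") gives the rule but not the reason, so readers will treat it as optional; state why the enclave build needs it (what fails without it) and fix "e.g," to "e.g.,". The heading in this hunk also changes from "Build WAMR container image" to "Build WAMR docker image"; if the rename is kept, capitalize "Docker" as the rest of the page does ("Configuring OCI Runtime rune for Docker").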
|  | @ -99,13 +57,13 @@ RUN mkdir -p /run/rune | ||||||
| WORKDIR /run/rune | WORKDIR /run/rune | ||||||
| 
 | 
 | ||||||
| COPY enclave.signed.so . | COPY enclave.signed.so . | ||||||
| COPY ${wasm_app1.aot} . | COPY ${wasm_app.aot} . | ||||||
| #COPY ${wasm_app2.aot} . | #COPY ${wasm_app2.aot} . | ||||||
| #... | #... | ||||||
| EOF | EOF | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
|  For ubuntu: | For ubuntu: | ||||||
| 
 | 
 | ||||||
| ```shell | ```shell | ||||||
| cat > Dockerfile <<EOF | cat > Dockerfile <<EOF | ||||||
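Review bot: `COPY ${wasm_app.aot} .` is meant as a placeholder, but it sits inside an unquoted `cat > Dockerfile <<EOF` heredoc, where the shell expands `${...}` before the file is written, and a parameter name containing a dot is rejected by bash as a bad substitution, so the block as typed fails instead of producing a Dockerfile with a placeholder in it. Use a quoted delimiter (`<<'EOF'`) or a placeholder that is not shell syntax (for example `<wasm_app>.aot`), in both the CentOS and the Ubuntu block.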
|  | @ -115,15 +73,15 @@ RUN mkdir -p /run/rune | ||||||
| WORKDIR /run/rune | WORKDIR /run/rune | ||||||
| 
 | 
 | ||||||
| COPY enclave.signed.so . | COPY enclave.signed.so . | ||||||
| COPY ${wasm_app1.aot} . | COPY ${wasm_app.aot} . | ||||||
| #COPY ${wasm_app2.aot} . | #COPY ${wasm_app.aot} . | ||||||
| #... | #... | ||||||
| EOF | EOF | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| `${wasm_app.aot}` files are the applications you want to run in WAMR.  | where `${wasm_app.aot}` files are the other applications you want to run in WAMR. | ||||||
| 
 | 
 | ||||||
| Then build the WAMR container image with the command: | Then build the WAMR docker image with the command: | ||||||
| 
 | 
 | ||||||
| ```shell | ```shell | ||||||
| docker build . -t wamr-app | docker build . -t wamr-app | ||||||
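Review bot: `#COPY ${wasm_app2.aot} .` became `#COPY ${wasm_app.aot} .`, which now duplicates the line above and no longer shows how to add a second application; the CentOS block in the previous hunk keeps `wasm_app2`, so the two blocks are now inconsistent. Keep `wasm_app2` here, and reword "where `${wasm_app.aot}` files are the other applications you want to run in WAMR", since "other" has nothing to refer to once the first application is also called `wasm_app`.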
|  | @ -139,7 +97,7 @@ The following guide provides the steps to run WAMR with Docker and OCI Runtime ` | ||||||
| 
 | 
 | ||||||
| ### Requirements | ### Requirements | ||||||
| 
 | 
 | ||||||
| - Ensure that you have one of the following required operating systems to build a WAMR container image: | - Ensure that you have one of the following required operating systems to build a WAMR docker image: | ||||||
| 
 | 
 | ||||||
|   - CentOS 8.1 |   - CentOS 8.1 | ||||||
|   - Ubuntu 18.04-server |   - Ubuntu 18.04-server | ||||||
|  | @ -152,6 +110,8 @@ The following guide provides the steps to run WAMR with Docker and OCI Runtime ` | ||||||
|     rpm -i libsgx-uae-service-2.11.100.2-1.el8.x86_64.rpm |     rpm -i libsgx-uae-service-2.11.100.2-1.el8.x86_64.rpm | ||||||
|     ``` |     ``` | ||||||
| 
 | 
 | ||||||
|  | - The simplest way to install `rune` is to download a pre-built binary from [Inclavare Containers release page](https://github.com/alibaba/inclavare-containers/releases). | ||||||
|  | 
 | ||||||
| ### Configuring OCI Runtime rune for Docker | ### Configuring OCI Runtime rune for Docker | ||||||
| 
 | 
 | ||||||
| Add the assocated configuration for `rune` in dockerd config file, e.g, `/etc/docker/daemon.json`, on your system. | Add the assocated configuration for `rune` in dockerd config file, e.g, `/etc/docker/daemon.json`, on your system. | ||||||
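Review bot: the added line recommends downloading a pre-built `rune` binary from the releases page, but an OCI runtime is executed by dockerd as root for every container it starts, so the doc should tell readers to verify the downloaded artifact against whatever checksum or signature the release provides, and to pick a release that implements the PAL API v2 referenced earlier on this page rather than simply the newest one. Drive-by: "assocated" in the unchanged context line below should be "associated".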
|  | @ -160,7 +120,7 @@ Add the assocated configuration for `rune` in dockerd config file, e.g, `/etc/do | ||||||
| { | { | ||||||
| 	"runtimes": { | 	"runtimes": { | ||||||
| 		"rune": { | 		"rune": { | ||||||
| 			"path": "/usr/bin/rune", | 			"path": "/usr/local/bin/rune", | ||||||
| 			"runtimeArgs": [] | 			"runtimeArgs": [] | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
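Review bot: `"path"` changes from `/usr/bin/rune` to `/usr/local/bin/rune`, which fits a hand-installed binary, but the section that now recommends downloading `rune` never says where to put it. Add the install location there, or state that `path` must point at wherever `rune` was installed; otherwise dockerd cannot find the runtime and the `Runtimes: rune runc` check further down will not show it.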
|  | @ -181,7 +141,7 @@ The expected result would be: | ||||||
| Runtimes: rune runc | Runtimes: rune runc | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| ### Run WAMR container image | ### Run WAMR docker image | ||||||
| 
 | 
 | ||||||
| You need to specify a set of parameters to `docker run` to run: | You need to specify a set of parameters to `docker run` to run: | ||||||
| 
 | 
 | ||||||
|  | @ -190,7 +150,7 @@ docker run -it --rm --runtime=rune \ | ||||||
|   -e ENCLAVE_TYPE=intelSgx \ |   -e ENCLAVE_TYPE=intelSgx \ | ||||||
|   -e ENCLAVE_RUNTIME_PATH=/usr/lib/libwamr-pal.so \ |   -e ENCLAVE_RUNTIME_PATH=/usr/lib/libwamr-pal.so \ | ||||||
|   -e ENCLAVE_RUNTIME_ARGS=debug \ |   -e ENCLAVE_RUNTIME_ARGS=debug \ | ||||||
|   wamr-app |   wamr-app /run/rune/${wasm_app.aot} | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| where: | where: | ||||||
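Review bot: `wamr-app /run/rune/${wasm_app.aot}` adds a positional argument to `docker run`, so the `where:` list that follows (its items are outside this hunk) must document it. The `${wasm_app.aot}` placeholder also has the same shell problem as in the Dockerfile blocks: on a bash command line it is a bad substitution, so readers who copy the line get an error rather than a hint to substitute their own file name. And `-e ENCLAVE_RUNTIME_ARGS=debug` stays in the example; if `debug` only makes sense with an enclave built with `SGX_DEBUG=1`, say so here and show the non-debug invocation as the default.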
|  | @ -201,6 +161,6 @@ where: | ||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ## (Optional) Run WAMR bundle for Rune | ## (Optional) Run WAMR bundle for rune | ||||||
| 
 | 
 | ||||||
| Please refer to [this guide](https://github.com/leyao-daily/wasm-micro-runtime/blob/main/product-mini/platforms/linux-sgx/enclave-sample/App/wamr-bundle.md) | Please refer to [this guide](https://github.com/leyao-daily/wasm-micro-runtime/blob/main/product-mini/platforms/linux-sgx/enclave-sample/App/wamr-bundle.md). This is optional, and suits for the developer in most cases. | ||||||
|  |  | ||||||
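Review bot: the guide link points at a personal fork (`github.com/leyao-daily/wasm-micro-runtime/...`) rather than the bytecodealliance repository, so the project's documentation depends on a file the project neither controls nor reviews; link to the in-tree `wamr-bundle.md` instead. The added sentence "This is optional, and suits for the developer in most cases" contradicts itself (optional, yet what most developers want); say in one sentence when a developer would choose the bundle flow over the Docker flow above.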