Port eservice build updates to pservice.

Co-authored-by: Mic Bowman <mic.bowman@intel.com>
Signed-off-by: Bruno Vavala <bruno.vavala@intel.com>

pservice/.gitignore

@@ -6,3 +6,4 @@ dist
 *.pyc
 *.so
 deps
+pdo_enclave.config.xml

pservice/lib/libpdo_enclave/CMakeLists.txt

@@ -22,8 +22,8 @@ PROJECT(libpdo-enclave C CXX)
 FILE(GLOB PROJECT_HEADERS *.h)
 FILE(GLOB PROJECT_SOURCES *.cpp)
 FILE(GLOB PROJECT_EDL enclave.edl)
-FILE(GLOB PROJECT_CONFIG *.xml)
 FILE(GLOB PROJECT_LDS *.lds)
+SET(PROJECT_CONFIG ${CMAKE_CURRENT_SOURCE_DIR}/pdo_enclave.config.xml)
 
 SGX_EDGE_TRUSTED(${PROJECT_EDL} PROJECT_EDGE_SOURCES)
 SET (LIBPDO_ENCLAVE_EDL ${PROJECT_EDL} PARENT_SCOPE)
@@ -49,5 +49,8 @@ TARGET_LINK_LIBRARIES(${PROJECT_NAME} ${COMMON_TRUSTED_LIBS})
 TARGET_LINK_LIBRARIES(${PROJECT_NAME} -Wl,--end-group)
 
 SGX_PREPARE_TRUSTED_LINK(${PROJECT_NAME})
+
+# add dependency to ensure that enclave configuration file is created before post-build sgx-sign
+SGX_CONFIGURE_ENCLAVE(${PROJECT_NAME} ${PROJECT_CONFIG})
 SGX_SIGN_ENCLAVE(${PROJECT_NAME} ${PDO_SGX_KEY_ROOT}/enclave_code_sign.pem ${PROJECT_CONFIG})
 SGX_DEPLOY_FILES(${PROJECT_NAME} pservice)

pservice/lib/libpdo_enclave/pdo_enclave.config.xml → pservice/lib/libpdo_enclave/pdo_enclave.config.xml.in

@@ -21,7 +21,7 @@ limitations under the License.
   <HeapMaxSize>0x800000</HeapMaxSize>
   <TCSNum>1</TCSNum>
   <TCSPolicy>1</TCSPolicy>
-  <DisableDebug>0</DisableDebug>
+  <DisableDebug>${DISABLE_DEBUG}</DisableDebug>
   <MiscSelect>0</MiscSelect>
   <MiscMask>0xFFFFFFFF</MiscMask>
 </EnclaveConfiguration>

pservice/pdo/pservice/enclave/enclave/enclave.cpp

@@ -356,17 +356,16 @@ namespace pdo {
                 Enclave::QuerySgxStatus();
 
                 sgx_launch_token_t token = { 0 };
-                int flags = SGX_DEBUG_FLAG;
-                pdo::error::ThrowSgxError((SGX_DEBUG_FLAG==0 ? SGX_ERROR_UNEXPECTED:SGX_SUCCESS),
-                    "SGX DEBUG flag is 0 (possible cause: wrong compile flags)");
+
+                pdo::logger::LogV(PDO_LOG_DEBUG, "LoadEnclave, SGX_DEBUG_FLAG: %d", SGX_DEBUG_FLAG);
 
                 // First attempt to load the enclave executable
                 sgx_status_t ret = SGX_SUCCESS;
-                ret = this->CallSgx([this, flags, &token] () {
+                ret = this->CallSgx([this, &token] () {
                         int updated = 0;
                         return sgx_create_enclave(
                             this->enclaveFilePath.c_str(),
-                            flags,
+                            SGX_DEBUG_FLAG,
                             &token,
                             &updated,
                             &this->enclaveId,

pservice/setup.py

@@ -36,11 +36,6 @@
 log_dir = os.path.join(install_root_dir, "logs")
 key_dir = os.path.join(install_root_dir, "keys")
 
-sgx_mode_env = os.environ.get('SGX_MODE', None)
-if not sgx_mode_env or (sgx_mode_env != "SIM" and sgx_mode_env != "HW"):
-    print("error: SGX_MODE value must be HW or SIM, current value is: ", sgx_mode_env)
-    sys.exit(2)
-
 data_files = [
     (bin_dir, ['bin/ps-start.sh', 'bin/ps-stop.sh', 'bin/ps-status.sh']),
     (dat_dir, []),
@@ -57,6 +52,18 @@
 ## -----------------------------------------------------------------
 ## set up the PService enclave
 ## -----------------------------------------------------------------
+debug_flag_env = os.environ.get('PDO_DEBUG_BUILD', '0')
+if debug_flag_env not in ['0', '1'] :
+    print(f'error: PDO_DEBUG_BUILD must be 0 or 1, current value is {debug_flag_env}')
+    sys.exit(2)
+debug_flag = debug_flag_env == '1'
+
+sgx_mode_env = os.environ.get('SGX_MODE', 'SIM').upper()
+if sgx_mode_env not in ['SIM', 'HW'] :
+    print(f'error: SGX_MODE value must be HW or SIM, current value is {sgx_mode_env}')
+    sys.exit(2)
+sgx_simulator_flag = sgx_mode_env == 'SIM'
+
 module_path = 'pdo/pservice/enclave'
 module_src_path = os.path.join(script_dir, module_path)
 
@@ -67,6 +74,12 @@
     '-Wno-unused-variable',
 ]
 
+# by default the extension class adds '-O2' to the compile
+# flags, this lets us override since these are appended to
+# the compilation switches
+if debug_flag :
+    compile_args += ['-g']
+
 include_dirs = [
     module_src_path,
     os.path.join(script_dir, 'build', module_path),
@@ -86,16 +99,12 @@
     'updo-common'
 ]
 
-if sgx_mode_env == "HW":
-    libraries.append('sgx_urts')
-    libraries.append('sgx_uae_service')
-    SGX_SIMULATOR_value = '0'
-if sgx_mode_env == "SIM":
-    libraries.append('sgx_urts_sim')
-    libraries.append('sgx_uae_service_sim')
-    SGX_SIMULATOR_value = '1'
+if sgx_simulator_flag :
+    libraries += ['sgx_urts_sim', 'sgx_uae_service_sim']
+else :
+    libraries += ['sgx_urts', 'sgx_uae_service']
 
-libraries.append('sgx_usgxssl')
+libraries += ['sgx_usgxssl']
 
 module_files = [
     os.path.join(module_src_path, 'pdo_enclave_internal.i'),
@@ -109,20 +118,34 @@
     os.path.join(module_src_path, 'secret_info.cpp')
 ]
 
+compile_defs = [
+    ('_UNTRUSTED_', 1),
+    ('PDO_DEBUG_BUILD', 1 if debug_flag else 0),
+    ('SGX_SIMULATOR', 1 if sgx_simulator_flag else 0),
+]
+
+compile_undefs = []
+
+# When the debug flag (PDO_DEBUG_BUILD) is set, we set the EDEBUG define
+# This ensures that the SGX SDK in sgx_urts.h sets the SGX_DEBUG_FLAG to 1.
+# Otherwise the SDK sets it to 0.
+if debug_flag :
+    compile_defs += [('NDEBUG', 1), ('EDEBUG', 1)]
+else :
+    compile_undefs += ['NDEBUG', 'EDEBUG']
+
+swig_flags = ['-c++']
+
 enclave_module = Extension(
     'pdo.pservice.enclave._pdo_enclave_internal',
     module_files,
-    swig_opts = ['-c++'],
+    swig_opts = swig_flags,
     extra_compile_args = compile_args,
     libraries = libraries,
     include_dirs = include_dirs,
     library_dirs = library_dirs,
-    define_macros = [
-                        ('_UNTRUSTED_', 1),
-                        ('PDO_DEBUG_BUILD', os.environ.get('PDO_DEBUG_BUILD',0)),
-                        ('SGX_SIMULATOR', SGX_SIMULATOR_value)
-                    ],
-    undef_macros = ['NDEBUG', 'EDEBUG']
+    define_macros = compile_defs,
+    undef_macros = compile_undefs,
     )
 
 ## -----------------------------------------------------------------