ci: update to build libdogecoin seperate for host and enclave

optee, openenclave: updated to confirm password

.github/workflows/ci.yml

@@ -383,7 +383,7 @@ jobs:
                     curl https://storage.googleapis.com/git-repo-downloads/repo > /bin/repo && chmod a+x /bin/repo && \
                     mkdir -p optee && \
                     cd optee && \
-                    repo init -u https://github.com/OP-TEE/manifest.git -m nanopc-t6.xml -b master && \
+                    repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml -b 4.2.0 && \
                     export FORCE_UNSAFE_CONFIGURE=1 && \
                     repo sync -j\"$(getconf _NPROCESSORS_ONLN)\" && \
                     if [[ "${{ github.ref }}" == refs/tags/* ]]; then \
@@ -433,7 +433,7 @@ jobs:
                         --subkey-version 1 && \
 
                     # Build and test the OP-TEE OS and client
-                    make -j\"$(getconf _NPROCESSORS_ONLN)\" && \
+                    make -j\"$(getconf _NPROCESSORS_ONLN)\" check && \
                     cd /src && \
                     git clone https://github.com/OP-TEE/optee_client.git && \
                     cd optee_client && \
@@ -448,22 +448,28 @@ jobs:
                     export PATH=/src/optee/toolchains/aarch64/bin:$PATH && \
                     export CC=aarch64-linux-gnu-gcc && \
 
-                    # Run the libdogecoin TA
-                    cd /src/src/optee/host && \
-                    make -j"$(getconf _NPROCESSORS_ONLN)" \
-                      CROSS_COMPILE=aarch64-linux-gnu- \
-                      LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
-                      CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \
-
                     # Build the Trusted Application
-                    cd ../ta && \
+                    cd /src/src/optee/ta && \
                     make -j"$(getconf _NPROCESSORS_ONLN)" \
                       CROSS_COMPILE=aarch64-linux-gnu- \
                       LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
                       CFLAGS=\"-I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/dogecoin\" \
                       PLATFORM=vexpress-qemu_armv8a \
                       TA_DEV_KIT_DIR=/src/optee/optee_os/out/arm/export-ta_arm64 && \
 
+                    # Build libdogecoin for Host
+                    cd /src/ && \
+                    ./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd HOST=aarch64-linux-gnu && \
+                    make -j 4 && \
+                    make install && \
+
+                    # Run the libdogecoin TA
+                    cd /src/src/optee/host && \
+                    make -j"$(getconf _NPROCESSORS_ONLN)" \
+                      CROSS_COMPILE=aarch64-linux-gnu- \
+                      LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
+                      CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \
+
                     # Create symbolic links and prepare image
                     mkdir -p /src/optee/out/bin && \
                     cd /src/optee/out/bin && \
@@ -493,6 +499,10 @@ jobs:
               elif ([ "${{ matrix.name }}" == "x86_64-linux-openenclave" ]); then
                 make install && \
                 mkdir -p src/openenclave/build && \
+                make -j 4 -C depends HOST=x86_64-pc-linux-gnu/host && \
+                ./configure --prefix=${{ github.workspace }}/depends/x86_64-pc-linux-gnu/host --enable-test-passwd && \
+                make && \
+                make install && \
                 if [[ "${{ github.ref }}" == refs/tags/* ]]; then
                   printf "%s" "${{ secrets.OE_PRIVATE_PEM }}" > src/openenclave/build/private.pem && \
                   openssl rsa -pubout -in src/openenclave/build/private.pem -out src/openenclave/build/public.pem; \

doc/enclaves.md

@@ -190,7 +190,7 @@ cd libdogecoin
 
 The SDK has several components and requires over 10GB of disk space to build. The build process can take over 30 minutes on a modern machine. Docker is used to build the SDK and client in a clean environment.
 
-### Building OP-TEE SDK and Client (NanoPC-T6)
+### Step 1 (NanoPC): Building OP-TEE SDK and Client
 
 This command builds the latest SDK and client for NanoPC-T6 (nanopc-t6.xml).  When complete, the image will be located in `/doge/libdogecoin/optee/out/nanopc-t6.img`. Burn this image to an SD card to boot the NanoPC-T6. Connect an Ethernet cable, USB keyboard and HDMI to the NanoPC-T6 and power it on. The default IP address is configured using DHCP. Login as root via ssh (e.g. `ssh [email protected]`) or using the HDMI console.
 
@@ -270,9 +270,9 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
     make install"
 ```
 
-### Building OP-TEE SDK and Client (QEMU ARMv8)
+### Step 1 (QEMU): Building OP-TEE SDK and Client
 
-This command builds the SDK (version 3.22.0) and client for ARMv8 QEMU emulation (qemu_v8.xml). For other platforms, change the manifest file in the `repo init` command accordingly. Replace `3.22.0` with the desired version and `qemu_v8.xml` with the desired platform. Refer to the [OP-TEE documentation](https://optee.readthedocs.io/en/latest/building/index.html) for more information.
+This command builds the SDK (version 4.2.0) and client for ARMv8 QEMU emulation (qemu_v8.xml). For other platforms, change the manifest file in the `repo init` command accordingly. Replace `4.2.0` with the desired version and `qemu_v8.xml` with the desired platform. Refer to the [OP-TEE documentation](https://optee.readthedocs.io/en/latest/building/index.html) for more information.
 
 An RSA private key is generated and overwrites the default Trusted Application (TA) key. This key is used to sign the enclave binaries during development. In the Continuous Integration (CI) environment, an Actions secret is used. Subkeys are generated for testing purposes but are not used to sign the enclave binaries.
 
@@ -287,7 +287,7 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
     curl https://storage.googleapis.com/git-repo-downloads/repo > /bin/repo && chmod a+x /bin/repo && \
     mkdir -p optee && \
     cd optee && \
-    repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml -b master
+    repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml -b 4.2.0
     export FORCE_UNSAFE_CONFIGURE=1 && \
     repo sync -j 4 --force-sync && \
     patch -N -F 4 /src/optee/build/common.mk < /src/src/optee/common.mk.patch && \
@@ -340,7 +340,7 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
     # Build and test the OP-TEE OS and client
     make -j 4 check
     cd /src && \
-    git clone https://github.com/OP-TEE/optee_client.git && \
+    [ ! -d optee_client ] && git clone https://github.com/OP-TEE/optee_client.git && \
     cd optee_client && \
     mkdir -p build && \
     cd build && \
@@ -351,7 +351,7 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
     make install"
 ```
 
-### Building OP-TEE Libdogecoin Key Manager Enclave (QEMU ARMv8 or NanoPC-T6)
+### Step 2 (QEMU or NanoPC): Building OP-TEE Libdogecoin Key Manager Enclave
 
 This command builds the OP-TEE Libdogecoin Key Manager Enclave for QEMU ARMv8 or NanoPC-T6. The enclave is built using the OP-TEE SDK and client. The enclave binary is located in `/doge/libdogecoin/optee/out/bin/libdogecoin.img`.
 
@@ -361,9 +361,10 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
     apt-get update && \
     apt-get install -y autoconf automake libtool-bin build-essential curl python3 valgrind g++-aarch64-linux-gnu qemu-user-static qemu-user && \
 
+    # Build libdogecoin for Host
     make -j 4 -C depends HOST=aarch64-linux-gnu && \
     ./autogen.sh && \
-    ./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd --enable-optee CFLAGS=-U_FORTIFY_SOURCE HOST=aarch64-linux-gnu && \
+    ./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd HOST=aarch64-linux-gnu && \
     make -j 4 && \
     make install && \
 
@@ -377,8 +378,14 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
       LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
       CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \
 
+    # Build libdogecoin for OP-TEE
+    cd /src/ && \
+    ./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd --enable-optee CFLAGS=-U_FORTIFY_SOURCE HOST=aarch64-linux-gnu && \
+    make -j 4 && \
+    make install && \
+
     # Build the Enclave
-    cd ../ta && \
+    cd /src/src/optee/ta && \
     make -j 4 \
       CROSS_COMPILE=aarch64-linux-gnu- \
       LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
@@ -414,7 +421,7 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
     exit"
 ```
 
-### Running OP-TEE Libdogecoin Key Manager Enclave (on NanoPC-T6)
+### Step 3 (NanoPC): Running OP-TEE Libdogecoin Key Manager Enclave
 
 Use scp to copy the /doge/libdogecoin/optee/out/bin/libdogecoin.img to the NanoPC-T6 (e.g. `scp /doge/libdogecoin/optee/out/bin/libdogecoin.img [email protected]:/root/`). Then, SSH into the NanoPC-T6 and run the following commands:
 
@@ -426,7 +433,7 @@ cp /media/libdogecoin/62d95dc0-7fc2-4cb3-a7f3-c13ae4e633c4.ta /lib/optee_armtz/
 ./optee_libdogecoin -c generate_mnemonic
 ```
 
-### Running OP-TEE Libdogecoin Key Manager Enclave (in QEMU ARMv8)
+### Step 3 (QEMU): Running OP-TEE Libdogecoin Key Manager Enclave
 
 ```sh
 docker run --privileged -v /dev/bus/usb:/dev/bus/usb -it -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash -c "\
@@ -513,11 +520,16 @@ docker run --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provisio
   apt-get install -y autoconf automake libtool-bin build-essential curl python3 valgrind python3-dev python3-dbg pkg-config && \
   cd /src && \
   make -j 4 -C depends HOST=x86_64-pc-linux-gnu && \
+  make -j 4 -C depends HOST=x86_64-pc-linux-gnu/host && \
   ./autogen.sh && \
   ./configure --prefix=/src/depends/x86_64-pc-linux-gnu --enable-openenclave --enable-test-passwd CFLAGS=-U_FORTIFY_SOURCE && \
   make && \
   make install && \
 
+  ./configure --prefix=/src/depends/x86_64-pc-linux-gnu/host --enable-test-passwd && \
+  make && \
+  make install && \
+
   # Set up the OpenEnclave environment and build the enclave
   apt-get install -y wget gnupg2 cmake && \
   echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \

src/openenclave/host/CMakeLists.txt

@@ -18,9 +18,9 @@ endif ()
 
 target_include_directories(
   host PRIVATE # Needed for the generated file libdogecoin_u.h
-                          ${CMAKE_CURRENT_BINARY_DIR} /usr/local/include /usr/local/include/dogecoin /usr/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/include/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/include/dogecoin/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../src/libevent/build/include)
+                          ${CMAKE_CURRENT_BINARY_DIR} /usr/local/include /usr/local/include/dogecoin /usr/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/include/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/include/dogecoin/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../src/libevent/build/include)
 
 # Add search paths to find the enclave libraries.
-target_link_directories(host PRIVATE ${CMAKE_SOURCE_DIR}../../ ${CMAKE_SOURCE_DIR}/../../src/libevent/build/lib ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/lib)
+target_link_directories(host PRIVATE ${CMAKE_SOURCE_DIR}../../ ${CMAKE_SOURCE_DIR}/../../src/libevent/build/lib ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/lib)
 
 target_link_libraries(host openenclave::oehost "libdogecoin.a" "libevent.a" "libunistring.a" "libykpers-1.so" "libyubikey.so" "libusb-1.0.so")

src/openenclave/host/host.c

@@ -458,6 +458,10 @@ int main(int argc, char* argv[])
                 fprintf(stderr, "Password cannot be empty\n");
                 goto exit;
             }
+            if (strcmp (password, getpass("Confirm password: ")) != 0) {
+                fprintf(stderr, "Password mismatch\n");
+                goto exit;
+            }
         }
 
         MNEMONIC mnemonic = {0};

src/optee/host/main.c

@@ -821,6 +821,10 @@ int main(int argc, const char* argv[])
                 fprintf(stderr, "Password cannot be empty\n");
                 goto exit;
             }
+            if (strcmp (password, getpass("Confirm password: ")) != 0) {
+                fprintf(stderr, "Password mismatch\n");
+                goto exit;
+            }
         }
 
         TEEC_Result res = generate_mnemonic(&ctx, shared_secret, password, flags, mnemonic, entropy_size);