Skip to content

Commit

Permalink
ci: update to build libdogecoin seperate for host and enclave
Browse files Browse the repository at this point in the history
  • Loading branch information
@edtubbs
edtubbs committed Jan 14, 2025
1 parent 412c8f7 commit f1b013d
Show file tree
Hide file tree
Showing 3 changed files with 45 additions and 22 deletions.
31 changes: 21 additions & 10 deletions .github/workflows/ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -383,7 +383,7 @@ jobs:
curl https://storage.googleapis.com/git-repo-downloads/repo > /bin/repo && chmod a+x /bin/repo && \
mkdir -p optee && \
cd optee && \
repo init -u https://github.com/OP-TEE/manifest.git -m nanopc-t6.xml -b master && \
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml -b 4.2.0 && \
export FORCE_UNSAFE_CONFIGURE=1 && \
repo sync -j\"$(getconf _NPROCESSORS_ONLN)\" && \
if [[ "${{ github.ref }}" == refs/tags/* ]]; then \
Expand Down Expand Up @@ -433,7 +433,7 @@ jobs:
--subkey-version 1 && \
# Build and test the OP-TEE OS and client
make -j\"$(getconf _NPROCESSORS_ONLN)\" && \
make -j\"$(getconf _NPROCESSORS_ONLN)\" check && \
cd /src && \
git clone https://github.com/OP-TEE/optee_client.git && \
cd optee_client && \
Expand All @@ -448,22 +448,28 @@ jobs:
export PATH=/src/optee/toolchains/aarch64/bin:$PATH && \
export CC=aarch64-linux-gnu-gcc && \
# Run the libdogecoin TA
cd /src/src/optee/host && \
make -j"$(getconf _NPROCESSORS_ONLN)" \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \
# Build the Trusted Application
cd ../ta && \
cd /src/src/optee/ta && \
make -j"$(getconf _NPROCESSORS_ONLN)" \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/dogecoin\" \
PLATFORM=vexpress-qemu_armv8a \
TA_DEV_KIT_DIR=/src/optee/optee_os/out/arm/export-ta_arm64 && \
# Build libdogecoin for Host
cd /src/ && \
./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd HOST=aarch64-linux-gnu && \
make -j 4 && \
make install && \
# Run the libdogecoin TA
cd /src/src/optee/host && \
make -j"$(getconf _NPROCESSORS_ONLN)" \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \
# Create symbolic links and prepare image
mkdir -p /src/optee/out/bin && \
cd /src/optee/out/bin && \
Expand Down Expand Up @@ -491,6 +497,11 @@ jobs:
umount /src/optee/out-br/mnt && \
exit"
elif ([ "${{ matrix.name }}" == "x86_64-linux-openenclave" ]); then
make install && \
make -j 4 -C depends HOST=x86_64-pc-linux-gnu/host && \
make clean && \
./configure --prefix=/src/depends/x86_64-pc-linux-gnu/host --enable-test-passwd && \
make && \
make install && \
mkdir -p src/openenclave/build && \
if [[ "${{ github.ref }}" == refs/tags/* ]]; then
Expand Down
32 changes: 22 additions & 10 deletions doc/enclaves.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ cd libdogecoin

The SDK has several components and requires over 10GB of disk space to build. The build process can take over 30 minutes on a modern machine. Docker is used to build the SDK and client in a clean environment.

### Building OP-TEE SDK and Client (NanoPC-T6)
### Step 1 (NanoPC): Building OP-TEE SDK and Client

This command builds the latest SDK and client for NanoPC-T6 (nanopc-t6.xml). When complete, the image will be located in `/doge/libdogecoin/optee/out/nanopc-t6.img`. Burn this image to an SD card to boot the NanoPC-T6. Connect an Ethernet cable, USB keyboard and HDMI to the NanoPC-T6 and power it on. The default IP address is configured using DHCP. Login as root via ssh (e.g. `ssh [email protected]`) or using the HDMI console.

Expand Down Expand Up @@ -270,9 +270,9 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
make install"
```

### Building OP-TEE SDK and Client (QEMU ARMv8)
### Step 1 (QEMU): Building OP-TEE SDK and Client

This command builds the SDK (version 3.22.0) and client for ARMv8 QEMU emulation (qemu_v8.xml). For other platforms, change the manifest file in the `repo init` command accordingly. Replace `3.22.0` with the desired version and `qemu_v8.xml` with the desired platform. Refer to the [OP-TEE documentation](https://optee.readthedocs.io/en/latest/building/index.html) for more information.
This command builds the SDK (version 4.2.0) and client for ARMv8 QEMU emulation (qemu_v8.xml). For other platforms, change the manifest file in the `repo init` command accordingly. Replace `4.2.0` with the desired version and `qemu_v8.xml` with the desired platform. Refer to the [OP-TEE documentation](https://optee.readthedocs.io/en/latest/building/index.html) for more information.

An RSA private key is generated and overwrites the default Trusted Application (TA) key. This key is used to sign the enclave binaries during development. In the Continuous Integration (CI) environment, an Actions secret is used. Subkeys are generated for testing purposes but are not used to sign the enclave binaries.

Expand All @@ -287,7 +287,7 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
curl https://storage.googleapis.com/git-repo-downloads/repo > /bin/repo && chmod a+x /bin/repo && \
mkdir -p optee && \
cd optee && \
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml -b master
repo init -u https://github.com/OP-TEE/manifest.git -m qemu_v8.xml -b 4.2.0
export FORCE_UNSAFE_CONFIGURE=1 && \
repo sync -j 4 --force-sync && \
patch -N -F 4 /src/optee/build/common.mk < /src/src/optee/common.mk.patch && \
Expand Down Expand Up @@ -340,7 +340,7 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
# Build and test the OP-TEE OS and client
make -j 4 check
cd /src && \
git clone https://github.com/OP-TEE/optee_client.git && \
[ ! -d optee_client ] && git clone https://github.com/OP-TEE/optee_client.git && \
cd optee_client && \
mkdir -p build && \
cd build && \
Expand All @@ -351,7 +351,7 @@ docker run -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash
make install"
```

### Building OP-TEE Libdogecoin Key Manager Enclave (QEMU ARMv8 or NanoPC-T6)
### Step 2 (QEMU or NanoPC): Building OP-TEE Libdogecoin Key Manager Enclave

This command builds the OP-TEE Libdogecoin Key Manager Enclave for QEMU ARMv8 or NanoPC-T6. The enclave is built using the OP-TEE SDK and client. The enclave binary is located in `/doge/libdogecoin/optee/out/bin/libdogecoin.img`.

Expand All @@ -361,9 +361,10 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
apt-get update && \
apt-get install -y autoconf automake libtool-bin build-essential curl python3 valgrind g++-aarch64-linux-gnu qemu-user-static qemu-user && \
# Build libdogecoin for Host
make -j 4 -C depends HOST=aarch64-linux-gnu && \
./autogen.sh && \
./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd --enable-optee CFLAGS=-U_FORTIFY_SOURCE HOST=aarch64-linux-gnu && \
./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd HOST=aarch64-linux-gnu && \
make -j 4 && \
make install && \
Expand All @@ -377,8 +378,14 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
LDFLAGS=\"-L/src/optee/toolchains/aarch64/lib -L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
CFLAGS=\"-I/src/optee/toolchains/aarch64/include -I/src/src/optee/ta/include -I/src/depends/aarch64-linux-gnu/include -I/src/depends/aarch64-linux-gnu/include/ykpers-1 -I/src/depends/aarch64-linux-gnu/include/dogecoin\" && \
# Build libdogecoin for OP-TEE
cd /src/ && \
./configure --prefix=/src/depends/aarch64-linux-gnu LIBS=-levent_pthreads --enable-static --disable-shared --enable-test-passwd --enable-optee CFLAGS=-U_FORTIFY_SOURCE HOST=aarch64-linux-gnu && \
make -j 4 && \
make install && \
# Build the Enclave
cd ../ta && \
cd /src/src/optee/ta && \
make -j 4 \
CROSS_COMPILE=aarch64-linux-gnu- \
LDFLAGS=\"-L/src/depends/aarch64-linux-gnu/lib -ldogecoin -lunistring\" \
Expand Down Expand Up @@ -414,7 +421,7 @@ docker run --privileged -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_che
exit"
```

### Running OP-TEE Libdogecoin Key Manager Enclave (on NanoPC-T6)
### Step 3 (NanoPC): Running OP-TEE Libdogecoin Key Manager Enclave

Use scp to copy the /doge/libdogecoin/optee/out/bin/libdogecoin.img to the NanoPC-T6 (e.g. `scp /doge/libdogecoin/optee/out/bin/libdogecoin.img [email protected]:/root/`). Then, SSH into the NanoPC-T6 and run the following commands:

Expand All @@ -426,7 +433,7 @@ cp /media/libdogecoin/62d95dc0-7fc2-4cb3-a7f3-c13ae4e633c4.ta /lib/optee_armtz/
./optee_libdogecoin -c generate_mnemonic
```

### Running OP-TEE Libdogecoin Key Manager Enclave (in QEMU ARMv8)
### Step 3 (QEMU): Running OP-TEE Libdogecoin Key Manager Enclave

```sh
docker run --privileged -v /dev/bus/usb:/dev/bus/usb -it -v "$(pwd):/src" -w /src jforissier/optee_os_ci:qemu_check /bin/bash -c "\
Expand Down Expand Up @@ -513,11 +520,16 @@ docker run --device /dev/sgx_enclave:/dev/sgx_enclave --device /dev/sgx_provisio
apt-get install -y autoconf automake libtool-bin build-essential curl python3 valgrind python3-dev python3-dbg pkg-config && \
cd /src && \
make -j 4 -C depends HOST=x86_64-pc-linux-gnu && \
make -j 4 -C depends HOST=x86_64-pc-linux-gnu/host && \
./autogen.sh && \
./configure --prefix=/src/depends/x86_64-pc-linux-gnu --enable-openenclave --enable-test-passwd CFLAGS=-U_FORTIFY_SOURCE && \
make && \
make install && \
./configure --prefix=/src/depends/x86_64-pc-linux-gnu/host --enable-test-passwd && \
make && \
make install && \
# Set up the OpenEnclave environment and build the enclave
apt-get install -y wget gnupg2 cmake && \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
Expand Down
4 changes: 2 additions & 2 deletions src/openenclave/host/CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ endif ()

target_include_directories(
host PRIVATE # Needed for the generated file libdogecoin_u.h
${CMAKE_CURRENT_BINARY_DIR} /usr/local/include /usr/local/include/dogecoin /usr/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/include/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/include/dogecoin/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../src/libevent/build/include)
${CMAKE_CURRENT_BINARY_DIR} /usr/local/include /usr/local/include/dogecoin /usr/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/include/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/include/dogecoin/ ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/include/ykpers-1 ${CMAKE_SOURCE_DIR}/../../src/libevent/build/include)

# Add search paths to find the enclave libraries.
target_link_directories(host PRIVATE ${CMAKE_SOURCE_DIR}../../ ${CMAKE_SOURCE_DIR}/../../src/libevent/build/lib ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/lib)
target_link_directories(host PRIVATE ${CMAKE_SOURCE_DIR}../../ ${CMAKE_SOURCE_DIR}/../../src/libevent/build/lib ${CMAKE_SOURCE_DIR}/../../depends/x86_64-pc-linux-gnu/host/lib)

target_link_libraries(host openenclave::oehost "libdogecoin.a" "libevent.a" "libunistring.a" "libykpers-1.so" "libyubikey.so" "libusb-1.0.so")

0 comments on commit f1b013d

Please sign in to comment.