diff --git a/build/__tools__/build.sh b/build/__tools__/build.sh index 4dc69490..3cae8a90 100755 --- a/build/__tools__/build.sh +++ b/build/__tools__/build.sh @@ -89,8 +89,16 @@ if [ ! -d build ]; then fi cd build -#try cmake ${CMAKE_ARGS} .. -#try make ${MAKE_ARGS} + +#In the following we use a single threaded build due to race conditions the arise with a multi-threaded one. +#In the following we append the error log for multi-threaded (j4) build for troubleshooting in the future. +#11 33.53 build.sh: ERROR: operation failed: cmake --build . -- -j4 BUILD_CLIENT=0 +#11 33.53 make[1]: *** [Makefile:98: build] Error 111 +#11 33.53 make[1]: Leaving directory '/project/pdo/src/build' +#11 33.53 make: *** [Makefile:101: verified-build] Error 2 +#11 33.53 make: Leaving directory '/project/pdo/src/build' +#11 33.53 build_services.sh: ERROR: operation failed: make -C /project/pdo/src/build verified-build +#11 ERROR: process "/bin/sh -c /project/pdo/tools/build_services.sh" did not complete successfully: exit code: 111 try cmake --build . -- ${MAKE_ARGS} -j1 yell --------------- BIN --------------- diff --git a/common/crypto/attestation-api/test/attested_evidence_test.sh b/common/crypto/attestation-api/test/attested_evidence_test.sh index 8ff53848..cb094296 100755 --- a/common/crypto/attestation-api/test/attested_evidence_test.sh +++ b/common/crypto/attestation-api/test/attested_evidence_test.sh 
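Review bot: The log pasted into the added comment stops at the wrapper level (`make[1]: *** [Makefile:98: build] Error 111` and the callers above it) and never shows which target or tool failed under `-j4`, so it does not identify the race it is meant to document. I would keep at most one line of it, add the first failing target or a link to a tracking issue, and fix the wording of the opening line ("the arise"), e.g. `# Build with -j1: the parallel (-j4) build fails, apparently because of a race between targets.` The comment could also state that `-j1` comes after `${MAKE_ARGS}` in the unchanged `try cmake --build` line, presumably so that it overrides any `-j` supplied by the caller. The script continues outside this hunk.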
@@ -56,43 +56,6 @@ function orchestrate() ./verify_evidence_app_enclave } -#function orchestrate_with_go_conversion() -#{ -# #get attestation -# ./get_attestation_app -# define_to_variable "${DEFINES_FILEPATH}" "GET_ATTESTATION_OUTPUT" -# [ -f ${GET_ATTESTATION_OUTPUT} ] || die "no output from get_attestation" -# -# #translate attestation (note: attestation_to_evidence defines the EVIDENCE variable) -# ATTESTATION=$(cat ${GET_ATTESTATION_OUTPUT}) -# GO_CONVERSION_CMD="go run ${FPC_PATH}/common/crypto/attestation-api/test/conversion_app_go/main.go" -# EVIDENCE=$(${GO_CONVERSION_CMD} "${ATTESTATION}") -# -# define_to_variable "${DEFINES_FILEPATH}" "EVIDENCE_FILE" -# echo ${EVIDENCE} > ${EVIDENCE_FILE} -# -# #verify evidence -# ./verify_evidence_app -#} -# -#function orchestrate_with_go_verification() -#{ -# #get attestation -# ./get_attestation_app -# define_to_variable "${DEFINES_FILEPATH}" "GET_ATTESTATION_OUTPUT" -# [ -f ${GET_ATTESTATION_OUTPUT} ] || die "no output from get_attestation" -# -# #translate attestation (note: attestation_to_evidence defines the EVIDENCE variable) -# ATTESTATION=$(cat ${GET_ATTESTATION_OUTPUT}) -# attestation_to_evidence "${ATTESTATION}" -# -# define_to_variable "${DEFINES_FILEPATH}" "EVIDENCE_FILE" -# echo ${EVIDENCE} > ${EVIDENCE_FILE} -# -# #verify evidence -# go run -tags WITH_PDO_CRYPTO ${FPC_PATH}/common/crypto/attestation-api/test/verify_evidence_app_go/main.go -#} - function check_collateral_epid() { if [[ -z "${COLLATERAL_FOLDER}" ]]; then @@ -140,9 +103,6 @@ function epid_test() #run attestation generation/conversion/verification tests orchestrate - #run attestation generation/conversion/verification tests (same as before, though with Go-based conversion) - #orchestrate_with_go_conversion - say "Test success" } 
@@ -244,12 +204,6 @@ function simulated_test() #run attestation generation/conversion/verification tests orchestrate - #run attestation generation/conversion/verification tests (same as before, though with Go-based conversion) - #orchestrate_with_go_conversion - - #run attestation generation/conversion/verification tests (same as before, though with Go-based verification) - #orchestrate_with_go_verification - say "Test success" } diff --git a/common/crypto/attestation-api/test/conversion_app_go/main.go b/common/crypto/attestation-api/test/conversion_app_go/main.go deleted file mode 100644 index aa5e0c23..00000000 --- a/common/crypto/attestation-api/test/conversion_app_go/main.go +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
-Copyright IBM Corp. All Rights Reserved.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-// this tool is meant to be used in `$FPC_PATH/common/crypto/attestation-api/test` to ensure compatibility
-// with the shell-based attestation conversion implementation in `$FPC_PATH/common/crypto/attestation-api/conversion`.
-package main
-
-import (
- "fmt"
- "os"
-
- "github.com/hyperledger/fabric-private-chaincode/internal/attestation"
- "github.com/hyperledger/fabric-private-chaincode/internal/protos"
- "github.com/hyperledger/fabric-private-chaincode/internal/utils"
- "github.com/pkg/errors"
-)
-
-func printHelp() {
- fmt.Printf(
- `Usage: %s []
-convert attestation to evidence in (base64-encoded) Credentials protobuf
-`,
- os.Args[0])
-}
-
-func main() {
-
- // get input
- if len(os.Args) < 2 {
- printHelp()
- exitIfError(fmt.Errorf("expect argument"))
- }
-
- // convert
- output, err := convert([]byte(os.Args[1]))
- exitIfError(err)
-
- // return output
- fmt.Printf("%s\n", string(output))
-}
-
-func exitIfError(err error) {
- if err != nil {
- fmt.Fprintf(os.Stderr, "ERROR: %v\n", err)
- os.Exit(1)
- }
-}
-
-func convert(input []byte) ([]byte, error) {
- credentials := &protos.Credentials{
- SerializedAttestedData: nil,
- Attestation: input,
- Evidence: nil,
- }
- credentialsOnlyAttestation := utils.MarshallProtoBase64(credentials)
-
- // conversion
- converter := attestation.NewDefaultCredentialConverter()
- credentialsStringOut, err := converter.ConvertCredentials(credentialsOnlyAttestation)
- if err != nil {
- return nil, errors.Wrap(err, "ERROR: couldn't convert credentials")
- }
-
- credentialsOut, err := utils.UnmarshalCredentials(credentialsStringOut)
- if err != nil {
- return nil, errors.Wrap(err, "ERROR: couldn't unmarshal credentials")
- }
-
- // return to stdout
- return credentialsOut.Evidence, nil
-}
diff --git a/common/crypto/attestation-api/test/verify_evidence_app_go/main.go b/common/crypto/attestation-api/test/verify_evidence_app_go/main.go
deleted file mode 100644
index ee050d53..00000000
--- a/common/crypto/attestation-api/test/verify_evidence_app_go/main.go
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
-Copyright IBM Corp. All Rights Reserved.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-// this tool is meant to be used in `$FPC_PATH/common/crypto/attestation-api/test` to ensure compatibility
-// with the shell-based attestation verification implementation in `$FPC_PATH/common/crypto/attestation-api/evidence`.
-package main
-
-import (
- "fmt"
- "os"
- "strings"
-
- "github.com/hyperledger/fabric-private-chaincode/internal/attestation"
- "github.com/hyperledger/fabric-private-chaincode/internal/attestation/epid/pdo"
- "github.com/hyperledger/fabric-private-chaincode/internal/attestation/simulation"
- "github.com/hyperledger/fabric-private-chaincode/internal/protos"
- "github.com/pkg/errors"
- "google.golang.org/protobuf/types/known/anypb"
-)
-
-func main() {
-
- evidenceJson, err := readFile("verify_evidence_input.txt")
- exitIfError(err)
-
- statementJson, err := readFile("statement.txt")
- exitIfError(err)
-
- expectedMrenclave, err := readFile("code_id.txt")
- exitIfError(err)
-
- verifier := attestation.NewCredentialVerifier(
- simulation.NewSimulationVerifier(),
- pdo.NewEpidLinkableVerifier(),
- pdo.NewEpidUnlinkableVerifier(),
- )
-
- cred := &protos.Credentials{
- SerializedAttestedData: &anypb.Any{
- Value: []byte(statementJson),
- },
- Evidence: []byte(evidenceJson),
- }
-
- err = verifier.VerifyCredentials(cred, expectedMrenclave)
- exitIfError(err)
-}
-
-func exitIfError(err error) {
- if err != nil {
- fmt.Fprintf(os.Stderr, "ERROR: %v\n", err)
- os.Exit(1)
- }
-}
-
-func readFile(path string) (string, error) {
- content, err := os.ReadFile(path)
- if err != nil {
- return "", errors.Wrapf(err, "could not read %s", path)
- }
-
- if len(content) == 0 {
- return "", errors.Errorf("empty file %s", path)
- }
-
- return strings.TrimSuffix(string(content), "\n"), nil
-}
diff --git a/docker/pdo_services_base.dockerfile b/docker/pdo_services_base.dockerfile
index b7da30d9..44531846 100644
--- a/docker/pdo_services_base.dockerfile
+++ b/docker/pdo_services_base.dockerfile @@ -101,14 +101,10 @@ RUN apt-get install -y -q \ RUN apt-get install -y \ basez \ clang \ - cmake \ - curl \ libsgx-dcap-default-qpl \ #libsgx-dcap-default-qpl-dev adds libdcap_quoteprov.so and /usr/include/sgx_default_quote_provider.h libsgx-dcap-default-qpl-dev \ - jq \ - libssl-dev \ - vim + jq ARG DCAP=1.19 ENV DCAP_PRIMITIVES=/tmp/SGXDataCenterAttestationPrimitives @@ -122,6 +118,9 @@ RUN cd ${DCAP_PRIMITIVES}/QuoteGeneration \ && ./download_prebuilt.sh \ && make GEN_STATIC=1 +# NOTE: below the build (./release) is run twice. Unfortunately, this is necessary because both builds fails +# when run separately in a clean environment, but succeed if they run in sequence, and produce the expected result. +# This issue has been communicated to the developers of the DCAP primitives. RUN cd ${DCAP_PRIMITIVES}/QuoteVerification/QVL/Src \ && ./release -DBUILD_ENCLAVE=ON -DBUILD_TESTS=OFF ; ./release -DBUILD_ENCLAVE=ON -DBUILD_ATTESTATION_APP=OFF -DBUILD_TESTS=OFF
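Review bot: Dropping `cmake`, `curl` and `libssl-dev` from this `apt-get install` is only safe if an earlier layer already installs them, because later steps in this file still run `./download_prebuilt.sh`, `make GEN_STATIC=1` and `./release -DBUILD_ENCLAVE=ON ...`, which look like they need a downloader, OpenSSL headers and CMake. The preceding `RUN apt-get install -y -q \` package list is outside the hunk, so that cannot be confirmed from here. If it does provide them, a one-line comment such as `# cmake, curl and libssl-dev are installed by the package list above` would keep a later clean-up from removing them there as well.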
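Review bot: The added NOTE says the build is "run twice", but the two `./release` invocations in the unchanged RUN line are not the same command (the second adds `-DBUILD_ATTESTATION_APP=OFF`) and they are joined with `;`, so the exit status of the first is discarded and only the second decides whether the layer succeeds. The comment should say that explicitly and reference the upstream report it mentions, for example `# The status of the first ./release is ignored (';'); only the second run gates the build. Upstream issue: <link to DCAP issue>`. Because a failure of the first run is silent, a check after this step that the expected QVL build outputs exist would catch a partial build; the output paths are not visible in this hunk. Also, "both builds fails" should read "both builds fail".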