gramineproject / graphene

Graphene / Graphene-SGX - a library OS for Linux multi-process applications, with Intel SGX support
https://grapheneproject.io
GNU Lesser General Public License v3.0

[Pal/Linux-SGX] Define SGX allowed/trusted/protected files as TOML arrays #2644

Closed dimakuv closed 3 years ago

dimakuv commented 3 years ago

Description of the changes

This PR adds a new manifest syntax to define lists of SGX allowed, trusted, protected files. The previous syntax used TOML tables:

  sgx.trusted_files.file1 = "file:foo"
  sgx.trusted_files.file2 = "file:bar"

The new syntax uses TOML arrays:

  sgx.trusted_files = [ "file:foo", "file:bar" ]

The new syntax also allows specifying SHA256 hashes for a subset of trusted files (to skip hash generation during graphene-sgx-sign):

  [[sgx.trusted_files]]
  uri  = "file:trusted_testfile"
  sha256 = "c49a0aae384a14c8320f015ed5958d4402ba0726a31c4230cf772f76ff8aca2e"

The previous TOML-table syntax is still supported but deprecated. Graphene utility graphene-sgx-sign generates final SGX manifests using the new syntax, but graphene-sgx can still run old-syntax manifests.

All Graphene regression tests are updated to use the new syntax. But all examples still use the old syntax (to be fixed in next commits).

As a side effect, the TOML C library (tomlc99) is updated to the latest version -- it supports mixed TOML arrays.

Fixes #2593.

How to test this PR?

All tests should pass. Since I updated Graphene tests to the new syntax, and left the examples with the old syntax, both syntaxes will be tested in CI and both must succeed.


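The two manifest syntaxes described in the PR above, handled in one place, as an added example that is not part of the PR or of Graphene's code: it normalizes an already-parsed `sgx.trusted_files` value (old table, or new array mixing URI strings and `uri`/`sha256` tables) and checks any pre-supplied hash against the file on disk. The function names, the `file:`-only scheme check and the 64-hex-character check are assumptions of this sketch.

```python
import hashlib
import os
import re

HEX64 = re.compile(r"[0-9a-fA-F]{64}")  # textual form of a SHA-256 digest


def normalize_trusted_files(value):
    """Return [(uri, sha256_or_None)] from either manifest syntax.

    Old syntax parses to a table {name: uri}; new syntax parses to an array
    whose items are URI strings or {uri, sha256} tables, possibly mixed.
    """
    if isinstance(value, dict):            # deprecated TOML-table form
        items = list(value.values())
    elif isinstance(value, list):          # new TOML-array form
        items = value
    else:
        raise ValueError("sgx.trusted_files must be a table or an array")
    out = []
    for item in items:
        if isinstance(item, str):
            uri, digest = item, None
        elif isinstance(item, dict) and isinstance(item.get("uri"), str):
            uri, digest = item["uri"], item.get("sha256")
        else:
            raise ValueError(f"bad trusted_files entry: {item!r}")
        if not uri.startswith("file:"):    # assumption: only file: URIs
            raise ValueError(f"unsupported URI scheme: {uri!r}")
        if digest is not None:
            if not (isinstance(digest, str) and HEX64.fullmatch(digest)):
                raise ValueError(f"sha256 for {uri!r} is not 64 hex chars")
            digest = digest.lower()
        out.append((uri, digest))
    return out


def audit(entries, root="."):
    """Hash each file under root; return (mismatched_uris, filled_entries)."""
    mismatches, filled = [], []
    for uri, pinned in entries:
        with open(os.path.join(root, uri[len("file:"):]), "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        if pinned is not None and pinned != actual:
            mismatches.append(uri)         # pre-supplied hash is stale or wrong
        filled.append({"uri": uri, "sha256": actual})
    return mismatches, filled
```

Because a pre-supplied `sha256` is taken in place of a freshly computed one, a check like `audit` run before signing shows when a pinned value no longer matches the file it names.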

dimakuv commented 3 years ago

Jenkins, retest Jenkins-Debug-20.04 please (test_libos.TC_50_GDB.test_000_gdb_backtrace failed with AssertionError: timeout (10 s) expired)