AllowDebug false in policy.toml

[cchudant]

Description

When building in release mode for hardware mode, we should generate a policy.toml file that does not allow SGX debug mode. This probably requires changes to the rust code in order to launch the enclave in non-debug mode.

Motivation and Context

The hardware docker image we publish on dockerhub has no reason to have SGX debug mode on.

We should add a build option / environment variable to generate allow-debug policy files, for dev purposes.

Test plans

Either

• wait for the SGX-enabled CI runner and write a test
• run on our own SGX-enabled runner, write a test for hardware mode, which will get ignored by the non-SGX runner

This is a good opportunity to add the following tests:

• client does not allow debug mode enclave if allowDebug = false in policy.toml

Additional Information

none

Checklist

• [ ] This issue concerns BlindAI Client
• [x] This issue concerns BlindAI Server

[JoFrost]

Noted and accepted. Applying this won't ask for much changes. As we are only supporting SGX+FLC and higher, we can disable debug by default without drawbacks. Doing a debug feature that will switch the enclave to debug mode is the right move.