Posted to commits@teaclave.apache.org by ms...@apache.org on 2020/04/23 01:08:30 UTC

[incubator-teaclave] branch master updated (f45e7de -> e1ad6b6)

This is an automated email from the ASF dual-hosted git repository.

mssun pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git.


    from f45e7de  [fusion] Support fusion data creation with example (#271)
     new f2bc1dd  [attestation] Use PlatformError for platform return result
     new a25f02e  Track edl changes in build.rs
     new 5c6eb1f  [license] Remove licenses of unused projects
     new 39cce78  [docs] Add tutorial to execute the first function on Teaclave
     new 493e59c  [docker] Update runtime docker to support simulation mode
     new 5e531fa  [docs] Add mutual attestation explanation in docs
     new e1ad6b6  [docs] Add threat model

The 7 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 CMakeLists.txt                                     |  2 +-
 LICENSE                                            |  8 +--
 README.md                                          | 11 ++++
 attestation/src/platform.rs                        | 61 +++++++++++--------
 binder/build.rs                                    |  4 +-
 cmake/TeaclaveGenVars.cmake                        | 10 ++--
 cmake/scripts/prep.sh                              |  2 +-
 docker/README.md                                   |  4 +-
 docker/runtime.config.toml                         |  3 +
 docker/teaclave-rt.ubuntu-1804.Dockerfile          | 22 +++++--
 docs/mutual-attestation.md                         | 47 +++++++++++++++
 docs/my-first-function.md                          | 68 ++++++++++++++++++++++
 docs/threat_model.md                               | 41 +++++++++++++
 licenses/LICENSE-wasmi.txt                         | 13 -----
 services/access_control/app/build.rs               |  3 +
 services/authentication/app/build.rs               |  3 +
 services/execution/app/build.rs                    |  3 +
 services/frontend/app/build.rs                     |  3 +
 services/management/app/build.rs                   |  3 +
 services/scheduler/app/build.rs                    |  3 +
 services/storage/app/build.rs                      |  3 +
 services/utils/service_enclave_utils/src/macros.rs | 17 ++++++
 tests/functional/app/build.rs                      |  3 +
 tests/integration/app/build.rs                     |  3 +
 tests/unit/app/build.rs                            |  3 +
 25 files changed, 285 insertions(+), 58 deletions(-)
 create mode 100644 docs/mutual-attestation.md
 create mode 100644 docs/my-first-function.md
 create mode 100644 docs/threat_model.md
 delete mode 100644 licenses/LICENSE-wasmi.txt


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org


[incubator-teaclave] 06/07: [docs] Add mutual attestation explanation in docs

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 5e531fa37d0e62e2e2cbf40ab59630a5103b4172
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 16:49:07 2020 -0700

    [docs] Add mutual attestation explanation in docs
---
 docs/mutual-attestation.md | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/docs/mutual-attestation.md b/docs/mutual-attestation.md
new file mode 100644
index 0000000..2479638
--- /dev/null
+++ b/docs/mutual-attestation.md
@@ -0,0 +1,47 @@
+# Mutual Attestation: Why and How
+
+The standard procedure to establish a secure and trusted communication channel
+from a client to an enclave is through remote attestation. However, when the
+client itself is also an enclave and **mutual** trust between two enclaves is
+required, we need additional design and implementation effort. The Teaclave
+platform consists of multiple enclave services and most of the
+enclave-to-enclave RPC communications need bidirectional authentication. This
+document entails the methodology and process of Teaclave's mutual enclave remote
+attestation.
+
+## Problem
+
+The identity of an enclave is defined through a pair of cryptographically secure
+hash values, i.e., MRSIGNER and MRENCLAVE. MRSIGNER indicates the builder of the
+enclave, thus shared by enclaves signed by the same party. MRENCLAVE is unique
+to each individual enclave. Teaclave assumes that users do not trust the
+software builder, so verifying MRSIGNER is not enough. For each enclave service
+in Teaclave, it must strictly check the unique identity of the other enclaves it
+communicates to through MRENCLAVE.
+
+Since the SGX enclave trusts no outside input, the MRENCLAVE should be
+hard-coded into source files used for identity verification logic. Therefore,
+changing the MRENCLAVE value an enclave tries to match against will change the
+MRENCLAVE of the enclave itself. When two enclaves want to remotely attest each
+other, it is impossible to decide which enclave is to be built first.
+
+## Solution
+
+Teaclave resolves this problem by replying on third-party auditors. We assume
+that there will be several parties trusted by all participants of Teaclave's
+computation tasks (could platforms, data providers, and customers, etc). The
+source code and binaries of Teaclave are audited by these trusted parties. Once
+the auditors decided that Teaclave is secure, they sign and publish the
+identities of audited enclaves. The **public keys** of the auditors are
+hard-coded in Teaclave enclave source via build time configuration, while the
+enclave measures and their signatures are loaded from outside at runtime. Each
+enclave will verify that the enclave measures are indeed signed by the auditors
+before serving any requests.
+
+## In the Repository 
+
+The [keys/auditors](../keys) directory in the source tree contain the key pairs
+of three fake auditing parties for PoC purposes. Private keys are also included
+to deliver a smooth build and test process. In production, builders of Teaclave
+should obtain the public keys, enclave identities, and the signatures directly
+from the auditors.
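Review bot: The Solution section never says how many auditor signatures an enclave requires before it accepts a measurement. With "several parties" in the text and three sample keys in the repository, state whether every auditor must sign or a threshold suffices, because that decides what a single compromised auditor key can do. The "In the Repository" section should also say plainly that the bundled private keys make the sample auditors unsuitable for anything but testing, and point to the build-time configuration that replaces the public keys. Wording fixes while here: "replying on" should be "relying on", "could platforms" should be "cloud platforms", "This document entails" reads better as "details", "directory ... contain" should be "contains", the `[keys/auditors](../keys)` link text and target disagree, and the `## In the Repository ` heading has a trailing space.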




[incubator-teaclave] 01/07: [attestation] Use PlatformError for platform return result

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit f2bc1dd43fb91f9a562da069f4cd170265a948bc
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 12:20:56 2020 -0700

    [attestation] Use PlatformError for platform return result
---
 attestation/src/platform.rs | 61 +++++++++++++++++++++++++++------------------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/attestation/src/platform.rs b/attestation/src/platform.rs
index 0ada0d9..0e01b30 100644
--- a/attestation/src/platform.rs
+++ b/attestation/src/platform.rs
@@ -20,7 +20,6 @@
 
 use std::prelude::v1::*;
 
-use anyhow::{ensure, Result};
 use log::debug;
 use sgx_rand::{os::SgxRng, Rng};
 use sgx_tcrypto::rsgx_sha256_slice;
@@ -29,6 +28,7 @@ use sgx_types::sgx_status_t::SGX_SUCCESS;
 use sgx_types::*;
 
 type SgxStatus = sgx_types::sgx_status_t;
+type Result<T> = std::result::Result<T, PlatformError>;
 
 #[derive(thiserror::Error, Debug)]
 pub enum PlatformError {
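Review bot: The new module-level `type Result<T>` alias shadows the prelude `Result` that `use std::prelude::v1::*;` brings in, and it has no doc comment, so a reader of the `pub(crate)` signatures further down has to scroll back here to learn the error type. Either add a one-line doc comment on the alias or give it a distinct name such as `PlatformResult<T>`.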
@@ -94,11 +94,15 @@ pub(crate) fn init_sgx_quote() -> Result<(sgx_att_key_id_t, sgx_target_info_t)>
 
     let res = unsafe { ocall_sgx_init_quote(&mut rt as _, &mut ak_id as _, &mut ti as _) };
 
-    ensure!(
-        res == SGX_SUCCESS,
-        PlatformError::OCallError("ocall_sgx_init_quote".to_string(), res)
-    );
-    ensure!(rt == SGX_SUCCESS, PlatformError::InitQuoteError(rt));
+    if res != SGX_SUCCESS {
+        return Err(PlatformError::OCallError(
+            "ocall_sgx_init_quote".to_string(),
+            res,
+        ));
+    }
+    if rt != SGX_SUCCESS {
+        return Err(PlatformError::InitQuoteError(rt));
+    }
 
     Ok((ak_id, ti))
 }
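Review bot: The two-step check added in `init_sgx_quote` (first `res`, the status of the OCALL itself, then `rt`, the status written back by the untrusted side) is spelled out by hand and repeats in `get_sgx_quote` for `ocall_sgx_get_quote_size` and `ocall_sgx_get_quote`, each time with the OCALL name retyped as a string literal. A small helper or macro taking the name, `res`, `rt` and the error constructor would keep the literal next to the call and remove the chance of a copy-paste mismatch between the function called and the name reported in `PlatformError::OCallError`.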
@@ -130,11 +134,15 @@ pub(crate) fn get_sgx_quote(ak_id: &sgx_att_key_id_t, report: sgx_report_t) -> R
 
     let res = unsafe { ocall_sgx_get_quote_size(&mut rt as _, ak_id as _, &mut quote_len as _) };
 
-    ensure!(
-        res == SGX_SUCCESS,
-        PlatformError::OCallError("ocall_sgx_get_quote_size".to_string(), res)
-    );
-    ensure!(rt == SGX_SUCCESS, PlatformError::GetQuoteError(rt));
+    if res != SGX_SUCCESS {
+        return Err(PlatformError::OCallError(
+            "ocall_sgx_get_quote_size".to_string(),
+            res,
+        ));
+    }
+    if rt != SGX_SUCCESS {
+        return Err(PlatformError::GetQuoteError(rt));
+    }
 
     let mut qe_report_info = sgx_qe_report_info_t::default();
     let mut quote_nonce = sgx_quote_nonce_t::default();
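Review bot: `quote_len` is written by `ocall_sgx_get_quote_size`, which runs outside the enclave, and the only checks after the call are on `res` and `rt`; further down the function the value sizes the buffer in `vec![0; quote_len as usize]`. Since this commit is already reworking the error paths, add a bounds check on `quote_len` (nonzero and below a fixed maximum) with its own `PlatformError` variant before allocating, so a faulty or malicious host cannot dictate the enclave's allocation size.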
@@ -148,10 +156,9 @@ pub(crate) fn get_sgx_quote(ak_id: &sgx_att_key_id_t, report: sgx_report_t) -> R
     // returned with the quote
     let res = unsafe { sgx_self_target(&mut qe_report_info.app_enclave_target_info as _) };
 
-    ensure!(
-        res == SGX_SUCCESS,
-        PlatformError::GetSelfTargetInfoError(res)
-    );
+    if res != SGX_SUCCESS {
+        return Err(PlatformError::GetSelfTargetInfoError(res));
+    }
 
     let mut quote = vec![0; quote_len as usize];
 
@@ -167,11 +174,15 @@ pub(crate) fn get_sgx_quote(ak_id: &sgx_att_key_id_t, report: sgx_report_t) -> R
         )
     };
 
-    ensure!(
-        res == SGX_SUCCESS,
-        PlatformError::OCallError("ocall_sgx_get_quote".to_string(), res)
-    );
-    ensure!(rt == SGX_SUCCESS, PlatformError::GetQuoteError(rt));
+    if res != SGX_SUCCESS {
+        return Err(PlatformError::OCallError(
+            "ocall_sgx_get_quote".to_string(),
+            res,
+        ));
+    }
+    if rt != SGX_SUCCESS {
+        return Err(PlatformError::GetQuoteError(rt));
+    }
 
     debug!("rsgx_verify_report");
     let qe_report = qe_report_info.qe_report;
@@ -191,10 +202,12 @@ pub(crate) fn get_sgx_quote(ak_id: &sgx_att_key_id_t, report: sgx_report_t) -> R
     debug!("rsgx_sha256_slice");
     let rhs_hash = rsgx_sha256_slice(&rhs_vec).map_err(PlatformError::Others)?;
     let lhs_hash = &qe_report.body.report_data.d[..32];
-    ensure!(
-        rhs_hash == lhs_hash,
-        PlatformError::ReportReplay(rhs_hash.to_vec(), lhs_hash.to_vec())
-    );
+    if rhs_hash != lhs_hash {
+        return Err(PlatformError::ReportReplay(
+            rhs_hash.to_vec(),
+            lhs_hash.to_vec(),
+        ));
+    }
 
     Ok(quote)
 }


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org


[incubator-teaclave] 05/07: [docker] Update runtime docker to support simulation mode

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 493e59cbc1f81f36098126719353ad8e63400da1
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 16:23:43 2020 -0700

    [docker] Update runtime docker to support simulation mode
---
 docker/teaclave-rt.ubuntu-1804.Dockerfile | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/docker/teaclave-rt.ubuntu-1804.Dockerfile b/docker/teaclave-rt.ubuntu-1804.Dockerfile
index 2fcfe82..36c6417 100644
--- a/docker/teaclave-rt.ubuntu-1804.Dockerfile
+++ b/docker/teaclave-rt.ubuntu-1804.Dockerfile
@@ -1,23 +1,35 @@
 FROM ubuntu:18.04
 
-ENV SGX_DOWNLOAD_URL_BASE "https://download.01.org/intel-sgx/sgx-linux/2.7.1/distro/ubuntu18.04-server"
-ENV LIBSGX_ENCLAVE_COMMON        libsgx-enclave-common_2.7.101.3-bionic1_amd64.deb
-ENV LIBSGX_ENCLAVE_COMMON_URL    "$SGX_DOWNLOAD_URL_BASE/$LIBSGX_ENCLAVE_COMMON"
+ENV VERSION 2.9.100.2-bionic1
+ENV SGX_DOWNLOAD_URL_BASE "https://download.01.org/intel-sgx/sgx-linux/2.9/distro/ubuntu18.04-server"
+ENV SGX_LINUX_X64_SDK sgx_linux_x64_sdk_2.9.100.2.bin
+ENV SGX_LINUX_X64_SDK_URL "$SGX_DOWNLOAD_URL_BASE/$SGX_LINUX_X64_SDK"
 
 RUN apt-get update && apt-get install -q -y \
     libcurl4-openssl-dev \
     libprotobuf-dev \
     curl \
-    pkg-config
+    pkg-config \
+    wget
 
 RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | \
   tee /etc/apt/sources.list.d/intel-sgx.list
 RUN curl -fsSL  https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
 
 RUN apt-get update && apt-get install -q -y \
-    libsgx-launch libsgx-urts libsgx-quote-ex
+    libsgx-launch=$VERSION \
+    libsgx-urts=$VERSION \
+    libsgx-quote-ex=$VERSION
 RUN mkdir /etc/init
 
+# Install Intel SGX SDK for libsgx_urts_sim.so
+RUN wget $SGX_LINUX_X64_SDK_URL               && \
+    chmod u+x $SGX_LINUX_X64_SDK              && \
+    echo -e 'no\n/opt/intel' | ./$SGX_LINUX_X64_SDK && \
+    rm $SGX_LINUX_X64_SDK                     && \
+    echo 'source /opt/sgxsdk/environment' >> /etc/environment
+ENV LD_LIBRARY_PATH=/opt/intel/sgxsdk/sdk_libs
+
 ADD release/services/teaclave_frontend_service /teaclave/
 ADD release/services/teaclave_frontend_service_enclave.signed.so /teaclave/
 
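Review bot: In the SDK install step the installer is told to use `/opt/intel` and `LD_LIBRARY_PATH` points at `/opt/intel/sgxsdk/sdk_libs`, but the line appended to `/etc/environment` references `/opt/sgxsdk/environment`. The path should be `/opt/intel/sgxsdk/environment`, and because `/etc/environment` holds plain `KEY=value` pairs rather than shell commands, a `source` line there has no effect in any case. Two further points on the same `RUN`: the installer is fetched with `wget` and executed without a checksum or signature check, so pin a SHA-256 for `$SGX_LINUX_X64_SDK` and verify it before `chmod u+x`; and `echo -e` depends on which shell sits behind `RUN`, so `printf 'no\n/opt/intel\n'` is the portable way to answer the prompts. `curl` is already installed, which would avoid adding `wget` at all.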




[incubator-teaclave] 04/07: [docs] Add tutorial to execute the first function on Teaclave

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 39cce78fbefa91be6beb9f672d31cff385580272
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 15:21:23 2020 -0700

    [docs] Add tutorial to execute the first function on Teaclave
---
 CMakeLists.txt              |  2 +-
 README.md                   |  6 ++++
 cmake/TeaclaveGenVars.cmake | 10 +++----
 cmake/scripts/prep.sh       |  2 +-
 docker/README.md            |  4 +--
 docker/runtime.config.toml  |  3 ++
 docs/my-first-function.md   | 68 +++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 86 insertions(+), 9 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 65749d2..c5df00d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -6,7 +6,6 @@ include(TeaclaveUtils)
 include(ExternalProject)
 find_package(Git)
 find_package(OpenSSL)
-init_submodules()
 check_exe_dependencies(rustup pypy)
 
 # ====== VARIABLES FOR CMAKE -D{VAR}=VAL CONFIGURATION BEGIN ======
@@ -22,6 +21,7 @@ option(TEST_MODE "Turn on/off test mode" OFF)
 option(SGX_SIM_MODE "Turn on/off sgx simulation mode" OFF)
 option(DCAP "Turn on/off DCAP attestation" OFF)
 option(GIT_SUBMODULE "Check submodules during build" ON)
+init_submodules()
 
 if(DCAP)
   set(RUSTFLAGS "${RUSTFLAGS} --cfg dcap")
diff --git a/README.md b/README.md
index 35f7e0d..8536cee 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,12 @@ platform, making computation on privacy-sensitive data safe and simple.
   Components in Teaclave are designed in modular, and can be easily embedded in
   other projects.
 
+## Getting Started
+
+### Try Teaclave
+
+- [My First Function](docs/my-first-function.md)
+
 ## Contributing
 
 Teaclave is open source in [The Apache Way](https://www.apache.org/theapacheway/),
diff --git a/cmake/TeaclaveGenVars.cmake b/cmake/TeaclaveGenVars.cmake
index 726b905..d50c3b2 100644
--- a/cmake/TeaclaveGenVars.cmake
+++ b/cmake/TeaclaveGenVars.cmake
@@ -65,7 +65,10 @@ endif()
 
 set(SGX_ENCLAVE_FEATURES -Z package-features --features mesalock_sgx)
 string(TOLOWER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_LOWER)
-if(CMAKE_BUILD_TYPE_LOWER STREQUAL "debug")
+if(CMAKE_BUILD_TYPE_LOWER STREQUAL "release")
+  set(TARGET release)
+  set(CARGO_BUILD_FLAGS --release)
+else()
   set(TARGET debug)
   set(CARGO_BUILD_FLAGS "")
 
@@ -76,9 +79,6 @@ if(CMAKE_BUILD_TYPE_LOWER STREQUAL "debug")
     set(RUSTFLAGS "${RUSTFLAGS} -D warnings -Zprofile -Ccodegen-units=1 \
 -Cllvm_args=-inline-threshold=0 -Coverflow-checks=off -Zno-landing-pads")
   endif()
-else()
-  set(TARGET release)
-  set(CARGO_BUILD_FLAGS --release)
 endif()
 
 if(OFFLINE)
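Review bot: With the condition flipped to `if(CMAKE_BUILD_TYPE_LOWER STREQUAL "release")`, every other value of `CMAKE_BUILD_TYPE` now falls silently into the debug branch and its `RUSTFLAGS`: an unset value (which previously produced a release build), a misspelling, or a standard CMake type such as `RelWithDebInfo`. Match `debug` and the empty string explicitly and emit `message(WARNING ...)` or `message(FATAL_ERROR ...)` for anything unrecognized, so a debug enclave is never built by accident when a release one was intended.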
@@ -148,5 +148,5 @@ message("SGX_SDK=${SGX_SDK}")
 message("SGX_MODE=${SGX_MODE}")
 message("RUSTUP_TOOLCHAIN=${RUSTUP_TOOLCHAIN}")
 message("DCAP=${DCAP}")
-message("BUILD TYPE=${TARGET}")
+message("BUILD_TYPE=${TARGET}")
 message("TEACLAVE_SYMLINKS=${TEACLAVE_SYMLINKS}")
diff --git a/cmake/scripts/prep.sh b/cmake/scripts/prep.sh
index 47628dd..3d08a2d 100755
--- a/cmake/scripts/prep.sh
+++ b/cmake/scripts/prep.sh
@@ -78,7 +78,7 @@ function build_edl() {
     done
 }
 
-# check 
+# check
 for edl in ${TEACLAVE_EDL_DIR}/*.edl
 do
     fname=$(basename "${edl}" .edl)
diff --git a/docker/README.md b/docker/README.md
index 24f279e..37a64be 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -51,8 +51,8 @@ before start the services. You can use env vars or set them in the
 Here is an example to start all services.
 
 ```
-$ export AS_SPID="xxx"
-$ export AS_KEY="xxx"
+$ export AS_SPID="00000000000000000000000000000000"
+$ export AS_KEY="00000000000000000000000000000000"
 $ export AS_ALGO="sgx_epid"
 $ export AS_URL="https://api.trustedservices.intel.com:443"
 
diff --git a/docker/runtime.config.toml b/docker/runtime.config.toml
index 1a9cfa7..a678642 100644
--- a/docker/runtime.config.toml
+++ b/docker/runtime.config.toml
@@ -29,3 +29,6 @@ algorithm = "sgx_epid"
 url = "https://api.trustedservices.intel.com:443"
 key = "00000000000000000000000000000000"
 spid = "00000000000000000000000000000000"
+
+[mount]
+fusion_base_dir = "/tmp/fusion_data"
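Review bot: `fusion_base_dir = "/tmp/fusion_data"` puts fusion data under a world-writable directory with a predictable name. For the shipped runtime config, point this at a directory owned by the service user with restrictive permissions, or add a comment that the `/tmp` location is for local trials only.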
diff --git a/docs/my-first-function.md b/docs/my-first-function.md
new file mode 100644
index 0000000..94ff01a
--- /dev/null
+++ b/docs/my-first-function.md
@@ -0,0 +1,68 @@
+# My First Function
+
+This documentation will guide you through executing your first function on the
+Teaclave platform.
+
+## Prerequisites
+
+To run Teacalve, a hardware with Intel SGX support is needed. You can
+check with this list of [supported hardware](https://github.com/ayeks/SGX-hardware).
+Note that you need to configure BIOS to enable SGX sometime. Additionally, you
+need to install driver and platform software to run SGX applications. Details
+can found in
+[Intel SGX Installation Guide](https://download.01.org/intel-sgx/sgx-linux/2.9/docs/Intel_SGX_Installation_Guide_Linux_2.9_Open_Source.pdf).
+
+If you don't have an SGX supported hardware at hand, Teaclave can also run in
+simulation mode. However some functions like remote attestation will be disable
+at this mode.
+
+## Clone and Build Teaclave
+
+Clone the Teaclave repository:
+
+```
+$ git clone https://github.com/apache/incubator-teaclave.git
+```
+
+Since the building dependencies is a bit complicated, we suggest to build the
+Teaclave platform with our docker images. You can learn more details about the
+building environment from `Dockerfile` under the [`docker`](../docker)
+directory.
+
+Build the Teaclave platform using docker:
+
+```
+$ cd incubator-teaclave
+$ docker run --rm -v $(pwd):/teaclave -w /teaclave \
+  -it teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest \
+   bash -c ". /root/.cargo/env && \
+     mkdir -p build && cd build && \
+     cmake -DTEST_MODE=ON .. && \
+     make"
+```
+
+To build in simulation mode, you can add `-DSGX_SIM_MODE=ON` to `cmake`.
+
+### Launch Teaclave
+
+Teaclave contains multiple services. To ease the deployment, you can use
+[docker-compose](https://docs.docker.com/compose/) to manage all services in a
+containerized environment.
+
+Launch all services with `docker-compose`:
+
+```
+$ export AS_SPID="00000000000000000000000000000000"
+$ export AS_KEY="00000000000000000000000000000000"
+$ export AS_ALGO="sgx_epid"
+$ export AS_URL="https://api.trustedservices.intel.com:443"
+
+$ (cd docker && docker-compose -f docker-compose-ubuntu-1804.yml up --build)
+Starting teaclave-authentication-service ... done
+Starting teaclave-access-control-service ... done
+Starting teaclave-scheduler-service      ... done
+Starting teaclave-management-service     ... done
+Starting teaclave-execution-service      ... done
+Starting teaclave-frontend-service       ... done
+Attaching to ...
+```
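Review bot: The launch example exports all-zero `AS_SPID` and `AS_KEY` without saying they are placeholders. Add a sentence that real attestation service credentials must be substituted in hardware mode, and say what changes in this step when the build used `-DSGX_SIM_MODE=ON`, since the Prerequisites section states that remote attestation is disabled there. `### Launch Teaclave` should be a `##` heading to sit beside `## Clone and Build Teaclave`, and the build command uses the floating `:latest` image tag where a fixed tag would make the tutorial reproducible. Typos: "Teacalve", "a hardware", "can found", "will be disable at this mode", "suggest to build".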




[incubator-teaclave] 02/07: Track edl changes in build.rs

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit a25f02ec9f091bccffac4852beb0e339e28099ba
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 12:25:13 2020 -0700

    Track edl changes in build.rs
---
 binder/build.rs                                    |  4 +++-
 services/access_control/app/build.rs               |  3 +++
 services/authentication/app/build.rs               |  3 +++
 services/execution/app/build.rs                    |  3 +++
 services/frontend/app/build.rs                     |  3 +++
 services/management/app/build.rs                   |  3 +++
 services/scheduler/app/build.rs                    |  3 +++
 services/storage/app/build.rs                      |  3 +++
 services/utils/service_enclave_utils/src/macros.rs | 17 +++++++++++++++++
 tests/functional/app/build.rs                      |  3 +++
 tests/integration/app/build.rs                     |  3 +++
 tests/unit/app/build.rs                            |  3 +++
 12 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/binder/build.rs b/binder/build.rs
index 4dd8dfc..028b90e 100644
--- a/binder/build.rs
+++ b/binder/build.rs
@@ -29,7 +29,9 @@ fn choose_sgx_dylib(is_sim: bool) {
 
 fn main() {
     let sdk_dir = env::var("SGX_SDK").unwrap_or("/opt/intel/sgxsdk".into());
-    println!("cargo:rerun-if-changed=Enclave.edl");
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-search=native={}/lib64", sdk_dir);
     println!("cargo:rustc-link-lib=static=sgx_uprotected_fs");
 
diff --git a/services/access_control/app/build.rs b/services/access_control/app/build.rs
index dfb54b2..dff52fd 100644
--- a/services/access_control/app/build.rs
+++ b/services/access_control/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
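Review bot: The added block reads `TEACLAVE_EDL_DIR` but emits no `cargo:rerun-if-env-changed=TEACLAVE_EDL_DIR`, so pointing the variable at a different EDL directory will not rerun the build script, and when the variable is unset the EDL file is not tracked and nothing is logged. The same three lines are pasted into every `build.rs` touched by this commit with only the file name varying (`Enclave_common.edl` or `Enclave_fa.edl`); a shared helper that takes the EDL base name would also keep it in step with the `cargo:rustc-link-lib=static=..._u` line that follows it.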
diff --git a/services/authentication/app/build.rs b/services/authentication/app/build.rs
index dfb54b2..dff52fd 100644
--- a/services/authentication/app/build.rs
+++ b/services/authentication/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/services/execution/app/build.rs b/services/execution/app/build.rs
index 3881e6a..168e837 100644
--- a/services/execution/app/build.rs
+++ b/services/execution/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_fa.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_fa_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/services/frontend/app/build.rs b/services/frontend/app/build.rs
index dfb54b2..dff52fd 100644
--- a/services/frontend/app/build.rs
+++ b/services/frontend/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/services/management/app/build.rs b/services/management/app/build.rs
index dfb54b2..dff52fd 100644
--- a/services/management/app/build.rs
+++ b/services/management/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/services/scheduler/app/build.rs b/services/scheduler/app/build.rs
index dfb54b2..dff52fd 100644
--- a/services/scheduler/app/build.rs
+++ b/services/scheduler/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/services/storage/app/build.rs b/services/storage/app/build.rs
index dfb54b2..dff52fd 100644
--- a/services/storage/app/build.rs
+++ b/services/storage/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/services/utils/service_enclave_utils/src/macros.rs b/services/utils/service_enclave_utils/src/macros.rs
index ef1877c..6f38324 100644
--- a/services/utils/service_enclave_utils/src/macros.rs
+++ b/services/utils/service_enclave_utils/src/macros.rs
@@ -1,3 +1,20 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
 #[macro_export]
 macro_rules! bail {
     ($err:expr $(,)?) => {
diff --git a/tests/functional/app/build.rs b/tests/functional/app/build.rs
index dfb54b2..dff52fd 100644
--- a/tests/functional/app/build.rs
+++ b/tests/functional/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/tests/integration/app/build.rs b/tests/integration/app/build.rs
index dfb54b2..dff52fd 100644
--- a/tests/integration/app/build.rs
+++ b/tests/integration/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_common.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_common_u");
 
     let is_sim = match env::var("SGX_MODE") {
diff --git a/tests/unit/app/build.rs b/tests/unit/app/build.rs
index 3881e6a..168e837 100644
--- a/tests/unit/app/build.rs
+++ b/tests/unit/app/build.rs
@@ -36,6 +36,9 @@ fn main() {
     let out_dir = &PathBuf::from(out_path);
 
     println!("cargo:rustc-link-search=native={}", out_dir.display());
+    if let Ok(edl_dir) = env::var("TEACLAVE_EDL_DIR") {
+        println!("cargo:rerun-if-changed={}/Enclave_fa.edl", edl_dir);
+    }
     println!("cargo:rustc-link-lib=static=Enclave_fa_u");
 
     let is_sim = match env::var("SGX_MODE") {




[incubator-teaclave] 03/07: [license] Remove licenses of unused projects

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 5c6eb1f62d3c7bb574aeed6945474060c1d0d098
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 13:50:16 2020 -0700

    [license] Remove licenses of unused projects
---
 LICENSE                    |  8 ++------
 licenses/LICENSE-wasmi.txt | 13 -------------
 2 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/LICENSE b/LICENSE
index 0eca811..310ee62 100644
--- a/LICENSE
+++ b/LICENSE
@@ -211,10 +211,6 @@ licenses/ for text of these licenses.
 Apache License, Version 2.0
 ---------------------------
 
-mesatee_services/fns/sgx_trusted_lib/src/trusted_worker/wasm/sgxwasm.rs
-mesatee_services/fns/sgx_trusted_lib/src/trusted_worker/wasm/sgxwasm_compute.rs
-tests/integration_test/src/wasm/wasmi_basic.rs
-tests/integration_test/src/wasm/wasmi_faas.rs
 third-party/crates-io
 third-party/crates-sgx
 
@@ -222,11 +218,11 @@ third-party/crates-sgx
 BSD 3-Clause License
 --------------------
 
-teaclave_common/protected_fs_rs/protected_fs_c
+common/protected_fs_rs/protected_fs_c
 
 
 MIT License
 -----------
 
 third_party/mesapy
-teaclave_common/rusty_leveldb_sgx
+common/rusty_leveldb_sgx
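Review bot: While the paths in this file are being corrected, the MIT section's context line `third_party/mesapy` uses an underscore where the Apache section lists `third-party/crates-io` and `third-party/crates-sgx`. Confirm which spelling matches the tree and fix it in the same commit.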
diff --git a/licenses/LICENSE-wasmi.txt b/licenses/LICENSE-wasmi.txt
deleted file mode 100644
index 302e4b1..0000000
--- a/licenses/LICENSE-wasmi.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Copyright 2018 Nikolay Volf
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
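Review bot: deleting `licenses/LICENSE-wasmi.txt` leaves any remaining pointer to it dangling, and the LICENSE hunks in this commit only drop the four source paths under the Apache 2.0 heading. LICENSE tells readers to look in `licenses/` for the license texts, so confirm that no line in LICENSE or elsewhere still names this file. Because this removes a third-party copyright notice ("Copyright 2018 Nikolay Volf"), the commit message should also state that no wasmi-derived source remains in the tree; the subject line alone ("unused projects") leaves that for the reader to verify.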




[incubator-teaclave] 07/07: [docs] Add threat model

Posted by ms...@apache.org.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit e1ad6b65cb27110774b572cda537fa503f7eb655
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 22 17:12:53 2020 -0700

    [docs] Add threat model
---
 README.md            |  5 +++++
 docs/threat_model.md | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/README.md b/README.md
index 8536cee..bf168d0 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,11 @@ platform, making computation on privacy-sensitive data safe and simple.
 
 - [My First Function](docs/my-first-function.md)
 
+### Design
+
+- [Threat Model](docs/threat_model.md)
+- [Mutual Attestation: Why and How](docs/mutual-attestation.md)
+
 ## Contributing
 
 Teaclave is open source in [The Apache Way](https://www.apache.org/theapacheway/),
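Review bot: the new Design list mixes file-naming styles: `docs/threat_model.md` uses an underscore, while `docs/mutual-attestation.md` and the existing `docs/my-first-function.md` use hyphens. Rename the new file to `docs/threat-model.md` and update this link to match, so the docs directory keeps one convention and links are less likely to be mistyped.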
diff --git a/docs/threat_model.md b/docs/threat_model.md
new file mode 100644
index 0000000..2d0e170
--- /dev/null
+++ b/docs/threat_model.md
@@ -0,0 +1,41 @@
+# Threat Model
+
+With its strongest security setting applied, Teaclave guarantees data
+confidentiality even if all parties along the computation path, privileged or
+not, are untrusted. This includes:
+
+- Internet service provider
+- Cloud provider
+- Function provider
+- Other data providers 
+
+Consider the following scenario. A small business needs to employ image
+classification techniques in its daily production. However, the business does
+not have the capabilities to train a high-quality machine learning model, nor
+does it have the hardware resources to host the machine learning
+infrastructures. Under such circumstances, the only solution is to subscribe to
+some cloud computing service and run the needed image classification tasks
+remotely. However, this solution requires the small business to upload its
+private data to the cloud, which may deeply concerns the business owner and
+hinders the deployment of such techniques.
+
+With Teaclave, privacy concerns above are no more. The small business can
+subscribe to the cloud service from company A, rent the machine learning model
+from company B, and use the deep learning inference engine provided by company
+C. None of these parties need to trust another, yet the computation can commence
+with everyone's privacy respected.
+
+In the settings above, the root of trust converges to Intel and its SGX-enabled
+CPU chips. Before the computation starts, Teaclave is booted as a secure SGX
+enclave on one of these CPUs owned by the cloud service provider. After that,
+each party can **remotely** attest the authenticity of the hardware and the
+integrity of Teaclave platform. Private data are securely provisioned to the
+Teaclave enclave only if the attestation passes. After the provision, no
+privileged software is able to access the memory content owned by the enclave
+from outside.
+
+The remote attestation functionality implemented by Teaclave is augmented from
+the method described by an Intel [white paper](https://arxiv.org/abs/1801.05863).
+The complicated structure of Teaclave requires additional work for remote
+attestation, which is explained in details via a separate
+[documentation](mutual_attestation.md).
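Review bot: the closing link `[documentation](mutual_attestation.md)` points at a file name with an underscore, but the README hunk in this same commit links the document as `docs/mutual-attestation.md`, so this link will not resolve; change the target to `mutual-attestation.md`. In the same pass, fix "may deeply concerns" (should be "may deeply concern"), "explained in details" (should be "in detail"), and the trailing space after "Other data providers". The opening sentence relies on "its strongest security setting" without saying what that setting is or where it is configured; a sentence or a link defining it would let readers tell when the stated confidentiality guarantee applies.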

