Posted to commits@teaclave.apache.org by sh...@apache.org on 2022/11/11 05:18:14 UTC
[incubator-teaclave-java-tee-sdk] 34/48: Update base GraalVM to 22.2.0
This is an automated email from the ASF dual-hosted git repository.
shaojunwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git
commit 907733d070519fb834527526e3543af1196ff7e0
Author: cengfeng.lzy <ce...@alibaba-inc.com>
AuthorDate: Mon Aug 1 16:50:58 2022 +0800
Update base GraalVM to 22.2.0
Summary: All our Enclave adaption PR committed to GraalVM are accepted
since GraalVM 22.2.0. Therefore, JavaEnclave can now directly depend on
GraalVM's official release.
Test Plan: all tests pass
Reviewers: lei.yul, cengfeng.lzy, sanhong.lsh
Issue: https://aone.alibaba-inc.com/task/43664463
CR:
https://code.alibaba-inc.com/java-tee/JavaEnclave/codereview/9591926
---
sdk/enclave/docs/Incompatibilities.md | 10 +++++-
sdk/enclave/pom.xml | 15 ++++++--
.../cpufeatures/EnclaveAMD64CPUFeatureAccess.java | 42 ++++++++++++++++++++++
.../EnclaveAMD64CPUFeatureAccessFeature.java | 36 +++++++++++++++++++
.../tee_sdk_svm/edge_routines/tee_sdk_symbol.c | 3 +-
.../tee_sdk_svm/edge_routines/tee_sdk_symbol.h | 3 +-
.../enclave/native-image.properties | 25 +++++++++++++
.../native-image/serialization-config.json | 3 ++
.../enclave/ConfigMemTest.java | 8 +++--
sdk/pom.xml | 2 --
test/enclave/pom.xml | 4 +--
.../bouncycastle-native/generate_bc_configs.sh | 2 +-
third-party-libs/bouncycastle-native/pom.xml | 5 ++-
.../bouncycastle-native/native-image.properties | 5 +++
tools/cicd/Dockerfile | 8 ++---
tools/cicd/make.sh | 12 +++----
16 files changed, 158 insertions(+), 25 deletions(-)
diff --git a/sdk/enclave/docs/Incompatibilities.md b/sdk/enclave/docs/Incompatibilities.md
index e547c44..da358fc 100644
--- a/sdk/enclave/docs/Incompatibilities.md
+++ b/sdk/enclave/docs/Incompatibilities.md
@@ -18,7 +18,15 @@ We rewrite the native JNI code of above 5 methods by replacing `new` with `mallo
See `src/main/resources/native/sunec/com_alibaba_confidentialcomputing_enclave_substitutes_NativeSunECMethods.h`, `com.alibaba.confidentialcomputing.enclave.SUNECReplaceFeature`, `com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods` and `com.alibaba.confidentialcomputing.enclave.substitutes.SUNECSubstitutions` for more details.
# System level
## CPU features check
-Since 22.1.0, GraalVM reads CPU features and checks which is supported at runtime, so that it doesn't only rely on the statically set CPU features (See `com.oracle.svm.core.cpufeature.RuntimeCPUFeatureCheckFeature`). But Enclave SDKs don't support reading CPU features at runtime. A solution is to disable the `RuntimeCPUFeatureCheckFeature`.
+Since 22.1.0, GraalVM reads CPU features and checks which is supported at runtime, so that it doesn't only rely on the statically set CPU features (see `com.oracle.svm.core.cpufeature.RuntimeCPUFeatureCheckFeature`).
+But Enclave SDKs don't support reading CPU features at runtime.
+A solution is to disable the `RuntimeCPUFeatureCheckFeature` (see `com.alibaba.confidentialcomputing.enclave.EnclaveFeature#afterRegistration`).
+
+Since 22.2.0, GraalVM verifies the cpu features as early as program starts (see `com.oracle.svm.core.JavaMainWrapper#run`), but the CPU checking functions are not supported by Enclave SDKs.
+The checking is performed by the `CPUFeatureAccess` instance which is set `ImageSingletons` by `com.oracle.svm.hosted.AMD64CPUFeatureAccessFeature` at image build time.
+So we added a subclass of `AMD64CPUFeatureAccessFeature`, `com.alibaba.confidentialcomputing.enclave.cpufeatures.EnclaveAMD64CPUFeatureAccessFeature` to override the behavior of setting `CPUFeatureAccess` instance.
+`EnclaveAMD64CPUFeatureAccessFeature` sets `com.alibaba.confidentialcomputing.enclave.cpufeatures.EnclaveAMD64CPUFeatureAccess` instance into `ImageSingletons` instead of the original `AMD64CPUFeatureAccess`.
+
## Memory
Enclave SDKs don't support reading system memory information from standard POSIX interfaces:
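Review bot: The new 22.2.0 paragraph explains how the startup CPU check is bypassed but not what is given up by bypassing it. Once `EnclaveAMD64CPUFeatureAccess` replaces the original instance, nothing inside the enclave verifies that the host supports the CPU features the image was built for, so this section should state which CPU features enclave images are expected to be built with and what failure to expect on a host that lacks them. Minor wording: "which is set `ImageSingletons`" should read "which is set into `ImageSingletons`".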
diff --git a/sdk/enclave/pom.xml b/sdk/enclave/pom.xml
index 491bdd1..ca157ec 100644
--- a/sdk/enclave/pom.xml
+++ b/sdk/enclave/pom.xml
@@ -12,6 +12,9 @@
<packaging>jar</packaging>
<name>JavaEnclave-Enclave</name>
<url></url>
+ <properties>
+ <graal.version>22.2.0</graal.version>
+ </properties>
<profiles>
<profile>
<id>native</id>
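Review bot: The `<graal.version>22.2.0</graal.version>` property added here is a second copy of the value also set in `third-party-libs/bouncycastle-native/pom.xml`, and the same commit removes the property from `sdk/pom.xml`. Two independent literals can drift apart at the next upgrade and leave the enclave SDK and the BouncyCastle configuration built against different `svm` versions. Either keep one definition in a shared parent or add a comment saying why it must be local, and check that no other module under `sdk/` still references `${graal.version}` or `${enclave.graal.version}`.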
@@ -92,6 +95,10 @@
<arg>--add-exports</arg>
<arg>jdk.internal.vm.ci/jdk.vm.ci.meta=ALL-UNNAMED</arg>
<arg>--add-exports</arg>
+ <arg>jdk.internal.vm.ci/jdk.vm.ci.amd64=ALL-UNNAMED</arg>
+ <arg>--add-exports</arg>
+ <arg>jdk.internal.vm.ci/jdk.vm.ci.code=ALL-UNNAMED</arg>
+ <arg>--add-exports</arg>
<arg>jdk.internal.vm.compiler/org.graalvm.compiler.serviceprovider=ALL-UNNAMED</arg>
<arg>--add-exports</arg>
<arg>jdk.internal.vm.compiler/org.graalvm.compiler.options=ALL-UNNAMED</arg>
@@ -139,6 +146,10 @@
<additionalJOption>--add-modules</additionalJOption>
<additionalJOption>jdk.internal.vm.ci,jdk.internal.vm.compiler,jdk.crypto.ec</additionalJOption>
<additionalJOption>--add-exports</additionalJOption>
+ <additionalJOption>jdk.internal.vm.ci/jdk.vm.ci.amd64=ALL-UNNAMED</additionalJOption>
+ <additionalJOption>--add-exports</additionalJOption>
+ <additionalJOption>jdk.internal.vm.ci/jdk.vm.ci.code=ALL-UNNAMED</additionalJOption>
+ <additionalJOption>--add-exports</additionalJOption>
<additionalJOption>jdk.internal.vm.ci/jdk.vm.ci.meta=ALL-UNNAMED</additionalJOption>
<additionalJOption>--add-exports</additionalJOption>
<additionalJOption>jdk.internal.vm.compiler/org.graalvm.compiler.serviceprovider=ALL-UNNAMED</additionalJOption>
@@ -198,12 +209,12 @@
<dependency>
<groupId>org.graalvm.sdk</groupId>
<artifactId>graal-sdk</artifactId>
- <version>${enclave.graal.version}</version>
+ <version>${graal.version}</version>
</dependency>
<dependency>
<groupId>org.graalvm.nativeimage</groupId>
<artifactId>svm</artifactId>
- <version>${enclave.graal.version}</version>
+ <version>${graal.version}</version>
</dependency>
<dependency>
<groupId>org.graalvm.nativeimage</groupId>
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccess.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccess.java
new file mode 100644
index 0000000..b52ccaf
--- /dev/null
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccess.java
@@ -0,0 +1,42 @@
+package com.alibaba.confidentialcomputing.enclave.cpufeatures;
+
+import com.oracle.svm.core.amd64.AMD64CPUFeatureAccess;
+import com.oracle.svm.core.annotate.Uninterruptible;
+import jdk.vm.ci.amd64.AMD64;
+import jdk.vm.ci.code.Architecture;
+
+import java.util.EnumSet;
+
+/**
+ * Don't check CPU features in enclave environment because the native functions are not supported by enclave SDKs.
+ *
+ * @see EnclaveAMD64CPUFeatureAccessFeature
+ * @since GraalVM 22.2.0
+ */
+public class EnclaveAMD64CPUFeatureAccess extends AMD64CPUFeatureAccess {
+ public EnclaveAMD64CPUFeatureAccess(EnumSet<?> buildtimeCPUFeatures, int[] offsets, byte[] errorMessageBytes, byte[] buildtimeFeatureMaskBytes) {
+ super(buildtimeCPUFeatures, offsets, errorMessageBytes, buildtimeFeatureMaskBytes);
+ }
+
+ @Override
+ public EnumSet<AMD64.CPUFeature> determineHostCPUFeatures() {
+ return super.determineHostCPUFeatures();
+ }
+
+ @Override
+ @Uninterruptible(reason = "Thread state not set up yet.")
+ public int verifyHostSupportsArchitectureEarly() {
+ return 0;
+ }
+
+ @Override
+ @Uninterruptible(reason = "Thread state not set up yet.")
+ public void verifyHostSupportsArchitectureEarlyOrExit() {
+
+ }
+
+ @Override
+ public void enableFeatures(Architecture runtimeArchitecture) {
+
+ }
+}
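Review bot: `determineHostCPUFeatures()` overrides the parent only to call `super.determineHostCPUFeatures()`, so it changes nothing. If the parent implementation reaches the native CPU detection that the class Javadoc says enclave SDKs do not support, this method still needs an enclave-safe body (for example returning the build-time features); if it does not, drop the override. The three no-op methods (`verifyHostSupportsArchitectureEarly` returning 0, the empty `verifyHostSupportsArchitectureEarlyOrExit` and the empty `enableFeatures`) should each carry a one-line comment saying the check is skipped on purpose, and the Javadoc should say that the build-time CPU features are then trusted without verification.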
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccessFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccessFeature.java
new file mode 100644
index 0000000..8dc3e88
--- /dev/null
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccessFeature.java
@@ -0,0 +1,36 @@
+package com.alibaba.confidentialcomputing.enclave.cpufeatures;
+
+import com.alibaba.confidentialcomputing.enclave.EnclaveOptions;
+import com.oracle.svm.core.amd64.AMD64CPUFeatureAccess;
+import com.oracle.svm.core.annotate.AutomaticFeature;
+import com.oracle.svm.hosted.AMD64CPUFeatureAccessFeature;
+import org.graalvm.nativeimage.Platform;
+import org.graalvm.nativeimage.Platforms;
+
+import java.util.EnumSet;
+
+/**
+ * {@link AMD64CPUFeatureAccessFeature} adds the {@link AMD64CPUFeatureAccess} instance into {@link org.graalvm.nativeimage.ImageSingletons},
+ * while {@link AMD64CPUFeatureAccess} eventually calls enclave SDK unsupported CPU feature checking functions. So it will
+ * lead to runtime crash in enclave environment.
+ * This class disables {@link AMD64CPUFeatureAccessFeature} by extending it (as GraalVM always uses the most specific
+ * Feature class see {@link com.oracle.svm.hosted.FeatureHandler#registerFeatures} for details), and provides
+ * {@link EnclaveAMD64CPUFeatureAccess} instance instead to avoid calling the unsupported functions.
+ * <p>
+ * The unsupported functions are called by function {@code determineCPUFeatures} in {@code cpuid.c}.
+ *
+ * @since GraalVM 22.2.0
+ */
+@AutomaticFeature
+@Platforms({Platform.AMD64.class})
+public class EnclaveAMD64CPUFeatureAccessFeature extends AMD64CPUFeatureAccessFeature {
+
+ @Override
+ protected AMD64CPUFeatureAccess createCPUFeatureAccessSingleton(EnumSet<?> buildtimeCPUFeatures, int[] offsets, byte[] errorMessageBytes, byte[] buildtimeFeatureMaskBytes) {
+ if (EnclaveOptions.RunInEnclave.getValue()) {
+ return new EnclaveAMD64CPUFeatureAccess(buildtimeCPUFeatures, offsets, errorMessageBytes, buildtimeFeatureMaskBytes);
+ } else {
+ return super.createCPUFeatureAccessSingleton(buildtimeCPUFeatures, offsets, errorMessageBytes, buildtimeFeatureMaskBytes);
+ }
+ }
+}
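Review bot: `createCPUFeatureAccessSingleton` only takes effect because, as the Javadoc notes, GraalVM picks the most specific Feature subclass in `FeatureHandler#registerFeatures`, which is internal builder behaviour. If that selection rule changes in a later GraalVM, the stock `AMD64CPUFeatureAccess` comes back silently and the enclave hits the runtime crash the Javadoc describes. A build-time check or test asserting that the registered singleton is an `EnclaveAMD64CPUFeatureAccess` when `RunInEnclave` is set would catch that. The Javadoc also says this class "disables" the parent feature, while the code falls back to `super` when `RunInEnclave` is false; the wording should match the behaviour.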
diff --git a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c
index 5f7a22e..0a74027 100644
--- a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c
+++ b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c
@@ -25,6 +25,7 @@ void deflateSetHeader() {TRACE_SYMBOL_CALL(); ASSERT();}
void dlopen() {TRACE_SYMBOL_CALL(); ASSERT();}
void dlsym() {TRACE_SYMBOL_CALL(); ASSERT();}
void endmntent() {TRACE_SYMBOL_CALL(); ASSERT();}
+void fputs() {TRACE_SYMBOL_CALL(); ASSERT();}
void fscanf() {TRACE_SYMBOL_CALL(); ASSERT();}
void fstatvfs() {TRACE_SYMBOL_CALL(); ASSERT();}
void fstatvfs64() {TRACE_SYMBOL_CALL(); ASSERT();}
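Review bot: The new `fputs` stub asserts when called, so any code path that now links against it aborts the enclave instead of writing its message, and the commit does not say which GraalVM 22.2.0 code pulls `fputs` in. Please add a comment naming the caller. If the caller is an error-reporting path, a stub that returns a value (as the `setrlimit` stub in this file does) or forwards the text out of the enclave loses less diagnostic information than `ASSERT()`. Note also that the stub is declared `void fputs()`, which differs from the standard `int fputs(const char *, FILE *)`.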
@@ -165,4 +166,4 @@ int pthread_attr_destroy() {
int setrlimit() {
TRACE_SYMBOL_CALL();
return 0;
-}
\ No newline at end of file
+}
diff --git a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h
index 66c9071..6666808 100644
--- a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h
+++ b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h
@@ -43,6 +43,7 @@ void deflateSetHeader();
void dlopen();
void dlsym();
void endmntent();
+void fputs();
void fscanf();
void fstatvfs();
void fstatvfs64();
@@ -123,4 +124,4 @@ int pthread_cond_timedwait();
int pthread_attr_destroy();
int pthread_attr_setstacksize();
-#endif /* end of _TEE_SDK_SYMBOL_H */
\ No newline at end of file
+#endif /* end of _TEE_SDK_SYMBOL_H */
diff --git a/sdk/enclave/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/enclave/native-image.properties b/sdk/enclave/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/enclave/native-image.properties
new file mode 100644
index 0000000..7275a3d
--- /dev/null
+++ b/sdk/enclave/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/enclave/native-image.properties
@@ -0,0 +1,25 @@
+Args=-J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.options=ALL-UNNAMED \
+ -J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.serviceprovider=ALL-UNNAMED \
+ -J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.word=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.amd64=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.c=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.c.function=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.c.libc=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.heap=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.resources=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.option=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.os=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.posix=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.linux.libc=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.util=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted.analysis=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted.meta=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.reflect.hosted=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.reflect.serialize.hosted=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.sdk/org.graalvm.nativeimage.impl=ALL-UNNAMED \
+ -J--add-exports=jdk.internal.vm.ci/jdk.vm.ci.amd64=ALL-UNNAMED \
+ -J--add-exports=jdk.internal.vm.ci/jdk.vm.ci.code=ALL-UNNAMED \
+ -J--add-exports=jdk.internal.vm.ci/jdk.vm.ci.meta=ALL-UNNAMED \
+ -J--add-opens=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED
\ No newline at end of file
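Review bot: The last entry adds `-J--add-opens=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED` on top of an `--add-exports` for the same package. `--add-opens` permits deep reflection into builder internals, so it should be justified by naming the class that needs it, or dropped if the export is enough. All 25 entries target `ALL-UNNAMED`, which grants this access to every jar on the image build class path and not only to the enclave SDK; a header comment explaining that would help whoever trims the list later. The file also ends without a trailing newline, which this same commit fixes in other files.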
diff --git a/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json b/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json
index eeea449..9d31c1d 100644
--- a/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json
+++ b/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json
@@ -55,5 +55,8 @@
},
{
"name":"[Ljava.lang.StackTraceElement;"
+ },
+ {
+ "name":"java.lang.Number"
}
]
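Review bot: `java.lang.Number` is registered for serialization with no explanation in the commit message or test plan. This list determines which types the enclave image can serialize and deserialize, so please record which type or call needs the entry under 22.2.0 (in the commit message or the module docs), so that it can be removed again once it is no longer required.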
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
index ad10024..923fad2 100644
--- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
+++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
@@ -37,9 +37,13 @@ public class ConfigMemTest {
"-DHEAP_PAGES=24000");
}
-/* @Override
+ /* @Override
public List<String> extraSVMOptions() {
- return List.of("--debug-attach:7788");
+ return List.of(*//*"--debug-attach:7788",
+ "-H:Dump=:3",
+ "-H:MethodFilter=com.oracle.svm.core.posix.PosixVirtualMemoryProvider.getPageSize",
+ "-H:MethodFilter=com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider.getVPageSize"*//*
+ );
}*/
}
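Review bot: The `extraSVMOptions()` override stays commented out, and the edit adds nested `*//*` markers inside it to keep the debug options (`--debug-attach:7788`, `-H:Dump=:3` and two `-H:MethodFilter` entries) disabled. This is local debugging residue unrelated to the version bump. Please drop it from the commit, or move the options to a documented debug profile if they are meant to be reused.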
diff --git a/sdk/pom.xml b/sdk/pom.xml
index 2e6d08b..36cea01 100644
--- a/sdk/pom.xml
+++ b/sdk/pom.xml
@@ -13,8 +13,6 @@
<maven.compiler.target>11</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<com.alibaba.enclave.platform>MOCK_IN_SVM:TEE_SDK:EMBEDDED_LIB_OS</com.alibaba.enclave.platform>
- <enclave.graal.version>enclave-11-22.1.0-1.0</enclave.graal.version>
- <graal.version>22.1.0</graal.version>
<surefire.version>3.0.0-M5</surefire.version>
<svm.maven.version>0.9.13</svm.maven.version>
</properties>
diff --git a/test/enclave/pom.xml b/test/enclave/pom.xml
index e791ee7..5bc5380 100644
--- a/test/enclave/pom.xml
+++ b/test/enclave/pom.xml
@@ -13,7 +13,7 @@
<name>Test-Enclave</name>
<url></url>
<properties>
- <svm.maven.version>0.9.10</svm.maven.version>
+ <svm.maven.version>0.9.13</svm.maven.version>
<com.alibaba.enclave.privatePem.path></com.alibaba.enclave.privatePem.path>
</properties>
<profiles>
@@ -200,4 +200,4 @@
<scope>test</scope>
</dependency>
</dependencies>
-</project>
\ No newline at end of file
+</project>
diff --git a/third-party-libs/bouncycastle-native/generate_bc_configs.sh b/third-party-libs/bouncycastle-native/generate_bc_configs.sh
index 773dd19..c7b11c1 100644
--- a/third-party-libs/bouncycastle-native/generate_bc_configs.sh
+++ b/third-party-libs/bouncycastle-native/generate_bc_configs.sh
@@ -42,7 +42,7 @@ elif [ "$BC_VERSION""x" == "1.66x" ];then
fi
echo "Start BouncyCastle tests to collect native image configurations. It may take a while."
-gradle $GRADLE_JAVA_HOME test
+gradle clean $GRADLE_JAVA_HOME test
BASE_MODULES="pg prov pkix core tls mail"
if [ $(echo "${BC_VERSION} < 1.69" | bc) = 1 ];then
diff --git a/third-party-libs/bouncycastle-native/pom.xml b/third-party-libs/bouncycastle-native/pom.xml
index bb7a096..c21c2ec 100644
--- a/third-party-libs/bouncycastle-native/pom.xml
+++ b/third-party-libs/bouncycastle-native/pom.xml
@@ -8,15 +8,14 @@
<version>1.0-SNAPSHOT</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- <enclave.graal.version>enclave-11-22.1.0-1.0</enclave.graal.version>
- <graal.version>22.1.0</graal.version>
+ <graal.version>22.2.0</graal.version>
</properties>
<dependencies>
<dependency>
<groupId>org.graalvm.nativeimage</groupId>
<artifactId>svm</artifactId>
- <version>${enclave.graal.version}</version>
+ <version>${graal.version}</version>
</dependency>
<dependency>
<groupId>org.graalvm.nativeimage</groupId>
diff --git a/third-party-libs/bouncycastle-native/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/bouncycastle-native/native-image.properties b/third-party-libs/bouncycastle-native/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/bouncycastle-native/native-image.properties
new file mode 100644
index 0000000..addd595
--- /dev/null
+++ b/third-party-libs/bouncycastle-native/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/bouncycastle-native/native-image.properties
@@ -0,0 +1,5 @@
+Args=-J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.options=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.configure=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.option=ALL-UNNAMED \
+ -J--add-exports=org.graalvm.sdk/org.graalvm.nativeimage.impl=ALL-UNNAMED
diff --git a/tools/cicd/Dockerfile b/tools/cicd/Dockerfile
index 544392d..e010d98 100644
--- a/tools/cicd/Dockerfile
+++ b/tools/cicd/Dockerfile
@@ -5,14 +5,14 @@ LABEL maintainer="Junshao Wang <je...@alibaba-inc.com>"
ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
ENV DEBIAN_FRONTEND noninteractive
-ADD ["graalvm-enclave-22.1.0.tar", "/root/tools/"]
+ADD ["graalvm-ce-java11-22.2.0.tar", "/root/tools/"]
ADD ["zlib-1.2.11.tar.gz", "/root/tools/"]
ADD ["settings.xml", "/root/tools/"]
ADD ["zlib-1.2.11.tar.gz", "/root/tools/"]
ADD ["Alibaba_Dragonwell_11.0.15.11.9_x64_alpine-linux.tar.gz", "/root/tools"]
ADD ["sgx_linux_x64_sdk_2.17.100.0.bin", "/root/tools/"]
-ENV GRAALVM_HOME "/root/tools/graalvm-enclave-22.1.0"
-ENV JAVA_HOME "/root/tools/graalvm-enclave-22.1.0"
+ENV GRAALVM_HOME "/root/tools/graalvm-ce-java11-22.2.0"
+ENV JAVA_HOME "/root/tools/graalvm-ce-java11-22.2.0"
ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
ENV CC=/usr/local/occlum/bin/occlum-gcc
@@ -42,4 +42,4 @@ RUN apt-get update && apt-get install -y gdb gnupg wget aptitude libfuse-dev lib
cd /root/tools && chmod 777 sgx_linux_x64_sdk_2.17.100.0.bin && echo -e 'no\n/opt/teesdk\n' | ./sgx_linux_x64_sdk_2.17.100.0.bin
# copy dcap_occlum lib from occlum docker image.
-COPY --from=occlum/occlum:0.26.4-ubuntu18.04 /opt/occlum/toolchains/dcap_lib /opt/occlum/toolchains/dcap_lib
\ No newline at end of file
+COPY --from=occlum/occlum:0.26.4-ubuntu18.04 /opt/occlum/toolchains/dcap_lib /opt/occlum/toolchains/dcap_lib
diff --git a/tools/cicd/make.sh b/tools/cicd/make.sh
index 399f774..971b8b7 100755
--- a/tools/cicd/make.sh
+++ b/tools/cicd/make.sh
@@ -3,7 +3,7 @@
MODE=$1
BUILD_IMAGE=javaenclave_build
-BUILD_TAG=v0.1.10
+BUILD_TAG=v0.1.11
SHELL_FOLDER=$(cd "$(dirname "$0")";pwd)
@@ -13,15 +13,15 @@ WORKDIR=$(dirname $(dirname "$PWD"))
# check target images exist or not, build it if not.
if [[ "$(docker images -q ${BUILD_IMAGE}:${BUILD_TAG} 2> /dev/null)" == "" ]]; then
- # Get the customized Graal VM from git@gitlab.alibaba-inc.com:graal/SGXGraalVM.git
- # This should be replaced to the offical version when all patches are accepted by the Graal community
- wget https://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.1.0/graalvm-enclave-22.1.0.tar
+ # We have built and packaged GraalVM 22.2.0 from source code and then uploaded to OSS, the official release of GraalVM CE required to manually install native-image component.
+ wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.2.0/graalvm-ce-java11-22.2.0.tar
wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/zlib-1.2.11.tar.gz
wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/settings_taobao.xml -O settings.xml
wget https://dragonwell.oss-cn-shanghai.aliyuncs.com/11/tee_java/dependency/sgx_linux_x64_sdk_2.17.100.0.bin
wget https://dragonwell.oss-cn-shanghai.aliyuncs.com/11.0.15.11.9/Alibaba_Dragonwell_11.0.15.11.9_x64_alpine-linux.tar.gz
docker build -t ${BUILD_IMAGE}:${BUILD_TAG} .
- rm -f graalvm-enclave-22.1.0.tar
+ rm -f graalvm-ce-java11-22.2.0.tar
+ rm -f settings.xml
rm -f zlib-1.2.11.tar.gz
rm -f sgx_linux_x64_sdk_2.17.100.0.bin
rm -f Alibaba_Dragonwell_11.0.15.11.9_x64_alpine-linux.tar.gz
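Review bot: The GraalVM tarball URL changes from `https://` in the removed line to plain `http://` in the added one, and the archive is handed to `docker build` with no digest check. The added comment says this tarball was built from source and uploaded to OSS, so the compiler used for all enclave code rests entirely on the integrity of this download. Please fetch it over `https://` and verify a pinned SHA-256 before the build; the same applies to the `zlib` and `settings.xml` downloads that are already on `http://`. The comment also conflicts with the commit summary, which says JavaEnclave now depends on GraalVM's official release; one of the two should be corrected.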
@@ -50,4 +50,4 @@ elif [ "develop" = "$MODE" ]; then
-v /dev/sgx_enclave:/dev/sgx/enclave \
-v /dev/sgx_provision:/dev/sgx/provision \
${BUILD_IMAGE}:${BUILD_TAG} /bin/bash
-fi
\ No newline at end of file
+fi