Speed up incremental building of enclave by moving long-running steps into Docker.

.github/actions/enclave/action.yml

@@ -1,12 +0,0 @@
-name: enclave
-description: run a Makefile target in the enclave directory
-inputs:
-  target:
-    description: Makefile targets to run
-runs:
-  using: docker
-  image: '../../../enclave/docker/Dockerfile'
-  entrypoint: /bin/bash
-  args:
-    - "-c"
-    - "mkdir -p /github/workspace/enclave/build && cp -a /github/workspace/enclave /home/rust/src && rm -r /home/rust/src/build && ln -s /github/workspace/enclave/build /home/rust/src/build && HOME=/home/rust && make -C /home/rust/src/ ${{ inputs.target }}"

.github/workflows/dockercache/action.yml

@@ -0,0 +1,36 @@
+name: Docker Caching
+description: Cache a docker image
+
+inputs:
+  dockerdir:
+    required: true
+    type: string
+  imagename:
+    required: true
+    type: string
+
+runs:
+  using: composite
+
+  steps:
+    - name: Check for cached docker image
+      id: cached-docker
+      uses: actions/cache@v3
+      with:
+        path: dockerimage-${{ inputs.imagename }}.tar
+        key: ${{ runner.os }}-dockerimagetar-${{ inputs.imagename }}-${{ hashFiles(format('{0}/**', inputs.dockerdir)) }}
+        restore-keys: |
+          ${{ runner.os }}-dockerimagetar-${{ inputs.imagename }}-
+
+    - name: Load docker image
+      run: docker load --input dockerimage-${{ inputs.imagename }}.tar || true
+      shell: bash
+
+    - name: Build/label docker image
+      run: docker build -t ${{ inputs.imagename }} ${{ inputs.dockerdir }} --cache-from ${{ inputs.imagename }}:latest
+      shell: bash
+
+    - name: Save docker image
+      if: steps.cached-docker.outputs.cache-hit != 'true'
+      run: docker save --output dockerimage-${{ inputs.imagename }}.tar ${{ inputs.imagename }}:latest $(docker history -q ${{ inputs.imagename }}:latest | grep -v missing)
+      shell: bash

.github/workflows/enclave.yml

@@ -12,6 +12,19 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v1
-      - uses: ./.github/actions/enclave
+      - name: Docker cache
+        uses: ./.github/workflows/dockercache
         with:
-          target: check clippy test
+          dockerdir: enclave/docker
+          imagename: kbupd-enclave-builder
+      - run: make docker_"check clippy test"
+        working-directory: enclave
+  make_docker:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker cache
+        uses: ./.github/workflows/dockercache
+        with:
+          dockerdir: enclave/docker
+          imagename: kbupd-enclave-builder

enclave/Makefile

@@ -8,7 +8,7 @@ resourcedir = ../service/kbupd/res
 RUSTC ?= rustc
 CARGO ?= cargo
 RUSTUP ?= rustup
-BINDGEN ?= $(builddir)/bin/bindgen-0.51.1
+BINDGEN ?= bindgen
 DOCKER ?= docker
 INSTALL ?= install
 
@@ -16,11 +16,7 @@ RUSTUP_TOOLCHAIN_UNSTABLE ?= nightly
 
 FEATURES ?=
 
-PROST_GIT_REV      = 9c5d46e72acc07a9c4305ffba79d253e0f603a27
-RING_GIT_REV       = 323204d618ea9d339e40b7bf6f0517051a44e28a
-SERDE_JSON_GIT_REV = d79b0c67f62e168d4872bb8694377ffd97b8949f
-SNOW_GIT_REV       = d8d00a37c8e39b2557d23a26cc4f722595b4f2d9
-WEBPKI_GIT_REV     = 3c92126b95c6ffbe20f3c8f420f4e4fe804954bd
+include docker/deps.mk
 
 INSTALL_PROGRAM = $(INSTALL) -m 755 $(INSTALL_PROGRAM_FLAGS)
 INSTALL_DATA    = $(INSTALL) -m 644
@@ -46,18 +42,6 @@ export CARGO_HOME = $(CURDIR)/$(builddir)/cargo
 TEST_CFLAGS += $(CFLAGS) \
 	-DUNIT_TESTING -fsanitize=address -static-libasan -fsanitize=undefined -static-libubsan
 
-##
-## rust
-##
-
-RUST_DEPS_DIR = $(builddir)/rust_deps
-RUST_DEPS_DIRS = \
-	$(RUST_DEPS_DIR)/prost-$(PROST_GIT_REV) \
-	$(RUST_DEPS_DIR)/ring-$(RING_GIT_REV) \
-	$(RUST_DEPS_DIR)/serde_json-$(SERDE_JSON_GIT_REV) \
-	$(RUST_DEPS_DIR)/snow-$(SNOW_GIT_REV) \
-	$(RUST_DEPS_DIR)/webpki-$(WEBPKI_GIT_REV)
-
 ##
 ## sgxsd
 ##
@@ -112,15 +96,15 @@ unsigned: $(builddir)/$(KBUPD_ENCLAVE_NAME).unsigned.so
 
 llvm-bolt: $(LLVM_BOLT)
 
-doc: $(RUST_DEPS_DIRS)
+doc:
 	env -u CFLAGS RUSTFLAGS="$(ENCLAVE_RUSTFLAGS)" \
 		$(CARGO) doc --package=kbupd_enclave --release --document-private-items --lib
 
-check: $(RUST_DEPS_DIRS)
+check:
 	$(CARGO) check --all --exclude=kbupd_enclave
 	$(CARGO) check --manifest-path=kbupd_enclave/Cargo.toml --lib --tests --features test,$(if $(FEATURES),$(FEATURES))
 
-test: $(TEST_SGXSD_TARGET) $(RUST_DEPS_DIRS)
+test: $(TEST_SGXSD_TARGET)
 	ASAN_OPTIONS="detect_leaks=0:$(ASAN_OPTIONS)" ./$(TEST_SGXSD_TARGET)
 	env -u CFLAGS \
 	RUST_BACKTRACE=full \
@@ -131,7 +115,7 @@ test: $(TEST_SGXSD_TARGET) $(RUST_DEPS_DIRS)
 	RUST_TEST_THREADS=1 \
 		$(CARGO) test --manifest-path=kbupd_enclave/Cargo.toml --lib --bins --features test,$(if $(FEATURES),$(FEATURES)) -- --test-threads=1
 
-test-asan: $(TEST_SGXSD_TARGET) $(RUST_DEPS_DIRS)
+test-asan: $(TEST_SGXSD_TARGET)
 	./$(TEST_SGXSD_TARGET)
 	env -u CFLAGS \
 	RUST_BACKTRACE=full \
@@ -148,14 +132,14 @@ test-asan: $(TEST_SGXSD_TARGET) $(RUST_DEPS_DIRS)
 		$(RUSTUP) run $(RUSTUP_TOOLCHAIN_UNSTABLE) \
 		$(CARGO) test --manifest-path=kbupd_enclave/Cargo.toml --lib --bins --tests --features test,$(if $(FEATURES),$(FEATURES)) -- --test-threads=1
 
-clippy: $(RUST_DEPS_DIRS)
+clippy:
 	$(CARGO) clippy --all --exclude=kbupd_enclave
 	$(CARGO) clippy --manifest-path=kbupd_enclave/Cargo.toml --features test,$(if $(FEATURES),$(FEATURES))
 
-benchmark: $(RUST_DEPS_DIRS)
+benchmark:
 	$(CARGO) bench --all
 
-bindgen: $(BINDGEN) | $(SGX_INCLUDEDIR)
+bindgen:
 	$(BINDGEN) --no-include-path-detection -o sgx_ffi/src/bindgen_wrapper.rs \
 		--rust-target 1.33 --use-core --ctypes-prefix libc --with-derive-default --with-derive-eq --no-prepend-enum-name \
 		sgx_ffi/src/bindgen_wrapper.h -- \
@@ -220,12 +204,10 @@ clean:
 		debian/kbupd-enclave.substvars \
 		debian/files \
 		debian/*.deb
-	-rm -r	$(targetdir)/release/ \
+	-rm -rf $(targetdir)/release/ \
 		$(targetdir)/debug/ \
 		$(builddir)/bolt/build \
 		$(builddir)/cargo/bin \
-		$(RUST_DEPS_DIR) \
-		$(SGX_SDK_SOURCE_DIR) \
 		debian/.debhelper/ \
 		debian/kbupd-enclave/
 	-$(CARGO) clean --release
@@ -235,53 +217,22 @@ clean:
 .PHONY: FORCE
 FORCE:
 
-$(targetdir)/debug/prostc: FORCE $(RUST_DEPS_DIRS)
+$(targetdir)/debug/prostc: FORCE
 	env -u CFLAGS $(CARGO) build --manifest-path=prostc/Cargo.toml --bin=prostc
-$(targetdir)/release/lib%.a: FORCE $(RUST_DEPS_DIRS)
+$(targetdir)/release/lib%.a: FORCE
 	env CFLAGS="-mno-red-zone" RUSTFLAGS="$(ENCLAVE_RUSTFLAGS)" \
 		$(CARGO) build -vv --release --manifest-path=$*/Cargo.toml --lib $(if $(FEATURES),--features $(FEATURES))
 
-$(RUST_DEPS_DIR)/prost-$(PROST_GIT_REV):
-	mkdir -p $(RUST_DEPS_DIR)/unpack
-	wget -O - https://github.com/signalapp/prost/archive/$(PROST_GIT_REV).tar.gz \
-		| tar -xzf - -C $(RUST_DEPS_DIR)/unpack/
-	mv $(RUST_DEPS_DIR)/unpack/prost-$(PROST_GIT_REV) $(RUST_DEPS_DIR)/
-
-$(RUST_DEPS_DIR)/ring-$(RING_GIT_REV):
-	mkdir -p $(RUST_DEPS_DIR)/unpack
-	wget -O - https://github.com/signalapp/ring/archive/$(RING_GIT_REV).tar.gz \
-		| tar -xzf - -C $(RUST_DEPS_DIR)/unpack/
-	mkdir $(RUST_DEPS_DIR)/unpack/ring-$(RING_GIT_REV)/.git # hack to get ring to generate asm in its build.rs
-	mv $(RUST_DEPS_DIR)/unpack/ring-$(RING_GIT_REV) $(RUST_DEPS_DIR)/
-
-$(RUST_DEPS_DIR)/serde_json-$(SERDE_JSON_GIT_REV):
-	mkdir -p $(RUST_DEPS_DIR)/unpack
-	wget -O - https://github.com/signalapp/serde_json/archive/$(SERDE_JSON_GIT_REV).tar.gz \
-		| tar -xzf - -C $(RUST_DEPS_DIR)/unpack/
-	mv $(RUST_DEPS_DIR)/unpack/serde_json-$(SERDE_JSON_GIT_REV) $(RUST_DEPS_DIR)/
-
-$(RUST_DEPS_DIR)/snow-$(SNOW_GIT_REV):
-	mkdir -p $(RUST_DEPS_DIR)/unpack
-	wget -O - https://github.com/signalapp/snow/archive/$(SNOW_GIT_REV).tar.gz \
-		| tar -xzf - -C $(RUST_DEPS_DIR)/unpack/
-	mv $(RUST_DEPS_DIR)/unpack/snow-$(SNOW_GIT_REV) $(RUST_DEPS_DIR)/
-
-$(RUST_DEPS_DIR)/webpki-$(WEBPKI_GIT_REV):
-	mkdir -p $(RUST_DEPS_DIR)/unpack
-	wget -O - https://github.com/briansmith/webpki/archive/$(WEBPKI_GIT_REV).tar.gz \
-		| tar -xzf - -C $(RUST_DEPS_DIR)/unpack/
-	mv $(RUST_DEPS_DIR)/unpack/webpki-$(WEBPKI_GIT_REV) $(RUST_DEPS_DIR)/
-
 ## sgxsd
 
 $(BEARSSL_OBJECTS): $(wildcard $(includedir)/bearssl/%.h)
-$(SGXSD_OBJECTS): $(builddir)/%.o: %.c $(includedir)/sgxsd.h $(includedir)/sgxsd-enclave.h | $(SGX_INCLUDEDIR)
+$(SGXSD_OBJECTS): $(builddir)/%.o: %.c $(includedir)/sgxsd.h $(includedir)/sgxsd-enclave.h
 	@mkdir -p $(dir $@)
 	$(CC) -o $@ $(CFLAGS) $(ENCLAVE_CFLAGS) -c $<
 
 $(TEST_SGXSD_TARGET): $(TEST_SGXSD_OBJECTS)
 	$(CC) -o $@ $(TEST_SGXSD_OBJECTS) $(TEST_LDFLAGS)
-$(TEST_SGXSD_OBJECTS): $(builddir)/test/%.o: %.c $(includedir)/sgxsd.h $(includedir)/sgxsd-enclave.h $(includedir)/cmockery.h | $(SGX_INCLUDEDIR)
+$(TEST_SGXSD_OBJECTS): $(builddir)/test/%.o: %.c $(includedir)/sgxsd.h $(includedir)/sgxsd-enclave.h $(includedir)/cmockery.h
 	@mkdir -p $(dir $@)
 	$(CC) -o $@ $(CFLAGS) $(TEST_CFLAGS) -c $<
 
@@ -308,14 +259,22 @@ MAKETARGET ?= bindgen debuild sign
 
 docker: DOCKER_EXTRA=$(shell [ -L build ] && P=$$(readlink build) && echo -v $$P/:$$P )
 docker:
-	$(DOCKER) build --build-arg UID=$$(id -u) --build-arg GID=$$(id -g) \
-	  -t kbupd-enclave-builder ./docker
-	$(DOCKER) run -it --rm --user $$(id -u):$$(id -g) --cap-add SYS_PTRACE \
+	$(DOCKER) build -t kbupd-enclave-builder ./docker
+	$(DOCKER) run --rm -it --user $$(id -u):$$(id -g) --cap-add SYS_PTRACE \
 		-v `pwd`/:/home/rust/src $(DOCKER_EXTRA) \
 		--env MAKEFLAGS="$(MAKEFLAGS)" \
 		kbupd-enclave-builder \
 		sh -c "cd src; make $(MAKETARGET)"
 
+docker_%: DOCKER_EXTRA=$(shell [ -L build ] && P=$$(readlink build) && echo -v $$P/:$$P )
+docker_%:
+	$(DOCKER) build -t kbupd-enclave-builder ./docker
+	$(DOCKER) run --rm --user $$(id -u):$$(id -g) --cap-add SYS_PTRACE \
+		-v `pwd`/:/home/rust/src $(DOCKER_EXTRA) \
+		--env MAKEFLAGS="$*" \
+		kbupd-enclave-builder \
+		sh -c "set -x; cd src && mkdir -p build && ln -s /home/rust/rust_deps build/rust_deps && make $*"
+
 .PHONY: debuild
 debuild:
 	env -u LANG LC_ALL=C debuild --preserve-envvar=PATH --no-lintian --build=binary -uc -us -j1

enclave/debian/buildinfo

@@ -4,14 +4,14 @@ Binary: kbupd-enclave
 Architecture: amd64
 Version: 1.0
 Checksums-Md5:
- 6a5e17002b5dd8f7c3869862c44ebfe5 593820 kbupd-enclave_1.0_amd64.deb
+ 042b86119b1c1d3545a28e64849112c8 593848 kbupd-enclave_1.0_amd64.deb
 Checksums-Sha1:
- 30b6f9a4159858a32ef075bd4d5f8ef40b605700 593820 kbupd-enclave_1.0_amd64.deb
+ ca36830c3a310735d7bd913991fad34e36bdce29 593848 kbupd-enclave_1.0_amd64.deb
 Checksums-Sha256:
- 279465c13857c1cbaa79014715c15483bacdce23afda938540e0ae6c6aeced33 593820 kbupd-enclave_1.0_amd64.deb
+ 38fd7f90d29ff4faf49ddfed2f990bccb89377cabe006ff093c5ba223cbfd16c 593848 kbupd-enclave_1.0_amd64.deb
 Build-Origin: Debian
 Build-Architecture: amd64
-Build-Date: Wed, 20 Jul 2022 13:57:47 +0000
+Build-Date: Thu, 01 Sep 2022 23:02:46 +0000
 Installed-Build-Depends:
  autoconf (= 2.69-11),
  automake (= 1:1.16.1-4),

enclave/docker/Dockerfile

@@ -15,8 +15,8 @@ ARG UID=0
 ARG GID=0
 
 #Create a user to map the host user to.
-RUN    groupadd -o -g "${GID}" rust \
-    && useradd -m -o -u "${UID}" -g "${GID}" -s /bin/bash rust \
+RUN    groupadd rust \
+    && useradd -m -g rust -s /bin/bash rust \
     && mkdir -p /tmp/docker \
     && chown -R rust.rust /tmp/docker
 
@@ -27,16 +27,25 @@ ENV SHELL /bin/bash
 
 WORKDIR /home/rust
 
+COPY build_bolt.sh /home/rust/
+RUN bash build_bolt.sh
+
+COPY deps.mk fetch_rust_deps.sh /home/rust/
+RUN bash fetch_rust_deps.sh
+
+COPY deps.mk build_sgx.sh /home/rust/
+ADD linux-sgx-patches /home/rust/linux-sgx-patches/
+RUN bash ~/build_sgx.sh
+
 ARG TOOLCHAIN=1.40.0
-
 COPY rustup-init.sha256 /tmp/docker/
-
 RUN    curl -f https://static.rust-lang.org/rustup/archive/1.20.2/x86_64-unknown-linux-gnu/rustup-init -o /tmp/rustup-init \
     && [ `sha256sum /tmp/rustup-init|cut -d' ' -f1` = `cut -d' ' -f1</tmp/docker/rustup-init.sha256` ] \
     && chmod a+x /tmp/rustup-init \
     && /tmp/rustup-init -y --profile minimal --component rustfmt clippy --default-toolchain "${TOOLCHAIN}" \
     && rm -rf /tmp/rustup-init /tmp/docker
 
-ENV PATH="/home/rust/.cargo/bin:${PATH}"
+ENV PATH="/home/rust/.cargo/bin:/home/rust/bin:${PATH}"
+RUN cargo install --locked --force --version 0.51.1 --bin bindgen bindgen
 
 CMD [ "/bin/bash" ]

enclave/docker/build_bolt.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+set -x
+
+BOLT_DIR=bolt
+BOLT_GIT_REV=130d2c758964950cf713bddef123104b41642161
+BOLT_LLVM_GIT_REV=f137ed238db11440f03083b1c88b7ffc0f4af65e
+BOLT_SRC_DIR=$BOLT_DIR/bolt-$BOLT_GIT_REV
+BOLT_LLVM_SRC_DIR=$BOLT_DIR/llvm-$BOLT_LLVM_GIT_REV
+mkdir -p bin $BOLT_DIR $BOLT_SRC_DIR
+wget -O - https://github.com/llvm-mirror/llvm/archive/$BOLT_LLVM_GIT_REV.tar.gz | tar -xzf -  -C $BOLT_DIR
+wget -O - https://github.com/signalapp/BOLT/archive/$BOLT_GIT_REV.tar.gz | tar -xzf - -C $BOLT_LLVM_SRC_DIR/tools
+mv $BOLT_LLVM_SRC_DIR/tools/BOLT-$BOLT_GIT_REV $BOLT_LLVM_SRC_DIR/tools/llvm-bolt
+patch -d $BOLT_LLVM_SRC_DIR -p 1 -T < $BOLT_LLVM_SRC_DIR/tools/llvm-bolt/llvm.patch
+mkdir -p $BOLT_DIR/build
+(cd $BOLT_DIR/build &&
+    cmake -G Ninja ../../$BOLT_LLVM_SRC_DIR -DLLVM_TARGETS_TO_BUILD="X86" -DCMAKE_BUILD_TYPE=Release &&
+    ninja)
+strip -o bin/llvm-bolt $BOLT_DIR/build/bin/llvm-bolt
+rm -rf $BOLT_DIR

enclave/docker/build_sgx.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+source deps.mk
+set -e
+set -x
+
+SGX_DIR=linux-sgx
+SGX_SDK_SOURCE_DIR=$SGX_DIR/linux-sgx-$SGX_SDK_SOURCE_GIT_REV
+SGX_SDK_SOURCE_INCLUDEDIR=$SGX_SDK_SOURCE_DIR/common/inc
+SGX_SDK_SOURCE_LIBDIR=$SGX_SDK_SOURCE_DIR/build/linux
+SGX_INCLUDEDIR=$SGX_SDK_SOURCE_DIR/include
+PATCHDIR=linux-sgx-patches
+SGX_SDK_SOURCE_UNPACK_DIR=$SGX_DIR/unpack/linux-sgx-$SGX_SDK_SOURCE_GIT_REV
+SGX_DCAP_SOURCE_UNPACK_DIR=$SGX_DIR/unpack/SGXDataCenterAttestationPrimitives-$SGX_DCAP_SOURCE_GIT_REV
+
+mkdir -p $SGX_DIR/unpack/
+wget -O - https://github.com/intel/linux-sgx/archive/$SGX_SDK_SOURCE_GIT_REV.tar.gz | tar -xzf - -C $SGX_DIR/unpack/
+wget -O - https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/$SGX_DCAP_SOURCE_GIT_REV.tar.gz | tar -xzf - -C $SGX_DIR/unpack/
+mv $SGX_DCAP_SOURCE_UNPACK_DIR $SGX_SDK_SOURCE_UNPACK_DIR/external/dcap_sources
+patch -d $SGX_SDK_SOURCE_UNPACK_DIR -p 1 -T < $PATCHDIR/linux-sgx-rep-stringops.patch
+patch -d $SGX_SDK_SOURCE_UNPACK_DIR -p 1 -T < $PATCHDIR/linux-sgx-rep-bcmp.patch
+mv $SGX_SDK_SOURCE_UNPACK_DIR $SGX_SDK_SOURCE_DIR
+env -u LDFLAGS -u CPPFLAGS CFLAGS='-D_TLIBC_USE_REP_STRING_ -fno-jump-tables -mno-red-zone -mindirect-branch-register -Wno-error=implicit-fallthrough' make -C $SGX_SDK_SOURCE_DIR/sdk simulation selib signtool edger8r trts tstdc
+
+mkdir -p $SGX_DIR/lib $SGX_DIR/bin
+for lib in trts tstdc trts_sim; do
+  ar mD $SGX_SDK_SOURCE_LIBDIR/libsgx_$lib.a $(ar t $SGX_SDK_SOURCE_LIBDIR/libsgx_$lib.a | env -u LANG LC_ALL=C sort)
+  cp $SGX_SDK_SOURCE_LIBDIR/libsgx_$lib.a $SGX_DIR/lib/
+done
+
+ar mD $SGX_SDK_SOURCE_DIR/sdk/selib/linux/libselib.a $(ar t $SGX_SDK_SOURCE_DIR/sdk/selib/linux/libselib.a | env -u LANG LC_ALL=C sort)
+cp $SGX_SDK_SOURCE_DIR/sdk/selib/linux/libselib.a $SGX_DIR/lib/
+
+
+for bin in sgx_edger8r sgx_sign; do
+  cp $SGX_SDK_SOURCE_LIBDIR/$bin $SGX_DIR/bin
+done
+
+cp -rf $SGX_SDK_SOURCE_INCLUDEDIR $SGX_DIR/include
+rm -rf $SGX_DIR/unpack $SGX_SDK_SOURCE_DIR

enclave/docker/deps.mk

@@ -0,0 +1,9 @@
+# This file is used by both `make` and `bash`, so it should be valid syntax
+# for both.
+PROST_GIT_REV=9c5d46e72acc07a9c4305ffba79d253e0f603a27
+RING_GIT_REV=323204d618ea9d339e40b7bf6f0517051a44e28a
+SERDE_JSON_GIT_REV=d79b0c67f62e168d4872bb8694377ffd97b8949f
+SNOW_GIT_REV=d8d00a37c8e39b2557d23a26cc4f722595b4f2d9
+WEBPKI_GIT_REV=3c92126b95c6ffbe20f3c8f420f4e4fe804954bd
+SGX_SDK_SOURCE_GIT_REV=effae6280234302a12169f89c561b96e54d80723
+SGX_DCAP_SOURCE_GIT_REV=68a77a852cd911a44a97733aec870e9bd93a3b86

enclave/docker/fetch_rust_deps.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+source deps.mk
+set -e
+set -x
+
+RUST_DEPS_DIR=rust_deps
+mkdir -p $RUST_DEPS_DIR/unpack
+wget -O - https://github.com/signalapp/prost/archive/$PROST_GIT_REV.tar.gz | tar -xzf - -C $RUST_DEPS_DIR/unpack/
+mv $RUST_DEPS_DIR/unpack/prost-$PROST_GIT_REV $RUST_DEPS_DIR/
+wget -O - https://github.com/signalapp/ring/archive/$RING_GIT_REV.tar.gz | tar -xzf - -C $RUST_DEPS_DIR/unpack/
+mkdir $RUST_DEPS_DIR/unpack/ring-$RING_GIT_REV/.git
+mv $RUST_DEPS_DIR/unpack/ring-$RING_GIT_REV $RUST_DEPS_DIR/
+wget -O - https://github.com/signalapp/serde_json/archive/$SERDE_JSON_GIT_REV.tar.gz | tar -xzf - -C $RUST_DEPS_DIR/unpack/
+mv $RUST_DEPS_DIR/unpack/serde_json-$SERDE_JSON_GIT_REV $RUST_DEPS_DIR/
+wget -O - https://github.com/signalapp/snow/archive/$SNOW_GIT_REV.tar.gz | tar -xzf - -C $RUST_DEPS_DIR/unpack/
+mv $RUST_DEPS_DIR/unpack/snow-$SNOW_GIT_REV $RUST_DEPS_DIR/
+wget -O - https://github.com/briansmith/webpki/archive/$WEBPKI_GIT_REV.tar.gz | tar -xzf - -C $RUST_DEPS_DIR/unpack/
+mv $RUST_DEPS_DIR/unpack/webpki-$WEBPKI_GIT_REV $RUST_DEPS_DIR/
+rmdir $RUST_DEPS_DIR/unpack
+
+mkdir -p src/build
+ln -s $(pwd)/rust_deps src/build/rust_deps

enclave/sgx_enclave.mk

@@ -7,115 +7,32 @@ export USE_OPT_LIBS
 ## linux sdk
 ##
 
-# https://github.com/intel/linux-sgx/releases/tag/sgx_2.17
-SGX_SDK_SOURCE_GIT_REV  ?= effae6280234302a12169f89c561b96e54d80723
-
-# https://github.com/intel/SGXDataCenterAttestationPrimitives/releases/tag/DCAP_1.14
-SGX_DCAP_SOURCE_GIT_REV ?= 68a77a852cd911a44a97733aec870e9bd93a3b86
-
-export SGX_SDK_SOURCE_DIR = $(builddir)/linux-sgx/linux-sgx-$(SGX_SDK_SOURCE_GIT_REV)
-export SGX_SDK_SOURCE_INCLUDEDIR = $(SGX_SDK_SOURCE_DIR)/common/inc
-export SGX_SDK_SOURCE_LIBDIR = $(SGX_SDK_SOURCE_DIR)/build/linux
-
-ifneq ($(SGX_SDK_DIR),)
-SGX_LIBDIR = $(SGX_SDK_DIR)/lib64
-SGX_INCLUDEDIR = $(SGX_SDK_DIR)/include
-endif
-
-SGX_INCLUDEDIR ?= $(SGX_SDK_SOURCE_INCLUDEDIR)
-export SGX_INCLUDEDIR
-SGX_LIBDIR ?= $(SGX_SDK_SOURCE_LIBDIR)
+SGX_DIR ?= $$HOME/linux-sgx
+SGX_LIBDIR ?= $(SGX_DIR)/lib
+SGX_INCLUDEDIR ?= $(SGX_DIR)/include
+SGX_BINDIR ?= $(SGX_DIR)/bin
+SGX_EDGER8R ?= $(SGX_BINDIR)/sgx_edger8r
+SGX_SIGN ?= $(SGX_BINDIR)/sgx_sign
 export SGX_LIBDIR
-SGX_SIGN ?= $(SGX_SDK_SOURCE_LIBDIR)/sgx_sign
-SGX_EDGER8R ?= $(SGX_SDK_SOURCE_LIBDIR)/sgx_edger8r
-SGX_SDK_MAKE = env -u LDFLAGS -u CPPFLAGS CFLAGS="-D_TLIBC_USE_REP_STRING_ -fno-jump-tables -mno-red-zone -mindirect-branch-register -Wno-error=implicit-fallthrough" $(MAKE)
-
-$(SGX_SDK_SOURCE_INCLUDEDIR): | $(SGX_SDK_SOURCE_DIR)
-
-$(SGX_SDK_SOURCE_LIBDIR)/libsgx_trts_sim.a: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/sdk simulation
-$(SGX_SDK_SOURCE_LIBDIR)/libsgx_%.a: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/sdk $*
-$(SGX_SDK_SOURCE_DIR)/sdk/selib/linux/libselib.a: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/sdk selib
-$(SGX_SDK_SOURCE_LIBDIR)/libsgx_urts_sim.so: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/psw simulation
-$(SGX_SDK_SOURCE_LIBDIR)/libsgx_%.so: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/psw $*
-$(SGX_SDK_SOURCE_LIBDIR)/sgx_sign: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/sdk signtool
-$(SGX_SDK_SOURCE_LIBDIR)/sgx_edger8r: | $(SGX_SDK_SOURCE_DIR)
-	$(SGX_SDK_MAKE) -C $(SGX_SDK_SOURCE_DIR)/sdk edger8r
-
-$(builddir)/libsgx_%.a: $(SGX_LIBDIR)/libsgx_%.a
-	ar mD $< $$(ar t $< | env -u LANG LC_ALL=C sort)
-	cp $< $@
-$(builddir)/libsgx_%.so: $(SGX_LIBDIR)/libsgx_%.so
-	cp $< $@ #XXX Need to sort the symbols for reproducability.
-$(builddir)/libselib.a: $(SGX_SDK_SOURCE_DIR)/sdk/selib/linux/libselib.a
-	ar mD $< $$(ar t $< | env -u LANG LC_ALL=C sort)
-	cp $< $@
-
-SGX_SDK_SOURCE_UNPACK_DIR  = $(builddir)/linux-sgx/unpack/linux-sgx-$(SGX_SDK_SOURCE_GIT_REV)
-SGX_DCAP_SOURCE_UNPACK_DIR = $(builddir)/linux-sgx/unpack/SGXDataCenterAttestationPrimitives-$(SGX_DCAP_SOURCE_GIT_REV)
-
-$(builddir)/linux-sgx/linux-sgx-$(SGX_SDK_SOURCE_GIT_REV):
-	rm -rf $(builddir)/linux-sgx/unpack/
-	mkdir -p $(builddir)/linux-sgx/unpack/
-	wget -O - https://github.com/intel/linux-sgx/archive/$(SGX_SDK_SOURCE_GIT_REV).tar.gz \
-		| tar -xzf - -C $(builddir)/linux-sgx/unpack/
-	wget -O - https://github.com/intel/SGXDataCenterAttestationPrimitives/archive/$(SGX_DCAP_SOURCE_GIT_REV).tar.gz \
-		| tar -xzf - -C $(builddir)/linux-sgx/unpack/
-	mv $(SGX_DCAP_SOURCE_UNPACK_DIR) $(SGX_SDK_SOURCE_UNPACK_DIR)/external/dcap_sources
-	patch -d $(SGX_SDK_SOURCE_UNPACK_DIR) -p 1 -T < $(patchdir)/linux-sgx-rep-stringops.patch
-	patch -d $(SGX_SDK_SOURCE_UNPACK_DIR) -p 1 -T < $(patchdir)/linux-sgx-rep-bcmp.patch
-	mv $(SGX_SDK_SOURCE_UNPACK_DIR) $@
+export SGX_INCLUDEDIR
 
 ##
 ## edger8r
 ##
 
-%_t.c: %.edl %_t.h | $(SGX_EDGER8R)
+%_t.c: %.edl %_t.h
 	mv $*_t.h $*_t.h.bak
 	 $(SGX_EDGER8R) --trusted --trusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) $<; RES=$$?; mv $*_t.h.bak $*_t.h; exit $$RES
-%_t.h: %.edl | $(SGX_EDGER8R)
+%_t.h: %.edl
 	 $(SGX_EDGER8R) --trusted --trusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) --header-only $<
 
-%_u.c: %.edl %_u.h | $(SGX_EDGER8R)
+%_u.c: %.edl %_u.h
 	mv $*_u.h $*_u.h.bak
 	$(SGX_EDGER8R) --untrusted --untrusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) $<; RES=$$?; mv $*_u.h.bak $*_u.h; exit $$RES
-%_u.h: %.edl | $(SGX_EDGER8R)
+%_u.h: %.edl
 	 $(SGX_EDGER8R) --untrusted --untrusted-dir $(dir $@) --search-path $(SGX_INCLUDEDIR) --search-path $(includedir) --header-only $<
 
-##
-## BOLT
-##
-
-LLVM_BOLT ?= $(builddir)/bin/llvm-bolt
-BOLT_DIR   = $(builddir)/bolt
-
-BOLT_GIT_REV      = 130d2c758964950cf713bddef123104b41642161
-BOLT_SRC_DIR      = $(BOLT_DIR)/llvm-bolt-$(BOLT_GIT_REV)
-BOLT_LLVM_GIT_REV = f137ed238db11440f03083b1c88b7ffc0f4af65e
-BOLT_LLVM_SRC_DIR = $(BOLT_DIR)/llvm-$(BOLT_LLVM_GIT_REV)
-
-$(BOLT_SRC_DIR):
-	mkdir -p $(BOLT_DIR)
-	-rm -r $(BOLT_LLVM_SRC_DIR)
-	wget -O - https://github.com/llvm-mirror/llvm/archive/$(BOLT_LLVM_GIT_REV).tar.gz \
-		| tar -xzf -  -C $(BOLT_DIR)
-	wget -O - https://github.com/signalapp/BOLT/archive/$(BOLT_GIT_REV).tar.gz \
-		| tar -xzf - -C $(BOLT_LLVM_SRC_DIR)/tools
-	mv $(BOLT_LLVM_SRC_DIR)/tools/BOLT-$(BOLT_GIT_REV) $(BOLT_LLVM_SRC_DIR)/tools/llvm-bolt
-	patch -d $(BOLT_LLVM_SRC_DIR) -p 1 -T < $(BOLT_LLVM_SRC_DIR)/tools/llvm-bolt/llvm.patch
-	mv $(BOLT_LLVM_SRC_DIR) $@
-$(builddir)/bin/llvm-bolt: | $(BOLT_SRC_DIR)
-	mkdir -p $(BOLT_DIR)/build
-	@( cd $(BOLT_DIR)/build && \
-	   cmake -G Ninja $(CURDIR)/$(BOLT_SRC_DIR) -DLLVM_TARGETS_TO_BUILD="X86" -DCMAKE_BUILD_TYPE=Release && \
-	   ninja )
-	mkdir -p $(builddir)/bin
-	strip -o $@ $(BOLT_DIR)/build/bin/llvm-bolt
+LLVM_BOLT ?= llvm-bolt
 
 ##
 ## pyxed/Intel Xed
@@ -147,7 +64,7 @@ ENCLAVE_CFLAGS = -fvisibility=hidden -fPIC -I$(SGX_INCLUDEDIR)/tlibc -fno-jump-t
 
 ENCLAVE_LDFLAGS = \
 	-Wl,-z,relro,-z,now,-z,noexecstack \
-	-Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(builddir) \
+	-Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(builddir) -L$(SGX_LIBDIR) \
 	-Wl,--whole-archive -lsgx_trts -Wl,--no-whole-archive \
 	-Wl,--start-group -lsgx_tstdc -lselib -Wl,--end-group \
 	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-allow-shlib-undefined \
@@ -155,11 +72,11 @@ ENCLAVE_LDFLAGS = \
 	-Wl,--defsym,__ImageBase=0 -Wl,--emit-relocs
 
 $(builddir)/lib%.unstripped.so: CFLAGS += $(ENCLAVE_CFLAGS)
-$(builddir)/lib%.unstripped.so: $(builddir)/%_t.o $(builddir)/libsgx_trts.a $(builddir)/libselib.a $(builddir)/libsgx_tstdc.a
+$(builddir)/lib%.unstripped.so: $(builddir)/%_t.o
 	$(CC) $(LDFLAGS) -o $@ $(filter %.o,$^) $(LDLIBS) \
 		$(ENCLAVE_LDFLAGS) -Wl,--version-script=lib$*.lds -Wl,-soname,lib$*.so
 
-$(builddir)/%.hardened.unstripped.so: $(builddir)/%.unstripped.so | $(LLVM_BOLT)
+$(builddir)/%.hardened.unstripped.so: $(builddir)/%.unstripped.so
 	$(LLVM_BOLT) -trap-old-code -use-gnu-stack -update-debug-sections -update-end -v=2 \
 		-skip-funcs=$(shell cat bolt_skip_funcs.txt) \
 		-eliminate-unreachable=0 -strip-rep-ret=0 -simplify-conditional-tail-calls=0 \
@@ -192,9 +109,9 @@ $(builddir)/%.unsigned.so: $(builddir)/%.unstripped.so
 	cp $< $@
 %.debug.config.xml: %.config.xml
 	sed -e 's@<DisableDebug>1</DisableDebug>@<DisableDebug>0</DisableDebug>@' $< > $@
-$(builddir)/%.debug.signdata: $(builddir)/%.unstripped.so %.debug.config.xml | $(SGX_SIGN)
+$(builddir)/%.debug.signdata: $(builddir)/%.unstripped.so %.debug.config.xml
 	$(SGX_SIGN) gendata -out $@ -enclave $(builddir)/$*.unstripped.so -config $*.debug.config.xml
-$(builddir)/%.debug.so: $(builddir)/%.unstripped.so $(builddir)/%.debug.signdata %.debug.config.xml %.debug.pub $(builddir)/%.debug.sig | $(SGX_SIGN)
+$(builddir)/%.debug.so: $(builddir)/%.unstripped.so $(builddir)/%.debug.signdata %.debug.config.xml %.debug.pub $(builddir)/%.debug.sig
 	$(SGX_SIGN) catsig \
 		-out $@ \
 		-enclave $(builddir)/$*.unstripped.so \
@@ -211,14 +128,14 @@ $(builddir)/%.debug.so: $(builddir)/%.unstripped.so $(builddir)/%.debug.signdata
 $(builddir)/%.test.unsigned.so: $(builddir)/%.unsigned.so
 	cp $< $@
 
-$(builddir)/%.signdata: $(builddir)/%.unsigned.so %.config.xml | $(SGX_SIGN)
+$(builddir)/%.signdata: $(builddir)/%.unsigned.so %.config.xml
 	$(SGX_SIGN) gendata -out $@ -enclave $(builddir)/$*.unsigned.so -config $*.config.xml
 $(builddir)/%.mrenclave: $(builddir)/%.signdata
 	perl -e 'undef $$/; print unpack("x188 H64", <>);' $< > $@
 	@echo mrenclave: $$(cat $@)
 $(builddir)/%.sig: $(builddir)/%.signdata %.key
 	openssl dgst -sha256 -out $@ -sign $*.key $(builddir)/$*.signdata
-$(builddir)/%.signed.so: $(builddir)/%.unsigned.so $(builddir)/%.signdata %.config.xml %.pub $(builddir)/%.sig | $(SGX_SIGN)
+$(builddir)/%.signed.so: $(builddir)/%.unsigned.so $(builddir)/%.signdata %.config.xml %.pub $(builddir)/%.sig
 	$(SGX_SIGN) catsig \
 		-out $@ \
 		-enclave $(builddir)/$*.unsigned.so \

enclave/sgxsd_ffi/src/bindgen_wrapper.rs

@@ -2506,7 +2506,7 @@ pub struct br_hash_class_ {
     #[doc = ""]
     #[doc = " This method saves the current running state into the `dst`"]
     #[doc = " buffer. What constitutes the \"running state\" depends on the"]
-    #[doc = " hash function; for Merkle-Damgård hash functions (like"]
+    #[doc = " hash function; for Merkle-Damg\u{e5}rd hash functions (like"]
     #[doc = " MD5 or SHA-1), this is the output obtained after processing"]
     #[doc = " each block. The number of bytes injected so far is returned."]
     #[doc = " The context is not modified by this call."]