gramineproject · woju · Nov 15, 2024 · Nov 15, 2024 · Nov 15, 2024
diff --git a/.ci/lib/config.jenkinsfile b/.ci/lib/config.jenkinsfile
@@ -12,9 +12,5 @@ env.RA_TLS_ALLOW_HW_CONFIG_NEEDED = '1'
 env.RA_TLS_ALLOW_SW_HARDENING_NEEDED = '1'
 env.RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE = '1'
 
-if (env.RA_TYPE == null) {
-    env.RA_TYPE = 'dcap'
-}
-
 env.LC_ALL = 'C.UTF-8'
 env.LANG = env.LC_ALL
diff --git a/.ci/lib/stage-build-sgx-vm.jenkinsfile b/.ci/lib/stage-build-sgx-vm.jenkinsfile
@@ -57,7 +57,6 @@ stage('build') {
                 -Ddirect=disabled \
                 -Dsgx=enabled \
                 -Dtests=enabled \
-                -Dsgx_driver=upstream \
                 $MESON_OPTIONS
             ninja -vC build/
         '''

diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile
@@ -11,22 +11,6 @@ stage('build') {
     if (env.ASAN == '1') {
         env.MESON_OPTIONS += ' -Dasan=enabled'
     }
-    if (env.RA_TYPE == 'dcap') {
-        env.MESON_OPTIONS += ' -Ddcap=enabled'
-    }
-
-    if (env.SGX_DRIVER == null) {
-        env.SGX_DRIVER = 'upstream'
-    }
-    if (env.SGX_DRIVER == 'oot') {
-        sh '''
-            git clone https://github.com/intel/linux-sgx-driver.git
-            cd linux-sgx-driver
-            git checkout 276c5c6a064d22358542f5e0aa96b1c0ace5d695
-        '''
-
-        env.MESON_OPTIONS += ' -Dsgx_driver_include_path=' + env.WORKSPACE + '/linux-sgx-driver'
-    }
 
     try {
         sh '''
@@ -37,7 +21,6 @@ stage('build') {
                 -Ddirect=disabled \
                 -Dsgx=enabled \
                 -Dtests=enabled \
-                -Dsgx_driver="$SGX_DRIVER" \
                 $MESON_OPTIONS
             ninja -vC build/
         '''

diff --git a/.ci/lib/stage-clean-check.jenkinsfile b/.ci/lib/stage-clean-check.jenkinsfile
@@ -20,9 +20,6 @@ stage('clean-check') {
         # root, and keeps cache there
         rm -rf .pytest_cache
 
-        # We downloaded the OOT SGX driver during build stage
-        rm -rf linux-sgx-driver
-
         make -C libos/test/regression clean
         make -C libos/test/fs clean
 
@@ -67,7 +64,6 @@ stage('clean-check') {
      * Gramine source tree.
      */
     sh 'rm -rf "$PREFIX"'
-    sh 'rm -rf linux-sgx-driver'
     sh '''
         ./scripts/gitignore-test
     '''

diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile
@@ -24,7 +24,7 @@ stage('test-sgx') {
     timeout(time: 10, unit: 'MINUTES') {
         sh '''
             cd CI-Examples/python
-            make ${MAKEOPTS} RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid}
+            make ${MAKEOPTS}
             make ${MAKEOPTS} check
         '''
     }
@@ -119,24 +119,8 @@ stage('test-sgx') {
             export RA_TLS_MRENCLAVE=any
             export RA_TLS_ISV_PROD_ID=any
             export RA_TLS_ISV_SVN=any
-            if [ "${RA_TYPE}" = "epid" ]; then \
-                if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \
-                then \
-                    make check_epid RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \
-                        RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \
-                    make check_epid_fail RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \
-                        RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \
-                else \
-                    echo "Failure: no ra_client_spid and/or ra_client_key!"; \
-                    exit 1; \
-                fi \
-            elif [ "${RA_TYPE}" = "dcap" ]; then \
-                make check_dcap RA_TYPE=dcap; \
-                make check_dcap_fail RA_TYPE=dcap; \
-            else \
-                echo "Invalid RA_TYPE env variable: ${RA_TYPE}"; \
-                exit 1; \
-            fi
+            make check_dcap
+            make check_dcap_fail
         '''
     }
     timeout(time: 5, unit: 'MINUTES') {
@@ -146,21 +130,7 @@ stage('test-sgx') {
             export RA_TLS_MRENCLAVE=any
             export RA_TLS_ISV_PROD_ID=any
             export RA_TLS_ISV_SVN=any
-            if [ "${RA_TYPE}" = "epid" ]; then \
-                if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \
-                then \
-                    make check_epid RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \
-                        RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \
-                else \
-                    echo "Failure: no ra_client_spid and/or ra_client_key!"; \
-                    exit 1; \
-                fi \
-            elif [ "${RA_TYPE}" = "dcap" ]; then \
-                make check_dcap RA_TYPE=dcap; \
-            else \
-                echo "Invalid RA_TYPE env variable: ${RA_TYPE}"; \
-                exit 1; \
-            fi
+            make check_dcap
         '''
     }
     timeout(time: 5, unit: 'MINUTES') {
@@ -170,21 +140,7 @@ stage('test-sgx') {
             export RA_TLS_MRENCLAVE=any
             export RA_TLS_ISV_PROD_ID=any
             export RA_TLS_ISV_SVN=any
-            if [ "${RA_TYPE}" = "epid" ]; then \
-                if [ "${ra_client_spid}" != "" ] && [ "${ra_client_key}" != "" ]; \
-                then \
-                    make check RA_TYPE=epid RA_CLIENT_SPID=${ra_client_spid} \
-                        RA_TLS_EPID_API_KEY=${ra_client_key} RA_CLIENT_LINKABLE=0; \
-                else \
-                    echo "Failure: no ra_client_spid and/or ra_client_key!"; \
-                    exit 1; \
-                fi \
-            elif [ "${RA_TYPE}" = "dcap" ]; then \
-                make check; \
-            else \
-                echo "Invalid RA_TYPE env variable: ${RA_TYPE}"; \
-                exit 1; \
-            fi
+            make check
         '''
     }
 }
diff --git a/.ci/lib/stage-test.jenkinsfile b/.ci/lib/stage-test.jenkinsfile
@@ -15,8 +15,7 @@ stage('test') {
         try {
             sh '''
                 cd libos/test/regression
-                RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid} \
-                    gramine-test -n tests${GRAMINE_MUSL+_musl}.toml build -v
+                gramine-test -n tests${GRAMINE_MUSL+_musl}.toml build -v
                 python3 -m pytest -v --junit-xml libos-regression.xml
             '''
         } finally {

diff --git a/.gitignore b/.gitignore
@@ -30,9 +30,7 @@ __pycache__
 # sgx
 *.manifest.sgx
 *.sig
-*.token
 *.cached
-.output.sgx_get_token.*
 .output.sgx_sign.*
 
 # gnu global

diff --git a/.pylintrc b/.pylintrc
@@ -168,7 +168,6 @@ ignored-classes=
 # and thus existing member attributes cannot be deduced by static analysis. It
 # supports qualified module names, as well as Unix pattern matching.
 ignored-modules=
-    aesm_pb2,
 
 # Show a hint with possible names when a member name was not found. The aspect
 # of finding the hint is based on edit distance.

diff --git a/CI-Examples/.gitignore b/CI-Examples/.gitignore
@@ -1,7 +1,6 @@
 *.manifest
 *.manifest.sgx
 *.sig
-*.token
 *.o
 *~
 *.swp
diff --git a/CI-Examples/README.md b/CI-Examples/README.md
@@ -45,8 +45,8 @@ addition, your application sample should have the following elements:
   command. If your application needs extra building steps, please document them
   in the `README.md`. In addition, we ask you to provide sufficient comments in
   the `Makefile` to help users understand the build process. If your application
-  also runs on Gramine-SGX, please include the commands for signing and
-  retrieving the token in the `Makefile`.
+  also runs on Gramine-SGX, please include the command for signing in the
+  `Makefile`.
 
 - Manifest:
   Please provide the manifest needed for running your application sample. Do not

diff --git a/CI-Examples/bash/Makefile b/CI-Examples/bash/Makefile
@@ -63,7 +63,7 @@ regression: all
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT scripts/testdir/*
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT scripts/testdir/*
 
 .PHONY: distclean
 distclean: clean
diff --git a/CI-Examples/blender/Makefile b/CI-Examples/blender/Makefile
@@ -65,8 +65,7 @@ check: all
 .PHONY: clean
 clean:
 	$(RM) -r \
-		$(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig \
-		blender.token
+		$(RUN_DIR) $(DATA_DIR)/images blender.manifest blender.manifest.sgx blender.sig
 
 .PHONY: distclean
 distclean: clean

diff --git a/CI-Examples/busybox/Makefile b/CI-Examples/busybox/Makefile
@@ -9,9 +9,7 @@ else
 GRAMINE_LOG_LEVEL = error
 endif
 
-RA_TYPE ?= none
-RA_CLIENT_SPID ?=
-RA_CLIENT_LINKABLE ?= 0
+RA_TYPE ?= dcap
 
 .PHONY: all
 all: busybox.manifest
@@ -24,8 +22,6 @@ busybox.manifest: busybox.manifest.template
 		-Dbusybox=$(BUSYBOX) \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Dra_type=$(RA_TYPE) \
-		-Dra_client_spid=$(RA_CLIENT_SPID) \
-		-Dra_client_linkable=$(RA_CLIENT_LINKABLE) \
 		$< > $@
 
 busybox.manifest.sgx busybox.sig &: busybox.manifest
@@ -47,7 +43,7 @@ check: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest OUTPUT
+	$(RM) *.sig *.manifest.sgx *.manifest OUTPUT
 
 .PHONY: distclean
 distclean: clean
diff --git a/CI-Examples/busybox/README.md b/CI-Examples/busybox/README.md
@@ -26,20 +26,6 @@ a working DCAP setup. Then build the example as follows:
 make SGX=1 RA_TYPE=dcap
 ```
 
-Otherwise, you will probably want to use EPID attestation. For this, you will
-additionally need to provide an SPID and specify whether it is set up for
-linkable quotes or not:
-```
-make SGX=1 RA_TYPE=epid RA_CLIENT_SPID=12345678901234567890123456789012 \
-    RA_CLIENT_LINKABLE=0
-```
-
-The above dummy values will suffice for simple experiments, but if you wish to
-generate real SGX quotes, you will need to provide an [SPID recognized by
-Intel][spid].
-
-[spid]: https://gramine.readthedocs.io/en/stable/sgx-intro.html#term-spid
-
 # Quick Start
 
 ```sh

diff --git a/CI-Examples/busybox/busybox.manifest.template b/CI-Examples/busybox/busybox.manifest.template
@@ -26,8 +26,6 @@ sgx.debug = true
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
 
 sgx.remote_attestation = "{{ ra_type }}"
-sgx.ra_client_spid = "{{ ra_client_spid }}"
-sgx.ra_client_linkable = {{ 'true' if ra_client_linkable == '1' else 'false' }}
 
 sgx.trusted_files = [
   "file:{{ busybox }}",

diff --git a/CI-Examples/helloworld/Makefile b/CI-Examples/helloworld/Makefile
@@ -47,7 +47,7 @@ check: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest helloworld.o helloworld OUTPUT
+	$(RM) *.sig *.manifest.sgx *.manifest helloworld.o helloworld OUTPUT
 
 .PHONY: distclean
 distclean: clean
diff --git a/CI-Examples/lighttpd/Makefile b/CI-Examples/lighttpd/Makefile
@@ -108,7 +108,7 @@ start-gramine-server: all
 .PHONY: clean
 clean:
 	$(RM) \
-		*.manifest *.manifest.sgx *.token *.sig OUTPUT result-* $(CONF_FILES)
+		*.manifest *.manifest.sgx *.sig OUTPUT result-* $(CONF_FILES)
 
 .PHONY: distclean
 distclean: clean

diff --git a/CI-Examples/memcached/Makefile b/CI-Examples/memcached/Makefile
@@ -64,7 +64,7 @@ start-gramine-server: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest memcached .lck
+	$(RM) *.sig *.manifest.sgx *.manifest memcached .lck
 
 .PHONY: distclean
 distclean: clean

diff --git a/CI-Examples/nginx/Makefile b/CI-Examples/nginx/Makefile
@@ -128,7 +128,7 @@ start-gramine-server: all
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT result-* tmp nginx_args
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT result-* tmp nginx_args
 
 .PHONY: distclean
 distclean: clean

diff --git a/CI-Examples/python/Makefile b/CI-Examples/python/Makefile
@@ -15,18 +15,14 @@ ifeq ($(SGX),1)
 all: python.manifest.sgx python.sig
 endif
 
-RA_TYPE ?= none
-RA_CLIENT_SPID ?=
-RA_CLIENT_LINKABLE ?= 0
+RA_TYPE ?= dcap
 
 python.manifest: python.manifest.template
 	gramine-manifest \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
 		-Darch_libdir=$(ARCH_LIBDIR) \
 		-Dentrypoint=$(realpath $(shell sh -c "command -v python3")) \
 		-Dra_type=$(RA_TYPE) \
-		-Dra_client_spid=$(RA_CLIENT_SPID) \
-		-Dra_client_linkable=$(RA_CLIENT_LINKABLE) \
 		$< >$@
 
 python.manifest.sgx python.sig &: python.manifest
@@ -48,7 +44,7 @@ endif
 
 .PHONY: clean
 clean:
-	$(RM) *.manifest *.manifest.sgx *.token *.sig OUTPUT* *.PID TEST_STDOUT TEST_STDERR
+	$(RM) *.manifest *.manifest.sgx *.sig OUTPUT* *.PID TEST_STDOUT TEST_STDERR
 	$(RM) -r scripts/__pycache__
 
 .PHONY: distclean

diff --git a/CI-Examples/python/README.md b/CI-Examples/python/README.md
@@ -30,21 +30,6 @@ a working DCAP setup. Then build the example as follows:
 make SGX=1 RA_TYPE=dcap
 ```
 
-Otherwise, you will probably want to use EPID attestation. For this, you will
-additionally need to provide an SPID and specify whether it is set up for
-linkable quotes or not:
-
-```
-make SGX=1 RA_TYPE=epid RA_CLIENT_SPID=12345678901234567890123456789012 \
-    RA_CLIENT_LINKABLE=0
-```
-
-The above dummy values will suffice for simple experiments, but if you wish to
-run `sgx-quote.py` and verify the output, you will need to provide an
-[SPID recognized by Intel][spid].
-
-[spid]: https://gramine.readthedocs.io/en/stable/sgx-intro.html#term-spid
-
 # Run Python with Gramine
 
 Here's an example of running Python scripts under Gramine:

diff --git a/CI-Examples/python/python.manifest.template b/CI-Examples/python/python.manifest.template
@@ -40,8 +40,6 @@ sgx.enclave_size = "1G"
 sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '32' }}
 
 sgx.remote_attestation = "{{ ra_type }}"
-sgx.ra_client_spid = "{{ ra_client_spid }}"
-sgx.ra_client_linkable = {{ 'true' if ra_client_linkable == '1' else 'false' }}
 
 sgx.trusted_files = [
   "file:{{ entrypoint }}",