rte 204 insecure time through rdtscp fixed #273
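name: CI

on:
  pull_request:
    paths-ignore:
      - '*.md'
      - 'LICENSE'
    branches:
      - master
  # This CI will also be triggered on any merge_group event.
  merge_group:

# Least privilege for GITHUB_TOKEN: no step in this job pushes, publishes or
# comments, so a read-only token is sufficient.
permissions:
  contents: read

env:
  RUST_BACKTRACE: 1
  CARGO_TERM_COLOR: always
  CARGO_INCREMENTAL: 0
  CARGO_NET_RETRY: 10
  # C code built for the SGX enclave target is compiled with LLVM's LVI
  # (Load Value Injection) hardening, including the experimental inline-asm
  # variant, so enclave binaries carry the mitigation.
  CFLAGS_x86_64_fortanix_unknown_sgx: "-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
  CC_x86_64_fortanix_unknown_sgx: clang-11

jobs:
  test:
    name: Build+Test
    # The focal apt repositories and clang-11 installed below are tied to this image.
    runs-on: ubuntu-20.04
    env:
      # PCS_API_KEY: Raoul Strackx' personal access key. Only used here, and only
      # provides access to the Intel PCS service, which is public anyway.
      # NOTE(review): a job-level env exposes the key to every step; if only
      # some of the test steps talk to PCS, prefer setting it on those steps.
      PCS_API_KEY: ${{ secrets.PCS_API_KEY }}
    steps:
      # NOTE(review): prefer pinning third-party actions to a full commit SHA
      # (tag kept in a trailing comment) rather than the mutable `v4` tag.
      - uses: actions/checkout@v4
      - name: Install additional dependencies
        run: |
          # install gpg
          sudo apt-get update -y && sudo apt-get install -y gpg
          # Add the intel-sgx package repository. The key is checked into this
          # repo and was downloaded from
          # https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
          gpg --dearmor < intel-sgx-deb.key | sudo tee /usr/share/keyrings/intel-sgx-deb.gpg > /dev/null
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/intel-sgx-deb.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" | sudo tee /etc/apt/sources.list.d/intel-sgx-deb.list > /dev/null
          # Add the LLVM package repository. The key is checked into this repo
          # and was downloaded from https://apt.llvm.org/llvm-snapshot.gpg.key
          # The repository is fetched over HTTPS: `signed-by` already protects
          # package integrity, but plain HTTP would still let an on-path party
          # observe and interfere with the download, so use TLS as a second layer.
          gpg --dearmor < llvm-snapshot.gpg.key | sudo tee /usr/share/keyrings/llvm-snapshot.gpg > /dev/null
          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/llvm-snapshot.gpg] https://apt.llvm.org/focal/ llvm-toolchain-focal-11 main" | sudo tee /etc/apt/sources.list.d/llvm-snapshot.list > /dev/null
          # Install dependencies for build & test
          sudo apt-get update -y
          sudo apt-get install -y faketime protobuf-compiler libsgx-dcap-ql-dev clang-11 musl-tools gcc-multilib
      - name: Setup Rust toolchain
        run: |
          rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl
          rustup toolchain add nightly
          rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
          # NOTE(review): `--locked` in the steps below pins crates, but both
          # toolchains float (stable via `rustup update`, nightly unpinned), so
          # builds are not reproducible across runs; a dated nightly and a
          # rust-toolchain file would fix that.
          rustup update
      # The second command checks that sgx-detect carries only a weak (`w`)
      # dynamic reference to __vdso_sgx_enter_enclave — presumably so the binary
      # still loads on kernels whose vDSO lacks that symbol. `echo $(...)`
      # collapses nm's column whitespace to single spaces for the comparison.
      - name: Cargo test --all --exclude sgxs-loaders
        run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ]
      - name: cargo test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
        run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
      - name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
        run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
      - name: Cargo test -p dcap-ql --features link
        run: cargo test --verbose --locked -p dcap-ql --features link
      - name: Cargo test -p dcap-ql --features verify
        run: cargo test --verbose --locked -p dcap-ql --features verify
      - name: Cargo test -p ias --features mbedtls
        run: cargo test --verbose --locked -p ias --features mbedtls
      - name: Cargo test -p ias --features client,mbedtls
        run: cargo test --verbose --locked -p ias --features client,mbedtls
      # uses backtrace, which still requires nightly on SGX
      - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx
        run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx
      # uses sgxstd feature
      - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
        run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
      - name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
        run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
      - name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx
        run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run
      - name: Nightly test -p pcs --features verify
        run: cargo +nightly test --verbose --locked -p pcs --features verify
      # Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a
      # segmentation fault while compiling. We therefore build first and only wrap the test run in `faketime`
      # (the fixed date keeps the certificate chain in the test fixtures inside its validity window).
      #- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
      - name: Cargo test nitro-attestation-verify with faketime
        run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
      - name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl
        # NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary (the linker is
        # replaced by `true`, so this is a compile-only check). It is unlikely that this would produce a working
        # binary anyway.
        run: |
          mkdir -p /tmp/muslinclude
          ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl
          PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl
      - name: Build em-app, get-certificate for x86_64-unknown-linux-musl
        run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl
      - name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx
        run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx
      - name: Generate API docs
        run: ./doc/generate-api-docs.sh
      - name: Run memory allocator stress test
        run: cd ./examples/mem-alloc-test && cargo run
      - name: snmalloc correctness test
        run: cd ./examples/mem-correctness-test && cargo run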