Skip to content

Dockerfile for PPID retrieval tool #291

Dockerfile for PPID retrieval tool

Dockerfile for PPID retrieval tool #291

Workflow file for this run

name: CI
on:
pull_request:
paths-ignore:
- '*.md'
- 'LICENSE'
branches:
- master
# This CI will be triigerred on any merge_group events
merge_group:
env:
RUST_BACKTRACE: 1
CARGO_TERM_COLOR: always
CARGO_INCREMENTAL: 0
CARGO_NET_RETRY: 10
CFLAGS_x86_64_fortanix_unknown_sgx: "-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
CC_x86_64_fortanix_unknown_sgx: clang-11
jobs:
test:
name: Build+Test
runs-on: ubuntu-20.04
env:
# PCS_API_KEY: Raoul Strackx' personal access key. Only used here, and only provides access to the Intel PCS service, which is public anyway
PCS_API_KEY: ${{ secrets.PCS_API_KEY }}
steps:
- uses: actions/checkout@v4
- name: Install additional dependencies
run: |
# install gpg
sudo apt-get update -y && sudo apt install -y gpg
# Add intel-sgx package repository, key is download from https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
cat intel-sgx-deb.key | gpg --dearmor | sudo tee /usr/share/keyrings/intel-sgx-deb.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/intel-sgx-deb.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" | sudo tee /etc/apt/sources.list.d/intel-sgx-deb.list > /dev/null
# Add llbm package repository, key is download from https://apt.llvm.org/llvm-snapshot.gpg.key
cat llvm-snapshot.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/llvm-snapshot.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/llvm-snapshot.gpg] http://apt.llvm.org/focal/ llvm-toolchain-focal-11 main" | sudo tee /etc/apt/sources.list.d/llvm-snapshot.list > /dev/null
# Install dependencies for build & test
sudo apt-get update -y
sudo apt-get install -y faketime protobuf-compiler libsgx-dcap-ql-dev clang-11 musl-tools gcc-multilib
- name: Setup Rust toolchain
run: |
rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl
rustup toolchain add nightly
rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
rustup update
- name: Cargo test --all --exclude sgxs-loaders
run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ]
- name: cargo test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
- name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
- name: Cargo test -p dcap-ql --features link
run: cargo test --verbose --locked -p dcap-ql --features link
- name: Cargo test -p dcap-ql --features verify
run: cargo test --verbose --locked -p dcap-ql --features verify
- name: Cargo test -p ias --features mbedtls
run: cargo test --verbose --locked -p ias --features mbedtls
- name: Cargo test -p ias --features client,mbedtls
run: cargo test --verbose --locked -p ias --features client,mbedtls
# uses backtrace, which still requires nightly on SGX
- name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx
run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx
# uses sgxstd feature
- name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
- name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
- name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx
run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run
- name: Nightly test -p pcs --features verify
run: cargo +nightly test --verbose --locked -p pcs --features verify
# Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a segmentation
# fault while compiling. We only execute `faketime` during the tests
#- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
- name: Cargo test nitro-attestation-verify with faketime
run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
- name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl
# NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary. It is unlikely that this would produce a working binary anyway.
run: |
mkdir -p /tmp/muslinclude
ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl
PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl
- name: Build em-app, get-certificate for x86_64-unknown-linux-musl
run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl
- name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx
run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx
- name: Generate API docs
run: ./doc/generate-api-docs.sh
- name: Run memory allocator stress test
run: cd ./examples/mem-alloc-test && cargo run
- name: snmalloc correntness test
run: cd ./examples/mem-correctness-test && cargo run