Merge pull request #25 from iExecBlockchainComputing/hotfix/1.1.1

Hotfix version 1.1.1

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file.
 
+## [[1.1.1]](https://github.com/iExecBlockchainComputing/iexec-commons-containers/releases/tag/v1.1.1) 2023-09-27
+
+### Bug Fixes
+- Revert PR #23, the official **SGX devices** coming with the **in-kernel SGX driver** since kernel 5.11
+  are not yet supported in SGX enclaves based on the Gramine framework currently in use. (#25)
+
 ## [[1.1.0]](https://github.com/iExecBlockchainComputing/iexec-commons-containers/releases/tag/v1.1.0) 2023-09-26
 
 ### New Features

src/main/java/com/iexec/commons/containers/SgxDriverMode.java

@@ -16,23 +16,42 @@
 
 package com.iexec.commons.containers;
 
+import lombok.Getter;
+
 import javax.annotation.Nonnull;
 
+/**
+ * List of supported SGX drivers and devices.
+ * <p>
+ * Currently, 3 modes are supported:
+ * <ul>
+ * <li>{@code NONE} for no device, the container will not be running in an enclave.
+ * <li>{@code LEGACY} for {@code /dev/isgx} device. This device is created by installing manually the SGX driver in a
+ *     Linux kernel prior to version 5.11.
+ * <li>{@code NATIVE} for {@code /dev/sgx/enclave} and {@code /dev/sgx/provision} devices. Those devices are created
+ *     automatically on compatible hardware where SGX is supported and kernel version is greater than or equal to 5.11.
+ * </ul>
+ * <p>
+ * Since kernel version 5.11, official devices are {@code /dev/sgx_enclave} and {@code /dev/sgx_provision}.
+ * It is not possible to upgrade the {@code NATIVE} driver mode with those devices as we use an old version of the
+ * Gramine framework which does not support them. An upgrade to a newer version of the Gramine framework is required
+ * before updating this enum.
+ *
+ * @see <a href="https://github.com/gramineproject/gramine/blob/2ad54dd52426da115261a26244c10110840f9c83/tools/sgx/is-sgx-available/is_sgx_available.cpp#L172">
+ *      Gramine SGX drivers support</a>
+ */
+@Getter
 public enum SgxDriverMode {
     NONE(),
     LEGACY("/dev/isgx"),
-    NATIVE("/dev/sgx_enclave", "/dev/sgx_provision");
+    NATIVE("/dev/sgx/enclave", "/dev/sgx/provision");
 
     private final String[] devices;
 
     SgxDriverMode(String... driverNames) {
         this.devices = driverNames;
     }
 
-    public String[] getDevices() {
-        return devices;
-    }
-
     /**
      * Returns {@literal false} if given {@link SgxDriverMode} is {@literal null}
      * or {@link SgxDriverMode#NONE}, {@literal true} otherwise.

src/test/java/com/iexec/commons/containers/DockerRunRequestTests.java

@@ -86,15 +86,15 @@ void shouldAddNativeSgxDevices() {
         assertThat(request.getDevices().get(0).getcGroupPermissions())
                 .isEqualTo(SgxUtils.SGX_CGROUP_PERMISSIONS);
         assertThat(request.getDevices().get(0).getPathInContainer())
-                .isEqualTo("/dev/sgx_enclave");
+                .isEqualTo("/dev/sgx/enclave");
         assertThat(request.getDevices().get(0).getPathOnHost())
-                .isEqualTo("/dev/sgx_enclave");
+                .isEqualTo("/dev/sgx/enclave");
         assertThat(request.getDevices().get(1).getcGroupPermissions())
                 .isEqualTo(SgxUtils.SGX_CGROUP_PERMISSIONS);
         assertThat(request.getDevices().get(1).getPathInContainer())
-                .isEqualTo("/dev/sgx_provision");
+                .isEqualTo("/dev/sgx/provision");
         assertThat(request.getDevices().get(1).getPathOnHost())
-                .isEqualTo("/dev/sgx_provision");
+                .isEqualTo("/dev/sgx/provision");
     }
     // endregion