SGX simulation build (#196)

- Added simulator-only seal and unseal implementations (seal/unseal is unsupported in simulation mode and errors out)
- Added simulation build script
- Added separate simulation configuration file
- Ignoring SGX data files

.gitignore

@@ -22,3 +22,6 @@
 # Ignore fuzz artifacts
 firmware/fuzz/.coverage-build
 firmware/fuzz/output
+
+# Ignore SGX data files
+**/kvstore-*.dat

firmware/build/build-sgx

@@ -1,5 +1,15 @@
 #! /usr/bin/env bash
 
+BUILD_TARGET=build
+if [[ "$(basename $0)" == "build-sgx-debug" ]]; then
+    BUILD_TARGET=build-debug
+elif [[ "$(basename $0)" == "build-sgx-sim" ]]; then
+    BUILD_TARGET=build-sim
+elif [[ "$(basename $0)" != "build-sgx" ]]; then
+    echo "Invalid build script"
+    exit 1
+fi
+
 if [[ $# -lt 3 ]]; then
     echo "Usage: $0 <checkpoint> <minimum_difficulty> <network>"
     exit 1
@@ -25,10 +35,6 @@ HSM_ROOT=$(realpath $BUILD_ROOT/../../)
 DOCKER_IMAGE=hsm:sgx
 source $BUILD_ROOT/../../docker/check-image
 
-BUILD_TARGET=build
-if [[ "$(basename $0)" == "build-sgx-debug" ]]; then
-    BUILD_TARGET=build-debug
-fi
 BUILD_CMD="\$SGX_ENVSETUP && make clean $BUILD_TARGET CHECKPOINT=$1 TARGET_DIFFICULTY=$2 NETWORK=$NETWORK"
 
 DOCKER_USER="$(id -u):$(id -g)"

firmware/build/build-sgx-debug

@@ -0,0 +1 @@
+build-sgx

firmware/build/build-sgx-sim

@@ -0,0 +1 @@
+build-sgx

firmware/src/hal/sgx/src/trusted/secret_store.c

@@ -74,6 +74,7 @@ typedef struct {
 static uint8_t unseal_data(const sealed_secret_t* sealed_secret,
                            uint8_t* dest,
                            size_t dest_length) {
+#ifndef SIM_BUILD
     if (sealed_secret->blob_size > MAX_BLOB_SIZE) {
         LOG("Sealed blob size is too large\n");
         goto unseal_data_error;
@@ -107,6 +108,25 @@ static uint8_t unseal_data(const sealed_secret_t* sealed_secret,
     if (plaintext)
         oe_free(plaintext);
     return SEST_ERROR;
+#else
+    // *************************************************** //
+    // UNSAFE SIMULATOR-ONLY UNSEAL IMPLEMENTATION         //
+    // NOT FOR PRODUCTION USE                              //
+    if (sealed_secret->blob_size > MAX_BLOB_SIZE) {
+        LOG("Sealed blob size is too large\n");
+        return SEST_ERROR;
+    }
+
+    if (sealed_secret->blob_size > dest_length) {
+        LOG("Unsealed data is too large\n");
+        return SEST_ERROR;
+    }
+
+    platform_memmove(dest, sealed_secret->blob, sealed_secret->blob_size);
+
+    return sealed_secret->blob_size;
+    // *************************************************** //
+#endif
 }
 
 /**
@@ -119,6 +139,7 @@ static uint8_t unseal_data(const sealed_secret_t* sealed_secret,
 static bool seal_data(uint8_t* data,
                       size_t data_length,
                       sealed_secret_t* sealed_secret) {
+#ifndef SIM_BUILD
     uint8_t* blob = NULL;
     size_t blob_size = 0;
     const oe_seal_setting_t settings[] = {OE_SEAL_SET_POLICY(SEAL_POLICY)};
@@ -142,6 +163,16 @@ static bool seal_data(uint8_t* data,
     sealed_secret->blob = blob;
     sealed_secret->blob_size = blob_size;
     return true;
+#else
+    // *************************************************** //
+    // UNSAFE SIMULATOR-ONLY SEAL IMPLEMENTATION           //
+    // NOT FOR PRODUCTION USE                              //
+    sealed_secret->blob = oe_malloc(data_length);
+    memcpy(sealed_secret->blob, data, data_length);
+    sealed_secret->blob_size = data_length;
+    return true;
+    // *************************************************** //
+#endif
 }
 
 // Public API

firmware/src/sgx/Makefile

@@ -111,6 +111,10 @@ build-debug: CFLAGS_COMMON += -DDEBUG_BUILD
 build-debug: CONF_FILE = $(SGX_SRC_DIR)/$(ENCLAVE_NAME)-debug.conf
 build-debug: build
 
+build-sim: CFLAGS_COMMON += -DSIM_BUILD -DDEBUG_BUILD
+build-sim: CONF_FILE = $(SGX_SRC_DIR)/$(ENCLAVE_NAME)-sim.conf
+build-sim: build
+
 check-private-key:
 	@if [ ! -f private.pem ]; then \
 		echo "Private key not found! Please place your private key in a private.pem file."; \

firmware/src/sgx/src/hsm-sim.conf

@@ -0,0 +1,16 @@
+# Copyright (c) Open Enclave SDK contributors.
+# Licensed under the MIT License.
+
+##############################################################################
+## Warning: this configuration file is FOR DEBUGGING PURPOSES ONLY, and should
+## not be used in production environments
+##############################################################################
+
+# Enclave settings:
+Debug=1
+NumHeapPages=1024
+NumStackPages=1024
+NumTCS=1
+ProductID=200
+SecurityVersion=1
+CapturePFGPExceptions=1

firmware/src/sgx/src/untrusted/enclave_provider.c

@@ -29,6 +29,13 @@
 #include "enclave_provider.h"
 #include "log.h"
 
+// Simulation build
+#ifndef SIM_BUILD
+#define CREATE_ENCLAVE_FLAGS 0
+#else
+#define CREATE_ENCLAVE_FLAGS OE_ENCLAVE_FLAG_SIMULATE
+#endif
+
 // Global pointer to the enclave. This should be the only global pointer to the enclave
 static char* G_enclave_path = NULL;
 static oe_enclave_t* G_enclave = NULL;
@@ -48,7 +55,7 @@ oe_enclave_t* epro_get_enclave() {
         LOG("Creating HSM enclave...\n");
         oe_result_t result = oe_create_hsm_enclave(G_enclave_path,
                                                    OE_ENCLAVE_TYPE_AUTO,
-                                                   0, NULL, 0, &enclave);
+                                                   CREATE_ENCLAVE_FLAGS, NULL, 0, &enclave);
         if (OE_OK != result) {
             LOG("Failed to create enclave: oe_result=%u (%s)\n", result, oe_result_str(result));
             return NULL;