build_occlum_instance.sh
#!/bin/bash
# Builds two Occlum instances for the gRPC RA-TLS demo: ./occlum_client first,
# then ./occlum_server. An optional first argument "musl" selects the
# musl-libc flavour; anything else selects glibc.
# Relative paths (../ra_config_template.json, ../grpc_ratls_*.yaml) are
# resolved from inside each instance directory.
#
# Abort on the first failing command. Bash does not apply this to a command on
# the left of `&&`, nor to a command substitution used as an argument, so the
# security-relevant steps still need their own checks.
set -e
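#######################################
# Print one SGX measurement of a built Occlum instance as a bare hex string.
# Dumps the metadata of the instance's signed LibOS with `sgx_sign dump` into
# ../metadata_info_<instance>.txt and extracts the requested field from it.
# All paths are relative to the caller's working directory.
# Arguments:
#   $1 - instance suffix, e.g. "client" for ../occlum_client
#   $2 - field to print: "mr_enclave" or "mr_signer"
# Outputs:
#   The measurement on stdout, "0x" prefixes and whitespace removed.
# Returns:
#   0 on success; 1 if the dump fails, the field name is unknown, or the
#   extracted value is not 64 hex digits (a 32-byte measurement).
#######################################
function get_mr() {
  local instance=$1
  local field=$2
  local dump_file="../metadata_info_${instance}.txt"
  local -r hex64='^[0-9a-fA-F]{64}$'
  local value

  # Callers capture this function's stdout as the measurement, so any tool
  # output is sent to stderr. A failed dump must stop here: otherwise a dump
  # file left over from an earlier build would be parsed instead.
  sgx_sign dump \
    -enclave "../occlum_${instance}/build/lib/libocclum-libos.signed.so" \
    -dumpfile "$dump_file" >&2 || return 1

  case "$field" in
    mr_enclave)
      # The two lines following the enclave_hash.m header hold the hash bytes.
      value=$(sed -n -e '/enclave_hash.m/,/metadata->enclave_css.body.isv_prod_id/p' "$dump_file" \
        | head -3 | tail -2 | xargs | sed -e 's/0x//g' -e 's/ //g')
      ;;
    mr_signer)
      # The signer measurement is taken from the last two lines of the dump.
      value=$(tail -2 "$dump_file" | xargs | sed -e 's/0x//g' -e 's/ //g')
      ;;
    *)
      printf 'get_mr: unknown field "%s" (expected mr_enclave or mr_signer)\n' "$field" >&2
      return 1
      ;;
  esac

  # The value ends up in a remote-attestation allow-list; refuse to emit
  # anything that is not a complete measurement.
  if [[ ! "$value" =~ $hex64 ]]; then
    printf 'get_mr: could not extract %s for instance "%s" from %s\n' \
      "$field" "$instance" "$dump_file" >&2
    return 1
  fi
  printf '%s\n' "$value"
}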
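#######################################
# Create, configure and build the Occlum instance in ./occlum_$postfix.
# Steps: recreate the workspace, mark the enclave non-debuggable in
# Occlum.json, derive dynamic_config.json (the RA verification policy) from
# ../ra_config_template.json, populate the image with copy_bom, run
# `occlum build`.
# Globals:
#   postfix        (read) - "server" selects the server policy; any other
#                           value selects the client policy
#   libnss_require (read) - "y" to copy host libnss/libresolv (server only)
#   occlum_glibc   (read) - glibc library directory inside the image
# Returns:
#   Non-zero if patching Occlum.json fails or the client measurements cannot
#   be obtained; other failures rely on the script's `set -e`.
#######################################
function build_instance() {
  local bomfile new_json
  local -r hex64='^[0-9a-fA-F]{64}$'

  # 1. Init Occlum Workspace
  # ${postfix:?} keeps an unset postfix from turning this into `rm -rf occlum_`.
  rm -rf -- "occlum_${postfix:?postfix must be set}"
  mkdir "occlum_$postfix"
  pushd "occlum_$postfix"
  occlum init

  # Checked on its own rather than chained with `&&`: in an `&&` chain a jq
  # failure is not caught by `set -e`, and the build would continue with the
  # unmodified Occlum.json from `occlum init`, whose debuggable setting this
  # script would then not control.
  new_json="$(jq '.resource_limits.user_space_size = "500MB" |
                  .metadata.debuggable = false' Occlum.json)" || return 1
  printf '%s\n' "${new_json}" > Occlum.json

  if [ "$postfix" == "server" ]; then
    # Server will verify client's mr_enclave and mr_signer.
    # The client instance must already be built; its measurements are read
    # and validated before they are written into the policy, so an empty or
    # malformed value can never become the pinned identity.
    local client_mr_enclave client_mr_signer mr
    client_mr_enclave=$(get_mr client mr_enclave) || return 1
    client_mr_signer=$(get_mr client mr_signer) || return 1
    for mr in "$client_mr_enclave" "$client_mr_signer"; do
      if [[ ! "$mr" =~ $hex64 ]]; then
        printf 'build_instance: client measurement is not 64 hex digits: "%s"\n' "$mr" >&2
        return 1
      fi
    done

    # Values are passed with --arg so they are always JSON strings and are
    # never parsed as part of the jq program.
    jq --arg mr_enclave "$client_mr_enclave" --arg mr_signer "$client_mr_signer" '
        .verify_mr_enclave = "on" |
        .verify_mr_signer = "on" |
        .verify_isv_prod_id = "off" |
        .verify_isv_svn = "off" |
        .verify_config_svn = "off" |
        .verify_enclave_debuggable = "on" |
        .sgx_mrs[0].mr_enclave = $mr_enclave |
        .sgx_mrs[0].mr_signer = $mr_signer |
        .sgx_mrs[0].debuggable = false ' ../ra_config_template.json > dynamic_config.json

    if [ "$libnss_require" == "y" ]; then
      # NOTE(review): `rm -rf image` below deletes these copies before
      # copy_bom repopulates the image. Confirm the server bom file provides
      # the libraries, or move this step after copy_bom.
      cp /lib/x86_64-linux-gnu/libnss*.so.2 "image/$occlum_glibc"
      cp /lib/x86_64-linux-gnu/libresolv.so.2 "image/$occlum_glibc"
    fi

    bomfile="../grpc_ratls_server.yaml"
  else
    # Client verify only enclave non-debuggable from server.
    # NOTE(review): with mr_enclave and mr_signer checks off, the client does
    # not pin the server's identity; presumably any non-debug enclave that
    # passes quote verification is accepted. For anything beyond a demo,
    # enable verify_mr_signer and/or verify_mr_enclave with the server's
    # values, and consider the isv_svn check to reject outdated builds.
    jq ' .verify_mr_enclave = "off" |
         .verify_mr_signer = "off" |
         .verify_isv_prod_id = "off" |
         .verify_isv_svn = "off" |
         .verify_config_svn = "off" |
         .verify_enclave_debuggable = "on" |
         .sgx_mrs[0].debuggable = false ' ../ra_config_template.json > dynamic_config.json
    bomfile="../grpc_ratls_client.yaml"
  fi

  # Start from an empty image so only what the bom file lists is measured.
  rm -rf image
  copy_bom -f "$bomfile" --root image --include-dir /opt/occlum/etc/template

  occlum build

  popd
}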
# Pick the libc flavour from the first argument. Only the glibc build sets
# the libnss switch and the in-image glibc library directory.
case "$1" in
  musl)
    echo "*** Build musl-libc Occlum instance ***"
    ;;
  *)
    echo "*** Build glibc Occlum instance ***"
    # glibc version requires libnss
    libnss_require="y"
    occlum_glibc=/opt/occlum/glibc/lib/
    ;;
esac

# Order matters: the server's policy embeds the client's measurements, so the
# client instance has to exist before the server is configured.
for postfix in client server; do
  build_instance
done