Remove open-enclave-hostverify dependency in virtual and snp builds (m…

…icrosoft#6423) Co-authored-by: Max Tropets <[email protected]> Co-authored-by: Max <[email protected]>
maxtropets · Aug 6, 2024 · 20965eb · 20965eb
1 parent 5ad32d2
commit 20965eb
Show file tree

Hide file tree

Showing 13 changed files with 6 additions and 68 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -56,7 +56,7 @@ jobs:
           set -ex
           mkdir build
           cd build
-          cmake -DCOMPILE_TARGET=virtual -DREQUIRE_OPENENCLAVE=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
+          cmake -DCOMPILE_TARGET=virtual -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
         name: Run CMake
 
       - run: |

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -716,7 +716,6 @@ elseif(COMPILE_TARGET STREQUAL "snp")
            nghttp2.snp
            ${CMAKE_THREAD_LIBS_INIT}
   )
-  link_openenclave_host(ccf.snp)
 
   set_property(TARGET ccf.snp PROPERTY POSITION_INDEPENDENT_CODE ON)
 
@@ -767,7 +766,6 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
            nghttp2.host
            ${CMAKE_THREAD_LIBS_INIT}
   )
-  link_openenclave_host(ccf.virtual)
 
   set_property(TARGET ccf.virtual PROPERTY POSITION_INDEPENDENT_CODE ON)
 

diff --git a/cmake/ccf_app.cmake b/cmake/ccf_app.cmake
@@ -240,6 +240,5 @@ function(add_host_library name)
   add_library(${name} ${files})
   target_compile_options(${name} PUBLIC ${COMPILE_LIBCXX})
   target_link_libraries(${name} PUBLIC ${LINK_LIBCXX} -lgcc)
-  link_openenclave_host(${name})
   set_property(TARGET ${name} PROPERTY POSITION_INDEPENDENT_CODE ON)
 endfunction()
diff --git a/cmake/common.cmake b/cmake/common.cmake
@@ -10,7 +10,6 @@ function(add_unit_test name)
   )
   enable_coverage(${name})
   target_link_libraries(${name} PRIVATE ${LINK_LIBCXX} ccfcrypto.host -pthread)
-  link_openenclave_host(${name})
   add_san(${name})
 
   add_test(NAME ${name} COMMAND ${name})

diff --git a/cmake/cpack_settings.cmake b/cmake/cpack_settings.cmake
@@ -30,11 +30,7 @@ if(COMPILE_TARGET STREQUAL "sgx")
        "libc++1-11;libc++abi1-11;open-enclave (>=${OE_VERSION})"
   )
 else()
-  list(
-    APPEND
-    CCF_DEB_DEPENDENCIES
-    "libc++1-15;libc++abi1-15;open-enclave-hostverify (>=${OE_VERSION}) | open-enclave (>=${OE_VERSION})"
-  )
+  list(APPEND CCF_DEB_DEPENDENCIES "libc++1-15;libc++abi1-15")
 endif()
 
 list(JOIN CCF_DEB_DEPENDENCIES ", " CPACK_DEBIAN_PACKAGE_DEPENDS)

diff --git a/cmake/open_enclave.cmake b/cmake/open_enclave.cmake
@@ -1,17 +1,7 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the Apache 2.0 License.
 
-# We allow for Open Enclave (and Open Enclave HostVerify) to _not_ be installed,
-# with some limitations (e.g. virtual/snp builds cannot verify sgx attestation
-# reports). This can hopefully be removed by 5.x (see
-# https://github.com/microsoft/CCF/issues/5291).
-option(REQUIRE_OPENENCLAVE "Requires Open Enclave or HostVerify variant" ON)
-
-if(REQUIRE_OPENENCLAVE)
-  if(NOT COMPILE_TARGET STREQUAL "sgx")
-    set(COMPONENT "OEHOSTVERIFY")
-  endif()
-
+if(COMPILE_TARGET STREQUAL "sgx")
   # Find OpenEnclave package
   find_package(OpenEnclave 0.19.7 CONFIG REQUIRED)
 
@@ -52,16 +42,5 @@ if(REQUIRE_OPENENCLAVE)
     endfunction()
 
     set(OE_HOST_LIBRARY openenclave::oehost)
-  else()
-    set(OE_HOST_LIBRARY openenclave::oehostverify)
   endif()
-elseif(COMPILE_TARGET STREQUAL "sgx")
-  message(FATAL_ERROR "Open Enclave is required for SGX target")
 endif()
-
-function(link_openenclave_host name)
-  if(REQUIRE_OPENENCLAVE)
-    target_link_libraries(${name} PUBLIC ${OE_HOST_LIBRARY})
-    target_compile_definitions(${name} PUBLIC SGX_ATTESTATION_VERIFICATION)
-  endif()
-endfunction()
diff --git a/getting_started/setup_vm/app-dev.yml b/getting_started/setup_vm/app-dev.yml
@@ -19,21 +19,10 @@
     - import_role:
         name: az_dcap
         tasks_from: install.yml
-
-    # If OE is already installed, we don't want to install hostverify as they are mutually
-    # exclusive. Non-SGX CCF builds can use either of them.
-    - name: Gather the package facts
-      ansible.builtin.package_facts:
-        manager: auto
     - import_role:
         name: openenclave
         tasks_from: binary_install.yml
-      when: (platform == "sgx") or ("open-enclave" in ansible_facts.packages)
-    - import_role:
-        name: openenclave
-        tasks_from: install_host_verify.yml
-      when: (platform != "sgx") and ("open-enclave" not in ansible_facts.packages)
-
+      when: platform == "sgx"
     - import_role:
         name: ccf_build
         tasks_from: install.yml

diff --git a/getting_started/setup_vm/app-run.yml b/getting_started/setup_vm/app-run.yml
@@ -23,10 +23,6 @@
         name: openenclave
         tasks_from: binary_install.yml
       when: platform == "sgx"
-    - import_role:
-        name: openenclave
-        tasks_from: install_host_verify.yml
-      when: platform != "sgx"
     - import_role:
         name: ccf_install
         tasks_from: deb_install.yml

diff --git a/getting_started/setup_vm/ccf-dev.yml b/getting_started/setup_vm/ccf-dev.yml
@@ -2,7 +2,6 @@
   vars:
     platform: "sgx"
     clang_version: "11"
-    require_open_enclave: true
   tasks:
     - import_role:
         name: llvm_repo
@@ -19,15 +18,11 @@
     - import_role:
         name: az_dcap
         tasks_from: install.yml
-      when: require_open_enclave
+      when: platform == "sgx"
     - import_role:
         name: openenclave
         tasks_from: binary_install.yml
       when: platform == "sgx"
-    - import_role:
-        name: openenclave
-        tasks_from: install_host_verify.yml
-      when: platform != "sgx" and require_open_enclave
     - import_role:
         name: nodejs
         tasks_from: install.yml

diff --git a/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml b/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml
@@ -1,12 +1,6 @@
 - name: Include vars
   include_vars: common.yml
 
-- name: Uninstall Open Enclave Host Verify
-  apt:
-    name: open-enclave-hostverify
-    state: absent
-  become: yes
-
 - name: Install Open Enclave
   apt:
     deb: "{{ oe_deb }}"

diff --git a/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml b/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml
diff --git a/getting_started/setup_vm/roles/openenclave/vars/common.yml b/getting_started/setup_vm/roles/openenclave/vars/common.yml
@@ -12,4 +12,3 @@ oe_build_opts: "-DLVI_MITIGATION=ControlFlow-GNU"
 
 # Binary install
 oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave_{{ oe_ver_ }}_amd64.deb"
-oe_host_verify_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave-hostverify_{{ oe_ver_ }}_amd64.deb"
diff --git a/tests/infra/e2e_args.py b/tests/infra/e2e_args.py
@@ -77,6 +77,7 @@ def cli_args(
         "--oe-binary",
         help="Path to Open Enclave binary folder",
         type=str,
+        nargs="?",
         default="/opt/openenclave/bin/",
     )
     parser.add_argument(