Remove GSC

This is unused, untested and in bad shape.

.ci/run-pylint

@@ -10,6 +10,4 @@ find . -name \*.py \
 | xargs pylint3 "$@" \
     Pal/src/host/Linux-SGX/signer/pal-sgx-get-token \
     Pal/src/host/Linux-SGX/signer/pal-sgx-sign \
-    Tools/gen_manifest \
-    Tools/gsce \
     .ci/prfilter

Tools/README

@@ -1,70 +0,0 @@
-Graphene-SGX Secure Container
---------------------------------
-Graphene-SGX Secure Container (GSC) is a container system where the containerized application can be protected by Graphene-SGX while it is running in a container environment. The GSC system includes two parts: (1) a Docker container instance where the application is running inside Graphene-SGX and both of them are running inside the container instance; (2) a front-end named GSCE (GSC Engine) which takes a legacy Docker container image and automatically launches the contained application inside a GSC container instance.
-
-Launching a GSC container instance includes following steps:
-
-(1) Make sure there is a Docker container image of your application in the local or remote image repository.
-
-(2) Download and Compile Graphene-SGX;
-
-(2) Go to graphene/Tools
-
-(3) Run a GSC container via the following command:
-
-   ./gsce run [All the arguments used for launching a normal Docker container] [docker Image Name:Tag].
-
-Let's take redis, a key-value, in-memory database as an example. Assume the user runs a normal redis from its docker image as follows.
-```bash
-docker run -i -t -p 6379:6379 redis:latest
-```
-To launch a GSC container running redis, simply change docker to "./gsce", i.e., the user runs the command as follows.
-```bash
-./gsce run -i -t -p 6379:6379 redis:latest
-```
---------------------------------
-Setting up the Dockerfile:
-
-If running a C++ example your Dockerfile should have the following:
-```docker
-FROM gcc:9.1
-
-# Ensure you add your path to the graphene folder
-COPY . /home/username/graphene/LibOS/shim/test/apps/yourImageName
-
-WORKDIR /home/username/graphene/LibOS/shim/test/apps/yourImageName
-
-# You can use gcc or g++ and any flags you would like (std flag is for C++ 11 support)
-RUN g++ -o app sourcefile.cpp -std=c++11
-
-CMD ["./app"]
-```
-Note: If GSC has issues finding your program and it is added under the trusted files, it is possible that your path has a typo or is incorrect.
---------------------------------
-Issues You May Encounter
-1) Graphene is having trouble handling the symbolic links in graphene/Runtime
-	- For some reason Graphene doesn't read symbolic links in certain instances. You will need to replace all of the links with a copy of the actual files with the same name to the Runtime folder. Rather than doing this manually (more painful than you may think) use this trick:
-	- `shopt -s globstar` <-- enables globstar option
-	- `sed -i '' **/*` <-- replaces all of the links
-2) Cannot find (generated_offsets)/(site).py
-	- Graphene for some reason can't access certain modules it needs to sign enclaves, so all you need to do is copy wherever the modules are located to the folder: `/home/username/graphene/Pal/src/host/Linux-SGX/signer`
-3) "Cannot open device /dev/gsgx"
-	- cd into `graphene/Pal/src/host/Linux-SGX/sgx-driver/load.sh`
-	- run `./load.sh` to load the driver
-4) Permission denied on mapping enclave
-	- run `sudo sysctl vm.mmap_min_addr=0`
-5) If there is an issue when running bash.manifest.sgx
-	- edit the Entrypoint in relation to the executable in the Dockerfile
-6) Issues with trusted files in GSC
-	- Edit the gen_manifest python script and add your trusted files inside of the df.write.
-	- The names for the sgx trusted files are arbitrary but need to be unique or overlap issues will occur when signing the enclaves
-7) /lib64/ld-linux-x86-64.so.2: version 'SHIM' not found (required by libc.so.6)
-    - Run `echo $LD_LIBRARY_PATH` and check for a trailing colon at the end of this path
-8) "bad_alloc" or "st9_alloc"
-	- Your enclave size is too small (default is 256M). Try adding the line: `sgx.enclave_size = 1G` (Size must be a power of 2)
-9) Cannot connect to AESMD service (socket cannot connect)
-	- Most likley your isgx.ko did not load properly when you ran load.sh. Run load.sh and handle any errors that may appear (most are documented above)
-10) "Error while loading shared libraries: cannot open shared object file: No such file or directory"
-        - Add the library to your graphene/Runtime directory. This is a temporary workaround.
-11) "bash.manifest.sgx: file not found"
-        - Make sure that the location of the executable in your container is in your docker's PATH environment variable. If necessary, change the bin_name in gsce to the name of the binary manually.

Tools/gen_manifest

@@ -1,126 +0,0 @@
-#!/usr/bin/env python2
-import os
-import sys
-import subprocess
-import re
-
-runtime_libs = ['libc',
-                'libdl',
-                'libm',
-                'libpthread',
-                'libutil',
-                'libnss_dns',
-                'libresolv',
-                'librt']
-
-
-def parse_libs(bin_path):
-  ldd_out = subprocess.check_output(['ldd', bin_path])
-  lib_list = []
-  for line in ldd_out.splitlines():
-    match = re.match(r'\t(.*) => (.*) \(0x', line)
-    if match and match.group(1) and match.group(2):
-      name_match = re.match(r'([\w\d]*)(-*)([\w\d]*)(\.*)(.*)', match.group(1))
-      if name_match:
-        lib_name = name_match.group(1)
-
-        # library can be formatted as libxxx-xxx.so which is invalid format in
-        # the manifest, so reformat to libxxx_xxx as the option key
-        if name_match.group(2) == '-' and name_match.group(3):
-          lib_name += '_' + name_match.group(3)
-
-        if lib_name not in runtime_libs:
-          lib_list.append((lib_name, match.group(2)))
-
-  return lib_list
-
-
-def make_executable(path):
-  mode = os.stat(path).st_mode
-  mode |= (mode & 0o444) >> 2    # copy R bits to X
-  os.chmod(path, mode)
-
-
-def gen_manifest(app_name, bin_name, g_path):
-  m_path = g_path + '/LibOS/shim/test/apps/' + app_name + '/' + app_name + '.' + 'manifest'
-  print('generating manifest: ' + m_path)
-
-  mf = open(m_path, 'w')
-  make_executable(m_path)
-
-  mf.write('#!' + g_path + '/Runtime/pal_loader\n')
-  mf.write('loader.preload = file:../../../../../Runtime/libsysdb.so\n')
-
-  # Get path of binary
-  bin_path = subprocess.check_output(['which', bin_name]).strip()
-  mf.write('loader.exec = file:' + bin_path + '\n')
-  mf.write('loader.execname = ' + bin_name + '\n')
-  mf.write('loader.env.LD_LIBRARY_PATH = /graphene:/graphene/resolv:/host:/usr/local/lib:/usr/lib:/usr/lib/x86_64-linux-gnu')
-
-  if 'LD_LIBRARY_PATH' in os.environ and os.environ['LD_LIBRARY_PATH']:
-    mf.write(':' + os.environ['LD_LIBRARY_PATH'])
-  mf.write('\n')
-
-  mf.write('loader.env.PATH = /usr/local/bin:/usr/bin:/bin\n' +
-           'loader.env.USERNAME =\n' +
-           'loader.env.PWD =\n' +
-           'loader.debug_type = none\n')
-  mf.write('\n')
-
-  # File system setting
-  mf.write('fs.mount.lib1.type = chroot\n' +
-           'fs.mount.lib1.path = /graphene\n' +
-           'fs.mount.lib1.uri = file:../../../../../Runtime\n\n')
-
-  mf.write('fs.mount.lib2.type = chroot\n' +
-           'fs.mount.lib2.path = /host\n' +
-           'fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu\n\n')
-
-  mf.write('fs.mount.bin.type = chroot\n' +
-           'fs.mount.bin.path = /bin\n' +
-           'fs.mount.bin.uri = file:/bin\n\n')
-
-  mf.write('fs.mount.usr.type = chroot\n' +
-           'fs.mount.usr.path = /usr\n' +
-           'fs.mount.usr.uri = file:/usr\n\n')
-
-  mf.write('fs.mount.etc.type = chroot\n' +
-           'fs.mount.etc.path = /etc\n' +
-           'fs.mount.etc.uri = file:\n\n')
-
-  mf.write('fs.mount.opt.type = chroot\n' +
-           'fs.mount.opt.path = /opt\n' +
-           'fs.mount.opt.uri = file:\n\n')
-
-  # Set Dependent Libraries
-  mf.write('sgx.trusted_files.ld = file:../../../../../Runtime/ld-linux-x86-64.so.2\n' +
-           'sgx.trusted_files.libc = file:../../../../../Runtime/libc.so.6\n' +
-           'sgx.trusted_files.libdl = file:../../../../../Runtime/libdl.so.2\n' +
-           'sgx.trusted_files.libm = file:../../../../../Runtime/libm.so.6\n' +
-           'sgx.trusted_files.libpthread = file:../../../../../Runtime/libpthread.so.0\n' +
-           'sgx.trusted_files.libutil = file:../../../../../Runtime/libutil.so.1\n' +
-           'sgx.trusted_files.libnss_dns = file:../../../../../Runtime/libnss_dns.so.2\n' +
-           'sgx.trusted_files.libresolv = file:../../../../../Runtime/libresolv.so.2\n' +
-           'sgx.trusted_files.librt = file:../../../../../Runtime/librt.so.1\n')
-
-  lib_list = parse_libs(bin_path)
-  for lib_name, lib_path in lib_list:
-    print('lib name: ' + lib_name)
-    print('lib path: ' + lib_path)
-    mf.write('sgx.trusted_files.' + lib_name + ' = file:' + lib_path + '\n')
-  mf.write('\n')
-
-  mf.close()
-
-
-if __name__ == '__main__':
-  if len(sys.argv) != 4:
-    print('Usage: gen_manifest [application name] [actual binary name] [path to graphene]')
-    print('  e.g. gen_manifest apache httpd /home/me/graphene')
-    exit(1)
-
-  app_name = sys.argv[1]
-  bin_name = sys.argv[2]
-  g_path = sys.argv[3]
-
-  gen_manifest(app_name, bin_name, g_path)

Tools/gsce

@@ -1,137 +0,0 @@
-#!/usr/bin/env python2
-import sys,os
-import subprocess
-import re
-
-def gen_dockerfile( image_name, app_name, bin_name, proj_dir):
-  if not os.path.exists(proj_dir + '/Tools/build'):
-    os.makedirs(proj_dir + '/Tools/build')
-  df =open(proj_dir + '/Tools/build/Dockerfile' + '.' + app_name, 'w')
-  df.write('# This file is auto-generated, any edits will be overwritten\n')
-
-  df.write('\n')
-  # Choose the base image from the user input
-  df.write('FROM '+ image_name + '\n')
-  df.write('\n')
-
-  # SWITCH to ROOT
-  df.write('# SWITCH to root\n')
-  df.write('USER root\n\n')
-
-  # DOWNLOAD dependencies
-  df.write('# Download dependencies\n')
-  df.write('RUN apt-get update && \\\n')
-  df.write('    apt-get install -y openssl libjemalloc-dev python python-pip python-dev\n')
-  df.write('RUN pip install protobuf && \\\n')
-  df.write('    pip install pycrypto\n')
-
-  df.write('# Temporal fixes for Dependencies Issue #1: libcrypto.so.1.0.0 and libssl.so.1.0.0 have different locations\n')
-  if not os.path.isfile('/lib/x86_64-linux-gnu/libcrypto.so.1.0.0'):
-    df.write('RUN ln -s /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 \\\n')
-  if not os.path.isfile('/lib/x86_64-linux-gnu/libssl.so.1.0.0'):
-    df.write('RUN ln -s /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 /lib/x86_64-linux-gnu/libssl.so.1.0.0\n')
-
-  # SETUP Directory Structure
-  df.write('# Setup Directory Structure\n')
-  df.write('RUN mkdir -p ' + proj_dir + '/LibOS/shim/test/apps/' + app_name + ' \\\n')
-  df.write(' && mkdir -p ' + proj_dir + '/Pal/src/host/Linux-SGX/signer \\\n')
-  df.write(' && mkdir -p ' + proj_dir + '/Runtime \\\n')
-  df.write(' && mkdir /gbin\n')
-
-  # COPY system files
-  df.write('# Copy system files\n')
-  df.write('COPY Runtime/* ' + proj_dir + '/Runtime/\n')
-  df.write('COPY Pal/src/Makefile.Host ' + proj_dir + '/Pal/src/Makefile.Host\n')
-  df.write('COPY Pal/src/host/Linux-SGX/signer/* ' + proj_dir + '/Pal/src/host/Linux-SGX/signer/\n')
-
-  # COPY tools for building app instance
-  df.write('# Copy tools for building app instance\n')
-  df.write('COPY Tools/build/tools/* /gbin/\n')
-  df.write('COPY Tools/gen_manifest /gbin/\n')
-
-  # Generating manifest file for target app
-  df.write('# Generating manifest for target app\n')
-  df.write('RUN /gbin/gen_manifest ' + app_name + ' ' + bin_name + ' ' + proj_dir + '\n')
-
-  # Sign Enclave
-  df.write('# Signing Enclave\n')
-  df.write('RUN cd ' + proj_dir + '/LibOS/shim/test/apps/' + app_name + ' && \\\n'
-           '    '+ proj_dir + '/Pal/src/host/Linux-SGX/signer/pal-sgx-sign -libpal ' + proj_dir +
-           '/Pal/src/host/Linux-SGX/../../../../Runtime/libpal-Linux-SGX.so -key ' + proj_dir +
-           '/Pal/src/host/Linux-SGX/signer/enclave-key.pem -output ' + app_name + '.manifest.sgx ' +
-           '-manifest ' + app_name + '.manifest\n')
-  # Remove signing key
-  df.write('# Removing key after signing\n')
-
-  # Overwrite Entry Point
-  df.write('ENTRYPOINT  ["/bin/bash", "/gbin/app_exec"]\n')
-  df.close()
-
-def make_executable(path):
-  mode = os.stat(path).st_mode
-  mode |= (mode & 0o444) >> 2    # copy R bits to X
-  os.chmod(path, mode)
-
-def gen_app_executor(app_name, bin_cmd, proj_dir):
-  if not os.path.exists(proj_dir + '/Tools/build/tools'):
-    os.makedirs(proj_dir + '/Tools/build/tools')
-
-  e_path = proj_dir + '/Tools/build/tools/app_exec'
-  ef = open(e_path, 'w')
-  make_executable(e_path)
-
-  ef.write('#!/usr/bin/env bash\n\n')
-  ef.write('cd ' + proj_dir + '/LibOS/shim/test/apps/' + app_name +'\n')
-  ef.write('# Generate EINITOKEN\n')
-  ef.write(proj_dir + '/Pal/src/host/Linux-SGX/signer/pal-sgx-get-token -output '
-           + app_name + '.token -sig ' + app_name + '.sig\n')
-  ef.write('# Run the application\n')
-  ef.write('SGX=1 ./' + app_name + '.manifest.sgx ' + bin_cmd + '\n')
-
-  ef.close()
-
-if __name__ == '__main__':
-  if len(sys.argv) < 3:
-    print('Usage: gsce run [Image name]')
-    exit()
-
-  image_name = sys.argv[-1]
-  image_match = re.match(r'([^:]*)(:*)(.*)', image_name)
-  if image_match:
-    app_name = image_match.group(1)
-
-  # application name may contain '/', remove it
-  app_name = app_name.split('/')[-1]
-
-  inspect_cmd = 'sudo docker inspect --format \'{{.Config.Cmd}}\' ' + image_name
-  res = subprocess.check_output(inspect_cmd, shell=True).strip()
-
-  # Docker image may execute '[/bin/sh -c command]', replace with just '[command]'
-  if res.startswith('[/bin/sh -c '):
-    res = '[' + res[len('[/bin/sh -c '):]
-
-  match = re.match(r'\[([^\s]*)\s*(.*)\]', res)
-  bin_name = match.group(1)
-  bin_cmd = ''
-  if match.group(2):
-    bin_cmd = match.group(2)
-
-  # Store the rest arguments as Docker run arguments
-  docker_str = ' ' + ' '.join(sys.argv[2:-1])
-
-  # print image_cmd
-  proj_dir = os.path.abspath(os.getcwd() + '/../')
-
-  # STEP 1: Generating Dockerfile
-  gen_dockerfile(image_name, app_name, bin_name, proj_dir)
-
-  # STEP 2: Generating entry point execute script
-  gen_app_executor(app_name, bin_cmd, proj_dir)
-
-  # STEP 3: Building new docker image with generated Dockerfile
-  os.chdir('..')
-  os.system('sudo docker build -f Tools/build/Dockerfile.' + app_name + ' -t gsc_' + app_name + ' .\n')
-
-  # STEP 4: Run GSC with the target app
-  os.system('sudo docker run -i -t' + docker_str +' --device=/dev/gsgx --device=/dev/isgx ' +
-            '-v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc_' + app_name + '\n')