This is an automated email from the ASF dual-hosted git repository. shaojunwang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git
commit 2381dc67f6825d010286b6ad82f4f471cf3021d0 Author: cengfeng.lzy <[email protected]> AuthorDate: Mon Jun 27 13:51:28 2022 +0800 [Enc] Update based GraalVM to 22.1.0 Summary: Update GraalVM to 22.1.0 Test Plan: all tests pass Reviewers: lei.yul, jeffery.wsj, sanhong.lsh Issue: https://aone.alibaba-inc.com/task/42820527 CR: https://code.aone.alibaba-inc.com/java-tee/JavaEnclave/codereview/9186461 --- sdk/enclave/pom.xml | 7 ++++--- .../confidentialcomputing/enclave/EnclaveFeature.java | 4 ++-- .../confidentialcomputing/enclave/EnclaveOptions.java | 4 ++++ .../enclave/EnclaveRandomFeature.java | 10 +++++++--- .../confidentialcomputing/enclave/SUNECReplaceFeature.java | 14 ++++++++------ .../enclave/system/EnclaveMemoryFeature.java | 13 +++++++------ .../confidentialcomputing/enclave/ConfigMemTest.java | 5 +++++ .../confidentialcomputing/enclave/ReplaceSunECTest.java | 8 +++----- test/enclave/pom.xml | 6 +++--- tools/cicd/Dockerfile | 6 +++--- tools/cicd/make.sh | 6 +++--- 11 files changed, 49 insertions(+), 34 deletions(-) diff --git a/sdk/enclave/pom.xml b/sdk/enclave/pom.xml index 3875579..8572558 100644 --- a/sdk/enclave/pom.xml +++ b/sdk/enclave/pom.xml @@ -13,7 +13,8 @@ <name>JavaEnclave-Enclave</name> <url></url> <properties> - <graal.version>enclave-11-22.0.0-0.1.0</graal.version> + <graal.version>22.1.0</graal.version> + <enclave.graal.version>enclave-11-22.1.0-1.0</enclave.graal.version> <svm.maven.version>0.9.10</svm.maven.version> </properties> <profiles> @@ -207,12 +208,12 @@ <dependency> <groupId>org.graalvm.sdk</groupId> <artifactId>graal-sdk</artifactId> - <version>${graal.version}</version> + <version>${enclave.graal.version}</version> </dependency> <dependency> <groupId>org.graalvm.nativeimage</groupId> <artifactId>svm</artifactId> - <version>${graal.version}</version> + <version>${enclave.graal.version}</version> </dependency> <dependency> <groupId>org.graalvm.nativeimage</groupId> 
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveFeature.java index 8875700..b30d6d5 100644 --- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveFeature.java +++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveFeature.java @@ -67,7 +67,7 @@ public class EnclaveFeature implements Feature { FeatureImpl.DuringSetupAccessImpl config = (FeatureImpl.DuringSetupAccessImpl) access; RuntimeSerialization.register(ConfidentialComputingException.class, RuntimeException.class, ReflectiveOperationException.class, ClassNotFoundException.class); - RuntimeSerialization.registerAllAssociatedClasses(Collections.EMPTY_LIST.getClass()); + RuntimeSerialization.registerIncludingAssociatedClasses(Collections.EMPTY_LIST.getClass()); imageClassLoader = config.getImageClassLoader(); } @@ -149,7 +149,7 @@ public class EnclaveFeature implements Feature { } private boolean registerCollectedConfigs() { - boolean registeredNewSerializations = registerCollectedConfigs(serializationCandidateTypes, RuntimeSerialization::registerAllAssociatedClasses); + boolean registeredNewSerializations = registerCollectedConfigs(serializationCandidateTypes, RuntimeSerialization::registerIncludingAssociatedClasses); boolean registeredNewReflectionTypes = registerCollectedConfigs(reflectionCandidateTypes, RuntimeReflection::register); boolean registeredNewReflectionMethods = registerCollectedConfigs(reflectionCandidateMethods, RuntimeReflection::register); return registeredNewSerializations || registeredNewReflectionTypes || registeredNewReflectionMethods; diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveOptions.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveOptions.java index df82f2f..03e872d 100644 
--- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveOptions.java +++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveOptions.java @@ -8,4 +8,8 @@ public class EnclaveOptions { @Option(help = "Use native function instead of accessing /dev/random /dev/urandom for getting random number.", type = OptionType.User) // public static final HostedOptionKey<Boolean> UseNativeGetRandom = new HostedOptionKey<>(true); + + @Option(help = "Enable enclave features.", type = OptionType.User) +// + public static final HostedOptionKey<Boolean> RunInEnclave = new HostedOptionKey<>(true); } diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java index 400228e..5744b29 100644 --- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java +++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/EnclaveRandomFeature.java 
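Review bot: The help string on the new `RunInEnclave` option, "Enable enclave features.", does not tell a reader what `-H:-RunInEnclave` actually switches off, although the gated pieces are visible in the other files of this commit (the enclave memory provider, disabling NativeSecureRandomFilesCloser, the SunEC native substitutes). Name them and state the default, e.g. `@Option(help = "Build the image for execution inside an enclave (default): install the enclave memory provider, disable NativeSecureRandomFilesCloser and substitute the SunEC natives. Pass -H:-RunInEnclave for a plain native image, as the tests do.", type = OptionType.User)`. The empty `//` line between the annotation and the field, copied from the `UseNativeGetRandom` declaration above it, carries no information and should be dropped. Defaulting to `true` is the right direction for a TEE SDK, since a build that forgets the flag gets the enclave configuration rather than silently losing it.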
@@ -1,14 +1,18 @@
 package com.alibaba.confidentialcomputing.enclave;
+import com.oracle.svm.core.annotate.AutomaticFeature;
 import com.oracle.svm.hosted.FeatureHandler;
 import com.oracle.svm.hosted.FeatureImpl;
 import org.graalvm.nativeimage.hosted.Feature;
+@AutomaticFeature
 public class EnclaveRandomFeature implements Feature {
 @Override
 public void afterRegistration(Feature.AfterRegistrationAccess access) {
- FeatureImpl.AfterRegistrationAccessImpl a = (FeatureImpl.AfterRegistrationAccessImpl) access;
- FeatureHandler featureHandler = a.getFeatureHandler();
- EnclavePlatFormSettings.disableFeatures(featureHandler, "com.oracle.svm.core.posix.NativeSecureRandomFilesCloser");
+ if (EnclaveOptions.RunInEnclave.getValue()) {
+ FeatureImpl.AfterRegistrationAccessImpl a = (FeatureImpl.AfterRegistrationAccessImpl) access;
+ FeatureHandler featureHandler = a.getFeatureHandler();
+ EnclavePlatFormSettings.disableFeatures(featureHandler, "com.oracle.svm.core.posix.NativeSecureRandomFilesCloser");
+ }
 }
 }
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/SUNECReplaceFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/SUNECReplaceFeature.java
index aa365d5..b160a55 100644
--- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/SUNECReplaceFeature.java
+++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/SUNECReplaceFeature.java
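Review bot: Wrapping the whole of `afterRegistration` in `if (EnclaveOptions.RunInEnclave.getValue())` leaves the feature registered with an empty body when the option is off; the Feature API already has a hook for this, `isInConfiguration(IsInConfigurationAccess)`, which keeps the feature out of the build entirely and makes the "only in enclave builds" contract visible at the top of the class. The same guard-in-body pattern is added to `SUNECReplaceFeature.beforeAnalysis` and `EnclaveMemoryFeature.afterRegistration` in this commit and would be replaced the same way. The whole file is inside this hunk, so the rewrite below is complete; the disabled-feature name string and the `FeatureHandler` cast are unchanged.
```java
@AutomaticFeature
public class EnclaveRandomFeature implements Feature {
    /** Only take part in the build when the image targets the enclave (-H:+RunInEnclave, the default). */
    @Override
    public boolean isInConfiguration(Feature.IsInConfigurationAccess access) {
        return EnclaveOptions.RunInEnclave.getValue();
    }

    @Override
    public void afterRegistration(Feature.AfterRegistrationAccess access) {
        // … unchanged: the three statements previously under the if-guard, now unconditional …
    }
}
```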
@@ -45,12 +45,14 @@ public class SUNECReplaceFeature extends JNIRegistrationUtil implements Feature
 @Override
 public void beforeAnalysis(BeforeAnalysisAccess access) {
- access.registerReachabilityHandler(this::prepareEncSunEC,
- method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "signDigest", byte[].class, byte[].class, byte[].class, byte[].class, int.class),
- method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "verifySignedDigest", byte[].class, byte[].class, byte[].class, byte[].class),
- method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "isCurveSupported", byte[].class),
- method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "generateECKeyPair", int.class, byte[].class, byte[].class),
- method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "deriveKey", byte[].class, byte[].class, byte[].class));
+ if (EnclaveOptions.RunInEnclave.getValue()) {
+ access.registerReachabilityHandler(this::prepareEncSunEC,
+ method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "signDigest", byte[].class, byte[].class, byte[].class, byte[].class, int.class),
+ method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "verifySignedDigest", byte[].class, byte[].class, byte[].class, byte[].class),
+ method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "isCurveSupported", byte[].class),
+ method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "generateECKeyPair", int.class, byte[].class, byte[].class),
+ method(access, "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods", "deriveKey", byte[].class, byte[].class, byte[].class));
+ }
 }
 @Platforms(Platform.LINUX.class)
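Review bot: The class name `com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods` is spelled out five times inside the new `registerReachabilityHandler` call; a single typo in one copy would register a different reachability trigger than the other four, so hoist it into a constant, `private static final String NATIVE_SUNEC_METHODS = "com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods";`, and pass `NATIVE_SUNEC_METHODS` to each `method(access, …)` lookup. A one-line comment above the call saying that these five natives are the ones the SunEC substitution replaces, and that `prepareEncSunEC` runs once any of them becomes reachable, would also explain why the list is exactly these signatures. The class continues outside this hunk (fields, `prepareEncSunEC` and the `@Platforms` method below).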
diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java index 0ad76c9..dfce358 100644 --- a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java +++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/system/EnclaveMemoryFeature.java @@ -1,5 +1,6 @@ package com.alibaba.confidentialcomputing.enclave.system; +import com.alibaba.confidentialcomputing.enclave.EnclaveOptions; import com.alibaba.confidentialcomputing.enclave.EnclavePlatFormSettings; import com.alibaba.confidentialcomputing.enclave.c.EnclaveEnvironment; import com.alibaba.confidentialcomputing.enclave.system.EnclavePhysicalMemory.PhysicalMemorySupportImpl; @@ -21,8 +22,6 @@ import java.util.List; * implemented in native code and linked by out framework. See {@code test/resources/native/enc_invoke_entry_test.c} and * {@code com.alibaba.confidentialcomputing.enclave.NativeImageTest#compileJNILibrary()} for details. * <p> - * On the other hand, the original queries from sysconf must be invalided. So the option {@code -H:DisableFeatures=com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature} - * must be set. */ @AutomaticFeature public class EnclaveMemoryFeature implements Feature { 
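Review bot: In the javadoc hunk at -21, deleting the two "On the other hand …" lines leaves the class comment ending with a bare ` * <p>` directly before ` */`, an empty paragraph that should be removed with them. Those lines were also the only statement of why the sysconf-based physical-memory queries must not be used inside the enclave; if `replaceImageSingletonEntry(PhysicalMemorySupportImpl…)` in `afterRegistration` now makes `-H:DisableFeatures=…LinuxPhysicalMemory$PhysicalMemoryFeature` unnecessary (the test pom in this commit drops that flag), say so in place of the removed text, e.g. ` * The sysconf-backed PhysicalMemorySupport is replaced from {@code afterRegistration} when {@code -H:+RunInEnclave} is set, so it no longer has to be disabled on the command line.` If that is not the case, the removed instruction should stay.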
@@ -38,9 +37,11 @@ public class EnclaveMemoryFeature implements Feature {
 @Override
 public void afterRegistration(AfterRegistrationAccess access) {
- RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
- rci.initializeAtBuildTime("com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider", "Native Image classes are always initialized at build time");
- EnclavePlatFormSettings.replaceImageSingletonEntry(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), new PhysicalMemorySupportImpl());
- ImageSingletons.add(VirtualMemoryProvider.class, new EnclaveVirtualMemoryProvider());
+ if (EnclaveOptions.RunInEnclave.getValue()) {
+ RuntimeClassInitializationSupport rci = ImageSingletons.lookup(RuntimeClassInitializationSupport.class);
+ rci.initializeAtBuildTime("com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider", "Native Image classes are always initialized at build time");
+ EnclavePlatFormSettings.replaceImageSingletonEntry(PhysicalMemorySupportImpl.getPhysicalMemorySupportClass(), new PhysicalMemorySupportImpl());
+ ImageSingletons.add(VirtualMemoryProvider.class, new EnclaveVirtualMemoryProvider());
+ }
 }
 }
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
index 8632751..97229b9 100644
--- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
+++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java
@@ -36,6 +36,11 @@ public class ConfigMemTest {
 return List.of("-DPAGE_SIZE=2048", "-DHEAP_PAGES=24000");
 }
+
+ /*@Override
+ public List<String> extraSVMOptions() {
+ return List.of("--debug-attach:7788");
+ }*/
 }
 private static final String MEM_SERVICE = "com.alibaba.confidentialcomputing.enclave.testservice.MemService";
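Review bot: The block added to ConfigMemTest is commented-out code — an `extraSVMOptions()` override returning `--debug-attach:7788` — and should not be checked in; it will rot as the surrounding class changes and invites someone to uncomment it with a hard-coded port. Delete it, or if the team wants the hint preserved, replace it with a one-line comment such as `// To debug the image build, override extraSVMOptions() and return List.of("--debug-attach:<port>").` so the intent survives without dead code. The enclosing test class continues outside this hunk.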
diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ReplaceSunECTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ReplaceSunECTest.java index 8034352..fb63c28 100644 --- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ReplaceSunECTest.java +++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ReplaceSunECTest.java @@ -10,10 +10,8 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import sun.security.ec.ECKeyPairGenerator; import java.security.KeyPair; -import java.util.List; import static org.junit.jupiter.api.Assertions.assertNotNull; @@ -70,9 +68,9 @@ public class ReplaceSunECTest { Class<?> PKCS8KeyClass = a.getImageClassLoader().findClass("sun.security.pkcs.PKCS8Key").get(); Class<?> X509KeyClass = a.getImageClassLoader().findClass("sun.security.x509.X509Key").get(); RuntimeSerialization.register(PKCS8KeyClass, X509KeyClass); - RuntimeSerialization.registerAllAssociatedClasses(java.security.KeyRep.class); - RuntimeSerialization.registerAllAssociatedClasses(sun.security.ec.ECPrivateKeyImpl.class); - RuntimeSerialization.registerAllAssociatedClasses(sun.security.ec.ECPublicKeyImpl.class); + RuntimeSerialization.registerIncludingAssociatedClasses(java.security.KeyRep.class); + RuntimeSerialization.registerIncludingAssociatedClasses(sun.security.ec.ECPrivateKeyImpl.class); + RuntimeSerialization.registerIncludingAssociatedClasses(sun.security.ec.ECPublicKeyImpl.class); } } } diff --git a/test/enclave/pom.xml b/test/enclave/pom.xml index 2d99e31..165d78a 100644 --- a/test/enclave/pom.xml +++ b/test/enclave/pom.xml 
@@ -34,7 +34,7 @@ <configuration> <buildArgs> <buildArg>--no-fallback</buildArg> - <buildArg>-H:DisableFeatures=com.oracle.svm.core.posix.NativeSecureRandomFilesCloser,com.alibaba.confidentialcomputing.enclave.system.EnclaveMemoryFeature</buildArg> + <buildArg>-H:-RunInEnclave</buildArg> </buildArgs> </configuration> <phase>test</phase> @@ -51,7 +51,7 @@ <buildArg>--no-fallback</buildArg> <buildArg>--allow-incomplete-classpath</buildArg> <buildArg>-H:Path=svm-output</buildArg> - <buildArg>-H:DisableFeatures=com.oracle.svm.core.posix.NativeSecureRandomFilesCloser,com.alibaba.confidentialcomputing.enclave.system.EnclaveMemoryFeature</buildArg> + <buildArg>-H:-RunInEnclave</buildArg> <buildArg>-H:ReflectionConfigurationFiles=${project.basedir}/target/native/agent-output/test/reflect-config.json</buildArg> </buildArgs> </configuration> @@ -69,7 +69,7 @@ <buildArg>--no-fallback</buildArg> <buildArg>--allow-incomplete-classpath</buildArg> <buildArg>-H:Path=svm-output</buildArg> - <buildArg>-H:DisableFeatures=com.oracle.svm.core.posix.NativeSecureRandomFilesCloser,com.oracle.svm.core.posix.linux.LinuxPhysicalMemory$PhysicalMemoryFeature</buildArg> + <buildArg>-H:-RunInEnclave</buildArg> <buildArg>-H:ReflectionConfigurationFiles=${project.basedir}/target/native/agent-output/test/reflect-config.json</buildArg> </buildArgs> </configuration> diff --git a/tools/cicd/Dockerfile b/tools/cicd/Dockerfile index 1dd55bd..f112fcd 100644 --- a/tools/cicd/Dockerfile +++ b/tools/cicd/Dockerfile 
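Review bot: The three hunks are not equivalent rewrites: at -34 and -51 the old flag disabled `NativeSecureRandomFilesCloser` and `EnclaveMemoryFeature`, i.e. an outside-enclave build, but at -69 it disabled `NativeSecureRandomFilesCloser` and `LinuxPhysicalMemory$PhysicalMemoryFeature`, which left `EnclaveMemoryFeature` active; replacing all three with `-H:-RunInEnclave` switches the enclave memory provider off in that build as well. If that profile was the one exercising the enclave memory path in a native image, it has lost that coverage and should instead keep the default `RunInEnclave` (plus whatever is now needed to keep the Linux sysconf-based memory feature out, which I cannot tell from this hunk). If the change is intentional, a short XML comment next to the buildArg saying the enclave path is covered by the enclave-side tests would save the next reader the same question.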
@@ -5,13 +5,13 @@ LABEL maintainer="Junshao Wang <[email protected]>" ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 ENV DEBIAN_FRONTEND noninteractive -ADD ["graalvm-enclave-22.0.0.tar", "/root/tools/"] +ADD ["graalvm-enclave-22.1.0.tar", "/root/tools/"] ADD ["x86_64-linux-musl-native.tgz", "/root/tools/"] ADD ["zlib-1.2.12.tar.gz", "/root/tools/"] ADD ["settings.xml", "/root/tools/"] ADD ["sgx_linux_x64_sdk_2.15.100.0.bin", "/root/tools/"] -ENV GRAALVM_HOME "/root/tools/graalvm-enclave-22.0.0" -ENV JAVA_HOME "/root/tools/graalvm-enclave-22.0.0" +ENV GRAALVM_HOME "/root/tools/graalvm-enclave-22.1.0" +ENV JAVA_HOME "/root/tools/graalvm-enclave-22.1.0" ENV CC "/root/tools/x86_64-linux-musl-native/bin/gcc" ENV PATH $PATH:"/root/tools/x86_64-linux-musl-native/bin" diff --git a/tools/cicd/make.sh b/tools/cicd/make.sh index 6da95c9..7609320 100755 --- a/tools/cicd/make.sh +++ b/tools/cicd/make.sh @@ -1,7 +1,7 @@ #!/bin/bash BUILD_IMAGE=javaenclave_build -BUILD_TAG=v0.1.6 +BUILD_TAG=v0.1.7 SHELL_FOLDER=$(cd "$(dirname "$0")";pwd) 
@@ -13,13 +13,13 @@ WORKDIR=$(dirname $(dirname "$PWD")) if [[ "$(docker images -q ${BUILD_IMAGE}:${BUILD_TAG} 2> /dev/null)" == "" ]]; then # Get the customized Graal VM from [email protected]:graal/SGXGraalVM.git # This should be replaced to the offical version when all patches are accepted by the Graal community - wget https://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.0.0/graalvm-enclave-22.0.0.tar + wget https://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.1.0/graalvm-enclave-22.1.0.tar wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/x86_64-linux-musl-native.tgz wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/zlib-1.2.12.tar.gz wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/settings_taobao.xml -O settings.xml wget https://dragonwell.oss-cn-shanghai.aliyuncs.com/11/tee_java/dependency/sgx_linux_x64_sdk_2.15.100.0.bin docker build -t ${BUILD_IMAGE}:${BUILD_TAG} . - rm -f graalvm-enclave-22.0.0.tar + rm -f graalvm-enclave-22.1.0.tar rm -f x86_64-linux-musl-native.tgz rm -f zlib-1.2.12.tar.gz rm -f sgx_linux_x64_sdk_2.15.100.0.bin --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
