This is an automated email from the ASF dual-hosted git repository. shaojunwang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-java-tee-sdk.git
commit 907733d070519fb834527526e3543af1196ff7e0
Author: cengfeng.lzy <[email protected]>
AuthorDate: Mon Aug 1 16:50:58 2022 +0800

    Update base GraalVM to 22.2.0

    Summary: All our Enclave adaption PRs committed to GraalVM are accepted since GraalVM 22.2.0. Therefore, JavaEnclave can now directly depend on GraalVM's official release.

    Test Plan: all tests pass

    Reviewers: lei.yul, cengfeng.lzy, sanhong.lsh

    Issue: https://aone.alibaba-inc.com/task/43664463

    CR: https://code.alibaba-inc.com/java-tee/JavaEnclave/codereview/9591926
---
 sdk/enclave/docs/Incompatibilities.md | 10 +++++-
 sdk/enclave/pom.xml | 15 ++++++--
 .../cpufeatures/EnclaveAMD64CPUFeatureAccess.java | 42 ++++++++++++++++++++++
 .../EnclaveAMD64CPUFeatureAccessFeature.java | 36 +++++++++++++++++++
 .../tee_sdk_svm/edge_routines/tee_sdk_symbol.c | 3 +-
 .../tee_sdk_svm/edge_routines/tee_sdk_symbol.h | 3 +-
 .../enclave/native-image.properties | 25 +++++++++++++
 .../native-image/serialization-config.json | 3 ++
 .../enclave/ConfigMemTest.java | 8 +++--
 sdk/pom.xml | 2 --
 test/enclave/pom.xml | 4 +--
 .../bouncycastle-native/generate_bc_configs.sh | 2 +-
 third-party-libs/bouncycastle-native/pom.xml | 5 ++-
 .../bouncycastle-native/native-image.properties | 5 +++
 tools/cicd/Dockerfile | 8 ++---
 tools/cicd/make.sh | 12 +++----
 16 files changed, 158 insertions(+), 25 deletions(-)

diff --git a/sdk/enclave/docs/Incompatibilities.md b/sdk/enclave/docs/Incompatibilities.md index e547c44..da358fc 100644 --- a/sdk/enclave/docs/Incompatibilities.md +++ b/sdk/enclave/docs/Incompatibilities.md 
@@ -18,7 +18,15 @@ We rewrite the native JNI code of above 5 methods by replacing `new` with `mallo See `src/main/resources/native/sunec/com_alibaba_confidentialcomputing_enclave_substitutes_NativeSunECMethods.h`, `com.alibaba.confidentialcomputing.enclave.SUNECReplaceFeature`, `com.alibaba.confidentialcomputing.enclave.substitutes.NativeSunECMethods` and `com.alibaba.confidentialcomputing.enclave.substitutes.SUNECSubstitutions` for more details. # System level ## CPU features check -Since 22.1.0, GraalVM reads CPU features and checks which is supported at runtime, so that it doesn't only rely on the statically set CPU features (See `com.oracle.svm.core.cpufeature.RuntimeCPUFeatureCheckFeature`). But Enclave SDKs don't support reading CPU features at runtime. A solution is to disable the `RuntimeCPUFeatureCheckFeature`. +Since 22.1.0, GraalVM reads CPU features and checks which is supported at runtime, so that it doesn't only rely on the statically set CPU features (see `com.oracle.svm.core.cpufeature.RuntimeCPUFeatureCheckFeature`). +But Enclave SDKs don't support reading CPU features at runtime. +A solution is to disable the `RuntimeCPUFeatureCheckFeature` (see `com.alibaba.confidentialcomputing.enclave.EnclaveFeature#afterRegistration`). + +Since 22.2.0, GraalVM verifies the cpu features as early as program starts (see `com.oracle.svm.core.JavaMainWrapper#run`), but the CPU checking functions are not supported by Enclave SDKs. +The checking is performed by the `CPUFeatureAccess` instance which is set `ImageSingletons` by `com.oracle.svm.hosted.AMD64CPUFeatureAccessFeature` at image build time. +So we added a subclass of `AMD64CPUFeatureAccessFeature`, `com.alibaba.confidentialcomputing.enclave.cpufeatures.EnclaveAMD64CPUFeatureAccessFeature` to override the behavior of setting `CPUFeatureAccess` instance. 
+`EnclaveAMD64CPUFeatureAccessFeature` sets `com.alibaba.confidentialcomputing.enclave.cpufeatures.EnclaveAMD64CPUFeatureAccess` instance into `ImageSingletons` instead of the original `AMD64CPUFeatureAccess`. + ## Memory Enclave SDKs don't support reading system memory information from standard POSIX interfaces: diff --git a/sdk/enclave/pom.xml b/sdk/enclave/pom.xml index 491bdd1..ca157ec 100644 --- a/sdk/enclave/pom.xml +++ b/sdk/enclave/pom.xml @@ -12,6 +12,9 @@ <packaging>jar</packaging> <name>JavaEnclave-Enclave</name> <url></url> + <properties> + <graal.version>22.2.0</graal.version> + </properties> <profiles> <profile> <id>native</id> @@ -92,6 +95,10 @@ <arg>--add-exports</arg> <arg>jdk.internal.vm.ci/jdk.vm.ci.meta=ALL-UNNAMED</arg> <arg>--add-exports</arg> + <arg>jdk.internal.vm.ci/jdk.vm.ci.amd64=ALL-UNNAMED</arg> + <arg>--add-exports</arg> + <arg>jdk.internal.vm.ci/jdk.vm.ci.code=ALL-UNNAMED</arg> + <arg>--add-exports</arg> <arg>jdk.internal.vm.compiler/org.graalvm.compiler.serviceprovider=ALL-UNNAMED</arg> <arg>--add-exports</arg> <arg>jdk.internal.vm.compiler/org.graalvm.compiler.options=ALL-UNNAMED</arg> @@ -139,6 +146,10 @@ <additionalJOption>--add-modules</additionalJOption> <additionalJOption>jdk.internal.vm.ci,jdk.internal.vm.compiler,jdk.crypto.ec</additionalJOption> <additionalJOption>--add-exports</additionalJOption> + <additionalJOption>jdk.internal.vm.ci/jdk.vm.ci.amd64=ALL-UNNAMED</additionalJOption> + <additionalJOption>--add-exports</additionalJOption> + <additionalJOption>jdk.internal.vm.ci/jdk.vm.ci.code=ALL-UNNAMED</additionalJOption> + <additionalJOption>--add-exports</additionalJOption> <additionalJOption>jdk.internal.vm.ci/jdk.vm.ci.meta=ALL-UNNAMED</additionalJOption> <additionalJOption>--add-exports</additionalJOption> <additionalJOption>jdk.internal.vm.compiler/org.graalvm.compiler.serviceprovider=ALL-UNNAMED</additionalJOption> 
@@ -198,12 +209,12 @@ <dependency> <groupId>org.graalvm.sdk</groupId> <artifactId>graal-sdk</artifactId> - <version>${enclave.graal.version}</version> + <version>${graal.version}</version> </dependency> <dependency> <groupId>org.graalvm.nativeimage</groupId> <artifactId>svm</artifactId> - <version>${enclave.graal.version}</version> + <version>${graal.version}</version> </dependency> <dependency> <groupId>org.graalvm.nativeimage</groupId> diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccess.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccess.java new file mode 100644 index 0000000..b52ccaf --- /dev/null +++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccess.java 
@@ -0,0 +1,42 @@ +package com.alibaba.confidentialcomputing.enclave.cpufeatures; + +import com.oracle.svm.core.amd64.AMD64CPUFeatureAccess; +import com.oracle.svm.core.annotate.Uninterruptible; +import jdk.vm.ci.amd64.AMD64; +import jdk.vm.ci.code.Architecture; + +import java.util.EnumSet; + +/** + * Don't check CPU features in enclave environment because the native functions are not supported by enclave SDKs. + * + * @see EnclaveAMD64CPUFeatureAccessFeature + * @since GraalVM 22.2.0 + */ +public class EnclaveAMD64CPUFeatureAccess extends AMD64CPUFeatureAccess { + public EnclaveAMD64CPUFeatureAccess(EnumSet<?> buildtimeCPUFeatures, int[] offsets, byte[] errorMessageBytes, byte[] buildtimeFeatureMaskBytes) { + super(buildtimeCPUFeatures, offsets, errorMessageBytes, buildtimeFeatureMaskBytes); + } + + @Override + public EnumSet<AMD64.CPUFeature> determineHostCPUFeatures() { + return super.determineHostCPUFeatures(); + } + + @Override + @Uninterruptible(reason = "Thread state not set up yet.") + public int verifyHostSupportsArchitectureEarly() { + return 0; + } + + @Override + @Uninterruptible(reason = "Thread state not set up yet.") + public void verifyHostSupportsArchitectureEarlyOrExit() { + + } + + @Override + public void enableFeatures(Architecture runtimeArchitecture) { + + } +} diff --git a/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccessFeature.java b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccessFeature.java new file mode 100644 index 0000000..8dc3e88 --- /dev/null +++ b/sdk/enclave/src/main/java/com/alibaba/confidentialcomputing/enclave/cpufeatures/EnclaveAMD64CPUFeatureAccessFeature.java 
@@ -0,0 +1,36 @@ +package com.alibaba.confidentialcomputing.enclave.cpufeatures; + +import com.alibaba.confidentialcomputing.enclave.EnclaveOptions; +import com.oracle.svm.core.amd64.AMD64CPUFeatureAccess; +import com.oracle.svm.core.annotate.AutomaticFeature; +import com.oracle.svm.hosted.AMD64CPUFeatureAccessFeature; +import org.graalvm.nativeimage.Platform; +import org.graalvm.nativeimage.Platforms; + +import java.util.EnumSet; + +/** + * {@link AMD64CPUFeatureAccessFeature} adds the {@link AMD64CPUFeatureAccess} instance into {@link org.graalvm.nativeimage.ImageSingletons}, + * while {@link AMD64CPUFeatureAccess} eventually calls enclave SDK unsupported CPU feature checking functions. So it will + * lead to runtime crash in enclave environment. + * This class disables {@link AMD64CPUFeatureAccessFeature} by extending it (as GraalVM always uses the most specific + * Feature class see {@link com.oracle.svm.hosted.FeatureHandler#registerFeatures} for details), and provides + * {@link EnclaveAMD64CPUFeatureAccess} instance instead to avoid calling the unsupported functions. + * <p> + * The unsupported functions are called by function {@code determineCPUFeatures} in {@code cpuid.c}. + * + * @since GraalVM 22.2.0 + */ +@AutomaticFeature +@Platforms({Platform.AMD64.class}) +public class EnclaveAMD64CPUFeatureAccessFeature extends AMD64CPUFeatureAccessFeature { + + @Override + protected AMD64CPUFeatureAccess createCPUFeatureAccessSingleton(EnumSet<?> buildtimeCPUFeatures, int[] offsets, byte[] errorMessageBytes, byte[] buildtimeFeatureMaskBytes) { + if (EnclaveOptions.RunInEnclave.getValue()) { + return new EnclaveAMD64CPUFeatureAccess(buildtimeCPUFeatures, offsets, errorMessageBytes, buildtimeFeatureMaskBytes); + } else { + return super.createCPUFeatureAccessSingleton(buildtimeCPUFeatures, offsets, errorMessageBytes, buildtimeFeatureMaskBytes); + } + } +} 
diff --git a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c index 5f7a22e..0a74027 100644 --- a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c +++ b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.c @@ -25,6 +25,7 @@ void deflateSetHeader() {TRACE_SYMBOL_CALL(); ASSERT();} void dlopen() {TRACE_SYMBOL_CALL(); ASSERT();} void dlsym() {TRACE_SYMBOL_CALL(); ASSERT();} void endmntent() {TRACE_SYMBOL_CALL(); ASSERT();} +void fputs() {TRACE_SYMBOL_CALL(); ASSERT();} void fscanf() {TRACE_SYMBOL_CALL(); ASSERT();} void fstatvfs() {TRACE_SYMBOL_CALL(); ASSERT();} void fstatvfs64() {TRACE_SYMBOL_CALL(); ASSERT();} @@ -165,4 +166,4 @@ int pthread_attr_destroy() { int setrlimit() { TRACE_SYMBOL_CALL(); return 0; -} \ No newline at end of file +} diff --git a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h index 66c9071..6666808 100644 --- a/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h +++ b/sdk/enclave/src/main/native/cpp/platform/tee_sdk_svm/edge_routines/tee_sdk_symbol.h @@ -43,6 +43,7 @@ void deflateSetHeader(); void dlopen(); void dlsym(); void endmntent(); +void fputs(); void fscanf(); void fstatvfs(); void fstatvfs64(); @@ -123,4 +124,4 @@ int pthread_cond_timedwait(); int pthread_attr_destroy(); int pthread_attr_setstacksize(); -#endif /* end of _TEE_SDK_SYMBOL_H */ \ No newline at end of file +#endif /* end of _TEE_SDK_SYMBOL_H */ diff --git a/sdk/enclave/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/enclave/native-image.properties b/sdk/enclave/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/enclave/native-image.properties new file mode 100644 index 0000000..7275a3d 
--- /dev/null +++ b/sdk/enclave/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/enclave/native-image.properties 
@@ -0,0 +1,25 @@ +Args=-J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.options=ALL-UNNAMED \ + -J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.serviceprovider=ALL-UNNAMED \ + -J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.word=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.amd64=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.c=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.c.function=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.c.libc=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.heap=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.jdk.resources=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.option=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.os=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.posix=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.posix.linux.libc=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.util=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted.analysis=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted.meta=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.reflect.hosted=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.reflect.serialize.hosted=ALL-UNNAMED \ + -J--add-exports=org.graalvm.sdk/org.graalvm.nativeimage.impl=ALL-UNNAMED \ + -J--add-exports=jdk.internal.vm.ci/jdk.vm.ci.amd64=ALL-UNNAMED \ + 
-J--add-exports=jdk.internal.vm.ci/jdk.vm.ci.code=ALL-UNNAMED \ + -J--add-exports=jdk.internal.vm.ci/jdk.vm.ci.meta=ALL-UNNAMED \ + -J--add-opens=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED \ No newline at end of file diff --git a/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json b/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json index eeea449..9d31c1d 100644 --- a/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json +++ b/sdk/enclave/src/main/resources/META-INF/native-image/serialization-config.json @@ -55,5 +55,8 @@ }, { "name":"[Ljava.lang.StackTraceElement;" + }, + { + "name":"java.lang.Number" } ] diff --git a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java index ad10024..923fad2 100644 --- a/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java +++ b/sdk/enclave/src/test/java/com/alibaba/confidentialcomputing/enclave/ConfigMemTest.java @@ -37,9 +37,13 @@ public class ConfigMemTest { "-DHEAP_PAGES=24000"); } -/* @Override + /* @Override public List<String> extraSVMOptions() { - return List.of("--debug-attach:7788"); + return List.of(*//*"--debug-attach:7788", + "-H:Dump=:3", + "-H:MethodFilter=com.oracle.svm.core.posix.PosixVirtualMemoryProvider.getPageSize", + "-H:MethodFilter=com.alibaba.confidentialcomputing.enclave.system.EnclaveVirtualMemoryProvider.getVPageSize"*//* + ); }*/ } diff --git a/sdk/pom.xml b/sdk/pom.xml index 2e6d08b..36cea01 100644 --- a/sdk/pom.xml +++ b/sdk/pom.xml 
@@ -13,8 +13,6 @@ <maven.compiler.target>11</maven.compiler.target> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <com.alibaba.enclave.platform>MOCK_IN_SVM:TEE_SDK:EMBEDDED_LIB_OS</com.alibaba.enclave.platform> - <enclave.graal.version>enclave-11-22.1.0-1.0</enclave.graal.version> - <graal.version>22.1.0</graal.version> <surefire.version>3.0.0-M5</surefire.version> <svm.maven.version>0.9.13</svm.maven.version> </properties> diff --git a/test/enclave/pom.xml b/test/enclave/pom.xml index e791ee7..5bc5380 100644 --- a/test/enclave/pom.xml +++ b/test/enclave/pom.xml @@ -13,7 +13,7 @@ <name>Test-Enclave</name> <url></url> <properties> - <svm.maven.version>0.9.10</svm.maven.version> + <svm.maven.version>0.9.13</svm.maven.version> <com.alibaba.enclave.privatePem.path></com.alibaba.enclave.privatePem.path> </properties> <profiles> @@ -200,4 +200,4 @@ <scope>test</scope> </dependency> </dependencies> -</project> \ No newline at end of file +</project> diff --git a/third-party-libs/bouncycastle-native/generate_bc_configs.sh b/third-party-libs/bouncycastle-native/generate_bc_configs.sh index 773dd19..c7b11c1 100644 --- a/third-party-libs/bouncycastle-native/generate_bc_configs.sh +++ b/third-party-libs/bouncycastle-native/generate_bc_configs.sh @@ -42,7 +42,7 @@ elif [ "$BC_VERSION""x" == "1.66x" ];then fi echo "Start BouncyCastle tests to collect native image configurations. It may take a while." -gradle $GRADLE_JAVA_HOME test +gradle clean $GRADLE_JAVA_HOME test BASE_MODULES="pg prov pkix core tls mail" if [ $(echo "${BC_VERSION} < 1.69" | bc) = 1 ];then diff --git a/third-party-libs/bouncycastle-native/pom.xml b/third-party-libs/bouncycastle-native/pom.xml index bb7a096..c21c2ec 100644 --- a/third-party-libs/bouncycastle-native/pom.xml +++ b/third-party-libs/bouncycastle-native/pom.xml 
@@ -8,15 +8,14 @@ <version>1.0-SNAPSHOT</version> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> - <enclave.graal.version>enclave-11-22.1.0-1.0</enclave.graal.version> - <graal.version>22.1.0</graal.version> + <graal.version>22.2.0</graal.version> </properties> <dependencies> <dependency> <groupId>org.graalvm.nativeimage</groupId> <artifactId>svm</artifactId> - <version>${enclave.graal.version}</version> + <version>${graal.version}</version> </dependency> <dependency> <groupId>org.graalvm.nativeimage</groupId> diff --git a/third-party-libs/bouncycastle-native/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/bouncycastle-native/native-image.properties b/third-party-libs/bouncycastle-native/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/bouncycastle-native/native-image.properties new file mode 100644 index 0000000..addd595 --- /dev/null +++ b/third-party-libs/bouncycastle-native/src/main/resources/META-INF/native-image/com.alibaba.confidentialcomputing/bouncycastle-native/native-image.properties @@ -0,0 +1,5 @@ +Args=-J--add-exports=jdk.internal.vm.compiler/org.graalvm.compiler.options=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.configure=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.hosted=ALL-UNNAMED \ + -J--add-exports=org.graalvm.nativeimage.builder/com.oracle.svm.core.option=ALL-UNNAMED \ + -J--add-exports=org.graalvm.sdk/org.graalvm.nativeimage.impl=ALL-UNNAMED diff --git a/tools/cicd/Dockerfile b/tools/cicd/Dockerfile index 544392d..e010d98 100644 --- a/tools/cicd/Dockerfile +++ b/tools/cicd/Dockerfile 
@@ -5,14 +5,14 @@ LABEL maintainer="Junshao Wang <[email protected]>" ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 ENV DEBIAN_FRONTEND noninteractive -ADD ["graalvm-enclave-22.1.0.tar", "/root/tools/"] +ADD ["graalvm-ce-java11-22.2.0.tar", "/root/tools/"] ADD ["zlib-1.2.11.tar.gz", "/root/tools/"] ADD ["settings.xml", "/root/tools/"] ADD ["zlib-1.2.11.tar.gz", "/root/tools/"] ADD ["Alibaba_Dragonwell_11.0.15.11.9_x64_alpine-linux.tar.gz", "/root/tools"] ADD ["sgx_linux_x64_sdk_2.17.100.0.bin", "/root/tools/"] -ENV GRAALVM_HOME "/root/tools/graalvm-enclave-22.1.0" -ENV JAVA_HOME "/root/tools/graalvm-enclave-22.1.0" +ENV GRAALVM_HOME "/root/tools/graalvm-ce-java11-22.2.0" +ENV JAVA_HOME "/root/tools/graalvm-ce-java11-22.2.0" ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH" ENV CC=/usr/local/occlum/bin/occlum-gcc @@ -42,4 +42,4 @@ RUN apt-get update && apt-get install -y gdb gnupg wget aptitude libfuse-dev lib cd /root/tools && chmod 777 sgx_linux_x64_sdk_2.17.100.0.bin && echo -e 'no\n/opt/teesdk\n' | ./sgx_linux_x64_sdk_2.17.100.0.bin # copy dcap_occlum lib from occlum docker image. -COPY --from=occlum/occlum:0.26.4-ubuntu18.04 /opt/occlum/toolchains/dcap_lib /opt/occlum/toolchains/dcap_lib \ No newline at end of file +COPY --from=occlum/occlum:0.26.4-ubuntu18.04 /opt/occlum/toolchains/dcap_lib /opt/occlum/toolchains/dcap_lib diff --git a/tools/cicd/make.sh b/tools/cicd/make.sh index 399f774..971b8b7 100755 --- a/tools/cicd/make.sh +++ b/tools/cicd/make.sh @@ -3,7 +3,7 @@ MODE=$1 BUILD_IMAGE=javaenclave_build -BUILD_TAG=v0.1.10 +BUILD_TAG=v0.1.11 SHELL_FOLDER=$(cd "$(dirname "$0")";pwd) 
@@ -13,15 +13,15 @@ WORKDIR=$(dirname $(dirname "$PWD")) # check target images exist or not, build it if not. if [[ "$(docker images -q ${BUILD_IMAGE}:${BUILD_TAG} 2> /dev/null)" == "" ]]; then - # Get the customized Graal VM from [email protected]:graal/SGXGraalVM.git - # This should be replaced to the offical version when all patches are accepted by the Graal community - wget https://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.1.0/graalvm-enclave-22.1.0.tar + # We have built and packaged GraalVM 22.2.0 from source code and then uploaded to OSS, the official release of GraalVM CE required to manually install native-image component. + wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.2.0/graalvm-ce-java11-22.2.0.tar wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/zlib-1.2.11.tar.gz wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/settings_taobao.xml -O settings.xml wget https://dragonwell.oss-cn-shanghai.aliyuncs.com/11/tee_java/dependency/sgx_linux_x64_sdk_2.17.100.0.bin wget https://dragonwell.oss-cn-shanghai.aliyuncs.com/11.0.15.11.9/Alibaba_Dragonwell_11.0.15.11.9_x64_alpine-linux.tar.gz docker build -t ${BUILD_IMAGE}:${BUILD_TAG} . - rm -f graalvm-enclave-22.1.0.tar + rm -f graalvm-ce-java11-22.2.0.tar + rm -f settings.xml rm -f zlib-1.2.11.tar.gz rm -f sgx_linux_x64_sdk_2.17.100.0.bin rm -f Alibaba_Dragonwell_11.0.15.11.9_x64_alpine-linux.tar.gz @@ -50,4 +50,4 @@ elif [ "develop" = "$MODE" ]; then -v /dev/sgx_enclave:/dev/sgx/enclave \ -v /dev/sgx_provision:/dev/sgx/provision \ ${BUILD_IMAGE}:${BUILD_TAG} /bin/bash -fi \ No newline at end of file +fi
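
Review bot: In EnclaveAMD64CPUFeatureAccess.java, `verifyHostSupportsArchitectureEarly()` returns 0 unconditionally, and `verifyHostSupportsArchitectureEarlyOrExit()` and `enableFeatures()` have empty bodies with no comment, so an image built for CPU features the enclave host lacks is no longer rejected at startup. Document in each body why it is a no-op and what the build has to guarantee in its place (for example, that the build-time CPU feature set is fixed to what the target hosts provide). The `determineHostCPUFeatures()` override only calls `super`; either drop it or explain why the parent implementation is safe to call in the enclave when the class comment says the native functions are unsupported.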
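
Review bot: EnclaveAMD64CPUFeatureAccessFeature.java has no test for the behaviour its Javadoc relies on, namely that GraalVM picks the most specific Feature subclass (the reference to `FeatureHandler#registerFeatures`). The `@Override` on `createCPUFeatureAccessSingleton` catches a signature change at compile time, but a change in how features are selected would not be caught. Add a test that builds with `EnclaveOptions.RunInEnclave` set and asserts that the registered singleton is an `EnclaveAMD64CPUFeatureAccess`, so the next GraalVM bump fails loudly instead of crashing in the enclave at startup.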
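
Review bot: The new stub `void fputs() {TRACE_SYMBOL_CALL(); ASSERT();}` in tee_sdk_symbol.c, with `void fputs();` in tee_sdk_symbol.h, redefines a standard C function with a different return type (libc `fputs` returns int) and routes every call into `ASSERT()`. Neither the commit message nor the hunk says which GraalVM 22.2.0 code path pulls the symbol in. Add a comment naming the caller and confirm it is unreachable inside the enclave, since an error-reporting path that reaches this stub would hit `ASSERT()` instead of printing its message.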
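
Review bot: The new sdk/enclave native-image.properties exports more than twenty internal packages to ALL-UNNAMED and additionally opens `org.graalvm.nativeimage.builder/com.oracle.svm.hosted` for deep reflection, with no comment on which class needs which entry. Because the file sits under META-INF/native-image, these arguments apply to every image build that has this jar on its classpath, so keep the list to what the enclave features actually import and say why `--add-opens` is required. The `jdk.vm.ci.amd64` and `jdk.vm.ci.code` exports are also repeated twice in sdk/enclave/pom.xml (compiler args and javadoc options), which gives three lists to keep in sync. The file is also created without a trailing newline, while this same commit adds the missing newline to tee_sdk_symbol.c, tee_sdk_symbol.h, test/enclave/pom.xml, the Dockerfile and make.sh.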
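
Review bot: The serialization-config.json hunk registers `java.lang.Number` for serialization, but neither the commit message nor the Incompatibilities.md change explains why a GraalVM version bump needs it. This list defines which classes can be serialized and deserialized in the enclave image, so record the type or test that requires the entry (in the commit message or the docs) so that it can be reviewed and removed when no longer needed.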
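
Review bot: In tools/cicd/make.sh, the added download line fetches the GraalVM toolchain over plain HTTP (`wget http://graal.oss-cn-beijing.aliyuncs.com/graal-enclave/JDK11-22.2.0/graalvm-ce-java11-22.2.0.tar`) where the removed line used https, and nothing in the hunk verifies the archive before `docker build` ADDs it into the build image. This tarball is the compiler that produces the enclave binary, so use https again and check the download against a pinned SHA-256 before building. The new comment also says the archive was built and packaged from source and uploaded to OSS, while the commit summary says JavaEnclave now depends directly on GraalVM's official release; state which of the two the CI image really uses.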
