enable cargo test for environments without an sgx sdk, and extract …

…the `cargo test` from the docker build command. (#1480)

* [docker] Don't run cargo test as part of the build process, but add it as a separate command instead

* [GHA] add --release to test command

* [GHA] remove cargo test command, as it will not work anyhow.

* remove unnecessary change

* [GHA] fix workflow syntax

* [GHA] fix docker flag

* [service] remove static linking to `Enclave_u` for cargo tests

* don't link against anything if we run tests

* fix build.rs for test and builds

* [GHA] fix cargo test flag

* fix toml fmt

* [GHA] run cargo test on integritee builder

* [GHA] remove cargo test from the matrix

* [GHA] fix syntax

* [GHA] run cargo test not in container but on host directly

* [buil_and_test] run without rustup

* [buil_and_test] run cargo test on the github actions runner again

* working `cargo test` implementation

* [build_and_test] fix feature flag

* [enclave-api] rename `real-ffi` to `implement-ffi`

* [enclave-api] remove obsolete compiler error

* toml fmt

* fix clippy warnings in itp-enclave-api

* [service] extract main file to a separate file

* remove more clippy warnings from enclave-api

* fix clippy warnings in setup file

* allow unused functions due to link-binary flag

* fix clippy

* fix teeracle clippy

* [integritee-service] fix feature gating

* remove redundant feature flags

* [GHA] execute cargo test with --release flag

* [GHA] fix cargo test

.github/workflows/build_and_test.yml

@@ -77,7 +77,7 @@ jobs:
           buildkitd-flags: --debug
           driver: docker-container
 
-      - name: Build Worker & Run Cargo Test
+      - name: Build Worker
         env:
           DOCKER_BUILDKIT: 1
         run: >
@@ -98,7 +98,7 @@ jobs:
       - run: docker images --all
 
       - name: Test Enclave # cargo test is not supported in the enclave, see: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/232
-        run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ env.IMAGE_SUFFIX }} test --all
+        run: docker run --rm ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ env.IMAGE_SUFFIX }} test --all
 
       - name: Export worker image(s)
         run: |
@@ -145,6 +145,8 @@ jobs:
       fail-fast: false
       matrix:
         check: [
+          # Workspace
+          cargo test --release,
           # Worker
           # Use release mode as the CI runs out of disk space otherwise.
           cargo clippy --release -- -D warnings,

Cargo.lock

@@ -2911,7 +2911,6 @@ dependencies = [
  "sgx-verify",
  "sgx_crypto_helper",
  "sgx_types",
- "sgx_urts",
  "sha2 0.7.1",
  "sp-consensus-grandpa",
  "sp-core",

Makefile

@@ -76,13 +76,13 @@ ifeq ($(SGX_PRODUCTION), 1)
 	SGX_ENCLAVE_CONFIG = "enclave-runtime/Enclave.config.production.xml"
 	SGX_SIGN_KEY = $(SGX_COMMERCIAL_KEY)
 	SGX_SIGN_PASSFILE = $(SGX_PASSFILE)
-	WORKER_FEATURES := --features=production,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES)
+	WORKER_FEATURES := --features=production,link-binary,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES)
 else
 	SGX_ENCLAVE_MODE = "Development Mode"
 	SGX_ENCLAVE_CONFIG = "enclave-runtime/Enclave.config.xml"
 	SGX_SIGN_KEY = "enclave-runtime/Enclave_private.pem"
 	SGX_SIGN_PASSFILE = ""
-	WORKER_FEATURES := --features=default,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES)
+	WORKER_FEATURES := --features=default,link-binary,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES)
 endif
 
 CLIENT_FEATURES = --features=$(WORKER_MODE),$(ADDITIONAL_FEATURES)
@@ -170,15 +170,15 @@ $(Worker_Enclave_u_Object): service/Enclave_u.o
 
 $(Worker_Name): $(Worker_Enclave_u_Object) $(SRC_Files)
 	@echo
-	@echo "Building the integritee-service"
+	@echo "Building the integritee-service: $(Worker_Rust_Flags)"
 	@SGX_SDK=$(SGX_SDK) SGX_MODE=$(SGX_MODE) cargo build -p integritee-service $(Worker_Rust_Flags)
 	@echo "Cargo  =>  $@"
 	cp $(Worker_Rust_Path)/integritee-service ./bin
 
 ######## Integritee-client objects ########
 $(Client_Name): $(SRC_Files)
 	@echo
-	@echo "Building the integritee-cli"
+	@echo "Building the integritee-cli $(Client_Rust_Flags)"
 	@cargo build -p integritee-cli $(Client_Rust_Flags)
 	@echo "Cargo  =>  $@"
 	cp $(Client_Rust_Path)/$(Client_Binary) ./bin

build.Dockerfile

@@ -70,7 +70,7 @@ RUN --mount=type=cache,id=cargo-registry-cache,target=/opt/rust/registry/cache,s
 	--mount=type=cache,id=cargo-registry-index,target=/opt/rust/registry/index,sharing=private \
 	--mount=type=cache,id=cargo-git,target=/opt/rust/git/db,sharing=private \
 	--mount=type=cache,id=cargo-sccache-${WORKER_MODE}${ADDITIONAL_FEATURES},target=/home/ubuntu/.cache/sccache \
-	echo ${FINGERPRINT} && make && make identity && cargo test --release && sccache --show-stats
+	echo ${FINGERPRINT} && make && make identity && sccache --show-stats
 
 ### Base Runner Stage
 ### The runner needs the aesmd service for the `SGX_MODE=HW`.

core-primitives/enclave-api/Cargo.toml

@@ -13,7 +13,7 @@ thiserror = "1.0.25"
 
 sgx_crypto_helper = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
 sgx_types = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
-sgx_urts = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
+sgx_urts = { optional = true, branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
 
 frame-support = { git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.42" }
 sp-consensus-grandpa = { git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.42" }
@@ -27,3 +27,10 @@ itp-enclave-api-ffi = { path = "ffi" }
 itp-settings = { path = "../settings" }
 itp-storage = { path = "../storage" }
 itp-types = { path = "../types" }
+
+[features]
+default = []
+implement-ffi = [
+    "sgx_urts",
+    "itp-enclave-api-ffi/link-sgx-libs",
+]

core-primitives/enclave-api/ffi/Cargo.toml

@@ -7,3 +7,8 @@ edition = "2021"
 
 [dependencies]
 sgx_types = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
+
+[features]
+# necessary to run cargo tests without any preliminaries
+# See: https://github.com/rust-lang/cargo/issues/2549
+link-sgx-libs = []

core-primitives/enclave-api/ffi/build.rs

@@ -16,27 +16,29 @@
 
 */
 
-use std::env;
-
 fn main() {
-	let sdk_dir = env::var("SGX_SDK").unwrap_or_else(|_| "/opt/intel/sgxsdk".to_string());
-	let is_sim = env::var("SGX_MODE").unwrap_or_else(|_| "HW".to_string());
-
-	// NOTE: if the crate is a workspace member rustc-paths are relative from the root directory
-	println!("cargo:rustc-link-search=native=./lib");
-	println!("cargo:rustc-link-lib=static=Enclave_u");
-
-	println!("cargo:rustc-link-search=native={}/lib64", sdk_dir);
-	println!("cargo:rustc-link-lib=static=sgx_uprotected_fs");
-	match is_sim.as_ref() {
-		"SW" => {
-			println!("cargo:rustc-link-lib=dylib=sgx_urts_sim");
-			println!("cargo:rustc-link-lib=dylib=sgx_uae_service_sim");
-		},
-		_ => {
-			// HW by default
-			println!("cargo:rustc-link-lib=dylib=sgx_urts");
-			println!("cargo:rustc-link-lib=dylib=sgx_uae_service");
-		},
+	if cfg!(feature = "link-sgx-libs") {
+		use std::env;
+
+		let sdk_dir = env::var("SGX_SDK").unwrap_or_else(|_| "/opt/intel/sgxsdk".to_string());
+		let is_sim = env::var("SGX_MODE").unwrap_or_else(|_| "HW".to_string());
+
+		// NOTE: if the crate is a workspace member rustc-paths are relative from the root directory
+		println!("cargo:rustc-link-search=native=./lib");
+		println!("cargo:rustc-link-lib=static=Enclave_u");
+
+		println!("cargo:rustc-link-search=native={}/lib64", sdk_dir);
+		println!("cargo:rustc-link-lib=static=sgx_uprotected_fs");
+		match is_sim.as_ref() {
+			"SW" => {
+				println!("cargo:rustc-link-lib=dylib=sgx_urts_sim");
+				println!("cargo:rustc-link-lib=dylib=sgx_uae_service_sim");
+			},
+			_ => {
+				// HW by default
+				println!("cargo:rustc-link-lib=dylib=sgx_urts");
+				println!("cargo:rustc-link-lib=dylib=sgx_uae_service");
+			},
+		}
 	}
 }

core-primitives/enclave-api/src/direct_request.rs

@@ -16,37 +16,43 @@
 
 */
 
-use crate::{error::Error, Enclave, EnclaveResult};
-use frame_support::ensure;
-use itp_enclave_api_ffi as ffi;
-use sgx_types::sgx_status_t;
+use crate::EnclaveResult;
 
 pub trait DirectRequest: Send + Sync + 'static {
 	// Todo: Vec<u8> shall be replaced by D: Decode, E: Encode but this is currently
 	// not compatible with the direct_api_server...
 	fn rpc(&self, request: Vec<u8>) -> EnclaveResult<Vec<u8>>;
 }
 
-impl DirectRequest for Enclave {
-	fn rpc(&self, request: Vec<u8>) -> EnclaveResult<Vec<u8>> {
-		let mut retval = sgx_status_t::SGX_SUCCESS;
-		let response_len = 8192;
-		let mut response: Vec<u8> = vec![0u8; response_len as usize];
-
-		let res = unsafe {
-			ffi::call_rpc_methods(
-				self.eid,
-				&mut retval,
-				request.as_ptr(),
-				request.len() as u32,
-				response.as_mut_ptr(),
-				response_len,
-			)
-		};
-
-		ensure!(res == sgx_status_t::SGX_SUCCESS, Error::Sgx(res));
-		ensure!(retval == sgx_status_t::SGX_SUCCESS, Error::Sgx(retval));
-
-		Ok(response)
+#[cfg(feature = "implement-ffi")]
+mod impl_ffi {
+	use super::DirectRequest;
+	use crate::{error::Error, Enclave, EnclaveResult};
+	use frame_support::ensure;
+	use itp_enclave_api_ffi as ffi;
+	use sgx_types::sgx_status_t;
+
+	impl DirectRequest for Enclave {
+		fn rpc(&self, request: Vec<u8>) -> EnclaveResult<Vec<u8>> {
+			let mut retval = sgx_status_t::SGX_SUCCESS;
+			let response_len = 8192;
+			let mut response: Vec<u8> = vec![0u8; response_len as usize];
+
+			let res = unsafe {
+				ffi::call_rpc_methods(
+					self.eid,
+					&mut retval,
+					request.as_ptr(),
+					request.len() as u32,
+					response.as_mut_ptr(),
+					response_len,
+				)
+			};
+
+			ensure!(res == sgx_status_t::SGX_SUCCESS, Error::Sgx(res));
+			ensure!(retval == sgx_status_t::SGX_SUCCESS, Error::Sgx(retval));
+
+			Ok(response)
+		}
 	}
 }