Remove open-enclave-hostverify dependency in virtual and snp builds (#6423)

Co-authored-by: Max Tropets <maxtropets@gmail.com> Co-authored-by: Max <maxtropets@microsoft.com>
2024-08-06 11:41:11 +01:00 · 2024-08-06 11:41:11 +01:00 · 20965ebdcb
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -56,7 +56,7 @@ jobs:
          set -ex
          mkdir build
          cd build
-          cmake -DCOMPILE_TARGET=virtual -DREQUIRE_OPENENCLAVE=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
+          cmake -DCOMPILE_TARGET=virtual -DCMAKE_BUILD_TYPE=Debug -DBUILD_TESTS=OFF -DLVI_MITIGATIONS=OFF ..
        name: Run CMake

      - run: |
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -716,7 +716,6 @@ elseif(COMPILE_TARGET STREQUAL "snp")
           nghttp2.snp
           ${CMAKE_THREAD_LIBS_INIT}
  )
-  link_openenclave_host(ccf.snp)

  set_property(TARGET ccf.snp PROPERTY POSITION_INDEPENDENT_CODE ON)

@ -767,7 +766,6 @@ elseif(COMPILE_TARGET STREQUAL "virtual")
           nghttp2.host
           ${CMAKE_THREAD_LIBS_INIT}
  )
-  link_openenclave_host(ccf.virtual)

  set_property(TARGET ccf.virtual PROPERTY POSITION_INDEPENDENT_CODE ON)

--- a/cmake/ccf_app.cmake
+++ b/cmake/ccf_app.cmake
@ -240,6 +240,5 @@ function(add_host_library name)
  add_library(${name} ${files})
  target_compile_options(${name} PUBLIC ${COMPILE_LIBCXX})
  target_link_libraries(${name} PUBLIC ${LINK_LIBCXX} -lgcc)
-  link_openenclave_host(${name})
  set_property(TARGET ${name} PROPERTY POSITION_INDEPENDENT_CODE ON)
 endfunction()
--- a/cmake/common.cmake
+++ b/cmake/common.cmake
@ -10,7 +10,6 @@ function(add_unit_test name)
  )
  enable_coverage(${name})
  target_link_libraries(${name} PRIVATE ${LINK_LIBCXX} ccfcrypto.host -pthread)
-  link_openenclave_host(${name})
  add_san(${name})

  add_test(NAME ${name} COMMAND ${name})
--- a/cmake/cpack_settings.cmake
+++ b/cmake/cpack_settings.cmake
@ -30,11 +30,7 @@ if(COMPILE_TARGET STREQUAL "sgx")
       "libc++1-11;libc++abi1-11;open-enclave (>=${OE_VERSION})"
  )
 else()
-  list(
-    APPEND
-    CCF_DEB_DEPENDENCIES
-    "libc++1-15;libc++abi1-15;open-enclave-hostverify (>=${OE_VERSION}) | open-enclave (>=${OE_VERSION})"
-  )
+  list(APPEND CCF_DEB_DEPENDENCIES "libc++1-15;libc++abi1-15")
 endif()

 list(JOIN CCF_DEB_DEPENDENCIES ", " CPACK_DEBIAN_PACKAGE_DEPENDS)
--- a/cmake/open_enclave.cmake
+++ b/cmake/open_enclave.cmake
@ -1,17 +1,7 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the Apache 2.0 License.

-# We allow for Open Enclave (and Open Enclave HostVerify) to _not_ be installed,
-# with some limitations (e.g. virtual/snp builds cannot verify sgx attestation
-# reports). This can hopefully be removed by 5.x (see
-# https://github.com/microsoft/CCF/issues/5291).
-option(REQUIRE_OPENENCLAVE "Requires Open Enclave or HostVerify variant" ON)
-
-if(REQUIRE_OPENENCLAVE)
-  if(NOT COMPILE_TARGET STREQUAL "sgx")
-    set(COMPONENT "OEHOSTVERIFY")
-  endif()
-
+if(COMPILE_TARGET STREQUAL "sgx")
  # Find OpenEnclave package
  find_package(OpenEnclave 0.19.7 CONFIG REQUIRED)

@ -52,16 +42,5 @@ if(REQUIRE_OPENENCLAVE)
    endfunction()

    set(OE_HOST_LIBRARY openenclave::oehost)
-  else()
-    set(OE_HOST_LIBRARY openenclave::oehostverify)
  endif()
-elseif(COMPILE_TARGET STREQUAL "sgx")
-  message(FATAL_ERROR "Open Enclave is required for SGX target")
 endif()
-
-function(link_openenclave_host name)
-  if(REQUIRE_OPENENCLAVE)
-    target_link_libraries(${name} PUBLIC ${OE_HOST_LIBRARY})
-    target_compile_definitions(${name} PUBLIC SGX_ATTESTATION_VERIFICATION)
-  endif()
-endfunction()
--- a/getting_started/setup_vm/app-dev.yml
+++ b/getting_started/setup_vm/app-dev.yml
@ -19,21 +19,10 @@
    - import_role:
        name: az_dcap
        tasks_from: install.yml
-
-    # If OE is already installed, we don't want to install hostverify as they are mutually
-    # exclusive. Non-SGX CCF builds can use either of them.
-    - name: Gather the package facts
-      ansible.builtin.package_facts:
-        manager: auto
    - import_role:
        name: openenclave
        tasks_from: binary_install.yml
-      when: (platform == "sgx") or ("open-enclave" in ansible_facts.packages)
-    - import_role:
-        name: openenclave
-        tasks_from: install_host_verify.yml
-      when: (platform != "sgx") and ("open-enclave" not in ansible_facts.packages)
-
+      when: platform == "sgx"
    - import_role:
        name: ccf_build
        tasks_from: install.yml
--- a/getting_started/setup_vm/app-run.yml
+++ b/getting_started/setup_vm/app-run.yml
@ -23,10 +23,6 @@
        name: openenclave
        tasks_from: binary_install.yml
      when: platform == "sgx"
-    - import_role:
-        name: openenclave
-        tasks_from: install_host_verify.yml
-      when: platform != "sgx"
    - import_role:
        name: ccf_install
        tasks_from: deb_install.yml
--- a/getting_started/setup_vm/ccf-dev.yml
+++ b/getting_started/setup_vm/ccf-dev.yml
@ -2,7 +2,6 @@
  vars:
    platform: "sgx"
    clang_version: "11"
-    require_open_enclave: true
  tasks:
    - import_role:
        name: llvm_repo
@ -19,15 +18,11 @@
    - import_role:
        name: az_dcap
        tasks_from: install.yml
-      when: require_open_enclave
+      when: platform == "sgx"
    - import_role:
        name: openenclave
        tasks_from: binary_install.yml
      when: platform == "sgx"
-    - import_role:
-        name: openenclave
-        tasks_from: install_host_verify.yml
-      when: platform != "sgx" and require_open_enclave
    - import_role:
        name: nodejs
        tasks_from: install.yml
--- a/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml
+++ b/getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml
@ -1,12 +1,6 @@
 - name: Include vars
  include_vars: common.yml

- name: Uninstall Open Enclave Host Verify
-  apt:
-    name: open-enclave-hostverify
-    state: absent
-  become: yes
-
 - name: Install Open Enclave
  apt:
    deb: "{{ oe_deb }}"
--- a/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml
+++ b/getting_started/setup_vm/roles/openenclave/tasks/install_host_verify.yml
@ -1,7 +0,0 @@
- name: Include vars
-  include_vars: common.yml
-
- name: Install Open Enclave Host Verify
-  apt:
-    deb: "{{ oe_host_verify_deb }}"
-  become: true
--- a/getting_started/setup_vm/roles/openenclave/vars/common.yml
+++ b/getting_started/setup_vm/roles/openenclave/vars/common.yml
@ -12,4 +12,3 @@ oe_build_opts: "-DLVI_MITIGATION=ControlFlow-GNU"

 # Binary install
 oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave_{{ oe_ver_ }}_amd64.deb"
-oe_host_verify_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave-hostverify_{{ oe_ver_ }}_amd64.deb"
--- a/tests/infra/e2e_args.py
+++ b/tests/infra/e2e_args.py
@ -77,6 +77,7 @@ def cli_args(
        "--oe-binary",
        help="Path to Open Enclave binary folder",
        type=str,
+        nargs="?",
        default="/opt/openenclave/bin/",
    )
    parser.add_argument(