Upgrade base images and playbooks to Ubuntu 20.04 (focal) (#2819)

.azure-pipelines-gh-pages.yml

@@ -7,9 +7,9 @@ trigger:
 
 jobs:
   - job: build_and_publish_docs
-    container: ccfciteam/ccf-ci:oe0.17.1
+    container: ccfciteam/ccf-ci:oe0.17.1-focal
     pool:
-      vmImage: ubuntu-18.04
+      vmImage: ubuntu-20.04
 
     steps:
       - checkout: self

.azure-pipelines-templates/matrix.yml

@@ -5,7 +5,7 @@ parameters:
     Hosted:
       container: nosgx
       pool:
-        vmImage: ubuntu-18.04
+        vmImage: ubuntu-20.04
     NoSGX:
       container: nosgx
       pool: Ubuntu-1804-D8s_v3

.azure-pipelines.yml

@@ -27,11 +27,11 @@ schedules:
 resources:
   containers:
     - container: nosgx
-      image: ccfciteam/ccf-ci:oe0.17.1
+      image: ccfciteam/ccf-ci:oe0.17.1-focal
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
 
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1
+      image: ccfciteam/ccf-ci:oe0.17.1-focal
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
 
 variables:

.daily.yml

@@ -23,11 +23,11 @@ schedules:
 resources:
   containers:
     - container: nosgx
-      image: ccfciteam/ccf-ci:oe0.17.1
+      image: ccfciteam/ccf-ci:oe0.17.1-focal
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache
 
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1
+      image: ccfciteam/ccf-ci:oe0.17.1-focal
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
 
 jobs:

.github/workflows/ci-checks.yml

@@ -8,8 +8,8 @@ on:
 
 jobs:
   checks:
-    runs-on: ubuntu-18.04
-    container: ccfciteam/ccf-ci:oe0.17.1
+    runs-on: ubuntu-20.04
+    container: ccfciteam/ccf-ci:oe0.17.1-focal
 
     steps:
       - name: Checkout repository

.github/workflows/codeql-analysis.yml

@@ -12,7 +12,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
 
     strategy:
       fail-fast: false

.multi-thread.yml

@@ -16,7 +16,7 @@ pr:
 resources:
   containers:
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1
+      image: ccfciteam/ccf-ci:oe0.17.1-focal
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
 
 jobs:

.stress.yml

@@ -21,7 +21,7 @@ schedules:
 resources:
   containers:
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1
+      image: ccfciteam/ccf-ci:oe0.17.1-focal
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
 
 jobs:

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Upgrade OpenEnclave from 0.17.0 to 0.17.1.
 - `get_state_at()` now returns receipts for signature transactions (#2785), see [documentation](https://microsoft.github.io/CCF/main/use_apps/verify_tx.html#transaction-receipts) for details.
+- Upgrade playbooks and base CI image to Ubuntu 20.04
 
 ### Removed
 

doc/build_apps/install_bin.rst

@@ -4,7 +4,7 @@ Install CCF
 Requirements
 ------------
 
-CCF builds and runs on Linux. It is primarily developed and tested on Ubuntu 18.04, with Clang 8.
+CCF builds and runs on Linux. It is primarily developed and tested on Ubuntu 20.04, with Clang 8.
 Running CCF with full security guarantees requires :term:`SGX` hardware with :term:`FLC`.
 
 .. note::

docker/app_ci

@@ -1,7 +1,7 @@
 # Application Continuous Integration image
 # Contains a CCF release, compile toolchain and Azure CLI tooling
 
-FROM ubuntu:18.04
+FROM ubuntu:20.04
 
 ARG extra_vars
 
@@ -10,6 +10,7 @@ RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
 # Work-around for https://github.com/intel/linux-sgx/issues/395
 RUN mkdir -p /etc/init
 
+ENV UBUNTU=focal
 ENV PSW_VERSION=2.13.103
 RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi
 ENV DCAP_CLIENT_VERSION=1.10
@@ -20,9 +21,9 @@ RUN apt-get update && apt-get install -y wget gnupg
 # Use the APT preference file to pin sgx packages to specific versions
 # Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html
 # Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/
-# Assuming file name to follow *sgx_<PSW_VERSION>_bionic_custom_version.cfg convention
-RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
-RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
+# Assuming file name to follow *sgx_<PSW_VERSION>_${UBUNTU}_custom_version.cfg convention
+RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
+RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
 
 COPY getting_started/setup_vm/ /setup_vm/
 RUN apt update \

docker/app_run

@@ -1,7 +1,7 @@
 # Application Runtime image
 # Contains the cchost binary and its runtime dependencies
 
-FROM ubuntu:18.04
+FROM ubuntu:20.04
 
 ARG extra_vars
 
@@ -10,6 +10,7 @@ RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
 # Work-around for https://github.com/intel/linux-sgx/issues/395
 RUN mkdir -p /etc/init
 
+ENV UBUNTU=focal
 ENV PSW_VERSION=2.13.103
 RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi
 ENV DCAP_CLIENT_VERSION=1.10
@@ -20,9 +21,9 @@ RUN apt-get update && apt-get install -y wget gnupg
 # Use the APT preference file to pin sgx packages to specific versions
 # Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html
 # Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/
-# Assuming file name to follow *sgx_<PSW_VERSION>_bionic_custom_version.cfg convention
-RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
-RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
+# Assuming file name to follow *sgx_<PSW_VERSION>_${UBUNTU}_custom_version.cfg convention
+RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
+RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
 
 COPY getting_started/setup_vm/ /setup_vm/
 RUN apt update \

docker/ccf_ci

@@ -1,13 +1,16 @@
 # CCF Continuous Integration image
 # Contains CCF build dependencies, compile toolchain and Azure CLI tooling
 
-FROM ubuntu:18.04
+FROM ubuntu:20.04
+
+ARG extra_vars
 
 RUN echo "APT::Acquire::Retries \"5\";" | tee /etc/apt/apt.conf.d/80-retries
 
 # Work-around for https://github.com/intel/linux-sgx/issues/395
 RUN mkdir -p /etc/init
 
+ENV UBUNTU=focal
 ENV PSW_VERSION=2.13.103
 RUN if [ -z "$PSW_VERSION" ]; then echo "Please set PSW_VERSION (e.g. 2.11)." >&2; exit 1; fi
 ENV DCAP_CLIENT_VERSION=1.10
@@ -18,9 +21,9 @@ RUN apt-get update && apt-get install -y wget gnupg
 # Use the APT preference file to pin sgx packages to specific versions
 # Reference https://manpages.debian.org/buster/apt/apt_preferences.5.en.html
 # Download the pref file from https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/
-# Assuming file name to follow *sgx_<PSW_VERSION>_bionic_custom_version.cfg convention
-RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
-RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_bionic_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
+# Assuming file name to follow *sgx_<PSW_VERSION>_${UBUNTU}_custom_version.cfg convention
+RUN ["/bin/bash", "-c", "wget -r -l1 --no-parent -nd -A *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/"]
+RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_version.cfg /etc/apt/preferences.d/intel-sgx.pref"]
 
 COPY getting_started/setup_vm/ /setup_vm/
 RUN apt update \

getting_started/setup_vm/ccf-dev.yml

@@ -9,9 +9,6 @@
     - import_role:
         name: openenclave
         tasks_from: binary_install.yml
-    - import_role:
-        name: llvm_repo
-        tasks_from: install.yml
     - import_role:
         name: nodejs
         tasks_from: install.yml

getting_started/setup_vm/roles/ccf_build/tasks/install.yml

@@ -1,24 +1,6 @@
 - name: Include vars
   include_vars: common.yml
 
-- name: Add Python PPA
-  apt_repository:
-    repo: ppa:deadsnakes/ppa
-  become: true
-
-- name: Add CMake repository key
-  apt_key:
-    url: "https://apt.kitware.com/keys/kitware-archive-latest.asc"
-    state: present
-  become: yes
-
-- name: Add CMake repository
-  apt_repository:
-    repo: "deb https://apt.kitware.com/ubuntu/ {{ ansible_distribution_release }} main"
-    state: present
-    update_cache: yes
-  become: yes
-
 - name: Install debs
   apt:
     name: "{{ debs }}"
@@ -69,36 +51,18 @@
 
 - name: Download doxygen
   get_url:
-    url: https://github.com/doxygen/doxygen/archive/Release_{{ doxygen_src }}
-    dest: "{{ workspace }}/{{ doxygen_src }}"
-  become: true
-
-- name: Remove existing doxygen checkout
-  file:
-    path: "{{ workspace }}/doxygen-{{ doxygen_dir }}"
-    state: absent
+    url: "{{ doxygen_url }}"
+    dest: "{{ workspace }}/{{ doxygen_bin }}"
 
 - name: Expand doxygen
   unarchive:
-    src: "{{ workspace }}/{{ doxygen_src }}"
+    src: "{{ workspace }}/{{ doxygen_bin }}"
     dest: "{{ workspace }}"
     copy: no
-    creates: "{{ workspace }}/doxygen-{{ doxygen_dir }}/CMakeLists.txt"
-
-- name: Make doxygen build dir
-  file:
-    path: "{{ workspace }}/doxygen-{{ doxygen_dir }}/build"
-    state: directory
-
-- name: Build doxygen
-  shell: |
-    CC=$(which clang-8) CXX=$(which clang++-8) cmake -DCMAKE_BUILD_TYPE=Release ..
-    make
-  args:
-    chdir: "{{ workspace }}/doxygen-{{ doxygen_dir }}/build"
+    creates: "{{ workspace }}/doxygen-{{ doxygen_ver }}/Makefile"
 
 - name: Install doxygen
   command: make install
   args:
-    chdir: "{{ workspace }}/doxygen-{{ doxygen_dir }}/build"
+    chdir: "{{ workspace }}/doxygen-{{ doxygen_ver }}"
   become: true

getting_started/setup_vm/roles/ccf_build/vars/common.yml

@@ -11,17 +11,20 @@ debs:
   - clang-8
   - clang-format-8
   - clang-tools-8
+  - build-essential
   - expect
   - git
   - ccache
-  - kmod
+  - kmod # modinfo for sgxinfo.sh
   - cmake
   - libssl-dev
-  - jq
+  - jq # operation scripts
   - sudo
-  - curl
-  - shellcheck
-  - iptables
+  - curl # client test infra
+  - shellcheck # bash lint
+  - iptables # partition test infra
+  - libclang1-9 # required by doxygen
+  - libclang-cpp9 # required by doxygen
   - flex # required to build doxygen
   - bison # required to build doxygen
 
@@ -29,6 +32,6 @@ mbedtls_ver: "2.16.10"
 mbedtls_dir: "mbedtls-{{ mbedtls_ver }}"
 mbedtls_src: "{{ mbedtls_dir }}.tar.gz"
 
-doxygen_ver: "1_9_1"
-doxygen_dir: "Release_{{ doxygen_ver }}"
-doxygen_src: "{{ doxygen_ver }}.tar.gz"
+doxygen_ver: "1.9.1"
+doxygen_bin: "doxygen-{{ doxygen_ver }}.linux.bin.tar.gz"
+doxygen_url: "https://doxygen.nl/files/{{ doxygen_bin }}"

getting_started/setup_vm/roles/intel/vars/common.yml

@@ -3,8 +3,8 @@
 
 ---
 flc_enabled: true
-intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu18.04-server/sgx_linux_x64_driver_1.35.bin"
-intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu18.04-server/sgx_linux_x64_driver_2.11.0_0373e2e.bin"
+intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin"
+intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin"
 
 intel_sgx_packages:
   - "libsgx-enclave-common"

getting_started/setup_vm/roles/openenclave/tasks/binary_install.yml

@@ -70,7 +70,7 @@
 - name: Copy Intel LVI as
   copy:
     remote_src: yes
-    src: "{{ workspace }}/external/toolset/ubuntu18.04/as"
+    src: "{{ workspace }}/external/toolset/ubuntu20.04/as"
     dest: "{{ oe_lvi_bin_dir }}/as"
     mode: "0775"
   become: yes
@@ -78,7 +78,7 @@
 - name: Copy Intel LVI ld
   copy:
     remote_src: yes
-    src: "{{ workspace }}/external/toolset/ubuntu18.04/ld"
+    src: "{{ workspace }}/external/toolset/ubuntu20.04/ld"
     dest: "{{ oe_lvi_bin_dir }}/ld"
     mode: "0775"
   become: yes

getting_started/setup_vm/roles/openenclave/vars/common.yml

@@ -11,7 +11,7 @@ oe_playbook: scripts/ansible/oe-contributors-acc-setup-no-driver.yml
 oe_build_opts: ""
 
 # Binary install
-oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_1804_open-enclave_{{ oe_ver_ }}_amd64.deb"
+oe_deb: "https://github.com/openenclave/openenclave/releases/download/v{{ oe_ver }}/Ubuntu_2004_open-enclave_{{ oe_ver_ }}_amd64.deb"
 
 # LVI mitigations
 oe_lvi_scripts_dir: "{{ oe_prefix }}/bin/scripts/lvi-mitigation"
@@ -19,4 +19,4 @@ oe_lvi_clang_version: "clang-8"
 oe_lvi_clangpp_version: "clang++-8"
 oe_lvi_bin_dir: /opt/oe_lvi
 oe_lvi_toolset_name: "as.ld.objdump.gold.r3.tar.gz"
-oe_lvi_intel_bin_url: "https://download.01.org/intel-sgx/sgx-linux/2.13.3/{{ oe_lvi_toolset_name }}"
+oe_lvi_intel_bin_url: "https://download.01.org/intel-sgx/sgx-linux/2.14/{{ oe_lvi_toolset_name }}"

getting_started/setup_vm/run.sh

@@ -4,11 +4,6 @@
 
 set -ex
 
-# Bionic/18.04 ships ansible 2.5, which does not support some of
-# the features our playbooks need like apt_repository. Once we
-# upgrade to 20.4, the following two lines can be removed.
-sudo add-apt-repository ppa:ansible/ansible -y
 sudo apt-get update
-
 sudo apt install ansible -y
 ansible-playbook "$@"

python/utils/verify_quote.sh

@@ -50,7 +50,7 @@ if [ ${#trusted_mrenclaves[@]} -eq 0 ]; then
     for code_id in $(curl -sS --fail -X GET "${node_address}"/node/code "${@}" | jq .versions | jq -c ".[]"); do
         code_status=$(echo "${code_id}" | jq -r .status)
         if [ "${code_status}" = "AllowedToJoin" ]; then
-            trusted_mrenclaves+=($(echo "${code_id}" | jq -r .digest))
+            trusted_mrenclaves+=("$(echo "${code_id}" | jq -r .digest)")
         fi
     done
     echo "Retrieved ${#trusted_mrenclaves[@]} accepted code versions from CCF service."

scripts/ci-checks.sh

@@ -57,7 +57,7 @@ if [ ! -f "scripts/env/bin/activate" ]
 fi
 
 source scripts/env/bin/activate
-pip --disable-pip-version-check install -U black pylint mypy 1>/dev/null
+pip --disable-pip-version-check install -U wheel black pylint mypy 1>/dev/null
 
 echo "Python format"
 if [ $FIX -ne 0 ]; then

tests/jwt_test.py

@@ -142,9 +142,26 @@ def test_jwt_with_sgx_key_policy(network, args):
     kid = "my_kid"
     issuer = infra.jwt_issuer.JwtIssuer("my_issuer", oe_cert_pem)
 
+    oesign = os.path.join(args.oe_binary, "oesign")
+    oeutil_enc = os.path.join(args.oe_binary, "oeutil_enc.signed")
+    sc = infra.proc.ccall(
+        oesign,
+        "dump",
+        "-e",
+        oeutil_enc,
+    )
+    sc.check_returncode()
+    lines = sc.stdout.decode().split()
+    for line in lines:
+        if line.startswith("mrsigner="):
+            mrsigner = line.strip().split("=")[1]
+            break
+    else:
+        assert False, f"Could not find mrsigner in {lines}"
+
     matching_key_policy = {
         "sgx_claims": {
-            "signer_id": "c03633124785becb6b1b007e45e4ba8f07aea3000c9a500e91e00bdd5a232d46",
+            "signer_id": mrsigner,
             "attributes": "0300000000000000",
         }
     }

tests/sandbox/sandbox.sh

@@ -55,7 +55,7 @@ if [ -f "${VERSION_FILE}" ]; then
         extra_args+=(--package "${PATH_HERE}/../lib/libjs_generic")
         extra_args+=(--js-app-bundle "${PATH_HERE}/../samples/logging/js")
     fi
-    if [ ! -z "${PYTHON_PACKAGE_PATH}" ]; then
+    if [ -n "${PYTHON_PACKAGE_PATH}" ]; then
         # With an install tree, the python package can be specified, e.g. when testing
         # an install just before it is released
         echo "Using python package: ${PYTHON_PACKAGE_PATH}"

tests/test_install.sh

@@ -40,7 +40,7 @@ fi
 
 # Setup env
 INSTALL_PREFIX="$1"
-if [ ! -z "$PYTHON_PACKAGE_PATH" ]; then
+if [ -n "$PYTHON_PACKAGE_PATH" ]; then
     PYTHON_PACKAGE_PATH=$(realpath -s "${PYTHON_PACKAGE_PATH}")
 fi
 working_dir="nested/run"

tests/test_install_build.sh

@@ -5,5 +5,5 @@ set -ex
 
 mkdir -p build_against_install
 cd build_against_install
-CC=$(which clang-8) CXX=$(which clang++-8) cmake -GNinja ../samples/apps/logging/
+CC=$(command -v clang-8) CXX=$(command -v clang++-8) cmake -GNinja ../samples/apps/logging/
 ninja