Improve install with exported options (#986)

.azure-pipelines-templates/matrix.yml

@@ -33,7 +33,7 @@ parameters:
     common:
       cmake_args: '-DCMAKE_C_COMPILER_LAUNCHER="ccache" -DCMAKE_CXX_COMPILER_LAUNCHER="ccache"'
     NoSGX:
-      cmake_args: '-DTARGET=virtual -DCOVERAGE=ON'
+      cmake_args: '-DCOMPILE_TARGETS=virtual -DCOVERAGE=ON'
     SGX:
       cmake_args: ''
     debug:

CMakeLists.txt

@@ -42,7 +42,7 @@ option(BUILD_SMALLBANK "Build SmallBank sample app and clients" ON)
 # Build common library for CCF enclaves
 add_custom_target(ccf ALL)
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   # enclave version
   add_library(
     ccf.enclave STATIC
@@ -94,7 +94,7 @@ if("sgx" IN_LIST TARGET)
   add_dependencies(ccf ccf.enclave)
 endif()
 
-if("virtual" IN_LIST TARGET)
+if("virtual" IN_LIST COMPILE_TARGETS)
   # virtual version
   add_library(
     ccf.virtual STATIC ${CCF_DIR}/src/enclave/main.cpp

cmake/ccf_app.cmake

@@ -2,8 +2,16 @@
 # Licensed under the Apache 2.0 License.
 
 set(ALLOWED_TARGETS "sgx;virtual")
+
+set(COMPILE_TARGETS
+    "sgx;virtual"
+    CACHE
+      STRING
+      "List of target compilation platforms. Choose from: ${ALLOWED_TARGETS}"
+)
+
 set(IS_VALID_TARGET "FALSE")
-foreach(REQUESTED_TARGET ${TARGET})
+foreach(REQUESTED_TARGET ${COMPILE_TARGETS})
   if(${REQUESTED_TARGET} IN_LIST ALLOWED_TARGETS)
     set(IS_VALID_TARGET "TRUE")
   else()
@@ -17,10 +25,16 @@ endforeach()
 if((NOT ${IS_VALID_TARGET}))
   message(
     FATAL_ERROR
-      "Variable list 'TARGET' must include at least one supported target. Choose from: ${ALLOWED_TARGETS}"
+      "Variable list 'COMPILE_TARGETS' must include at least one supported target. Choose from: ${ALLOWED_TARGETS}"
   )
 endif()
 
+find_package(OpenEnclave 0.8 CONFIG REQUIRED)
+# As well as pulling in openenclave:: targets, this sets variables which can be
+# used for our edge cases (eg - for virtual libraries). These do not follow the
+# standard naming patterns, for example use OE_INCLUDEDIR rather than
+# OpenEnclave_INCLUDE_DIRS
+
 # Sign a built enclave library with oesign
 function(sign_app_library name app_oe_conf_path enclave_sign_key_path)
   if(TARGET ${name})
@@ -100,7 +114,7 @@ function(add_ccf_app name)
 
   add_custom_target(${name} ALL)
 
-  if("sgx" IN_LIST TARGET)
+  if("sgx" IN_LIST COMPILE_TARGETS)
     set(enc_name ${name}.enclave)
 
     add_library(${enc_name} SHARED ${PARSED_ARGS_SRCS})
@@ -125,7 +139,7 @@ function(add_ccf_app name)
     add_dependencies(${name} ${enc_name})
   endif()
 
-  if("virtual" IN_LIST TARGET)
+  if("virtual" IN_LIST COMPILE_TARGETS)
     # Build a virtual enclave, loaded as a shared library without OE
     set(virt_name ${name}.virtual)
 

cmake/common.cmake

@@ -25,29 +25,6 @@ find_package(Threads REQUIRED)
 
 set(PYTHON unbuffer python3)
 
-set(SERVICE_IDENTITY_CURVE_CHOICE
-    "secp384r1"
-    CACHE STRING
-          "One of secp384r1, ed25519, secp256k1_mbedtls, secp256k1_bitcoin"
-)
-if(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp384r1")
-  add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_SECP384R1)
-  set(DEFAULT_PARTICIPANTS_CURVE "secp384r1")
-elseif(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "ed25519")
-  add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_ED25519)
-  set(DEFAULT_PARTICIPANTS_CURVE "ed25519")
-elseif(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp256k1_mbedtls")
-  add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_MBEDTLS)
-  set(DEFAULT_PARTICIPANTS_CURVE "secp256k1")
-elseif(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp256k1_bitcoin")
-  add_definitions(-DSERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_BITCOIN)
-  set(DEFAULT_PARTICIPANTS_CURVE "secp256k1")
-else()
-  message(
-    FATAL_ERROR "Unsupported curve choice ${SERVICE_IDENTITY_CURVE_CHOICE}"
-  )
-endif()
-
 set(DISTRIBUTE_PERF_TESTS
     ""
     CACHE
@@ -72,7 +49,7 @@ endif()
 option(VERBOSE_LOGGING "Enable verbose logging" OFF)
 set(TEST_HOST_LOGGING_LEVEL "info")
 if(VERBOSE_LOGGING)
-  add_definitions(-DVERBOSE_LOGGING)
+  add_compile_definitions(VERBOSE_LOGGING)
   set(TEST_HOST_LOGGING_LEVEL "debug")
 endif()
 
@@ -80,14 +57,14 @@ option(NO_STRICT_TLS_CIPHERSUITES
        "Disable strict list of valid TLS ciphersuites" OFF
 )
 if(NO_STRICT_TLS_CIPHERSUITES)
-  add_definitions(-DNO_STRICT_TLS_CIPHERSUITES)
+  add_compile_definitions(NO_STRICT_TLS_CIPHERSUITES)
 endif()
 
 option(USE_NULL_ENCRYPTOR "Turn off encryption of ledger updates - debug only"
        OFF
 )
 if(USE_NULL_ENCRYPTOR)
-  add_definitions(-DUSE_NULL_ENCRYPTOR)
+  add_compile_definitions(USE_NULL_ENCRYPTOR)
 endif()
 
 option(SAN "Enable Address and Undefined Behavior Sanitizers" OFF)
@@ -99,12 +76,12 @@ option(DEBUG_CONFIG "Enable non-production options options to aid debugging"
        OFF
 )
 if(DEBUG_CONFIG)
-  add_definitions(-DDEBUG_CONFIG)
+  add_compile_definitions(DEBUG_CONFIG)
 endif()
 
 option(USE_NLJSON_KV_SERIALISER "Use nlohmann JSON as the KV serialiser" OFF)
 if(USE_NLJSON_KV_SERIALISER)
-  add_definitions(-DUSE_NLJSON_KV_SERIALISER)
+  add_compile_definitions(USE_NLJSON_KV_SERIALISER)
 endif()
 
 enable_language(ASM)
@@ -117,21 +94,13 @@ include_directories(
   ${CCF_DIR}/3rdparty/flatbuffers/include
 )
 
-set(TARGET
-    "sgx;virtual"
-    CACHE STRING "One of sgx, virtual, or 'sgx;virtual'"
-)
-
 find_package(MbedTLS REQUIRED)
 
 set(CLIENT_MBEDTLS_INCLUDE_DIR "${MBEDTLS_INCLUDE_DIRS}")
 set(CLIENT_MBEDTLS_LIBRARIES "${MBEDTLS_LIBRARIES}")
 
-find_package(OpenEnclave CONFIG REQUIRED)
-# As well as pulling in openenclave:: targets, this sets variables which can be
-# used for our edge cases (eg - for virtual libraries). These do not follow the
-# standard naming patterns, for example use OE_INCLUDEDIR rather than
-# OpenEnclave_INCLUDE_DIRS
+include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake)
+install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake DESTINATION cmake)
 
 add_custom_command(
   COMMAND openenclave::oeedger8r ${CCF_DIR}/edl/ccf.edl --trusted --trusted-dir
@@ -143,9 +112,6 @@ add_custom_command(
   COMMENT "Generating code from EDL, and renaming to .cpp"
 )
 
-include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake)
-install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/cmake/ccf_app.cmake DESTINATION cmake)
-
 # Copy utilities from tests directory
 set(CCF_UTILITIES tests.sh keygenerator.sh cimetrics_env.sh
                   upload_pico_metrics.py scurl.sh
@@ -164,7 +130,7 @@ install(PROGRAMS ${CCF_DIR}/tests/scurl.sh ${CCF_DIR}/tests/keygenerator.sh
 # Install getting_started scripts for VM creation and setup
 install(DIRECTORY ${CCF_DIR}/getting_started/ DESTINATION getting_started)
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   # If OE was built with LINK_SGX=1, then we also need to link SGX
   if(OE_SGX)
     message(STATUS "Linking SGX")
@@ -244,7 +210,7 @@ function(add_unit_test name)
   set_property(TEST ${name} APPEND PROPERTY LABELS unit_test)
 endfunction()
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   # Host Executable
   add_executable(
     cchost ${CCF_DIR}/src/host/main.cpp ${CCF_GENERATED_DIR}/ccf_u.cpp
@@ -272,7 +238,7 @@ if("sgx" IN_LIST TARGET)
   install(TARGETS cchost DESTINATION bin)
 endif()
 
-if("virtual" IN_LIST TARGET)
+if("virtual" IN_LIST COMPILE_TARGETS)
   if(SAN)
     set(SNMALLOC_LIB)
     set(SNMALLOC_CPP)
@@ -430,8 +396,7 @@ function(add_e2e_test)
       NAME ${PARSED_ARGS_NAME}
       COMMAND
         ${PYTHON} ${PARSED_ARGS_PYTHON_SCRIPT} -b . --label ${PARSED_ARGS_NAME}
-        ${CCF_NETWORK_TEST_ARGS} --participants-curve
-        ${DEFAULT_PARTICIPANTS_CURVE} --consensus ${PARSED_ARGS_CONSENSUS}
+        ${CCF_NETWORK_TEST_ARGS} --consensus ${PARSED_ARGS_CONSENSUS}
         ${PARSED_ARGS_ADDITIONAL_ARGS}
     )
 
@@ -473,7 +438,7 @@ function(add_perf_test)
   endif()
 
   set(TESTS_SUFFIX "")
-  if("sgx" IN_LIST TARGET)
+  if("sgx" IN_LIST COMPILE_TARGETS)
     set(TESTS_SUFFIX "${TESTS_SUFFIX}_SGX")
   endif()
   if("raft" STREQUAL ${PARSED_ARGS_CONSENSUS})

cmake/crypto.cmake

@@ -16,7 +16,7 @@ file(GLOB_RECURSE EVERCRYPT_SRC "${EVERCRYPT_PREFIX}/*.[cS]")
 
 # We need two versions of EverCrypt, because it depends on libc
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   add_library(evercrypt.enclave STATIC ${EVERCRYPT_SRC})
   target_compile_options(
     evercrypt.enclave PRIVATE -Wno-implicit-function-declaration
@@ -53,7 +53,7 @@ set(CCFCRYPTO_SRC ${CCF_DIR}/src/crypto/hash.cpp
 
 set(CCFCRYPTO_INC ${CCF_DIR}/src/crypto/ ${EVERCRYPT_INC})
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   add_library(ccfcrypto.enclave STATIC ${CCFCRYPTO_SRC})
   target_compile_definitions(
     ccfcrypto.enclave PRIVATE INSIDE_ENCLAVE _LIBCPP_HAS_THREAD_API_PTHREAD

cmake/pbft.cmake

@@ -2,11 +2,11 @@
 # Licensed under the Apache 2.0 License.
 # PBFT
 
-add_definitions(-DSIGN_BATCH)
+add_compile_definitions(SIGN_BATCH)
 set(SIGN_BATCH ON)
 
 if(SAN)
-  add_definitions(-DUSE_STD_MALLOC)
+  add_compile_definitions(USE_STD_MALLOC)
 endif()
 
 set(PBFT_SRC
@@ -54,7 +54,7 @@ set(PBFT_SRC
     ${CMAKE_SOURCE_DIR}/src/consensus/pbft/libbyz/Append_entries.cpp
 )
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   add_library(libbyz.enclave STATIC ${PBFT_SRC})
   target_compile_options(libbyz.enclave PRIVATE -nostdinc)
   target_compile_definitions(
@@ -76,7 +76,7 @@ endif()
 
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
-if("virtual" IN_LIST TARGET)
+if("virtual" IN_LIST COMPILE_TARGETS)
 
   add_library(libbyz.host STATIC ${PBFT_SRC})
   target_compile_options(libbyz.host PRIVATE -stdlib=libc++)

cmake/quickjs.cmake

@@ -23,7 +23,7 @@ message(STATUS "QuickJS prefix: ${QUICKJS_PREFIX} version: ${QUICKJS_VERSION}")
 
 # We need two versions of libquickjs, because it depends on libc
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   add_library(
     quickjs.enclave STATIC ${QUICKJS_SRC} ${CCF_DIR}/3rdparty/stub/stub.c
   )

cmake/secp256k1.cmake

@@ -1,7 +1,7 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the Apache 2.0 License.
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   add_library(
     secp256k1.enclave STATIC ${CCF_DIR}/3rdparty/secp256k1/src/secp256k1.c
   )

cmake/sss.cmake

@@ -11,7 +11,7 @@ set(SSS_SRC ${SSS_PREFIX}/sss.c ${SSS_PREFIX}/hazmat.c
             ${SSS_PREFIX}/tweetnacl.c
 )
 
-if("sgx" IN_LIST TARGET)
+if("sgx" IN_LIST COMPILE_TARGETS)
   add_library(sss.enclave STATIC ${SSS_SRC})
   set_property(TARGET sss.enclave PROPERTY POSITION_INDEPENDENT_CODE ON)
   install(

samples/apps/smallbank/smallbank.cmake

@@ -14,17 +14,27 @@ sign_app_library(
   ${CCF_DIR}/src/apps/sample_key.pem
 )
 
-if(${SERVICE_IDENTITY_CURVE_CHOICE} STREQUAL "secp256k1_bitcoin")
-  set(SMALL_BANK_SIGNED_VERIFICATION_FILE
-      ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_50k.json
+function(get_verification_file iterations output_var)
+  math(EXPR thousand_iterations "${iterations} / 1000")
+  set(proposed_name
+      ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_${thousand_iterations}k.json
   )
-  set(SMALL_BANK_SIGNED_ITERATIONS 50000)
-else()
-  set(SMALL_BANK_SIGNED_VERIFICATION_FILE
-      ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_2k.json
+  if(NOT EXISTS "${proposed_name}")
+    message(
+      FATAL_ERROR
+        "Could not find verification file for ${iterations} iterations (looking for ${proposed_name})"
+    )
+  endif()
+  set(${output_var}
+      ${proposed_name}
+      PARENT_SCOPE
   )
-  set(SMALL_BANK_SIGNED_ITERATIONS 2000)
-endif()
+endfunction()
+
+set(SMALL_BANK_SIGNED_ITERATIONS 50000)
+get_verification_file(
+  ${SMALL_BANK_SIGNED_ITERATIONS} SMALL_BANK_SIGNED_VERIFICATION_FILE
+)
 
 if(BUILD_TESTS)
   # Small Bank end to end and performance test
@@ -32,22 +42,14 @@ if(BUILD_TESTS)
 
     if(${CONSENSUS} STREQUAL pbft)
       if(NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
-        set(SMALL_BANK_VERIFICATION_FILE
-            ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_50k.json
-        )
         set(SMALL_BANK_ITERATIONS 50000)
       else()
-        set(SMALL_BANK_VERIFICATION_FILE
-            ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank_2k.json
-        )
         set(SMALL_BANK_ITERATIONS 2000)
       endif()
     else()
-      set(SMALL_BANK_VERIFICATION_FILE
-          ${CMAKE_CURRENT_LIST_DIR}/tests/verify_small_bank.json
-      )
       set(SMALL_BANK_ITERATIONS 200000)
     endif()
+    get_verification_file(${SMALL_BANK_ITERATIONS} SMALL_BANK_VERIFICATION_FILE)
 
     add_perf_test(
       NAME small_bank_client_test_${CONSENSUS}
@@ -103,4 +105,5 @@ if(BUILD_TESTS)
       --participants-curve
       "secp256k1"
   )
+
 endif()

sphinx/source/developers/cryptography.rst

@@ -44,8 +44,11 @@ Algorithms and Curves
 
 Authenticated encryption in CCF relies on AES256-GCM. Ledger authentication relies on Merkle trees using SHA2-256. These algorithms are provided by `project Everest <https://project-everest.github.io/>`_.
 
-Public-key certificates, signatures, and ephemeral Diffie-Hellman key exchanges all rely on
-elliptic curves. They can be configured to use one of the following implementations:
+Public-key certificates, signatures, and ephemeral Diffie-Hellman key exchanges all rely on elliptic curves. The supported curves are listed in `tls/curve.h`:
 
- * secp384r1 from `mbedTLS <https://tls.mbed.org/>`_.
- * secp256k1 from `bitcoin core <https://github.com/bitcoin-core/secp256k1>`_.
+    .. literalinclude:: ../../../src/tls/curve.h
+        :language: cpp
+        :start-after: SNIPPET_START: supported_curves
+        :end-before: SNIPPET_END: supported_curves
+
+The ``service_identity_curve_choice`` determines the curve used by CCF for the service and node identities. User and member certificates do not need to match this, and can be created on any supported curve.

sphinx/source/quickstart/build.rst

@@ -44,11 +44,9 @@ The full list of build switches can be obtained by running:
 * **BUILD_TESTS**: Boolean. Build all tests for CCF. Default to ON.
 * **BUILD_SMALLBANK**: Boolean. Build SmallBank performance benchmark. Default to OFF.
 * **CLIENT_MBEDTLS_PREFIX**: Path. Prefix to mbedtls install to be used by test clients. Default to ``/usr/local``.
-* **SERVICE_IDENTITY_CURVE_CHOICE**: String, one of ``secp384r1``, ``secp256k1_mbedtls``, ``secp256k1_bitcoin``. Elliptic curve to use for CCF network and node identities. Defaults to ``secp384r1``.
 * **NO_STRICT_TLS_CIPHERSUITES**: Boolean. Relax the list of accepted TLS ciphersuites. Default to OFF.
-* **OpenEnclave_DIR**: Path. Open Enclave install directory. Default to ``/opt/openenclave/lib/openenclave/cmake``.
 * **SAN**: Boolean. Build unit tests with Address and Undefined behaviour sanitizers enabled. Default to OFF.
-* **TARGET**: String, one of ``sgx``, ``virtual``, or ``sgx;virtual``. Defaults to ``sgx;virtual``, which builds both "virtual" enclaves and actual SGX enclaves.
+* **COMPILE_TARGETS**: String. List of target compilation platforms. Defaults to ``sgx;virtual``, which builds both "virtual" enclaves and actual SGX enclaves.
 * **VERBOSE_LOGGING**: Boolean. Enable all logging levels. Default to OFF.
 
 Running Tests

src/tls/curve.h

@@ -12,6 +12,7 @@
 
 namespace tls
 {
+  // SNIPPET_START: supported_curves
   enum class CurveImpl
   {
     secp384r1 = 1,
@@ -21,20 +22,9 @@ namespace tls
     secp256k1_mbedtls = 3,
     secp256k1_bitcoin = 4,
 
-#if SERVICE_IDENTITY_CURVE_CHOICE_SECP384R1
     service_identity_curve_choice = secp384r1,
-#elif SERVICE_IDENTITY_CURVE_CHOICE_ED25519
-    service_identity_curve_choice = ed25519,
-#elif SERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_MBEDTLS
-    service_identity_curve_choice = secp256k1_mbedtls,
-#elif SERVICE_IDENTITY_CURVE_CHOICE_SECP256K1_BITCOIN
-    service_identity_curve_choice = secp256k1_bitcoin,
-#else
-#  pragma message( \
-    "No service identity curve specified - defaulting to secp384r1")
-    service_identity_curve_choice = secp384r1,
-#endif
   };
+  // SNIPPET_END: supported_curves
 
   // 2 implementations of secp256k1 are available - mbedtls and bitcoin. Either
   // can be asked for explicitly via the CurveImpl enum. For cases where we