diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1064e013..89e36a79 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,11 +1,15 @@ version: 2 updates: -- package-ecosystem: cargo - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 -- package-ecosystem: github-actions - directory: "/" - schedule: - interval: weekly + - package-ecosystem: cargo + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 10 + cooldown: + default-days: 7 + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly + cooldown: + default-days: 7 diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml index 60b9be28..943e2818 100644 --- a/.github/workflows/build-docker-images.yml +++ b/.github/workflows/build-docker-images.yml @@ -14,16 +14,24 @@ on: - "intel-sgx/ppid-retrieval-tool/**" - ".github/workflows/**" -jobs: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true - build: +permissions: {} +jobs: + build: + name: Build Docker Image runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Checkout Repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Build the Docker image run: | cd intel-sgx/ppid-retrieval-tool/Docker ./build.sh - diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8f177fe4..99c29a21 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
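Review bot: The pinned checkout `actions/checkout@de0fac2e…` is annotated only with the floating `# v6` comment, so a reader cannot tell which release the hash corresponds to without looking it up; pin comments should name the exact tag (`# v6.x.y`, whichever release that SHA actually is — I cannot verify it from here) so the hash can be audited against the tag and Dependabot's github-actions updater can bump both together. The same comment style is used for every pin in this commit. Otherwise the hardening in this hunk — top-level `permissions: {}`, `persist-credentials: false`, and a concurrency group — is sound for a build-only job. The workflow's `on:` trigger types are outside the hunk, so I cannot confirm whether it runs on `pull_request` from forks; with an empty permission set that is harmless anyway.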
@@ -7,7 +7,13 @@ on: # This CI will be triggered on any merge_group events merge_group: schedule: - - cron: "0 6 * * *" # Run CI Daily few hours after UTC midnight, so we can track changes from nightly rust & Intel PCS + - cron: "0 6 * * *" # Run CI Daily few hours after UTC midnight, so we can track changes from nightly rust & Intel PCS + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} env: RUST_BACKTRACE: 1 
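Review bot: The new concurrency group collapses the scheduled run and pushes to the default branch into the same key: on a `schedule` event `github.event.pull_request.number` is empty and `github.ref` is the default branch, so with `cancel-in-progress: true` a push to that branch cancels an in-flight nightly run (or vice versa). The cron run exists specifically to track nightly Rust and Intel PCS changes, per the comment on the line above, so a cancelled run silently drops that signal. Keying the group on the event name as well avoids it: `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}`. The other workflows use the same group expression, but this is the only one with a `schedule` trigger in view.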
@@ -28,99 +34,102 @@ jobs: CMAKE_POLICY_VERSION_MINIMUM: 3.5 steps: - - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - - name: Conditionally export PCS_API_KEY and PCCS_URL - run: | - if [ -n "${{ secrets.PCS_API_KEY }}" ]; then - echo "PCS_API_KEY=${{ secrets.PCS_API_KEY }}" >> $GITHUB_ENV - fi - if [ -n "${{ vars.PCCS_URL }}" ]; then - echo "PCCS_URL=${{ vars.PCCS_URL }}" >> $GITHUB_ENV - fi + - name: Conditionally export PCS_API_KEY and PCCS_URL + run: | + if [ -n "${{ secrets.PCS_API_KEY }}" ]; then + echo "PCS_API_KEY=${{ secrets.PCS_API_KEY }}" >> "$GITHUB_ENV" + fi + if [ -n "${{ vars.PCCS_URL }}" ]; then + echo "PCCS_URL=${{ vars.PCCS_URL }}" >> "$GITHUB_ENV" + fi - - name: Install build dependencies - run: sudo ./install_build_deps.sh + - name: Install build dependencies + run: sudo ./install_build_deps.sh - - name: Setup Rust toolchain - run: | - rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl - rustup toolchain add nightly - rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly - rustup update + - name: Setup Rust toolchain + run: | + rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl + rustup toolchain add nightly + rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly + rustup update - - name: Cargo test --all --exclude sgxs-loaders - run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ] + - name: Cargo test --all --exclude sgxs-loaders + run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ] - - name: Nightly test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run - 
run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run + - name: Nightly test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run + run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run - - name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run - run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run + - name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run + run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run - - name: Cargo test -p dcap-artifact-retrieval --features rustls-tls - run: cargo test --verbose --locked -p dcap-artifact-retrieval --features rustls-tls + - name: Cargo test -p dcap-artifact-retrieval --features rustls-tls + run: cargo test --verbose --locked -p dcap-artifact-retrieval --features rustls-tls - - name: Cargo test -p dcap-ql --features link - run: cargo test --verbose --locked -p dcap-ql --features link + - name: Cargo test -p dcap-ql --features link + run: cargo test --verbose --locked -p dcap-ql --features link - - name: Cargo test -p dcap-ql --features verify - run: cargo test --verbose --locked -p dcap-ql --features verify + - name: Cargo test -p dcap-ql --features verify + run: cargo test --verbose --locked -p dcap-ql --features verify - - name: Cargo test -p ias --features mbedtls - run: cargo test --verbose --locked -p ias --features mbedtls + - name: Cargo test -p ias --features mbedtls + run: cargo test --verbose --locked -p ias --features mbedtls - - name: Cargo test -p ias --features client,mbedtls - run: cargo test --verbose --locked -p ias --features client,mbedtls + - name: Cargo test -p ias --features client,mbedtls + run: 
cargo test --verbose --locked -p ias --features client,mbedtls - # uses backtrace, which still requires nightly on SGX - - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx - run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx + # uses backtrace, which still requires nightly on SGX + - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx + run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx - # uses sgxstd feature - - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd - run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd + # uses sgxstd feature + - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd + run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd - - name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run - run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run + - name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run + run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run - - name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx - run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run + - name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx + run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run - - name: Nightly test -p pcs --features verify - run: cargo +nightly test --verbose --locked -p pcs --features verify + - name: Nightly test -p pcs --features verify + run: cargo +nightly test 
--verbose --locked -p pcs --features verify - # Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a segmentation - # fault while compiling. We only execute `faketime` during the tests - #- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib + # Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a segmentation + # fault while compiling. We only execute `faketime` during the tests + #- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib - - name: Cargo test nitro-attestation-verify with faketime - run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib + - name: Cargo test nitro-attestation-verify with faketime + run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib - - name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl - # NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary. It is unlikely that this would produce a working binary anyway. - run: | - mkdir -p /tmp/muslinclude - ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl - PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl + - name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl + # NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary. It is unlikely that this would produce a working binary anyway. 
+ run: | + mkdir -p /tmp/muslinclude + ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl + PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl - - name: Build em-app, get-certificate for x86_64-unknown-linux-musl - run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl + - name: Build em-app, get-certificate for x86_64-unknown-linux-musl + run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl - - name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx - run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx + - name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx + run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx - - name: insecure-time test - run: cargo +nightly test -p insecure-time --features estimate_crystal_clock_freq + - name: insecure-time test + run: cargo +nightly test -p insecure-time --features estimate_crystal_clock_freq - - name: insecure-time build for SGX platform - run: cargo +nightly build -p insecure-time --features estimate_crystal_clock_freq --target x86_64-fortanix-unknown-sgx + - name: insecure-time build for SGX platform + run: cargo +nightly build -p insecure-time --features estimate_crystal_clock_freq --target x86_64-fortanix-unknown-sgx - - name: Generate API docs - run: ./doc/generate-api-docs.sh + - name: Generate API docs + run: ./doc/generate-api-docs.sh - - name: Run memory allocator stress test - run: cd ./examples/mem-alloc-test && cargo run + - name: Run memory allocator stress test + run: cd ./examples/mem-alloc-test && cargo run - - name: snmalloc correntness test - run: cd ./examples/mem-correctness-test && cargo run + - name: snmalloc correctness test + run: cd 
./examples/mem-correctness-test && cargo run diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 67270446..4ab1b796 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
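Review bot: The `Conditionally export PCS_API_KEY and PCCS_URL` step still splices `${{ secrets.PCS_API_KEY }}` and `${{ vars.PCCS_URL }}` directly into the `run:` script text; the commit only quoted `$GITHUB_ENV`. Expression interpolation into a script is the pattern that enables script injection when the value is attacker-influenced, and even for values only admins control it means the secret becomes part of the rendered command rather than an environment variable, and a value containing a newline breaks the `KEY=VALUE` line written to `$GITHUB_ENV`. Pass both through the step's `env:` block and reference them as shell variables, as below. Separately, writing the key to `$GITHUB_ENV` exposes it to every later step in the job (all the `cargo`/`rustup` invocations, `./doc/generate-api-docs.sh`, the example runs); if only the PCS-related tests need it, a per-step `env:` on those steps would be tighter. The job header (`runs-on`, job-level `env`) starts above the hunk.
```yaml
      - name: Conditionally export PCS_API_KEY and PCCS_URL
        env:
          PCS_API_KEY: ${{ secrets.PCS_API_KEY }}
          PCCS_URL: ${{ vars.PCCS_URL }}
        run: |
          if [ -n "$PCS_API_KEY" ]; then
            echo "PCS_API_KEY=$PCS_API_KEY" >> "$GITHUB_ENV"
          fi
          if [ -n "$PCCS_URL" ]; then
            echo "PCCS_URL=$PCCS_URL" >> "$GITHUB_ENV"
          fi
      # … unchanged: install deps, toolchain setup, cargo test/build steps …
```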
@@ -6,34 +6,40 @@ name: Create GitHub release and publish crate to crates.io on: push: tags: - - 'em-app_v[0-9]+.[0-9]+.[0-9]+' - - 'aesm-client_v[0-9]+.[0-9]+.[0-9]+' - - 'async-usercalls_v[0-9]+.[0-9]+.[0-9]+' - - 'confidential-vm-blobs_v[0-9]+.[0-9]+.[0-9]+' - - 'dcap-artifact-retrieval_v[0-9]+.[0-9]+.[0-9]+' - - 'dcap-provider_v[0-9]+.[0-9]+.[0-9]+' - - 'dcap-ql-sys_v[0-9]+.[0-9]+.[0-9]+' - - 'dcap-ql_v[0-9]+.[0-9]+.[0-9]+' - - 'dcap-retrieve-pckid_v[0-9]+.[0-9]+.[0-9]+' - - 'enclave-runner_v[0-9]+.[0-9]+.[0-9]+' - - 'enclave-runner-sgx_v[0-9]+.[0-9]+.[0-9]+' - - 'fortanix-sgx-abi_v[0-9]+.[0-9]+.[0-9]+' - - 'fortanix-sgx-tools_v[0-9]+.[0-9]+.[0-9]+' - - 'fortanix-vme-eif_v[0-9]+.[0-9]+.[0-9]+' - - 'fortanix-vme-initramfs_v[0-9]+.[0-9]+.[0-9]+' - - 'fortanix-vme-runner_v[0-9]+.[0-9]+.[0-9]+' - - 'ias_v[0-9]+.[0-9]+.[0-9]+' - - 'insecure-time_v[0-9]+.[0-9]+.[0-9]+' - - 'pcs_v[0-9]+.[0-9]+.[0-9]+' - - 'report-test_v[0-9]+.[0-9]+.[0-9]+' - - 'sgx_pkix_v[0-9]+.[0-9]+.[0-9]+' - - 'sgx-isa_v[0-9]+.[0-9]+.[0-9]+' - - 'sgxs-loaders_v[0-9]+.[0-9]+.[0-9]+' - - 'sgxs-tools_v[0-9]+.[0-9]+.[0-9]+' - - 'sgxs_v[0-9]+.[0-9]+.[0-9]+' - - 'ipc-queue_v[0-9]+.[0-9]+.[0-9]+' - - 'rs-libc_v[0-9]+.[0-9]+.[0-9]+' - - 'tdx-ql_v[0-9]+.[0-9]+.[0-9]+' + - "em-app_v[0-9]+.[0-9]+.[0-9]+" + - "aesm-client_v[0-9]+.[0-9]+.[0-9]+" + - "async-usercalls_v[0-9]+.[0-9]+.[0-9]+" + - "confidential-vm-blobs_v[0-9]+.[0-9]+.[0-9]+" + - "dcap-artifact-retrieval_v[0-9]+.[0-9]+.[0-9]+" + - "dcap-provider_v[0-9]+.[0-9]+.[0-9]+" + - "dcap-ql-sys_v[0-9]+.[0-9]+.[0-9]+" + - "dcap-ql_v[0-9]+.[0-9]+.[0-9]+" + - "dcap-retrieve-pckid_v[0-9]+.[0-9]+.[0-9]+" + - "enclave-runner_v[0-9]+.[0-9]+.[0-9]+" + - "enclave-runner-sgx_v[0-9]+.[0-9]+.[0-9]+" + - "fortanix-sgx-abi_v[0-9]+.[0-9]+.[0-9]+" + - "fortanix-sgx-tools_v[0-9]+.[0-9]+.[0-9]+" + - "fortanix-vme-eif_v[0-9]+.[0-9]+.[0-9]+" + - "fortanix-vme-initramfs_v[0-9]+.[0-9]+.[0-9]+" + - "fortanix-vme-runner_v[0-9]+.[0-9]+.[0-9]+" + - "ias_v[0-9]+.[0-9]+.[0-9]+" + - 
"insecure-time_v[0-9]+.[0-9]+.[0-9]+" + - "pcs_v[0-9]+.[0-9]+.[0-9]+" + - "report-test_v[0-9]+.[0-9]+.[0-9]+" + - "sgx_pkix_v[0-9]+.[0-9]+.[0-9]+" + - "sgx-isa_v[0-9]+.[0-9]+.[0-9]+" + - "sgxs-loaders_v[0-9]+.[0-9]+.[0-9]+" + - "sgxs-tools_v[0-9]+.[0-9]+.[0-9]+" + - "sgxs_v[0-9]+.[0-9]+.[0-9]+" + - "ipc-queue_v[0-9]+.[0-9]+.[0-9]+" + - "rs-libc_v[0-9]+.[0-9]+.[0-9]+" + - "tdx-ql_v[0-9]+.[0-9]+.[0-9]+" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} env: RUST_BACKTRACE: 1 @@ -53,23 +59,24 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install build dependencies run: sudo ./install_build_deps.sh - - name: Get name of crate to be published run: | # Extract the crate name from the GITHUB_REF_NAME environment variable # GITHUB_REF_NAME contains the Tag name (e.g. rs-lic_v0.2.4) associated with the event export CRATE_NAME=$(python3 -c "print('$GITHUB_REF_NAME'.rsplit('_v', 1)[0])") - echo "CRATE_NAME=$CRATE_NAME" >> $GITHUB_ENV + echo "CRATE_NAME=$CRATE_NAME" >> "$GITHUB_ENV" - name: Set per-crate config (toolchain/target) run: | source ./crate-publish-config.sh "$CRATE_NAME" - echo "CARGO_BUILD_TARGET=$CARGO_BUILD_TARGET" >> $GITHUB_ENV + echo "CARGO_BUILD_TARGET=$CARGO_BUILD_TARGET" >> "$GITHUB_ENV" - name: Update Rust toolchain run: rustup update @@ -86,10 +93,14 @@ jobs: needs: publish environment: "Publish to crates.io" runs-on: ubuntu-24.04 + permissions: + contents: write # Needed to publish Github releases steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Install build dependencies run: ./install_build_deps.sh 
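Review bot: `cancel-in-progress: true` is a poor fit for this workflow: the `release` job runs only after `publish` (`needs: publish`), so a run cancelled between the two — for instance because the same tag was deleted and re-pushed, which yields the same `github.ref` group key — can leave the crate already on crates.io with no matching GitHub release, and a crates.io version cannot be re-published once it exists. For a release pipeline the safer setting is `cancel-in-progress: false`, so a second run for the same tag queues behind the first instead of aborting it. The rest of the hunk (quoted tag globs, top-level `permissions: {}`) is fine, and the job-level `contents: write` on `release` is the right scope for publishing a GitHub release.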
@@ -102,10 +113,10 @@ jobs: # Extract the crate name from the GITHUB_REF_NAME environment variable # GITHUB_REF_NAME contains the Tag name (e.g. rs-lic_v0.2.4) associated with the event export CRATE_NAME=$(python3 -c "print('$GITHUB_REF_NAME'.rsplit('_v', 1)[0])") - echo "CRATE_NAME=$CRATE_NAME" >> $GITHUB_ENV + echo "CRATE_NAME=$CRATE_NAME" >> "$GITHUB_ENV" - name: Build artifacts for GitHub Release - run: ./build-release-artifacts.py --target x86_64-unknown-linux-gnu --package $CRATE_NAME + run: ./build-release-artifacts.py --target x86_64-unknown-linux-gnu --package "$CRATE_NAME" - name: Publish GitHub Release using GitHub CLI env:
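Review bot: `export CRATE_NAME=$(python3 -c "print('$GITHUB_REF_NAME'.rsplit('_v', 1)[0])")` builds Python source from the ref name inside a shell double-quoted string; the tag globs under `on.push.tags` constrain what can reach this step, but shell parameter expansion does the same job without turning data into code: `CRATE_NAME="${GITHUB_REF_NAME%_v*}"` strips from the last `_v`, exactly what `rsplit('_v', 1)[0]` does, and the `export` is unnecessary because the value is only consumed through `$GITHUB_ENV`. The identical step in the `publish` job should change the same way, or better, compute the name once there and hand it to this job as a job output rather than duplicating the logic. The comment's example tag `rs-lic_v0.2.4` matches none of the trigger globs (the list has `rs-libc_v…`), so it is probably a typo. The `Publish GitHub Release` step's `env:` block continues past the end of the hunk.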