rune/libenclave/skeleton: Support PAL API v3

1. Support PAL API V3.
2. Support `rune attest` command.
3. Add skeleton_remote_attestation_with_rune.md.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

rune/libenclave/internal/runtime/pal/skeleton/Makefile

@@ -12,7 +12,7 @@ HOST_LDFLAGS := -fPIC -shared -Wl,-Bsymbolic
 IS_OOT_DRIVER := $(shell [ ! -e /dev/isgx ])
 IS_SGX_FLC := $(shell lscpu | grep -q sgx_lc)
 
-TEST_CUSTOM_PROGS := $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss $(OUTPUT)/liberpal-skeleton-v1.so $(OUTPUT)/liberpal-skeleton-v2.so $(OUTPUT)/signing_key.pem
+TEST_CUSTOM_PROGS := $(OUTPUT)/encl.bin $(OUTPUT)/encl.ss $(OUTPUT)/liberpal-skeleton-v1.so $(OUTPUT)/liberpal-skeleton-v2.so $(OUTPUT)/liberpal-skeleton-v3.so $(OUTPUT)/signing_key.pem
 
 ifeq ($(IS_OOT_DRIVER),1)
     TEST_CUSTOM_PROGS += $(OUTPUT)/encl.token
@@ -37,6 +37,12 @@ $(OUTPUT)/liberpal-skeleton-v2.o: liberpal-skeleton-v2.c liberpal-skeleton.c
 $(OUTPUT)/liberpal-skeleton.o: liberpal-skeleton.c
 	$(CC) $(HOST_CFLAGS) -c $< -o $@
 
+$(OUTPUT)/liberpal-skeleton-v3.so: $(OUTPUT)/sgx_call.o $(OUTPUT)/liberpal-skeleton-v3.o $(OUTPUT)/liberpal-skeleton.o
+	$(CC) $(HOST_LDFLAGS) -o $@ $^
+
+$(OUTPUT)/liberpal-skeleton-v3.o: liberpal-skeleton-v3.c liberpal-skeleton.c
+	$(CC) $(HOST_CFLAGS) -c $< -o $@
+
 $(OUTPUT)/sgx_call.o: sgx_call.S
 	$(CC) $(HOST_CFLAGS) -c $< -o $@
 

rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton-v3.c

+#include <stdio.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <linux/types.h>
+#include <sys/stat.h>
+#include "liberpal-skeleton.h"
+#include "sgx_call.h"
+#include "defines.h"
+
+int pal_get_version(void)
+{
+	return 3;
+}
+
+int pal_init(pal_attr_t *attr)
+{
+	return __pal_init(attr);
+}
+
+int pal_create_process(pal_create_process_args *args)
+{
+	return __pal_create_process(args);
+}
+
+int pal_exec(pal_exec_args *attr)
+{
+	return wait4child(attr);
+}
+
+int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len) {
+	return __pal_get_local_report(targetinfo, targetinfo_len, report, report_len);
+}
+
+int pal_kill(int pid, int sig)
+{
+	return __pal_kill(pid, sig);
+}
+
+int pal_destroy(void)
+{
+	return __pal_destory();
+}

rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c

@@ -39,6 +39,7 @@ static int exit_code;
 static char *sgx_dev_path;
 static bool no_sgx_flc = false;
 static bool enclave_debug = true;
+static int wait_timeout;
 bool debugging = false;
 bool is_oot_driver;
 /*
@@ -471,6 +472,15 @@ int __pal_exec(char *path, char *argv[], pal_stdio_fds *stdio, int *exit_code)
 		return -1;
 	}
 
+	for (int i = 0; argv[i]; i++) {
+		if (!strcmp(argv[i], "wait_timeout") && argv[i+1]) {
+			wait_timeout = atoi(argv[i+1]);
+			if (wait_timeout > 0)
+				sleep(wait_timeout);
+			break;
+		}
+	}
+
 	fprintf(fp, "Enclave runtime skeleton initialization succeeded\n");
 	fclose(fp);
 
@@ -545,6 +555,42 @@ int wait4child(pal_exec_args *attr)
 	return 0;
 }
 
+int __pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len)
+{
+	uint8_t report_data[64] = { 0, };
+	struct sgx_report report_align;
+	int ret;
+
+	if (!initialized) {
+		fprintf(stderr, "Enclave runtime skeleton uninitialized yet!\n");
+		return -1;
+	}
+
+	if (targetinfo == NULL || targetinfo_len != sizeof(struct sgx_target_info)) {
+		fprintf(stderr, "Input parameter targetinfo is NULL or targentinfo_len != sizeof(struct sgx_target_info)!\n");
+		return -1;
+	}
+
+	if (report == NULL || report_len == NULL || *report_len < SGX_REPORT_SIZE) {
+		fprintf(stderr, "Input parameter report is NULL or report_len is not enough!\n");
+		return -1;
+	}
+
+	ret = SGX_ENTER_3_ARGS(ECALL_REPORT, (void *)secs.base, targetinfo,
+						report_data, &report_align);
+	if (ret) {
+		fprintf(stderr, "failed to get report\n");
+		return ret;
+	}
+
+	memcpy(report, &report_align, SGX_REPORT_SIZE);
+	if (debugging) {
+		fprintf(stdout, "succeed to get local report\n");
+	}
+
+	return 0;
+}
+
 int __pal_kill(int pid, int sig)
 {
 	if (!initialized) {

rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.h

@@ -32,6 +32,7 @@ int __pal_init(pal_attr_t *attr);
 int __pal_exec(char *path, char *argv[], pal_stdio_fds *stdio, int *exit_code);
 int __pal_create_process(pal_create_process_args *args);
 int wait4child(pal_exec_args *attr);
+int __pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len);
 int __pal_kill(int pid, int sig);
 int __pal_destory(void);
 

rune/libenclave/internal/runtime/pal/skeleton/skeleton_remote_attestation_with_rune.md

+# Introduction
+This guide will guide you how to use remote attestation based on SGX in skeleton with rune.
+
+# Before you start
+- Build a skeleton bundle according to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md) from scratch.
+- Build rune according to [this guide](https://github.com/alibaba/inclavare-containers#rune).
+- Register a `SPID` and `Subscription Key` of [IAS](https://api.portal.trustedservices.intel.com/EPID-attestation). After the registration, Intel will respond with a SPID which is needed to communicate with IAS.
+
+# Run skeleton bundle with `rune`
+Before using `rune attest` command, you must ensure your skeleton container/bundles(such as skeleton-enclave-container) running by setting `"wait_timeout","100"` of `process.args` in config.json, just like
+```json
+"process": {
+	"args": [
+		"${YOUR_PROGRAM}","wait_timeout","100"
+	],
+}
+```
+
+Then you can run your skeleton containers by typing the following commands:
+
+```shell
+cd "$HOME/rune_workdir/rune-container"
+
+# copy /etc/resolv.conf from host to bundles to ensure network is ready for the remote attestation of IAS.
+cp /etc/resolv.conf rootfs/etc/resolv.conf
+
+sudo rune run skeleton-enclave-container
+```
+
+# Use `rune attest` command with skeleton
+You can type the following command to use `rune attest` command with skeleton in another shell:
+
+```shell
+rune attest --product=false \
+		--linkable=false \
+		--spid=${EPID_SPID} \
+		--subscription-key=${EPID_SUBSCRIPTION_KEY} \
+		skeleton-enclave-container
+```
+
+where:
+- @product: specify the type of enclave is in product mode or debug mode.
+- @linkable: specify the type of `EPID` is `linkable` or `unlinkable`.
+- @spid: specify the `SPID`.
+- @subscription-key: specify the `Subscription Key`.