rune/libenclave/skeleton: Add support for product enclave

sgxsign now supports --product option to enable product enclave build and launch.
Signed-off-by: NShirong Hao <shirong@linux.alibaba.com>

rune/libenclave/internal/runtime/pal/skeleton/Makefile

@@ -46,6 +46,7 @@ $(OUTPUT)/encl.bin: $(OUTPUT)/encl.elf $(OUTPUT)/sgxsign
 $(OUTPUT)/encl.elf: encl.lds encl.c encl_bootstrap.S
 	$(CC) $(ENCL_CFLAGS) -T $^ -o $@
 
+# If you want to sign a production encalve, you need add '-p' args in sgxsign. In addition, for Intel SGX1 without FLC, please replace signing_key with the product signature key applied to Intel.
 $(OUTPUT)/signing_key.pem:
 	openssl genrsa -3 -out $@ 3072
 

rune/libenclave/internal/runtime/pal/skeleton/liberpal-skeleton.c

@@ -37,6 +37,7 @@ static bool initialized = false;
 static char *sgx_dev_path;
 static bool no_sgx_flc = false;
 static bool fork_test = false;
+static bool enclave_debug = true;
 bool is_oot_driver;
 /*
  * For SGX in-tree driver, dev_fd cannot be closed until an enclave instance
@@ -113,7 +114,9 @@ static bool encl_create(int dev_fd, unsigned long bin_size,
 
 	memset(secs, 0, sizeof(*secs));
 	secs->ssa_frame_size = 1;
-	secs->attributes = SGX_ATTR_MODE64BIT | SGX_ATTR_DEBUG;
+	secs->attributes = SGX_ATTR_MODE64BIT;
+	if (enclave_debug)
+		secs->attributes |= SGX_ATTR_DEBUG;
 	secs->xfrm = 7;
 
 	for (secs->size = PAGE_SIZE; secs->size < bin_size; )
@@ -210,6 +213,9 @@ static bool encl_build(struct sgx_secs *secs, void *bin, unsigned long bin_size,
 		return false;
 	}
 
+	if (!(sigstruct->body.attributes & SGX_ATTR_DEBUG))
+		enclave_debug = false;
+
 	if (!encl_create(dev_fd, bin_size, secs))
 		goto out_dev_fd;
 

rune/libenclave/internal/runtime/pal/skeleton/sgxsign.c

@@ -426,28 +426,18 @@ int main(int argc, char **argv)
 	const char *program;
 	int opt;
 	RSA *sign_key;
-
-	memset(&ss, 0, sizeof(ss));
-	ss.header.header1[0] = header1[0];
-	ss.header.header1[1] = header1[1];
-	ss.header.header2[0] = header2[0];
-	ss.header.header2[1] = header2[1];
-	ss.exponent = 3;
-
-#ifndef CONFIG_EINITTOKENKEY
-	ss.body.attributes = SGX_ATTR_MODE64BIT;
-#else
-	ss.body.attributes = SGX_ATTR_MODE64BIT | SGX_ATTR_EINITTOKENKEY;
-#endif
-	ss.body.attributes |= SGX_ATTR_DEBUG;
-	ss.body.xfrm = 7;
-	ss.body.attributes_mask = ss.body.attributes;
+	bool enclave_debug = true;
+	char* const short_options = "p";
+	struct option long_options = {"product", 0, NULL, 'p'};
 
 	program = argv[0];
 
 	do {
-		opt = getopt(argc, argv, "");
+		opt = getopt_long(argc, argv, short_options, &long_options, NULL);
 		switch (opt) {
+		case 'p':
+			enclave_debug = false;
+			break;
 		case -1:
 			break;
 		default:
@@ -461,6 +451,23 @@ int main(int argc, char **argv)
 	if (argc < 3)
 		exit_usage(program);
 
+        memset(&ss, 0, sizeof(ss));
+        ss.header.header1[0] = header1[0];
+        ss.header.header1[1] = header1[1];
+        ss.header.header2[0] = header2[0];
+        ss.header.header2[1] = header2[1];
+        ss.exponent = 3;
+
+#ifndef CONFIG_EINITTOKENKEY
+        ss.body.attributes = SGX_ATTR_MODE64BIT;
+#else
+        ss.body.attributes = SGX_ATTR_MODE64BIT | SGX_ATTR_EINITTOKENKEY;
+#endif
+	if (enclave_debug)
+		ss.body.attributes |= SGX_ATTR_DEBUG;
+	ss.body.xfrm = 7;
+	ss.body.attributes_mask = ss.body.attributes;
+
 	/* sanity check only */
 	if (check_crypto_errors())
 		exit(1);