diff --git a/deploy/scripts/sgx/enclave_env.sh b/deploy/scripts/sgx/enclave_env.sh index 45e270e7e..8be67f851 100755 --- a/deploy/scripts/sgx/enclave_env.sh +++ b/deploy/scripts/sgx/enclave_env.sh @@ -15,11 +15,46 @@ # limitations under the License. EXEC_DIR=/app/exec_dir +SGX_CONFIG_PATH="$GRPC_PATH/examples/dynamic_config.json" +TEMPLATE_PATH="/gramine/CI-Examples/generate-token/python.manifest.template" + +# 更新sgx的认证策略 +update_sgx_dynamic_config() { + local mr_enclave="$1" + local mr_signer="$2" + local isv_prod_id="$3" + local isv_svn="$4" + local json_data=$(cat "$SGX_CONFIG_PATH") + + # 创建json体 + local new_mrs=$(jq -n --arg mr_enclave "$mr_enclave" \ + --arg mr_signer "$mr_signer" \ + --arg isv_prod_id "$isv_prod_id" \ + --arg isv_svn "$isv_svn" \ + '{ + mr_enclave: $mr_enclave, + mr_signer: $mr_signer, + isv_prod_id: $isv_prod_id, + isv_svn: $isv_svn + }') + + # 检查sgx_mrs数组中是否存在相同的条目 + local exists=$(echo "$json_data" | jq --argjson check_mrs "$new_mrs" \ + '.sgx_mrs[] | select(.mr_enclave == $check_mrs.mr_enclave and .mr_signer == $check_mrs.mr_signer and .isv_prod_id == $check_mrs.isv_prod_id and .isv_svn == $check_mrs.isv_svn) | . != null') + + # 不重复添加 + if [[ -z "$exists" ]]; then + json_data=$(echo "$json_data" | jq --argjson new_mrs "$new_mrs" '.sgx_mrs += [$new_mrs]') + echo "$json_data" > "$SGX_CONFIG_PATH" + fi +} +# 从sig中获取度量值hex function get_env() { gramine-sgx-get-token -s python.sig -o /dev/null | grep $1 | awk -F ":" '{print $2}' | xargs } +# 设置自定义环境 function make_custom_env() { cd $EXEC_DIR 
@@ -44,10 +79,6 @@ function make_custom_env() { export JAVA_HOME=/opt/tiger/jdk/openjdk-1.8.0_265 export LD_LIBRARY_PATH=${HADOOP_HOME}/lib/native:${JAVA_HOME}/jre/lib/amd64/server:${LD_LIBRARY_PATH} export CLASSPATH=.:$CLASSPATH:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$($HADOOP_HOME/bin/hadoop classpath --glob) - export MR_ENCLAVE=`get_env mr_enclave` - export MR_SIGNER=`get_env mr_signer` - export ISV_PROD_ID=`get_env isv_prod_id` - export ISV_SVN=`get_env isv_svn` export RA_TLS_ALLOW_OUTDATED_TCB_INSECURE=1 if [ -z "$PEER_MR_SIGNER" ]; then @@ -58,19 +89,16 @@ function make_custom_env() { export PEER_MR_ENCLAVE=`get_env mr_enclave` fi - # network proxy - unset http_proxy https_proxy - # need meituan's - jq --arg mr_enclave "$PEER_MR_ENCLAVE" --arg mr_signer "$PEER_MR_SIGNER" \ - '.sgx_mrs[0].mr_enclave = $mr_enclave | .sgx_mrs[0].mr_signer = $mr_signer' \ - $GRPC_PATH/examples/dynamic_config.json > $EXEC_DIR/dynamic_config.json - + update_sgx_dynamic_config $PEER_MR_ENCLAVE $PEER_MR_SIGNER 0 0 + cp $SGX_CONFIG_PATH $EXEC_DIR cd - } +# 生成enclave和token function generate_token() { cd /gramine/CI-Examples/generate-token/ ./generate.sh + update_sgx_dynamic_config `get_env mr_enclave` `get_env mr_signer` 0 0 mkdir -p $EXEC_DIR cp /app/sgx/gramine/CI-Examples/tensorflow_io.py $EXEC_DIR cp python.sig $EXEC_DIR 
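Review bot: update_sgx_dynamic_config only ever appends to `.sgx_mrs` and writes the result back into the shared file at `$SGX_CONFIG_PATH`, so the set of accepted peer measurements grows with every invocation on the same filesystem and a measurement from an earlier build stays accepted after the enclave is rebuilt with a different size. If the intent is "the current ps plus the current worker/master", reset the list once at the start of build_enclave_all (e.g. `jq '.sgx_mrs = []' "$SGX_CONFIG_PATH" > "$SGX_CONFIG_PATH.tmp" && mv "$SGX_CONFIG_PATH.tmp" "$SGX_CONFIG_PATH"`) and state the append-only behaviour in the function's header comment. The function also accepts an empty `mr_enclave`/`mr_signer` and records an entry of empty strings; `[[ -n "$mr_enclave" && -n "$mr_signer" ]] || return 1` before the jq calls would surface a failed get_env instead of persisting it. make_custom_env continues past the hunk.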
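Review bot: the new call `update_sgx_dynamic_config $PEER_MR_ENCLAVE $PEER_MR_SIGNER 0 0` passes its arguments unquoted, so if PEER_MR_ENCLAVE is empty (get_env printing nothing) the positional parameters shift and the signer hash lands in mr_enclave with `0` as mr_signer — a malformed entry that never matches, with the real peer rejected and no clear error. Quote them: `update_sgx_dynamic_config "$PEER_MR_ENCLAVE" "$PEER_MR_SIGNER" 0 0`, and likewise in generate_token, `update_sgx_dynamic_config "$(get_env mr_enclave)" "$(get_env mr_signer)" 0 0`. isv_prod_id/isv_svn are hard-coded to 0 while dynamic_config.json keeps verify_isv_prod_id/verify_isv_svn "on", which only holds while every enclave is signed with those values; a one-line comment saying so would help the next person who signs with a different product id. make_custom_env starts outside the hunk.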
@@ -80,6 +108,57 @@ function generate_token() { cd - } +# 根据enclave_size调整enclave +function build_enclave(){ + local enclave_size="$1" + local need_clean="$2" + sed -i "/sgx.enclave_size/ s/\"[^\"]*\"/\"$enclave_size\"/" "$TEMPLATE_PATH" + if [ $? -eq 0 ]; then + echo "Enclave size changed to $enclave_size in $TEMPLATE_PATH" + else + echo "Failed to change enclave size in $TEMPLATE_PATH" + fi + generate_token + if [ -n "$need_clean" ]; then + rm -rf $EXEC_DIR + fi +} + +function build_enclave_all(){ + local enclave_size="8G" + if [ -n "$1" ] && [ $1 == "ps" ]; then + # build worker/master + if [ -n "$GRAMINE_ENCLAVE_SIZE" ]; then + enclave_size=$GRAMINE_ENCLAVE_SIZE + fi + build_enclave $enclave_size 1 + + # build ps + if [ -n "$COSTOM_PS_SIZE" ]; then + enclave_size=$COSTOM_PS_SIZE + else + enclave_size="16G" + fi + build_enclave $enclave_size + else + # build ps + if [ -n "$COSTOM_PS_SIZE" ]; then + enclave_size=$COSTOM_PS_SIZE + else + enclave_size="16G" + fi + build_enclave $enclave_size 1 + + # build worker/master + if [ -n "$GRAMINE_ENCLAVE_SIZE" ]; then + enclave_size=$GRAMINE_ENCLAVE_SIZE + else + enclave_size="8G" + fi + build_enclave $enclave_size + fi +} + if [ -n "$PCCS_IP" ]; then sed -i "s|PCCS_URL=https://[^ ]*|PCCS_URL=https://pccs_url:8081/sgx/certification/v3/|" /etc/sgx_default_qcnl.conf echo >> /etc/hosts @@ -87,8 +166,8 @@ if [ -n "$PCCS_IP" ]; then elif [ -n "$PCCS_URL" ]; then sed -i "s|PCCS_URL=[^ ]*|PCCS_URL=$PCCS_URL|" /etc/sgx_default_qcnl.conf fi +sed -i 's/USE_SECURE_CERT=TRUE/USE_SECURE_CERT=FALSE/' /etc/sgx_default_qcnl.conf -TEMPLATE_PATH="/gramine/CI-Examples/generate-token/python.manifest.template" if [ -n "$GRAMINE_LOG_LEVEL" ]; then sed -i "/loader.log_level/ s/\"[^\"]*\"/\"$GRAMINE_LOG_LEVEL\"/" "$TEMPLATE_PATH" if [ $? -eq 0 ]; then 
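Review bot: in build_enclave, `if [ $? -eq 0 ]` after `sed -i` only tells you that sed ran, not that `sgx.enclave_size` was matched and rewritten, so "Enclave size changed" can be printed while the template is untouched (the same pattern is used by the other sed edits in this script). A cheap verification is `grep -q "sgx.enclave_size = \"$enclave_size\"" "$TEMPLATE_PATH" || echo "Failed to change enclave size in $TEMPLATE_PATH"`. In build_enclave_all, `[ $1 == "ps" ]` should be `[ "$1" = "ps" ]` so an argument with spaces does not break the test, and the new variable COSTOM_PS_SIZE is presumably meant to be CUSTOM_PS_SIZE — cheaper to fix before it is documented. The two branches differ only in build order and which build gets the clean flag, presumably so that EXEC_DIR ends up holding the role's own token; a comment stating that would make the intent clear.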
@@ -98,15 +177,6 @@ if [ -n "$GRAMINE_LOG_LEVEL" ]; then fi fi -if [ -n "$GRAMINE_ENCLAVE_SIZE" ]; then - sed -i "/sgx.enclave_size/ s/\"[^\"]*\"/\"$GRAMINE_ENCLAVE_SIZE\"/" "$TEMPLATE_PATH" - if [ $? -eq 0 ]; then - echo "Enclave size changed to $GRAMINE_ENCLAVE_SIZE in $TEMPLATE_PATH" - else - echo "Failed to change enclave size in $TEMPLATE_PATH" - fi -fi - if [ -n "$GRAMINE_THREAD_NUM" ]; then sed -i "s/sgx.thread_num = [0-9]\+/sgx.thread_num = $GRAMINE_THREAD_NUM/" "$TEMPLATE_PATH" if [ $? -eq 0 ]; then @@ -125,7 +195,5 @@ if [ -n "$GRAMINE_STACK_SIZE" ]; then fi fi -sed -i 's/USE_SECURE_CERT=TRUE/USE_SECURE_CERT=FALSE/' /etc/sgx_default_qcnl.conf mkdir -p /data - -generate_token \ No newline at end of file +build_enclave_all $1 \ No newline at end of file diff --git a/deploy/scripts/sgx/run_trainer_master_sgx.sh b/deploy/scripts/sgx/run_trainer_master_sgx.sh index 7a3fbc40f..41f74b29a 100755 --- a/deploy/scripts/sgx/run_trainer_master_sgx.sh +++ b/deploy/scripts/sgx/run_trainer_master_sgx.sh @@ -92,7 +92,7 @@ fi cp /app/sgx/gramine/CI-Examples/tensorflow_io.py /gramine/follower/ cp /app/sgx/gramine/CI-Examples/tensorflow_io.py /gramine/leader/ -source /app/deploy/scripts/sgx/enclave_env.sh +source /app/deploy/scripts/sgx/enclave_env.sh master unset HTTPS_PROXY https_proxy http_proxy ftp_proxy diff --git a/deploy/scripts/sgx/run_trainer_ps_sgx.sh b/deploy/scripts/sgx/run_trainer_ps_sgx.sh index d94db33b3..84450ad10 100755 --- a/deploy/scripts/sgx/run_trainer_ps_sgx.sh +++ b/deploy/scripts/sgx/run_trainer_ps_sgx.sh @@ -35,7 +35,7 @@ fi cp /app/sgx/gramine/CI-Examples/tensorflow_io.py /gramine/leader cp /app/sgx/gramine/CI-Examples/tensorflow_io.py /gramine/follower -source /app/deploy/scripts/sgx/enclave_env.sh +source /app/deploy/scripts/sgx/enclave_env.sh ps make_custom_env 4 source /root/start_aesm_service.sh diff --git a/deploy/scripts/sgx/run_trainer_worker_sgx.sh b/deploy/scripts/sgx/run_trainer_worker_sgx.sh index 26ff788e4..dc4c5543c 100755 
--- a/deploy/scripts/sgx/run_trainer_worker_sgx.sh +++ b/deploy/scripts/sgx/run_trainer_worker_sgx.sh @@ -46,7 +46,7 @@ fi cp /app/sgx/gramine/CI-Examples/tensorflow_io.py /gramine/follower/ cp /app/sgx/gramine/CI-Examples/tensorflow_io.py /gramine/leader/ -source /app/deploy/scripts/sgx/enclave_env.sh +source /app/deploy/scripts/sgx/enclave_env.sh worker unset HTTPS_PROXY https_proxy http_proxy ftp_proxy diff --git a/fedlearner/channel/client_interceptor.py b/fedlearner/channel/client_interceptor.py index ad6c7adee..226fb1606 100644 --- a/fedlearner/channel/client_interceptor.py +++ b/fedlearner/channel/client_interceptor.py @@ -364,6 +364,8 @@ def _grpc_error_need_recover(e): #if 400 <= httpstatus < 500: # return True return True + if e.code() == grpc.StatusCode.UNAUTHENTICATED: + return False return True # recover in any case #return False diff --git a/sgx/gramine/CI-Examples/generate-token/python.manifest.template b/sgx/gramine/CI-Examples/generate-token/python.manifest.template index e2ab01898..444a6783e 100644 --- a/sgx/gramine/CI-Examples/generate-token/python.manifest.template +++ b/sgx/gramine/CI-Examples/generate-token/python.manifest.template 
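Review bot: the comment on the final `return True # recover in any case` is now wrong, since the new branch deliberately refuses to recover from UNAUTHENTICATED (the status the RA-TLS check sets on a failed quote verification); update it to something like `return True  # recover in any case except UNAUTHENTICATED (attestation failure)`. The collapsed diff does not show the indentation, but the new check sits after the UNKNOWN/http-status handling; moving it to the top of the function would make the fail-closed decision the first thing a reader sees rather than the last. _grpc_error_need_recover starts outside the hunk.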
@@ -9,15 +9,22 @@ loader.pal_internal_mem_size = "200M" loader.insecure__use_cmdline_argv = true loader.insecure__use_host_env = true +loader.insecure_disable_aslr = true +sgx.allow_file_creation = true +sgx.static_address = 1 loader.env.LD_LIBRARY_PATH = "/opt/meituan/hadoop/lib/native:/opt/tiger/jdk/openjdk-1.8.0_265/jre/lib/amd64/server:/opt/meituan/hadoop/lib/native:/opt/meituan/hadoop/lib/native/nfs:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/server:/usr/local/lib/x86_64-linux-gnu:/opt/tiger/yarn_deploy/hadoop_current/lib/native:/opt/tiger/jdk/openjdk-1.8.0_265/jre/lib/amd64/server:/opt/tiger/jdk/openjdk-1.8.0_265/jre/lib/amd64/jli/:/opt/tiger/jdk/openjdk-1.8.0_265/jre/lib/amd64:{{ python.stdlib }}/lib:/lib:{{ arch_libdir }}:/usr/local/lib:/usr/local/{{ arch_libdir }}:/usr/lib:/usr/{{ arch_libdir }}" - loader.env.SECRET_PROVISION_CONSTRUCTOR = "1" loader.env.SECRET_PROVISION_SET_PF_KEY = "1" sys.enable_sigterm_injection = true sys.enable_extra_runtime_domain_names_conf = true -sys.stack.size = "1M" +sgx.ioctl_structs.ifconf = [ {name = "ifc_len",size = 4, direction = "inout" }, {size = 4}, { ptr=[ {size= "ifc_len", direction = "in"} ] } ] +sgx.ioctl_structs.ifreq = [ { name ="ifreq", size=40, direction ="inout"} ] +sgx.allowed_ioctls = [ + { request_code = 0x8912, struct = "ifconf"}, + { request_code = 0x8927, struct = "ifreq"}, +] fs.mounts = [ { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, @@ -48,7 +55,7 @@ sgx.remote_attestation = "dcap" sgx.preheat_enclave = false sgx.nonpie_binary = true sgx.enable_stats = false -sgx.enclave_size = "16G" +sgx.enclave_size = "8G" sgx.thread_num = 256 sgx.rpc_thread_num = 0 sgx.protected_files_key = "ffeeddccbbaa99887766554433221100" @@ -60,7 +67,9 @@ sgx.trusted_files = [ "file:/usr/{{ arch_libdir }}/", "file:/etc/ssl/certs/ca-certificates.crt", "file:/etc/default/apport", - "file:/etc/mime.types" + "file:/etc/mime.types", + "file:/gramine/leader/", + "file:/gramine/follower/" ] sgx.allowed_files = [ 
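Review bot: `loader.insecure_disable_aslr = true` together with `sgx.static_address = 1` removes address-space randomisation inside the enclave, and `sgx.allow_file_creation = true` widens what the enclave may write; none of the three carries a comment saying which component needs it, and the first two weaken exploit mitigation for the whole trainer. Add a comment naming the reason so they can be revisited, e.g. `# disabled for <component>: <reason>; re-enable once fixed`, and confirm that `sgx.static_address` is still honoured by the Gramine version in use. In the new `sgx.ioctl_structs.ifconf` entry the `ptr` sub-buffer is marked `direction = "in"`, yet SIOCGIFCONF (0x8912) fills that buffer on the host side; if Gramine's "in" means enclave-to-host only, the interface list is never copied back — worth checking against the Gramine ioctl documentation.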
@@ -94,7 +103,4 @@ sgx.allowed_files = [ "file:/lib/", "file:/bin/", "file:/data/", - "file:/gramine/leader/", - "file:/gramine/follower/" -] - +] \ No newline at end of file diff --git a/sgx/grpc/v1.38.1/examples/dynamic_config.json b/sgx/grpc/v1.38.1/examples/dynamic_config.json index 0211b6567..c6e8128fc 100644 --- a/sgx/grpc/v1.38.1/examples/dynamic_config.json +++ b/sgx/grpc/v1.38.1/examples/dynamic_config.json @@ -5,12 +5,6 @@ "verify_isv_prod_id" : "on", "verify_isv_svn" : "on", "sgx_mrs": [ - { - "mr_enclave" : "", - "mr_signer" : "", - "isv_prod_id" : "0", - "isv_svn" : "0" - } ], "other" : [] } diff --git a/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.cc b/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.cc index 709b3f215..5907669a2 100644 --- a/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.cc +++ b/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.cc @@ -23,13 +23,6 @@ namespace sgx { struct ra_tls_context _ctx_; -void check_free(void* ptr) { - if (ptr) { - free(ptr); - ptr = nullptr; - }; -} - bool hex_to_byte(const char *src, char *dst, size_t dst_size) { if (strlen(src) < dst_size*2) { return false; 
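Review bot: with the placeholder entry removed, `sgx_mrs` ships empty and is populated only at runtime by enclave_env.sh; given the matching loop in ra_tls_verify_measurement, an empty list rejects every peer, which is the right default but is stated nowhere. JSON cannot hold a comment, so the README or the header of enclave_env.sh should say that `"sgx_mrs": []` means "accept nobody" and that entries are appended by update_sgx_dynamic_config, otherwise the first "UNAUTHENTICATED" seen by an operator will look like a bug.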
@@ -100,107 +93,140 @@ void* library_engine::get_handle() { return handle; } -json_engine::json_engine() : handle(nullptr) {}; +json_engine::json_engine() : handle(nullptr){}; -json_engine::json_engine(const char* file) : handle(nullptr){ - this->open(file); +json_engine::json_engine(const char *file) : handle(nullptr) +{ + this->open(file); } -json_engine::~json_engine() { - this->close(); +json_engine::~json_engine() +{ + this->close(); } -bool json_engine::open(const char* file) { - if (!file) { - grpc_printf("wrong json file path\n"); - return false; - } +bool json_engine::open(const char *file) +{ + if (!file) + { + grpc_printf("wrong json file path\n"); + return false; + } - this->close(); + this->close(); - auto file_ptr = fopen(file, "r"); - fseek(file_ptr, 0, SEEK_END); - auto length = ftell(file_ptr); - fseek(file_ptr, 0, SEEK_SET); - auto buffer = malloc(length); - fread(buffer, 1, length, file_ptr); - fclose(file_ptr); + auto file_ptr = fopen(file, "r"); + fseek(file_ptr, 0, SEEK_END); + auto length = ftell(file_ptr); + fseek(file_ptr, 0, SEEK_SET); + auto buffer = malloc(length + 1); + memset(buffer, 0, length); + fread(buffer, 1, length, file_ptr); + fclose(file_ptr); - this->handle = cJSON_Parse((const char *)buffer); + this->handle = cJSON_Parse((const char*)buffer); - check_free(buffer); + if (buffer) + { + free(buffer); + buffer = nullptr; + } - if (this->handle) { - return true; - } else { - grpc_printf("cjson open %s error: %s", file, cJSON_GetErrorPtr()); - return false; - } + if (this->handle) + { + return true; + } + else + { + grpc_printf("cjson open %s error: %s", file, cJSON_GetErrorPtr()); + return false; + } } -void json_engine::close() { - if (this->handle) { - cJSON_Delete(this->handle); - this->handle = nullptr; - } +void json_engine::close() +{ + if (this->handle) + { + cJSON_Delete(this->handle); + this->handle = nullptr; + } } -cJSON * json_engine::get_handle() { - return this->handle; +cJSON *json_engine::get_handle() +{ + return 
this->handle; } -cJSON * json_engine::get_item(cJSON *obj, const char *item) { - return cJSON_GetObjectItem(obj, item); -}; - -char * json_engine::print_item(cJSON *obj) { - return cJSON_Print(obj); +cJSON *json_engine::get_item(cJSON *obj, const char *item) +{ + return cJSON_GetObjectItem(obj, item); }; -bool json_engine::compare_item(cJSON *obj, const char *item) { - auto obj_item = this->print_item(obj); - return strncmp(obj_item+1, item, std::min(strlen(item), strlen(obj_item)-2)) == 0; +bool json_engine::compare_item(cJSON *obj, const char *item) +{ + if (!obj || !cJSON_IsString(obj)){ + return false; + } + auto obj_item = obj->valuestring; + return strncmp(obj_item, item, std::min(strlen(item), strlen(obj_item))) == 0; }; -sgx_config parse_sgx_config_json(const char* file) { - class json_engine sgx_json(file); - struct sgx_config sgx_cfg; - - sgx_cfg.verify_in_enclave = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_in_enclave"), "on"); - sgx_cfg.verify_mr_enclave = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_mr_enclave"), "on"); - sgx_cfg.verify_mr_signer = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_mr_signer"), "on"); - sgx_cfg.verify_isv_prod_id = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_isv_prod_id"), "on"); - sgx_cfg.verify_isv_svn = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_isv_svn"), "on"); - // grpc_printf("%d, %d, %d, %d, %d\n", sgx_cfg.verify_in_enclave, - // sgx_cfg.verify_mr_enclave, - // sgx_cfg.verify_mr_signer, - // sgx_cfg.verify_isv_prod_id, - // sgx_cfg.verify_isv_svn); - - auto objs = sgx_json.get_item(sgx_json.get_handle(), "sgx_mrs"); - auto obj_num = cJSON_GetArraySize(objs); - - sgx_cfg.sgx_mrs = std::vector(obj_num, sgx_measurement()); - for (auto i = 0; i < obj_num; i++) { - auto obj = cJSON_GetArrayItem(objs, i); - - auto mr_enclave = sgx_json.print_item(sgx_json.get_item(obj, "mr_enclave")); - 
memset(sgx_cfg.sgx_mrs[i].mr_enclave, 0, sizeof(sgx_cfg.sgx_mrs[i].mr_enclave)); - hex_to_byte(mr_enclave+1, sgx_cfg.sgx_mrs[i].mr_enclave, sizeof(sgx_cfg.sgx_mrs[i].mr_enclave)); - - auto mr_signer = sgx_json.print_item(sgx_json.get_item(obj, "mr_signer")); - memset(sgx_cfg.sgx_mrs[i].mr_signer, 0, sizeof(sgx_cfg.sgx_mrs[i].mr_signer)); - hex_to_byte(mr_signer+1, sgx_cfg.sgx_mrs[i].mr_signer, sizeof(sgx_cfg.sgx_mrs[i].mr_signer)); - - auto isv_prod_id = sgx_json.print_item(sgx_json.get_item(obj, "isv_prod_id")); - sgx_cfg.sgx_mrs[i].isv_prod_id = strtoul(isv_prod_id, nullptr, 10); +const char* json_engine::get_item_string(cJSON *obj, const char* item){ + auto item_json = get_item(obj, item); + return cJSON_IsString(item_json) ? item_json->valuestring : ""; +} - auto isv_svn = sgx_json.print_item(sgx_json.get_item(obj, "isv_svn")); - sgx_cfg.sgx_mrs[i].isv_svn = strtoul(isv_svn, nullptr, 10); - // grpc_printf("%s, %s, %s, %s\n", mr_enclave, mr_signer, isv_prod_id, isv_svn); - }; - return sgx_cfg; +sgx_config parse_sgx_config_json(const char *file) +{ + class json_engine sgx_json(file); + struct sgx_config sgx_cfg; + + sgx_cfg.verify_in_enclave = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_in_enclave"), "on"); + sgx_cfg.verify_mr_enclave = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_mr_enclave"), "on"); + sgx_cfg.verify_mr_signer = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_mr_signer"), "on"); + sgx_cfg.verify_isv_prod_id = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_isv_prod_id"), "on"); + sgx_cfg.verify_isv_svn = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_isv_svn"), "on"); + + grpc_printf("|- verify_in_enclave: %s\n", sgx_cfg.verify_in_enclave ? "on" : "off"); + grpc_printf("|- verify_mr_enclave: %s\n", sgx_cfg.verify_mr_enclave ? "on" : "off"); + grpc_printf("|- verify_mr_signer: %s\n", sgx_cfg.verify_mr_signer ? 
"on" : "off"); + grpc_printf("|- verify_isv_prod_id: %s\n", sgx_cfg.verify_isv_prod_id ? "on" : "off"); + grpc_printf("|- verify_isv_svn: %s\n", sgx_cfg.verify_isv_svn ? "on" : "off"); + + auto objs = sgx_json.get_item(sgx_json.get_handle(), "sgx_mrs"); + auto obj_num = cJSON_GetArraySize(objs); + + sgx_cfg.sgx_mrs = std::vector(obj_num, sgx_measurement()); + for (auto i = 0; i < obj_num; i++) + { + auto obj = cJSON_GetArrayItem(objs, i); + grpc_printf(" |- expect measurement [%d]:\n", i + 1); + auto mr_enclave = sgx_json.get_item_string(obj, "mr_enclave"); + grpc_printf(" |- mr_enclave: %s\n", mr_enclave); + memset(sgx_cfg.sgx_mrs[i].mr_enclave, 0, sizeof(sgx_cfg.sgx_mrs[i].mr_enclave)); + auto res = hex_to_byte(mr_enclave, sgx_cfg.sgx_mrs[i].mr_enclave, sizeof(sgx_cfg.sgx_mrs[i].mr_enclave)); + if (!res){ + grpc_printf("mr_enclave invalid, %s\n", mr_enclave); + } + + auto mr_signer = sgx_json.get_item_string(obj, "mr_signer"); + grpc_printf(" |- mr_signer: %s\n", mr_signer); + memset(sgx_cfg.sgx_mrs[i].mr_signer, 0, sizeof(sgx_cfg.sgx_mrs[i].mr_signer)); + res = hex_to_byte(mr_signer, sgx_cfg.sgx_mrs[i].mr_signer, sizeof(sgx_cfg.sgx_mrs[i].mr_signer)); + if (!res){ + grpc_printf("mr_signer invalid, %s\n", mr_signer); + } + + auto isv_prod_id = sgx_json.get_item_string(obj, "isv_prod_id"); + grpc_printf(" |- isv_prod_id: %s\n", isv_prod_id); + sgx_cfg.sgx_mrs[i].isv_prod_id = strtoul(isv_prod_id ,nullptr, 10); + + auto isv_svn = sgx_json.get_item_string(obj, "isv_svn"); + grpc_printf(" |- isv_svn: %s\n", isv_svn); + sgx_cfg.sgx_mrs[i].isv_svn = strtoul(isv_svn ,nullptr, 10);; + }; + return sgx_cfg; } int TlsAuthorizationCheck::Schedule(grpc::experimental::TlsServerAuthorizationCheckArg* arg) { 
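Review bot: parse_sgx_config_json fails open when the config file cannot be read: json_engine's constructor discards the result of open(), cJSON_GetObjectItem on the null handle yields null, every compare_item() then returns false, and the function hands back a config with verify_in_enclave and all verify_* flags off — which, as far as ra_tls_verify_init is visible in this diff, means attestation checks are skipped rather than refused. The function should return a fail-closed config (verification on, no accepted measurements) as soon as `sgx_json.get_handle()` is null. Two smaller defects in the same hunk: open() allocates `malloc(length + 1)` but zeroes only `length` bytes, so cJSON_Parse can read one byte past the data — use `memset(buffer, 0, length + 1);` — and never checks `fopen`/`ftell` before using them; compare_item's `strncmp` over `min(strlen(item), strlen(obj_item))` is a prefix match, so `""` or `"o"` counts as `"on"` — `return strcmp(obj_item, item) == 0;`. The same json_engine and parse code is duplicated in grpc_sgx_ra_tls_client.cc (hunk @@ -71,79 +72,112 @@) and the TF grpc_sgx_ra_tls_utils.cc (hunk @@ -83,5 +83,88 @@), so the fixes apply there too.
```cpp
sgx_config parse_sgx_config_json(const char *file)
{
    class json_engine sgx_json(file);
    struct sgx_config sgx_cfg;

    // Fail closed: an unreadable policy keeps verification on and accepts
    // no measurement, so ra_tls_verify_measurement rejects every peer.
    if (!sgx_json.get_handle())
    {
        grpc_printf("sgx config %s unreadable, rejecting all peers\n", file);
        sgx_cfg.verify_in_enclave = true;
        sgx_cfg.verify_mr_enclave = true;
        sgx_cfg.verify_mr_signer = true;
        sgx_cfg.verify_isv_prod_id = true;
        sgx_cfg.verify_isv_svn = true;
        sgx_cfg.sgx_mrs.clear();
        return sgx_cfg;
    }
    // … unchanged: verify_* flags, log lines and sgx_mrs parsing …
```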
@@ -210,13 +236,10 @@ int TlsAuthorizationCheck::Schedule(grpc::experimental::TlsServerAuthorizationCh auto peer_cert_buf = arg->peer_cert(); peer_cert_buf.copy(der_crt, peer_cert_buf.length(), 0); - // char der_crt[16000] = TEST_CRT_PEM; - // grpc_printf("%s\n", der_crt); - int ret = (*_ctx_.verify_callback_f)(reinterpret_cast(der_crt), 16000); if (ret != 0) { - grpc_printf("something went wrong while verifying quote\n"); + grpc_printf("something went wrong while verifying quote, error: %s\n", mbedtls_high_level_strerr(ret)); arg->set_success(0); arg->set_status(GRPC_STATUS_UNAUTHENTICATED); } else { @@ -405,7 +428,7 @@ int ra_tls_auth_check_schedule(void* /* confiuser_data */, int ret = (*_ctx_.verify_callback_f)(reinterpret_cast(der_crt), 16000); if (ret != 0) { - grpc_printf("something went wrong while verifying quote\n"); + grpc_printf("something went wrong while verifying quote, error: %s\n", mbedtls_high_level_strerr(ret)); arg->success = 0; arg->status = GRPC_STATUS_UNAUTHENTICATED; } else { diff --git a/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.h b/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.h index e060f4377..f2a897a4b 100644 --- a/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.h +++ b/sgx/grpc/v1.38.1/src/cpp/sgx/sgx_ra_tls_utils.h @@ -85,28 +85,29 @@ class library_engine { char* error; }; -class json_engine { - public: +class json_engine +{ +public: json_engine(); - json_engine(const char*); + json_engine(const char *); ~json_engine(); - bool open(const char*); + bool open(const char *); void close(); - cJSON * get_handle(); - - cJSON * get_item(cJSON *obj, const char *item); + cJSON *get_handle(); - char * print_item(cJSON *obj); + cJSON *get_item(cJSON *obj, const char *item); bool compare_item(cJSON *obj, const char *item); - private: - cJSON* handle; + const char* get_item_string(cJSON *obj, const char* item); + +private: + cJSON *handle; }; class TlsAuthorizationCheck 
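Review bot: `mbedtls_high_level_strerr(ret)` returns NULL for codes that are not high-level mbedTLS errors (or if ret is not an mbedTLS code at all), and passing NULL to `%s` is undefined behaviour on exactly the path that reports an attestation failure. Prefer the buffer form, `char err[128]; mbedtls_strerror(ret, err, sizeof(err));` and print `err`, or at least fall back to a fixed string when the pointer is null. The same line is added again in hunk @@ -405,7 +428,7 @@ (ra_tls_auth_check_schedule). Schedule's body starts outside the hunk.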
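Review bot: json_engine owns `handle` and frees it in the destructor, but the class declares neither copy nor move operations, so a copy (returning or passing it by value) would cJSON_Delete the same tree twice. Add `json_engine(const json_engine&) = delete;` and `json_engine& operator=(const json_engine&) = delete;` next to the destructor. The new `get_item_string` also deserves a comment stating that the returned pointer aliases the parsed tree and is valid only until close() or destruction, and that a missing or non-string item yields `""` — callers in parse_sgx_config_json pass it straight to strtoul and hex_to_byte. The same class is declared again in the TF grpc_sgx_ra_tls_utils.h (hunk @@ -79,6 +81,31 @@).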
@@ -155,8 +156,6 @@ struct ra_tls_context { int (*verify_callback_f)(uint8_t* der_crt, size_t der_crt_size) = nullptr; }; -void check_free(void* ptr); - sgx_config parse_sgx_config_json(const char* file); bool ra_tls_verify_measurement(const char* mr_enclave, const char* mr_signer, diff --git a/sgx/tf/sgx_tls_sample.diff b/sgx/tf/sgx_tls_sample.diff index e537bf090..98f6a9fbe 100644 --- a/sgx/tf/sgx_tls_sample.diff +++ b/sgx/tf/sgx_tls_sample.diff @@ -1,5 +1,5 @@ diff --git a/tensorflow/core/distributed_runtime/rpc/BUILD b/tensorflow/core/distributed_runtime/rpc/BUILD -index ce1a20a5ae9..a972f51f930 100644 +index ce1a20a5ae9..23f329096ca 100644 --- a/tensorflow/core/distributed_runtime/rpc/BUILD +++ b/tensorflow/core/distributed_runtime/rpc/BUILD @@ -41,9 +41,9 @@ filegroup( @@ -11,23 +11,15 @@ index ce1a20a5ae9..a972f51f930 100644 - linkopts = if_windows(["-DEFAULTLIB:ws2_32.lib"]), + srcs = ["grpc_util.cc", "grpc_sgx_ra_tls_utils.cc", "grpc_sgx_ra_tls_server.cc", "grpc_sgx_ra_tls_client.cc", "grpc_sgx_credentials_provider.cc"], + hdrs = ["grpc_util.h", "grpc_sgx_ra_tls.h", "grpc_sgx_ra_tls_utils.h", "grpc_sgx_credentials_provider.h"], -+ linkopts = ["-L/usr/local/lib", "-l:libmbedx509_gramine.a", "-l:libmbedcrypto_gramine.a"], ++ linkopts = ["-L/usr/local/lib", "-l:libmbedx509_gramine.a", "-l:libmbedcrypto_gramine.a", "-l:libcjson.a", "-l:libcjson_utils.a"], deps = [ "//tensorflow/core:lib", # Required to be able to overload TensorResponse parsing. diff --git a/tensorflow/core/distributed_runtime/rpc/grpc_channel.cc b/tensorflow/core/distributed_runtime/rpc/grpc_channel.cc -index 985b0454837..f0b462d06e9 100644 +index 985b0454837..2d2b6d68003 100644 --- a/tensorflow/core/distributed_runtime/rpc/grpc_channel.cc 
+++ b/tensorflow/core/distributed_runtime/rpc/grpc_channel.cc -@@ -36,6 +36,7 @@ limitations under the License. - #include "tensorflow/core/platform/types.h" - #include "tensorflow/core/util/device_name_utils.h" - -+ - namespace tensorflow { - - namespace { -@@ -143,8 +144,9 @@ Status NewHostPortGrpcChannel(const string& target, +@@ -143,8 +143,9 @@ Status NewHostPortGrpcChannel(const string& target, TF_RETURN_IF_ERROR(ValidateHostPortPair(target)); ::grpc::ChannelArguments args = GetChannelArguments(rpc_options); @@ -65,7 +57,7 @@ index fb925e51497..2dbe6b3ba32 100644 ChannelCreationFunction GrpcServer::GetChannelCreationFunction() const { diff --git a/tensorflow/core/distributed_runtime/rpc/grpc_util.cc b/tensorflow/core/distributed_runtime/rpc/grpc_util.cc -index 98e05b64aad..d92b93d5df9 100644 +index 98e05b64aad..3d802241a5b 100644 --- a/tensorflow/core/distributed_runtime/rpc/grpc_util.cc +++ b/tensorflow/core/distributed_runtime/rpc/grpc_util.cc @@ -16,6 +16,7 @@ limitations under the License. @@ -96,12 +88,12 @@ index 98e05b64aad..d92b93d5df9 100644 + LOG(INFO) << "GetCredentials"; + if (secure && strcmp(secure, "on") == 0) { + LOG(INFO) << "Secure mode: " << string(secure); -+ const char* mr_enclave = std::getenv("MR_ENCLAVE"); -+ const char* mr_signer = std::getenv("MR_SIGNER"); -+ const char* isv_prod_id = std::getenv("ISV_PROD_ID"); -+ const char* isv_svn = std::getenv("ISV_SVN"); -+ LOG(INFO) << "\tSecure Params: " << string(mr_enclave) << "\n\t\t" << string(mr_signer); -+ return ::grpc::sgx::TlsCredentials(mr_enclave, mr_signer, isv_prod_id, isv_svn); ++ const char* config_path = std::getenv("TF_GRPC_SGX_RA_TLS_CONFIG"); ++ if (!config_path){ ++ config_path = "dynamic_config.json"; ++ } ++ LOG(INFO) << "Config path: " << string(config_path); ++ return ::grpc::sgx::TlsCredentials(config_path); + } + return ::grpc::InsecureChannelCredentials(); +} 
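Review bot: the attestation policy (which now carries `verify_in_enclave` and the accepted measurements) is located through `getenv("TF_GRPC_SGX_RA_TLS_CONFIG")` with a CWD-relative fallback of `"dynamic_config.json"`, and the manifest in this same commit keeps `loader.insecure__use_host_env = true`, so the untrusted host can point the enclave at any JSON it likes and switch verification off. Pin the path (or validate the variable against a fixed allow-list) and list the file under `sgx.trusted_files` so its hash is part of the enclave's measured inputs; the `LOG(INFO) << "Config path"` line should then also report whether the file actually loaded, since a missing file currently degrades silently (see the parse_sgx_config_json note). This is a change inside a patch file, so the surrounding GetCredentials function is only partly visible.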
@@ -120,12 +112,11 @@ index aed798217cb..aa70e94971a 100644 } // namespace tensorflow #endif // TENSORFLOW_CORE_DISTRIBUTED_RUNTIME_RPC_GRPC_UTIL_H_ - diff --git a/third_party/grpc/generate_cc_env_fix.patch b/third_party/grpc/generate_cc_env_fix.patch -index 51832fe9628..199d0cda566 100644 +index 51832fe9628..4be9e293263 100644 --- a/third_party/grpc/generate_cc_env_fix.patch +++ b/third_party/grpc/generate_cc_env_fix.patch -@@ -1,10 +1,81 @@ +@@ -1,6 +1,8 @@ +diff --git a/bazel/generate_cc.bzl b/bazel/generate_cc.bzl +index 484959ebb7..81d52fd28f 100644 --- a/bazel/generate_cc.bzl @@ -135,10 +126,9 @@ index 51832fe9628..199d0cda566 100644 outputs = out_files, executable = ctx.executable._protoc, arguments = arguments, - + use_default_shell_env = True, +@@ -8,3 +10,72 @@ ) -- -+ + return struct(files = depset(out_files)) +diff --git a/src/core/lib/security/credentials/tls/tls_credentials.cc b/src/core/lib/security/credentials/tls/tls_credentials.cc +index 701fd3b150..0826d05933 100644 diff --git a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls.h b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls.h index 005d34e52..24d1b87fe 100644 --- a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls.h +++ b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls.h @@ -27,9 +27,7 @@ namespace grpc { namespace sgx { -std::shared_ptr TlsCredentials( - const char* mrenclave, const char* mrsigner, - const char* isv_prod_id, const char* isv_svn); +std::shared_ptr TlsCredentials(const char* sgx_cfg_path); std::shared_ptr CreateSecureChannel(string, std::shared_ptr); diff --git a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_client.cc b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_client.cc index 79a03d886..68ea2ab68 100644 --- a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_client.cc +++ b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_client.cc 
@@ -45,11 +45,12 @@ struct sgx_measurement { }; struct sgx_config { + bool verify_in_enclave = true; bool verify_mr_enclave = true; bool verify_mr_signer = true; bool verify_isv_prod_id = true; bool verify_isv_svn = true; - struct sgx_measurement sgx_mrs; + std::vector sgx_mrs; }; struct ra_tls_cache { 
@@ -71,79 +72,112 @@ struct ra_tls_context { struct ra_tls_context _ctx_; -void parse_args(const char* mr_enclave, const char* mr_signer, - const char* isv_prod_id, const char* isv_svn) { - if (parse_hex(mr_enclave, _ctx_.sgx_cfg.sgx_mrs.mr_enclave, - sizeof(_ctx_.sgx_cfg.sgx_mrs.mr_enclave)) < 0) { - mbedtls_printf("Cannot parse MRENCLAVE!\n"); - return; - } +sgx_config parse_sgx_config_json(const char *file) +{ + class json_engine sgx_json(file); + struct sgx_config sgx_cfg; + + sgx_cfg.verify_in_enclave = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_in_enclave"), "on"); + sgx_cfg.verify_mr_enclave = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_mr_enclave"), "on"); + sgx_cfg.verify_mr_signer = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_mr_signer"), "on"); + sgx_cfg.verify_isv_prod_id = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_isv_prod_id"), "on"); + sgx_cfg.verify_isv_svn = sgx_json.compare_item(sgx_json.get_item(sgx_json.get_handle(), "verify_isv_svn"), "on"); + + mbedtls_printf("|- verify_in_enclave: %s\n", sgx_cfg.verify_in_enclave ? "on" : "off"); + mbedtls_printf("|- verify_mr_enclave: %s\n", sgx_cfg.verify_mr_enclave ? "on" : "off"); + mbedtls_printf("|- verify_mr_signer: %s\n", sgx_cfg.verify_mr_signer ? "on" : "off"); + mbedtls_printf("|- verify_isv_prod_id: %s\n", sgx_cfg.verify_isv_prod_id ? "on" : "off"); + mbedtls_printf("|- verify_isv_svn: %s\n", sgx_cfg.verify_isv_svn ? 
"on" : "off"); + + auto objs = sgx_json.get_item(sgx_json.get_handle(), "sgx_mrs"); + auto obj_num = cJSON_GetArraySize(objs); + + sgx_cfg.sgx_mrs = std::vector(obj_num, sgx_measurement()); + for (auto i = 0; i < obj_num; i++) + { + auto obj = cJSON_GetArrayItem(objs, i); + mbedtls_printf(" |- expect measurement [%d]:\n", i + 1); + auto mr_enclave = sgx_json.get_item_string(obj, "mr_enclave"); + mbedtls_printf(" |- mr_enclave: %s\n", mr_enclave); + memset(sgx_cfg.sgx_mrs[i].mr_enclave, 0, sizeof(sgx_cfg.sgx_mrs[i].mr_enclave)); + auto res = parse_hex(mr_enclave, sgx_cfg.sgx_mrs[i].mr_enclave, sizeof(sgx_cfg.sgx_mrs[i].mr_enclave)); + if (!res){ + mbedtls_printf("mr_enclave invalid, %s\n", mr_enclave); + } - if (parse_hex(mr_signer, _ctx_.sgx_cfg.sgx_mrs.mr_signer, - sizeof(_ctx_.sgx_cfg.sgx_mrs.mr_signer)) < 0) { - mbedtls_printf("Cannot parse MRSIGNER!\n"); - return; - } + auto mr_signer = sgx_json.get_item_string(obj, "mr_signer"); + mbedtls_printf(" |- mr_signer: %s\n", mr_signer); + memset(sgx_cfg.sgx_mrs[i].mr_signer, 0, sizeof(sgx_cfg.sgx_mrs[i].mr_signer)); + res = parse_hex(mr_signer, sgx_cfg.sgx_mrs[i].mr_signer, sizeof(sgx_cfg.sgx_mrs[i].mr_signer)); + if (!res){ + mbedtls_printf("mr_signer invalid, %s\n", mr_signer); + } - errno = 0; - _ctx_.sgx_cfg.sgx_mrs.isv_prod_id = (uint16_t)strtoul(isv_prod_id, NULL, 10); - if (errno) { - mbedtls_printf("Cannot parse ISV_PROD_ID!\n"); - return; - } + auto isv_prod_id = sgx_json.get_item_string(obj, "isv_prod_id"); + mbedtls_printf(" |- isv_prod_id: %s\n", isv_prod_id); + sgx_cfg.sgx_mrs[i].isv_prod_id = strtoul(isv_prod_id ,nullptr, 10); - errno = 0; - _ctx_.sgx_cfg.sgx_mrs.isv_svn = (uint16_t)strtoul(isv_svn, NULL, 10); - if (errno) { - mbedtls_printf("Cannot parse ISV_SVN\n"); - return; + auto isv_svn = sgx_json.get_item_string(obj, "isv_svn"); + mbedtls_printf(" |- isv_svn: %s\n", isv_svn); + sgx_cfg.sgx_mrs[i].isv_svn = strtoul(isv_svn ,nullptr, 10);; + }; + return sgx_cfg; +} + +bool 
ra_tls_verify_measurement(const char* mr_enclave, const char* mr_signer, + const char* isv_prod_id, const char* isv_svn) { + bool status = false; + auto & sgx_cfg = _ctx_.sgx_cfg; + for (auto & obj : sgx_cfg.sgx_mrs) { + status = true; + + if (status && sgx_cfg.verify_mr_enclave && \ + memcmp(obj.mr_enclave, mr_enclave, 32)) { + status = false; + } + + if (status && sgx_cfg.verify_mr_signer && \ + memcmp(obj.mr_signer, mr_signer, 32)) { + status = false; + } + + if (status && sgx_cfg.verify_isv_prod_id && \ + (obj.isv_prod_id != *(uint16_t*)isv_prod_id)) { + status = false; + } + + if (status && sgx_cfg.verify_isv_svn && \ + (obj.isv_svn != *(uint16_t*)isv_svn)) { + status = false; + } + + if (status) { + break; + } } + return status; } // RA-TLS: our own callback to verify SGX measurements int ra_tls_verify_mr_callback(const char* mr_enclave, const char* mr_signer, const char* isv_prod_id, const char* isv_svn) { std::lock_guard lock(_ctx_.mtx); + bool status = false; try { assert(mr_enclave && mr_signer && isv_prod_id && isv_svn); + status = ra_tls_verify_measurement(mr_enclave, mr_signer, isv_prod_id, isv_svn); + mbedtls_printf("MRENCLAVE\n"); - mbedtls_printf(" |- Expect : "); hexdump_mem(_ctx_.sgx_cfg.sgx_mrs.mr_enclave, 32); mbedtls_printf(" |- Get : "); hexdump_mem(mr_enclave, 32); mbedtls_printf("MRSIGNER\n"); - mbedtls_printf(" |- Expect : "); hexdump_mem(_ctx_.sgx_cfg.sgx_mrs.mr_signer, 32); mbedtls_printf(" |- Get : "); hexdump_mem(mr_signer, 32); mbedtls_printf("ISV_PROD_ID\n"); - mbedtls_printf(" |- Expect : %hu\n", _ctx_.sgx_cfg.sgx_mrs.isv_prod_id); mbedtls_printf(" |- Get : %hu\n", *((uint16_t*)isv_prod_id)); mbedtls_printf("ISV_SVN\n"); - mbedtls_printf(" |- Expect : %hu\n", _ctx_.sgx_cfg.sgx_mrs.isv_svn); mbedtls_printf(" |- Get : %hu\n", *((uint16_t*)isv_svn)); - bool status = true; - if (status && _ctx_.sgx_cfg.verify_mr_enclave && - memcmp(mr_enclave, _ctx_.sgx_cfg.sgx_mrs.mr_enclave, - sizeof(_ctx_.sgx_cfg.sgx_mrs.mr_enclave))) { - status = 
false; - } - - if (status && _ctx_.sgx_cfg.verify_mr_signer && - memcmp(mr_signer, _ctx_.sgx_cfg.sgx_mrs.mr_signer, - sizeof(_ctx_.sgx_cfg.sgx_mrs.mr_signer))) { - status = false; - } - - if (status && _ctx_.sgx_cfg.verify_isv_prod_id && - (_ctx_.sgx_cfg.sgx_mrs.isv_prod_id != *(uint16_t*)isv_prod_id)) { - status = false; - } - - if (status && _ctx_.sgx_cfg.verify_isv_svn && - (_ctx_.sgx_cfg.sgx_mrs.isv_svn != *(uint16_t*)isv_svn)) { - status = false; - } - if (status) { mbedtls_printf("Quote Verify\n |- Result : Success\n"); } else { @@ -160,8 +194,7 @@ int ra_tls_verify_mr_callback(const char* mr_enclave, const char* mr_signer, } void ra_tls_verify_init() { - const char* in_enclave = getenv("TF_GRPC_SGX_RA_TLS_ENABLE"); - if (in_enclave && strcmp(in_enclave, "on") == 0) { + if (_ctx_.sgx_cfg.verify_in_enclave) { if (!_ctx_.verify_lib.get_handle()) { _ctx_.verify_lib.open("libra_tls_verify_dcap_gramine.so", RTLD_LAZY); } @@ -187,6 +220,12 @@ void ra_tls_verify_init() { (*set_verify_mr_callback_f)(ra_tls_verify_mr_callback); } +void ra_tls_verify_init(const char* sgx_cfg_path) { + std::lock_guard lock(_ctx_.mtx); + _ctx_.sgx_cfg = parse_sgx_config_json(sgx_cfg_path); + ra_tls_verify_init(); +} + typedef class ::grpc_impl::experimental::TlsServerAuthorizationCheckArg TlsServerAuthorizationCheckArg; typedef struct ::grpc_impl::experimental::TlsServerAuthorizationCheckInterface @@ -250,14 +289,9 @@ class TlsServerAuthorizationCheck : public TlsServerAuthorizationCheckInterface // } // }; -std::shared_ptr TlsCredentials( - const char* mr_enclave, const char* mr_signer, - const char* isv_prod_id, const char* isv_svn) { - std::lock_guard lock(_ctx_.mtx); - - parse_args(mr_enclave, mr_signer, isv_prod_id, isv_svn); +std::shared_ptr TlsCredentials(const char* sgx_cfg_path) { - ra_tls_verify_init(); + ra_tls_verify_init(sgx_cfg_path); _ctx_.cache.id++; 
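Review bot: ra_tls_verify_measurement has no comment stating its two edge cases, which are the security-relevant ones: an empty `sgx_mrs` rejects every peer (status never becomes true), while an entry evaluated with all four verify_* flags off matches any peer unconditionally. Suggest a header comment such as `// Returns true if any configured measurement matches the peer; an empty list rejects everyone, and with every verify_* flag off the first entry matches anyone.` The `memcmp(..., 32)` calls hard-code the field size — `sizeof(obj.mr_enclave)` / `sizeof(obj.mr_signer)` keeps them tied to sgx_measurement — and `*(uint16_t*)isv_prod_id` is carried over from the old code but remains an unaligned, aliasing read; `memcpy` into a local `uint16_t` is the safe form. ra_tls_verify_mr_callback's body continues past the hunk.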
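Review bot: TlsCredentials no longer holds `_ctx_.mtx` while it runs: the removed `std::lock_guard` covered the whole function, and the new `ra_tls_verify_init(sgx_cfg_path)` overload takes the lock only for its own body, so the following `_ctx_.cache.id++` (and whatever follows it, since the function continues past the hunk) now touches shared state without the lock. Either restore `std::lock_guard lock(_ctx_.mtx);` at the top of TlsCredentials and drop the one inside the overload (std::mutex is not recursive), or move the cache update into the locked overload.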
diff --git a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.cc b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.cc index ce9d06c71..b874a989e 100644 --- a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.cc +++ b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.cc @@ -21,27 +21,27 @@ namespace grpc { namespace sgx { -void hexdump_mem(const void* data, size_t size) { - uint8_t* ptr = (uint8_t*)data; - for (size_t i = 0; i < size; i++) - printf("%02x", ptr[i]); - printf("\n"); -} - -int parse_hex(const char* hex, void* buffer, size_t buffer_size) { - if (strlen(hex) != buffer_size * 2) { - return -1; +bool parse_hex(const char* hex, void* buffer, size_t buffer_size) { + if (strlen(hex) < buffer_size * 2) { + return false; } else { for (size_t i = 0; i < buffer_size; i++) { if (!isxdigit(hex[i * 2]) || !isxdigit(hex[i * 2 + 1])) { - return -1; + return false; } sscanf(hex + i * 2, "%02hhx", &((uint8_t*)buffer)[i]); } - return 0; + return true; } } +void hexdump_mem(const void* data, size_t size) { + uint8_t* ptr = (uint8_t*)data; + for (size_t i = 0; i < size; i++) + printf("%02x", ptr[i]); + printf("\n"); +} + library_engine::library_engine() : handle(nullptr), error(nullptr) {}; library_engine::library_engine(const char* file, int mode) : handle(nullptr), error(nullptr) { 
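Review bot: relaxing the length check from `!=` to `<` makes parse_hex accept a hex string longer than the target and silently use only its first `buffer_size * 2` characters, so a mis-pasted expected measurement with trailing characters now passes as valid instead of being reported. If the relaxation is needed for the JSON strings, still reject (or log) trailing input, e.g. keep `if (strlen(hex) != buffer_size * 2) { return false; }` or check `hex[buffer_size * 2] == '\0'` after the loop. The same loose `<` check already exists in hex_to_byte in sgx_ra_tls_utils.cc (context of hunk @@ -23,13 +23,6 @@).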
@@ -83,5 +83,88 @@ void* library_engine::get_handle() { return handle; } +json_engine::json_engine() : handle(nullptr){}; + +json_engine::json_engine(const char *file) : handle(nullptr) +{ + this->open(file); +} + +json_engine::~json_engine() +{ + this->close(); +} + +bool json_engine::open(const char *file) +{ + if (!file) + { + printf("wrong json file path\n"); + return false; + } + + this->close(); + + auto file_ptr = fopen(file, "r"); + fseek(file_ptr, 0, SEEK_END); + auto length = ftell(file_ptr); + fseek(file_ptr, 0, SEEK_SET); + auto buffer = malloc(length + 1); + memset(buffer, 0, length); + fread(buffer, 1, length, file_ptr); + fclose(file_ptr); + + this->handle = cJSON_Parse((const char*)buffer); + + if (buffer) + { + free(buffer); + buffer = nullptr; + } + + if (this->handle) + { + return true; + } + else + { + printf("cjson open %s error: %s", file, cJSON_GetErrorPtr()); + return false; + } +} + +void json_engine::close() +{ + if (this->handle) + { + cJSON_Delete(this->handle); + this->handle = nullptr; + } +} + +cJSON *json_engine::get_handle() +{ + return this->handle; +} + +cJSON *json_engine::get_item(cJSON *obj, const char *item) +{ + return cJSON_GetObjectItem(obj, item); +}; + +bool json_engine::compare_item(cJSON *obj, const char *item) +{ + if (!obj || !cJSON_IsString(obj)){ + return false; + } + auto obj_item = obj->valuestring; + return strncmp(obj_item, item, std::min(strlen(item), strlen(obj_item))) == 0; +}; + +const char* json_engine::get_item_string(cJSON *obj, const char* item){ + auto item_json = get_item(obj, item); + return cJSON_IsString(item_json) ? item_json->valuestring : ""; +} + } // namespace sgx } // namespace grpc diff --git a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.h b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.h index 394609f7e..99554a032 100644 --- a/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.h 
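Review bot: json_engine::compare_item does a prefix comparison, not an equality test: `strncmp(obj_item, item, std::min(strlen(item), strlen(obj_item)))` returns 0 whenever one string is a prefix of the other, so "abc" matches "abcdef" and an empty string matches everything; if this is used to match measurement or policy strings from dynamic_config.json it should be `return strcmp(obj_item, item) == 0;`. json_engine::open also never checks fopen(), ftell() or malloc() for failure and zeroes only `length` bytes of a `length + 1` buffer, so the terminating NUL that cJSON_Parse relies on is never written and a short fread() leaves uninitialised bytes before it; the rewrite below terminates the buffer at the number of bytes actually read.
```cpp
bool json_engine::open(const char *file)
{
    // … unchanged: null-path check and close() …
    auto file_ptr = fopen(file, "r");
    if (!file_ptr)
    {
        printf("cannot open json file %s\n", file);
        return false;
    }
    fseek(file_ptr, 0, SEEK_END);
    auto length = ftell(file_ptr);
    if (length < 0)
    {
        fclose(file_ptr);
        return false;
    }
    fseek(file_ptr, 0, SEEK_SET);
    auto buffer = static_cast<char *>(malloc(static_cast<size_t>(length) + 1));
    if (!buffer)
    {
        fclose(file_ptr);
        return false;
    }
    // Terminate at what was actually read, not at the size ftell() reported.
    auto nread = fread(buffer, 1, static_cast<size_t>(length), file_ptr);
    fclose(file_ptr);
    buffer[nread] = '\0';

    this->handle = cJSON_Parse(buffer);
    free(buffer);
    // … unchanged: handle check and error report …
}
```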
+++ b/sgx/tf/tensorflow/core/distributed_runtime/rpc/grpc_sgx_ra_tls_utils.h @@ -54,9 +54,11 @@ namespace sgx { #include #include -void hexdump_mem(const void*, size_t); +#include -int parse_hex(const char*, void*, size_t); +bool parse_hex(const char*, void*, size_t); + +void hexdump_mem(const void* data, size_t size); class library_engine { public: @@ -79,6 +81,31 @@ class library_engine { char* error; }; +class json_engine +{ +public: + json_engine(); + + json_engine(const char *); + + ~json_engine(); + + bool open(const char *); + + void close(); + + cJSON *get_handle(); + + cJSON *get_item(cJSON *obj, const char *item); + + bool compare_item(cJSON *obj, const char *item); + + const char* get_item_string(cJSON *obj, const char* item); + +private: + cJSON *handle; +}; + } // namespace sgx } // namespace grpc
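Review bot: json_engine owns a `cJSON *handle` and frees it in its destructor but declares neither a copy constructor nor a copy assignment operator, so an implicit copy leaves two objects deleting the same cJSON tree (Rule of Five). Add `json_engine(const json_engine &) = delete;` and `json_engine &operator=(const json_engine &) = delete;` next to the destructor, or give the class proper move semantics if transfers are intended. `get_handle()` also hands out the raw owning pointer, which a caller must not cJSON_Delete; that is worth a one-line comment on the declaration.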
