Merge pull request #357 from oasisprotocol/matevz/feature/mock-sgx

sapphire-runtime: Enable mock SGX
oasisprotocol · Aug 30, 2024 · 2d244ae · 2d244ae
2 parents d8246ee + 8ea7c69
commit 2d244ae
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 8 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -25,8 +25,9 @@ jobs:
           pkg-dirs: runtime
           binaries: sapphire-paratime
           clean: no
+          features: debug-mock-sgx
           setup: |
-            export OASIS_UNSAFE_SKIP_AVR_VERIFY=1 OASIS_UNSAFE_SKIP_KM_POLICY=1 OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES=1 OASIS_UNSAFE_USE_LOCALNET_CHAINID=1
+            export OASIS_UNSAFE_SKIP_AVR_VERIFY=1 OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES=1 OASIS_UNSAFE_USE_LOCALNET_CHAINID=1
 
       - name: Create the debug Oasis Runtime Container
         run: |

diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml
@@ -30,3 +30,7 @@ once_cell = "1.8.0"
 [profile.release]
 codegen-units = 1
 lto = "thin"
+
+[features]
+# Enables mock SGX in test builds.
+debug-mock-sgx = ["oasis-runtime-sdk/debug-mock-sgx"]
diff --git a/runtime/Makefile b/runtime/Makefile
@@ -4,7 +4,7 @@ SAPPHIRE_DEV_DOCKER=ghcr.io/oasisprotocol/sapphire-localnet:latest
 all:
 
 build-debug:
-	OASIS_UNSAFE_SKIP_AVR_VERIFY=1 OASIS_UNSAFE_SKIP_KM_POLICY=1 OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES=1 OASIS_UNSAFE_USE_LOCALNET_CHAINID=1 cargo build
+	OASIS_UNSAFE_SKIP_AVR_VERIFY=1 OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES=1 OASIS_UNSAFE_USE_LOCALNET_CHAINID=1 cargo build --features debug-mock-sgx
 
 pull:
 	docker pull $(SAPPHIRE_DEV_DOCKER)

diff --git a/runtime/README.md b/runtime/README.md
@@ -93,18 +93,25 @@ Add the Fortanix SGX tools by running:
 cargo install --locked fortanix-sgx-tools sgxs-tools
 ```
 
-### Non-SGX Binary
+### Mock SGX Binary
 
-To build the non-SGX binary of the Sapphire ParaTime, checkout the appropriate
-version and run:
+Mock SGX allows a developer to run the Sapphire ParaTime binary without
+performing the attestation and requiring actual SGX hardware. While you can't
+connect to a production Mainnet or Testnet with such a setup, it is useful for
+testing Sapphire locally and/or testing dApps that require
+Sapphire-specific features, for example in the CI environments.
+
+To build the unsafe, mock SGX binary of the Sapphire ParaTime for Localnet
+checkout the appropriate version and run:
 
 ```shell
-cargo build --release --locked
+export OASIS_UNSAFE_SKIP_AVR_VERIFY=1 OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES=1 OASIS_UNSAFE_USE_LOCALNET_CHAINID=1
+cargo build --release --locked --features debug-mock-sgx
 ```
 
 The resulting ELF binary is located at `target/release/sapphire-paratime`.
 
-_NOTE: The non-SGX binary is dynamically linked so it may not be portable
+_NOTE: The mock SGX binary is dynamically linked so it may not be portable
 between machines with different versions of shared libraries._
 
 ### SGX Binary

diff --git a/runtime/src/lib.rs b/runtime/src/lib.rs
@@ -135,7 +135,9 @@ impl sdk::Runtime for Runtime {
 
     fn trusted_signers() -> Option<TrustedSigners> {
         #[allow(clippy::partialeq_to_none)]
-        if option_env!("OASIS_UNSAFE_SKIP_KM_POLICY") == Some("1") {
+        if option_env!("OASIS_UNSAFE_SKIP_KM_POLICY") == Some("1")
+            || cfg!(feature = "debug-mock-sgx")
+        {
             return Some(TrustedSigners::default());
         }
         let tps = keymanager::trusted_policy_signers();