Build and Sign CCF Applications
Before building a CCF application, make sure that CCF is installed (see Install CCF).
Once an application is complete, it needs to be built into a shared object, and signed.
Using cmake, an application can be built and then signed using the functions provided by CCF’s cmake/ccf_app.cmake. For example, for the
The Open Enclave configuration file (oe_sign.conf) should be placed under the same directory as the source files for the application. For example:

    # Enclave settings:
    NumHeapPages=50000
    NumStackPages=1024
    NumTCS=8
    ProductID=1
    SecurityVersion=1
    # The Debug setting is automatically inserted by sign_app_library in CMake, to build both debuggable and non-debuggable variants

The Open Enclave documentation provides details about the enclave settings in the oe_sign.conf configuration file.
It is also possible to sign an existing enclave application (e.g. libjs_generic.enclave.so) manually, using a signing key (specified by

    $ openssl genrsa -out signing_key.pem -3 3072
    $ /opt/openenclave/bin/oesign sign --enclave-image libjs_generic.enclave.so --config-file CCF/src/apps/js_generic/oe_sign.conf --key-file signing_key.pem
    Created libjs_generic.enclave.so.signed
    $ ls *.so.signed
    libjs_generic.enclave.so.signed

It is then possible to inspect the signed enclave library:

    $ /opt/openenclave/bin/oesign dump --enclave-image libjs_generic.enclave.so.signed
    === Entry point:
    name=_start
    address=00000000008dee48

    === SGX Enclave Properties:
    product_id=1
    security_version=1
    debug=1
    xfrm=0
    num_heap_pages=32768
    num_stack_pages=1024
    num_tcs=8
    mrenclave=3175971c02d00c1a8f9dd23ca89e64955c5caa94e24f4a3a0579dcfb2e6aebf9
    signature=...

For a given application, the signature field depends on the key used to sign the enclave. See Updating Code Version for instructions on how members can register new application versions (
The Open Enclave documentation provides further details about how to sign enclave applications using
To connect a debugger to a CCF node, the configuration passed to oesign sign must have debugging enabled (Debug=1). This must be disabled for production enclaves, to ensure confidentiality is maintained. If using the sign_app_library function defined in ccf_app.cmake, two variants will be produced for each enclave. name.enclave.so.debuggable will have debugging enabled (meaning a debugger may be attached - the optimisation level is handled independently), while name.enclave.so.signed is the final enclave with debugging disabled. The produced binaries are otherwise identical.
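Because the two variants differ only in the debug setting, a release pipeline can gate on the debug field of the oesign dump output before an enclave is deployed. The script below is an added example, not part of CCF or Open Enclave; the function names and exit codes are hypothetical, and it assumes one key=value field per line with lowercase hex, as in the dump shown earlier.

```shell
#!/bin/sh
# Added example: release gate over `oesign dump` output read from stdin.
# Assumes one key=value field per line, as in the dump shown above.

# dump_field NAME: print the value of the first NAME=... line on stdin.
dump_field() {
    sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# check_release_enclave: exit 0 and print mrenclave only if debug=0.
# Exit 1: debugging enabled. Exit 2: dump could not be parsed.
check_release_enclave() {
    cre_dump=$(cat)
    cre_debug=$(printf '%s\n' "$cre_dump" | dump_field debug)
    cre_mr=$(printf '%s\n' "$cre_dump" | dump_field mrenclave)

    # Fail closed: a missing or malformed field is never treated as "release".
    case $cre_mr in
        ''|*[!0-9a-f]*) echo "unparseable mrenclave" >&2; return 2 ;;
    esac
    [ "${#cre_mr}" -eq 64 ] || { echo "mrenclave is not 32 bytes" >&2; return 2; }

    case $cre_debug in
        0) printf '%s\n' "$cre_mr" ;;
        1) echo "debug=1: debuggable enclave, not for production" >&2; return 1 ;;
        *) echo "missing or unexpected debug field" >&2; return 2 ;;
    esac
}

# Constructed sample dump, modelled on the output above; $1 sets debug.
sample_dump() {
    cat <<EOF
=== SGX Enclave Properties:
product_id=1
security_version=1
debug=$1
mrenclave=3175971c02d00c1a8f9dd23ca89e64955c5caa94e24f4a3a0579dcfb2e6aebf9
EOF
}

# Real use: oesign dump --enclave-image <app>.enclave.so.signed | check_release_enclave
sample_dump 1 | check_release_enclave || echo "rejected (exit $?)"
```

On success the function prints the mrenclave value, which can then be compared with the code version members have registered.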
The cchost binary must be told that the enclave type is debug, by setting the enclave.type configuration option to