Build and Sign CCF Applications
Before building a CCF application, make sure that CCF is installed (see Install CCF).
Once an application is complete, it needs to be built into a shared object and signed.

Using `cmake`, an application can be built and then signed with the functions provided by CCF's `cmake/ccf_app.cmake`. For example, the `js_generic` sample application under `src/apps/js_generic` is built and signed this way.
The Open Enclave configuration file (`oe_sign.conf`) should be placed in the same directory as the application's source files. For example:

```
# Enclave settings:
# The Debug setting is automatically inserted by sign_app_library in CMake, to build both debuggable and non-debuggable variants
```
The Open Enclave documentation provides details about the enclave settings in the `oe_sign.conf` configuration file.
It is also possible to sign an existing enclave application (e.g. `libjs_generic.enclave.so`) manually, using a signing key (specified by `--key-file`) and a signing configuration (specified by `--config-file`):

```
$ openssl genrsa -out signing_key.pem -3 3072
$ /opt/openenclave/bin/oesign sign --enclave-image libjs_generic.enclave.so --config-file CCF/src/apps/js_generic/oe_sign.conf --key-file signing_key.pem
$ ls *.so.signed
```
It is then possible to inspect the signed enclave library:

```
$ /opt/openenclave/bin/oesign dump --enclave-image libjs_generic.enclave.so.signed
=== Entry point:
=== SGX Enclave Properties:
```
For a given application, the `signature` field depends on the key used to sign the enclave. See Updating Code Version for instructions on how members can register new application versions.

The Open Enclave documentation provides further details about how to sign enclave applications using `oesign`.
To connect a debugger to a CCF node, the configuration passed to `oesign sign` must have debugging enabled (`Debug=1`). This must be disabled for production enclaves, to ensure confidentiality is maintained. If using the `sign_app_library` function defined in `ccf_app.cmake`, two variants will be produced for each enclave: `name.enclave.so.debuggable` will have debugging enabled (meaning a debugger may be attached - the optimisation level is handled independently), while `name.enclave.so.signed` is the final debugging-disabled enclave. The produced binaries are otherwise identical.

Additionally, the `cchost` binary must be told that the enclave type is debug, via the `enclave.type` configuration option.
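As an added example (not part of the CCF docs or of the CCF project), a POSIX shell release gate that parses `oesign dump` output and refuses to ship an enclave that still reports debugging enabled. It assumes the dump lists properties as `name=value` lines under `=== SGX Enclave Properties:`, including a `debug` line; the sample dumps below are constructed.

```shell
#!/bin/sh
# Added example, not from the CCF docs: refuse to deploy an enclave whose
# `oesign dump` output still reports debugging enabled (Debug=1 at signing).
# Assumption: the dump prints "debug=<0|1>" under "=== SGX Enclave Properties:".

# Print the value of one property (e.g. debug, product_id) from dump text.
# Usage: enclave_prop "<dump text>" <name>; fails if the property is absent.
enclave_prop() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^=== SGX Enclave Properties:/ { inprops = 1; next }
        inprops && index($0, key "=") == 1 {
            print substr($0, length(key) + 2); found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# Succeed only when the enclave is a production (non-debug) build.
enclave_is_release() {
    [ "$(enclave_prop "$1" debug)" = "0" ]
}

# Run the real tool against a signed image and apply the gate.
# oesign path as used on this page; adjust for your install.
check_signed_enclave() {
    dump=$(/opt/openenclave/bin/oesign dump --enclave-image "$1") || return 2
    if enclave_is_release "$dump"; then
        echo "OK: $1 reports debug=0, safe to register as a code version"
    else
        echo "REFUSED: $1 is a debuggable enclave, do not deploy" >&2
        return 1
    fi
}

# Constructed sample dumps (placeholder values, not real measurements).
DEBUG_DUMP='=== Entry point:
name=_start

=== SGX Enclave Properties:
product_id=1
security_version=1
debug=1'

RELEASE_DUMP='=== Entry point:
name=_start

=== SGX Enclave Properties:
product_id=1
security_version=1
debug=0'

# Gate a real image when a path is given: ./gate.sh libjs_generic.enclave.so.signed
if [ $# -gt 0 ]; then check_signed_enclave "$1"; fi
```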