authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 12:08:03 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 12:08:18 +0000
commit5da14042f70711ea5cf66e034699730335462f66 (patch)
tree0f6354ccac934ed87a2d555f45be4c831cf92f4a /src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra
parentReleasing debian version 1.44.3-2. (diff)
Merging upstream version 1.45.3+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra')
-rw-r--r--src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/CMakeLists.txt78
-rw-r--r--src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/README.md203
-rw-r--r--src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/CMakeLists.txt38
-rw-r--r--src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/main.c117
4 files changed, 436 insertions, 0 deletions
diff --git a/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/CMakeLists.txt b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/CMakeLists.txt
new file mode 100644
index 000000000..7ab552248
--- /dev/null
+++ b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/CMakeLists.txt
@@ -0,0 +1,78 @@
+# Copyright (c) 2022 Intel Corporation
+# Copyright (c) 2020-2021 Alibaba Cloud
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+cmake_minimum_required(VERSION 3.1.4)
+project(sgx-ra)
+
+################ runtime settings ##############
+set (WAMR_BUILD_PLATFORM "linux-sgx")
+
+# Reset default linker flags
+set (CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
+set (CMAKE_SHARED_LIBRARY_LINK_CXX_FLAGS "")
+
+# Set WAMR_BUILD_TARGET
+if (NOT DEFINED WAMR_BUILD_TARGET)
+ if (CMAKE_SIZEOF_VOID_P EQUAL 8)
+ # Build as X86_64 by default in 64-bit platform
+ set (WAMR_BUILD_TARGET "X86_64")
+ elseif (CMAKE_SIZEOF_VOID_P EQUAL 4)
+ # Build as X86_32 by default in 32-bit platform
+ set (WAMR_BUILD_TARGET "X86_32")
+ else ()
+ message(SEND_ERROR "Unsupported build target platform!")
+ endif ()
+endif ()
+
+if (NOT CMAKE_BUILD_TYPE)
+ set (CMAKE_BUILD_TYPE Release)
+endif ()
+
+set (WAMR_BUILD_INTERP 1)
+set (WAMR_BUILD_AOT 1)
+set (WAMR_BUILD_JIT 0)
+set (WAMR_BUILD_LIBC_BUILTIN 1)
+set (WAMR_BUILD_LIBC_WASI 1)
+set (WAMR_BUILD_LIB_PTHREAD 1)
+set (WAMR_BUILD_FAST_INTERP 1)
+set (WAMR_BUILD_LIB_RATS 1)
+
+# compiling and linking flags
+set (CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--gc-sections")
+set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu11 -ffunction-sections -fdata-sections \
+ -Wall -Wno-unused-parameter -Wno-pedantic \
+ -nostdinc -fvisibility=hidden -fpie" )
+
+# build out vmlib
+set (WAMR_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
+set (SGX_PLATFORM_DIR ${WAMR_ROOT_DIR}/product-mini/platforms/linux-sgx)
+include (${WAMR_ROOT_DIR}/build-scripts/runtime_lib.cmake)
+
+add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
+
+add_custom_command (
+ OUTPUT libvmlib_untrusted.a
+ COMMAND mkdir -p untrusted && cd untrusted &&
+ ${CMAKE_C_COMPILER} -c ${PLATFORM_SHARED_SOURCE_UNTRUSTED}
+ COMMAND ${CMAKE_AR} rc libvmlib_untrusted.a untrusted/*.o)
+
+add_custom_target (vmlib_untrusted ALL DEPENDS libvmlib_untrusted.a)
+
+execute_process (
+ COMMAND bash -c "sed -i -E 's/^#define WASM_ENABLE_LIB_RATS 0/#define WASM_ENABLE_LIB_RATS 1/g' ${SGX_PLATFORM_DIR}/enclave-sample/Enclave/Enclave.edl"
+ COMMAND bash -c "sed -i -E 's/^WAMR_BUILD_LIB_RATS = 0/WAMR_BUILD_LIB_RATS = 1/g' ${SGX_PLATFORM_DIR}/enclave-sample/Makefile"
+ OUTPUT_VARIABLE cmdOutput
+)
+
+################ wamr runtime ###################
+add_custom_target (
+ iwasm ALL
+ DEPENDS vmlib_untrusted vmlib_untrusted vmlib
+ COMMAND make -C ${SGX_PLATFORM_DIR}/enclave-sample SGX_MODE=HW SGX_DEBUG=1 VMLIB_BUILD_DIR=${CMAKE_BINARY_DIR}
+ COMMAND ${CMAKE_COMMAND} -E copy ${SGX_PLATFORM_DIR}/enclave-sample/enclave.signed.so ${CMAKE_BINARY_DIR}
+ COMMAND ${CMAKE_COMMAND} -E copy ${SGX_PLATFORM_DIR}/enclave-sample/iwasm ${CMAKE_BINARY_DIR}
+ COMMAND make -C ${SGX_PLATFORM_DIR}/enclave-sample clean)
+
+################ wasm application ###############
+add_subdirectory(wasm-app)
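Review bot: The `iwasm` target passes `SGX_MODE=HW SGX_DEBUG=1` to the enclave-sample make unconditionally, even though `CMAKE_BUILD_TYPE` defaults to Release a few lines earlier, so the sample presumably always produces a debug enclave. A debug enclave can be inspected by a host debugger, so evidence from it shows that the attestation flow works but should not be read as proof of confidentiality; a verifier would want to check the debug bit in the attributes the app prints. I would make this visible with a comment above the target such as `# NOTE: SGX_DEBUG=1 builds a debug enclave; for demonstration only.` Separately, the `execute_process` block rewrites `Enclave.edl` and the enclave-sample `Makefile` in the source tree with `sed -i` at configure time and never restores them, which silently changes that shared sample for every later build.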
diff --git a/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/README.md b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/README.md
new file mode 100644
index 000000000..39a2f2d9c
--- /dev/null
+++ b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/README.md
@@ -0,0 +1,203 @@
+"sgx-ra" sample introduction
+==============
+
+This sample demonstrates how to execute Remote Attestation on SGX with [librats](https://github.com/inclavare-containers/librats) and run it with iwasm. It can only build on [SGX supported processors](https://www.intel.com/content/www/us/en/support/articles/000028173/processors.html), please check it.
+
+## Preparation
+
+SGX-RA requires to have installed:
+ - the WASI-SDK, located in `/opt/wasi-sdk`
+ - CMake >= 3.11, which is not provided on Ubuntu 18.04 (use [Kitware APT Repository](https://apt.kitware.com/))
+
+### Intel SGX dependencies
+
+Before starting, we need to download and install [SGX SDK](https://download.01.org/intel-sgx/latest/linux-latest/distro) and [SGX DCAP Library](https://download.01.org/intel-sgx/latest/dcap-latest) referring to this [guide](https://download.01.org/intel-sgx/sgx-dcap/1.8/linux/docs/Intel_SGX_DCAP_Linux_SW_Installation_Guide.pdf).
+
+The following commands are an example of the SGX environment installation on Ubuntu 18.04.
+``` shell
+# Set your platform, you can get the platforms list on
+# https://download.01.org/intel-sgx/latest/linux-latest/distro
+$ cd $HOME
+$ SGX_PLATFORM=ubuntu18.04-server
+$ SGX_SDK_VERSION=2.17.100.3
+$ SGX_DRIVER_VERSION=1.41
+
+# install the dependencies
+$ sudo apt-get update
+$ sudo apt-get install -y dkms
+
+# install SGX Driver
+$ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PLATFORM/sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+$ chmod +x sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+$ sudo ./sgx_linux_x64_driver_$SGX_DRIVER_VERSION.bin
+
+# install SGX SDK
+$ wget https://download.01.org/intel-sgx/latest/linux-latest/distro/$SGX_PLATFORM/sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ chmod +x sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+$ sudo ./sgx_linux_x64_sdk_$SGX_SDK_VERSION.bin
+
+# install SGX DCAP Library
+$ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list > /dev/null
+$ wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+$ sudo apt-get update
+$ sudo apt-get install -y libsgx-uae-service libsgx-dcap-default-qpl-dev libsgx-dcap-ql-dev libsgx-dcap-quote-verify-dev
+
+# install SGX SSL Library
+$ git clone https://github.com/intel/linux-sgx.git
+$ cd linux-sgx && make preparation
+$ sudo cp external/toolset/{current_distr}/* /usr/local/bin
+$ # Verify that the paths are correctly set
+$ which ar as ld objcopy objdump ranlib
+$ cd ../
+$ git clone https://github.com/intel/intel-sgx-ssl.git
+$ wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz
+$ cp openssl-1.1.1q.tar.gz intel-sgx-ssl/openssl_source
+$ rm -f openssl-1.1.1q.tar.gz
+$ cd intel-sgx-ssl/Linux
+$ source /opt/intel/sgxsdk/environment
+$ make all
+$ sudo make install
+```
+
+You can optionally grant users to communicate with the SDK platform using the following command.
+Otherwise, enclaves must be launched with root privileges.
+
+```shell
+sudo usermod -a -G sgx_prv <username>
+```
+
+### Intel Provisioning Certification Service (Intel PCS)
+
+Intel DCAP connects to Intel PCS to download the attestation collateral for SGX-enabled machines.
+Intel provides a [quick install guide](https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html) to set up a simplified environment.
+This section summarizes the commands to issue for setting up a working environment on Ubuntu 18.04.
+
+### Subscribe to Intel PCS Web services
+
+Intel SGX DCAP requires a complimentary subscription to the Intel PCS.
+To subscribe to the service, browse the [Intel SGX Software Services](https://api.portal.trustedservices.intel.com/) page.
+A the end of the subscription process, save the primary and the secondary keys.
+
+### Set up the Intel Provisioning Certification Caching Service (Intel PCCS)
+
+Intel PCCS is a caching mechanism for attestation collateral, preventing continuously communicating with Intel PCS during attestation.
+Intel provides an implementation of the cache mechanism.
+
+The following commands set up Intel PCCS.
+```shell
+# install Node.js
+$ curl -o setup.sh -sL https://deb.nodesource.com/setup_14.x
+$ chmod a+x setup.sh
+$ sudo ./setup.sh
+# install PCCS software
+$ sudo apt-get install -y cracklib-runtime sqlite3 python build-essential
+$ sudo apt-get install -y sgx-dcap-pccs
+```
+
+The installation will run the PCCS setup script, asking you several questions.
+
+```
+Do you want to configure PCCS now? (Y/N)
+```
+
+Answer "Y" to this question.
+
+```
+Set HTTPS listening port [8081] (1024-65535)
+```
+
+Accept the default listening port of 8081.
+
+```
+Set the PCCS service to accept local connections only? [Y] (Y/N)
+```
+
+Answer "N" to this question. We want the PCCS service to accept connections from other systems.
+
+```
+Set your Intel PCS API key (Press ENTER to skip)
+```
+
+Enter either your primary or secondary key retrieved from the previous subsection.
+If you already subscribed, you can retrieve them [here](https://api.portal.trustedservices.intel.com/developer).
+
+```
+Choose caching fill method : [LAZY] (LAZY/OFFLINE/REQ)
+```
+
+Answer "REQ" to this question. This places the caching service in the "on request" mode, which means it will fetch the attestation collateral for hosts as provisioning requests are received.
+
+```
+Set PCCS server administrator password:
+Re-enter administrator password:
+Set PCCS server user password:
+Re-enter user password:
+```
+
+Enter two passwords for the PCCS server.
+
+```
+Do you want to generate insecure HTTPS key and cert for PCCS service? [Y] (Y/N)
+```
+
+Answer "Y" to this question.
+
+### Provisioning a system into Intel PCCS
+
+Now that the PCCS is up and running, it's time to provision an Intel SGX-enabled platform.
+We use the tool `PCKIDRetrievalTool` to get the attestation collateral of the current machine.
+
+``` shell
+$ sudo apt-get install -y sgx-pck-id-retrieval-tool
+```
+
+Adapt the configuration file of `PCKIDRetrievalTool` located in `/opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf` and make the following changes:
+- Change the **PCCS_URL** to match your caching service's location.
+- Uncomment the **user_token** parameter, and set it to the user password you created when configuring the PCCS.
+- Set the **proxy_type** to fit your environment (most likely, this will be `direct`)
+- Ensure **USE_SECURE_CERT** is set to `FALSE` since we're using a self-signed certificate for testing purposes.
+
+Save your changes and run the provisioning tool.
+
+```shell
+$ PCKIDRetrievalTool
+Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.14.100.3
+
+the data has been sent to cache server successfully and pckid_retrieval.csv has been generated successfully!
+```
+
+You may get some warnings during this execution of the tool.
+A correct insertion into the cache server usually means the retrieval of the attestation collateral worked.
+Execute the following command to verify the collateral could be stored in your instance of Intel PCCS:
+
+```
+curl -k https://localhost:8081/sgx/certification/v3/qe/identity
+```
+
+This should print a JSON value with the attestation collateral.
+
+### Runtime configuration
+
+Edit the configuration file, `/etc/sgx_default_qcnl.conf`, and make the following changes:
+- Set the **PCCS_URL** parameter to the location of our PCCS server.
+- Set **USE_SECURE_CERT** to `FALSE` since we're using a self-signed certificate for testing purposes.
+
+This system is now ready to run Intel SGX workloads with generate evidence for remote attestation.
+
+## Build and executing the sample
+
+``` shell
+$ mkdir build && cd build
+$ cmake ..
+$ make
+$ # run the sample
+$ ./iwasm wasm-app/test.wasm
+```
+
+The sample will print the evidence in JSON and the message: *Evidence is trusted.*
+
+## Further readings
+
+- [Intel SGX Software Installation Guide For Linux OS](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf)
+- [Intel Software Guard Extensions (IntelĀ® SGX) Data Center Attestation Primitives: Library API ](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf)
+- [Remote Attestation for Multi-Package Platforms using Intel SGX Datacenter Attestation Primitives (DCAP)](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_Multipackage_SW.pdf)
diff --git a/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/CMakeLists.txt b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/CMakeLists.txt
new file mode 100644
index 000000000..afba7dfb6
--- /dev/null
+++ b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/CMakeLists.txt
@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Intel Corporation
+# Copyright (c) 2020-2021 Alibaba Cloud
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+cmake_minimum_required(VERSION 3.0)
+project(wasm-app)
+
+set (WAMR_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../../..)
+set (LIB_RATS_DIR ${WAMR_ROOT_DIR}/core/iwasm/libraries/lib-rats)
+
+set (CMAKE_C_LINK_FLAGS "")
+set (CMAKE_CXX_LINK_FLAGS "")
+if (APPLE)
+ set (HAVE_FLAG_SEARCH_PATHS_FIRST 0)
+endif ()
+
+set (CMAKE_SYSTEM_PROCESSOR wasm32)
+set (CMAKE_SYSROOT ${WAMR_ROOT_DIR}/wamr-sdk/app/libc-builtin-sysroot)
+
+if (NOT DEFINED WASI_SDK_DIR)
+ set (WASI_SDK_DIR "/opt/wasi-sdk")
+endif ()
+
+set (CMAKE_C_FLAGS "-nostdlib")
+set (CMAKE_C_COMPILER_TARGET "wasm32")
+set (CMAKE_C_COMPILER "${WASI_SDK_DIR}/bin/clang")
+
+set (CMAKE_EXE_LINKER_FLAGS
+ "-Wl,--max-memory=131072 -z stack-size=8192 \
+ -Wl,--no-entry,--strip-all \
+ -Wl,--export=__main_argc_argv \
+ -Wl,--export=__heap_base,--export=__data_end \
+ -Wl,--allow-undefined"
+)
+
+add_executable(test.wasm main.c)
+set_target_properties(test.wasm PROPERTIES INCLUDE_DIRECTORIES ${LIB_RATS_DIR})
+target_link_libraries(test.wasm)
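Review bot: `-Wl,--allow-undefined` in `CMAKE_EXE_LINKER_FLAGS` turns every unresolved symbol into a host import, so a misspelled or missing function in `main.c` links cleanly and only fails when the module is instantiated. wasm-ld also accepts `--allow-undefined-file=<path>`, which limits this to a listed set of imports; something like `-Wl,--allow-undefined-file=${CMAKE_CURRENT_SOURCE_DIR}/<imports-list-file>` (placeholder file name) naming the librats functions the app calls would keep the link-time check for everything else. Also note that `CMAKE_C_COMPILER` is set after `project(wasm-app)`, which CMake does not reliably support; a toolchain file is the usual way to select the WASI SDK clang.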
diff --git a/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/main.c b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/main.c
new file mode 100644
index 000000000..89c4144aa
--- /dev/null
+++ b/src/fluent-bit/lib/wasm-micro-runtime-WAMR-1.2.2/samples/sgx-ra/wasm-app/main.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2022 Intel Corporation
+ * Copyright (c) 2020-2021 Alibaba Cloud
+ *
+ * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "lib_rats_wrapper.h"
+
+#define __is_print(ch) ((unsigned int)((ch) - ' ') < 127u - ' ')
+
+/**
+ * hex_dump
+ *
+ * @brief dump data in hex format
+ *
+ * @param title: Title
+ * @param buf: User buffer
+ * @param size: Dump data size
+ * @param number: The number of outputs per line
+ *
+ * @return void
+ */
+void
+hex_dump(const char *title, const uint8_t *buf, uint32_t size, uint32_t number)
+{
+ int i, j;
+ if (title) {
+ printf("\n\t%s:\n\n", title);
+ }
+
+ for (i = 0; i < size; i += number) {
+ printf("%08X: ", i);
+
+ for (j = 0; j < number; j++) {
+ if (j % 8 == 0) {
+ printf(" ");
+ }
+ if (i + j < size)
+ printf("%02X ", buf[i + j]);
+ else
+ printf(" ");
+ }
+ printf(" ");
+
+ for (j = 0; j < number; j++) {
+ if (i + j < size) {
+ printf("%c", __is_print(buf[i + j]) ? buf[i + j] : '.');
+ }
+ }
+ printf("\n");
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ int ret_code = -1;
+ char *evidence_json = NULL;
+
+ // Generate user_data by SHA256 buffer and the wasm module.
+ // user_data = SHA256(sha256_wasm_module || buffer)
+ const char *buffer = "This is a sample.";
+
+ // If you want to declare the evidence of type rats_sgx_evidence_t on the
+ // stack, you should modify the stack size of the CMAKE_EXE_LINKER_FLAGS in
+ // CMakeLists.txt to 51200 at least.
+ rats_sgx_evidence_t *evidence =
+ (rats_sgx_evidence_t *)malloc(sizeof(rats_sgx_evidence_t));
+ if (!evidence) {
+ printf("ERROR: No memory to allocate.\n");
+ goto err;
+ }
+
+ int rats_err = librats_collect(&evidence_json, buffer);
+ if (rats_err != 0) {
+ printf("ERROR: Collect evidence failed, error code: %#x\n", rats_err);
+ goto err;
+ }
+
+ if (librats_parse_evidence(evidence_json, evidence) != 0) {
+ printf("ERROR: Parse evidence failed.\n");
+ goto err;
+ }
+
+ // You could use these parameters for further verification.
+ hex_dump("Quote", evidence->quote, evidence->quote_size, 32);
+ hex_dump("User Data", evidence->user_data, SGX_USER_DATA_SIZE, 32);
+ hex_dump("MRENCLAVE", evidence->mr_enclave, SGX_MEASUREMENT_SIZE, 32);
+ hex_dump("MRSIGNER", evidence->mr_signer, SGX_MEASUREMENT_SIZE, 32);
+ printf("\n\tProduct ID:\t\t%u\n", evidence->product_id);
+ printf("\tSecurity Version:\t%u\n", evidence->security_version);
+ printf("\tAttributes.flags:\t%llu\n", evidence->att_flags);
+ printf("\tAttribute.xfrm:\t\t%llu\n", evidence->att_xfrm);
+
+ rats_err = librats_verify((const char *)evidence_json, evidence->user_data);
+ if (rats_err != 0) {
+ printf("ERROR: Evidence is not trusted, error code: %#x.\n", rats_err);
+ goto err;
+ }
+
+ ret_code = 0;
+ printf("Evidence is trusted.\n");
+
+err:
+ if (evidence_json) {
+ free(evidence_json);
+ }
+
+ if (evidence) {
+ free(evidence);
+ }
+
+ return ret_code;
+}
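Review bot: `librats_verify` in `main` is given `evidence->user_data`, the value parsed out of the same evidence it is verifying, so as far as these lines show the check cannot detect evidence bound to a different buffer or module. The comment above says `user_data = SHA256(sha256_wasm_module || buffer)`; a relying party should recompute that value independently (ideally over a fresh nonce) and pass its own result. For the sample, a comment before the call would do: `// NOTE: demo only; a real verifier must pass its own expected user_data, not the one from the evidence.` Also, `evidence->quote_size` comes from the parsed JSON and is used as the dump length before verification; unless `librats_parse_evidence` bounds it to the quote buffer (not visible here), `hex_dump` could read past it.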