### Install EGo using Snap Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/getting-started/install.md Installs EGo using the snap package manager. This is the simplest installation method. It requires sudo privileges. Additionally, it notes the dependency on `gcc` and `libcrypto`, providing commands to install them on Ubuntu. ```bash sudo snap install ego-dev --classic ``` ```bash sudo apt install build-essential libssl-dev ``` -------------------------------- ### Install EGo using DEB package on Ubuntu Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/getting-started/install.md Installs EGo using a DEB package for Ubuntu versions 20.04, 22.04, and 24.04. This method involves adding an Intel SGX repository, updating package lists, downloading the DEB file, and installing it along with necessary build tools. ```bash sudo mkdir -p /etc/apt/keyrings wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null echo "deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list sudo apt update EGO_DEB=ego_1.8.0_amd64_ubuntu-$(lsb_release -rs).deb wget https://github.com/edgelesssys/ego/releases/download/v1.8.0/$EGO_DEB sudo apt install ./$EGO_DEB build-essential libssl-dev ``` -------------------------------- ### Build and Run Server using EGo CLI Source: https://github.com/edgelesssys/ego/blob/master/samples/attested_tls/README.md Commands to build, sign, and run the EGo server. Requires the EGo toolchain to be installed and configured. ```shell ego-go build ego sign server ego run server ``` -------------------------------- ### Build, Sign, and Run SGX Enclaves with EGo CLI Source: https://context7.com/edgelesssys/ego/llms.txt This snippet demonstrates how to use the EGo CLI tools to build an enclave-compatible executable, sign it with an enclave configuration, and run the signed enclave. It also shows an example enclave.json configuration file. ```bash # Build an enclave-compatible executable ego-go build -o myapp main.go # Sign the executable with an enclave configuration # This generates enclave.json if it doesn't exist ego sign myapp # Run the signed enclave ego run myapp # Example enclave.json configuration cat > enclave.json << 'EOF' { "exe": "myapp", "key": "private.pem", "debug": true, "heapSize": 512, "productID": 1, "securityVersion": 1 } EOF # Sign with custom configuration ego sign enclave.json # Expected output: Creates myapp.signed executable and private.pem/public.pem keys ``` -------------------------------- ### Build EGo from Source Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/getting-started/install.md Builds EGo from source code. This method requires Edgeless RT to be installed and sourced as a prerequisite. It involves creating a build directory, configuring the build with CMake, and then compiling and installing the project. ```bash mkdir build cd build cmake .. make make install ``` -------------------------------- ### Build, Sign, and Run EGo Apps (Bash) Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/intro.md This snippet demonstrates the basic workflow for building, signing, and running an application using the EGo framework. It assumes you have the EGo tools installed and available in your PATH. The commands compile the Go application, sign the resulting enclave binary, and then execute it. ```bash ego-go build myapp.go ego sign myapp ego run myapp ``` -------------------------------- ### Ego Enclave Configuration Example (JSON) Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/reference/config.md An example JSON configuration file for an Ego enclave. This file defines various settings including the executable name, private key, debug mode, heap size, product ID, security version, custom mount points (hostfs and memfs), and environment variables. ```json { "exe": "helloworld", "key": "private.pem", "debug": true, "heapSize": 512, "executableHeap": false, "productID": 1, "securityVersion": 1, "mounts": [ { "source": "/home/user", "target": "/data", "type": "hostfs", "readOnly": false }, { "target": "/tmp", "type": "memfs" } ], "env": [ { "name": "LANG", "fromHost": true }, { "name": "PWD", "value": "/data" } ], "files": [ { "source": "some_datafile", "target": "/some/path/to/datafile" }, { "source": "/etc/ssl/certs/ca-certificates.crt", "target": "/etc/ssl/certs/ca-certificates.crt" } ] } ``` -------------------------------- ### Build Client with EGo Snap Source: https://github.com/edgelesssys/ego/blob/master/samples/attested_tls/README.md Builds the client application when EGo is installed via a snap package. It sets the `EGOPATH` environment variable to point to the snap's EGo installation directory. ```shell EGOPATH=/snap/ego-dev/current/opt/ego CGO_CFLAGS=-I$EGOPATH/include CGO_LDFLAGS=-L$EGOPATH/lib go build ra_client/client.go ``` -------------------------------- ### Run Vault Server Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Starts the Vault server in development mode using the `ego run` command. This command includes flags for disabling token storage and setting a root token. ```sh ego run vault server -dev -dev-no-store-token -dev-root-token-id mytoken ``` -------------------------------- ### Install Ego Binaries and Enclaves Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Installs the ego enclave, binaries (ego-gdb, ego-go, ego), and related files to specified destinations. It also installs host and signature verification tools from OpenEnclave. ```cmake install(TARGETS ego-enclave DESTINATION ${CMAKE_INSTALL_DATADIR}) install( PROGRAMS src/ego-gdb src/ego-go ${CMAKE_BINARY_DIR}/ego DESTINATION ${CMAKE_INSTALL_BINDIR}) install(FILES ${CMAKE_BINARY_DIR}/ego-bundle DESTINATION ${CMAKE_INSTALL_DATADIR}) install( PROGRAMS ${OpenEnclave_DIR}/../../../bin/erthost RENAME ego-host DESTINATION ${CMAKE_INSTALL_BINDIR}) install( PROGRAMS ${OpenEnclave_DIR}/../../../bin/oesign RENAME ego-oesign DESTINATION ${CMAKE_INSTALL_BINDIR}) install(FILES ${OpenEnclave_DIR}/../host/liboehostverify.a DESTINATION ${CMAKE_INSTALL_LIBDIR}) install(FILES ${OpenEnclave_DIR}/../../../include/openenclave/host_verify.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave) install(FILES ${OpenEnclave_DIR}/../../../include/openenclave/attestation/verifier.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/attestation) install( FILES ${OpenEnclave_DIR}/../../../include/openenclave/bits/defs.h ${OpenEnclave_DIR}/../../../include/openenclave/bits/evidence.h ${OpenEnclave_DIR}/../../../include/openenclave/bits/report.h ${OpenEnclave_DIR}/../../../include/openenclave/bits/result.h ${OpenEnclave_DIR}/../../../include/openenclave/bits/types.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}/openenclave/bits) install(DIRECTORY ${OpenEnclave_DIR}/../debugger DESTINATION ${CMAKE_INSTALL_LIBDIR}/openenclave) install(DIRECTORY _ertgo/ DESTINATION go USE_SOURCE_PERMISSIONS) ``` -------------------------------- ### Conditional Installation for /opt/ego Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Installs symlinks and bash completion files to /usr/local/bin and /etc/bash_completion.d respectively, specifically when the CMAKE_INSTALL_PREFIX is set to /opt/ego. ```cmake if(CMAKE_INSTALL_PREFIX STREQUAL /opt/ego) install( FILES src/symlinks/ego src/symlinks/ego-gdb src/symlinks/ego-go DESTINATION /usr/local/bin) install(FILES ${CMAKE_BINARY_DIR}/ego_completion DESTINATION /${CMAKE_INSTALL_SYSCONFDIR}/bash_completion.d) endif() ``` -------------------------------- ### VS Code launch.json for EGo DEB/source build debugging Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/debug.md This JSON configuration enables debugging of an EGo application within Visual Studio Code when installed via a DEB package or built from source. It correctly points to the ego-host and ego-gdb executables in the standard installation path and configures signal handling. ```json { "version": "0.2.0", "configurations": [ { "name": "(gdb) Launch", "type": "cppdbg", "request": "launch", "program": "/opt/ego/bin/ego-host", "args": [ "/opt/ego/share/ego-enclave:samples/helloworld/helloworld", "arg1", "arg2" ], "cwd": "${workspaceFolder}", "environment": [], "MIMode": "gdb", "miDebuggerPath": "/opt/ego/bin/ego-gdb", "setupCommands": [ { "description": "Enable pretty-printing for gdb", "text": "-enable-pretty-printing", "ignoreFailures": true }, { "text": "handle SIGILL nostop" } ] } ] } ``` -------------------------------- ### Basic CMake Configuration and Build Type Setup Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Sets the minimum CMake version, project name, and version. It also ensures a CMAKE_BUILD_TYPE is set, defaulting to Debug if not specified. Debug builds disable optimizations for better debugging with gdb. ```cmake cmake_minimum_required(VERSION 3.11) project(ego VERSION 1.8.0) if(NOT CMAKE_BUILD_TYPE) set(CMAKE_BUILD_TYPE Debug) endif() if(CMAKE_BUILD_TYPE STREQUAL Debug) # disable optimizations to improve debugging with gdb set(PREMAIN_DEBUG_FLAGS -gcflags=all='-N -l') else() set(TRIMPATH -trimpath) endif() if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) set(CMAKE_INSTALL_PREFIX /opt/ego CACHE PATH "" FORCE) endif() ``` -------------------------------- ### CXX Standard and Compiler Options Setup Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Configures the C++ standard to C++17 and requires it to be strictly enforced. It also disables C++ extensions and adds common compiler warnings for better code quality and error detection. Optionally configures clang-tidy if the TIDY variable is set. ```cmake set(CMAKE_CXX_STANDARD 17) set(CMAKE_CXX_STANDARD_REQUIRED ON) set(CMAKE_CXX_EXTENSIONS OFF) add_compile_options(-Wall -Wextra -pedantic -Werror) if(TIDY) set(CMAKE_CXX_CLANG_TIDY clang-tidy-11) endif() ``` -------------------------------- ### Manage AKS Cluster Lifecycle with Azure CLI Source: https://github.com/edgelesssys/ego/blob/master/samples/aks/README.md Commands to start and stop an Azure Kubernetes Service (AKS) cluster using the Azure CLI. These operations help manage costs and availability. ```shell az aks start --name myAKSCluster --resource-group myResourceGroup az aks stop --name myAKSCluster --resource-group myResourceGroup ``` -------------------------------- ### VS Code launch.json for EGo snap debugging Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/debug.md This JSON configuration sets up the Visual Studio Code debugger to attach to an EGo application run via the snap installation. It specifies the debugger path, program arguments, and environment variables, including handling SIGILL signals. This is suitable for debugging within an enclave. ```json { "version": "0.2.0", "configurations": [ { "name": "(gdb) Launch", "type": "cppdbg", "request": "launch", "program": "/snap/ego-dev/current/opt/ego/bin/ego-host", "args": [ "/snap/ego-dev/current/opt/ego/share/ego-enclave:samples/helloworld/helloworld", "arg1", "arg2" ], "cwd": "${workspaceFolder}", "environment": [ { "name": "LD_LIBRARY_PATH", "value": "/snap/ego-dev/current/usr/lib/x86_64-linux-gnu" } ], "MIMode": "gdb", "miDebuggerPath": "/snap/ego-dev/current/opt/ego/bin/ego-gdb", "setupCommands": [ { "description": "Enable pretty-printing for gdb", "text": "-enable-pretty-printing", "ignoreFailures": true }, { "text": "handle SIGILL nostop" } ] } ] } ``` -------------------------------- ### Get Enclave Self-Report (Go) Source: https://context7.com/edgelesssys/ego/llms.txt Retrieves a report detailing the current enclave's properties, including its UniqueID (MRENCLAVE), SignerID (MRSIGNER), ProductID, SecurityVersion, and debug mode status. This functionality uses the enclave package and is useful for logging or client verification. ```go package main import ( "encoding/hex" "fmt" "github.com/edgelesssys/ego/enclave" ) func main() { // Get a report of this enclave report, err := enclave.GetSelfReport() if err != nil { panic(err) } // Display enclave properties fmt.Println("=== Enclave Self-Report ===") fmt.Printf("UniqueID (MRENCLAVE): %s\n", hex.EncodeToString(report.UniqueID)) fmt.Printf("SignerID (MRSIGNER): %s\n", hex.EncodeToString(report.SignerID)) fmt.Printf("ProductID: %s\n", hex.EncodeToString(report.ProductID)) fmt.Printf("SecurityVersion: %d\n", report.SecurityVersion) fmt.Printf("Debug Mode: %v\n", report.Debug) fmt.Printf("TCB Status: %v\n", report.TCBStatus) // Use self-report for logging or configuration if report.Debug { fmt.Println("\n⚠️ WARNING: Running in debug mode - not for production!") } // The SignerID can be used by clients to verify enclaves fmt.Printf("\nShare this SignerID with clients:\n%s\n", hex.EncodeToString(report.SignerID)) } ``` -------------------------------- ### Build, Sign, and Run EGo Application Source: https://github.com/edgelesssys/ego/blob/master/samples/embedded_file/README.md Command-line instructions to build the EGo application, sign it to create an enclave, and then run the enclave. This sequence is essential for deploying and testing applications that utilize EGo features like embedded files. ```sh ego-go build ego sign ego run embedded_file ``` -------------------------------- ### Build and Run Server and Client Source: https://github.com/edgelesssys/ego/blob/master/samples/azure_attestation/README.md Instructions for building and running the remote attestation server and client. The server is built using `ego-go build`, signed with `ego sign server`, and run with `ego run server`. The client is built with a standard Go compiler and executed with a `signerID` argument obtained via `ego signerid`. ```sh # Build and run the server: ego-go build ego sign server ego run server # Build and run the client: go build ra_client/client.go ./client -s `ego signerid public.pem` ``` -------------------------------- ### Run Executable with ego run Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/build.md Execute your signed enclave-compatible application using the `ego run` command. This command launches the application within its intended enclave environment. Replace `` with the name of your binary. ```bash ego run ``` -------------------------------- ### Sign Executable with ego sign Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/build.md Sign your built executable using the `ego sign` command. This step is necessary before running the enclave-compatible application. Replace `` with the name of your binary. ```bash ego sign ``` -------------------------------- ### Build Go App with ego-go Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/build.md Compile your Go project into an enclave-compatible executable using the `ego-go build` command. This command provides the same CLI as the original Go compiler but generates executables suitable for EGo enclaves. ```bash ego-go build ``` -------------------------------- ### Sign and Run EGo Application Source: https://github.com/edgelesssys/ego/blob/master/samples/wasmer/README.md After building the EGo application, this snippet shows the commands to sign the executable using 'ego sign' and then run the application using 'ego run'. ```shell ego sign wasmer_sample ego run wasmer_sample ``` -------------------------------- ### Download and Build Wasmer for EGo Source: https://github.com/edgelesssys/ego/blob/master/samples/wasmer/README.md This snippet downloads the Wasmer static library for Linux AMD64 and configures the Go compiler for static linking by setting CGO_CFLAGS and CGO_LDFLAGS. It then builds the EGo application with a custom Wasmer runtime tag. ```shell wget -O- https://github.com/wasmerio/wasmer/releases/download/2.2.1/wasmer-linux-amd64.tar.gz | tar xz --one-top-level=wasmer CGO_CFLAGS="-I$PWD/wasmer/include" CGO_LDFLAGS="$PWD/wasmer/lib/libwasmer.a -ldl -lm -static-libgcc" ego-go build -tags custom_wasmer_runtime ``` -------------------------------- ### Sign and run EGo application Source: https://github.com/edgelesssys/ego/blob/master/samples/wasmtime/README.md Signs the compiled EGo application and then executes it. This is a standard procedure for deploying and running applications within the EGo framework, after which the Wasmtime sample can be tested. ```shell ego sign wasmtime_sample ego run wasmtime_sample ``` -------------------------------- ### Build Vault Executable with EGo Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Builds the Vault executable using `ego-go build`. This command compiles the Go application into a native executable compatible with EGo. ```sh ego-go build -v -o bin/vault ``` -------------------------------- ### Build Client with EGo SDK Source: https://github.com/edgelesssys/ego/blob/master/samples/attested_tls/README.md Builds the client application using `ego-go` or a standard Go compiler, specifying EGo SDK include and library paths. This is necessary for integrating with the EGo enclave's security features. ```shell CGO_CFLAGS=-I/opt/ego/include CGO_LDFLAGS=-L/opt/ego/lib go build ra_client/client.go ``` -------------------------------- ### Build EGo application with Wasmtime Source: https://github.com/edgelesssys/ego/blob/master/samples/wasmtime/README.md Compiles the EGo application, instructing the Go compiler to link against the previously built Wasmtime static library. This step ensures that the application can utilize the Wasmtime runtime with the correct syscall configurations. ```shell CGO_LDFLAGS=wasmtime/target/release/libwasmtime.a ego-go build ``` -------------------------------- ### Build Vault with Make in EGo Env Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Builds the Vault executable using `make` command within the `ego env`. This is an alternative method to `ego-go build` for compiling the application. ```sh ego env make ``` -------------------------------- ### Build Wasmtime with libc backend Source: https://github.com/edgelesssys/ego/blob/master/samples/wasmtime/README.md Builds the Wasmtime library with the libc backend support, which is required for EGo's syscall compatibility. This command clones the Wasmtime repository, checks out a specific version, updates submodules, and then compiles the C-API library using Rust flags to enable the libc configuration. ```shell git clone -bv15.0.1 --depth=1 https://github.com/bytecodealliance/wasmtime cd wasmtime git submodule update --init --depth=1 RUSTFLAGS=--cfg=rustix_use_libc cargo build --release -p wasmtime-c-api cd .. ``` -------------------------------- ### Simulate Enclave with OE_SIMULATION Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/build.md Set the `OE_SIMULATION=1` environment variable to simulate the enclave environment. This is useful for development and testing on hardware that does not natively support enclaves. ```bash export OE_SIMULATION=1 ``` -------------------------------- ### Build and Sign Test Marble Executable Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Builds the 'test-marble' executable using ertgo and signs it with 'oesign'. This process requires the ego-enclave, a private key, and specific configuration files. ```cmake add_custom_command( OUTPUT test-marble DEPENDS ego-enclave test_private.pem ego/cmd/test-marble/enclave.conf ego/cmd/test-marble/main.go ego/test/t.go COMMAND ${CMAKE_COMMAND} -E env GOROOT=${CMAKE_SOURCE_DIR}/_ertgo ${CMAKE_SOURCE_DIR}/_ertgo/bin/go build -o ${CMAKE_BINARY_DIR} COMMAND oesign sign -e ${CMAKE_BINARY_DIR}/ego-enclave -c ${CMAKE_SOURCE_DIR}/ego/cmd/test-marble/enclave.conf -k ${CMAKE_BINARY_DIR}/test_private.pem --payload ${CMAKE_BINARY_DIR}/test-marble WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego/cmd/test-marble) ``` -------------------------------- ### Configure and Sign Ego Enclave with Open Enclave Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/reference/config.md This snippet demonstrates how to configure an Ego enclave using a custom 'enclave.conf' file and then sign it using the 'ego sign' and 'ego-oesign' commands. It requires an 'enclave.conf' file, a private key, and the payload to be signed. The output is a signed enclave ready for deployment. ```bash cat < enclave.conf Debug=1 NumHeapPages=131072 NumStackPages=1024 NumTCS=32 ProductID=1 SecurityVersion=1 EOF /opt/ego/bin/ego-oesign sign -e /opt/ego/share/ego-enclave -c enclave.conf -k private.pem --payload helloworld ``` -------------------------------- ### Create Attested TLS Server Configuration Source: https://context7.com/edgelesssys/ego/llms.txt Creates a TLS server configuration with an embedded attestation report in the certificate. This enables secure communication where the server's identity and enclave integrity can be verified by clients. It sets up an HTTPS server that listens for incoming connections. ```go package main import ( "fmt" "net/http" "github.com/edgelesssys/ego/enclave" ) func main() { // Create TLS config with self-signed certificate and embedded report tlsCfg, err := enclave.CreateAttestationServerTLSConfig() if err != nil { panic(err) } // Create HTTP handlers http.HandleFunc("/secret", func(w http.ResponseWriter, r *http.Request) { secret := r.URL.Query().Get("s") fmt.Printf("Received secret from %s: %s\n", r.RemoteAddr, secret) w.WriteHeader(http.StatusOK) fmt.Fprintf(w, "Secret received securely") }) http.HandleFunc("/data", func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") fmt.Fprintf(w, `{"status": "secure", "enclave": "running"}`) }) // Create HTTPS server with attestation server := http.Server{ Addr: "0.0.0.0:8080", TLSConfig: tlsCfg, } fmt.Println("Attested TLS server listening on :8080") if err := server.ListenAndServeTLS("", ""); err != nil { fmt.Printf("Server error: %v\n", err) } } ``` -------------------------------- ### Create Attested TLS Client Configuration Source: https://context7.com/edgelesssys/ego/llms.txt Creates a TLS client configuration that verifies attestation reports embedded in server certificates. This client ensures that the server it connects to is running in a genuine enclave and meets specified security criteria. It uses a callback function to validate the attestation report details. ```go package main import ( "bytes" "crypto/tls" "encoding/binary" "encoding/hex" "errors" "fmt" "io/ioutil" "net/http" "github.com/edgelesssys/ego/attestation" "github.com/edgelesssys/ego/eclient" ) func main() { // Expected signer ID (MRSIGNER value from the enclave) expectedSigner, _ := hex.DecodeString("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a") // Create TLS config that verifies attestation reports tlsConfig := eclient.CreateAttestationClientTLSConfig( func(report attestation.Report) error { // Verify the enclave properties if report.SecurityVersion < 2 { return errors.New("security version too low") } // Check product ID (little-endian encoded) productID := binary.LittleEndian.Uint16(report.ProductID) if productID != 1234 { return fmt.Errorf("invalid product ID: %d", productID) } // Verify signer identity if !bytes.Equal(report.SignerID, expectedSigner) { return errors.New("untrusted signer") } // Production: ensure debug mode is disabled if report.Debug { return errors.New("debug enclave not allowed in production") } fmt.Println("Attestation verification successful") return nil }, ) // Create HTTP client with attestation verification client := http.Client{ Transport: &http.Transport{TLSClientConfig: tlsConfig}, } // Make secure request resp, err := client.Get("https://localhost:8080/secret?s=mySecretData") if err != nil { panic(err) } defer resp.Body.Close() body, _ := ioutil.ReadAll(resp.Body) fmt.Printf("Response: %s\n", string(body)) fmt.Println("Data transmitted over attested TLS channel") } ``` -------------------------------- ### Sign Vault Executable Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Signs the compiled Vault executable using the `ego sign` command. Signing is a required step before running the executable. ```sh cd bin ego sign vault ``` -------------------------------- ### Build and Sign Concurrency Test Executable Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Builds the 'concurrency-test' executable using ertgo and signs it with 'oesign' using a provided private key and enclave configuration. It depends on the ego-enclave and a generated private key. ```cmake add_custom_command( OUTPUT concurrency-test DEPENDS ego-enclave test_private.pem ego/cmd/concurrency-test/enclave.conf ego/cmd/concurrency-test/main.go COMMAND ${CMAKE_COMMAND} -E env GOROOT=${CMAKE_SOURCE_DIR}/_ertgo ${CMAKE_SOURCE_DIR}/_ertgo/bin/go build -o ${CMAKE_BINARY_DIR} COMMAND oesign sign -e ${CMAKE_BINARY_DIR}/ego-enclave -c ${CMAKE_SOURCE_DIR}/ego/cmd/concurrency-test/enclave.conf -k ${CMAKE_BINARY_DIR}/test_private.pem --payload ${CMAKE_BINARY_DIR}/concurrency-test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego/cmd/concurrency-test) ``` -------------------------------- ### Interact with Vault KV Store Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Demonstrates interacting with the Vault Key-Value (KV) store using the Vault CLI. It includes putting data into a secret and retrieving it. ```sh ./vault kv put secret/hello foo=world ./vault kv get secret/hello ``` -------------------------------- ### Building Premain Archive for Enclave Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Defines a custom command to build the premain archive using 'ertgo'. This command depends on specific Go files and runs when the 'premain.a' output is needed. It passes build flags like trimpath and debug flags. ```cmake add_custom_command( OUTPUT premain.a DEPENDS ego/premain/main.go ego/premain/core/core.go COMMAND ertgo build -buildmode=c-archive -o ${CMAKE_BINARY_DIR} ${TRIMPATH} ${PREMAIN_DEBUG_FLAGS} WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego/premain) add_custom_target(premainbuild DEPENDS premain.a) ``` -------------------------------- ### Build and Push Docker Image for EGo App Source: https://github.com/edgelesssys/ego/blob/master/samples/aks/README.md Generates a signing key and builds a Docker image for the EGo sample application. This image can then be pushed to a container registry for deployment. ```shell openssl genrsa -out private.pem -3 3072 openssl rsa -in private.pem -pubout -out public.pem docker buildx build --secret id=signingkey,src=private.pem --tag ghcr.io/OWNER/ego-sample . docker push ghcr.io/OWNER/ego-sample ``` -------------------------------- ### Run EGo app with ego-gdb console interface Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/workflows/debug.md This command launches the EGo host process with the specified arguments using the ego-gdb debugger. It's used for interactive debugging directly from the terminal. Ensure your application is compiled with `-gcflags=all='-N -l'` for optimal debugging. ```bash ego-gdb --args ./helloworld ``` -------------------------------- ### Set Vault Environment Variables Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Exports necessary environment variables for the Vault client to connect to the running Vault server. `VAULT_ADDR` specifies the server address, and `VAULT_TOKEN` provides authentication. ```sh export VAULT_ADDR=http://127.0.0.1:8200 export VAULT_TOKEN=mytoken ``` -------------------------------- ### Building Ego CLI Tool Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Defines a custom command to build the ego CLI executable. It depends on various Go source files and uses a shell script to perform the build, passing the binary directory, project version, and trimpath flags. It also generates bash completion scripts. ```cmake # # ego cli # add_custom_command( OUTPUT ego DEPENDS ${CMAKE_SOURCE_DIR}/ego/*/*.go ${CMAKE_SOURCE_DIR}/ego/*/*/*.go COMMAND ${CMAKE_SOURCE_DIR}/src/build_ego.sh ${CMAKE_BINARY_DIR} ${PROJECT_VERSION} ${TRIMPATH} COMMAND ${CMAKE_BINARY_DIR}/ego completion bash > ${CMAKE_BINARY_DIR}/ego_completion WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego/ego) add_custom_target(egobuild ALL DEPENDS ego) ``` -------------------------------- ### Attested TLS Client - CreateAttestationClientTLSConfig Source: https://context7.com/edgelesssys/ego/llms.txt Creates a TLS client configuration that verifies attestation reports embedded in server certificates. It allows for custom verification logic. ```APIDOC ## CreateAttestationClientTLSConfig ### Description Creates a TLS client configuration that verifies attestation reports embedded in server certificates. ### Method Not applicable (Function call) ### Endpoint Not applicable (Function call) ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Request Example ```go // Example usage within a Go program expectedSigner, _ := hex.DecodeString("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a") tlsConfig := eclient.CreateAttestationClientTLSConfig( func(report attestation.Report) error { // Custom verification logic here if report.SecurityVersion < 2 { return errors.New("security version too low") } productID := binary.LittleEndian.Uint16(report.ProductID) if productID != 1234 { return fmt.Errorf("invalid product ID: %d", productID) } if !bytes.Equal(report.SignerID, expectedSigner) { return errors.New("untrusted signer") } if report.Debug { return errors.New("debug enclave not allowed in production") } return nil }, ) ``` ### Response #### Success Response - **tls.Config** (object) - A TLS configuration object suitable for use with `http.Client.Transport`. #### Response Example ```go // tlsConfig is a *tls.Config object ``` ``` -------------------------------- ### Finding OpenEnclave and Submodule Initialization Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Includes the GNUInstallDirs module and finds the OpenEnclave configuration package. It also ensures Git submodules, specifically '_ertgo', are updated and initialized. ```cmake include(GNUInstallDirs) find_package(OpenEnclave CONFIG REQUIRED) execute_process( COMMAND git submodule update --init _ertgo WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}) ``` -------------------------------- ### Clone Vault Repository Source: https://github.com/edgelesssys/ego/blob/master/samples/vault/README.md Clones the HashiCorp Vault repository to the specified version. This is the initial step before building the application with EGo. ```sh git clone --depth=1 --branch=v1.14.8 https://github.com/hashicorp/vault cd vault ``` -------------------------------- ### Seal Data with Product Key for Enclave Updates (Go) Source: https://context7.com/edgelesssys/ego/llms.txt Encrypts application state using a product key, allowing it to be decrypted by enclaves with the same signer and product ID, even after enclave updates. It requires the ecrypto package and persists the sealed data to a file. ```go package main import ( "fmt" "io/ioutil" "github.com/edgelesssys/ego/ecrypto" ) func main() { // Application state to persist across updates appState := []byte(`{ "user_preferences": { "theme": "dark", "notifications": true }, "session_data": { "login_count": 42, "last_login": "2023-10-15T10:30:00Z" } }`) // Seal with product key - survives enclave updates // Same SignerID and ProductID required to unseal sealed, err := ecrypto.SealWithProductKey(appState, nil) if err != nil { panic(err) } // Persist to disk if err := ioutil.WriteFile("app_state.sealed", sealed, 0644); err != nil { panic(err) } fmt.Println("Application state sealed with product key") // After enclave update: unseal persisted state sealed, err = ioutil.ReadFile("app_state.sealed") if err != nil { panic(err) } unsealed, err := ecrypto.Unseal(sealed, nil) if err != nil { panic(err) } fmt.Printf("Recovered state after update:\n%s\n", string(unsealed)) // Works across SecurityVersion updates but requires same SignerID/ProductID } ``` -------------------------------- ### Building Ego Bundle Executable Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Defines a custom command to build the 'ego-bundle' executable, which acts as a loader for bundled ego enclaves. It depends on Go source files and uses a build script similar to the ego CLI build. ```cmake # # ego-bundle - the loader executable for bundled ego enclaves # add_custom_command( OUTPUT ego-bundle DEPENDS ${CMAKE_SOURCE_DIR}/ego/*/*.go ${CMAKE_SOURCE_DIR}/ego/*/*/*.go COMMAND ${CMAKE_SOURCE_DIR}/src/build_ego.sh ${CMAKE_BINARY_DIR}/ego-bundle ${PROJECT_VERSION} ${TRIMPATH} WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego/cmd/bundle) add_custom_target(egobundle ALL DEPENDS ego-bundle) ``` -------------------------------- ### Configure TLS for MarbleRun Marbles Source: https://context7.com/edgelesssys/ego/llms.txt Configures TLS for applications running as MarbleRun Marbles with Coordinator integration. It fetches TLS configuration, including certificates and CA, from MarbleRun environment variables. The function `marble.GetTLSConfig(true)` is used to obtain the configuration, enabling client certificate verification. It returns a configured `*http.Server` ready for secure communication. ```go package main import ( "fmt" "net/http" "github.com/edgelesssys/ego/marble" ) func main() { // Get TLS config from MarbleRun environment variables // MarbleRun Coordinator provides certificates and CA tlsConfig, err := marble.GetTLSConfig(true) // true = verify client certificates if err != nil { panic(err) } // Create HTTP handlers http.HandleFunc("/api/data", func(w http.ResponseWriter, r *http.Request) { // Client certificate automatically verified by MarbleRun fmt.Fprintf(w, "Secure data access granted") }) http.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }) // Create server with MarbleRun TLS config server := &http.Server{ Addr: ":8080", TLSConfig: tlsConfig, } fmt.Println("MarbleRun Marble listening on :8080") fmt.Println("Using Coordinator-provided certificates") if err := server.ListenAndServeTLS("", ""); err != nil { fmt.Printf("Server error: %v\n", err) } // MarbleRun environment variables used: // - MARBLE_PREDEFINED_MARBLE_CERTIFICATE_CHAIN // - MARBLE_PREDEFINED_ROOT_CA // - MARBLE_PREDEFINED_PRIVATE_KEY } ``` -------------------------------- ### Compiling Ego Enclave Library Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Creates a static library for the ego enclave using specified source files. It links against the OpenEnclave includes. ```cmake # # ego-enclave # add_library(ego-enclave-lib src/enc.cpp src/exception_handler.cpp src/go_runtime_cleanup.cpp) target_link_libraries(ego-enclave-lib PRIVATE openenclave::oe_includes) ``` -------------------------------- ### Build Marble Test Executable Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Builds the 'marble-test' executable using Go, with CGO_ENABLED set to 0. This command is used for building a test utility without native C code compilation. ```cmake add_custom_command( OUTPUT marble-test DEPENDS ego/cmd/marble-test/main.go ego/test/t.go COMMAND CGO_ENABLED=0 go build -o ${CMAKE_BINARY_DIR} WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego/cmd/marble-test) ``` -------------------------------- ### Run Client with Signer ID Source: https://github.com/edgelesssys/ego/blob/master/samples/attested_tls/README.md Executes the client application, providing the signer ID (MRSIGNER) as a command-line argument. The signer ID is obtained using the `ego signerid` command. ```shell ./client -s `ego signerid public.pem` ``` -------------------------------- ### Attested TLS Server - CreateAttestationServerTLSConfig Source: https://context7.com/edgelesssys/ego/llms.txt Creates a TLS server configuration that embeds an attestation report within its certificate. This allows clients to verify the server's attestation. ```APIDOC ## CreateAttestationServerTLSConfig ### Description Creates a TLS server configuration with an embedded attestation report in the certificate. ### Method Not applicable (Function call) ### Endpoint Not applicable (Function call) ### Parameters None ### Request Example ```go // Example usage within a Go program tlsCfg, err := enclave.CreateAttestationServerTLSConfig() if err != nil { panic(err) } ``` ### Response #### Success Response - **tls.Config** (object) - A TLS configuration object suitable for use with `http.Server`. #### Response Example ```go // tlsCfg is a *tls.Config object ``` ``` -------------------------------- ### Create Azure Attestation Token (Go) Source: https://context7.com/edgelesssys/ego/llms.txt Generates a JSON Web Token (JWT) for Microsoft Azure Attestation, including an enclave quote and runtime data. This token can be verified by Azure services. It requires the enclave package and the Azure Attestation Provider URL. ```go package main import ( "encoding/json" "fmt" "github.com/edgelesssys/ego/enclave" ) func main() { // Data to include in the attestation runtimeData := map[string]interface{}{ "nonce": "random-challenge-12345", "timestamp": "2023-10-15T10:30:00Z", "purpose": "database-access", } jsonData, err := json.Marshal(runtimeData) if err != nil { panic(err) } // Azure Attestation Provider URL providerURL := "https://myattestationprovider.eus.attest.azure.net" // Create attestation token (JWT format) token, err := enclave.CreateAzureAttestationToken(jsonData, providerURL) if err != nil { panic(err) } fmt.Println("=== Azure Attestation Token ===") fmt.Printf("Token (first 100 chars): %s...\n", token[:100]) fmt.Printf("Full token length: %d bytes\n", len(token)) // Send token to Azure services for verification fmt.Println("\nToken can be verified by Azure services") fmt.Println("The token includes:") fmt.Println("- Enclave quote (SGX report)") fmt.Println("- Runtime data") fmt.Println("- Provider signature") } ``` -------------------------------- ### Verify Remote Attestation Report in Go Source: https://context7.com/edgelesssys/ego/llms.txt This Go code snippet demonstrates how to verify a remote attestation report received from another enclave using the `eclient.VerifyRemoteReport` function. It fetches the report via HTTP and then prints the verified report's contents and status. ```go package main import ( "encoding/hex" "fmt" "io/ioutil" "net/http" "github.com/edgelesssys/ego/eclient" ) func main() { // Fetch the remote report from an enclave server resp, err := http.Get("http://localhost:8080/report") if err != nil { panic(err) } defer resp.Body.Close() reportBytes, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } // Verify the remote report report, err := eclient.VerifyRemoteReport(reportBytes) if err != nil { fmt.Printf("Report verification failed: %v\n", err) return } // Verify the report contents fmt.Printf("Report verified successfully\n") fmt.Printf("UniqueID: %s\n", hex.EncodeToString(report.UniqueID)) fmt.Printf("SignerID: %s\n", hex.EncodeToString(report.SignerID)) fmt.Printf("ProductID: %s\n", hex.EncodeToString(report.ProductID)) fmt.Printf("SecurityVersion: %d\n", report.SecurityVersion) fmt.Printf("Debug: %v\n", report.Debug) fmt.Printf("TCBStatus: %v\n", report.TCBStatus) // Validate against expected values if report.Debug { fmt.Println("Warning: Enclave is in debug mode") } } ``` -------------------------------- ### Compiling Ego Enclave Executable Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Creates the main ego-enclave executable by linking several libraries and custom build outputs. It depends on the 'premainbuild' target and includes OpenEnclave libraries, the ego-enclave library, and the reserved TLS library. ```cmake add_executable(ego-enclave src/gcc_libinit.c src/gcc_mmap.c) add_dependencies(ego-enclave premainbuild) target_link_libraries(ego-enclave openenclave::oeenclave openenclave::ertcalls ego-enclave-lib openenclave::oehostepoll openenclave::oehostfs openenclave::oehostresolver openenclave::oehostsock ${CMAKE_BINARY_DIR}/premain.a openenclave::ertlibc openenclave::ertttls -Wl,--whole-archive openenclave::oelibc -Wl,--no-whole-archive reserved_tls_last) ``` -------------------------------- ### Enable Testing and Define Test Cases Source: https://github.com/edgelesssys/ego/blob/master/CMakeLists.txt Enables CMake's testing functionality and defines several test cases: 'api-unit-tests' using 'go test', 'ego-unit-tests' within the 'ego' directory, an 'integration' test using a shell script, and custom 'concurrency' and 'marble' tests. ```cmake enable_testing() add_test(NAME api-unit-tests COMMAND go test -race --count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}) add_test(NAME ego-unit-tests COMMAND go test -race --count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/ego) add_test(integration ${CMAKE_SOURCE_DIR}/src/integration_test.sh) add_test(concurrency erthost ego-enclave:concurrency-test) add_test(marble marble-test) ``` -------------------------------- ### Server: Create Azure Attestation Token in Go Source: https://github.com/edgelesssys/ego/blob/master/samples/azure_attestation/README.md Generates a JSON Web Token (JWT) for remote attestation using Azure Attestation. This function binds the enclave's identity to a certificate and interacts with the Azure Attestation Provider to validate the enclave's report. It requires the enclave to be set up within an SGX environment. ```go package enclave import ( "crypto/x509" "encoding/pem" "errors" "net/http" "time" "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys" "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal/exported" "github.com/edgelesssys/ego/attestation" ) // CreateAzureAttestationToken creates a JWT for remote attestation using Azure Attestation. // It generates a self-signed certificate, binds its hash to the enclave's identity in a report, // sends the report and certificate to the Azure Attestation Provider, and returns the signed JWT. // The function returns the JWT, the self-signed certificate, and any error encountered. func CreateAzureAttestationToken(attestationProviderURL string, enclaveHeldData []byte) (string, *x509.Certificate, error) { // ... implementation details ... // This is a placeholder and does not contain the actual SDK calls. _ = exported.KeyOperationKindEncrypt _ = azkeys.KeyClient{} _ = attestation.VerifyAzureAttestationToken _ = http.Get _ = time.Second return "dummy-jwt-token", nil, errors.New("not implemented") } ``` -------------------------------- ### Interact with EGo App Service using Client Source: https://github.com/edgelesssys/ego/blob/master/samples/aks/README.md Uses a client application to connect to the EGo service deployed on AKS over an attested TLS channel. Requires the signer ID and the external IP of the service. ```shell export AZDCAP_DEBUG_LOG_LEVEL=error ./client -s `ego signerid public.pem` -a :8080 ``` -------------------------------- ### Generate RSA Private Key (Bash) Source: https://github.com/edgelesssys/ego/blob/master/docs/docs/reference/config.md Command to generate a 3072-bit RSA private key using OpenSSL. This key is used for signing enclave executables with Ego. The generated key is saved to a file named 'private.pem'. ```bash openssl genrsa -out private.pem -3 3072 ``` -------------------------------- ### Client: Verify Azure Attestation Token in Go Source: https://github.com/edgelesssys/ego/blob/master/samples/azure_attestation/README.md Verifies the signature and claims of a JWT received from an attested server. It fetches the signing public key from the Azure Attestation Provider's OpenID Metadata Endpoint and validates the token's integrity. The client must then verify the report details from the token to ensure server identity and integrity. ```go package attestation import ( "crypto/x509" "encoding/json" "net/http" "time" "github.com/Azure/go-autorest/autorest/adal" "github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/jwt" ) // VerifyAzureAttestationToken verifies the JWT signature and claims against the Azure Attestation Provider. // It retrieves the public key used for signing from the provider's metadata endpoint and performs validation. // The function returns the verified claims, the signing certificate, and any error encountered. // The caller is responsible for validating the report details within the claims. func VerifyAzureAttestationToken(tokenString string, attestationProviderURL string) (json.RawMessage, *x509.Certificate, error) { // ... implementation details ... // This is a placeholder and does not contain the actual SDK calls. _ = adal.NewServicePrincipalToken _ = http.Get _ = time.Second _ = jwa.RS256 _ = jwt.Parse return nil, nil, errors.New("not implemented") } ```