Merge pull request #553 from haitaohuang/docker_rel_2.9.2

Docker updates

Author: haitaohuang

.dockerignore

@@ -0,0 +1,9 @@
+linux/installer/docker
+linux/installer/docker/*
+docker
+docker/*
+docker/build/*
+*.md
+.git*
+*/*/.git*
+

README.md

@@ -29,14 +29,19 @@ Documentation
 - [Intel(R) SGX for Linux\* OS](https://01.org/intel-softwareguard-extensions) project home page on [01.org](https://01.org)
 - [Intel(R) SGX Programming Reference](https://software.intel.com/sites/default/files/managed/7c/f1/332831-sdm-vol-3d.pdf)
 
-Quick Start
+Quick Start with Docker and Docker Compose
 -----------------------------------------
-### Use Docker and Docker Compose
+
+- Build PSW and SDK from source. See this [README](docker/build/README.md) for details.
 ```
 $ cd docker/build && ./build_compose_run.sh
 ```
-See this [README](docker/build/README.md) for details.
 
+- Use prebuilt PSW and SDK downloaded from 01.org. See this [README](linux/installer/docker/README.md) for details.
+```
+$ cd linux/installer/docker && ./build_compose_run.sh
+```
+ 
 Build and Install the Intel(R) SGX Driver
 -----------------------------------------
 Follow the [README.md](https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/driver/linux/README.md) in the [SGXDataCenterAttestationPrimitives](https://github.com/intel/SGXDataCenterAttestationPrimitives/) project to build and install the Intel(R) SGX driver.     

docker/build/README.md

@@ -6,7 +6,7 @@ Files in this directory demonstrate how to build and install the SGX SDK and PSW
 
 ###  Prerequisites
 1. Install [Docker and Compose](https://docs.docker.com/) and configure them properly following their respective installation guide.
-2. Install [SGX out-of-tree driver](https://github.com/intel/linux-sgx-driver). **Note**: See below to run with the DCAP driver or an SGX capable kernel.
+2. Install [SGX Flexible Launch Control driver](https://github.com/intel/SGXDataCenterAttestationPrimitives/driver/linux). **Note**: See below to run with the Legacy Launch Control driver.
 
 ### Run with Docker Compose
 This will start AESM and an SGX sample on one terminal using docker-compose.
@@ -38,15 +38,18 @@ The Dockerfile specifies 3 image build targets:
 
 - [build_and_run_sample_docker.sh](./build_and_run_sample_docker.sh): Shows how to build and run the SampleEnclave app inside a Docker container with a locally built SGX sample image.
 
-## DCAP driver and kernel with SGX patches
+## Legacy Launch Control driver and kernel for SGX
 
 All SGX applications need access to the SGX device nodes exposed by the kernel space driver. Depending on the driver or kernel you are using, the SGX device nodes may have different names and locations. Therefore, you need to ensure those nodes are mapped and mounted inside the containers properly.
 
+
 [SGX kernel patches](https://github.com/jsakkine-intel/linux-sgx/commits/master) are still in process of upstreaming.
-The [DCAP driver](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver) is developed to imitate the kernel patches as closely as possible. To use a custom built kernel with SGX patches or the DCAP driver instead of the SGX2 driver mentioned above, you need to make following modifications:
-1. Replace "/dev/isgx" device with "/dev/sgx/enclave" and "/dev/sgx/provision" devices for AESM in docker-compose.yml and build_and_run_aesm_docker.sh
-2. Replace "/dev/isgx" with "/dev/sgx/enclave" for the sample container in docker-compose.yml and build_and_run_sample_docker.sh
+The [Flexible Launch Control driver](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver) is developed to imitate the kernel patches as closely as possible.
+
+The sample scripts and Compose files are compatible with the Flexible Launch Control driver or a custom built kernel with SGX support. If you need to use the Legacy Launch Control driver then you need to make following modifications:
+1. Replace "/dev/sgx/enclave" device with "/dev/isgx" and **remove** "/dev/sgx/provision" device for AESM in docker-compose.yml and build_and_run_aesm_docker.sh
+2. Replace "/dev/sgx/enclave" with "/dev/isgx" for the sample container in docker-compose.yml and build_and_run_sample_docker.sh
 
-**Note**: When you switch between DCAP and SGX2 drivers, make sure you uninstall the previous driver and reset the OS before installing the other one.
+**Note**: When you switch between drivers, make sure you uninstall the previous driver and reset the OS before installing the other one.
 
-**Note**: Earlier versions of the DCAP driver and kernel patches may expose the SGX device as a single node at "/dev/sgx".
+**Note**: Earlier versions of the Flexible Launch Control driver and kernel patches may expose the SGX device as a single node at "/dev/sgx".

docker/build/build_and_run_aesm_docker.sh

@@ -41,7 +41,7 @@ docker build --target aesm --build-arg https_proxy=$https_proxy \
 mkdir -p -m 777 /tmp/aesmd
 chmod -R -f 777 /tmp/aesmd || sudo chmod -R -f 777 /tmp/aesmd || true
 
-# If you use the DCAP driver, replace /dev/isgx with /dev/sgx/enclave, and add
+# If you use the Legacy Launch Control driver, replace /dev/sgx/enclave with /dev/isgx, and remove
 # --device=/dev/sgx/provision
 
-docker run --env http_proxy --env https_proxy --device=/dev/isgx -v /dev/log:/dev/log -v /tmp/aesmd:/var/run/aesmd -it sgx_aesm
+docker run --env http_proxy --env https_proxy --device=/dev/sgx --device=/dev/sgx/provision -v /dev/log:/dev/log -v /tmp/aesmd:/var/run/aesmd -it sgx_aesm

docker/build/build_and_run_sample_docker.sh

@@ -34,5 +34,5 @@ docker build --target sample --build-arg https_proxy=$https_proxy \
              --build-arg http_proxy=$http_proxy -t sgx_sample -f ./Dockerfile ../../
 
 # Another container should expose AESM and its socket
-# Replace /dev/isgx with /dev/sgx/enclave if you use the DCAP driver
-docker run --env http_proxy --env https_proxy --device=/dev/isgx -v /tmp/aesmd:/var/run/aesmd -it sgx_sample
+# Replace /dev/sgx/enclave with /dev/isgx if you use the Legacy Launch Control driver
+docker run --env http_proxy --env https_proxy --device=/dev/sgx/enclave -v /tmp/aesmd:/var/run/aesmd -it sgx_sample

docker/build/docker-compose.yml

@@ -27,16 +27,17 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
-# If you use the DCAP driver, replace /dev/isgx with /dev/sgx/enclave for both
-# sample and aesm, and add /dev/sgx/provision in "devices" list for aesm
+# If you use the Legacy Launch Control driver, replace /dev/sgx/enclave with /dev/isgx for both
+# sample and aesm, and remove /dev/sgx/provision in "devices" list for aesm
 #
 version: '3'
 
 services:
   aesm:
     image: sgx_aesm
     devices:
-      - /dev/isgx
+      - /dev/sgx/enclave
+      - /dev/sgx/provision
     volumes:
       - /tmp/aesmd:/var/run/aesmd
     stdin_open: true
@@ -50,7 +51,7 @@ services:
     depends_on:
       - aesm
     devices:
-      - /dev/isgx
+      - /dev/sgx/enclave
     volumes:
       - /tmp/aesmd:/var/run/aesmd
     stdin_open: true

linux/installer/docker/README.md

@@ -6,7 +6,7 @@ Files in this directory demonstrate how to build and deploy SGX enclave applicat
 
 ###  Prerequisites
 1. Install [Docker and Compose](https://docs.docker.com/) and configure them properly following respective their installation guide.
-2. Install [SGX out-of-tree driver](https://github.com/intel/linux-sgx-driver). **Note**: See below to run with the DCAP driver or an SGX capable kernel.
+2. Install [SGX Flexible Launch Control driver](https://github.com/intel/SGXDataCenterAttestationPrimitives/driver/linux). **Note**: See below to run with the Legacy Launch Control driver.
 
 ### Run with Docker Compose
 This will start AESM and an SGX sample on one terminal using docker-compose.
@@ -34,16 +34,19 @@ The [Dockerfile](../docker/Dockerfile)  specifies 3 image build targets:
 2. aesm: Installs sgx-aesm and its dependencies from the SGX PPA and starts the AESM service.
 3. sample: Installs the SGX SDK and runtime libaries, builds and runs the SampleEnclave app in SDK sample code.
 
-## DCAP driver and kernel with SGX patches
+## Legacy Launch Control driver and kernel for SGX
+
+All SGX applications need access to the SGX device nodes exposed by the kernel space driver. Depending on the driver or kernel you are using, the SGX device nodes may have different names and locations. Therefore, you need to ensure those nodes are mapped and mounted inside the containers properly.
 
-All SGX applications need access to the SGX device nodes exposed by kernel space driver. Depending on the driver or kernel you are using, the SGX device nodes may have different names and locations. Therefore, you need ensure those nodes mapped and mounted inside the containers appropriately.
 
 [SGX kernel patches](https://github.com/jsakkine-intel/linux-sgx/commits/master) are still in process of upstreaming.
-The [DCAP driver](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver) is developed to imitate the kernel patches as closely as possible. To use custom built kernel with SGX patches or the DCAP driver instead of the SGX2 driver mentioned above, you need make following modifications:
-1. Replace "/dev/isgx" device with "/dev/sgx/enclave" and "/dev/sgx/provision" devices for AESM in docker-compose.yml  and build_and_run_aesm_docker.sh
-2. Replace "/dev/isgx" with "/dev/sgx/enclave" for the sample container in docker-compose.yml and build_and_run_sample_docker.sh
+The [Flexible Launch Control driver](https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver) is developed to imitate the kernel patches as closely as possible.
+
+The sample scripts and Compose files are compatible with the Flexible Launch Control  driver or a custom built kernel with SGX support. If you need to use the Legacy Launch Control driver then you need to make following modifications:
+1. Replace "/dev/sgx/enclave" device with "/dev/isgx" and **remove** "/dev/sgx/provision" device for AESM in docker-compose.yml and build_and_run_aesm_docker.sh
+2. Replace "/dev/sgx/enclave" with "/dev/isgx" for the sample container in docker-compose.yml and build_and_run_sample_docker.sh
 
-**Note**: When you switch between the DCAP and SGX2 drivers, make sure you uninstall the previous driver and reset the OS before installing the other one.
+**Note**: When you switch between drivers, make sure you uninstall the previous driver and reset the OS before installing the other one.
 
-**Note**: Earlier versions of the DCAP driver and kernel patches may expose the SGX device as a single node at "/dev/sgx".
+**Note**: Earlier versions of the Flexible Launch Control driver and kernel patches may expose the SGX device as a single node at "/dev/sgx".
 

linux/installer/docker/build_and_run_aesm_docker.sh

@@ -41,6 +41,6 @@ docker build --target aesm --build-arg https_proxy=$https_proxy \
 mkdir -p -m 777 /tmp/aesmd
 chmod -R -f 777 /tmp/aesmd || sudo chmod -R -f 777 /tmp/aesmd || true
 
-# If you use the DCAP driver, replace /dev/isgx with /dev/sgx/enclave, and add
+# If you use the Legacy Launch Control driver, replace /dev/sgx/enclave with /dev/isgx, and remove
 # --device=/dev/sgx/provision
-docker run --env http_proxy --env https_proxy --device=/dev/isgx -v /dev/log:/dev/log -v /tmp/aesmd:/var/run/aesmd -it sgx_aesm
+docker run --env http_proxy --env https_proxy --device=/dev/sgx/enclave --device=/dev/sgx/provision -v /dev/log:/dev/log -v /tmp/aesmd:/var/run/aesmd -it sgx_aesm

linux/installer/docker/build_and_run_sample_docker.sh

@@ -34,5 +34,5 @@ docker build --target sample --build-arg https_proxy=$https_proxy \
              --build-arg http_proxy=$http_proxy -t sgx_sample -f ./Dockerfile ./
 
 # Another container should expose AESM and its socket
-# Replace /dev/isgx with /dev/sgx/enclave if you use the DCAP driver
-docker run --env http_proxy --env https_proxy --device=/dev/isgx -v /tmp/aesmd:/var/run/aesmd -it sgx_sample
+# Replace /dev/sgx/enclave with /dev/isgx if you use the Legacy Launch Control driver
+docker run --env http_proxy --env https_proxy --device=/dev/sgx/enclave -v /tmp/aesmd:/var/run/aesmd -it sgx_sample

linux/installer/docker/docker-compose.yml

@@ -27,16 +27,17 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
-# If you use the DCAP driver, replace /dev/isgx with /dev/sgx/enclave for both
-# sample and aesm, and add /dev/sgx/provision in "devices" list for aesm
+# If you use the Legacy Launch Control driver, replace /dev/sgx/enclave with /dev/isgx for both
+# sample and aesm, and remove /dev/sgx/provision in "devices" list for aesm
 #
 version: '3'
 
 services:
   aesm:
     image: sgx_aesm
     devices:
-      - /dev/isgx
+      - /dev/sgx/enclave
+      - /dev/sgx/provision
     volumes:
       - /tmp/aesmd:/var/run/aesmd
     stdin_open: true
@@ -50,7 +51,7 @@ services:
     depends_on:
       - aesm
     devices:
-      - /dev/isgx
+      - /dev/sgx/enclave
     volumes:
       - /tmp/aesmd:/var/run/aesmd
     stdin_open: true