This document contains an overview of the code layout and development model, to help a new developer get started writing code for the project. It's a good read before your first PR.
Please see README for how to obtain the source code.
Under the root directory, we have:
third_party/musl/crtfolder that implements the libc library based on MUSL;kernelthat implements the Mystikos kernel;targetthat implements a few targets we support so far;toolsthat implementsmystcommand, the primary tool of Mystikos;- Specifically for the SGX target, folder
third_party/openenclaveprovides enclave related functions. We use a feature branch from the OpenEnclave SDK repo.
Also under the root directory:
- The
testsfolder contains test cases we run for CI/CD pipelines. - The
solutionsfolder contains sophisticated applications we can run with Mystikos. They are also covered by the CI/CD pipeline. - The
samplesfolder contains test cases for evolving features which are not stable enough to be moved intotests. - The
scriptsfolder contains several helper scripts for using Mystikos or integrating with the pipeline.
Other directories include:
alpine: contains the Docker image used by some testsart: contains graphical resources used in documentationasm: contains assembly codecrt: contains Mystikos's addition to musl librarydoc: contains documentationsdocker: contains files to build Mystikos in a containerext2: contains EXT2 file system implementationgcov: contains gcov-based code coverage utilitieshost: contains files used by the host launcher of Mystikoshostfs: a file system primarily used for testing/debugginginclude: contains Mystikos header filesjson: a json parser implementation, primarily used to parse configuration fileoe: contains extension to OpenEnclave, exposing OE APIs through syscallsprereqs: contains prerequisite such as Intel SGX driver and other required application packagesutils: contains various utility files
Please see README for how to install the pre-requisite packages and build the source code.
The following instructions assume Mystikos is cloned to $HOME/Mystikos,
referred to as project root hereafter.
-
The build process creates a
buildfolder under the project root, which consists of the following artifacts:- bin: the executables of Mystikos, including:
- the main executable
myst - the debugger
myst-gdb
- the main executable
- lib: including:
- libmystcrt.so, the output from building
third_party/musl/crt - libmystkernel.so, the output from building
kernel - mysttarget*.a, the output from building target libraries
- openenclave/mystenc.so, the output from building
tools/myst/enc
- libmystcrt.so, the output from building
- openenclave, including the outputs from building OE SDK.
- bin: the executables of Mystikos, including:
-
Run a simple application built with gcc
cd tests/hello make make testsIn the 2nd step
make, we create a temporary folderappdir, compilehello.cwithgcc, and place the output executable underappdir/bin/hello, finally we create a CPIO archive out ofappdir.In the 3rd step
make tests, we launchmyst, giving it the CPIO archive, the command to run (/bin/helloin this case), and the command line arguments, e.g., "red", "green", and "blue". With this step, we should see the following outputs:Hello world! I received: argv[0]={/bin/hello}, argv[1]={red}, argv[2]={green}, argv[3]={blue} -
Run an existing application included in Ubuntu
We build a self-contained application folder using
appbuilder. The outputappdirdirectory contains the executables and libraries bundled in an Ubuntu base image. We create a CPIO archive out ofappdirand then execute commandlswithmyst.appbuilder -i ubuntu:18.04 myst mkcpio appdir rootfs myst exec-sgx rootfs /bin/ls /
-
Run a user application based on a Linux container. The base OS could be Ubuntu, Redhat, Alpine, or other distros.
cd solutions/attested_tls make && make runDuring
make, we useappbuilderto generated a self contained application folderappdirfrom dockerfilesolutions/attested_tls/Dockerfile, and convert that into a CPIO archive.make runwill launchmystcommand which in turn launch the application located in the CPIO archive.
Mystikos currently can be run on two targets, SGX Target or Linux Target. When run on SGX Target, we have four ELF partitions, and on the Linux Target we have three ELF partitions (as shown in Fig 1). It is possible that the different ELF regions have the same function symbol repeated in them, eg: having two main() functions; in this case, if you set a breakpoint on main, GDB will consider both of them as breakpoints.
Fig 1
C Call -> Call from the user application to the C-Runtime
Syscall -> Calls into the kernel
T Call -> Target call/calls into the target
O Call -> Calls into the host (untrusted environment)
-
For most applications under
tests, we can launch the debugger with commandmake tests GDB=1. For example:cd Mystikos/tests/hello make && make tests GDB=1For applications that are run in package mode, ensure that the field
"Debug":1is set in theconfig.jsonfile, and the debugger can be launched using the run command:myst-gdb --args myst/bin/<appname> <opts> -
Once inside the gdb window, we can set two breakpoints to examine the events during booting Mystikos and launching user applications.
break main break myst_enter_crt run -
The first breakpoint should be hit at the
mainfunction inMystikos/tools/myst/host/host.c. This is the host launcher for the bootstrapping enclave. -
Enter
continuecommand to gdb, the second breakpoint should be hit at themyst_enter_crtfunction inMystikos/crt/enter.c. -
The
wherecommand to gdb reveals that we have gone through the following events to reach the point of starting C-runtime (CRT):- myst_enter_ecall, where we cross the boundary between the host launcher and the bootstrapping enclave.
- myst_enter_kernel, where we cross the boundary between the bootstrapping enclave and the kernel.
- myst_enter_crt, where we cross the boundary between the kernel and CRT
-
Enter
continuecommand to gdb, the third breakpoint should be hit at themainfunction in the user application. -
Now in the GDB window, set a breakpoint to observe how Mystikos handles syscalls.
break myst_syscall continue where -
Experiment with more gdb commands and breakpoints.