[packaging,CI] Add initial deb packaging and tests

Signed-off-by: Wojtek Porczyk <[email protected]>

.ci/debian11.dockerfile

@@ -0,0 +1,42 @@
+FROM debian:bullseye-backports
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# ca-certificates needed for update over https
+# and auxiliary tools
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    git \
+    jq \
+    pbuilder
+
+# Intel's RSA-1024 key signing intel-sgx/sgx_repo below. Expires 2023-05-24.
+# https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
+COPY .ci/intel-sgx-deb.key /etc/apt/trusted.gpg.d/intel-sgx-deb.asc
+RUN echo deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main > /etc/apt/sources.list.d/intel-sgx.list
+
+# dependencies for actual build (cf. debian/control)
+RUN apt-get update && apt-get install -y -t bullseye-backports \
+    build-essential \
+    autoconf \
+    bison \
+    gawk \
+    libcjson-dev \
+    libcurl4-openssl-dev \
+    libprotobuf-c-dev \
+    libsgx-dcap-quote-verify-dev \
+    linux-headers-amd64 \
+    meson \
+    nasm \
+    ninja-build \
+    pkg-config \
+    protobuf-compiler \
+    protobuf-c-compiler \
+    python3-breathe \
+    python3-sphinx \
+    python3-sphinx-rtd-theme \
+    python3-tomli \
+    python3-tomli-w
+
+# Define default command.
+CMD ["bash"]

.ci/intel-sgx-deb.key

@@ -0,0 +1,11 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQCNBFznVOwBBADmczvcfL9MRpZ0nJnEckWBja1ahLL6JLtfMB/+Ygsbqt6f+h0TMgaUJjPUeqm2
+JNgdstGqLcQJa9QOsS4qjbwM2E68PW/BlrxjSzLH4fkdUhoY0xz3FbpQexD3hBkzAGJMsBobdhcD
+0OMW4iq5D6wfWLLW7/Q7RyCpBUgMD4XhfwARAQABtQAWU0dYX0RDQVBfcmVwb19zaWduX2tleYkA
+vgQTAQgAKAUCXOdU7AIbAwUJB4YfgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQqmWtJiYb
+Mgs8PQQAlaZuIv7G/GPNDc0VxXbyl2pKBFaGqol96QyiXcBU1atjcwh5W0ErpypOaS4eqHTt92/J
+sD5wH0+Q7wqd2pnhbKRvwSM2N3w5qsjcjEuACkxrboZBHNk0c8pkepawFhQFkv7OXo6EowFgXYrs
+UoYJ5PHswaihtdjNBFluU4pqrMk=
+=IvD4
+-----END PGP PUBLIC KEY BLOCK-----

.ci/pkg-deb-debian11.jenkinsfile

@@ -0,0 +1,30 @@
+pipeline {
+    agent {
+        dockerfile { filename '.ci/debian11.dockerfile' }
+    }
+    stages {
+        stage('build') {
+            steps {
+                sh '''
+                    ./scripts/makedist.sh
+                    tar -xzf gramine_*.orig.tar.gz
+                    cd gramine-*
+                    debuild
+                '''
+            }
+        }
+    }
+    post {
+        always {
+            archiveArtifacts '''
+                gramine*.deb,
+                gramine*.tar.xz,
+                gramine_*.orig.tar.gz,
+                gramine_*.build,
+                gramine_*.buildinfo,
+                gramine_*.changes,
+                gramine_*.dsc,
+            '''
+        }
+    }
+}

.gitignore

@@ -1,5 +1,6 @@
 /build
 /install
+/obj-*
 
 # No editor backup files.
 *.sw*

debian/.gitignore

@@ -0,0 +1,10 @@
+/*.debhelper.log
+/*.substvars
+/.debhelper
+/build*
+/debhelper-build-stamp
+/files
+/gramine
+/gramine-ratls-dcap
+/gramine-ratls-epid
+/tmp

debian/changelog

@@ -0,0 +1,56 @@
+gramine (1.3.1~post) UNRELEASED; urgency=medium
+
+  *
+
+ -- Wojtek Porczyk <[email protected]>  Tue, 11 Nov 2022 13:00:00 +0200
+
+gramine (1.3.1-1~ubuntu0.18.04) bionic focal; urgency=medium
+
+  * rebuild for bionic and focal
+
+ -- Wojtek Porczyk <[email protected]>  Thu, 29 Sep 2022 20:00:00 +0200
+
+gramine (1.3.1-1) stable; urgency=medium
+
+  * bump to upstream commit e18bc05b17fd704b259cb0401f928dc4ec5199a6
+  * more libratls fixes
+
+ -- Wojtek Porczyk <[email protected]>  Mon, 26 Sep 2022 23:00:00 +0200
+
+gramine (1.3-1) stable; urgency=medium
+
+  * bump to upstream commit a6887a5321433c8605bdbecea9f3d45afed66993
+  * fix dependencies for ratls packages
+  * fix packaging of ratls libraries
+
+ -- Wojtek Porczyk <[email protected]>  Mon, 26 Sep 2022 22:00:00 +0200
+
+gramine (1.2-1) stable; urgency=medium
+
+  * bump to upstream version 1.2
+  * add nasm dependency per upstream
+  * -Ddcap=enable, add respective dependencies
+  * add missing libprotobuf-c1 dependency
+  * fill debian/copyright
+  * add missing python3-cryptography dependency
+  * add missing runtime dependencies for -Ddcap
+  * fix debian/rules clean for bumped paths in subprojects/
+  * split ratls packages for precise dependencies
+  * fix dependencies and cleanup
+  * fix dependencies, again
+  * remove libc6 dependencies
+  * fix manpages installation in -dcap and -oot variants
+
+ -- Wojtek Porczyk <[email protected]>  Fri, 27 May 2022 12:00:00 +0200
+
+gramine (1.1-1) stable; urgency=medium
+
+  * update to v1.1
+
+ -- Wojtek Porczyk <[email protected]>  Wed, 02 Feb 2022 19:15:49 +0100
+
+gramine (1.0-1) stable; urgency=medium
+
+  * update to v1.0
+
+ -- Wojtek Porczyk <[email protected]>  Fri, 09 Oct 2021 19:20:00 +0200

debian/control

@@ -0,0 +1,67 @@
+Source: gramine
+Priority: optional
+Maintainer: Wojtek Porczyk <[email protected]>
+Build-Depends: debhelper-compat (= 13),
+ autoconf,
+ bison,
+ gawk,
+ libcjson-dev (>= 1.7),
+ libcurl4-openssl-dev (>= 7.58),
+ libprotobuf-c-dev,
+ libsgx-dcap-quote-verify-dev,
+ linux-headers-amd64 (>= 5.11),
+ meson (>= 0.56),
+ nasm,
+ ninja-build,
+ pkg-config,
+ protobuf-compiler,
+ protobuf-c-compiler,
+ python3-breathe,
+ python3-sphinx,
+ python3-sphinx-rtd-theme,
+ python3-tomli (>= 1.1.0),
+ python3-tomli-w (>= 0.4.0),
+#libunwind8,
+#python3-pytest,
+Standards-Version: 4.1.3
+Section: misc
+Homepage: https://gramine.readthedocs.io/
+Vcs-Browser: https://github.com/gramineproject/gramine
+Vcs-Git: https://github.com/gramineproject/gramine.git
+
+Package: gramine
+Architecture: amd64
+Description: A lightweight usermode guest OS designed to run a single Linux application
+Depends:
+ libcjson1 (>= 1.7),
+ libcurl4 (>= 7.58),
+ libprotobuf-c1,
+ python3,
+ python3-click,
+ python3-cryptography,
+ python3-jinja2,
+ python3-protobuf (>= 3.12),
+ python3-pyelftools,
+ python3-tomli (>= 1.1.0),
+ python3-tomli-w (>= 0.4.0),
+Recommends:
+ gramine-ratls-dcap,
+ gramine-ratls-epid,
+Conflicts:
+ gramine-oot,
+ gramine-dcap,
+
+Package: gramine-ratls-dcap
+Architecture: amd64
+Description: DCAP-based Remote Attestation TLS (RA-TLS) library for Gramine
+Depends:
+ gramine (= ${binary:Version}),
+ libsgx-dcap-quote-verify,
+# TODO: add appropriate dependency against libc6, possibly (>= 2.28)
+
+Package: gramine-ratls-epid
+Architecture: amd64
+Description: EPID-based Remote Attestation TLS (RA-TLS) library for Gramine
+Depends:
+ gramine (= ${binary:Version}),
+# TODO: libc6

debian/copyright

@@ -0,0 +1,86 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: gramine
+Upstream-Contact: Gramine Maintainers <[email protected]>
+Source: https://gramine.readthedocs.io/
+
+Files: *
+Copyright:
+ 2011-2022 Intel Corporation
+ 2014-2016 Stony Brook University
+ 2017 Fortanix, Inc.
+ 2017 University of North Carolina at Chapel Hill
+ 2017-2019 Texas A&M University
+ 2018 Isaku Yamahata
+ 2018-2021 Invisible Things Lab
+ 2019-2021 Wojtek Porczyk
+ 2022 Integritee AG
+License: LGPL-3.0+
+
+Files: debian/*
+Copyright: 2020-2022 Wojtek Porczyk <[email protected]>
+License: LGPL-3.0+
+
+Files:
+ common/include/atomic.h
+ common/src/string/ctype.c
+ common/src/string/strspn.c
+Copyright:
+ 2005-2020 Rich Felker, et al.
+License: MIT
+
+Files: common/src/network/inet_pton.c
+Copyright: 1996,1999 Internet Software Consortium
+License: ISC
+
+Files:
+ pal/include/arch/x86_64/linux/sigcontext.h
+ pal/include/arch/x86_64/linux/sigset.h
+ pal/include/elf/elf.h
+Copyright: 1991-2010 Free Software Foundation, Inc.
+License: LGPL-2.1+
+
+Files:
+ CI-Examples/ra-tls-mbedtls/src/client.c
+ CI-Examples/ra-tls-mbedtls/src/server.c
+Copyright:
+ 2006-2015 ARM Limited
+ 2020 Intel Labs
+License: Apache-2.0
+
+Files: pal/src/host/linux-sgx/enclave_xstate.c
+Copyright: 2011-2019 Intel Corporation
+License: BSD
+
+Files: python/graminelibos/ninja_syntax.py
+Copyright: 2011 Google Inc.
+License: Apache-2.0
+
+Files: DCO
+Copyright: 2004, 2006 The Linux Foundation and its contributors
+License: Verbatim
+
+Files: LICENSE.txt
+Copyright: 2007 Free Software Foundation, Inc. <https://fsf.org/>
+License: Verbatim
+
+License: LGPL-3.0+
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ Lesser General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License can be found in "/usr/share/common-licenses/LGPL-3".
+
+# Please also look if there are files or directories which have a
+# different copyright/license attached and list them here.
+# Please avoid picking licenses with terms that are more restrictive than the
+# packaged work, as it may make Debian's contributions unacceptable upstream.

debian/get-linux-src-path.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+dir=$(dpkg-query -W linux-headers-\*-common | while read name version
+do
+    test -n "$version" || continue
+    dpkg --compare-versions "$version" '>=' '5.11' || continue
+
+    # sanity check: if directory does not exist, break here and not in meson
+    dir=/usr/src/"$name"
+    test -d "$dir" || exit 2
+
+    printf %s\\n "$dir"
+    break
+done)
+
+test -n "$dir" || exit 1
+printf %s\\n "$dir"

debian/gramine-ratls-dcap.install

@@ -0,0 +1,4 @@
+usr/lib/${DEB_HOST_MULTIARCH}/libra_tls_verify_dcap*
+usr/lib/${DEB_HOST_MULTIARCH}/libsecret_prov_verify_dcap*
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libra_tls_verify_dcap*
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libsecret_prov_verify_dcap*

debian/gramine-ratls-epid.install

@@ -0,0 +1,4 @@
+usr/lib/${DEB_HOST_MULTIARCH}/libra_tls_verify_epid*
+usr/lib/${DEB_HOST_MULTIARCH}/libsecret_prov_verify_epid*
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libra_tls_verify_epid*
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/libsecret_prov_verify_epid*

debian/gramine.install

@@ -0,0 +1,15 @@
+usr/bin/gramine-*
+usr/bin/is-sgx-available
+usr/lib/python3/dist-packages/graminelibos/
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/direct/libpal.so
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/direct/loader
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/libsysdb.so
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/glibc/
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/runtime/musl/
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/sgx/libpal.so
+usr/lib/${DEB_HOST_MULTIARCH}/gramine/sgx/loader
+usr/lib/${DEB_HOST_MULTIARCH}/libmbed*_gramine.*
+usr/lib/${DEB_HOST_MULTIARCH}/libra_tls_attest.so*
+usr/lib/${DEB_HOST_MULTIARCH}/libsecret_prov_attest.so*
+usr/lib/${DEB_HOST_MULTIARCH}/libsgx_util.a*
+usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig/*.pc

debian/gramine.manpages

@@ -0,0 +1,9 @@
+Documentation/_build/man/gramine-direct.1
+Documentation/_build/man/gramine-manifest.1
+Documentation/_build/man/gramine-sgx-get-token.1
+Documentation/_build/man/gramine-sgx-ias-request.1
+Documentation/_build/man/gramine-sgx-ias-verify-report.1
+Documentation/_build/man/gramine-sgx-quote-dump.1
+Documentation/_build/man/gramine-sgx-sign.1
+Documentation/_build/man/gramine-sgx.1
+Documentation/_build/man/is-sgx-available.1