Ubuntu 24.04 LTS (noble) part 2

.ci/check-python-platlib-debian12.dockerfile

@@ -0,0 +1,11 @@
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y \
+    python3 \
+    python3-distutils \
+    python3-setuptools
+
+COPY scripts/get-python-platlib.py /get-python-platlib.py
+RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)"

.ci/check-python-platlib-ubuntu24.04.dockerfile

@@ -0,0 +1,11 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y \
+    python3 \
+    python3-distutils \
+    python3-setuptools
+
+COPY scripts/get-python-platlib.py /get-python-platlib.py
+RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)"

.ci/check-python-platlib.jenkinsfile

@@ -2,7 +2,9 @@ node() {
     checkout scm
 
     [
+        'debian12',
         'debian11',
+        'ubuntu24.04',
         'ubuntu22.04',
         'ubuntu20.04',
         'almalinux9',

.ci/lib/stage-test-direct.jenkinsfile

@@ -60,7 +60,7 @@ stage('test-direct') {
             # memcslap populates server but doesn't report errors, use
             # memcached-tool for this (must return two lines of stats)
             memcslap --servers=127.0.0.1 --concurrency=8
-            src/scripts/memcached-tool 127.0.0.1 | wc -l | grep -w "2"
+            test "$(src/scripts/memcached-tool 127.0.0.1 | wc -l)" -ge 2
         '''
     }
     timeout(time: 10, unit: 'MINUTES') {

.ci/lib/stage-test-sgx.jenkinsfile

@@ -15,7 +15,7 @@ stage('test-sgx') {
     '''
 
     if (env.RA_TYPE == null) {
-        env.RA_TYPE = 'epid'
+        env.RA_TYPE = 'dcap'
     }
 
     timeout(time: 5, unit: 'MINUTES') {
@@ -25,7 +25,7 @@ stage('test-sgx') {
             make ${MAKEOPTS} check
         '''
     }
-    timeout(time: 5, unit: 'MINUTES') {
+    timeout(time: 10, unit: 'MINUTES') {
         sh '''
             cd CI-Examples/python
             make ${MAKEOPTS} RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid}
@@ -55,7 +55,7 @@ stage('test-sgx') {
             # memcslap populates server but doesn't report errors, use
             # memcached-tool for this (must return two lines of stats)
             memcslap --servers=127.0.0.1 --concurrency=8
-            src/scripts/memcached-tool 127.0.0.1 | wc -l | grep -w "2"
+            test "$(src/scripts/memcached-tool 127.0.0.1 | wc -l)" -ge 2
         '''
     }
     timeout(time: 15, unit: 'MINUTES') {

.ci/lib/stage-test.jenkinsfile

@@ -1,6 +1,6 @@
 stage('test') {
     if (env.RA_TYPE == null) {
-        env.RA_TYPE = 'epid'
+        env.RA_TYPE = 'dcap'
     }
 
     timeout(time: 15, unit: 'MINUTES') {

.ci/linux-direct-ubuntu24.04-gcc-debug.jenkinsfile

@@ -0,0 +1,19 @@
+node('plain && noble') {
+    checkout scm
+
+    load '.ci/lib/config-docker.jenkinsfile'
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-debug.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-nosgx.jenkinsfile'
+        load '.ci/lib/stage-test.jenkinsfile'
+        load '.ci/lib/stage-test-direct.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/linux-direct-ubuntu24.04-gcc-release.jenkinsfile

@@ -0,0 +1,19 @@
+node('plain && noble') {
+    checkout scm
+
+    load '.ci/lib/config-docker.jenkinsfile'
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-release.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-nosgx.jenkinsfile'
+        load '.ci/lib/stage-test.jenkinsfile'
+        load '.ci/lib/stage-test-direct.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/linux-direct-ubuntu24.04-sanitizers.jenkinsfile

@@ -0,0 +1,22 @@
+node('plain && noble') {
+    checkout scm
+
+    load '.ci/lib/config-docker.jenkinsfile'
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-clang.jenkinsfile'
+        load '.ci/lib/config-debug.jenkinsfile'
+        load '.ci/lib/config-ubsan.jenkinsfile'
+        load '.ci/lib/config-asan.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-nosgx.jenkinsfile'
+        load '.ci/lib/stage-test.jenkinsfile'
+        load '.ci/lib/stage-test-direct.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/linux-sgx-ubuntu24.04-edmm.jenkinsfile

@@ -0,0 +1,29 @@
+node('sgx-edmm && aesni') {
+    checkout scm
+
+    env.AVX = '1'  // EDMM-capable machines in our CI always have AVX
+    env.SGX = '1'
+    env.EDMM = '1'
+    env.RA_TYPE = 'dcap'
+
+    load '.ci/lib/config-docker.jenkinsfile'
+
+    env.DOCKER_ARGS_SGX += '''
+        --add-host host.docker.internal:host-gateway
+    '''
+
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-release.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-sgx.jenkinsfile'
+        load '.ci/lib/stage-test.jenkinsfile'
+        load '.ci/lib/stage-test-sgx.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/linux-sgx-ubuntu24.04-gcc-release-apps.jenkinsfile

@@ -0,0 +1,21 @@
+node('sgx && noble') {
+    checkout scm
+
+    env.SGX = '1'
+    env.RA_TYPE = 'dcap'
+
+    load '.ci/lib/config-docker.jenkinsfile'
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-release.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-sgx.jenkinsfile'
+        load '.ci/lib/stage-test-sgx.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/linux-sgx-ubuntu24.04-musl.jenkinsfile

@@ -0,0 +1,21 @@
+node('sgx && noble') {
+    checkout scm
+
+    env.SGX = '1'
+    env.GRAMINE_MUSL = '1'
+
+    load '.ci/lib/config-docker.jenkinsfile'
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-release.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-sgx.jenkinsfile'
+        load '.ci/lib/stage-test.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/linux-sgx-ubuntu24.04-sanitizers.jenkinsfile

@@ -0,0 +1,25 @@
+node('sgx && noble') {
+    checkout scm
+
+    env.SGX = '1'
+    env.RA_TYPE = 'dcap'
+
+    load '.ci/lib/config-docker.jenkinsfile'
+    docker.build(
+        "local:${env.BUILD_TAG}",
+        '-f .ci/ubuntu24.04.dockerfile .'
+    ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+        load '.ci/lib/config.jenkinsfile'
+        load '.ci/lib/config-clang.jenkinsfile'
+        load '.ci/lib/config-debug.jenkinsfile'
+        load '.ci/lib/config-ubsan.jenkinsfile'
+        load '.ci/lib/config-asan.jenkinsfile'
+
+        load '.ci/lib/stage-lint.jenkinsfile'
+        load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+        load '.ci/lib/stage-build-sgx.jenkinsfile'
+        load '.ci/lib/stage-test.jenkinsfile'
+        load '.ci/lib/stage-test-sgx.jenkinsfile'
+        load '.ci/lib/stage-clean-check.jenkinsfile'
+    }
+}

.ci/sgx_default_qcnl.conf

@@ -0,0 +1,10 @@
+{
+    "local_cache_only": true,
+    "pccs_url": "https://frackles.telenet.unc.edu:8081/sgx/certification/v4/",
+    "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+    "pck_cache_expire_hours": 168,
+    "retry_delay": 10,
+    "retry_times": 6,
+    "use_secure_cert": false,
+    "verify_collateral_cache_expire_hours": 168
+}

.ci/ubuntu24.04.dockerfile

@@ -37,14 +37,65 @@ RUN apt-get update && apt-get satisfy -y \
 # dependencies for various tests, CI-Examples, etc.
 # git: scripts/gitignore-test (among others)
 # libunwind8: libos/test/regression/bootstrap_cpp.manifest.template
+# musl-tools: for compilation with musl (not done in deb/rpm)
 # nginx: CI-Examples/ra-tls-nginx
 # shellcheck: .ci/run-shellcheck
+# busybox: CI-Examples/busybox
+# cargo: CI-Examples/rust
+# clang: asan and ubsan builds
+# jq: used in jenkinsfiles
+# cpio dwarves kmod qemu-kvm: for building kernel modules and running VMs
+# wget: scripts/download
+# python3-pytest: for running tests
+# python3-pytest-xdist: for pytest -n option, to run in parallel
+# python3-numpy python3-scipy: imported by script in CI-Examples/python
+# gdb: tested in libos suite
+# ncat: used in scripts/wait_for_server
+# linux-libc-dev: among others, needed to compile busybox (CI-Examples/busybox)
+# libomp-dev: needed for libos/test/regression/openmp.c
+# libevent-dev: CI-Examples/memcached
+# libmemcached-tools: CI-Examples/memcache
+# zlib1g-dev: CI-Examples/lighttpd
+# wrk: used by CI-Examples/common_tools/benchmark-http.sh
+# libssl-dev: CI-Examples/nginx
+# sqlite3: CI-Examples/sqlite
+# libsgx-*: CI-Examples/ra-tls-*
+# curl: CI-Examples/ra-tls-secret-prov
 RUN apt-get update && apt-get install -y \
+    busybox \
+    cargo \
+    clang \
     cmake \
+    cpio \
+    curl \
+    dwarves \
+    gdb \
     git \
+    jq \
+    kmod \
+    libevent-dev \
+    libmemcached-tools \
+    libomp-dev \
+    libsgx-dcap-default-qpl \
+    libsgx-dcap-quote-verify-dev \
+    libsgx-urts \
+    libssl-dev \
     libunwind8 \
+    linux-libc-dev \
+    musl-tools \
+    ncat \
     nginx \
+    python3-numpy \
     python3-pytest \
-    shellcheck
+    python3-pytest-xdist \
+    python3-scipy \
+    qemu-kvm \
+    shellcheck \
+    sqlite3 \
+    wget \
+    wrk \
+    zlib1g-dev
+
+COPY .ci/sgx_default_qcnl.conf /etc/sgx_default_qcnl.conf
 
 CMD ["bash"]

CI-Examples/busybox/Makefile

@@ -1,14 +1,7 @@
 # Copyright (C) 2023 Gramine contributors
 # SPDX-License-Identifier: BSD-3-Clause
 
-ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine)
-
-SRCDIR = src
-BUSYBOX_SHA256 ?= c35d87f1d04b2b153d33c275c2632e40d388a88f19a9e71727e0bbbff51fe689
-BUSYBOX_SRC ?= busybox-1.32.0.tar.bz2
-BUSYBOX_MIRRORS ?= \
-    https://busybox.net/downloads \
-    https://packages.gramineproject.io/distfiles
+BUSYBOX ?= $(shell command -v busybox)
 
 ifeq ($(DEBUG),1)
 GRAMINE_LOG_LEVEL = debug
@@ -21,31 +14,15 @@ RA_CLIENT_SPID ?=
 RA_CLIENT_LINKABLE ?= 0
 
 .PHONY: all
-all: busybox busybox.manifest
+all: busybox.manifest
 ifeq ($(SGX),1)
 all: busybox.manifest.sgx busybox.sig
 endif
 
-$(SRCDIR)/Makefile:
-	../common_tools/download --output busybox.tar.bz2 --sha256 $(BUSYBOX_SHA256) \
-		$(foreach mirror,$(BUSYBOX_MIRRORS),--url $(mirror)/$(BUSYBOX_SRC))
-	mkdir $(SRCDIR)
-	tar -C $(SRCDIR) --strip-components=1 -xf busybox.tar.bz2
-
-$(SRCDIR)/.config: $(SRCDIR)/Makefile
-	$(MAKE) -C $(SRCDIR) clean
-	$(MAKE) -C $(SRCDIR) defconfig
-	# Enable usage of Busybox's built-in applets
-	sed -e 's/.*CONFIG_FEATURE_SH_STANDALONE.*/CONFIG_FEATURE_SH_STANDALONE=y/' \
-		-i $(SRCDIR)/.config
-
-$(SRCDIR)/busybox: $(SRCDIR)/.config
-	$(MAKE) -C $(SRCDIR)
-
 busybox.manifest: busybox.manifest.template
 	gramine-manifest \
+		-Dbusybox=$(BUSYBOX) \
 		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
-		-Darch_libdir=$(ARCH_LIBDIR) \
 		-Dra_type=$(RA_TYPE) \
 		-Dra_client_spid=$(RA_CLIENT_SPID) \
 		-Dra_client_linkable=$(RA_CLIENT_LINKABLE) \
@@ -57,15 +34,11 @@ busybox.manifest.sgx busybox.sig: sgx_sign
 	@:
 
 .INTERMEDIATE: sgx_sign
-sgx_sign: busybox.manifest busybox
+sgx_sign: busybox.manifest
 	gramine-sgx-sign \
 		--manifest $< \
 		--output $<.sgx
 
-# Copy Busybox binary to our root directory for simplicity.
-busybox: $(SRCDIR)/busybox
-	cp $(SRCDIR)/busybox busybox
-
 ifeq ($(SGX),)
 GRAMINE = gramine-direct
 else
@@ -80,8 +53,7 @@ check: all
 
 .PHONY: clean
 clean:
-	$(RM) *.token *.sig *.manifest.sgx *.manifest busybox OUTPUT
+	$(RM) *.token *.sig *.manifest.sgx *.manifest OUTPUT
 
 .PHONY: distclean
 distclean: clean
-	$(RM) -r $(SRCDIR) busybox.tar.bz2