Fix the error of demos with encrypted fs image
This commit is contained in:
LI Qing
Zongmin.Gu
parent
c3a02ffc28
commit
7deeccb03b
@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"resource_limits": {
|
"resource_limits": {
|
||||||
"user_space_size": "512MB",
|
"user_space_size": "512MB",
|
||||||
"kernel_space_heap_size": "32MB",
|
"kernel_space_heap_size": "64MB",
|
||||||
"kernel_space_stack_size": "1MB",
|
"kernel_space_stack_size": "1MB",
|
||||||
"max_num_of_threads": 32
|
"max_num_of_threads": 32
|
||||||
},
|
},
|
||||||
@ -29,15 +29,24 @@
|
|||||||
"mount": [
|
"mount": [
|
||||||
{
|
{
|
||||||
"target": "/",
|
"target": "/",
|
||||||
"type": "sefs",
|
"type": "unionfs",
|
||||||
"source": "./image",
|
|
||||||
"options": {
|
"options": {
|
||||||
"integrity_only": true
|
"layers": [
|
||||||
|
{
|
||||||
|
"target": "/",
|
||||||
|
"type": "sefs",
|
||||||
|
"source": "./build/mount/__ROOT",
|
||||||
|
"options": {
|
||||||
|
"MAC": ""
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/root",
|
"target": "/",
|
||||||
"type": "sefs"
|
"type": "sefs",
|
||||||
|
"source": "./run/mount/__ROOT"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/host",
|
"target": "/host",
|
||||||
@ -46,7 +55,19 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/tmp",
|
"target": "/tmp",
|
||||||
"type": "ramfs"
|
"type": "sefs",
|
||||||
|
"source": "./run/mount/tmp",
|
||||||
|
"options": {
|
||||||
|
"temporary": true
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "/proc",
|
||||||
|
"type": "procfs"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "/dev",
|
||||||
|
"type": "devfs"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
@ -21,6 +21,8 @@ static mut ENCLAVE_PATH: String = String::new();
|
|||||||
lazy_static! {
|
lazy_static! {
|
||||||
static ref INIT_ONCE: Once = Once::new();
|
static ref INIT_ONCE: Once = Once::new();
|
||||||
static ref HAS_INIT: AtomicBool = AtomicBool::new(false);
|
static ref HAS_INIT: AtomicBool = AtomicBool::new(false);
|
||||||
|
pub static ref ENTRY_POINTS: RwLock<Vec<PathBuf>> =
|
||||||
|
RwLock::new(config::LIBOS_CONFIG.entry_points.clone());
|
||||||
}
|
}
|
||||||
|
|
||||||
macro_rules! ecall_errno {
|
macro_rules! ecall_errno {
|
||||||
@ -292,8 +294,9 @@ fn validate_program_path(target_path: &PathBuf) -> Result<()> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check whether the prefix of the program path matches one of the entry points
|
// Check whether the prefix of the program path matches one of the entry points
|
||||||
let is_valid_entry_point = &config::LIBOS_CONFIG
|
let is_valid_entry_point = &ENTRY_POINTS
|
||||||
.entry_points
|
.read()
|
||||||
|
.unwrap()
|
||||||
.iter()
|
.iter()
|
||||||
.any(|valid_path_prefix| target_path.starts_with(valid_path_prefix));
|
.any(|valid_path_prefix| target_path.starts_with(valid_path_prefix));
|
||||||
if !is_valid_entry_point {
|
if !is_valid_entry_point {
|
||||||
|
|||||||
@ -8,7 +8,7 @@ lazy_static! {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub fn do_mount_rootfs(
|
pub fn do_mount_rootfs(
|
||||||
mount_configs: &Vec<ConfigMount>,
|
user_config: &config::Config,
|
||||||
user_key: &Option<sgx_key_128bit_t>,
|
user_key: &Option<sgx_key_128bit_t>,
|
||||||
) -> Result<()> {
|
) -> Result<()> {
|
||||||
debug!("mount rootfs");
|
debug!("mount rootfs");
|
||||||
@ -17,14 +17,15 @@ pub fn do_mount_rootfs(
|
|||||||
return_errno!(EPERM, "rootfs cannot be mounted more than once");
|
return_errno!(EPERM, "rootfs cannot be mounted more than once");
|
||||||
}
|
}
|
||||||
let new_root_inode = {
|
let new_root_inode = {
|
||||||
let rootfs = open_root_fs_according_to(mount_configs, user_key)?;
|
let rootfs = open_root_fs_according_to(&user_config.mount, user_key)?;
|
||||||
rootfs.root_inode()
|
rootfs.root_inode()
|
||||||
};
|
};
|
||||||
mount_nonroot_fs_according_to(&new_root_inode, mount_configs, user_key)?;
|
mount_nonroot_fs_according_to(&new_root_inode, &user_config.mount, user_key)?;
|
||||||
MOUNT_ONCE.call_once(|| {
|
MOUNT_ONCE.call_once(|| {
|
||||||
let mut root_inode = ROOT_INODE.write().unwrap();
|
let mut root_inode = ROOT_INODE.write().unwrap();
|
||||||
root_inode.fs().sync().expect("failed to sync old rootfs");
|
root_inode.fs().sync().expect("failed to sync old rootfs");
|
||||||
*root_inode = new_root_inode;
|
*root_inode = new_root_inode;
|
||||||
|
*ENTRY_POINTS.write().unwrap() = user_config.entry_points.to_owned();
|
||||||
});
|
});
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|||||||
@ -533,8 +533,7 @@ pub fn do_mount_rootfs(
|
|||||||
}
|
}
|
||||||
let expected_occlum_json_mac = unsafe { occlum_json_mac_ptr.read() };
|
let expected_occlum_json_mac = unsafe { occlum_json_mac_ptr.read() };
|
||||||
let user_config_path = unsafe { format!("{}{}", INSTANCE_DIR, "/build/Occlum.json.protected") };
|
let user_config_path = unsafe { format!("{}{}", INSTANCE_DIR, "/build/Occlum.json.protected") };
|
||||||
let user_mount_config =
|
let user_config = config::load_config(&user_config_path, &expected_occlum_json_mac)?;
|
||||||
config::load_config(&user_config_path, &expected_occlum_json_mac)?.mount;
|
fs_ops::do_mount_rootfs(&user_config, &key)?;
|
||||||
fs_ops::do_mount_rootfs(&user_mount_config, &key)?;
|
|
||||||
Ok(0)
|
Ok(0)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -237,7 +237,7 @@ fn main() {
|
|||||||
default_heap_size: occlum_config.process.default_heap_size,
|
default_heap_size: occlum_config.process.default_heap_size,
|
||||||
default_mmap_size: occlum_config.process.default_mmap_size,
|
default_mmap_size: occlum_config.process.default_mmap_size,
|
||||||
},
|
},
|
||||||
entry_points: occlum_config.entry_points,
|
entry_points: json!(["/bin"]),
|
||||||
env: occlum_config.env,
|
env: occlum_config.env,
|
||||||
mount: gen_sys_mount_config(occlum_conf_init_fs_mac.to_string()),
|
mount: gen_sys_mount_config(occlum_conf_init_fs_mac.to_string()),
|
||||||
};
|
};
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user