diff --git a/tools/init/src/main.rs b/tools/init/src/main.rs
index 9e289255..7be2a331 100644
--- a/tools/init/src/main.rs
+++ b/tools/init/src/main.rs
@@ -37,8 +37,7 @@ fn main() -> Result<(), Box> {
 // User can provide valid path for runtime mount and boot
 // Otherwise, just pass null pointer to do general mount and boot
 let root_config_path: *const i8 = std::ptr::null();
- let ret = unsafe { syscall(
- SYS_MOUNT_FS, key_ptr, root_config_path) };
+ let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, root_config_path) };
 if ret < 0 {
 return Err(Box::new(std::io::Error::last_os_error()));
 }
diff --git a/tools/init_aecs/build.rs b/tools/init_aecs/build.rs
index 5ac7327e..79ae340a 100644
--- a/tools/init_aecs/build.rs
+++ b/tools/init_aecs/build.rs
@@ -6,4 +6,4 @@ fn main() {
 println!("cargo:rustc-link-lib=dylib=ssl");
 println!("cargo:rustc-link-lib=dylib=z");
 println!("cargo:rustc-link-lib=dylib=crypto");
-}
\ No newline at end of file
+}
diff --git a/tools/init_aecs/src/main.rs b/tools/init_aecs/src/main.rs
index 89e87c4d..9944b2c8 100644
--- a/tools/init_aecs/src/main.rs
+++ b/tools/init_aecs/src/main.rs
@@ -5,15 +5,15 @@ extern crate serde_json;
 use libc::syscall;
 use serde::{Deserialize, Serialize};
+use std::env;
 use std::error::Error;
 use std::fs;
 use std::fs::File;
 use std::io::{ErrorKind, Read};
 use std::str;
-use std::env;
 use std::ffi::CString;
-use std::os::raw::{c_int, c_char};
+use std::os::raw::{c_char, c_int};
 #[link(name = "aecs_client")]
 extern "C" {
@@ -24,7 +24,7 @@ extern "C" {
 secret_name: *const c_char,
 nonce: *const c_char,
 secret_outbuf: *const u8,
- secret_outbuf_len: *mut i32
+ secret_outbuf_len: *mut i32,
 ) -> c_int;
 }
@@ -83,7 +83,7 @@ struct InitRAConfig {
 kms_server: String,
 kms_keys: Vec,
 ua_env_pccs_url: String,
- ra_config: RAConfig
+ ra_config: RAConfig,
 }
 fn load_ra_config(ra_conf_path: &str) -> Result> {
@@ -102,16 +102,17 @@ struct KeyInfo {
 val_buf: Vec,
 }
-fn get_kms_keys(kms_keys: Vec, kms_server: CString) -> Result, Box> {
+fn get_kms_keys(
+ kms_keys: Vec,
+ kms_server: CString,
+) -> Result, Box> {
 let mut keys_info: Vec = Vec::new();
 for keys in kms_keys {
 let key = CString::new(&*keys.key).unwrap();
- let service =CString::new(keys.service).unwrap();
+ let service = CString::new(keys.service).unwrap();
 // Max key length is 10K
 let mut buffer: Vec = vec![0; 10240];
- let buffer_ptr: *const u8 = buffer.as_ptr();
 let mut buffer_len: i32 = buffer.len() as i32;
- let len_ptr: *mut i32 = &mut buffer_len as *mut i32;
 let ret = unsafe {
 aecs_client_get_secret_by_buffer(
@@ -120,21 +121,21 @@ fn get_kms_keys(kms_keys: Vec, kms_server: CString) -> Result Result<(), Box> {
 // Extract RA config part
 let ra_conf_string = serde_json::to_string_pretty(&init_ra_conf.ra_config).unwrap();
 fs::create_dir_all("/etc/kubetee")?;
- fs::write("/etc/kubetee/unified_attestation.json", ra_conf_string.clone().into_bytes())?;
+ fs::write(
+ "/etc/kubetee/unified_attestation.json",
+ ra_conf_string.clone().into_bytes(),
+ )?;
 let server_addr = CString::new(init_ra_conf.kms_server).unwrap();
 env::set_var("UA_ENV_PCCS_URL", init_ra_conf.ua_env_pccs_url.clone());
@@ -165,9 +169,7 @@ fn main() -> Result<(), Box> {
 let secret = CString::new("image_key").unwrap();
 let service = CString::new("service1").unwrap();
 let mut buffer: Vec = vec![0; 256];
- let buffer_ptr: *const u8 = buffer.as_ptr();
 let mut buffer_len: i32 = buffer.len() as i32;
- let len_ptr: *mut i32 = &mut buffer_len as *mut i32;
 let ret = unsafe {
 aecs_client_get_secret_by_buffer(
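Review bot: In the reformatted `get_kms_keys` signature hunk, `CString::new(&*keys.key).unwrap()` and the re-spaced `CString::new(keys.service).unwrap()` still abort the init process with a panic if an operator-supplied key or service name contains an interior NUL byte, even though the function already returns a boxed error (`Result<…, Box<dyn Error>>`). `CString::new` returns a `NulError` that converts into that box, so `let key = CString::new(&*keys.key)?;` and `let service = CString::new(keys.service)?;` turn the panic into the same error path the rest of the function uses. The body of `get_kms_keys` continues in the following hunk, whose header and first lines are garbled in this view.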
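Review bot: `ra_conf_string.clone().into_bytes()` in the new `fs::write(` call allocates a full copy of the serialized RA config only to pass it by value; `fs::write` takes `impl AsRef<[u8]>`, so `ra_conf_string.as_bytes()` (or `&ra_conf_string`) does the same job without the clone and leaves the original usable afterwards. The same applies to `init_ra_conf.ua_env_pccs_url.clone()` passed to `env::set_var`, which also accepts a reference. The header of this `main` hunk is truncated in this view, so I cannot see whether `ra_conf_string` is used again further down.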
@@ -176,28 +178,26 @@ fn main() -> Result<(), Box> {
 service.as_ptr(),
 secret.as_ptr(),
 std::ptr::null(),
- buffer_ptr,
- len_ptr
+ buffer.as_ptr(),
+ &mut buffer_len,
 )
 };
 if ret != 0 {
- println!("aecs_client_get_secret_by_buffer failed return {}", ret);
- return Err(Box::new(std::io::Error::last_os_error()));
+ let err_msg = format!("aecs client get key error: {}", ret);
+ return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
 }
 buffer.resize(buffer_len as usize, 0);
- let key_string = String::from_utf8(buffer)
- .expect("error converting to string");
+ let key_string = String::from_utf8(buffer).expect("error converting to string");
 let key_str = key_string
- .trim_end_matches(|c| c == '\r' || c == '\n').to_string();
+ .trim_end_matches(|c| c == '\r' || c == '\n')
+ .to_string();
 let mut key: sgx_key_128bit_t = Default::default();
 parse_str_to_bytes(&key_str, &mut key)?;
 Some(key)
- },
- "integrity-only" => {
- None
- },
+ }
+ "integrity-only" => None,
 _ => unreachable!(),
 };
 let key_ptr = key
@@ -205,16 +205,17 @@ fn main() -> Result<(), Box> {
 .map(|key| key as *const sgx_key_128bit_t)
 .unwrap_or(std::ptr::null());
- let keys_info: Vec =
- get_kms_keys(init_ra_conf.kms_keys, server_addr).unwrap();
+ // Get keys from kms if any
+ let keys_info: Vec = get_kms_keys(init_ra_conf.kms_keys, server_addr)?;
+ // Remove config file
+ fs::remove_dir_all("/etc/kubetee")?;
 // Mount the image
 const SYS_MOUNT_FS: i64 = 363;
 // User can provide valid path for runtime mount and boot
 // Otherwise, just pass null pointer to do general mount and boot
 let root_config_path: *const i8 = std::ptr::null();
- let ret = unsafe { syscall(
- SYS_MOUNT_FS, key_ptr, root_config_path) };
+ let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, root_config_path) };
 if ret < 0 {
 return Err(Box::new(std::io::Error::last_os_error()));
 }
diff --git a/tools/init_grpc_ratls/build.rs b/tools/init_grpc_ratls/build.rs
index cc3578d7..1dd72f39 100644
--- a/tools/init_grpc_ratls/build.rs
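Review bot: `buffer.resize(buffer_len as usize, 0)` right after the new error check trusts the length written back through `&mut buffer_len`, which the previous hunk declares as `i32`: a negative value becomes a huge `usize` and the allocation aborts the init process, and a value above the 256-byte buffer silently zero-pads the key material instead of failing. Validate before resizing, for example `let out_len = usize::try_from(buffer_len).ok().filter(|&n| n <= buffer.len()).ok_or_else(|| std::io::Error::new(ErrorKind::Other, "aecs returned invalid key length"))?;` followed by `buffer.truncate(out_len);`. In the same spirit, `String::from_utf8(buffer).expect("error converting to string")` panics on a non-UTF-8 response from the AECS server; `String::from_utf8(buffer).map_err(|e| std::io::Error::new(ErrorKind::Other, e))?` keeps the error style introduced a few lines above. Note also that `key_string`/`key_str` hold the hex form of the image key and are dropped without being overwritten; whether that matters depends on the enclave's threat model, which this diff does not show. The enclosing `match` and `main` extend beyond the hunk.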
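Review bot: The new `fs::remove_dir_all("/etc/kubetee")?` only executes when `get_kms_keys` succeeds, because the `?` on the preceding line returns first, so on a KMS failure (and on the image-key failure earlier in `main`) the attestation config written to `/etc/kubetee/unified_attestation.json` stays on disk, which is presumably what the "Remove config file" step is meant to prevent. Perform the cleanup before propagating: `let keys_result = get_kms_keys(init_ra_conf.kms_keys, server_addr);` / `fs::remove_dir_all("/etc/kubetee")?;` / `let keys_info: Vec<KeyInfo> = keys_result?;`. A short comment such as `// Remove the RA config written above regardless of the KMS outcome` would document the intent. `keys_info` is not consumed within this hunk, so its later use is outside my view.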
+++ b/tools/init_grpc_ratls/build.rs
@@ -4,4 +4,4 @@ fn main() {
 println!("cargo:rustc-link-lib=dylib=grpc_ratls_client");
 println!("cargo:rustc-link-lib=dylib=hw_grpc_proto");
 println!("cargo:rustc-link-lib=dylib=occlum_dcap");
-}
\ No newline at end of file
+}
diff --git a/tools/init_grpc_ratls/src/main.rs b/tools/init_grpc_ratls/src/main.rs
index f761f035..68b1f6c7 100644
--- a/tools/init_grpc_ratls/src/main.rs
+++ b/tools/init_grpc_ratls/src/main.rs
@@ -12,16 +12,16 @@ use std::io::{ErrorKind, Read};
 use std::str;
 use std::ffi::CString;
-use std::os::raw::{c_int, c_char};
+use std::os::raw::{c_char, c_int};
 #[link(name = "grpc_ratls_client")]
 extern "C" {
 fn grpc_ratls_get_secret_to_buf(
 server_addr: *const c_char, // grpc server address+port, such as "localhost:50051"
 config_json: *const c_char, // ratls handshake config json file
- name: *const c_char, // secret name to be requested
- secret_buf: *const u8, // secret buffer provided by user
- buf_len: *mut u32 // buffer size
+ name: *const c_char, // secret name to be requested
+ secret_buf: *const u8, // secret buffer provided by user
+ buf_len: *mut u32, // buffer size
 ) -> c_int;
 }
@@ -60,7 +60,7 @@ struct KmsKeys {
 struct InitRAConfig {
 kms_server: String,
 kms_keys: Vec,
- ra_config: RAConfig
+ ra_config: RAConfig,
 }
 fn load_ra_config(ra_conf_path: &str) -> Result> {
@@ -79,36 +79,38 @@ struct KeyInfo {
 val_buf: Vec,
 }
-fn get_kms_keys(kms_keys: Vec, kms_server: CString, kms_config: CString) -> Result, Box> {
+fn get_kms_keys(
+ kms_keys: Vec,
+ kms_server: CString,
+ kms_config: CString,
+) -> Result, Box> {
 let mut keys_info: Vec = Vec::new();
 for keys in kms_keys {
 let key = CString::new(&*keys.key).unwrap();
 // Max key length is 10K
 let mut buffer: Vec = vec![0; 10240];
- let buffer_ptr: *const u8 = buffer.as_ptr();
 let mut buffer_len: u32 = buffer.len() as u32;
- let len_ptr: *mut u32 = &mut buffer_len as *mut u32;
 let ret = unsafe {
 grpc_ratls_get_secret_to_buf(
 kms_server.as_ptr(),
 kms_config.as_ptr(),
 key.as_ptr(),
- buffer_ptr,
- len_ptr
+ buffer.as_ptr(),
+ &mut buffer_len,
 )
 };
 if ret != 0 {
- println!("grpc_ratls_get_secret_to_buf failed return {}", ret);
- return Err(Box::new(std::io::Error::last_os_error()));
+ let err_msg = format!("grpc_ratls client get secret error: {}", ret);
+ return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
 }
 buffer.resize(buffer_len as usize, 0);
 let key_info: KeyInfo = KeyInfo {
 path: keys.path.clone(),
- val_buf: buffer.clone()
+ val_buf: buffer.clone(),
 };
 keys_info.push(key_info);
@@ -136,9 +138,7 @@ fn main() -> Result<(), Box> {
 // Get the image encrypted key through RA
 let secret = CString::new("image_key").unwrap();
 let mut buffer: Vec = vec![0; 256];
- let buffer_ptr: *const u8 = buffer.as_ptr();
 let mut buffer_len: u32 = buffer.len() as u32;
- let len_ptr: *mut u32 = &mut buffer_len as *mut u32;
 //Read to buffer instead of file system for better security
 let ret = unsafe {
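Review bot: `buffer.resize(buffer_len as usize, 0)` after the new error check trusts the length the client writes back through `&mut buffer_len`; if the library ever reports a value larger than the 10240-byte buffer (for instance the size it would have needed), `resize` grows the vector with zero bytes and a truncated, zero-padded secret is stored in `val_buf` with no error. Bound it first: `if buffer_len as usize > buffer.len() { return Err(Box::new(std::io::Error::new(ErrorKind::Other, "kms secret length exceeds buffer"))); }` and then `buffer.truncate(buffer_len as usize);`. Separately, `val_buf: buffer.clone(),` leaves a second copy of the key material in the heap block that is freed when `buffer` drops at the end of the iteration; `buffer` is not used afterwards, so `val_buf: buffer,` moves it and avoids the stray copy. `CString::new(&*keys.key).unwrap()` can also become `?`, since the function already returns a boxed error. The loop and function continue past the hunk.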
@@ -146,28 +146,26 @@ fn main() -> Result<(), Box> {
 server_addr.as_ptr(),
 config_json.as_ptr(),
 secret.as_ptr(),
- buffer_ptr,
- len_ptr
+ buffer.as_ptr(),
+ &mut buffer_len,
 )
 };
 if ret != 0 {
- println!("grpc_ratls_get_secret failed return {}", ret);
- return Err(Box::new(std::io::Error::last_os_error()));
+ let err_msg = format!("grpc_ratls client get secret error: {}", ret);
+ return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
 }
 buffer.resize(buffer_len as usize, 0);
- let key_string = String::from_utf8(buffer)
- .expect("error converting to string");
+ let key_string = String::from_utf8(buffer).expect("error converting to string");
 let key_str = key_string
- .trim_end_matches(|c| c == '\r' || c == '\n').to_string();
+ .trim_end_matches(|c| c == '\r' || c == '\n')
+ .to_string();
 let mut key: sgx_key_128bit_t = Default::default();
 parse_str_to_bytes(&key_str, &mut key)?;
 Some(key)
- },
- "integrity-only" => {
- None
- },
+ }
+ "integrity-only" => None,
 _ => unreachable!(),
 };
 let key_ptr = key
@@ -175,16 +173,17 @@ fn main() -> Result<(), Box> {
 .map(|key| key as *const sgx_key_128bit_t)
 .unwrap_or(std::ptr::null());
- let keys_info: Vec =
- get_kms_keys(init_ra_conf.kms_keys, server_addr, config_json).unwrap();
+ // Get keys from kms if any
+ let keys_info: Vec = get_kms_keys(init_ra_conf.kms_keys, server_addr, config_json)?;
+ // Remove config file
+ fs::remove_file("ra_config.json")?;
 // Mount the image
 const SYS_MOUNT_FS: i64 = 363;
 // User can provide valid path for runtime mount and boot
 // Otherwise, just pass null pointer to do general mount and boot
 let root_config_path: *const i8 = std::ptr::null();
- let ret = unsafe { syscall(
- SYS_MOUNT_FS, key_ptr, root_config_path) };
+ let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, root_config_path) };
 if ret < 0 {
 return Err(Box::new(std::io::Error::last_os_error()));
 }
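Review bot: The new `buffer.as_ptr(),` argument hands `grpc_ratls_get_secret_to_buf` a `*const u8` derived from a shared borrow, yet the callee fills that buffer with the secret (the `secret_buf: *const u8` parameter in the earlier extern hunk carries the same mismatch); a write through a pointer obtained from `as_ptr()` is undefined behaviour under Rust's aliasing model (Miri reports it) even though it happens to work today. Declare the parameter `secret_buf: *mut u8` and pass `buffer.as_mut_ptr()` — `buffer` is already bound with `let mut`. Also, `String::from_utf8(buffer).expect("error converting to string")` aborts the init process if the KMS returns non-UTF-8 bytes; `String::from_utf8(buffer).map_err(|e| std::io::Error::new(ErrorKind::Other, e))?` keeps the error style of the lines just above, and `buffer_len as usize` should be checked against `buffer.len()` before the `resize` so an oversized reported length cannot zero-pad the key. The enclosing `match` arm starts and `main` continues outside the hunk.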
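Review bot: `fs::remove_file("ra_config.json")?` only runs when `get_kms_keys` succeeded, because the `?` on the line above returns first; on a KMS failure, or on the image-key failure earlier in `main`, the RA config is left behind, which the "Remove config file" step presumably intends to avoid. Remove it before propagating: `let keys_result = get_kms_keys(init_ra_conf.kms_keys, server_addr, config_json);` / `fs::remove_file("ra_config.json")?;` / `let keys_info: Vec<KeyInfo> = keys_result?;`. The path is also relative to the process's working directory, unlike the absolute `/etc/kubetee` path used by the sibling `init_aecs` tool in this same diff; if it is the file `load_ra_config` read earlier, reusing that path value keeps the two in sync. Whether the leftover file matters depends on what `ra_config` holds, which this hunk does not show.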