[init] Clean up and format the init

Zheng, Qi 2023-06-01 14:17:55 +08:00 committed by volcano
parent 1d24a1e83c
commit 887fbf2441
5 changed files with 64 additions and 65 deletions

@ -37,8 +37,7 @@ fn main() -> Result<(), Box<dyn Error>> {
// User can provide valid path for runtime mount and boot // User can provide valid path for runtime mount and boot
// Otherwise, just pass null pointer to do general mount and boot // Otherwise, just pass null pointer to do general mount and boot
let root_config_path: *const i8 = std::ptr::null(); let root_config_path: *const i8 = std::ptr::null();
let ret = unsafe { syscall( let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, root_config_path) };
SYS_MOUNT_FS, key_ptr, root_config_path) };
if ret < 0 { if ret < 0 {
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::last_os_error()));
} }

@ -5,15 +5,15 @@ extern crate serde_json;
use libc::syscall; use libc::syscall;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::env;
use std::error::Error; use std::error::Error;
use std::fs; use std::fs;
use std::fs::File; use std::fs::File;
use std::io::{ErrorKind, Read}; use std::io::{ErrorKind, Read};
use std::str; use std::str;
use std::env;
use std::ffi::CString; use std::ffi::CString;
use std::os::raw::{c_int, c_char}; use std::os::raw::{c_char, c_int};
#[link(name = "aecs_client")] #[link(name = "aecs_client")]
extern "C" { extern "C" {
@ -24,7 +24,7 @@ extern "C" {
secret_name: *const c_char, secret_name: *const c_char,
nonce: *const c_char, nonce: *const c_char,
secret_outbuf: *const u8, secret_outbuf: *const u8,
secret_outbuf_len: *mut i32 secret_outbuf_len: *mut i32,
) -> c_int; ) -> c_int;
} }
@ -83,7 +83,7 @@ struct InitRAConfig {
kms_server: String, kms_server: String,
kms_keys: Vec<KmsKeys>, kms_keys: Vec<KmsKeys>,
ua_env_pccs_url: String, ua_env_pccs_url: String,
ra_config: RAConfig ra_config: RAConfig,
} }
fn load_ra_config(ra_conf_path: &str) -> Result<InitRAConfig, Box<dyn Error>> { fn load_ra_config(ra_conf_path: &str) -> Result<InitRAConfig, Box<dyn Error>> {
@ -102,16 +102,17 @@ struct KeyInfo {
val_buf: Vec<u8>, val_buf: Vec<u8>,
} }
fn get_kms_keys(kms_keys: Vec<KmsKeys>, kms_server: CString) -> Result<Vec<KeyInfo>, Box<dyn Error>> { fn get_kms_keys(
kms_keys: Vec<KmsKeys>,
kms_server: CString,
) -> Result<Vec<KeyInfo>, Box<dyn Error>> {
let mut keys_info: Vec<KeyInfo> = Vec::new(); let mut keys_info: Vec<KeyInfo> = Vec::new();
for keys in kms_keys { for keys in kms_keys {
let key = CString::new(&*keys.key).unwrap(); let key = CString::new(&*keys.key).unwrap();
let service =CString::new(keys.service).unwrap(); let service = CString::new(keys.service).unwrap();
// Max key length is 10K // Max key length is 10K
let mut buffer: Vec<u8> = vec![0; 10240]; let mut buffer: Vec<u8> = vec![0; 10240];
let buffer_ptr: *const u8 = buffer.as_ptr();
let mut buffer_len: i32 = buffer.len() as i32; let mut buffer_len: i32 = buffer.len() as i32;
let len_ptr: *mut i32 = &mut buffer_len as *mut i32;
let ret = unsafe { let ret = unsafe {
aecs_client_get_secret_by_buffer( aecs_client_get_secret_by_buffer(
@ -120,21 +121,21 @@ fn get_kms_keys(kms_keys: Vec<KmsKeys>, kms_server: CString) -> Result<Vec<KeyIn
service.as_ptr(), service.as_ptr(),
key.as_ptr(), key.as_ptr(),
std::ptr::null(), std::ptr::null(),
buffer_ptr, buffer.as_ptr(),
len_ptr &mut buffer_len,
) )
}; };
if ret != 0 { if ret != 0 {
println!("aecs_client_get_secret_by_buffer failed return {}", ret); let err_msg = format!("aecs client get key error: {}", ret);
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
} }
buffer.resize(buffer_len as usize, 0); buffer.resize(buffer_len as usize, 0);
let key_info: KeyInfo = KeyInfo { let key_info: KeyInfo = KeyInfo {
path: keys.path.clone(), path: keys.path.clone(),
val_buf: buffer.clone() val_buf: buffer.clone(),
}; };
keys_info.push(key_info); keys_info.push(key_info);
@ -153,7 +154,10 @@ fn main() -> Result<(), Box<dyn Error>> {
// Extract RA config part // Extract RA config part
let ra_conf_string = serde_json::to_string_pretty(&init_ra_conf.ra_config).unwrap(); let ra_conf_string = serde_json::to_string_pretty(&init_ra_conf.ra_config).unwrap();
fs::create_dir_all("/etc/kubetee")?; fs::create_dir_all("/etc/kubetee")?;
fs::write("/etc/kubetee/unified_attestation.json", ra_conf_string.clone().into_bytes())?; fs::write(
"/etc/kubetee/unified_attestation.json",
ra_conf_string.clone().into_bytes(),
)?;
let server_addr = CString::new(init_ra_conf.kms_server).unwrap(); let server_addr = CString::new(init_ra_conf.kms_server).unwrap();
env::set_var("UA_ENV_PCCS_URL", init_ra_conf.ua_env_pccs_url.clone()); env::set_var("UA_ENV_PCCS_URL", init_ra_conf.ua_env_pccs_url.clone());
@ -165,9 +169,7 @@ fn main() -> Result<(), Box<dyn Error>> {
let secret = CString::new("image_key").unwrap(); let secret = CString::new("image_key").unwrap();
let service = CString::new("service1").unwrap(); let service = CString::new("service1").unwrap();
let mut buffer: Vec<u8> = vec![0; 256]; let mut buffer: Vec<u8> = vec![0; 256];
let buffer_ptr: *const u8 = buffer.as_ptr();
let mut buffer_len: i32 = buffer.len() as i32; let mut buffer_len: i32 = buffer.len() as i32;
let len_ptr: *mut i32 = &mut buffer_len as *mut i32;
let ret = unsafe { let ret = unsafe {
aecs_client_get_secret_by_buffer( aecs_client_get_secret_by_buffer(
@ -176,28 +178,26 @@ fn main() -> Result<(), Box<dyn Error>> {
service.as_ptr(), service.as_ptr(),
secret.as_ptr(), secret.as_ptr(),
std::ptr::null(), std::ptr::null(),
buffer_ptr, buffer.as_ptr(),
len_ptr &mut buffer_len,
) )
}; };
if ret != 0 { if ret != 0 {
println!("aecs_client_get_secret_by_buffer failed return {}", ret); let err_msg = format!("aecs client get key error: {}", ret);
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
} }
buffer.resize(buffer_len as usize, 0); buffer.resize(buffer_len as usize, 0);
let key_string = String::from_utf8(buffer) let key_string = String::from_utf8(buffer).expect("error converting to string");
.expect("error converting to string");
let key_str = key_string let key_str = key_string
.trim_end_matches(|c| c == '\r' || c == '\n').to_string(); .trim_end_matches(|c| c == '\r' || c == '\n')
.to_string();
let mut key: sgx_key_128bit_t = Default::default(); let mut key: sgx_key_128bit_t = Default::default();
parse_str_to_bytes(&key_str, &mut key)?; parse_str_to_bytes(&key_str, &mut key)?;
Some(key) Some(key)
}, }
"integrity-only" => { "integrity-only" => None,
None
},
_ => unreachable!(), _ => unreachable!(),
}; };
let key_ptr = key let key_ptr = key
@ -205,16 +205,17 @@ fn main() -> Result<(), Box<dyn Error>> {
.map(|key| key as *const sgx_key_128bit_t) .map(|key| key as *const sgx_key_128bit_t)
.unwrap_or(std::ptr::null()); .unwrap_or(std::ptr::null());
let keys_info: Vec<KeyInfo> = // Get keys from kms if any
get_kms_keys(init_ra_conf.kms_keys, server_addr).unwrap(); let keys_info: Vec<KeyInfo> = get_kms_keys(init_ra_conf.kms_keys, server_addr)?;
// Remove config file
fs::remove_dir_all("/etc/kubetee")?;
// Mount the image // Mount the image
const SYS_MOUNT_FS: i64 = 363; const SYS_MOUNT_FS: i64 = 363;
// User can provide valid path for runtime mount and boot // User can provide valid path for runtime mount and boot
// Otherwise, just pass null pointer to do general mount and boot // Otherwise, just pass null pointer to do general mount and boot
let root_config_path: *const i8 = std::ptr::null(); let root_config_path: *const i8 = std::ptr::null();
let ret = unsafe { syscall( let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, root_config_path) };
SYS_MOUNT_FS, key_ptr, root_config_path) };
if ret < 0 { if ret < 0 {
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::last_os_error()));
} }
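Review bot: The secret output buffer is still handed to the C library through a shared pointer: the `aecs_client_get_secret_by_buffer` calls in `get_kms_keys` and in `main` pass `buffer.as_ptr()` for a parameter declared `secret_outbuf: *const u8`, yet the library fills that buffer and the Rust side then reads `buffer` back. Declaring the parameter `secret_outbuf: *mut u8` and passing `buffer.as_mut_ptr()` makes the write visible to the compiler instead of mutating through a pointer derived from a shared borrow; the same pattern is in the grpc_ratls file (`grpc_ratls_get_secret_to_buf` with `secret_buf: *const u8` and its two `buffer.as_ptr()` call sites). Separately, `buffer.resize(buffer_len as usize, 0)` trusts the length the library reports, so a negative or oversized `buffer_len` would silently grow the vector with zero bytes rather than fail; a check such as `if buffer_len < 0 || buffer_len as usize > buffer.len() { return Err(...) }` before the resize would be safer (in the grpc file `buffer_len` is `u32`, so only the upper bound applies). Note also that the new `fs::remove_dir_all("/etc/kubetee")` runs only on the success path, so the attestation config written earlier in `main` is left on disk whenever `get_kms_keys` or the image-key fetch returns early.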

@ -12,16 +12,16 @@ use std::io::{ErrorKind, Read};
use std::str; use std::str;
use std::ffi::CString; use std::ffi::CString;
use std::os::raw::{c_int, c_char}; use std::os::raw::{c_char, c_int};
#[link(name = "grpc_ratls_client")] #[link(name = "grpc_ratls_client")]
extern "C" { extern "C" {
fn grpc_ratls_get_secret_to_buf( fn grpc_ratls_get_secret_to_buf(
server_addr: *const c_char, // grpc server address+port, such as "localhost:50051" server_addr: *const c_char, // grpc server address+port, such as "localhost:50051"
config_json: *const c_char, // ratls handshake config json file config_json: *const c_char, // ratls handshake config json file
name: *const c_char, // secret name to be requested name: *const c_char, // secret name to be requested
secret_buf: *const u8, // secret buffer provided by user secret_buf: *const u8, // secret buffer provided by user
buf_len: *mut u32 // buffer size buf_len: *mut u32, // buffer size
) -> c_int; ) -> c_int;
} }
@ -60,7 +60,7 @@ struct KmsKeys {
struct InitRAConfig { struct InitRAConfig {
kms_server: String, kms_server: String,
kms_keys: Vec<KmsKeys>, kms_keys: Vec<KmsKeys>,
ra_config: RAConfig ra_config: RAConfig,
} }
fn load_ra_config(ra_conf_path: &str) -> Result<InitRAConfig, Box<dyn Error>> { fn load_ra_config(ra_conf_path: &str) -> Result<InitRAConfig, Box<dyn Error>> {
@ -79,36 +79,38 @@ struct KeyInfo {
val_buf: Vec<u8>, val_buf: Vec<u8>,
} }
fn get_kms_keys(kms_keys: Vec<KmsKeys>, kms_server: CString, kms_config: CString) -> Result<Vec<KeyInfo>, Box<dyn Error>> { fn get_kms_keys(
kms_keys: Vec<KmsKeys>,
kms_server: CString,
kms_config: CString,
) -> Result<Vec<KeyInfo>, Box<dyn Error>> {
let mut keys_info: Vec<KeyInfo> = Vec::new(); let mut keys_info: Vec<KeyInfo> = Vec::new();
for keys in kms_keys { for keys in kms_keys {
let key = CString::new(&*keys.key).unwrap(); let key = CString::new(&*keys.key).unwrap();
// Max key length is 10K // Max key length is 10K
let mut buffer: Vec<u8> = vec![0; 10240]; let mut buffer: Vec<u8> = vec![0; 10240];
let buffer_ptr: *const u8 = buffer.as_ptr();
let mut buffer_len: u32 = buffer.len() as u32; let mut buffer_len: u32 = buffer.len() as u32;
let len_ptr: *mut u32 = &mut buffer_len as *mut u32;
let ret = unsafe { let ret = unsafe {
grpc_ratls_get_secret_to_buf( grpc_ratls_get_secret_to_buf(
kms_server.as_ptr(), kms_server.as_ptr(),
kms_config.as_ptr(), kms_config.as_ptr(),
key.as_ptr(), key.as_ptr(),
buffer_ptr, buffer.as_ptr(),
len_ptr &mut buffer_len,
) )
}; };
if ret != 0 { if ret != 0 {
println!("grpc_ratls_get_secret_to_buf failed return {}", ret); let err_msg = format!("grpc_ratls client get secret error: {}", ret);
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
} }
buffer.resize(buffer_len as usize, 0); buffer.resize(buffer_len as usize, 0);
let key_info: KeyInfo = KeyInfo { let key_info: KeyInfo = KeyInfo {
path: keys.path.clone(), path: keys.path.clone(),
val_buf: buffer.clone() val_buf: buffer.clone(),
}; };
keys_info.push(key_info); keys_info.push(key_info);
@ -136,9 +138,7 @@ fn main() -> Result<(), Box<dyn Error>> {
// Get the image encrypted key through RA // Get the image encrypted key through RA
let secret = CString::new("image_key").unwrap(); let secret = CString::new("image_key").unwrap();
let mut buffer: Vec<u8> = vec![0; 256]; let mut buffer: Vec<u8> = vec![0; 256];
let buffer_ptr: *const u8 = buffer.as_ptr();
let mut buffer_len: u32 = buffer.len() as u32; let mut buffer_len: u32 = buffer.len() as u32;
let len_ptr: *mut u32 = &mut buffer_len as *mut u32;
//Read to buffer instead of file system for better security //Read to buffer instead of file system for better security
let ret = unsafe { let ret = unsafe {
@ -146,28 +146,26 @@ fn main() -> Result<(), Box<dyn Error>> {
server_addr.as_ptr(), server_addr.as_ptr(),
config_json.as_ptr(), config_json.as_ptr(),
secret.as_ptr(), secret.as_ptr(),
buffer_ptr, buffer.as_ptr(),
len_ptr &mut buffer_len,
) )
}; };
if ret != 0 { if ret != 0 {
println!("grpc_ratls_get_secret failed return {}", ret); let err_msg = format!("grpc_ratls client get secret error: {}", ret);
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::new(ErrorKind::Other, err_msg)));
} }
buffer.resize(buffer_len as usize, 0); buffer.resize(buffer_len as usize, 0);
let key_string = String::from_utf8(buffer) let key_string = String::from_utf8(buffer).expect("error converting to string");
.expect("error converting to string");
let key_str = key_string let key_str = key_string
.trim_end_matches(|c| c == '\r' || c == '\n').to_string(); .trim_end_matches(|c| c == '\r' || c == '\n')
.to_string();
let mut key: sgx_key_128bit_t = Default::default(); let mut key: sgx_key_128bit_t = Default::default();
parse_str_to_bytes(&key_str, &mut key)?; parse_str_to_bytes(&key_str, &mut key)?;
Some(key) Some(key)
}, }
"integrity-only" => { "integrity-only" => None,
None
},
_ => unreachable!(), _ => unreachable!(),
}; };
let key_ptr = key let key_ptr = key
@ -175,16 +173,17 @@ fn main() -> Result<(), Box<dyn Error>> {
.map(|key| key as *const sgx_key_128bit_t) .map(|key| key as *const sgx_key_128bit_t)
.unwrap_or(std::ptr::null()); .unwrap_or(std::ptr::null());
let keys_info: Vec<KeyInfo> = // Get keys from kms if any
get_kms_keys(init_ra_conf.kms_keys, server_addr, config_json).unwrap(); let keys_info: Vec<KeyInfo> = get_kms_keys(init_ra_conf.kms_keys, server_addr, config_json)?;
// Remove config file
fs::remove_file("ra_config.json")?;
// Mount the image // Mount the image
const SYS_MOUNT_FS: i64 = 363; const SYS_MOUNT_FS: i64 = 363;
// User can provide valid path for runtime mount and boot // User can provide valid path for runtime mount and boot
// Otherwise, just pass null pointer to do general mount and boot // Otherwise, just pass null pointer to do general mount and boot
let root_config_path: *const i8 = std::ptr::null(); let root_config_path: *const i8 = std::ptr::null();
let ret = unsafe { syscall( let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, root_config_path) };
SYS_MOUNT_FS, key_ptr, root_config_path) };
if ret < 0 { if ret < 0 {
return Err(Box::new(std::io::Error::last_os_error())); return Err(Box::new(std::io::Error::last_os_error()));
} }
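Review bot: `fs::remove_file("ra_config.json")?` in `main` deletes by a relative path, so which file is removed depends on the working directory init was started in, and a NotFound error here aborts the boot after the secrets have already been fetched. The part of `main` that loads the config is outside the hunk; if the path given to `load_ra_config` is held in a variable there, reuse it here, e.g. `fs::remove_file(&<config path variable>)?;`, otherwise state the assumption with a comment such as `// assumes cwd is the directory ra_config.json was loaded from`. The aecs variant of this file removes its config under an absolute `/etc/kubetee` path, so the two inits currently disagree on where the config lives and how it is cleaned up.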