shim: pass seal data prepared by enclave-agent to runtime-boot

Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Nov 9, 2023 · e28c886 · e28c886
1 parent bed141f
commit e28c886
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 3 deletions.
diff --git a/src/shim/runtime/v2/rune/v2/create.go b/src/shim/runtime/v2/rune/v2/create.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/config"
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/oci"
@@ -108,7 +109,14 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 			}
 		}
 		// sefsDir store the unionfs images (based on sefs)
-		sefsDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid)
+		lowerdirs := []string{
+			filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid),
+			filepath.Join(bootContainerPath, "rootfs"),
+		}
+		sealDataDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/keys", cid)
+		if _, err := os.Stat(sealDataDir); !os.IsNotExist(err) {
+			lowerdirs = append(lowerdirs, sealDataDir)
+		}
 
 		var options []string
 		// Set index=off when mount overlayfs
@@ -117,7 +125,7 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 			fmt.Sprintf("workdir=%s", filepath.Join(workDir)),
 			fmt.Sprintf("upperdir=%s", filepath.Join(upperDir)),
 		)
-		options = append(options, fmt.Sprintf("lowerdir=%s:%s", sefsDir, filepath.Join(bootContainerPath, "rootfs")))
+		options = append(options, fmt.Sprintf("lowerdir=%s", strings.Join(lowerdirs, ":")))
 		r.Rootfs = append(r.Rootfs, &types.Mount{
 			Type:    "overlay",
 			Source:  "overlay",

diff --git a/tools/packaging/build/agent-enclave-bundle/Dockerfile b/tools/packaging/build/agent-enclave-bundle/Dockerfile
@@ -72,7 +72,8 @@ RUN export PATH="$PATH:/opt/occlum/build/bin" && \
 # TODO: add new build stage and copy occlum_instance.tar.gz to it
 WORKDIR /run/rune
 RUN tar xzf /run/enclave-agent/occlum_instance/occlum_instance.tar.gz && \
-    rm -rf /run/enclave-agent
+    rm -rf /run/enclave-agent && \
+    mkdir /keys
 
 RUN rm -rf $HOME/.cargo $HOME/.rustup /enclave-cc && sed -e '/cargo/d' -i /root/.profile && sed -e '/cargo/d' -i /root/.bashrc
 RUN apt-get purge -y wget gnupg tzdata jq occlum occlum-pal occlum-toolchains-glibc make binutils libfuse2 libfuse3-3 ca-certificates rsync build-essential cmake git && apt-get autoremove -y

diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - keys
   - target: /bin
     copy:
       - files:

diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - keys
   - target: /bin
     copy:
       - files:

diff --git a/tools/packaging/build/agent-enclave-bundle/jq.filter b/tools/packaging/build/agent-enclave-bundle/jq.filter
@@ -8,5 +8,9 @@
    "target": "/etc/",
    "type": "hostfs",
    "source": "/configs"
+},{
+   "target": "/keys/",
+   "type": "hostfs",
+   "source": "/keys"
 }] |
 if $ENV.SGX_MODE == "SIM" then .metadata.debuggable = true else .metadata.debuggable = false end