From e28c88641bd257253709849ca8f4fd96c8fc2407 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Thu, 19 Oct 2023 09:19:11 +0300
Subject: [PATCH] shim: pass seal data prepared by enclave-agent to runtime-boot

Signed-off-by: Mikko Ylinen
---
 src/shim/runtime/v2/rune/v2/create.go | 12 ++++++++++--
 .../packaging/build/agent-enclave-bundle/Dockerfile | 3 ++-
 .../agent-enclave-bundle/enclave-agent-cc-kbc.yaml | 3 +++
 .../enclave-agent-sample-kbc.yaml | 3 +++
 tools/packaging/build/agent-enclave-bundle/jq.filter | 4 ++++
 5 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/shim/runtime/v2/rune/v2/create.go b/src/shim/runtime/v2/rune/v2/create.go
index e734345e..e8957d7b 100644
--- a/src/shim/runtime/v2/rune/v2/create.go
+++ b/src/shim/runtime/v2/rune/v2/create.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/config"
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/oci"
@@ -108,7 +109,14 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 		}
 	}
 	// sefsDir store the unionfs images (based on sefs)
-	sefsDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid)
+	lowerdirs := []string{
+		filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid),
+		filepath.Join(bootContainerPath, "rootfs"),
+	}
+	sealDataDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/keys", cid)
+	if _, err := os.Stat(sealDataDir); !os.IsNotExist(err) {
+		lowerdirs = append(lowerdirs, sealDataDir)
+	}
 	var options []string
 
 	// Set index=off when mount overlayfs
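Review bot: The `os.Stat(sealDataDir)` guard in the second hunk treats every error other than "not exist" as "directory present": a permission error, an ENOTDIR on a partially populated merged rootfs or a transient I/O error still appends `sealDataDir` to `lowerdirs`, so the overlay mount built from `options` later either fails with an opaque lowerdir error or layers in a path the shim never verified as a directory. The narrower form is `if _, err := os.Stat(sealDataDir); err == nil {`, and if handlePodContainer already propagates errors (its body starts and ends outside the hunk) the non-ENOENT case should be returned rather than guessed at. The comment kept above the change, `// sefsDir store the unionfs images (based on sefs)`, still names the removed `sefsDir`; reword it to `// lowerdirs: the sefs-based unionfs image of this container, the runtime-boot rootfs and, when enclave-agent prepared one, the per-container seal data directory`.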
@@ -117,7 +125,7 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 		fmt.Sprintf("workdir=%s", filepath.Join(workDir)),
 		fmt.Sprintf("upperdir=%s", filepath.Join(upperDir)),
 	)
-	options = append(options, fmt.Sprintf("lowerdir=%s:%s", sefsDir, filepath.Join(bootContainerPath, "rootfs")))
+	options = append(options, fmt.Sprintf("lowerdir=%s", strings.Join(lowerdirs, ":")))
 	r.Rootfs = append(r.Rootfs, &types.Mount{
 		Type: "overlay",
 		Source: "overlay",
diff --git a/tools/packaging/build/agent-enclave-bundle/Dockerfile b/tools/packaging/build/agent-enclave-bundle/Dockerfile
index a97760a9..e46647af 100644
--- a/tools/packaging/build/agent-enclave-bundle/Dockerfile
+++ b/tools/packaging/build/agent-enclave-bundle/Dockerfile
@@ -72,7 +72,8 @@ RUN export PATH="$PATH:/opt/occlum/build/bin" && \
 # TODO: add new build stage and copy occlum_instance.tar.gz to it
 WORKDIR /run/rune
 RUN tar xzf /run/enclave-agent/occlum_instance/occlum_instance.tar.gz && \
-    rm -rf /run/enclave-agent
+    rm -rf /run/enclave-agent && \
+    mkdir /keys
 
 RUN rm -rf $HOME/.cargo $HOME/.rustup /enclave-cc && sed -e '/cargo/d' -i /root/.profile && sed -e '/cargo/d' -i /root/.bashrc
 RUN apt-get purge -y wget gnupg tzdata jq occlum occlum-pal occlum-toolchains-glibc make binutils libfuse2 libfuse3-3 ca-certificates rsync build-essential cmake git && apt-get autoremove -y
diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
index e2d93ab6..0ee1c13e 100644
--- a/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
+++ b/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - keys
   - target: /bin
     copy:
       - files:
diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
index e2d93ab6..0ee1c13e 100644
--- a/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
+++ b/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - keys
   - target: /bin
     copy:
       - files:
diff --git a/tools/packaging/build/agent-enclave-bundle/jq.filter b/tools/packaging/build/agent-enclave-bundle/jq.filter
index 25951a0b..d9702a71 100644
--- a/tools/packaging/build/agent-enclave-bundle/jq.filter
+++ b/tools/packaging/build/agent-enclave-bundle/jq.filter
@@ -8,5 +8,9 @@
   "target": "/etc/",
   "type": "hostfs",
   "source": "/configs"
+},{
+  "target": "/keys/",
+  "type": "hostfs",
+  "source": "/keys"
 }] |
 if $ENV.SGX_MODE == "SIM" then .metadata.debuggable = true else .metadata.debuggable = false end
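Review bot: The new `"type": "hostfs"` entry for `/keys/` gives the enclave agent a directory that, like `/configs`, is backed by a plain host-side directory, and nothing in jq.filter records that the contents leave the enclave boundary; a reader sees two identical-looking hostfs entries with very different trust expectations, and the only hint that the data is protected is the word "seal" in the commit subject. A one-line jq comment above the new entry would pin the contract, e.g. `# /keys is hostfs: the host can read it, so only sealed (encrypted) data may be written here`. The same directory is created by the two enclave-agent-*-kbc.yaml hunks and by `mkdir /keys` in the Dockerfile hunk, so the comment is also the natural place to name that the shim reads it back from `merged/rootfs/keys/<cid>`.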