Random Key

src/enclave-agent/Cargo.toml

@@ -13,7 +13,7 @@ clap = "2.33.3"
 # logger module
 env_logger = "0.10.0"
 
-image-rs = { git = "https://github.com/confidential-containers/guest-components.git", default-features = false, rev = "fe8fb1a" }
+image-rs = { git = "https://github.com/piotrpalcz/image-rs.git", default-features = false, branch = "random_key_2" }
 kata-sys-util = { git = "https://github.com/kata-containers/kata-containers", rev = "4b57c04c3379d6adc7f440d156f0e4c42ac157df" }
 log = "0.4.11"
 protocols = { path = "../libs/protocols" }

src/runtime-boot/init/Cargo.toml

@@ -8,3 +8,5 @@ edition = "2018"
 libc = "0.2.147"
 serde = { version = "1.0.183", features = ["derive"] }
 serde_json = "1.0.104"
+nix = { version = "0.26" }
+anyhow = { version = "1.0", default-features = false }

src/runtime-boot/init/src/main.rs

@@ -4,30 +4,44 @@ extern crate serde_json;
 
 use libc::syscall;
 
+use anyhow::Result;
+use nix::mount::MsFlags;
 use std::error::Error;
+use std::ffi::CString;
+use std::fs;
 use std::fs::File;
 use std::io::prelude::*;
 use std::io::{ErrorKind, Read};
 
-use std::ffi::CString;
 use std::mem::size_of;
+use std::path::Path;
 
 fn main() -> Result<(), Box<dyn Error>> {
-    // TODO: Get the rootfs key and other parameters through RA/LA or PAL
-    let rootfs_key = b"c7-32-b3-ed-44-df-ec-7b-25-2d-9a-32-38-8d-58-61";
     let rootfs_upper_layer = "/sefs/upper";
     let rootfs_lower_layer = "/sefs/lower";
     let rootfs_entry = "/";
 
-    // Get the key of FS image if needed
+    // Create and mount directory for fs key from agent enclave
+    fs::create_dir("/mnt");
+    let fs_type = String::from("hostfs");
+    let source = Path::new("/host");
+    let mount_path = Path::new("/mnt");
+    let flags = MsFlags::empty();
+    let source_c = CString::new(source.to_str().unwrap()).unwrap();
+    let mountpoint_c = CString::new(mount_path.to_str().unwrap()).unwrap();
+    nix::mount::mount(
+        Some(fs_type.as_str()),
+        mountpoint_c.as_c_str(),
+        Some(fs_type.as_str()),
+        flags,
+        Some("dir=/keys"),
+    )
+    .unwrap_or_else(|e| panic!("mount failed: {e}"));
+
+    let KEY_FILE: &str = "/mnt/key.txt";
+    // Get the key of FS image
     let key = {
-        const IMAGE_KEY_FILE: &str = "/etc/image_key";
-        // TODO: Get the key through RA or LA
-        let mut file = File::create(IMAGE_KEY_FILE)?;
-        // Writes key.
-        file.write_all(rootfs_key)?;
-
-        let key_str = load_key(IMAGE_KEY_FILE)?;
+        let key_str = load_key(KEY_FILE)?;
         let mut key: sgx_key_128bit_t = Default::default();
         parse_str_to_bytes(&key_str, &mut key)?;
         Some(key)

src/shim/runtime/v2/rune/v2/create.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/config"
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/oci"
@@ -108,7 +109,14 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 			}
 		}
 		// sefsDir store the unionfs images (based on sefs)
-		sefsDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid)
+		lowerdirs := []string{
+			filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid),
+			filepath.Join(bootContainerPath, "rootfs"),
+		}
+		sealDataDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/keys", cid)
+		if _, err := os.Stat(sealDataDir); !os.IsNotExist(err) {
+			lowerdirs = append(lowerdirs, sealDataDir)
+		}
 
 		var options []string
 		// Set index=off when mount overlayfs
@@ -117,7 +125,7 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 			fmt.Sprintf("workdir=%s", filepath.Join(workDir)),
 			fmt.Sprintf("upperdir=%s", filepath.Join(upperDir)),
 		)
-		options = append(options, fmt.Sprintf("lowerdir=%s:%s", sefsDir, filepath.Join(bootContainerPath, "rootfs")))
+		options = append(options, fmt.Sprintf("lowerdir=%s", strings.Join(lowerdirs, ":")))
 		r.Rootfs = append(r.Rootfs, &types.Mount{
 			Type:    "overlay",
 			Source:  "overlay",

tools/packaging/build/agent-enclave-bundle/Dockerfile

@@ -72,7 +72,8 @@ RUN export PATH="$PATH:/opt/occlum/build/bin" && \
 # TODO: add new build stage and copy occlum_instance.tar.gz to it
 WORKDIR /run/rune
 RUN tar xzf /run/enclave-agent/occlum_instance/occlum_instance.tar.gz && \
-    rm -rf /run/enclave-agent
+    rm -rf /run/enclave-agent && \
+    mkdir /keys
 
 RUN rm -rf $HOME/.cargo $HOME/.rustup /enclave-cc && sed -e '/cargo/d' -i /root/.profile && sed -e '/cargo/d' -i /root/.bashrc
 RUN apt-get purge -y wget gnupg tzdata jq occlum occlum-pal occlum-toolchains-glibc make binutils libfuse2 libfuse3-3 ca-certificates rsync build-essential cmake git && apt-get autoremove -y

tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml

@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - keys
   - target: /bin
     copy:
       - files:

tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml

@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - keys
   - target: /bin
     copy:
       - files:

tools/packaging/build/agent-enclave-bundle/jq.filter

@@ -8,5 +8,9 @@
    "target": "/etc/",
    "type": "hostfs",
    "source": "/configs"
+},{
+   "target": "/keys/",
+   "type": "hostfs",
+   "source": "/keys"
 }] |
 if $ENV.SGX_MODE == "SIM" then .metadata.debuggable = true else .metadata.debuggable = false end