Set up loopback interface at start.

Amnesic-Systems · Oct 18, 2024 · ed9b3bb · ed9b3bb
1 parent 7f5f212
commit ed9b3bb
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/internal/service/service.go b/internal/service/service.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/Amnesic-Systems/veil/internal/config"
 	"github.com/Amnesic-Systems/veil/internal/enclave"
+	"github.com/Amnesic-Systems/veil/internal/errs"
 	"github.com/Amnesic-Systems/veil/internal/httputil"
 	"github.com/Amnesic-Systems/veil/internal/service/attestation"
 	"github.com/Amnesic-Systems/veil/internal/system"
@@ -27,10 +28,13 @@ func Run(
 ) {
 	var appReady = make(chan struct{})
 
-	// Run basic safety checks before starting.
+	// Run safety checks and setup tasks before starting.
 	if err := checkSystemSafety(config); err != nil {
 		log.Fatalf("Failed safety check: %v", err)
 	}
+	if err := setupSystem(); err != nil {
+		log.Fatalf("Failed to set up system: %v", err)
+	}
 
 	// Initialize the enclave keys for enclave synchronization.
 	cert, key, err := httputil.CreateCertificate(config.FQDN)
@@ -64,7 +68,8 @@ func Run(
 	log.Println("Exiting.")
 }
 
-func checkSystemSafety(config *config.Config) error {
+func checkSystemSafety(config *config.Config) (err error) {
+	defer errs.Wrap(&err, "failed system safety check")
 	if config.Testing {
 		return nil
 	}
@@ -78,6 +83,12 @@ func checkSystemSafety(config *config.Config) error {
 	return nil
 }
 
+func setupSystem() (err error) {
+	defer errs.Wrap(&err, "failed to set up system")
+
+	return system.SetupLo()
+}
+
 func startAllWebSrvs(
 	ctx context.Context,
 	ready chan struct{},

diff --git a/internal/system/system_darwin.go b/internal/system/system_darwin.go
@@ -2,3 +2,4 @@ package system
 
 func HasSecureRNG() bool           { return true }
 func HasSecureKernelVersion() bool { return true }
+func SetupLo() error               { return nil }
diff --git a/internal/system/system_linux.go b/internal/system/system_linux.go
@@ -2,15 +2,38 @@ package system
 
 import (
 	"log"
+	"net"
 	"os"
 	"syscall"
+
+	"github.com/milosgajdos/tenus"
+
+	"github.com/Amnesic-Systems/veil/internal/errs"
 )
 
 const (
 	pathToRNG = "/sys/devices/virtual/misc/hw_random/rng_current"
 	wantRNG   = "nsm-hwrng"
 )
 
+// SetupLo sets up the loopback interface.
+func SetupLo() (err error) {
+	defer errs.Wrap(&err, "failed to configure loopback interface")
+
+	link, err := tenus.NewLinkFrom("lo")
+	if err != nil {
+		return err
+	}
+	addr, network, err := net.ParseCIDR("127.0.0.1/8")
+	if err != nil {
+		return err
+	}
+	if err = link.SetLinkIp(addr, network); err != nil {
+		return err
+	}
+	return link.SetLinkUp()
+}
+
 // HasSecureRNG checks if the enclave is configured to use the Nitro hardware
 // RNG. This was suggested in:
 // https://blog.trailofbits.com/2024/09/24/notes-on-aws-nitro-enclaves-attack-surface/
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,3 +2,4 @@ package system

		func HasSecureRNG() bool { return true }
		func HasSecureKernelVersion() bool { return true }
		func SetupLo() error { return nil }