# SPDX-License-Identifier: LGPL-3.0-or-later
# Copyright (C) 2024 Intel Corporation
# Wojtek Porczyk <[email protected]>
from voluptuous import (
Any,
Required,
Schema,
)
# Placeholder field validators. Each one is the bare ``str`` type, so the schema only checks that
# the value is a string; its format is not verified by this module.
# TODO: write better validators for all of these.

# size (number + suffix)
_size = str

# masks for sgx.seal_key.*_mask fields
_mask64 = _mask32 = str

# URI-valued fields
_uri = str
# Per-type shapes of a filesystem entry. fs.root and fs.mounts[] are almost the same; the only
# difference is that fs.root does not contain the path= key, which is added below for mounts.
_fs_base = (
    # 'type' is not Required() in this variant only, so an entry that omits 'type' can match
    # nothing but the chroot shape.
    {
        'type': 'chroot',
        Required('uri'): _uri,
    },
    # 'key_name' is optional and only checked to be a string.
    {
        Required('type'): 'encrypted',
        Required('uri'): _uri,
        'key_name': str,
    },
    {
        Required('type'): 'tmpfs',
        'uri': str,  # not _uri, this field is ignored by Gramine
    },
    {
        Required('type'): 'untrusted_shm',
        Required('uri'): _uri,
    },
)

# fs.root: any one of the base shapes, as-is.
_fs_root = Any(*_fs_base)

# fs.mounts[]: the same shapes, each extended with a mandatory string 'path'.
_fs_mount = Any(*[{**variant, Required('path'): str} for variant in _fs_base])
# Structural schema for a Gramine manifest, assembled from one dict per top-level table.
#
# This is a shape/type check only. Options whose names start with ``insecure__`` or ``debug__``
# validate like any other key (nothing here warns about or rejects them), and string fields such
# as sizes, masks, URIs and sha256 digests are only checked to be strings.

# [fs]
_manifest_fs = {
    Required('mounts'): [_fs_mount],
    'root': _fs_root,
    'start_dir': str,
    # key name -> value, both only checked to be strings
    'insecure__keys': {str: str},
}

# [libos]
_manifest_libos = {
    Required('entrypoint'): str,
    'check_invalid_pointers': bool,
}

# [loader]
_manifest_loader = {
    # TODO: validator for sha256
    # Until then a malformed or truncated digest is not caught by this schema.
    Required('entrypoint'): {Required('uri'): _uri, 'sha256': str},
    'argv': [str],
    'argv_src_file': str,
    # Each variable is a plain string, a {'value': ...} table, or a {'passthrough': ...} table;
    # the only accepted passthrough value is the literal True.
    'env': {str: Any(str, {'value': str}, {'passthrough': True})},
    'env_src_file': str,
    'gid': int,
    'insecure__use_cmdline_argv': bool,
    'insecure__use_host_env': bool,
    'insecure__disable_aslr': bool,
    'log_file': str,
    'log_level': Any('none', 'error', 'warning', 'debug', 'trace', 'all'),
    'uid': int,
}

# [sgx]
_manifest_sgx = {
    'allowed_files': [str],
    'cpu_features': {
        # the first group of features additionally accepts 'unspecified'
        Any('avx', 'avx512', 'amx'): Any('unspecified', 'disabled', 'required'),
        Any('mpx', 'pkru'): Any('disabled', 'required'),
    },
    'debug': bool,
    'edmm_enable': bool,
    'enable_stats': bool,
    'enclave_size': _size,
    'file_check_policy': Any('strict', 'allow_all_but_log'),
    'insecure__allow_memfaults_without_exinfo': bool,
    'insecure__rpc_thread_num': int,
    'isvprodid': int,
    'isvsvn': int,
    'max_threads': int,
    'preheat_enclave': bool,
    'profile': {
        'enable': Any('none', 'main', 'all'),
        'mode': Any('aex', 'ocall_inner', 'ocall_outer'),
        'with_stack': bool,
        'frequency': int,
    },
    'remote_attestation': Any('none', 'dcap'),
    'seal_key': {
        'flags_mask': _mask64,
        'xfrm_mask': _mask64,
        'misc_mask': _mask32,
    },
    # TODO: validator for sha256
    # NOTE(review): in the table form neither 'uri' nor 'sha256' is Required(), so an empty
    # table also validates here -- confirm whether 'uri' should be mandatory, as it is for
    # loader.entrypoint.
    'trusted_files': [Any(str, {'uri': _uri, 'sha256': str})],
    'use_exinfo': bool,
    'vtune_profile': bool,
}

# [sys]
_manifest_sys = {
    'allowed_ioctls': [{
        Required('request_code'): int,
        'struct': str,
    }],
    'brk': {'max_size': _size},
    'disallow_subprocesses': bool,
    'enable_extra_runtime_domain_names_conf': bool,
    'enable_sigterm_injection': bool,
    'experimental__enable_flock': bool,
    'insecure__allow_eventfd': bool,
    # A precise description of this table would be very hard to write and mostly useless: the
    # majority of errors will be semantic (wrong offsets), not syntactic. It is therefore left
    # almost unvalidated -- keys must be strings, values may be any object.
    'ioctl_structs': {str: object},
    'debug__mock_syscalls': [{Required('name'): str, 'return': int}],
    'stack': {'size': _size},
    'fds': {'limit': int},
}

# fs, libos and loader must be present; sgx and sys are optional.
GramineManifestSchema = Schema({
    Required('fs'): _manifest_fs,
    Required('libos'): _manifest_libos,
    Required('loader'): _manifest_loader,
    'sgx': _manifest_sgx,
    'sys': _manifest_sys,
})