diff --git a/.changelog/5975.trivial.md b/.changelog/5975.trivial.md new file mode 100644 index 00000000000..e69de29bb2d diff --git a/go/runtime/registry/config.go b/go/runtime/registry/config.go index c74aaafa398..affd0b5aa6d 100644 --- a/go/runtime/registry/config.go +++ b/go/runtime/registry/config.go @@ -107,40 +107,20 @@ func createProvisioner( identity *identity.Identity, consensus consensus.Backend, hostInfo *hostProtocol.HostInfo, - bundleRegistry bundle.Registry, ias []ias.Endpoint, qs pcs.QuoteService, ) (runtimeHost.Provisioner, error) { var err error + var insecureNoSandbox bool - // By default start with the environment specified in configuration. + attestInterval := config.GlobalConfig.Runtime.AttestInterval + sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary + sgxLoader := config.GlobalConfig.Runtime.SGXLoader runtimeEnv := config.GlobalConfig.Runtime.Environment - // If the runtime environment is set to automatic selection and at least - // one bundle has a component that requires the use of a TEE, force a TEE - // environment to simplify configuration. - func() { - if runtimeEnv != rtConfig.RuntimeEnvironmentAuto { - return - } - for _, manifest := range bundleRegistry.GetManifests() { - for _, comp := range manifest.GetAvailableComponents() { - if comp.IsTEERequired() { - runtimeEnv = rtConfig.RuntimeEnvironmentSGX - return - } - } - } - }() - isEnvSGX := runtimeEnv == rtConfig.RuntimeEnvironmentSGX || runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock - forceNoSGX := (config.GlobalConfig.Mode.IsClientOnly() && !isEnvSGX) || - (cmdFlags.DebugDontBlameOasis() && runtimeEnv == rtConfig.RuntimeEnvironmentELF) // Register provisioners based on the configured provisioner. - var insecureNoSandbox bool - sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary - attestInterval := config.GlobalConfig.Runtime.AttestInterval provisioners := make(map[component.TEEKind]runtimeHost.Provisioner) switch p := config.GlobalConfig.Runtime.Provisioner; p { case rtConfig.RuntimeProvisionerMock: @@ -178,46 +158,41 @@ func createProvisioner( } // Configure the Intel SGX provisioner. - switch sgxLoader := config.GlobalConfig.Runtime.SGXLoader; { - case forceNoSGX: + forceNoSGX := runtimeEnv == rtConfig.RuntimeEnvironmentELF + if forceNoSGX && !cmdFlags.DebugDontBlameOasis() { + return nil, fmt.Errorf("ELF requires use of unsafe debug flags") + } + if forceNoSGX || config.GlobalConfig.Mode.IsClientOnly() && !isEnvSGX { // Remap SGX to non-SGX when forced to do so. - provisioners[component.TEEKindSGX], err = hostSandbox.New(hostSandbox.Config{ - HostInfo: hostInfo, - InsecureNoSandbox: insecureNoSandbox, - SandboxBinaryPath: sandboxBinary, - }) - if err != nil { - return nil, fmt.Errorf("failed to create runtime provisioner: %w", err) - } - case sgxLoader == "" && runtimeEnv == rtConfig.RuntimeEnvironmentSGX: - // SGX environment is forced, but we don't have the needed loader. - return nil, fmt.Errorf("SGX runtime environment requires setting the SGX loader") - case sgxLoader == "" && runtimeEnv != rtConfig.RuntimeEnvironmentSGXMock: + provisioners[component.TEEKindSGX] = provisioners[component.TEEKindNone] + break + } + + insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock + if insecureMock && !cmdFlags.DebugDontBlameOasis() { + return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags") + } + + if !insecureMock && sgxLoader == "" { // SGX may be needed, but we don't have a loader configured. break - default: - // Configure mock SGX if configured and we are in a debug mode. - insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock - if insecureMock && !cmdFlags.DebugDontBlameOasis() { - return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags") - } + } - provisioners[component.TEEKindSGX], err = hostSgx.New(hostSgx.Config{ - HostInfo: hostInfo, - CommonStore: commonStore, - LoaderPath: sgxLoader, - IAS: ias, - PCS: qs, - Consensus: consensus, - Identity: identity, - SandboxBinaryPath: sandboxBinary, - InsecureNoSandbox: insecureNoSandbox, - InsecureMock: insecureMock, - RuntimeAttestInterval: attestInterval, - }) - if err != nil { - return nil, fmt.Errorf("failed to create SGX runtime provisioner: %w", err) - } + provisioners[component.TEEKindSGX], err = hostSgx.New(hostSgx.Config{ + HostInfo: hostInfo, + CommonStore: commonStore, + LoaderPath: sgxLoader, + IAS: ias, + PCS: qs, + Consensus: consensus, + Identity: identity, + SandboxBinaryPath: sandboxBinary, + InsecureNoSandbox: insecureNoSandbox, + InsecureMock: insecureMock, + RuntimeAttestInterval: attestInterval, + }) + if err != nil { + return nil, fmt.Errorf("failed to create SGX runtime provisioner: %w", err) } default: return nil, fmt.Errorf("unsupported runtime provisioner: %s", p) diff --git a/go/runtime/registry/registry.go b/go/runtime/registry/registry.go index 147d961f56d..f0af8a54943 100644 --- a/go/runtime/registry/registry.go +++ b/go/runtime/registry/registry.go @@ -698,21 +698,9 @@ func New( consensus consensus.Backend, ias []ias.Endpoint, ) (Registry, error) { - // Create bundle registry. + // Create bundle registry and discovery. bundleRegistry := bundle.NewRegistry(dataDir) - - // Fill the registry with local bundles. - // - // This enables the provisioner to determine which runtime environment - // to use when the configuration is set to 'auto'. - // - // FIXME: Handle cases where the configuration is set to 'auto' but - // no bundles are configured. After addressing this, move the - // initialization to the bottom for better organization. bundleDiscovery := bundle.NewDiscovery(dataDir, bundleRegistry) - if err := bundleDiscovery.Init(); err != nil { - return nil, err - } // Create history keeper factory. historyFactory, err := createHistoryFactory() @@ -733,7 +721,7 @@ func New( } // Create runtime provisioner. - provisioner, err := createProvisioner(commonStore, identity, consensus, hostInfo, bundleRegistry, ias, qs) + provisioner, err := createProvisioner(commonStore, identity, consensus, hostInfo, ias, qs) if err != nil { return nil, err } @@ -751,6 +739,11 @@ func New( bundleDiscovery: bundleDiscovery, } + // Fill the registry with local bundles. + if err := bundleDiscovery.Init(); err != nil { + return nil, err + } + // Initialize the runtime registry. if err = r.Init(ctx); err != nil { return nil, err