Skip to content

Commit

Permalink
go/runtime/registry: Simplify creation of provisioners
Browse files Browse the repository at this point in the history
  • Loading branch information
peternose committed Dec 17, 2024
1 parent 82a371c commit 80836f1
Show file tree
Hide file tree
Showing 3 changed files with 42 additions and 76 deletions.
Empty file added .changelog/5975.trivial.md
Empty file.
97 changes: 35 additions & 62 deletions go/runtime/registry/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -107,40 +107,18 @@ func createProvisioner(
identity *identity.Identity,
consensus consensus.Backend,
hostInfo *hostProtocol.HostInfo,
bundleRegistry bundle.Registry,
ias []ias.Endpoint,
qs pcs.QuoteService,
) (runtimeHost.Provisioner, error) {
var err error
var insecureNoSandbox bool

// By default start with the environment specified in configuration.
attestInterval := config.GlobalConfig.Runtime.AttestInterval
sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary
sgxLoader := config.GlobalConfig.Runtime.SGXLoader
runtimeEnv := config.GlobalConfig.Runtime.Environment

// If the runtime environment is set to automatic selection and at least
// one bundle has a component that requires the use of a TEE, force a TEE
// environment to simplify configuration.
func() {
if runtimeEnv != rtConfig.RuntimeEnvironmentAuto {
return
}
for _, manifest := range bundleRegistry.GetManifests() {
for _, comp := range manifest.GetAvailableComponents() {
if comp.IsTEERequired() {
runtimeEnv = rtConfig.RuntimeEnvironmentSGX
return
}
}
}
}()

isEnvSGX := runtimeEnv == rtConfig.RuntimeEnvironmentSGX || runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
forceNoSGX := (config.GlobalConfig.Mode.IsClientOnly() && !isEnvSGX) ||
(cmdFlags.DebugDontBlameOasis() && runtimeEnv == rtConfig.RuntimeEnvironmentELF)

// Register provisioners based on the configured provisioner.
var insecureNoSandbox bool
sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary
attestInterval := config.GlobalConfig.Runtime.AttestInterval
provisioners := make(map[component.TEEKind]runtimeHost.Provisioner)
switch p := config.GlobalConfig.Runtime.Provisioner; p {
case rtConfig.RuntimeProvisionerMock:
Expand Down Expand Up @@ -178,46 +156,41 @@ func createProvisioner(
}

// Configure the Intel SGX provisioner.
switch sgxLoader := config.GlobalConfig.Runtime.SGXLoader; {
case forceNoSGX:
forceNoSGX := runtimeEnv == rtConfig.RuntimeEnvironmentELF
if forceNoSGX && !cmdFlags.DebugDontBlameOasis() {
return nil, fmt.Errorf("ELF requires use of unsafe debug flags")
}
if forceNoSGX {
// Remap SGX to non-SGX when forced to do so.
provisioners[component.TEEKindSGX], err = hostSandbox.New(hostSandbox.Config{
HostInfo: hostInfo,
InsecureNoSandbox: insecureNoSandbox,
SandboxBinaryPath: sandboxBinary,
})
if err != nil {
return nil, fmt.Errorf("failed to create runtime provisioner: %w", err)
}
case sgxLoader == "" && runtimeEnv == rtConfig.RuntimeEnvironmentSGX:
// SGX environment is forced, but we don't have the needed loader.
return nil, fmt.Errorf("SGX runtime environment requires setting the SGX loader")
case sgxLoader == "" && runtimeEnv != rtConfig.RuntimeEnvironmentSGXMock:
provisioners[component.TEEKindSGX] = provisioners[component.TEEKindNone]
break
}

if sgxLoader == "" {
// SGX may be needed, but we don't have a loader configured.
break
default:
// Configure mock SGX if configured and we are in a debug mode.
insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
if insecureMock && !cmdFlags.DebugDontBlameOasis() {
return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags")
}
}

provisioners[component.TEEKindSGX], err = hostSgx.New(hostSgx.Config{
HostInfo: hostInfo,
CommonStore: commonStore,
LoaderPath: sgxLoader,
IAS: ias,
PCS: qs,
Consensus: consensus,
Identity: identity,
SandboxBinaryPath: sandboxBinary,
InsecureNoSandbox: insecureNoSandbox,
InsecureMock: insecureMock,
RuntimeAttestInterval: attestInterval,
})
if err != nil {
return nil, fmt.Errorf("failed to create SGX runtime provisioner: %w", err)
}
insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
if insecureMock && !cmdFlags.DebugDontBlameOasis() {
return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags")
}

provisioners[component.TEEKindSGX], err = hostSgx.New(hostSgx.Config{
HostInfo: hostInfo,
CommonStore: commonStore,
LoaderPath: sgxLoader,
IAS: ias,
PCS: qs,
Consensus: consensus,
Identity: identity,
SandboxBinaryPath: sandboxBinary,
InsecureNoSandbox: insecureNoSandbox,
InsecureMock: insecureMock,
RuntimeAttestInterval: attestInterval,
})
if err != nil {
return nil, fmt.Errorf("failed to create SGX runtime provisioner: %w", err)
}
default:
return nil, fmt.Errorf("unsupported runtime provisioner: %s", p)
Expand Down
21 changes: 7 additions & 14 deletions go/runtime/registry/registry.go
Original file line number Diff line number Diff line change
Expand Up @@ -698,21 +698,9 @@ func New(
consensus consensus.Backend,
ias []ias.Endpoint,
) (Registry, error) {
// Create bundle registry.
// Create bundle registry and discovery.
bundleRegistry := bundle.NewRegistry(dataDir)

// Fill the registry with local bundles.
//
// This enables the provisioner to determine which runtime environment
// to use when the configuration is set to 'auto'.
//
// FIXME: Handle cases where the configuration is set to 'auto' but
// no bundles are configured. After addressing this, move the
// initialization to the bottom for better organization.
bundleDiscovery := bundle.NewDiscovery(dataDir, bundleRegistry)
if err := bundleDiscovery.Init(); err != nil {
return nil, err
}

// Create history keeper factory.
historyFactory, err := createHistoryFactory()
Expand All @@ -733,7 +721,7 @@ func New(
}

// Create runtime provisioner.
provisioner, err := createProvisioner(commonStore, identity, consensus, hostInfo, bundleRegistry, ias, qs)
provisioner, err := createProvisioner(commonStore, identity, consensus, hostInfo, ias, qs)
if err != nil {
return nil, err
}
Expand All @@ -751,6 +739,11 @@ func New(
bundleDiscovery: bundleDiscovery,
}

// Fill the registry with local bundles.
if err := bundleDiscovery.Init(); err != nil {
return nil, err
}

// Initialize the runtime registry.
if err = r.Init(ctx); err != nil {
return nil, err
Expand Down

0 comments on commit 80836f1

Please sign in to comment.