diff --git a/.changelog/1599.feature.md b/.changelog/1599.feature.md new file mode 100644 index 00000000000..e0050b9f012 --- /dev/null +++ b/.changelog/1599.feature.md @@ -0,0 +1,4 @@ +go/worker/common: Allow specifying the path to the bwrap binary + +This adds a new config option `--worker.runtime.sandbox_binary` that +allows overriding the path to the sandbox support binary (ie: bwrap). diff --git a/.changelog/2469.internal.1.md b/.changelog/2469.internal.1.md new file mode 100644 index 00000000000..a64f3ec093f --- /dev/null +++ b/.changelog/2469.internal.1.md @@ -0,0 +1 @@ +runtime: Rename the rpc crate to enclave_rpc diff --git a/.changelog/2469.internal.2.md b/.changelog/2469.internal.2.md new file mode 100644 index 00000000000..e8a3bb16511 --- /dev/null +++ b/.changelog/2469.internal.2.md @@ -0,0 +1 @@ +client: Rename the rpc crate to enclave_rpc diff --git a/client/src/rpc/api/enclaverpc.rs b/client/src/enclave_rpc/api/enclaverpc.rs similarity index 100% rename from client/src/rpc/api/enclaverpc.rs rename to client/src/enclave_rpc/api/enclaverpc.rs diff --git a/client/src/rpc/api/mod.rs b/client/src/enclave_rpc/api/mod.rs similarity index 100% rename from client/src/rpc/api/mod.rs rename to client/src/enclave_rpc/api/mod.rs diff --git a/client/src/rpc/client.rs b/client/src/enclave_rpc/client.rs similarity index 99% rename from client/src/rpc/client.rs rename to client/src/enclave_rpc/client.rs index 53c274832a9..239bb13abd5 100644 --- a/client/src/rpc/client.rs +++ b/client/src/enclave_rpc/client.rs @@ -24,11 +24,11 @@ use tokio_executor::spawn; use oasis_core_runtime::common::runtime::RuntimeId; use oasis_core_runtime::{ common::{cbor, sgx::avr::EnclaveIdentity}, - protocol::Protocol, - rpc::{ + enclave_rpc::{ session::{Builder, Session}, types, }, + protocol::Protocol, }; #[cfg(not(target_env = "sgx"))] 
@@ -400,8 +400,8 @@ mod test { use tokio::runtime::Runtime; use oasis_core_runtime::{ + enclave_rpc::{demux::Demux, session, types}, rak::RAK, - rpc::{demux::Demux, session, types}, }; use super::{super::transport::Transport, RpcClient}; diff --git a/client/src/rpc/macros.rs b/client/src/enclave_rpc/macros.rs similarity index 100% rename from client/src/rpc/macros.rs rename to client/src/enclave_rpc/macros.rs diff --git a/client/src/rpc/mod.rs b/client/src/enclave_rpc/mod.rs similarity index 100% rename from client/src/rpc/mod.rs rename to client/src/enclave_rpc/mod.rs diff --git a/client/src/rpc/transport.rs b/client/src/enclave_rpc/transport.rs similarity index 96% rename from client/src/rpc/transport.rs rename to client/src/enclave_rpc/transport.rs index 021be90a8e4..047b14dcd46 100644 --- a/client/src/rpc/transport.rs +++ b/client/src/enclave_rpc/transport.rs @@ -7,7 +7,7 @@ use io_context::Context; #[cfg(not(target_env = "sgx"))] use oasis_core_runtime::common::runtime::RuntimeId; -use oasis_core_runtime::{common::cbor, protocol::Protocol, rpc::types, types::Body}; +use oasis_core_runtime::{common::cbor, enclave_rpc::types, protocol::Protocol, types::Body}; #[cfg(not(target_env = "sgx"))] use super::api::{CallEnclaveRequest, EnclaveRPCClient}; diff --git a/client/src/lib.rs b/client/src/lib.rs index f6fbbbdf752..b173ecfcb28 100644 --- a/client/src/lib.rs +++ b/client/src/lib.rs @@ -3,10 +3,9 @@ #[cfg(not(target_env = "sgx"))] #[macro_use] pub mod grpc; +pub mod enclave_rpc; #[cfg(not(target_env = "sgx"))] pub mod node; -// TODO: Rename "rpc" module to "enclave_rpc" or similar. -pub mod rpc; #[cfg(not(target_env = "sgx"))] pub mod transaction; @@ -14,6 +13,6 @@ pub mod transaction; pub type BoxFuture = Box + Send>; // Re-exports. -pub use self::rpc::RpcClient; +pub use self::enclave_rpc::RpcClient; #[cfg(not(target_env = "sgx"))] pub use self::{node::Node, transaction::TxnClient}; 
diff --git a/go/runtime/host/sandbox/process/bwrap.go b/go/runtime/host/sandbox/process/bwrap.go index f5df092950b..12beb4d1a4c 100644 --- a/go/runtime/host/sandbox/process/bwrap.go +++ b/go/runtime/host/sandbox/process/bwrap.go @@ -16,8 +16,6 @@ const ( sandboxMountBinary = "/entrypoint" sandboxMountLibDir = "/usr/lib" - - bwrapPath = "/usr/bin/bwrap" ) type bwrap struct { @@ -164,7 +162,7 @@ func NewBubbleWrap(cfg Config) (Process, error) { // Start our sandbox. n, err := NewNaked(Config{ - Path: bwrapPath, + Path: cfg.SandboxBinaryPath, Args: cliArgs, Stdout: cfg.Stdout, Stderr: cfg.Stderr, diff --git a/go/runtime/host/sandbox/process/bwrap_test.go b/go/runtime/host/sandbox/process/bwrap_test.go index 35525e0595e..115c773cfd9 100644 --- a/go/runtime/host/sandbox/process/bwrap_test.go +++ b/go/runtime/host/sandbox/process/bwrap_test.go @@ -4,6 +4,6 @@ import "testing" func TestBubbleWrapSandbox(t *testing.T) { t.Run("BindData", func(t *testing.T) { - testBindData(t, NewBubbleWrap) + testBindData(t, NewBubbleWrap, "/usr/bin/bwrap") }) } diff --git a/go/runtime/host/sandbox/process/naked_test.go b/go/runtime/host/sandbox/process/naked_test.go index d73cbfce552..03ab22d4532 100644 --- a/go/runtime/host/sandbox/process/naked_test.go +++ b/go/runtime/host/sandbox/process/naked_test.go @@ -13,11 +13,11 @@ import ( func TestNakedSandbox(t *testing.T) { t.Run("BindData", func(t *testing.T) { - testBindData(t, NewNaked) + testBindData(t, NewNaked, "") }) } -func testBindData(t *testing.T, factory func(Config) (Process, error)) { +func testBindData(t *testing.T, factory func(Config) (Process, error), sandboxBinary string) { require := require.New(t) dir, err := ioutil.TempDir("", "oasis-runtime-host-sandbox-test_") 
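Review bot: In the bwrap.go hunk at `-164,7 +162,7`, `NewBubbleWrap` hands `cfg.SandboxBinaryPath` to `NewNaked` as `Path` without checking it, whereas the removed `bwrapPath` constant could never be empty. A caller that builds a `process.Config` without the new field (for instance a custom `GetSandboxConfig`) would pass an empty executable path, and the resulting launch error would presumably not name the missing setting. I would reject it explicitly before the `NewNaked` call, e.g. `if cfg.SandboxBinaryPath == "" { return nil, fmt.Errorf("sandbox binary path not configured") }` (assuming `fmt` is already imported in this file). The body of `NewBubbleWrap` starts and ends outside the hunk, so an earlier check may exist that is not visible here.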
@@ -34,7 +34,8 @@ func testBindData(t *testing.T, factory func(Config) (Process, error)) { BindData: map[string]io.Reader{ boundPath: bytes.NewBufferString("hello world"), }, - Stdout: &stdout, + Stdout: &stdout, + SandboxBinaryPath: sandboxBinary, }) require.NoError(err, "NewNaked") diff --git a/go/runtime/host/sandbox/process/process.go b/go/runtime/host/sandbox/process/process.go index 311b71fabc8..71ccd4bee3d 100644 --- a/go/runtime/host/sandbox/process/process.go +++ b/go/runtime/host/sandbox/process/process.go @@ -39,6 +39,9 @@ type Config struct { // process' os.Stderr will be used. Stderr io.Writer + // SandboxBinaryPath is the path to the sandbox support binary. + SandboxBinaryPath string + extraFiles []*os.File } diff --git a/go/runtime/host/sandbox/sandbox.go b/go/runtime/host/sandbox/sandbox.go index 8c578a88095..649a0319f59 100644 --- a/go/runtime/host/sandbox/sandbox.go +++ b/go/runtime/host/sandbox/sandbox.go @@ -47,6 +47,9 @@ type Config struct { // default logger will be created. Logger *logging.Logger + // SandboxBinaryPath is the path to the sandbox support binary. + SandboxBinaryPath string + // InsecureNoSandbox disables the sandbox and runs the runtime binary directly. InsecureNoSandbox bool } @@ -492,12 +495,13 @@ func (r *sandboxedRuntime) manager() { func New(cfg Config) (host.Provisioner, error) { // Use a default GetSandboxConfig if none was provided. if cfg.GetSandboxConfig == nil { - cfg.GetSandboxConfig = func(cfg host.Config, socketPath string, runtimeDir string) (process.Config, error) { + cfg.GetSandboxConfig = func(hostCfg host.Config, socketPath string, runtimeDir string) (process.Config, error) { return process.Config{ - Path: cfg.Path, + Path: hostCfg.Path, Env: map[string]string{ "OASIS_WORKER_HOST": socketPath, }, + SandboxBinaryPath: cfg.SandboxBinaryPath, }, nil } } diff --git a/go/runtime/host/sandbox/sandbox_test.go b/go/runtime/host/sandbox/sandbox_test.go index fca0f0a0374..48fed43820a 100644 
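Review bot: The doc comment added to `Config.SandboxBinaryPath` in sandbox.go does not say when the field takes effect. In the `-492,12 +495,13` hunk it reaches `process.Config` only through the default `GetSandboxConfig` closure, so a caller that supplies its own `GetSandboxConfig` has to copy the value itself, as `getSandboxConfig` in sgx.go does. I would extend the comment to something like `// SandboxBinaryPath is the path to the sandbox support binary (bwrap). It is applied only by the default GetSandboxConfig; a custom GetSandboxConfig must set process.Config.SandboxBinaryPath itself.` Whether the field is also ignored when `InsecureNoSandbox` is set cannot be seen from this hunk and is worth stating in the same comment once confirmed.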
--- a/go/runtime/host/sandbox/sandbox_test.go +++ b/go/runtime/host/sandbox/sandbox_test.go @@ -11,6 +11,8 @@ import ( var envRuntimePath = os.Getenv("OASIS_TEST_RUNTIME_HOST_RUNTIME_PATH") func TestProvisionerSandbox(t *testing.T) { + const bwrapPath = "/usr/bin/bwrap" // Sensible systems only. + // Skip test if there is no runtime configured. if envRuntimePath == "" { t.Skip("skipping as OASIS_TEST_RUNTIME_HOST_RUNTIME_PATH is not set") @@ -24,13 +26,16 @@ func TestProvisionerSandbox(t *testing.T) { tests.TestProvisioner(t, cfg, func() (host.Provisioner, error) { return New(Config{ InsecureNoSandbox: true, + SandboxBinaryPath: bwrapPath, }) }, nil) }) t.Run("Sandboxed", func(t *testing.T) { tests.TestProvisioner(t, cfg, func() (host.Provisioner, error) { - return New(Config{}) + return New(Config{ + SandboxBinaryPath: bwrapPath, + }) }, nil) }) } diff --git a/go/runtime/host/sgx/sgx.go b/go/runtime/host/sgx/sgx.go index 0e38937d39f..91c5e643e00 100644 --- a/go/runtime/host/sgx/sgx.go +++ b/go/runtime/host/sgx/sgx.go @@ -57,6 +57,9 @@ type Config struct { // a default will be used. RuntimeAttestInterval time.Duration + // SandboxBinaryPath is the path to the sandbox support binary. + SandboxBinaryPath string + // InsecureNoSandbox disables the sandbox and runs the loader directly. InsecureNoSandbox bool } @@ -174,6 +177,7 @@ func (s *sgxProvisioner) getSandboxConfig(rtCfg host.Config, socketPath string, runtimePath: bytes.NewReader(sgxs), signaturePath: bytes.NewReader(sig), }, + SandboxBinaryPath: s.cfg.SandboxBinaryPath, }, nil } diff --git a/go/runtime/host/sgx/sgx_test.go b/go/runtime/host/sgx/sgx_test.go index 7b3957fe22b..99e03888624 100644 --- a/go/runtime/host/sgx/sgx_test.go +++ b/go/runtime/host/sgx/sgx_test.go @@ -37,6 +37,8 @@ func skipIfMissingDeps(t *testing.T) { } func TestProvisionerSGX(t *testing.T) { + const bwrapPath = "/usr/bin/bwrap" // Sensible systems only. + skipIfMissingDeps(t) require := require.New(t) 
@@ -63,6 +65,7 @@ func TestProvisionerSGX(t *testing.T) { IAS: ias, RuntimeAttestInterval: 2 * time.Second, InsecureNoSandbox: true, + SandboxBinaryPath: bwrapPath, }) }, extraTests) }) @@ -73,6 +76,7 @@ func TestProvisionerSGX(t *testing.T) { LoaderPath: envRuntimeLoaderPath, RuntimeAttestInterval: 2 * time.Second, IAS: ias, + SandboxBinaryPath: bwrapPath, }) }, extraTests) }) diff --git a/go/worker/common/config.go b/go/worker/common/config.go index 55dd8c059f1..cb25daa56b1 100644 --- a/go/worker/common/config.go +++ b/go/worker/common/config.go @@ -2,6 +2,7 @@ package common import ( "fmt" + "os" "time" flag "github.com/spf13/pflag" @@ -43,6 +44,7 @@ var ( // paths. CfgRuntimeSGXSignatures = "worker.runtime.sgx.signatures" + cfgSandboxBinary = "worker.runtime.sandbox_binary" cfgStorageCommitTimeout = "worker.storage_commit_timeout" // Flags has the configuration flags. @@ -146,6 +148,7 @@ func NewConfig(ias ias.Endpoint) (*Config, error) { // Register provisioners based on the configured provisioner. var insecureNoSandbox bool + sandboxBinary := viper.GetString(cfgSandboxBinary) rh.Provisioners = make(map[node.TEEHardware]runtimeHost.Provisioner) switch p := viper.GetString(CfgRuntimeProvisioner); p { case RuntimeProvisionerMock: @@ -165,9 +168,15 @@ func NewConfig(ias ias.Endpoint) (*Config, error) { fallthrough case RuntimeProvisionerSandboxed: + if !insecureNoSandbox { + if _, err = os.Stat(sandboxBinary); err != nil { + return nil, fmt.Errorf("failed to stat sandbox binary: %w", err) + } + } // Sandboxed provisioner, can be used with no TEE or with Intel SGX. rh.Provisioners[node.TEEHardwareInvalid], err = hostSandbox.New(hostSandbox.Config{ InsecureNoSandbox: insecureNoSandbox, + SandboxBinaryPath: sandboxBinary, }) if err != nil { return nil, fmt.Errorf("failed to create runtime provisioner: %w", err) 
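Review bot: The `os.Stat(sandboxBinary)` guard in the config.go hunk at `-165,9 +168,15` only shows that something exists at that path, so a directory, a non-executable file or a relative name would all pass. The path is now operator-supplied and names the binary that confines the runtime, so I would require an absolute path to a regular, executable file, as sketched below (this needs `path/filepath` added to the import block). The check is also point-in-time only: the file can be replaced after startup, so the flag's documentation should say the binary and its directory must not be writable by unprivileged users. `NewConfig` starts and ends outside the hunk.

```go
	case RuntimeProvisionerSandboxed:
		if !insecureNoSandbox {
			if !filepath.IsAbs(sandboxBinary) {
				return nil, fmt.Errorf("sandbox binary path must be absolute: %q", sandboxBinary)
			}
			fi, statErr := os.Stat(sandboxBinary)
			if statErr != nil {
				return nil, fmt.Errorf("failed to stat sandbox binary: %w", statErr)
			}
			if !fi.Mode().IsRegular() || fi.Mode().Perm()&0o111 == 0 {
				return nil, fmt.Errorf("sandbox binary is not an executable regular file: %q", sandboxBinary)
			}
		}
		// … unchanged: hostSandbox.New(...) provisioner registration …
```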
@@ -176,6 +185,7 @@ func NewConfig(ias ias.Endpoint) (*Config, error) { rh.Provisioners[node.TEEHardwareIntelSGX], err = hostSgx.New(hostSgx.Config{ LoaderPath: viper.GetString(CfgRuntimeSGXLoader), IAS: ias, + SandboxBinaryPath: sandboxBinary, InsecureNoSandbox: insecureNoSandbox, }) if err != nil { @@ -235,6 +245,8 @@ func init() { Flags.StringToString(CfgRuntimePaths, nil, "Paths to runtime resources (format: =,=)") Flags.StringToString(CfgRuntimeSGXSignatures, nil, "(for SGX runtimes) Paths to signatures (format: =,=") + Flags.String(cfgSandboxBinary, "/usr/bin/bwrap", "Path to the sandbox binary (bubblewrap)") + Flags.Duration(cfgStorageCommitTimeout, 5*time.Second, "Storage commit timeout") _ = viper.BindPFlags(Flags) diff --git a/keymanager-client/src/client.rs b/keymanager-client/src/client.rs index c229dcd2929..47bfc633c97 100644 --- a/keymanager-client/src/client.rs +++ b/keymanager-client/src/client.rs @@ -16,9 +16,9 @@ use oasis_core_client::{create_rpc_api_client, BoxFuture, RpcClient}; use oasis_core_keymanager_api_common::*; use oasis_core_runtime::{ common::{cbor, runtime::RuntimeId, sgx::avr::EnclaveIdentity}, + enclave_rpc::session, protocol::Protocol, rak::RAK, - rpc::session, }; use super::KeyManagerClient; diff --git a/keymanager-lib/src/kdf.rs b/keymanager-lib/src/kdf.rs index 4ac23cd3302..d1e390627e1 100644 --- a/keymanager-lib/src/kdf.rs +++ b/keymanager-lib/src/kdf.rs @@ -27,8 +27,8 @@ use oasis_core_runtime::{ runtime::RuntimeId, sgx::egetkey::egetkey, }, + enclave_rpc::Context as RpcContext, executor::Executor, - rpc::Context as RpcContext, runtime_context, storage::StorageContext, BUILD_INFO, diff --git a/keymanager-lib/src/keymanager.rs b/keymanager-lib/src/keymanager.rs index c5cef14896e..fa9005adc13 100644 --- a/keymanager-lib/src/keymanager.rs +++ b/keymanager-lib/src/keymanager.rs 
@@ -5,13 +5,12 @@ use anyhow::Result; use oasis_core_keymanager_api_common::*; use oasis_core_runtime::{ dispatcher::Initializer, - rak::RAK, - register_runtime_rpc_methods, - rpc::{ + enclave_rpc::{ dispatcher::{Method as RpcMethod, MethodDescriptor as RpcMethodDescriptor}, Context as RpcContext, }, - Protocol, RpcDemux, RpcDispatcher, TxnDispatcher, + rak::RAK, + register_runtime_rpc_methods, Protocol, RpcDemux, RpcDispatcher, TxnDispatcher, }; use crate::{context, kdf::Kdf, policy::Policy}; diff --git a/keymanager-lib/src/methods.rs b/keymanager-lib/src/methods.rs index dc7f46a3047..dc3fc817e87 100644 --- a/keymanager-lib/src/methods.rs +++ b/keymanager-lib/src/methods.rs @@ -1,7 +1,7 @@ //! Methods exported to remote clients via EnclaveRPC. use anyhow::Result; use oasis_core_keymanager_api_common::*; -use oasis_core_runtime::rpc::Context as RpcContext; +use oasis_core_runtime::enclave_rpc::Context as RpcContext; use crate::{kdf::Kdf, policy::Policy}; diff --git a/keymanager-lib/src/policy.rs b/keymanager-lib/src/policy.rs index bd218ced330..3b21a9490a7 100644 --- a/keymanager-lib/src/policy.rs +++ b/keymanager-lib/src/policy.rs @@ -19,7 +19,7 @@ use oasis_core_runtime::{ seal::{seal, unseal}, }, }, - rpc::Context as RpcContext, + enclave_rpc::Context as RpcContext, runtime_context, storage::StorageContext, }; diff --git a/runtime/src/dispatcher.rs b/runtime/src/dispatcher.rs index 2f675804b9f..0e1bafdc5c4 100644 --- a/runtime/src/dispatcher.rs +++ b/runtime/src/dispatcher.rs @@ -21,14 +21,14 @@ use crate::{ logger::get_logger, roothash::{Block, ComputeResultsHeader, COMPUTE_RESULTS_HEADER_CONTEXT}, }, - protocol::{Protocol, ProtocolUntrustedLocalStorage}, - rak::RAK, - rpc::{ + enclave_rpc::{ demux::Demux as RpcDemux, dispatcher::Dispatcher as RpcDispatcher, types::{Message as RpcMessage, Request as RpcRequest}, Context as RpcContext, }, + protocol::{Protocol, ProtocolUntrustedLocalStorage}, + rak::RAK, storage::{ mkvs::{ sync::{HostReadSyncer, NoopReadSyncer}, 
diff --git a/runtime/src/rpc/context.rs b/runtime/src/enclave_rpc/context.rs
similarity index 100%
rename from runtime/src/rpc/context.rs
rename to runtime/src/enclave_rpc/context.rs
diff --git a/runtime/src/rpc/demux.rs b/runtime/src/enclave_rpc/demux.rs
similarity index 100%
rename from runtime/src/rpc/demux.rs
rename to runtime/src/enclave_rpc/demux.rs
diff --git a/runtime/src/rpc/dispatcher.rs b/runtime/src/enclave_rpc/dispatcher.rs
similarity index 100%
rename from runtime/src/rpc/dispatcher.rs
rename to runtime/src/enclave_rpc/dispatcher.rs
diff --git a/runtime/src/rpc/macros.rs b/runtime/src/enclave_rpc/macros.rs
similarity index 81%
rename from runtime/src/rpc/macros.rs
rename to runtime/src/enclave_rpc/macros.rs
index 170c5a0e152..8509599bb63 100644
--- a/runtime/src/rpc/macros.rs
+++ b/runtime/src/enclave_rpc/macros.rs
@@ -19,12 +19,12 @@ macro_rules! register_runtime_rpc_methods {
 ) => {
 $(
 $rpc_dispatcher.add_method(
- $crate::rpc::dispatcher::Method::new(
- $crate::rpc::dispatcher::MethodDescriptor {
+ $crate::enclave_rpc::dispatcher::Method::new(
+ $crate::enclave_rpc::dispatcher::MethodDescriptor {
 name: stringify!($method_name).to_owned(),
 },
 |args: &$arguments_type,
- ctx: &mut $crate::rpc::context::Context|
+ ctx: &mut $crate::enclave_rpc::context::Context|
 -> ::anyhow::Result<$output_type> {
 $method_name(args, ctx)
 },
diff --git a/runtime/src/rpc/mod.rs b/runtime/src/enclave_rpc/mod.rs
similarity index 100%
rename from runtime/src/rpc/mod.rs
rename to runtime/src/enclave_rpc/mod.rs
diff --git a/runtime/src/rpc/session.rs b/runtime/src/enclave_rpc/session.rs
similarity index 100%
rename from runtime/src/rpc/session.rs
rename to runtime/src/enclave_rpc/session.rs
diff --git a/runtime/src/rpc/types.rs b/runtime/src/enclave_rpc/types.rs
similarity index 100%
rename from runtime/src/rpc/types.rs
rename to runtime/src/enclave_rpc/types.rs
diff --git a/runtime/src/lib.rs b/runtime/src/lib.rs
index e1ad0193b18..2933d93beb8 100644
--- a/runtime/src/lib.rs
+++ b/runtime/src/lib.rs @@ -51,12 +51,12 @@ use sgx_isa::{AttributesFlags, Report}; #[macro_use] pub mod common; pub mod dispatcher; +pub mod enclave_rpc; pub mod executor; pub mod init; pub mod macros; pub mod protocol; pub mod rak; -pub mod rpc; pub mod storage; pub mod tracing; pub mod transaction; @@ -121,8 +121,8 @@ pub struct BuildInfo { // Re-exports. pub use self::{ + enclave_rpc::{demux::Demux as RpcDemux, dispatcher::Dispatcher as RpcDispatcher}, init::start_runtime, protocol::Protocol, - rpc::{demux::Demux as RpcDemux, dispatcher::Dispatcher as RpcDispatcher}, transaction::dispatcher::{Dispatcher as TxnDispatcher, MethodDispatcher as TxnMethDispatcher}, };