Remove IceCap.

.github/workflows/main.yml

@@ -252,44 +252,6 @@ jobs:
           name: nitro
           path: workspaces/**/Cargo.lock
 
-  icecap:
-    runs-on: ubuntu-latest
-    needs: [check]
-    outputs:
-      output: ${{ steps.check-diff.outputs.cargo-lock }}
-    container:
-      image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068
-      volumes:
-        - ${{ github.workspace }}:/work/veracruz
-    steps:
-      - name: Check out the Veracruz repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: add the GITHUB_WORKSPACE into git config
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-      - name: Running IceCap test script
-        id: icecap-build
-        run: |
-            VERACRUZ_TEST_TIMEOUT=2400 make -C /work/veracruz/workspaces icecap-tests PROFILE=release
-      - name: Check modification to Cargo.lock
-        id: check-diff
-        run: |
-          file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs)
-          echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT
-          if [ -n "$file_changed" ] ; then
-              echo "::warning::Cargo.lock files modified";
-              echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}";
-          fi
-      - name: Upload Cargo.lock files
-        id: upload-changed-cargo-lock
-        if: steps.check-diff.outputs.cargo-lock != ''
-        uses: actions/upload-artifact@v3
-        with:
-          name: icecap
-          path: workspaces/**/Cargo.lock
-
   # tests that the CLI_QUICKSTART.markdown is still up to date
   quickstart:
     runs-on: ubuntu-latest
@@ -344,7 +306,7 @@ jobs:
           path: workspaces/**/Cargo.lock
 
   cargo-lock-check:
-    needs: [linux, nitro, icecap, quickstart]
+    needs: [linux, nitro, quickstart]
     runs-on: ubuntu-latest
     steps:
       - name: linux
@@ -357,11 +319,6 @@ jobs:
         run: |
           echo "::warning:: nitro Cargo.lock change list: ${{ needs.nitro.outputs.output }}"
           exit 1
-      - name: icecap
-        if: needs.icecap.outputs.output != ''
-        run: |
-          echo "::warning:: icecap Cargo.lock change list: ${{ needs.icecap.outputs.output }}"
-          exit 1
       - name: quickstart
         if: needs.quickstart.outputs.output != ''
         run: |

.gitmodules

@@ -8,13 +8,6 @@
 [submodule "veracruz-mcu-client/nanopb"]
 	path = veracruz-mcu-client/nanopb
 	url = https://github.com/nanopb/nanopb
-[submodule "icecap/icecap"]
-	path = icecap/icecap
-	url = https://gitlab.com/icecap-project/icecap.git
-	branch = realmos
-[submodule "icecap/sysroot/rust"]
-	path = icecap/sysroot/rust
-	url = https://gitlab.com/icecap-project/rust.git
 [submodule "third-party/nitro-enclave-attestation-document"]
 	path = third-party/nitro-enclave-attestation-document
 	url = https://github.com/veracruz-project/nitro-enclave-attestation-document.git
@@ -27,21 +20,6 @@
 	path = third-party/wasmi
 	url = https://github.com/veracruz-project/wasmi.git
 	branch = veracruz
-[submodule "workspaces/icecap-runtime/deps/seL4"]
-	path = workspaces/icecap-runtime/deps/seL4
-	url = https://gitlab.com/icecap-project/seL4.git
-	branch = realmos
-[submodule "workspaces/icecap-runtime/deps/seL4_tools"]
-	path = workspaces/icecap-runtime/deps/seL4_tools
-	url = https://gitlab.com/icecap-project/seL4_tools.git
-	branch = realmos
-[submodule "workspaces/icecap-runtime/deps/capdl"]
-	path = workspaces/icecap-runtime/deps/capdl
-	url = https://gitlab.com/icecap-project/capdl.git
-[submodule "icecap/sysroot/libc"]
-	path = icecap/sysroot/libc
-	url = https://gitlab.com/icecap-project/rust-libc.git
-	branch = icecap
 [submodule "third-party/rust-mbedtls"]
 	path = third-party/rust-mbedtls
 	url = https://github.com/veracruz-project/rust-mbedtls.git

NETWORK.markdown

@@ -23,7 +23,7 @@ Veracruz Client               Veracruz Server                        Runtime Man
 +------------+      +------------+  +------------------+      +----------------------------+
 |    TCP     |      | TCP (3011) |  |   TCP (Linux)    |      |     TCP (6000) (Linux)     |
 +------------+      +------------+  |   Unix socket    |      | Unix socket (5005) (Nitro) |
-                                    | (Icecap & Nitro) |      |  VirtIO console (IceCap)   |
+                                    |     (Nitro)      |      |                            |
                                     +------------------+      +----------------------------+
 ```
 

docker/Makefile

@@ -54,7 +54,7 @@ base: base/Dockerfile
 		-t $(IMAGE)/$*/$(USER):$(VERSION) -f $< .
 
 .PHONY: all-base
-all-base: base linux-base nitro-base icecap-base
+all-base: base linux-base nitro-base
 	echo 'All base docker images re-built from scratch'
 
 # Make sure the cargo registry directory exists to avoid permission issues
@@ -111,23 +111,6 @@ localci-base: ci/Dockerfile.local ci-base
 all-ci: ci-image localci-base
 	echo 'All CI docker images re-built from scratch'
 
-#####################################################################
-# IceCap-related targets
-
-.PHONY:
-icecap-run: | $(HOME)/.cargo/registry
-	docker run --init --privileged --rm -d $(DOCKER_RUN_PARAMS) \
-		--name $(CONTAINER)-icecap-$(USER)-$(VERSION) \
-		$(IMAGE)/icecap/$(USER):$(VERSION) sleep inf
-
-.PHONY:
-icecap-exec:
-	docker exec -i -t $(CONTAINER)-icecap-$(USER)-$(VERSION) /bin/bash || true
-
-.PHONY: icecap-base
-icecap-base: icecap/Dockerfile base
-	$(DOCKER_BUILD_CMD) $(BUILD_ARGS) -t $(IMAGE)/icecap/$(USER):$(VERSION) -f $< .
-
 #####################################################################
 # Linux-related targets
 

docker/ci/Dockerfile.base

@@ -1,5 +1,5 @@
 # docker image for local CI.
-# It currently uses nitro image (which is a superset of linux image) and adds icecap
+# It currently uses nitro image (which is a superset of linux image)
 #
 # AUTHORS
 #
@@ -17,50 +17,6 @@ ARG VERSION="latest"
 
 FROM veracruz/nitro:${VERSION} as final
 
-# Install repo
-RUN \
-    export REPO=$(mktemp /tmp/repo.XXXXXXXXX) ; \
-    curl -o ${REPO} https://storage.googleapis.com/git-repo-downloads/repo && \
-    gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv-key 8BB9AD793E8E6153AF0F9A4416530D5E920F5C65 && \
-    curl -s https://storage.googleapis.com/git-repo-downloads/repo.asc | gpg --verify - ${REPO} && \
-    install -m 755 ${REPO} /usr/bin/repo && \
-    rm ${REPO}
-
-# Install sel4-deps & other IceCap python package dependencies
-RUN \
-    python3 -m pip install --no-cache-dir \
-        aenum \
-        concurrencytest \
-        hypothesis \
-        nose \
-        orderedset \
-        pyelftools \
-        sel4-deps \
-        six \
-        sortedcontainers
-
-RUN set -eux; \
-    dpkgArch="$(dpkg --print-architecture)"; \
-    case "${dpkgArch##*-}" in \
-        amd64) arch='x86_64'; fileSha256='0581cebe880b8ed47556ee73d8bbb9d602b5b82e38f89f6aa53acaec37e7760d' ;; \
-        arm64) arch='aarch64'; fileSha256='741cf6552adcd41ca0c38c4f03b1e8f244873d988f70ef5ed4b502c0df28ea5a' ;; \
-        *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; \
-    esac; \
-    curl -L -o stack.tar.gz "https://github.com/commercialhaskell/stack/releases/download/v2.9.1/stack-2.9.1-linux-${arch}.tar.gz" && \
-    echo "${fileSha256} *stack.tar.gz" | sha256sum -c - ; \
-    tar zxf stack.tar.gz && \
-    cp stack-2.9.1-linux-${arch}/stack /usr/bin && \
-    chmod a+x /usr/bin/stack && \
-    rm -rf stack* && \
-    git clone https://gitlab.com/arm-research/security/icecap/capdl.git && \
-    cd capdl/capDL-tool && \
-    stack --version && \
-    make && \
-    cp parse-capDL /usr/local/bin && \
-    cd ../.. && \
-    rm -rf capdl && \
-    rm -rf $HOME/.stack
-
 RUN \
     if [ -d /work/aarch64-linux-musl-native ] ; then \
         ln -s /work/aarch64-linux-musl-native /work/aarch64-linux-musl-cross ; \

docker/ci/Dockerfile.cache

@@ -18,11 +18,8 @@ ARG VERSION="latest"
 FROM veracruz/ci-base:${VERSION} as final
 
 ARG ARCH=x86_64
-ARG ICECAP_RUST_VERSION=1.60.0
 
 RUN rustup target add ${ARCH}-unknown-linux-musl wasm32-wasi && \
-    rustup toolchain install ${ICECAP_RUST_VERSION} --target aarch64-unknown-linux-gnu && \
-    rustup component add --toolchain ${ICECAP_RUST_VERSION} rustfmt && \
     cargo install empty-library || true # Load crates.io index
 
 WORKDIR /work

docker/ci/Dockerfile.local

@@ -17,11 +17,8 @@ ARG VERSION="latest"
 FROM veracruz/ci-base:${VERSION} as final
 
 ARG ARCH=x86_64
-ARG ICECAP_RUST_VERSION=1.60.0
 
 RUN rustup target add ${ARCH}-unknown-linux-musl wasm32-wasi && \
-    rustup toolchain install ${ICECAP_RUST_VERSION} --target aarch64-unknown-linux-gnu && \
-    rustup component add rustfmt && \
-    rustup component add --toolchain ${ICECAP_RUST_VERSION} rustfmt
+    rustup component add rustfmt
 
 WORKDIR /work

execution-engine/Cargo.toml

@@ -7,11 +7,6 @@ version = "0.3.0"
 
 [features]
 default = []
-icecap = [
-  "mbedtls/icecap",
-  "platform-services/icecap",
-  "policy-utils/icecap",
-]
 nitro = [
   "mbedtls/monitor_getrandom",
   "platform-services/nitro",
@@ -30,9 +25,6 @@ log = "0.4.13"
 anyhow = "1"
 byteorder = "1.4.3"
 cfg-if = "1"
-# ctor is not used by this crate, but we must prevent other crates from
-# picking up a newer version of this crate which does not work with IceCap:
-ctor = "=0.1.16"
 err-derive = "0.2"
 lazy_static = { version = "1.4.0", features = ["spin_no_std"] }
 mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }

execution-engine/src/fs.rs

@@ -32,10 +32,7 @@ use std::{
     sync::{Arc, Mutex, MutexGuard},
     vec::Vec,
 };
-// TODO: wait for icecap to support direct conversion between bytes and os_str, bypassing
-// potential utf-8 encoding check
 use log::error;
-#[cfg(not(feature = "icecap"))]
 use std::{
     ffi::OsString,
     os::unix::ffi::{OsStrExt, OsStringExt},
@@ -363,11 +360,6 @@ impl InodeImpl {
         };
         let mut rst = Vec::new();
         for (index, (path, inode)) in dir.iter().enumerate() {
-            // TODO: wait for icecap support direct conversion from os_str to bytes, bypassing
-            // potential utf-8 encoding check when calling to_str
-            #[cfg(feature = "icecap")]
-            let path_byte = path.as_os_str().to_str().unwrap().as_bytes().to_vec();
-            #[cfg(not(feature = "icecap"))]
             let path_byte = path.as_os_str().as_bytes().to_vec();
             let dir_ent = DirEnt {
                 next: (u64::try_from_or_errno(index)? + 1u64).into(),
@@ -1926,12 +1918,6 @@ impl FileSystem {
                 inode_table.get(&inode)?.read_dir(&inode_table)?
             };
             for (_, sub_relative_path) in all_dir.iter() {
-                // TODO: wait for icecap support direct conversion from bytes to os_str, bypassing
-                // potential utf-8 encoding check
-                #[cfg(feature = "icecap")]
-                let sub_relative_path =
-                    PathBuf::from(String::from_utf8(sub_relative_path.to_vec()).unwrap());
-                #[cfg(not(feature = "icecap"))]
                 let sub_relative_path =
                     PathBuf::from(OsString::from_vec(sub_relative_path.to_vec()));
                 // Ignore the path for current and parent directories.
@@ -2000,12 +1986,6 @@ impl FileSystem {
                 rst.push((path.to_path_buf(), None));
             } else {
                 for (_, sub_relative_path) in all_dir.iter() {
-                    // TODO: wait for icecap support direct conversion from bytes to os_str, bypassing
-                    // potential utf-8 encoding check
-                    #[cfg(feature = "icecap")]
-                    let sub_relative_path =
-                        PathBuf::from(String::from_utf8(sub_relative_path.to_vec()).unwrap());
-                    #[cfg(not(feature = "icecap"))]
                     let sub_relative_path =
                         PathBuf::from(OsString::from_vec(sub_relative_path.to_vec()));
                     // Ignore the path for current and parent directories.