Fixes after rebase

veracruz-project · Aug 1, 2023 · 9373a7c · 9373a7c
1 parent cbaa09b
commit 9373a7c
Show file tree

Hide file tree

Showing 11 changed files with 95 additions and 126 deletions.
diff --git a/execution-engine/src/engines/mod.rs b/execution-engine/src/engines/mod.rs
@@ -14,7 +14,7 @@ pub mod strace;
 pub(crate) mod wasmi;
 #[cfg(feature = "std")]
 pub(crate) mod wasmtime;
-#[cfg(feature = "icecap")]
+#[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
 pub mod icecap;
 #[cfg(feature = "icecap-cca")]
 pub mod icecap_cca;

diff --git a/icecap-runtime-manager/Cargo.toml b/icecap-runtime-manager/Cargo.toml
@@ -4,6 +4,8 @@ version = "0.3.0"
 edition = "2018"
 
 [features]
+icecap-lkvm = []
+icecap-lkvm_realm = []
 icecap-qemu = []
 
 [dependencies]

diff --git a/icecap-runtime-manager/src/main.rs b/icecap-runtime-manager/src/main.rs
@@ -24,7 +24,15 @@ use icecap_core::{
 };
 use icecap_start_generic::declare_generic_main;
 use icecap_std_external;
-use runtime_manager::common_runtime::CommonRuntime;
+use runtime_manager::{
+    common_runtime::CommonRuntime,
+    managers::session_manager::init_session_manager,
+};
+
+use veracruz_utils::{
+    runtime_manager_message::{ RuntimeManagerRequest, RuntimeManagerResponse, Status },
+};
+
 use serde::{Deserialize, Serialize};
 
 use core::fmt::{self, Write};
@@ -36,7 +44,6 @@ macro_rules! out {
     ($dst:expr, $($arg:tt)*) => (Writer($dst).write_fmt(format_args!($($arg)*)).unwrap());
 }
 
-
 impl fmt::Write for Writer<'_> {
     fn write_str(&mut self, s: &str) -> fmt::Result {
         self.0.tx(s.as_bytes());
@@ -113,14 +120,19 @@ impl RuntimeManager {
         loop {
             let badge = self.event.wait();
             if badge &  self.virtio_console_server_rx != 0 {
-                self.process()?;
+                let received_buffer = self.receive_buffer()?;
+                let response_buffer = runtime.decode_dispatch(&received_buffer)
+                    .map_err(|e| format_err!("Failed to dispatch request: {}", e))?;
+                debug_println!("IceCap Runtime Manager::main_loop received:{:02x?}", response_buffer);
+                self.send_buffer(&response_buffer)?;
+
                 self.channel.rx_callback();
             }
             self.channel.tx_callback();
         }
     }
 
-    fn process(&mut self) -> Fallible<()> {
+    pub fn receive_buffer(&mut self) -> Result<Vec<u8>, Error> {
         let mut raw_header = vec![];
         while raw_header.len() < size_of::<u32>() {
             if let Some(raw) = self.channel.rx() {
@@ -132,74 +144,22 @@ impl RuntimeManager {
         if raw_header.len() > size_of::<u32>() {
             raw_request = raw_header[size_of::<u32>()..].to_vec();
         }
-        let header = bincode::deserialize::<u32>(&raw_header[..size_of::<u32>()]).map_err(|e| format_err!("Failed to deserialize request: {}", e))?;
-        let size = usize::try_from(header).map_err(|e| format_err!("Failed to deserialize request: {}", e))?;
+        let header = bincode::deserialize::<u32>(&raw_header[..size_of::<u32>()])
+            .map_err(|e| format_err!("Failed to deserialize request: {}", e))?;
+        let size = usize::try_from(header)
+            .map_err(|e| format_err!("Failed to deserialize request: {}", e))?;
         while raw_request.len() < size {
             if let Some(raw) = self.channel.rx() {
                 raw_request = [&raw_request[..], &raw[..]].concat();
             }
         }
-        let request: RuntimeManagerRequest = bincode::deserialize(&raw_request).map_err(|e| format_err!("Failed to deserialize request: {}", e))?;
-        // process requests
-        let response = self.handle(request)?;
-        let raw_response = bincode::serialize(&response).map_err(|e| format_err!("Failed to serialize response: {}", e))?;
-        let raw_header = bincode::serialize(&u32::try_from(raw_response.len()).unwrap()).map_err(|e| format_err!("Failed to serialize response: {}", e))?;
-        //send response
-        self.channel.tx(&raw_header);
-        self.channel.tx(&raw_response);
-        Ok(())
+        Ok(raw_request)
     }
 
-    fn handle(&mut self, req: RuntimeManagerRequest) -> Fallible<RuntimeManagerResponse> {
-        Ok(match req {
-            RuntimeManagerRequest::Attestation(challenge, device_id) => {
-                match session_manager::init_session_manager()
-                    .and(self.handle_attestation(device_id, &challenge))
-                {
-                    Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                    Ok((token, csr)) => RuntimeManagerResponse::AttestationData(token, csr),
-                }
-            }
-            RuntimeManagerRequest::Initialize(policy_json, cert_chain) => {
-                match session_manager::load_policy(&policy_json)
-                    .and(session_manager::load_cert_chain(&cert_chain))
-                {
-                    Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                    Ok(()) => RuntimeManagerResponse::Status(Status::Success),
-                }
-            }
-            RuntimeManagerRequest::NewTlsSession => match session_manager::new_session() {
-                Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                Ok(sess) => RuntimeManagerResponse::TlsSession(sess),
-            },
-            RuntimeManagerRequest::CloseTlsSession(sess) => {
-                match session_manager::close_session(sess) {
-                    Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                    Ok(()) => RuntimeManagerResponse::Status(Status::Success),
-                }
-            }
-            RuntimeManagerRequest::SendTlsData(sess, data) => {
-                match session_manager::send_data(sess, &data) {
-                    Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                    Ok(()) => RuntimeManagerResponse::Status(Status::Success),
-                }
-            }
-            RuntimeManagerRequest::GetTlsDataNeeded(sess) => {
-                match session_manager::get_data_needed(sess) {
-                    Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                    Ok(needed) => RuntimeManagerResponse::TlsDataNeeded(needed),
-                }
-            }
-            RuntimeManagerRequest::GetTlsData(sess) => match session_manager::get_data(sess) {
-                Err(_) => RuntimeManagerResponse::Status(Status::Fail),
-                Ok((active, data)) => {
-                    self.active = active;
-                    RuntimeManagerResponse::TlsData(data, active)
-                }
-            },
-        })
+    pub fn send_buffer(&mut self, buffer: &[u8]) -> Result<(), Error> {
+        self.channel.tx(&buffer);
+        Ok(())
     }
-
 }
 
 const LOG_LEVEL: Level = Level::Error;

diff --git a/icecap-veracruz-server/src/server.rs b/icecap-veracruz-server/src/server.rs
@@ -350,6 +350,43 @@ impl VeracruzServer for VeracruzServerIceCap {
             .read_exact(&mut buffer)
             .map_err(|e| anyhow!(e))?;
         return Ok(buffer);
+    fn tls_data(
+        &mut self,
+        session_id: u32,
+        input: Vec<u8>,
+    ) -> Result<(bool, Option<Vec<Vec<u8>>>), VeracruzServerError> {
+        match self.communicate(&RuntimeManagerRequest::SendTlsData(session_id, input))? {
+            RuntimeManagerResponse::Status(Status::Success) => (),
+            resp => {
+                return Err(VeracruzServerError::IceCapError(
+                    IceCapError::UnexpectedRuntimeManagerResponse(resp),
+                ))
+            }
+        }
+
+        let mut acc = Vec::new();
+        let active = loop {
+            if !self.tls_data_needed(session_id)? {
+                break true;
+            }
+            match self.communicate(&RuntimeManagerRequest::GetTlsData(session_id))? {
+                RuntimeManagerResponse::TlsData(data, active) => {
+                    acc.push(data);
+                    if !active {
+                        break false;
+                    }
+                }
+                resp => return Err(IceCapError::UnexpectedRuntimeManagerResponse(resp).into()),
+            };
+        };
+
+        Ok((
+            active,
+            match acc.len() {
+                0 => None,
+                _ => Some(acc),
+            },
+        ))
     }
 }
 

diff --git a/tests/Cargo.toml b/tests/Cargo.toml
@@ -24,7 +24,6 @@ icecap = [
 ]
 icecap-cca = [
   "policy-utils/icecap",
-  "proxy-attestation-server/icecap",
   "veracruz-server/icecap-cca",
   "veracruz-utils/icecap",
 ]

diff --git a/veracruz-server/Cargo.toml b/veracruz-server/Cargo.toml
@@ -29,7 +29,6 @@ icecap = [
 icecap-lkvm = []
 icecap-cca = [
   "io-utils/icecap",
-  "openssl/vendored",
   "policy-utils/icecap",
   "psa-attestation",
   "signal-hook",

diff --git a/veracruz-server/src/common.rs b/veracruz-server/src/common.rs
@@ -9,7 +9,7 @@
 //! See the `LICENSE_MIT.markdown` file in the Veracruz root directory for
 //! information on licensing and copyright.
 
-#[cfg(feature = "icecap")]
+#[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
 use crate::platforms::icecap::IceCapError;
 #[cfg(feature = "icecap-cca")]
 use crate::platforms::icecap_cca::IceCapError;
@@ -56,7 +56,9 @@ pub enum VeracruzServerError {
     #[cfg(feature = "icecap-cca")]
     #[error(display = "VeracruzServer: IceCap CCA error: {:?}", _0)]
     IceCapError(#[error(source)] IceCapError),
-    #[cfg(feature = "icecap")]
+    #[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
+    #[error(display = "VeracruzServer: IceCap error: {:?}", _0)]
+    IceCapError(#[error(source)] IceCapError),
     #[error(display = "VeracruzServer: TransportProtocolError: {:?}.", _0)]
     TransportProtocolError(#[error(source)] transport_protocol::TransportProtocolError),
     #[error(display = "VeracruzServer: Join Error: {:?}.", _0)]

diff --git a/veracruz-server/src/platforms/icecap_cca.rs b/veracruz-server/src/platforms/icecap_cca.rs
@@ -11,7 +11,7 @@
 
 use crate::common::{VeracruzServer, VeracruzServerError};
 use err_derive::Error;
-use io_utils::http::{post_buffer, send_proxy_attestation_server_start};
+use proxy_attestation_client;
 use policy_utils::policy::Policy;
 use signal_hook::{
     consts::SIGINT,
@@ -41,7 +41,7 @@ const VERACRUZ_ICECAP_LKVM_FLAGS_DEFAULT: &'static [&'static str] = &[
     "run",
     "--realm",
     "--irqchip=gicv3",
-    "--console=serial", 
+    "--console=serial",
     "--network",
     "mode=none",
     "--tty",
@@ -212,10 +212,13 @@ impl VeracruzServerIceCapCCA {
         Ok(response)
     }
 
-    fn tls_data_needed(&mut self, session_id: u32) -> Result<bool, VeracruzServerError> {
-        match self.communicate(&RuntimeManagerRequest::GetTlsDataNeeded(session_id))? {
-            RuntimeManagerResponse::TlsDataNeeded(needed) => Ok(needed),
-            resp => Err(IceCapError::UnexpectedRuntimeManagerResponse(resp).into()),
+    fn shutdown_isolate(&mut self) -> Result<(), Box<dyn Error>> {
+        match self.0.take() {
+            Some(realm) => {
+                realm.shutdown()?;
+                Ok(())
+            }
+            None => Ok(()),
         }
     }
 }
@@ -226,10 +229,8 @@ impl VeracruzServer for VeracruzServerIceCapCCA {
 
         let mut self_ = Self(Some(IceCapRealm::spawn()?));
 
-        let (device_id, challenge) = send_proxy_attestation_server_start(
+        let (device_id, challenge) = proxy_attestation_client::start_proxy_attestation(
             policy.proxy_attestation_server_url(),
-            "psa",
-            FIRMWARE_VERSION,
         )?;
 
         let (token, csr) =
@@ -242,27 +243,20 @@ impl VeracruzServer for VeracruzServerIceCapCCA {
                 }
             };
 
-        let (root_cert, compute_cert) = {
-            let req = transport_protocol::serialize_native_psa_attestation_token(
-                &token, &csr, device_id,
-            )?;
-            let req = base64::encode(&req);
-            let url = format!(
-                "{:}/PSA/AttestationToken",
-                policy.proxy_attestation_server_url()
-            );
-            let resp = post_buffer(&url, &req)?;
-            let resp = base64::decode(&resp)?;
-            let pasr = transport_protocol::parse_proxy_attestation_server_response(None, &resp)?;
-            let cert_chain = pasr.get_cert_chain();
-            let root_cert = cert_chain.get_root_cert();
-            let compute_cert = cert_chain.get_enclave_cert();
-            (root_cert.to_vec(), compute_cert.to_vec())
+        let cert_chain = {
+            let cert_chain = proxy_attestation_client::complete_proxy_attestation_linux(
+                policy.proxy_attestation_server_url(),
+                &token,
+                &csr,
+                device_id,
+            )
+            .map_err(|err| err)?;
+            cert_chain
         };
-        println!("vc-server: send policy");
+
         match self_.communicate(&RuntimeManagerRequest::Initialize(
             policy_json.to_string(),
-            vec![compute_cert, root_cert],
+            cert_chain,
         ))? {
             RuntimeManagerResponse::Status(Status::Success) => (),
             resp => {
@@ -283,15 +277,6 @@ impl VeracruzServer for VeracruzServerIceCapCCA {
         }
     }
 
-    fn close_tls_session(&mut self, session_id: u32) -> Result<(), VeracruzServerError> {
-        match self.communicate(&RuntimeManagerRequest::CloseTlsSession(session_id))? {
-            RuntimeManagerResponse::Status(Status::Success) => Ok(()),
-            resp => Err(VeracruzServerError::IceCapError(
-                IceCapError::UnexpectedRuntimeManagerResponse(resp),
-            )),
-        }
-    }
-
     fn tls_data(
         &mut self,
         session_id: u32,
@@ -308,11 +293,11 @@ impl VeracruzServer for VeracruzServerIceCapCCA {
 
         let mut acc = Vec::new();
         let active = loop {
-            if !self.tls_data_needed(session_id)? {
-                break true;
-            }
             match self.communicate(&RuntimeManagerRequest::GetTlsData(session_id))? {
                 RuntimeManagerResponse::TlsData(data, active) => {
+                    if data.len() == 0 {
+                        break active;
+                    }
                     acc.push(data);
                     if !active {
                         break false;
@@ -330,16 +315,6 @@ impl VeracruzServer for VeracruzServerIceCapCCA {
             },
         ))
     }
-
-    fn shutdown_isolate(&mut self) -> Result<(), Box<dyn Error>> {
-        match self.0.take() {
-            Some(realm) => {
-                realm.shutdown()?;
-                Ok(())
-            }
-            None => Ok(()),
-        }
-    }
 }
 
 impl Drop for VeracruzServerIceCapCCA {

diff --git a/veracruz-server/src/server.rs b/veracruz-server/src/server.rs
@@ -10,7 +10,7 @@
 //! information on licensing and copyright.
 
 use crate::common::*;
-#[cfg(feature = "icecap")]
+#[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
 use crate::platforms::icecap::VeracruzServerIceCap as VeracruzServerEnclave;
 #[cfg(feature = "icecap-cca")]
 use crate::platforms::icecap_cca::VeracruzServerIceCapCCA as VeracruzServerEnclave;

diff --git a/workspaces/icecap-host/Cargo.lock b/workspaces/icecap-host/Cargo.lock
diff --git a/workspaces/icecap-host/Makefile b/workspaces/icecap-host/Makefile
@@ -61,15 +61,11 @@ build: rustup-plat icecap-runtime
 	$(COMPILERS) $(BUILD_PARAMETERS) \
 		cargo build $(PROFILE_FLAG) $(host_feature_flags) $(V_FLAG)
 
-build-cca: rustup-plat
-	$(COMPILERS) \
+build-cca: rustup-plat $(VERACRUZ_ICECAP_QEMU_IMAGE)
+	$(COMPILERS)  $(BUILD_PARAMETERS) \
 		cargo build $(PROFILE_FLAG) \
-		-p proxy-attestation-server \
-		-p veracruz-client -p veracruz-server \
-		--features proxy-attestation-server/icecap \
 		--features veracruz-client/icecap \
 		--features veracruz-server/icecap-cca \
-		--features cli \
 		$(host_feature_flags) \
 		$(V_FLAG)