Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Veracruz working on IceCap RealmOS in CCA #555

Open
wants to merge 20 commits into
base: veracruz-v2
Choose a base branch
from
Open

Veracruz working on IceCap RealmOS in CCA #555

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
ad28f2f
add env var to help switch between realm mode and non-realm mode
May 19, 2022
a47e32e
use icecap_plat=lkvm_realm (or lkvm) to switch between realm mode and…
May 19, 2022
b25bae0
update Makefile + icecap submodule
May 20, 2022
e24e6e2
Update Makefile
May 23, 2022
4be84e9
RiceCap: support for virtio-console
Oct 3, 2022
3562c44
RiceCap: fix virtio-console for veracruz use case
Oct 4, 2022
0704e89
RiceCap: add debug prints in virtio-console for veracruz use casegi
basmaelgaabouri Oct 4, 2022
7cbefdc
RiceCap: virtio-console working in runtime manager
basmaelgaabouri Oct 5, 2022
dc364ba
RiceCap: add lkvm interface to veracruz server
basmaelgaabouri Oct 6, 2022
324664a
RiceCap: changes to build veracruz server for cca
basmaelgaabouri Oct 6, 2022
6e8ea81
Fix some rebase issues
mathias-arm Oct 7, 2022
391747c
Add cca Makefile
basmaelgaabouri Oct 11, 2022
7c5e80b
update Makefile and fix vc-server
basmaelgaabouri Oct 13, 2022
834f9b7
unix socket for icecap-veracruz server
basmaelgaabouri Oct 17, 2022
cc6f2b9
add build target for icecap-cca tests
basmaelgaabouri Oct 17, 2022
c547e60
update icecape platform in Makefiles
basmaelgaabouri Oct 19, 2022
955ecb8
Runtime: fix handling requests: part of the request was in the header
basmaelgaabouri Oct 27, 2022
5b1f4ed
veracruz server for icecap CCA
basmaelgaabouri Oct 27, 2022
cbaa09b
remove debug prints
basmaelgaabouri Oct 27, 2022
9373a7c
Fixes after rebase
mathias-arm Jun 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions execution-engine/src/engines/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,11 @@ pub mod strace;
pub(crate) mod wasmi;
#[cfg(feature = "std")]
pub(crate) mod wasmtime;
#[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
pub mod icecap;
#[cfg(feature = "icecap-cca")]
pub mod icecap_cca;
#[cfg(feature = "linux")]
pub mod linux;
#[cfg(feature = "nitro")]
pub mod nitro;
2 changes: 2 additions & 0 deletions icecap-runtime-manager/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ version = "0.3.0"
edition = "2018"

[features]
icecap-lkvm = []
icecap-lkvm_realm = []
icecap-qemu = []

[dependencies]
Expand Down
130 changes: 72 additions & 58 deletions icecap-runtime-manager/src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,33 @@ use icecap_core::{
};
use icecap_start_generic::declare_generic_main;
use icecap_std_external;
use runtime_manager::common_runtime::CommonRuntime;
use runtime_manager::{
common_runtime::CommonRuntime,
managers::session_manager::init_session_manager,
};

use veracruz_utils::{
runtime_manager_message::{ RuntimeManagerRequest, RuntimeManagerResponse, Status },
};

use serde::{Deserialize, Serialize};

use core::fmt::{self, Write};
use icecap_core::ring_buffer::*;

pub(crate) struct Writer<'a>(pub &'a mut BufferedRingBuffer);

macro_rules! out {
($dst:expr, $($arg:tt)*) => (Writer($dst).write_fmt(format_args!($($arg)*)).unwrap());
}

impl fmt::Write for Writer<'_> {
fn write_str(&mut self, s: &str) -> fmt::Result {
self.0.tx(s.as_bytes());
Ok(())
}
}

mod icecap_runtime;

declare_generic_main!(main);
Expand All @@ -40,48 +64,50 @@ struct Config {

#[derive(Debug, Clone, Serialize, Deserialize)]
struct Badges {
virtio_console_server_ring_buffer: Badge,
virtio_console_server_tx: Badge,
virtio_console_server_rx: Badge,
//virtio_console_server_ring_buffer: Badge,
}

fn main(config: Config) -> Fallible<()> {
// TODO why do we need this?
icecap_runtime_init();

debug_println!("icecap-realmos: initializing...");

// enable ring buffer to serial-server
let virtio_console_client =
RingBuffer::unmanaged_from_config(&config.virtio_console_server_ring_buffer);
virtio_console_client.enable_notify_read();
virtio_console_client.enable_notify_write();
debug_println!("icecap-realmos: enabled ring buffer");

let mut virtio_console_client = BufferedRingBuffer::new(
RingBuffer::unmanaged_from_config(
&config.virtio_console_server_ring_buffer,
)
);
debug_println!("icecap-realmos: running...");
RuntimeManager::new(
virtio_console_client,
config.event_nfn,
config.badges.virtio_console_server_ring_buffer,
config.badges.virtio_console_server_tx,
config.badges.virtio_console_server_rx,
)
.run()
}

struct RuntimeManager {
channel: RingBuffer,
channel: BufferedRingBuffer,
event: Notification,
virtio_console_server_ring_buffer_badge: Badge,
virtio_console_server_tx: Badge,
virtio_console_server_rx: Badge,
active: bool,
}

impl RuntimeManager {
fn new(
channel: RingBuffer,
channel: BufferedRingBuffer,
event: Notification,
virtio_console_server_ring_buffer_badge: Badge,
virtio_console_server_tx: Badge,
virtio_console_server_rx: Badge,
) -> Self {
Self {
channel: channel,
event: event,
virtio_console_server_ring_buffer_badge: virtio_console_server_ring_buffer_badge,
virtio_console_server_tx: virtio_console_server_tx,
virtio_console_server_rx: virtio_console_server_rx,
active: true,
}
}
Expand All @@ -93,57 +119,45 @@ impl RuntimeManager {
let mut runtime = CommonRuntime::new(&icecap_runtime);
loop {
let badge = self.event.wait();
if badge & self.virtio_console_server_ring_buffer_badge != 0 {
self.process(&mut runtime)?;
self.channel.enable_notify_read();
self.channel.enable_notify_write();

if !self.active {
return Ok(());
}
if badge & self.virtio_console_server_rx != 0 {
let received_buffer = self.receive_buffer()?;
let response_buffer = runtime.decode_dispatch(&received_buffer)
.map_err(|e| format_err!("Failed to dispatch request: {}", e))?;
debug_println!("IceCap Runtime Manager::main_loop received:{:02x?}", response_buffer);
self.send_buffer(&response_buffer)?;

self.channel.rx_callback();
}
self.channel.tx_callback();
}
}

fn process(&mut self, runtime: &mut CommonRuntime) -> Fallible<()> {
// recv request if we have a full request in our ring buffer
if self.channel.poll_read() < size_of::<u32>() {
return Ok(());
pub fn receive_buffer(&mut self) -> Result<Vec<u8>, Error> {
let mut raw_header = vec![];
while raw_header.len() < size_of::<u32>() {
if let Some(raw) = self.channel.rx() {
raw_header = [&raw_header[..], &raw[..]].concat();
}
}
let mut raw_request = vec![];
//header containers part of the request
if raw_header.len() > size_of::<u32>() {
raw_request = raw_header[size_of::<u32>()..].to_vec();
}
let mut raw_header = [0; size_of::<u32>()];
self.channel.peek(&mut raw_header);
let header = bincode::deserialize::<u32>(&raw_header)
let header = bincode::deserialize::<u32>(&raw_header[..size_of::<u32>()])
.map_err(|e| format_err!("Failed to deserialize request: {}", e))?;
let size = usize::try_from(header)
.map_err(|e| format_err!("Failed to deserialize request: {}", e))?;

if self.channel.poll_read() < size_of::<u32>() + size {
return Ok(());
while raw_request.len() < size {
if let Some(raw) = self.channel.rx() {
raw_request = [&raw_request[..], &raw[..]].concat();
}
}
let mut raw_request = vec![0; usize::try_from(header).unwrap()];
self.channel.skip(size_of::<u32>());
self.channel.read(&mut raw_request);
// let request = bincode::deserialize::<RuntimeManagerRequest>(&raw_request)
// .map_err(|e| format_err!("Failed to deserialize request: {}", e))?;

// process requests
//let response = self.handle(request)?;
let response_buffer = runtime
.decode_dispatch(&raw_request)
.map_err(|err| format_err!("runtime.decode_dispatch failed: {}", err))?;

// send response
// let raw_response = bincode::serialize(&response_buffer)
// .map_err(|e| format_err!("Failed to serialize response: {}", e))?;
let raw_header = bincode::serialize(&u32::try_from(response_buffer.len()).unwrap())
.map_err(|e| format_err!("Failed to serialize response: {}", e))?;

self.channel.write(&raw_header);
self.channel.write(&response_buffer);

self.channel.notify_read();
self.channel.notify_write();
Ok(raw_request)
}

pub fn send_buffer(&mut self, buffer: &[u8]) -> Result<(), Error> {
self.channel.tx(&buffer);
Ok(())
}
}
Expand Down
37 changes: 37 additions & 0 deletions icecap-veracruz-server/src/server.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -350,6 +350,43 @@ impl VeracruzServer for VeracruzServerIceCap {
.read_exact(&mut buffer)
.map_err(|e| anyhow!(e))?;
return Ok(buffer);
fn tls_data(
&mut self,
session_id: u32,
input: Vec<u8>,
) -> Result<(bool, Option<Vec<Vec<u8>>>), VeracruzServerError> {
match self.communicate(&RuntimeManagerRequest::SendTlsData(session_id, input))? {
RuntimeManagerResponse::Status(Status::Success) => (),
resp => {
return Err(VeracruzServerError::IceCapError(
IceCapError::UnexpectedRuntimeManagerResponse(resp),
))
}
}

let mut acc = Vec::new();
let active = loop {
if !self.tls_data_needed(session_id)? {
break true;
}
match self.communicate(&RuntimeManagerRequest::GetTlsData(session_id))? {
RuntimeManagerResponse::TlsData(data, active) => {
acc.push(data);
if !active {
break false;
}
}
resp => return Err(IceCapError::UnexpectedRuntimeManagerResponse(resp).into()),
};
};

Ok((
active,
match acc.len() {
0 => None,
_ => Some(acc),
},
))
}
}

Expand Down
1 change: 1 addition & 0 deletions runtime-manager/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ icecap = [
"veracruz-utils/icecap",
]
icecap-lkvm = []
icecap-lkvm_realm = []
icecap-qemu = []
linux = [
"bincode",
Expand Down
13 changes: 7 additions & 6 deletions tests/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,14 @@ icecap = [
"veracruz-server/icecap",
"veracruz-utils/icecap",
]
icecap-lkvm = [
"veracruz-server/icecap-lkvm"
]
icecap-qemu = [
"veracruz-server/icecap-qemu",
"icecap-veracruz-server"
icecap-cca = [
"policy-utils/icecap",
"veracruz-server/icecap-cca",
"veracruz-utils/icecap",
]
icecap-lkvm = ["veracruz-server/icecap-lkvm"]
icecap-lkvm_realm = ["veracruz-server/icecap-lkvm_realm"]
icecap-qemu = ["veracruz-server/icecap-qemu"]
linux = [
"linux-veracruz-server",
"policy-utils/std",
Expand Down
8 changes: 8 additions & 0 deletions tests/tests/server_test.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,14 @@ use std::{
};
use transport_protocol;
use veracruz_server::common::*;
#[cfg(feature = "icecap-cca")]
use veracruz_server::icecap_cca::VeracruzServerIceCapCCA as VeracruzServerEnclave;
#[cfg(feature = "icecap")]
use veracruz_server::icecap::VeracruzServerIceCap as VeracruzServerEnclave;
#[cfg(feature = "linux")]
use veracruz_server::linux::veracruz_server_linux::VeracruzServerLinux as VeracruzServerEnclave;
#[cfg(feature = "nitro")]
use veracruz_server::nitro::veracruz_server_nitro::VeracruzServerNitro as VeracruzServerEnclave;
use veracruz_utils::VERACRUZ_RUNTIME_HASH_EXTENSION_ID;

// Policy files
Expand Down
9 changes: 9 additions & 0 deletions veracruz-server/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,15 @@ icecap = [
"veracruz-utils/icecap",
]
icecap-lkvm = []
icecap-cca = [
"io-utils/icecap",
"policy-utils/icecap",
"psa-attestation",
"signal-hook",
"tempfile",
"veracruz-utils/icecap",
]
icecap-lkvm_realm = []
icecap-qemu = []
linux = [
"data-encoding",
Expand Down
11 changes: 10 additions & 1 deletion veracruz-server/src/common.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@
//! See the `LICENSE_MIT.markdown` file in the Veracruz root directory for
//! information on licensing and copyright.

#[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
use crate::platforms::icecap::IceCapError;
#[cfg(feature = "icecap-cca")]
use crate::platforms::icecap_cca::IceCapError;
use err_derive::Error;
#[cfg(feature = "nitro")]
use nitro_enclave::NitroError;
Expand Down Expand Up @@ -49,7 +53,12 @@ pub enum VeracruzServerError {
#[cfg(feature = "nitro")]
#[error(display = "VeracruzServer: Nitro Error:{:?}", _0)]
NitroError(#[error(source)] NitroError),
#[cfg(feature = "icecap")]
#[cfg(feature = "icecap-cca")]
#[error(display = "VeracruzServer: IceCap CCA error: {:?}", _0)]
IceCapError(#[error(source)] IceCapError),
#[cfg(all(feature = "icecap", not(feature = "icecap-cca")))]
#[error(display = "VeracruzServer: IceCap error: {:?}", _0)]
IceCapError(#[error(source)] IceCapError),
#[error(display = "VeracruzServer: TransportProtocolError: {:?}.", _0)]
TransportProtocolError(#[error(source)] transport_protocol::TransportProtocolError),
#[error(display = "VeracruzServer: Join Error: {:?}.", _0)]
Expand Down
Loading