sgx-faasm: bump faasm version and refine deployment strategy

Author: csegarragonz

ansible/tasks/sgx-faasm/apt.yaml

@@ -7,7 +7,7 @@
 
 - name: "Add Intel SGX repository"
   apt_repository:
-    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-archive-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main"
+    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-archive-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main"
     filename: intel-sgx
     state: present
   become: yes
@@ -17,7 +17,7 @@
     update_cache: yes
   become: yes
 
-- name: "Install APT depdencencies"
+- name: "Install APT dependencies"
   become: yes
   apt:
     name:

ansible/tasks/sgx-faasm/sgx_setup.yaml

@@ -5,23 +5,3 @@
 
 - name: "Set WASM VM env. variable to SGX"
   shell: "echo 'export PATH=$PATH:/home/{{ ansible_user }}/.local/bin' >> /home/{{ ansible_user }}/.bashrc"
-
-- name: "Update apt cache"
-  become: yes
-  apt:
-    update_cache: yes
-
-- name: "Install linux recommends"
-  become: yes
-  shell: "apt install --install-recommends -y linux-generic"
-
-- name: "Upgrade to 6.x kernel for EDMM features"
-  become: yes
-  apt:
-    name: linux-image-6.5.0-1025-azure
-  environment:
-    DEBIAN_FRONTEND: noninteractive
-
-- name: "Reboot to pick-up latest kernel"
-  reboot:
-  become: yes

ansible/tasks/sgxfaasm.yaml

@@ -1,5 +1,17 @@
 ---
 
+- name: "Fetch all container images"
+  shell:
+    cmd: |
+      docker pull ghcr.io/faasm/accless-experiments:{{ accless_version}}
+      docker pull ghcr.io/faasm/upload:{{ faasm_version }}
+      docker pull ghcr.io/faasm/worker:{{ faasm_version }}
+      docker pull ghcr.io/faasm/worker-sgx:{{ faasm_version }}
+      docker pull ghcr.io/faasm/cli:{{ faasm_version }}
+      docker pull ghcr.io/faasm/cli-sgx:{{ faasm_version }}
+  args:
+    executable: /bin/bash
+
 - name: "Deploy Faasm cluster"
   shell: rm -rf ./venv-bm && source ./bin/workon.sh && faasmctl deploy.compose --mount-source . --workers=4
   args:
@@ -12,18 +24,12 @@
     # FAASM_ATTESTATION_SERVICE_URL: "{{ as_ip }}"
     FAASM_WASM_VM: sgx
 
-# Build all the targets for the SGX baselines (SGX-Faasm and Accless-Faasm)
+# Build all the targets for the SGX and non-SGX baselines
 - name: "Deploy Faasm cluster"
-  shell: source ./bin/workon.sh && faasmctl cli.faasm --cmd "./bin/inv_wrapper.sh dev.tools --build Release --sgx Hardware"
-  args:
-    chdir: "/home/{{ ansible_user }}/git/faasm/faasm"
-    executable: /bin/bash
-  environment:
-    FAASM_WASM_VM: sgx
-
-# Build all the targets for the non-SGX baseline (Faasm)
-- name: "Deploy Faasm cluster"
-  shell: source ./bin/workon.sh && faasmctl cli.faasm --cmd "./bin/inv_wrapper.sh dev.tools --build Release --sgx Disabled"
+  shell:
+  cmd: |
+    source ./bin/workon.sh && faasmctl cli.faasm --cmd "./bin/inv_wrapper.sh dev.tools --build Release --sgx Hardware"
+    source ./bin/workon.sh && faasmctl cli.faasm --cmd "./bin/inv_wrapper.sh dev.tools --build Release --sgx Disabled"
   args:
     chdir: "/home/{{ ansible_user }}/git/faasm/faasm"
     executable: /bin/bash
@@ -39,9 +45,4 @@
   environment:
     FAASM_WASM_VM: sgx
 
-- name: "Fetch the cross-compilation toolchain image"
-  shell: docker pull ghcr.io/faasm/accless-experiments:{{ accless_version}}
-  args:
-    executable: /bin/bash
-
 # TODO: build workflows here, and patch with the right certificate for the AS

bin/workon.sh

@@ -32,7 +32,7 @@ alias kubectl=${COCO_SOURCE}/bin/kubectl
 
 # This is the path in the SGX-enabled machine we use for the experiments
 export FAASM_INI_FILE=/home/tless/git/faasm/faasm/faasm.ini
-export FAASM_VERSION=0.30.0
+export FAASM_VERSION=0.33.0
 
 # ----------------------------
 # Git config

docs/sgx_faasm.md

@@ -2,17 +2,31 @@
 
 TODO(docs): explain SGX-Faasm design
 
+SGX-Faasm is a port of the [Faasm](https://github.com/faasm/faasm) serverless
+runtime to execute serverless functions (inside WASM modules) inside SGX
+enclaves and, optionally, leverage Accless for access control.
+
+We had to modify Faasm quite extensively, but all our modifications are
+upstreamed and cover mostly what is under the `src/enclave` directory.
+
 ## Deploy
 
 For the time being, we deploy SGX-Faasm on an SGXv2 VM on Azure, and deploy
 a Faasm compose cluster in there. In the future we could consider deploying
 directly on top of AKS.
 
+To create the Azure resources to run SGX-Faasm you may run:
+
 ```bash
 invrs azure sgx-faasm create
 invrs azure sgx-faasm provision
 ```
 
+then, for each variant of Faasm follow the coresponding instructions:
+* [Faasm](#faasm) - vanilla  Faasm.
+* [SGX-Faasm](#sgx-faasm) - Faasm on top of SGX, no access control.
+* [Accless-Faasm](#sgx-faasm) - Faasm on top of SGX with access control.
+
 ### Faasm
 
 ```bash

invrs/ansible/inventory/vms.ini

@@ -37,4 +37,8 @@ impl Env {
 
         Ok(version.trim().to_string())
     }
+
+    pub fn get_faasm_version() -> String {
+        std::env::var("FAASM_VERSION").unwrap()
+    }
 }

invrs/src/env.rs

@@ -7,7 +7,7 @@ use crate::tasks::s3::S3;
 use crate::tasks::ubench::{MicroBenchmarks, Ubench, UbenchRunArgs};
 use clap::{Parser, Subcommand};
 use log::error;
-use std::{path::Path, process};
+use std::{collections::HashMap, path::Path, process};
 
 pub mod attestation_service;
 pub mod env;
@@ -604,10 +604,13 @@ async fn main() -> anyhow::Result<()> {
                     let client_ip = Azure::get_vm_ip("accless-cvm");
                     let server_ip = Azure::get_vm_ip("accless-as");
 
+                    let vars: HashMap<&str, &str> = HashMap::from([
+                        ("as_ip", server_ip.as_str())
+                    ]);
                     Azure::provision_with_ansible(
                         "accless",
                         "accless",
-                        Some(format!("as_ip={server_ip}").as_str()),
+                        Some(vars),
                     );
 
                     // Copy the necessary stuff from the server to the client
@@ -677,10 +680,13 @@ async fn main() -> anyhow::Result<()> {
                 AzureSubCommand::Provision {} => {
                     let service_ip = Azure::get_vm_ip("attestation-service");
 
+                    let vars: HashMap<&str, &str> = HashMap::from([
+                        ("as_ip", service_ip.as_str())
+                    ]);
                     Azure::provision_with_ansible(
                         "attestation-service",
                         "attestationservice",
-                        Some(format!("as_ip={service_ip}").as_str()),
+                        Some(vars),
                     );
                 }
                 AzureSubCommand::ScpResults {} => {
@@ -739,10 +745,15 @@ async fn main() -> anyhow::Result<()> {
                 }
                 AzureSubCommand::Provision {} => {
                     let version = Env::get_version().unwrap();
+                    let faasm_version = Env::get_faasm_version();
+                    let vars: HashMap<&str, &str> = HashMap::from([
+                        ("accless_version", version.as_str()),
+                        ("faasm_version", faasm_version.as_str()),
+                    ]);
                     Azure::provision_with_ansible(
                         "sgx-faasm",
                         "sgxfaasm",
-                        Some(format!("accless_version={version}").as_str()),
+                        Some(vars),
                     );
                 }
                 AzureSubCommand::ScpResults {} => {
@@ -779,10 +790,11 @@ async fn main() -> anyhow::Result<()> {
                 }
                 AzureSubCommand::Provision {} => {
                     let version = Env::get_version().unwrap();
+                    let vars: HashMap<&str, &str> = HashMap::from([("accless_version", version.as_str())]);
                     Azure::provision_with_ansible(
                         "snp-knative",
                         "snpknative",
-                        Some(format!("accless_version={version}").as_str()),
+                        Some(vars),
                     );
                 }
                 AzureSubCommand::ScpResults {} => {
@@ -828,10 +840,13 @@ async fn main() -> anyhow::Result<()> {
                     let client_ip = Azure::get_vm_ip("tless-trustee-client");
                     let server_ip = Azure::get_vm_ip("tless-trustee-server");
 
+                    let vars: HashMap<&str, &str> = HashMap::from([
+                        ("kbs_ip", server_ip.as_str())
+                    ]);
                     Azure::provision_with_ansible(
                         "tless-trustee",
                         "trustee",
-                        Some(format!("kbs_ip={server_ip}").as_str()),
+                        Some(vars),
                     );
 
                     // Copy the necessary stuff from the server to the client

invrs/src/main.rs

@@ -3,7 +3,7 @@ use base64::Engine;
 use log::info;
 use serde_json::Value;
 use shellexpand;
-use std::{fs, process::Command, process::ExitStatus};
+use std::{fs, collections::HashMap, process::Command, process::ExitStatus};
 
 const AZURE_RESOURCE_GROUP: &str = "faasm";
 const AZURE_USERNAME: &str = "tless";
@@ -12,8 +12,7 @@ const AZURE_LOCATION: &str = "eastus";
 const AZURE_SSH_PRIV_KEY: &str = "~/.ssh/id_rsa";
 const AZURE_SSH_PUB_KEY: &str = "~/.ssh/id_rsa.pub";
 
-const AZURE_SGX_VM_IMAGE: &str =
-    "Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:22.04.202301140";
+const AZURE_SGX_VM_IMAGE: &str = "Canonical:ubuntu-24_04-lts:server:latest";
 const AZURE_SNP_CC_VM_SIZE: &str =
     "/CommunityGalleries/cocopreview-91c44057-c3ab-4652-bf00-9242d5a90170/Images/ubu2204-snp-host-upm/Versions/latest";
 
@@ -482,7 +481,7 @@ impl Azure {
     pub fn provision_with_ansible(
         vm_deployment: &str,
         inventory_name: &str,
-        extra_vars: Option<&str>,
+        extra_vars: Option<HashMap<&str, &str>>,
     ) {
         let mut inventory_file = Env::ansible_root().join("inventory");
         fs::create_dir_all(&inventory_file).expect("invrs: failed to create inventory directory");
@@ -514,7 +513,10 @@ impl Azure {
                 .to_str()
                 .unwrap(),
             match extra_vars {
-                Some(val) => format!("-e {val}"),
+                Some(val) => {
+                    let json = serde_json::to_string(&val).unwrap();
+                    format!("-e {json}")
+                },
                 None => "".to_string(),
             }
         );