Merge #345

345: [PLAT-182] VME enclave runner r=raoulstrackx a=raoulstrackx

Initial PR with the Fortanixvme runner and fortanix-vme-abi. It only provides support for outgoing connections. It works together with [this](fortanix/rust#2) standard library.

Co-authored-by: Raoul Strackx <[email protected]>

Author: bors[bot]

Cargo.lock

@@ -1,5 +1,8 @@
 [workspace]
 members = [
+    "fortanix-vme/fortanix-vme-abi",
+    "fortanix-vme/fortanix-vme-runner",
+    "fortanix-vme/tests/outgoing_connection",
     "intel-sgx/aesm-client",
     "intel-sgx/dcap-provider",
     "intel-sgx/dcap-ql-sys",
@@ -8,13 +11,18 @@ members = [
     "intel-sgx/enclave-runner",
     "intel-sgx/fortanix-sgx-abi",
     "intel-sgx/fortanix-sgx-tools",
-    "ipc-queue",
     "intel-sgx/report-test",
-    "rs-libc",
     "intel-sgx/sgxs",
     "intel-sgx/sgx-isa",
     "intel-sgx/sgx-pkix",
     "intel-sgx/sgxs-loaders",
-    "intel-sgx/sgxs-tools"
+    "intel-sgx/sgxs-tools",
+    "ipc-queue",
+    "rs-libc",
 ]
 exclude = ["examples"]
+
+[patch.crates-io]
+libc  = { git = "https://github.com/fortanix/libc.git", branch = "fortanixvme" }
+serde = { git = "https://github.com/fortanix/serde.git", branch = "master" }
+vsock = { git = "https://github.com/raoulstrackx/vsock-rs.git", branch = "raoul/fortanixvme" }

Cargo.toml

@@ -0,0 +1,161 @@
+#!/bin/bash -ex
+repo_root=$(readlink -f $(dirname "${BASH_SOURCE[0]}")/..)
+
+function kernel_version {
+    kernel=$(uname -r)
+    IFS='.' read -ra kernel <<< "${kernel}"
+
+    kernel_major=${kernel[0]}
+    kernel_minor=${kernel[1]}
+}
+
+function has_vsock_loopback {
+    kernel_version
+    vsock_loopback=0
+    if [[ 5 -le ${kernel_major} ]]; then
+        if [[ 6 -le ${kernel_minor} ]]; then
+            if [[ $(lsmod | grep vsock_loopback) ]]; then
+            vsock_loopback=1
+            else
+                echo "You have a vsock loopback capable kernel, but the vsock_loopback module isn't loaded. Please run \'sudo modprobe vsock_loopback\'"
+                exit -1
+	    fi
+        fi
+    fi
+}
+
+function toolchain_version {
+    toolchain_version="nightly-2021-09-08-x86_64-unknown-linux-gnu"
+}
+
+function has_tools {
+    if [[ $(which musl-gcc) ]]; then
+	echo "'musl-gcc' installed correctly"
+    else
+        echo "'musl-gcc' isn't found. Please run 'sudo apt install musl-tools'"
+	exit -1
+    fi
+}
+
+function determine_platform {
+    if [[ -z "${NITRO_CLI_BLOBS}" ]]; then
+        platform="linux"
+    else
+        platform="nitro"
+    fi
+}
+
+function init {
+    kernel_version
+    has_vsock_loopback
+    toolchain_version
+    has_tools
+    determine_platform
+}
+
+function compile {
+    name=$1
+    VME_TARGET="${TOOLCHAIN_DIR}/rust/rustup/toolchains/${toolchain_version}/lib/rustlib/x86_64-unknown-linux-fortanixvme/x86_64-unknown-linux-fortanixvme.json"
+    CC=musl-gcc \
+      RUSTFLAGS="-Clink-self-contained=yes" \
+      cargo +${toolchain_version} build --locked --release --target ${VME_TARGET} -Zbuild-std
+
+    # use elf as an output variable
+    elf=${repo_root}/target/x86_64-unknown-linux-fortanixvme/release/${name}
+}
+
+function cargo_test {
+    name=$1
+    pushd ${repo_root}/fortanix-vme/tests/$name
+    out=$(mktemp /tmp/$name.out.XXXXX)
+    err=$(mktemp /tmp/$name.err.XXXXX)
+
+    if [ -f ./test_interaction.sh ]; then
+        ./test_interaction.sh &
+	test_interaction=$!
+    fi
+
+    compile ${name}
+
+    if [ "${platform}" == "nitro" ]; then
+	eif=$(mktemp /tmp/$name.eif.XXXXX)
+        elf2eif ${elf} ${eif}
+	eif_runner ${eif} ${out} ${err}
+        nitro-cli terminate-enclave --all
+
+	out=$(tail +12 ${out})
+	err=$(cat ${err} | grep -v "Start.*" || true)
+
+	if [ "${out}" != "" ]; then
+            echo "Test ${name} Failed"
+	    echo "Got: ${out}"
+            exit -1
+	fi
+
+	if [ "${err}" != "" ]; then
+            echo "Test ${name} Failed"
+	    echo "Got: ${err}"
+            exit -1
+        else
+            echo "Success"
+	fi
+    else
+	${elf} -- --nocapture
+	${elf} -- --nocapture > ${out} 2> ${err}
+
+        out=$(cat ${out} | grep -v "#" || true)
+        expected=$(cat ./out.expected)
+
+        if [ "${out}" == "${expected}" ]; then
+            echo "Test ${name}: Success"
+        else
+            echo "Test ${name}: Failed"
+	    echo "Got: ${out}"
+            echo "Expected: ${expected}"
+            exit -1
+        fi
+    fi
+
+    if [ -f ./test_interaction.sh ]; then
+        kill ${test_interaction}
+    fi
+
+    popd
+}
+
+function elf2eif {
+    enclave_elf=$1
+    enclave_eif=$2
+
+    tmpd=$(mktemp -d)
+    echo "FROM alpine" >> ${tmpd}/Dockerfile
+    echo "COPY enclave ." >> ${tmpd}/Dockerfile
+    echo "CMD ./enclave" >> ${tmpd}/Dockerfile
+
+    # Build eif image
+    cp ${enclave_elf} ${tmpd}/enclave
+    nitro-cli build-enclave --docker-dir ${tmpd} --docker-uri enclave --output-file ${enclave_eif}
+}
+
+function stop_enclaves {
+    if [[ ${nitro_platform} -eq 1 ]]; then
+        nitro-cli terminate-enclave --all || true
+    fi
+}
+
+function eif_runner {
+    enclave_eif=$1
+    out=$2
+    err=$3
+
+    # Configure parent, if it hadn't been already
+    nitro-cli-config -t 2 -m 512 > /dev/null 2> /dev/null || true
+
+    nitro-cli describe-enclaves
+
+    echo "running $1"
+    # Run enclave
+    nitro-cli run-enclave --eif-path ${enclave_eif} --cpu-count 2 --memory 512 --debug-mode > ${out} 2> ${err}
+}
+
+init

fortanix-vme/ci-common.sh

@@ -0,0 +1,57 @@
+#!/bin/bash -ex
+repo_root=$(readlink -f $(dirname "${BASH_SOURCE[0]}")/..)
+cd ${repo_root}/fortanix-vme
+
+source ./ci-common.sh
+
+function cleanup {
+    stop_runner
+}
+
+function setup_environment {
+    if [[ -z "${TOOLCHAIN_DIR}" ]]; then
+        echo 'The `TOOLCHAIN_DIR` environment variable isnt set. Make sure to source the `shell/env` script from the toolchain repo'
+        exit -1
+    fi
+    trap cleanup err
+    trap cleanup exit
+    cargo +${toolchain_version} --locked clean
+}
+
+function start_runner {
+    pushd fortanix-vme-runner
+    cargo +${toolchain_version} --locked run &
+    pid_runner=$!
+    popd
+}
+
+function stop_runner {
+    if [[ ${pid_runner} -ne 0 ]]; then
+        echo "Stopping enclave runner"
+        kill ${pid_runner}
+	pid_runner=0
+    fi
+}
+
+function run_tests {
+    tests=$@
+
+    setup_environment
+
+    if [[ ${vsock_loopback} -eq 1 ]]; then
+        start_runner
+        for name in ${tests}
+        do
+            cargo_test $name
+        done
+        stop_runner
+    else
+        echo "vsock loopback device not available, skipping these tests"
+    fi
+}
+
+run_tests outgoing_connection 
+
+echo "********************************"
+echo "**    All tests succeeded!    **"
+echo "********************************"

fortanix-vme/ci-fortanixvme.sh

@@ -0,0 +1,19 @@
+[package]
+name = "fortanix-vme-abi"
+version = "0.1.0"
+edition = "2018"
+authors = ["Fortanix, Inc."]
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+core = { version = "1.0.0", optional = true, package = "rustc-std-workspace-core" }
+alloc = { version = "1.0.0", optional = true, package = "rustc-std-workspace-alloc" }
+compiler_builtins = { version = "0.1.0", optional = true }
+# Avoid using patch section due to https://github.com/rust-lang/cargo/issues/10031
+serde = { git = "https://github.com/fortanix/serde.git", branch = "master", default-features = false, features = ["derive", "alloc"] }
+
+[features]
+default = []
+docs = []
+rustc-dep-of-std = ["core", "alloc", "compiler_builtins/rustc-dep-of-std", "serde/rustc-dep-of-std"]

fortanix-vme/fortanix-vme-abi/Cargo.toml

@@ -0,0 +1,21 @@
+#![no_std]
+extern crate alloc;
+
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+pub const SERVER_PORT: u32 = 10000;
+
+#[derive(Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub enum Request {
+    Connect {
+        addr: String,
+    },
+}
+
+#[derive(Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub enum Response {
+    Connected {
+        proxy_port: u32,
+    },
+}

fortanix-vme/fortanix-vme-abi/src/lib.rs

@@ -0,0 +1,12 @@
+[package]
+name = "fortanix-vme-runner"
+version = "0.1.0"
+edition = "2018"
+authors = ["Fortanix, Inc."]
+
+[dependencies]
+fortanix-vme-abi = { path = "../fortanix-vme-abi" }
+nix = "0.22.1"
+serde = { version = "1.0", features = ["derive"] }
+serde_cbor = { version = "0.11" }
+vsock = "0.2.4"