Merge #360

360: [PLAT-388] Bugfix `ftxvme-elf2eif` r=Pagten a=raoulstrackx

The `ftxvme-elf2eif` used to generate eif files based on the `scratch` Docker image. That is causing problems for Nitro enclaves. Reverted back to the `alpine` image for now. CI has also been modified to facilitate easier testing in the future.

Co-authored-by: Raoul Strackx <[email protected]>

Author: bors[bot]

Cargo.lock

@@ -3,6 +3,7 @@ members = [
     "fortanix-vme/eif-tools",
     "fortanix-vme/fortanix-vme-abi",
     "fortanix-vme/fortanix-vme-runner",
+    "fortanix-vme/tests/hello_world",
     "fortanix-vme/tests/outgoing_connection",
     "fortanix-vme/tests/incoming_connection",
     "fortanix-vme/tests/iron",

Cargo.toml

@@ -76,9 +76,9 @@ function cargo_test {
     fi
 
     compile ${name}
+    eif=$(mktemp /tmp/$name.eif.XXXXX)
 
     if [ "${platform}" == "nitro" ]; then
-	eif=$(mktemp /tmp/$name.eif.XXXXX)
         elf2eif ${elf} ${eif}
 	eif_runner ${eif} ${out} ${err}
         nitro-cli terminate-enclave --all
@@ -100,6 +100,14 @@ function cargo_test {
             echo "Success"
 	fi
     else
+        if [[ -v AWS_VM ]]; then
+            elf2eif ${elf} ${eif}
+            ssh ubuntu@${AWS_VM} "mkdir -p /home/ubuntu/ci-fortanixvme/${name}/"
+            scp ${enclave_eif} ubuntu@${AWS_VM}:/home/ubuntu/ci-fortanixvme/${name}/
+            if [ -f ./test_interaction.sh ]; then
+                scp ./test_interaction.sh ubuntu@${AWS_VM}:/home/ubuntu/ci-fortanixvme/${name}/
+            fi
+        fi
 	RUST_BACKTRACE=full ${elf} -- --nocapture > ${out} 2> ${err}
 
         out=$(cat ${out} | grep -v "#" || true)
@@ -126,14 +134,22 @@ function elf2eif {
     enclave_elf=$1
     enclave_eif=$2
 
-    tmpd=$(mktemp -d)
-    echo "FROM alpine" >> ${tmpd}/Dockerfile
-    echo "COPY enclave ." >> ${tmpd}/Dockerfile
-    echo "CMD ./enclave" >> ${tmpd}/Dockerfile
+    if [[ -z "${NITRO_RESOURCES}" ]]; then
+        dir=$(mktemp -d /tmp/aws_cli.XXXXX)
+        pushd ${dir}
+        git clone https://github.com/aws/aws-nitro-enclaves-cli.git
+        resources=${dir}/aws-nitro-enclaves-cli/blobs/x86_64
+        NITRO_RESOURCES=${resources}
+        popd
+    else
+        resources=${NITRO_RESOURCES}
+    fi
 
-    # Build eif image
-    cp ${enclave_elf} ${tmpd}/enclave
-    nitro-cli build-enclave --docker-dir ${tmpd} --docker-uri enclave --output-file ${enclave_eif}
+    # Newly compiled ftxvme-elf2eif from this repo
+    pushd ${repo_root}/fortanix-vme
+    cargo run --bin ftxvme-elf2eif -- --input-file ${enclave_elf} --output-file ${enclave_eif} --resource-path ${resources} --verbose
+    ls -lh ${enclave_eif}
+    popd
 }
 
 function stop_enclaves {
@@ -156,5 +172,3 @@ function eif_runner {
     # Run enclave
     nitro-cli run-enclave --eif-path ${enclave_eif} --cpu-count 2 --memory 512 --debug-mode > ${out} 2> ${err}
 }
-
-init

fortanix-vme/ci-common.sh

@@ -2,7 +2,14 @@
 repo_root=$(readlink -f $(dirname "${BASH_SOURCE[0]}")/..)
 cd ${repo_root}/fortanix-vme
 
+# Options:
+# AWS_VM: When this environment variable is set, binaries will be sent to this AWS VM
+# NITRO_RESOURCES: The location of the nitro resources (e.g., kernel, ...) required for
+#                    the elf2eif tool. When this environment variable isn't set, the 
+#                    resources will be downloaded
+
 source ./ci-common.sh
+init
 
 function cleanup {
     stop_runner
@@ -21,7 +28,14 @@ function setup_environment {
 
 function start_runner {
     pushd fortanix-vme-runner
+    cargo +${toolchain_version} --locked build
     cargo +${toolchain_version} --locked run &
+
+    if [[ -v AWS_VM ]]; then
+        ssh ubuntu@${AWS_VM} 'mkdir -p /home/ubuntu/ci-fortanixvme'
+        scp ${repo_root}/target/debug/fortanix-vme-runner  ubuntu@${AWS_VM}:/home/ubuntu/ci-fortanixvme
+    fi
+
     pid_runner=$!
     popd
 }
@@ -52,9 +66,10 @@ function run_tests {
 }
 
 run_tests\
-	outgoing_connection \
-	incoming_connection \
-	iron
+    hello_world \
+    outgoing_connection \
+    incoming_connection \
+    iron
 
 echo "********************************"
 echo "**    All tests succeeded!    **"

fortanix-vme/ci-fortanixvme.sh

@@ -16,7 +16,7 @@ fn setup_docker_dir(elf_path: &str) -> Result<TempDir> {
     const DOCKERFILE: &str = "
         FROM scratch
         COPY enclave .
-        CMD ./enclave
+        CMD [\"./enclave\"]
     ";
     info!("Setting up docker directory");
     let docker_dir = TempDir::new("elf2eif_docker_dir")?;
@@ -79,7 +79,7 @@ fn main() {
     let mut logger = env_logger::Builder::from_default_env();
     let logger = logger.format(|buf, record| writeln!(buf, "{}", record.args()));
     if verbose {
-        logger.filter_level(LevelFilter::Info).init();
+        logger.filter_level(LevelFilter::Debug).init();
     } else {
         logger.filter_level(LevelFilter::Error).init();
     }

fortanix-vme/eif-tools/src/bin/ftxvme-elf2eif.rs

@@ -0,0 +1,8 @@
+[package]
+name = "hello_world"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

fortanix-vme/tests/hello_world/Cargo.toml

@@ -0,0 +1,10 @@
+use std::{thread, time};
+
+fn main() {
+    for i in 0..30 {
+        println!("{}: Hello, world!", i);
+        thread::sleep(time::Duration::from_secs(1));
+    }
+
+    println!("Byte bye!");
+}

fortanix-vme/tests/hello_world/src/main.rs

@@ -2,6 +2,7 @@ use std::net::{Ipv4Addr, TcpStream};
 use std::io::{Read, Write};
 
 fn main() {
+    println!("# Running outgoing connection test");
     let mut socket = TcpStream::connect(format!("google.com:80")).unwrap();
     // `socket.local_addr()` may return the actual local IP address, not 127.0.0.1
     assert!(socket.local_addr().unwrap().port() != 80);