[RTE-710] elf2uki converter CLI tool #862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

tvsfx wants to merge 19 commits into master from thomasvs/RTE-710-elf2uki

+1,458 −27

.github/workflows/build.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -49,6 +49,8 @@ jobs: @@
             # Install dependencies for build & test
             sudo apt-get update -y
             sudo apt-get install -y faketime protobuf-compiler libsgx-dcap-ql-dev clang-18 musl-tools gcc-multilib
+            # ukify tool for elf2uki
+            sudo apt install systemd-ukify
         - name: Setup Rust toolchain
           run: |
@@ Expand Down Expand Up / @@ -132,3 +134,6 @@ jobs: @@
         - name: snmalloc correntness test
           run: cd ./examples/mem-correctness-test && cargo run
+        - name: Run elf2uki example
+          run: ./examples/elf2uki/convert_hello_world.sh

Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Cargo.toml

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,8 @@ members = [ @@
         "fortanix-vme/fortanix-vme-initramfs",
         "fortanix-vme/fortanix-vme-runner",
         "fortanix-vme/fortanix-vme-tools",
+        "fortanix-vme/tools/confidential-vm-blobs",
+        "fortanix-vme/tools/elf2uki",
         "fortanix-vme/vme-pkix",
         "intel-sgx/aesm-client",
         "intel-sgx/async-usercalls",
@@ Expand All / @@ -39,6 +41,7 @@ members = [ @@
     ]
     exclude = [
         "examples/backtrace_panic",
+        "examples/elf2uki",
         "examples/mpsc-crypto-mining",
         "examples/tls",
         "examples/unit_tests",
@@ Expand Down @@

examples/.gitignore

-Original file line number
+Diff line change
@@ -1,5 +1,6 @@
     **/.cargo/*
     !**/.cargo/config
+    !**/.cargo/config.toml
     **/Cargo.lock
     /target
     target/

examples/elf2uki/convert_hello_world.sh

-Original file line number
+Diff line change
@@ -0,0 +1,16 @@
+    #!/bin/bash
+    set -euo pipefail
+    source_dir=$(dirname "${BASH_SOURCE[0]}")
+    app_dir="$source_dir/hello_world"
+    pushd "$app_dir"
+    #builds statically linked bin for `musl`
+    cargo -q build --release
+    popd
+    # build UKI and write it to `/dev/null`
+    cargo -q run -p elf2uki -- \
+        --app "$app_dir/target/x86_64-unknown-linux-musl/release/hello_world" \
+        --cmdline "console=ttyS0 earlyprintk=serial" \
+        --output /dev/null

examples/elf2uki/hello_world/.cargo/config.toml

examples/elf2uki/hello_world/Cargo.toml

-Original file line number
+Diff line change
@@ -0,0 +1,6 @@
+    [package]
+    name = "hello_world"
+    version = "0.1.0"
+    edition = "2021"
+    [dependencies]

examples/elf2uki/hello_world/src/main.rs

-Original file line number
+Diff line change
@@ -0,0 +1,3 @@
+    fn main() {
+        println!("Hello, world!");
+    }

fortanix-vme/fortanix-vme-initramfs/Cargo.toml

-Original file line number
+Diff line change
@@ -1,7 +1,7 @@
     [package]
     name = "fortanix-vme-initramfs"
     version = "0.1.0"
-    edition = "2024"
+    edition = "2021"
     [dependencies]
     cpio = "0.2"
@@ Expand Down @@

fortanix-vme/tools/confidential-vm-blobs/Cargo.toml

-Original file line number
+Diff line change
@@ -0,0 +1,8 @@
+    [package]
+    name = "confidential-vm-blobs"
+    version = "0.1.0"
+    edition = "2021"
+    [dependencies]
+    anyhow = "1.0.100"
+    tempfile = "3"

fortanix-vme/tools/confidential-vm-blobs/blobs/OVMF.amdsev.fd

Binary file not shown.

fortanix-vme/tools/confidential-vm-blobs/blobs/OVMF.fd

Binary file not shown.

fortanix-vme/tools/confidential-vm-blobs/blobs/README.md

-Original file line number
+Diff line change
@@ -0,0 +1,27 @@
+    <!-- TODO (RTE-739, RTE-728): clean up setup -->
+    # Blobs
+    These blobs have been vendored from the following locations
+    ## init
+    Tweaked the code to build the `init` executable from [here](https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/blob/f718dea60a9d9bb8b8682fd852ad793912f3c5db) and placed it under `build_init/`.
+    `build.rs` uses the shell script `build_init/update_init.sh` to place the generated `init` artifact in this folder and keep it up-to-date.
+    Changes made are as follows:
+. Remove function `init_nsm_driver`: initialization of Nitro Secure Module driver
+. Remove function `enclave_ready`: sending signal to nitro-cli that the enclave has started
+. Remove global vars for above two functions.
+    To see the diff:
+    ```sh
+    diff -c10 <(curl https://raw.githubusercontent.com/aws/aws-nitro-enclaves-sdk-bootstrap/f718dea60a9d9bb8b8682fd852ad793912f3c5db/init/init.c) blobs/build_init/init.c
+    ```
+    ## vmlinuz-{version}
+    Ubuntu kernel, extracted from noble package `linux-image-{version}`.
+    ## OVMF
+    Defaults copied from noble installation, taken from `/usr/share/ovmf/OVMF.fd` and `/usr/share/ovmf/OVMF.amdsev.fd` respectively
+    ## EFI boot stub
+    Defaults copied from noble package `sytemd-boot-efi` version `255.4-1ubuntu8.12`, installed under path `/usr/lib/systemd/boot/efi/linuxx64.efi.stub` by default

fortanix-vme/tools/confidential-vm-blobs/blobs/build_init/Dockerfile

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    FROM nixos/nix:2.21.4 AS build
+    ARG TARGET=all
+    ENV TARGET=${TARGET}
+    RUN mkdir /build
+    ADD ./ /build/
+    WORKDIR /build
+    RUN nix-build -A ${TARGET}
+    FROM scratch AS artifacts
+    COPY --from=build /build/result/* /blobs/
+    # Without a CMD we can not create a container from this to extract the content
+    CMD ["dummy"]

Provide feedback