|
5 | 5 | "path/filepath" |
6 | 6 |
|
7 | 7 | "github.com/oasisprotocol/oasis-core/go/common" |
| 8 | + "github.com/oasisprotocol/oasis-core/go/common/sgx" |
8 | 9 | "github.com/oasisprotocol/oasis-core/go/common/version" |
9 | 10 | "github.com/oasisprotocol/oasis-core/go/runtime/bundle/component" |
10 | 11 | ) |
@@ -40,7 +41,7 @@ type Component struct { |
40 | 41 | Version version.Version |
41 | 42 |
|
42 | 43 | // Executable is the name of the runtime ELF executable file if any. |
43 | | - // NOTE: This may go away in the future, use `ELFMetadata` instead. |
| 44 | + // NOTE: This may go away in the future, use `ELF` instead. |
44 | 45 | Executable string `json:"executable,omitempty"` |
45 | 46 |
|
46 | 47 | // ELF is the ELF specific manifest metadata if any. |
@@ -147,3 +148,120 @@ func (c *Component) TEEKind() component.TEEKind { |
147 | 148 | return component.TEEKindNone |
148 | 149 | } |
149 | 150 | } |
| 151 | + |
| 152 | +// ELFMetadata is the ELF specific manifest metadata. |
| 153 | +type ELFMetadata struct { |
| 154 | + // Executable is the name of the ELF executable file. |
| 155 | + Executable string `json:"executable"` |
| 156 | +} |
| 157 | + |
| 158 | +// Validate validates the ELF metadata structure for well-formedness. |
| 159 | +func (e *ELFMetadata) Validate() error { |
| 160 | + if e.Executable == "" { |
| 161 | + return fmt.Errorf("executable must be set") |
| 162 | + } |
| 163 | + return nil |
| 164 | +} |
| 165 | + |
| 166 | +// SGXMetadata is the SGX specific manifest metadata. |
| 167 | +type SGXMetadata struct { |
| 168 | + // Executable is the name of the SGX enclave executable file. |
| 169 | + Executable string `json:"executable"` |
| 170 | + |
| 171 | + // Signature is the name of the SGX enclave signature file. |
| 172 | + Signature string `json:"signature"` |
| 173 | +} |
| 174 | + |
| 175 | +// Validate validates the SGX metadata structure for well-formedness. |
| 176 | +func (s *SGXMetadata) Validate() error { |
| 177 | + if s.Executable == "" { |
| 178 | + return fmt.Errorf("executable must be set") |
| 179 | + } |
| 180 | + return nil |
| 181 | +} |
| 182 | + |
| 183 | +// TDXMetadata is the TDX specific manifest metadata. |
| 184 | +// |
| 185 | +// Note that changes to these fields may change the TD measurements. |
| 186 | +type TDXMetadata struct { |
| 187 | + // Firmware is the name of the virtual firmware file. It should rarely change and multiple |
| 188 | + // components may use the same firmware. |
| 189 | + Firmware string `json:"firmware"` |
| 190 | + // Kernel is the name of the kernel image file. It should rarely change and multiple components |
| 191 | + // may use the same kernel. |
| 192 | + Kernel string `json:"kernel,omitempty"` |
| 193 | + // InitRD is the name of the initial RAM disk image file. It should rarely change and multiple |
| 194 | + // components may use the same initrd. |
| 195 | + InitRD string `json:"initrd,omitempty"` |
| 196 | + // ExtraKernelOptions are the extra kernel options to pass to the kernel after any of the |
| 197 | + // default options. Note that kernel options affect TD measurements. |
| 198 | + ExtraKernelOptions []string `json:"extra_kernel_options,omitempty"` |
| 199 | + |
| 200 | + // Stage2Image is the name of the stage 2 VM image file. |
| 201 | + Stage2Image string `json:"stage2_image,omitempty"` |
| 202 | + |
| 203 | + // Resources are the requested VM resources. |
| 204 | + Resources TDXResources `json:"resources"` |
| 205 | +} |
| 206 | + |
| 207 | +// Validate validates the TDX metadata structure for well-formedness. |
| 208 | +func (t *TDXMetadata) Validate() error { |
| 209 | + if t.Firmware == "" { |
| 210 | + return fmt.Errorf("firmware must be set") |
| 211 | + } |
| 212 | + if !t.HasKernel() && t.HasStage2() { |
| 213 | + return fmt.Errorf("kernel must be set if stage 2 image is set") |
| 214 | + } |
| 215 | + if !t.HasKernel() && t.HasInitRD() { |
| 216 | + return fmt.Errorf("kernel must be set if initrd image is set") |
| 217 | + } |
| 218 | + if err := t.Resources.Validate(); err != nil { |
| 219 | + return err |
| 220 | + } |
| 221 | + return nil |
| 222 | +} |
| 223 | + |
| 224 | +// HasKernel returns true iff the TDX metadata indicates there is a kernel present. |
| 225 | +func (t *TDXMetadata) HasKernel() bool { |
| 226 | + return t.Kernel != "" |
| 227 | +} |
| 228 | + |
| 229 | +// HasInitRD returns true iff the TDX metadata indicates there is an initial RAM disk image present. |
| 230 | +func (t *TDXMetadata) HasInitRD() bool { |
| 231 | + return t.InitRD != "" |
| 232 | +} |
| 233 | + |
| 234 | +// HasStage2 returns true iff the TDX metadata indicates there is a stage 2 image present. |
| 235 | +func (t *TDXMetadata) HasStage2() bool { |
| 236 | + return t.Stage2Image != "" |
| 237 | +} |
| 238 | + |
| 239 | +// TDXResources are the requested VM resources for TDX VMs. |
| 240 | +// |
| 241 | +// Note that changes to these fields may change the TD measurements. |
| 242 | +type TDXResources struct { |
| 243 | + // Memory is the requested VM memory amount in megabytes. |
| 244 | + Memory uint64 `json:"memory"` |
| 245 | + // CPUCount is the requested number of vCPUs. |
| 246 | + CPUCount uint8 `json:"cpus"` |
| 247 | +} |
| 248 | + |
| 249 | +// Validate validates the VM resources. |
| 250 | +func (r *TDXResources) Validate() error { |
| 251 | + if r.Memory < 16 { |
| 252 | + return fmt.Errorf("memory limit must be at least 16M") |
| 253 | + } |
| 254 | + if r.CPUCount < 1 { |
| 255 | + return fmt.Errorf("vCPU count must be at least 1") |
| 256 | + } |
| 257 | + return nil |
| 258 | +} |
| 259 | + |
| 260 | +// Identity is the cryptographic identity of a component. |
| 261 | +type Identity struct { |
| 262 | + // Hypervisor is the optional hypervisor this identity is for. |
| 263 | + Hypervisor string `json:"hypervisor,omitempty"` |
| 264 | + |
| 265 | + // Enclave is the enclave identity. |
| 266 | + Enclave sgx.EnclaveIdentity `json:"enclave"` |
| 267 | +} |
0 commit comments