go/runtime/bundle/component: Add ELF metadata

Author: peternose

.changelog/5976.trivial.md

@@ -280,9 +280,11 @@ func (rt *Runtime) toRuntimeBundle(deploymentIndex int) (*bundle.Bundle, error)
 		_ = bnd.Add(elfBin, bundle.NewBytesData(binBuf))
 
 		comp := &bundle.Component{
-			Kind:       compCfg.Kind,
-			Version:    compCfg.Version,
-			Executable: elfBin,
+			Kind:    compCfg.Kind,
+			Version: compCfg.Version,
+			ELF: &bundle.ELFMetadata{
+				Executable: elfBin,
+			},
 		}
 
 		if rt.teeHardware == node.TEEHardwareIntelSGX {

go/oasis-test-runner/oasis/runtime.go

@@ -50,11 +50,22 @@ func (bnd *Bundle) Validate() error {
 	}
 	var needFiles []bundleFile
 	for id, comp := range bnd.Manifest.GetAvailableComponents() {
-		needFiles = append(needFiles, bundleFile{
-			descr:    fmt.Sprintf("%s: ELF executable", id),
-			fn:       comp.Executable,
-			optional: true,
-		})
+		if elf := comp.ELF; elf != nil {
+			needFiles = append(needFiles,
+				[]bundleFile{
+					{
+						descr: fmt.Sprintf("%s: ELF executable", id),
+						fn:    elf.Executable,
+					},
+				}...,
+			)
+		} else {
+			needFiles = append(needFiles, bundleFile{
+				descr:    fmt.Sprintf("%s: ELF executable", id),
+				fn:       comp.Executable,
+				optional: true,
+			})
+		}
 		if sgx := comp.SGX; sgx != nil {
 			needFiles = append(needFiles,
 				[]bundleFile{
@@ -494,7 +505,11 @@ func (bnd *Bundle) WriteExploded(dataDir string) (string, error) {
 		}
 
 		for id, comp := range bnd.Manifest.GetAvailableComponents() {
-			if comp.Executable != "" {
+			if comp.ELF != nil {
+				if err := os.Chmod(bnd.ExplodedPath(dataDir, comp.ELF.Executable), 0o700); err != nil {
+					return "", fmt.Errorf("runtime/bundle: failed to fixup executable permissions for '%s': %w", id, err)
+				}
+			} else if comp.Executable != "" {
 				if err := os.Chmod(bnd.ExplodedPath(dataDir, comp.Executable), 0o700); err != nil {
 					return "", fmt.Errorf("runtime/bundle: failed to fixup executable permissions for '%s': %w", id, err)
 				}

go/runtime/bundle/bundle.go

@@ -30,8 +30,10 @@ func TestBundle(t *testing.T) {
 		}(),
 		Components: []*Component{
 			{
-				Kind:       component.RONL,
-				Executable: "runtime.bin",
+				Kind: component.RONL,
+				ELF: &ELFMetadata{
+					Executable: "runtime.bin",
+				},
 				SGX: &SGXMetadata{
 					Executable: "runtime.sgx",
 				},
@@ -54,7 +56,7 @@ func TestBundle(t *testing.T) {
 	require.False(t, manifest.IsDetached(), "manifest with RONL component should not be detached")
 
 	t.Run("Add_Write", func(t *testing.T) {
-		err := bundle.Add(manifest.Components[0].Executable, NewBytesData(randBuffer(3252)))
+		err := bundle.Add(manifest.Components[0].ELF.Executable, NewBytesData(randBuffer(3252)))
 		require.NoError(t, err, "bundle.Add(elf)")
 		err = bundle.Add(manifest.Components[0].SGX.Executable, NewBytesData(randBuffer(6541)))
 		require.NoError(t, err, "bundle.Add(sgx)")
@@ -84,15 +86,15 @@ func TestBundle(t *testing.T) {
 
 	t.Run("Open_WithManifestHash", func(t *testing.T) {
 		var manifestHash hash.Hash
-		err := manifestHash.UnmarshalHex("905e9866eccb967e8991698273f41d20c616cab4f9e9332a2a12d9d3a1c8a486")
+		err := manifestHash.UnmarshalHex("2faad6101e24f0034a82b99aee10f4de909a00b1b2c125f7d6fb97d65dc7984b")
 		require.NoError(t, err, "UnmarshalHex")
 
 		_, err = Open(bundleFn, WithManifestHash(manifestHash))
 		require.NoError(t, err, "Open_WithManifestHash")
 
 		_, err = Open(bundleFn, WithManifestHash(hash.Hash{}))
 		require.Error(t, err, "Open_WithManifestHash")
-		require.ErrorContains(t, err, "invalid manifest (got: 905e9866eccb967e8991698273f41d20c616cab4f9e9332a2a12d9d3a1c8a486, expected: 0000000000000000000000000000000000000000000000000000000000000000)")
+		require.ErrorContains(t, err, "invalid manifest (got: 2faad6101e24f0034a82b99aee10f4de909a00b1b2c125f7d6fb97d65dc7984b, expected: 0000000000000000000000000000000000000000000000000000000000000000)")
 	})
 
 	t.Run("ResetManifest", func(t *testing.T) {
@@ -137,8 +139,10 @@ func TestDetachedBundle(t *testing.T) {
 		Components: []*Component{
 			// No RONL component in the manifest.
 			{
-				Kind:       component.ROFL,
-				Executable: "runtime.bin",
+				Kind: component.ROFL,
+				ELF: &ELFMetadata{
+					Executable: "runtime.bin",
+				},
 				SGX: &SGXMetadata{
 					Executable: "runtime.sgx",
 				},
@@ -152,7 +156,7 @@ func TestDetachedBundle(t *testing.T) {
 	require.True(t, manifest.IsDetached(), "manifest without RONL component should be detached")
 
 	t.Run("Add_Write", func(t *testing.T) {
-		err := bundle.Add(manifest.Components[0].Executable, NewBytesData(randBuffer(2231)))
+		err := bundle.Add(manifest.Components[0].ELF.Executable, NewBytesData(randBuffer(2231)))
 		require.NoError(t, err, "bundle.Add(elf)")
 		err = bundle.Add(manifest.Components[0].SGX.Executable, NewBytesData(randBuffer(7627)))
 		require.NoError(t, err, "bundle.Add(sgx)")

go/runtime/bundle/bundle_test.go

@@ -40,8 +40,12 @@ type Component struct {
 	Version version.Version
 
 	// Executable is the name of the runtime ELF executable file if any.
+	// NOTE: This may go away in the future, use `ELFMetadata` instead.
 	Executable string `json:"executable,omitempty"`
 
+	// ELF is the ELF specific manifest metadata if any.
+	ELF *ELFMetadata `json:"elf,omitempty"`
+
 	// SGX is the SGX specific manifest metadata if any.
 	SGX *SGXMetadata `json:"sgx,omitempty"`
 
@@ -78,6 +82,12 @@ func (c *Component) Validate() error {
 	) {
 		return fmt.Errorf("each component can only include metadata for a single TEE")
 	}
+	if c.ELF != nil {
+		err := c.ELF.Validate()
+		if err != nil {
+			return fmt.Errorf("elf: %w", err)
+		}
+	}
 	if c.SGX != nil {
 		err := c.SGX.Validate()
 		if err != nil {
@@ -96,7 +106,7 @@ func (c *Component) Validate() error {
 		if c.Name != "" {
 			return fmt.Errorf("RONL component must have an empty name")
 		}
-		if c.Executable == "" {
+		if c.Executable == "" && c.ELF == nil {
 			return fmt.Errorf("RONL component must define an executable")
 		}
 		if c.Disabled {
@@ -123,7 +133,7 @@ func (c *Component) IsNetworkAllowed() bool {
 
 // IsTEERequired returns true iff the component only provides TEE executables.
 func (c *Component) IsTEERequired() bool {
-	return c.Executable == "" && c.TEEKind() != component.TEEKindNone
+	return c.Executable == "" && c.ELF == nil && c.TEEKind() != component.TEEKindNone
 }
 
 // TEEKind returns the kind of TEE supported by the component.

go/runtime/bundle/component.go

@@ -114,10 +114,12 @@ func (m *Manifest) GetComponentByID(id component.ID) *Component {
 	// We also support legacy manifests which define the RONL component at the top-level.
 	if id.IsRONL() && m.IsLegacy() {
 		return &Component{
-			Kind:       component.RONL,
-			Executable: m.Executable,
-			Version:    m.Version,
-			SGX:        m.SGX,
+			Kind:    component.RONL,
+			Version: m.Version,
+			ELF: &ELFMetadata{
+				Executable: m.Executable,
+			},
+			SGX: m.SGX,
 		}
 	}
 	return nil
@@ -141,6 +143,20 @@ func (m *Manifest) GetVersion() version.Version {
 	return m.Version
 }
 
+// ELFMetadata is the ELF specific manifest metadata.
+type ELFMetadata struct {
+	// Executable is the name of the ELF executable file.
+	Executable string `json:"executable"`
+}
+
+// Validate validates the ELF metadata structure for well-formedness.
+func (e *ELFMetadata) Validate() error {
+	if e.Executable == "" {
+		return fmt.Errorf("executable must be set")
+	}
+	return nil
+}
+
 // SGXMetadata is the SGX specific manifest metadata.
 type SGXMetadata struct {
 	// Executable is the name of the SGX enclave executable file.

go/runtime/bundle/manifest.go

@@ -264,8 +264,10 @@ func (r *registry) GetComponents(runtimeID common.Namespace, version version.Ver
 		return []*ExplodedComponent{
 			{
 				Component: &Component{
-					Kind:       component.RONL,
-					Executable: "mock",
+					Kind: component.RONL,
+					ELF: &ELFMetadata{
+						Executable: "mock",
+					},
 				},
 				Detached: false,
 			},

go/runtime/bundle/registry.go

@@ -25,9 +25,11 @@ func createSyntheticBundle(dir string, runtimeID common.Namespace, version versi
 		switch comp {
 		case component.RONL:
 			manifest.Components = append(manifest.Components, &Component{
-				Kind:       component.RONL,
-				Version:    version,
-				Executable: "runtime.bin",
+				Kind:    component.RONL,
+				Version: version,
+				ELF: &ELFMetadata{
+					Executable: "runtime.bin",
+				},
 			})
 		case component.ROFL:
 			manifest.Components = append(manifest.Components, &Component{
@@ -43,7 +45,7 @@ func createSyntheticBundle(dir string, runtimeID common.Namespace, version versi
 	}
 
 	if slices.Contains(components, component.RONL) {
-		if err := bnd.Add(manifest.Components[0].Executable, NewBytesData([]byte{1})); err != nil {
+		if err := bnd.Add(manifest.Components[0].ELF.Executable, NewBytesData([]byte{1})); err != nil {
 			return "", err
 		}
 	}

go/runtime/bundle/registry_test.go

@@ -616,8 +616,13 @@ func DefaultGetSandboxConfig(logger *logging.Logger, sandboxBinaryPath string) G
 			"provisioner", "sandbox",
 		)
 
+		executable := comp.Executable
+		if comp.ELF != nil {
+			executable = comp.ELF.Executable
+		}
+
 		return process.Config{
-			Path:              comp.ExplodedPath(comp.Executable),
+			Path:              comp.ExplodedPath(executable),
 			SandboxBinaryPath: sandboxBinaryPath,
 			Stdout:            logWrapper,
 			Stderr:            logWrapper,