diff --git a/Makefile b/Makefile index 59f22e1..47a5613 100644 --- a/Makefile +++ b/Makefile @@ -252,7 +252,9 @@ $(OUT_DIR)/busybox: \ $(OUT_DIR)/init: $(call toolchain,$(USER)," \ cd /src/init/ && \ - RUSTFLAGS='-C target-feature=+crt-static' cargo build --release && \ + RUSTFLAGS='-C target-feature=+crt-static' cargo build \ + --target x86_64-unknown-linux-gnu \ + --release && \ cp /src/init/target/release/init /out/init \ ") diff --git a/src/init/Cargo.lock b/src/init/Cargo.lock index e75c922..e14365e 100644 --- a/src/init/Cargo.lock +++ b/src/init/Cargo.lock @@ -2,15 +2,319 @@ # It is not intended for manual editing. version = 3 +[[package]] +name = "autocfg" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" + +[[package]] +name = "aws-nitro-enclaves-nsm-api" +version = "0.2.1" +source = "git+https://github.com/aws/aws-nitro-enclaves-nsm-api.git/?branch=main#16eebf7838fa6f399cfffda0049912b936c3a895" +dependencies = [ + "libc", + "log", + "nix", + "serde", + "serde_bytes", + "serde_cbor", +] + +[[package]] +name = "bitflags" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" + +[[package]] +name = "cbindgen" +version = "0.21.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "485ede05a56152367a6ec586a7425b475d6c3d3838581ff651d2a6e3730a62ef" +dependencies = [ + "heck", + "indexmap", + "log", + "proc-macro2", + "quote", + "serde", + "serde_json", + "syn", + "tempfile", + "toml", +] + +[[package]] +name = "cc" +version = "1.0.73" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "fastrand" +version = "1.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7a407cfaa3385c4ae6b23e84623d48c2798d06e3e6a1878f7f59f17b3f86499" +dependencies = [ + "instant", +] + +[[package]] +name = "half" +version = "1.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7" + +[[package]] +name = "hashbrown" +version = "0.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" + +[[package]] +name = "heck" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2540771e65fc8cb83cd6e8a237f70c319bd5c29f78ed1084ba5d50eeac86f7f9" + +[[package]] +name = "indexmap" +version = "1.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e" +dependencies = [ + "autocfg", + "hashbrown", +] + [[package]] name = "init" version = "0.1.0" dependencies = [ + "aws-nitro-enclaves-nsm-api", "libc", + "nsm-lib", ] +[[package]] +name = "instant" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "itoa" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc" + [[package]] name = "libc" version = "0.2.134" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "329c933548736bc49fd575ee68c89e8be4d260064184389a5b77517cddd99ffb" + +[[package]] +name = "log" +version = "0.4.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "memoffset" +version = "0.6.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce" +dependencies = [ + "autocfg", +] + +[[package]] +name = "nix" +version = "0.20.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f5e06129fb611568ef4e868c14b326274959aa70ff7776e9d55323531c374945" +dependencies = [ + "bitflags", + "cc", + "cfg-if", + "libc", + "memoffset", +] + +[[package]] +name = "nsm-lib" +version = "0.2.1" +source = "git+https://github.com/aws/aws-nitro-enclaves-nsm-api.git/?branch=main#16eebf7838fa6f399cfffda0049912b936c3a895" +dependencies = [ + "aws-nitro-enclaves-nsm-api", + "cbindgen", + "serde_bytes", +] + +[[package]] +name = "proc-macro2" +version = "1.0.46" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94e2ef8dbfc347b10c094890f778ee2e36ca9bb4262e86dc99cd217e35f3470b" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbe448f377a7d6961e30f5955f9b8d106c3f5e449d493ee1b125c1d43c2b5179" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "redox_syscall" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a" +dependencies = [ + "bitflags", +] + +[[package]] +name = "remove_dir_all" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" +dependencies = [ + "winapi", +] + +[[package]] +name = "ryu" +version = "1.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4501abdff3ae82a1c1b477a17252eb69cee9e66eb915c1abaa4f44d873df9f09" + +[[package]] +name = "serde" +version = "1.0.145" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "728eb6351430bccb993660dfffc5a72f91ccc1295abaa8ce19b27ebe4f75568b" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_bytes" +version = "0.11.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cfc50e8183eeeb6178dcb167ae34a8051d63535023ae38b5d8d12beae193d37b" +dependencies = [ + "serde", +] + +[[package]] +name = "serde_cbor" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5" +dependencies = [ + "half", + "serde", +] + +[[package]] +name = "serde_derive" +version = "1.0.145" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81fa1584d3d1bcacd84c277a0dfe21f5b0f6accf4a23d04d4c6d61f1af522b4c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.86" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41feea4228a6f1cd09ec7a3593a682276702cd67b5273544757dae23c096f074" +dependencies = [ + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "syn" +version = "1.0.102" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3fcd952facd492f9be3ef0d0b7032a6e442ee9b361d4acc2b1d0c4aaa5f613a1" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "tempfile" +version = "3.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4" +dependencies = [ + "cfg-if", + "fastrand", + "libc", + "redox_syscall", + "remove_dir_all", + "winapi", +] + +[[package]] +name = "toml" +version = "0.5.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7" +dependencies = [ + "serde", +] + +[[package]] +name = "unicode-ident" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3" + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" diff --git a/src/init/Cargo.toml b/src/init/Cargo.toml index dbd0f2c..a3c5e27 100644 --- a/src/init/Cargo.toml +++ b/src/init/Cargo.toml @@ -5,6 +5,9 @@ edition = "2021" [dependencies] libc = "0.2.134" +nsm_lib = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api.git/", branch = "main", package="nsm-lib", optional = false } +nsm_api = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api.git/", branch = "main", package="aws-nitro-enclaves-nsm-api", optional = false } + [[bin]] name = "init" diff --git a/src/init/init.rs b/src/init/init.rs index 9004fe3..1edeb94 100644 --- a/src/init/init.rs +++ b/src/init/init.rs @@ -46,9 +46,9 @@ pub fn mount( ) { use libc::mount; let src_cs = CString::new(src).unwrap(); - let target_cs = CString::new(target).unwrap(); let fstype_cs = CString::new(fstype).unwrap(); let data_cs = CString::new(data).unwrap(); + let target_cs = CString::new(target).unwrap(); if unsafe { mount( src_cs.as_ptr(), @@ -84,8 +84,20 @@ pub fn freopen( } } -// Signal to hypervisor that booting was successful -pub fn heartbeat(){ +// Insert kernel module into memory +pub fn insmod(path: &str){ + use libc::{syscall, SYS_finit_module}; + let file = File::open(path).unwrap(); + let fd = file.as_raw_fd(); + if unsafe { syscall(SYS_finit_module, fd, &[0u8; 1], 0) } < 0 { + error(format!("Failed to insert kernel module: {}", path)); + } else { + info(format!("Loaded kernel module: {}", path)); + } +} + +// Signal to Nitro hypervisor that booting was successful +pub fn nitro_heartbeat(){ use libc::{connect, socket, write, read, close, sockaddr, sockaddr_vm, SOCK_STREAM, AF_VSOCK}; let mut buf: [u8; 1] = [0; 1]; buf[0] = 0xB7; // AWS Nitro heartbeat value @@ -107,6 +119,31 @@ pub fn heartbeat(){ info(format!("Sent NSM heartbeat")); } +// Get entropy sample from Nitro device +pub fn nitro_get_entropy() -> u8 { + use nsm_lib::{nsm_lib_init, nsm_get_random}; + use nsm_api::api::ErrorCode; + let nsm_fd = nsm_lib_init(); + if nsm_fd < 0 { + error(format!("Failed to connect to NSM device")); + }; + let mut dest: [u8; 256] = [0; 256]; + let mut dest_len = dest.len(); + let status = unsafe { + nsm_get_random(nsm_fd, dest.as_mut_ptr(), &mut dest_len) + }; + match status { + ErrorCode::Success => info(format!("Entropy seeding success")), + _ => error(format!("Failed to get entropy from NSM device")), + } +} + +pub fn init_nitro(){ + nitro_heartbeat(); + insmod("/nsm.ko"); + nitro_seed_entropy(); +} + // Initialize console with stdin/stdout/stderr pub fn init_console() { freopen("/dev/console", "r", 0); @@ -127,24 +164,14 @@ pub fn init_rootfs() { mount("cgroup_root", "/sys/fs/cgroup", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, "mode=0755"); } -// Insert kernel module into memory -// TODO: compile all modules in kernel and disable lkm support. -pub fn insmod(path: &str){ - use libc::{syscall, SYS_finit_module}; - let file = File::open(path).unwrap(); - let fd = file.as_raw_fd(); - if unsafe { syscall(SYS_finit_module, fd, &[0u8; 1], 0) } < 0 { - error(format!("Failed to insert kernel module: {}", path)); - } else { - info(format!("Loaded kernel module: {}", path)); - } +pub fn boot(){ + init_rootfs(); + init_console(); + init_nitro(); } fn main() { - init_rootfs(); - init_console(); - heartbeat(); - insmod("/nsm.ko"); + boot(); info("EnclaveOS Booted".to_string()); reboot(); }