public
/
enclaveos
5
0
Fork 1
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity

Compare commits

base: public:2945c6fb7312fe62b002f5ae509fb16f8a03811f
Branches Tags
public:master
public:ryansquared/nginx-example
public:ryansquared/cpio-refactor
public:monocrate
public:ryansquared/create-mount-points
public:feat/add-license
...
compare: public:500ef3393df3460861517938fd16c64cab5d0419
Branches Tags
public:ryansquared/nginx-example
public:ryansquared/cpio-refactor
public:monocrate
public:master
public:ryansquared/create-mount-points
public:feat/add-license

3 Commits
2945c6fb73 ... 500ef3393d

Author SHA1 Message Date
Ryan Heywood 500ef3393d
fix dockerignore and Makefile 2025-08-31 21:30:55 -04:00
Ryan Heywood b53bdf0f80
add nit and move to cpio builder 2025-08-31 21:30:39 -04:00
Ryan Heywood b80ca11e77
remove all Rust code, just OS now 2025-08-31 20:50:27 -04:00
10 changed files with 55 additions and 739 deletions
Show Stats Expand all files Collapse all files

1
.dockerignore
View File

@ -1 +1,2 @@
Makefile
out out

116
Containerfile
View File

@ -1,72 +1,56 @@
FROM stagex/binutils:sx2024.09.0@sha256:30a1bd110273894fe91c3a4a2103894f53eaac43cf12a035008a6982cb0e6908 AS binutils FROM stagex/core-binutils@sha256:f2d3bf6104db0d5ac39ca155c0241bfea2516a6829e3b4fd657cf9ba5b625478 AS core-binutils
FROM stagex/ca-certificates:sx2024.09.0@sha256:33787f1feb634be4232a6dfe77578c1a9b890ad82a2cf18c11dd44507b358803 AS ca-certificates FROM stagex/core-ca-certificates@sha256:d135f1189e9b232eb7316626bf7858534c5540b2fc53dced80a4c9a95f26493e AS core-ca-certificates
FROM stagex/gcc:sx2024.09.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc FROM stagex/core-gcc@sha256:964ffd3793c5a38ca581e9faefd19918c259f1611c4cbf5dc8be612e3a8b72f5 AS core-gcc
FROM stagex/zlib:sx2024.09.0@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib FROM stagex/core-zlib@sha256:06f5168e20d85d1eb1d19836cdf96addc069769b40f8f0f4a7a70b2f49fc18f8 AS core-zlib
FROM stagex/llvm:sx2024.09.0@sha256:30517a41af648305afe6398af5b8c527d25545037df9d977018c657ba1b1708f AS llvm FROM stagex/core-llvm@sha256:583ecda677f51b69857f8027dfc58f4a931d1adc4d16214870a373505210d973 AS core-llvm
FROM stagex/openssl:sx2024.09.0@sha256:2c1a9d8fcc6f52cb11a206f380b17d74c1079f04cbb08071a4176648b4df52c1 AS openssl FROM stagex/core-openssl@sha256:d6487f0cb15f4ee02b420c717cb9abd85d73043c0bb3a2c6ce07688b23c1df07 AS core-openssl
FROM stagex/eif_build:sx2024.09.0@sha256:291653f1ca528af48fd05858749c443300f6b24d2ffefa7f5a3a06c27c774566 AS eif_build FROM stagex/user-eif_build@sha256:935032172a23772ea1a35c6334aa98aa7b0c46f9e34a040347c7b2a73496ef8a AS user-eif_build
FROM stagex/gen_initramfs:sx2024.09.0@sha256:f5b9271cca6003e952cbbb9ef041ffa92ba328894f563d1d77942e6b5cdeac1a AS gen_initramfs FROM stagex/user-gen_initramfs@sha256:a87e9a3fa8468d2e08b5abb0a6da4c7a11df22273e2c526cb22e6b131151def8 AS user-gen_initramfs
FROM stagex/libunwind:sx2024.09.0@sha256:97ee6068a8e8c9f1c74409f80681069c8051abb31f9559dedf0d0d562d3bfc82 AS libunwind FROM stagex/core-libunwind@sha256:eb66122d8fc543f5e2f335bb1616f8c3a471604383e2c0a9df4a8e278505d3bc AS core-libunwind
FROM stagex/rust:sx2024.09.0@sha256:b7c834268a81bfcc473246995c55b47fe18414cc553e3293b6294fde4e579163 AS rust FROM stagex/core-musl@sha256:d9af23284cca2e1002cd53159ada469dfe6d6791814e72d6163c7de18d4ae701 AS core-musl
FROM stagex/musl:sx2024.09.0@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl FROM stagex/core-git@sha256:6b3e0055f6aeaa8465f207a871db2c63a939cd7406113e9d769ff3b37239f3d0 AS core-git
FROM stagex/git:sx2024.09.0@sha256:29a02c423a4b55fa72cf2fce89f3bbabd1defea86d251bb2aea84c056340ab22 AS git FROM stagex/core-pkgconf@sha256:52624a89bb8cc684bc0391fcb7770ded2bbcb281e84bdb68a31fce127439fd7b AS core-pkgconf
FROM stagex/pkgconf:sx2024.09.0@sha256:ba7fce4108b721e8bf1a0d993a5f9be9b65eceda8ba073fe7e8ebca2a31b1494 AS pkgconf FROM stagex/core-busybox@sha256:637b1e0d9866807fac94c22d6dc4b2e1f45c8a5ca1113c88172e0324a30c7283 AS core-busybox
FROM stagex/busybox:sx2024.09.0@sha256:d34bfa56566aa72d605d6cbdc154de8330cf426cfea1bc4ba8013abcac594395 AS busybox FROM stagex/user-linux-nitro@sha256:aa1006d91a7265b33b86160031daad2fdf54ec2663ed5ccbd312567cc9beff2c AS user-linux-nitro
FROM stagex/linux-nitro:sx2024.03.0@sha256:073c4603686e3bdc0ed6755fee3203f6f6f1512e0ded09eaea8866b002b04264 AS linux-nitro FROM stagex/user-nit@sha256:60b6eef4534ea6ea78d9f29e4c7feb27407b615424f20ad8943d807191688be7 AS user-nit
FROM stagex/user-cpio@sha256:9c8bf39001eca8a71d5617b46f8c9b4f7426db41a052f198d73400de6f8a16df AS user-cpio
FROM scratch as base FROM scratch AS base
ENV TARGET=x86_64-unknown-linux-musl
ENV RUSTFLAGS="-C target-feature=+crt-static"
ENV CARGOFLAGS="--locked --no-default-features --release --target ${TARGET}"
ENV OPENSSL_STATIC=true
COPY --from=busybox . / COPY --from=core-busybox . /
COPY --from=musl . / COPY --from=core-musl . /
COPY --from=libunwind . / COPY --from=core-libunwind . /
COPY --from=openssl . / COPY --from=core-openssl . /
COPY --from=zlib . / COPY --from=core-zlib . /
COPY --from=ca-certificates . / COPY --from=core-ca-certificates . /
COPY --from=binutils . / COPY --from=core-binutils . /
COPY --from=pkgconf . / COPY --from=core-pkgconf . /
COPY --from=git . / COPY --from=core-git . /
COPY --from=rust . / COPY --from=user-gen_initramfs . /
COPY --from=gen_initramfs . / COPY --from=user-eif_build . /
COPY --from=eif_build . / COPY --from=core-llvm . /
COPY --from=llvm . / COPY --from=core-gcc . /
COPY --from=gcc . / COPY --from=user-cpio . /
COPY --from=linux-nitro /bzImage . COPY --from=user-linux-nitro /bzImage .
COPY --from=linux-nitro /nsm.ko . COPY --from=user-linux-nitro /linux.config .
COPY --from=linux-nitro /linux.config .
ADD . /src
FROM base as build FROM base AS build
WORKDIR /src/init
RUN cargo build ${CARGOFLAGS}
WORKDIR /build_cpio WORKDIR /build_cpio
RUN cp /src/init/target/${TARGET}/release/init init RUN mkdir /build_cpio/rootfs
COPY --from=user-nit /usr/bin/init rootfs/init
ENV KBUILD_BUILD_TIMESTAMP=1 ENV KBUILD_BUILD_TIMESTAMP=1
COPY <<-EOF initramfs.list WORKDIR /build_cpio/rootfs
file /init init 0755 0 0
file /nsm.ko /nsm.ko 0755 0 0
dir /run 0755 0 0
dir /tmp 0755 0 0
dir /etc 0755 0 0
dir /bin 0755 0 0
dir /sbin 0755 0 0
dir /proc 0755 0 0
dir /sys 0755 0 0
dir /usr 0755 0 0
dir /usr/bin 0755 0 0
dir /usr/sbin 0755 0 0
dir /dev 0755 0 0
dir /dev/shm 0755 0 0
dir /dev/pts 0755 0 0
nod /dev/console 0600 0 0 c 5 1
EOF
RUN <<-EOF RUN <<-EOF
find . -exec touch -hcd "@0" "{}" + find . -exec touch -hcd "@0" "{}" + -print0 \
gen_init_cpio -t 1 initramfs.list > rootfs.cpio | sort -z \
touch -hcd "@0" rootfs.cpio | cpio \
--null \
--create \
--verbose \
--reproducible \
--format=newc \
| gzip --best \
> /build_cpio/rootfs.cpio
EOF EOF
WORKDIR /build_eif WORKDIR /build_eif
RUN eif_build \ RUN eif_build \
@ -77,10 +61,10 @@ RUN eif_build \
--output /nitro.eif \ --output /nitro.eif \
--cmdline 'reboot=k initrd=0x2000000,3228672 root=/dev/ram0 panic=1 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd' --cmdline 'reboot=k initrd=0x2000000,3228672 root=/dev/ram0 panic=1 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd'
FROM base as install FROM base AS install
WORKDIR /rootfs WORKDIR /rootfs
COPY --from=build /nitro.eif . COPY --from=build /nitro.eif .
COPY --from=build /nitro.pcrs . COPY --from=build /nitro.pcrs .
FROM scratch as package FROM scratch AS package
COPY --from=install /rootfs . COPY --from=install /rootfs .

12
Makefile
View File

@ -1,22 +1,18 @@
REGISTRY := local REGISTRY := local
.DEFAULT_GOAL := .DEFAULT_GOAL :=
.PHONY: default .PHONY: default
default: out/enclaveos.tar default: out/nitro.eif
out: out:
mkdir out mkdir out
out/enclaveos.tar: out \ out/nitro.eif: out
$(shell git ls-files \
src/init \
src/aws \
)
docker build \ docker build \
--tag $(REGISTRY)/enclaveos \ --tag $(REGISTRY)/enclaveos \
--progress=plain \ --progress=plain \
--output type=local,rewrite-timestamp=true,dest=out\ --output type=local,rewrite-timestamp=true,dest=out\
-f Containerfile \ -f Containerfile \
src/ .
.PHONY: run .PHONY: run
run: out/nitro.eif run: out/nitro.eif
@ -26,4 +22,4 @@ run: out/nitro.eif
--memory 512M \ --memory 512M \
--eif-path out/nitro.eif \ --eif-path out/nitro.eif \
--debug-mode \ --debug-mode \
--attach-console --attach-console

12
src/aws/Cargo.toml
View File

@ -1,12 +0,0 @@
[package]
name = "aws"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
libc = "0.2.134"
nsm_lib = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api.git/", branch = "main", package="nsm-lib", optional = false }
nsm_api = { git = "https://github.com/aws/aws-nitro-enclaves-nsm-api.git/", branch = "main", package="aws-nitro-enclaves-nsm-api", optional = false }
system = { path = "../system"}

65
src/aws/src/lib.rs
View File

@ -1,65 +0,0 @@
use system::{dmesg, SystemError};
// Signal to Nitro hypervisor that booting was successful
fn nitro_heartbeat() {
use system::socket_connect;
use libc::{write, read, close, AF_VSOCK};
let mut buf: [u8; 1] = [0; 1];
buf[0] = 0xB7; // AWS Nitro heartbeat value
let fd = match socket_connect(AF_VSOCK, 9000, 3) {
Ok(f)=> f,
Err(e)=> {
eprintln!("{}", e);
return
},
};
unsafe {
write(fd, buf.as_ptr() as _, 1);
read(fd, buf.as_ptr() as _, 1);
close(fd);
}
dmesg(format!("Sent NSM heartbeat"));
}
// Get entropy sample from Nitro device
pub fn get_entropy(size: usize) -> Result<Vec<u8>, SystemError> {
use nsm_api::api::ErrorCode;
use nsm_lib::{nsm_get_random, nsm_lib_init};
let nsm_fd = nsm_lib_init();
if nsm_fd < 0 {
return Err(SystemError {
message: String::from("Failed to connect to NSM device")
});
};
let mut dest = Vec::with_capacity(size);
while dest.len() < size {
let mut buf = [0u8; 256];
let mut buf_len = buf.len();
let status = unsafe {
nsm_get_random(nsm_fd, buf.as_mut_ptr(), &mut buf_len)
};
match status {
ErrorCode::Success => {
dest.extend_from_slice(&buf);
},
_ => {
return Err(SystemError {
message: String::from("Failed to get entropy from NSM device")
});
}
};
}
Ok(dest)
}
// Initialize nitro device
pub fn init_platform(){
use system::insmod;
// TODO: error handling
nitro_heartbeat();
match insmod("/nsm.ko") {
Ok(())=> dmesg(format!("Loaded nsm.ko")),
Err(e)=> eprintln!("{}", e)
};
}

337
src/init/Cargo.lock generated
View File

@ -1,337 +0,0 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3
[[package]]
name = "autocfg"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
[[package]]
name = "aws"
version = "0.1.0"
dependencies = [
"aws-nitro-enclaves-nsm-api",
"libc",
"nsm-lib",
"system",
]
[[package]]
name = "aws-nitro-enclaves-nsm-api"
version = "0.2.1"
source = "git+https://github.com/aws/aws-nitro-enclaves-nsm-api.git/?branch=main#16eebf7838fa6f399cfffda0049912b936c3a895"
dependencies = [
"libc",
"log",
"nix",
"serde",
"serde_bytes",
"serde_cbor",
]
[[package]]
name = "bitflags"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
[[package]]
name = "cbindgen"
version = "0.21.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "485ede05a56152367a6ec586a7425b475d6c3d3838581ff651d2a6e3730a62ef"
dependencies = [
"heck",
"indexmap",
"log",
"proc-macro2",
"quote",
"serde",
"serde_json",
"syn",
"tempfile",
"toml",
]
[[package]]
name = "cc"
version = "1.0.73"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "fastrand"
version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a7a407cfaa3385c4ae6b23e84623d48c2798d06e3e6a1878f7f59f17b3f86499"
dependencies = [
"instant",
]
[[package]]
name = "half"
version = "1.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7"
[[package]]
name = "hashbrown"
version = "0.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
[[package]]
name = "heck"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2540771e65fc8cb83cd6e8a237f70c319bd5c29f78ed1084ba5d50eeac86f7f9"
[[package]]
name = "indexmap"
version = "1.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e"
dependencies = [
"autocfg",
"hashbrown",
]
[[package]]
name = "init"
version = "0.1.0"
dependencies = [
"aws",
"libc",
"system",
]
[[package]]
name = "instant"
version = "0.1.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
dependencies = [
"cfg-if",
]
[[package]]
name = "itoa"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc"
[[package]]
name = "libc"
version = "0.2.134"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "329c933548736bc49fd575ee68c89e8be4d260064184389a5b77517cddd99ffb"
[[package]]
name = "log"
version = "0.4.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
dependencies = [
"cfg-if",
]
[[package]]
name = "memoffset"
version = "0.6.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
dependencies = [
"autocfg",
]
[[package]]
name = "nix"
version = "0.20.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f5e06129fb611568ef4e868c14b326274959aa70ff7776e9d55323531c374945"
dependencies = [
"bitflags",
"cc",
"cfg-if",
"libc",
"memoffset",
]
[[package]]
name = "nsm-lib"
version = "0.2.1"
source = "git+https://github.com/aws/aws-nitro-enclaves-nsm-api.git/?branch=main#16eebf7838fa6f399cfffda0049912b936c3a895"
dependencies = [
"aws-nitro-enclaves-nsm-api",
"cbindgen",
"serde_bytes",
]
[[package]]
name = "proc-macro2"
version = "1.0.46"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94e2ef8dbfc347b10c094890f778ee2e36ca9bb4262e86dc99cd217e35f3470b"
dependencies = [
"unicode-ident",
]
[[package]]
name = "quote"
version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbe448f377a7d6961e30f5955f9b8d106c3f5e449d493ee1b125c1d43c2b5179"
dependencies = [
"proc-macro2",
]
[[package]]
name = "redox_syscall"
version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
dependencies = [
"bitflags",
]
[[package]]
name = "remove_dir_all"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
dependencies = [
"winapi",
]
[[package]]
name = "ryu"
version = "1.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4501abdff3ae82a1c1b477a17252eb69cee9e66eb915c1abaa4f44d873df9f09"
[[package]]
name = "serde"
version = "1.0.145"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "728eb6351430bccb993660dfffc5a72f91ccc1295abaa8ce19b27ebe4f75568b"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_bytes"
version = "0.11.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cfc50e8183eeeb6178dcb167ae34a8051d63535023ae38b5d8d12beae193d37b"
dependencies = [
"serde",
]
[[package]]
name = "serde_cbor"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5"
dependencies = [
"half",
"serde",
]
[[package]]
name = "serde_derive"
version = "1.0.145"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "81fa1584d3d1bcacd84c277a0dfe21f5b0f6accf4a23d04d4c6d61f1af522b4c"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "serde_json"
version = "1.0.86"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41feea4228a6f1cd09ec7a3593a682276702cd67b5273544757dae23c096f074"
dependencies = [
"itoa",
"ryu",
"serde",
]
[[package]]
name = "syn"
version = "1.0.102"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3fcd952facd492f9be3ef0d0b7032a6e442ee9b361d4acc2b1d0c4aaa5f613a1"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "system"
version = "0.1.0"
dependencies = [
"libc",
]
[[package]]
name = "tempfile"
version = "3.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4"
dependencies = [
"cfg-if",
"fastrand",
"libc",
"redox_syscall",
"remove_dir_all",
"winapi",
]
[[package]]
name = "toml"
version = "0.5.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
dependencies = [
"serde",
]
[[package]]
name = "unicode-ident"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3"
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

14
src/init/Cargo.toml
View File

@ -1,14 +0,0 @@
[package]
name = "init"
version = "0.1.0"
edition = "2021"
[dependencies]
libc = "0.2.134"
aws = { path = "../aws"}
system = { path = "../system"}
[[bin]]
name = "init"
path = "init.rs"

59
src/init/init.rs
View File

@ -1,59 +0,0 @@
use system::{seed_entropy, reboot, freopen, mount, dmesg};
//TODO: Feature flag
use aws::{init_platform, get_entropy};
// Mount common filesystems with conservative permissions
fn init_rootfs() {
use libc::{MS_NOSUID, MS_NOEXEC, MS_NODEV };
let no_dse = MS_NODEV | MS_NOSUID | MS_NOEXEC;
let no_se = MS_NOSUID | MS_NOEXEC;
let args = [
("devtmpfs", "/dev", "devtmpfs", no_se, "mode=0755"),
("devtmpfs", "/dev", "devtmpfs", no_se, "mode=0755"),
("devpts", "/dev/pts", "devpts", no_se, ""),
("shm", "/dev/shm", "tmpfs", no_dse, "mode=0755"),
("proc", "/proc", "proc", no_dse, "hidepid=2"),
("tmpfs", "/run", "tmpfs", no_dse, "mode=0755"),
("tmpfs", "/tmp", "tmpfs", no_dse, ""),
("sysfs", "/sys", "sysfs", no_dse, ""),
("cgroup_root", "/sys/fs/cgroup", "tmpfs", no_dse, "mode=0755"),
];
for (src, target, fstype, flags, data) in args {
match mount(src, target, fstype, flags, data) {
Ok(())=> dmesg(format!("Mounted {}", target)),
Err(e)=> eprintln!("{}", e),
}
}
}
// Initialize console with stdin/stdout/stderr
fn init_console() {
let args = [
("/dev/console", "r", 0),
("/dev/console", "w", 1),
("/dev/console", "w", 2),
];
for (filename, mode, file) in args {
match freopen(filename, mode, file) {
Ok(())=> {},
Err(e)=> eprintln!("{}", e),
}
}
}
fn boot(){
init_rootfs();
init_console();
init_platform();
match seed_entropy(4096, get_entropy) {
Ok(size)=> dmesg(format!("Seeded kernel with entropy: {}", size)),
Err(e)=> eprintln!("{}", e)
};
}
fn main() {
boot();
dmesg("EnclaveOS Booted".to_string());
reboot();
}

9
src/system/Cargo.toml
View File

@ -1,9 +0,0 @@
[package]
name = "system"
version = "0.1.0"
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
libc = "0.2.134"

169
src/system/src/lib.rs
View File

@ -1,169 +0,0 @@
use libc::{ c_ulong, c_int, c_void };
use std::{
mem::{zeroed, size_of},
ffi::CString,
fs::File,
os::unix::io::AsRawFd,
fmt,
};
pub struct SystemError {
pub message: String,
}
impl fmt::Display for SystemError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "{} {}", boot_time(), self.message)
}
}
// Log dmesg formatted log to console
pub fn dmesg(message: String){
println!("{} {}", boot_time(), message);
}
// Dmesg formatted seconds since boot
pub fn boot_time() -> String {
use libc::{clock_gettime, timespec, CLOCK_BOOTTIME};
let mut t = timespec { tv_sec: 0, tv_nsec: 0 };
unsafe { clock_gettime(CLOCK_BOOTTIME, &mut t as *mut timespec); }
format!("[ {: >4}.{}]", t.tv_sec, t.tv_nsec / 1000).to_string()
}
// Unconditionally reboot the system now
pub fn reboot(){
use libc::{reboot, RB_AUTOBOOT};
unsafe {
reboot(RB_AUTOBOOT);
}
}
// libc::mount casting/error wrapper
pub fn mount(
src: &str,
target: &str,
fstype: &str,
flags: c_ulong,
data: &str,
) -> Result<(), SystemError> {
use libc::mount;
let src_cs = CString::new(src).unwrap();
let fstype_cs = CString::new(fstype).unwrap();
let data_cs = CString::new(data).unwrap();
let target_cs = CString::new(target).unwrap();
if unsafe {
mount(
src_cs.as_ptr(),
target_cs.as_ptr(),
fstype_cs.as_ptr(),
flags,
data_cs.as_ptr() as *const c_void
)
} != 0 {
Err(SystemError { message: format!("Failed to mount: {}", target) })
} else {
Ok(())
}
}
// libc::freopen casting/error wrapper
pub fn freopen(
filename: &str,
mode: &str,
file: c_int,
) -> Result<(), SystemError> {
use libc::{freopen, fdopen};
let filename_cs = CString::new(filename).unwrap();
let mode_cs = CString::new(mode).unwrap();
if unsafe {
freopen(
filename_cs.as_ptr(),
mode_cs.as_ptr(),
fdopen(file, mode_cs.as_ptr() as *const i8)
)
}.is_null() {
Err(SystemError { message: format!("Failed to freopen: {}", filename) })
} else {
Ok(())
}
}
// Insert kernel module into memory
pub fn insmod(path: &str) -> Result<(), SystemError> {
use libc::{syscall, SYS_finit_module};
let file = File::open(path).unwrap();
let fd = file.as_raw_fd();
if unsafe { syscall(SYS_finit_module, fd, &[0u8; 1], 0) } < 0 {
Err(SystemError {
message: format!("Failed to insert kernel module: {}", path)
})
} else {
Ok(())
}
}
// Instantiate a socket
pub fn socket_connect(
family: c_int,
port: u32,
cid: u32,
) -> Result<c_int, SystemError> {
use libc::{connect, socket, sockaddr, sockaddr_vm, SOCK_STREAM};
let fd = unsafe { socket(family, SOCK_STREAM, 0) };
if unsafe {
let mut sa: sockaddr_vm = zeroed();
sa.svm_family = family as _;
sa.svm_port = port;
sa.svm_cid = cid;
connect(
fd,
&sa as *const _ as *mut sockaddr,
size_of::<sockaddr_vm>() as _,
)
} < 0 {
Err(SystemError {
message: format!("Failed to connect to socket: {}", family)
})
} else {
Ok(fd)
}
}
// Seed an entropy sample into the kernel randomness pool.
pub fn seed_entropy(
size: usize,
source: fn(usize) -> Result<Vec<u8>, SystemError>,
) -> Result<usize, SystemError> {
use std::io::Write;
let entropy_sample = match source(size) {
Ok(sample)=> sample,
Err(e)=> { return Err(e) },
};
use std::fs::OpenOptions;
let mut random_fd = match OpenOptions::new()
.read(true)
.write(true)
.open("/dev/urandom")
{
Ok(file) => file,
Err(_) => {
return Err(SystemError {
message: String::from("Failed to open /dev/urandom"),
});
},
};
// 5.10+ kernel entropy pools are made of BLAKE2 hashes fixed at 256 bit
// The RNDADDENTROPY crediting system is now complexity with no gain.
// We just simply write samples to /dev/urandom now.
// See: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.119
match random_fd.write_all(&entropy_sample) {
Ok(()) => Ok(entropy_sample.len()),
Err(_) => {
return Err(SystemError {
message: String::from("Failed to write to /dev/urandom"),
});
}
}
}