From b14e4260b2d74ea967a284160517c88531adeb46 Mon Sep 17 00:00:00 2001 From: ryan Date: Fri, 11 Jul 2025 23:15:12 -0400 Subject: [PATCH] cleanup, prep for exec example --- src/main.rs | 10 +++---- src/platform/aws.rs | 68 ++----------------------------------------- src/platform/mod.rs | 37 +++++++---------------- src/system/mod.rs | 1 + src/system/syscall.rs | 4 +-- 5 files changed, 19 insertions(+), 101 deletions(-) diff --git a/src/main.rs b/src/main.rs index 528ccf6..389710b 100644 --- a/src/main.rs +++ b/src/main.rs @@ -3,7 +3,6 @@ mod platform; mod result; mod system; -use platform::Platform; use result::Result; use system::dmesg; @@ -48,12 +47,11 @@ fn init() -> Result<()> { system::dmesg("EnclaveOS Booted"); - std::thread::sleep(std::time::Duration::from_secs(500)); - - /* let command = &config.target; match config.mode { config::Mode::Spawn => { + panic!("Spawn mode has not been tested.") + /* // set up a process reaper. any time a child process dies, a SIGCHLD will be fired, and // the signal handler will reap the processes eprintln!("installing signal handler"); @@ -64,13 +62,13 @@ fn init() -> Result<()> { eprintln!("Encountered error running {command}: {e}"); } } + */ } config::Mode::Exec => { - eprintln!("pivoting to {command}"); + dmesg("pivoting to {command}"); system::syscall::execv(command, &[])?; } } - */ Ok(()) } diff --git a/src/platform/aws.rs b/src/platform/aws.rs index 5a24dc8..91366be 100644 --- a/src/platform/aws.rs +++ b/src/platform/aws.rs @@ -45,6 +45,7 @@ impl Aws { )?; }; + dmesg("heartbeat =>"); write(fd, &buf)?; read(fd, &mut buf)?; close(fd)?; @@ -54,6 +55,8 @@ impl Aws { .context(format_args!("Bad value from heartbeat")); } + dmesg("<= heartbeat"); + Ok(()) } } 
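Review bot: In the `config::Mode::Exec` arm, `dmesg("pivoting to {command}")` passes a plain string literal to a function, so the braces are not interpolated as they were in the `eprintln!` it replaces, and the log will show the text `{command}` instead of the target path. Use `dmesg(format!("pivoting to {command}"));`, the form the removed shim in src/platform/aws.rs used when calling `dmesg`. Separately, the new `panic!("Spawn mode has not been tested.")` sits in `init()`, which returns `Result<()>`; if this binary runs as PID 1, a panic there takes the whole system down instead of reaching the caller's error reporting, so returning an error is the safer way to reject the mode. The now-live `system::syscall::execv(command, &[])` also appears to hand the target an empty argument list, which deserves at least a comment because many programs assume `argv[0]` exists. `init()` starts above this hunk.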
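Review bot: The heartbeat exchange traced by the new `dmesg("heartbeat =>")` line reuses one buffer for `write(fd, &buf)?` and `read(fd, &mut buf)?`, so if `read` returns without filling it (for example a zero-length read), `buf` still holds the value that was sent and the later "Bad value from heartbeat" check could pass without the peer having answered. The `read` wrapper's handling of the byte count and the comparison itself are outside the hunk, so this needs confirming; reading into a separate zeroed buffer or checking the returned length before comparing would close the gap. The `?` on `write` and `read` also returns before `close(fd)?`, which leaves the descriptor open on the error path.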
@@ -63,74 +66,9 @@ impl super::Platform for Aws { std::fs::exists("/dev/nsm").context(format_args!("could not check if /dev/nsm exists")) } - fn get_modules(&self) -> Result> { - Ok(vec![("/nsm.ko".into(), String::new())]) - } - fn init(&self) -> Result<()> { Self::init_heartbeat()?; // enclaveos_shim::init_platform(); Ok(()) } } - -mod enclaveos_shim { - use super::dmesg; - - mod system { - use super::dmesg; - use std::os::fd::AsRawFd; - - pub fn insmod(path: &str) { - use libc::{syscall, SYS_finit_module}; - let file = std::fs::File::open(path).unwrap(); - let fd = file.as_raw_fd(); - if unsafe { syscall(SYS_finit_module, fd, &[0u8; 1], 0) } < 0 { - dmesg(format!("bad insert kernel module: {path}")); - } - } - pub fn socket_connect(family: libc::c_int, port: u32, cid: u32) -> libc::c_int { - use libc::{connect, sockaddr, sockaddr_vm, socket, SOCK_STREAM}; - let fd = unsafe { socket(family, SOCK_STREAM, 0) }; - if unsafe { - let mut sa: sockaddr_vm = std::mem::zeroed(); - sa.svm_family = family as _; - sa.svm_port = port; - sa.svm_cid = cid; - connect( - fd, - &sa as *const _ as *mut sockaddr, - size_of::() as _, - ) - } < 0 - { - panic!("yikes") - } else { - fd - } - } - } - - pub fn init_platform() { - use system::insmod; - // TODO: error handling - nitro_heartbeat(); - - // eprintln!("Loading nsm.ko"); - // insmod("/nsm.ko"); - } - - fn nitro_heartbeat() { - use libc::{close, read, write, AF_VSOCK}; - use system::socket_connect; - let mut buf: [u8; 1] = [0; 1]; - buf[0] = 0xB7; // AWS Nitro heartbeat value - let fd = socket_connect(AF_VSOCK, 9000, 3); - unsafe { - write(fd, buf.as_ptr() as _, 1); - read(fd, buf.as_ptr() as _, 1); - close(fd); - } - dmesg("Sent NSM heartbeat"); - } -} diff --git a/src/platform/mod.rs b/src/platform/mod.rs index fcdf913..383863a 100644 --- a/src/platform/mod.rs +++ b/src/platform/mod.rs 
@@ -1,4 +1,7 @@ -use crate::{system::{self, Mount, MountType}, result::Result}; +use crate::{ + result::Result, + system::{self, Mount}, +}; pub trait Platform: std::fmt::Debug { /// Whether the current Platform is the `Self` platform. @@ -14,26 +17,10 @@ pub trait Platform: std::fmt::Debug { /// The configuration for mounting filesystems for the platform. /// - /// This normally includes filesystems such as `/dev` and `/proc` that are not - /// backed by physical media. + /// Filesystems such as `/proc` and `/dev` have already been mounted. This method should be + /// used to define additional mounts. fn get_mounts(&self) -> Result> { - use libc::{MS_NODEV, MS_NOEXEC, MS_NOSUID}; - use MountType::{DevPts, DevTmpFs, Proc, Shm, SysFs, TmpFs}; - - let no_se = MS_NOSUID | MS_NOEXEC; - let no_dse = no_se | MS_NODEV; - - let m755 = Some("mode=0755"); - - Ok(vec![ - Mount::new(DevTmpFs, "/dev", DevTmpFs, no_se, m755), - Mount::new(DevPts, "/dev/pts", DevPts, no_se, None), - Mount::new(Shm, "/dev/shm", TmpFs, no_dse, m755), - Mount::new(Proc, "/proc", Proc, no_dse, m755), - Mount::new(TmpFs, "/tmp", TmpFs, no_dse, None), - Mount::new(SysFs, "/sys", SysFs, no_dse, None), - Mount::new("cgroup_root", "/sys/fs/cgroup", TmpFs, no_dse, m755), - ]) + Ok(vec![]) } /// Initialize all necessary requirements for the platform. @@ -73,22 +60,18 @@ pub fn get_current_platform(name: Option<&str>) -> Result Result<()> { - // Error handling strategy: If a platform is compiled in and loaded, if platform - // specific error handling doesn't work, fall back to generic. + // TODO: Error handling strategy: If a platform is compiled in and loaded, if platform + // specific error handling doesn't work, fall back to generic? - // NOTE: We need to make get_mounts _additional_ beyond a base set. - // We need `/dev/nsm` to exist so Aws.is() works. - /* platform.get_mounts().and_then(init_filesystems)?; platform.get_modules().and_then(init_modules)?; - */ platform.init()?; Ok(()) 
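Review bot: The new default `get_mounts` returning `Ok(vec![])` removes the only place in this trait where the `MS_NOSUID | MS_NOEXEC | MS_NODEV` hardening was visible, and the rewritten doc comment gives implementers no guidance on flags for the additional mounts they define. I would extend the doc comment with a line such as `/// Additional mounts should set MS_NODEV | MS_NOSUID | MS_NOEXEC unless the platform needs otherwise.` so a platform-specific mount is not given a permissive flag set by omission. The comment could also name where the base set is now mounted (from the other file in this patch it looks like `system::mount_default_targets`), since "have already been mounted" is an ordering assumption the trait cannot enforce.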
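Review bot: The reworded `TODO` leaves open whether a failed platform-specific step should fall back to generic handling, while the calls re-enabled in this hunk (`platform.get_mounts().and_then(init_filesystems)?`, `platform.get_modules().and_then(init_modules)?`, `platform.init()?`) all propagate with `?` and so fail closed. For an enclave init, continuing on a generic path after platform setup failed would mean running the workload without whatever that setup establishes. I would therefore record fail-closed as the decision, not leave it as a question, e.g. `// Platform setup errors are fatal: do not continue on a generic path.` The removed `NOTE` also recorded that `/dev/nsm` must exist before `Aws.is()` is evaluated; that ordering requirement still seems to apply and deserves a one-line comment where the base filesystems are mounted. The enclosing function's signature is outside the hunk.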
diff --git a/src/system/mod.rs b/src/system/mod.rs index 424496d..7be0b8e 100644 --- a/src/system/mod.rs +++ b/src/system/mod.rs @@ -85,6 +85,7 @@ impl Mount { } } +#[allow(clippy::similar_names)] pub fn mount_default_targets() -> Result<(), Vec> { let no_dse = MS_NODEV | MS_NOSUID | MS_NOEXEC; let no_se = MS_NOSUID | MS_NOEXEC; diff --git a/src/system/syscall.rs b/src/system/syscall.rs index ca84d9d..55b2dc0 100644 --- a/src/system/syscall.rs +++ b/src/system/syscall.rs @@ -159,14 +159,12 @@ pub use libc::sockaddr_vm; // This function is unsafe since we have to pass it a C-style union. pub unsafe fn connect(fd: RawFd, sockaddr: *mut libc::sockaddr, size: usize) -> Result<()> { - /* let size = u32::try_from(size).context(format_args!( "connect(..., size = {size}) has size > {}", u32::MAX ))?; - */ - match unsafe { libc::connect(fd, sockaddr, size as u32) } { + match unsafe { libc::connect(fd, sockaddr, size) } { 0 => Ok(()), -1 => ctx_os_error(format_args!("error calling connect({fd}, ...)")), n => unreachable!("connect({fd}, ...) returned bad value: {n}"),
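Review bot: `#[allow(clippy::similar_names)]` on `mount_default_targets` is added without a stated reason, and the names it silences, `no_dse` and `no_se`, differ only by `MS_NODEV`, so swapping them changes which mounts permit device nodes. Either add a comment explaining the suppression, for example `// no_dse / no_se follow the flag initials (nodev, nosuid, noexec)`, or rename them to something like `nodev_nosuid_noexec` and `nosuid_noexec` and drop the `allow`. The function body continues past the end of the hunk.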
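Review bot: `pub unsafe fn connect` carries only a `//` comment saying why it is unsafe and nothing about what the caller must guarantee. A `/// # Safety` section would fix that, stating that `sockaddr` must point to a valid, initialised socket address structure of at least `size` bytes for the duration of the call. With the `u32::try_from(size)` conversion active the length is range-checked, so the remaining contract is entirely about the pointer, and that is what the doc should spell out.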