shim: pass seal data prepared by enclave-agent to runtime-boot

Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Oct 19, 2023 · 2eb20d8 · 2eb20d8
1 parent 0c64598
commit 2eb20d8
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 2 deletions.
diff --git a/src/shim/runtime/v2/rune/v2/create.go b/src/shim/runtime/v2/rune/v2/create.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/config"
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/oci"
@@ -109,6 +110,10 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 		}
 		// sefsDir store the unionfs images (based on sefs)
 		sefsDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid)
+		sealDataDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/keys", cid)
+		if _, err := os.Stat(sealDataDir); !os.IsNotExist(err) {
+			sefsDir = strings.Join([]string{sefsDir, sealDataDir}, ":")
+		}
 
 		var options []string
 		// Set index=off when mount overlayfs

diff --git a/tools/packaging/build/agent-enclave-bundle/Dockerfile b/tools/packaging/build/agent-enclave-bundle/Dockerfile
@@ -71,7 +71,8 @@ RUN export PATH="$PATH:/opt/occlum/build/bin" && \
 # TODO: add new build stage and copy occlum_instance.tar.gz to it
 WORKDIR /run/rune
 RUN tar xzf /run/enclave-agent/occlum_instance/occlum_instance.tar.gz && \
-    rm -rf /run/enclave-agent
+    rm -rf /run/enclave-agent && \
+    mkdir /keys /configs
 
 RUN rm -rf $HOME/.cargo $HOME/.rustup /enclave-cc && sed -e '/cargo/d' -i /root/.profile && sed -e '/cargo/d' -i /root/.bashrc
 RUN apt-get purge -y wget gnupg tzdata jq occlum occlum-pal occlum-toolchains-glibc make binutils libfuse2 libfuse3-3 ca-certificates rsync build-essential cmake git && apt-get autoremove -y

diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - /keys
   - target: /bin
     copy:
       - files:

diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - /keys
   - target: /bin
     copy:
       - files:

diff --git a/tools/packaging/deploy/enclave-cc-deploy.sh b/tools/packaging/deploy/enclave-cc-deploy.sh
@@ -74,7 +74,6 @@ function install_artifacts() {
 	install -D -m0755 ${shim_rune_binary} /opt/confidential-containers/bin/${shim_rune_binary}
 	ln -sf /opt/confidential-containers/bin/${shim_rune_binary} "${install_path}/${shim_rune_binary}"
 
-	mkdir -p /opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs
 	echo ${DECRYPT_CONFIG} | base64 -d >/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf
 	echo ${OCICRYPT_CONFIG} | base64 -d >/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/ocicrypt.conf
 }