From 2eb20d80af3a10ea486f48cde44066c46db52d40 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Thu, 19 Oct 2023 09:19:11 +0300
Subject: [PATCH] shim: pass seal data prepared by enclave-agent to runtime-boot

Signed-off-by: Mikko Ylinen
---
 src/shim/runtime/v2/rune/v2/create.go | 5 +++++
 tools/packaging/build/agent-enclave-bundle/Dockerfile | 3 ++-
 .../build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml | 3 +++
 .../build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml | 3 +++
 tools/packaging/deploy/enclave-cc-deploy.sh | 1 -
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/shim/runtime/v2/rune/v2/create.go b/src/shim/runtime/v2/rune/v2/create.go
index e734345e..dd532090 100644
--- a/src/shim/runtime/v2/rune/v2/create.go
+++ b/src/shim/runtime/v2/rune/v2/create.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/config"
 	"github.com/confidential-containers/enclave-cc/src/shim/runtime/v2/rune/oci"
@@ -109,6 +110,10 @@ func handlePodContainer(ctx context.Context, s *service, r *taskAPI.CreateTaskRe
 	}
 	// sefsDir store the unionfs images (based on sefs)
 	sefsDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/images", cid)
+	sealDataDir := filepath.Join(agentContainerRootDir, s.agentID, "merged/rootfs/keys", cid)
+	if _, err := os.Stat(sealDataDir); !os.IsNotExist(err) {
+		sefsDir = strings.Join([]string{sefsDir, sealDataDir}, ":")
+	}
 	var options []string
 	// Set index=off when mount overlayfs
diff --git a/tools/packaging/build/agent-enclave-bundle/Dockerfile b/tools/packaging/build/agent-enclave-bundle/Dockerfile
index 02257633..9cbd9608 100644
--- a/tools/packaging/build/agent-enclave-bundle/Dockerfile
+++ b/tools/packaging/build/agent-enclave-bundle/Dockerfile
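Review bot: The guard `if _, err := os.Stat(sealDataDir); !os.IsNotExist(err)` in handlePodContainer treats every stat failure other than ENOENT — a permission error, ENOTDIR, a plain file at that path — as "seal data present" and still appends the path to the colon-joined list, so a misconfigured agent rootfs fails later and opaquely instead of at this check; `if fi, err := os.Stat(sealDataDir); err == nil && fi.IsDir() {` limits the join to a directory that actually exists. The `:` separator presumably assumes neither agentContainerRootDir nor cid contains a colon, and nothing in the hunk says where the joined value is split; a one-line comment next to the new `strings.Join`, e.g. `// sefs dirs are handed on as a ":"-separated list; per-container seal data lives under merged/rootfs/keys/<cid>`, would make that convention visible. handlePodContainer continues outside the hunk.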
@@ -71,7 +71,8 @@ RUN export PATH="$PATH:/opt/occlum/build/bin" && \
 # TODO: add new build stage and copy occlum_instance.tar.gz to it
 WORKDIR /run/rune
 RUN tar xzf /run/enclave-agent/occlum_instance/occlum_instance.tar.gz && \
-    rm -rf /run/enclave-agent
+    rm -rf /run/enclave-agent && \
+    mkdir /keys /configs
 RUN rm -rf $HOME/.cargo $HOME/.rustup /enclave-cc && sed -e '/cargo/d' -i /root/.profile && sed -e '/cargo/d' -i /root/.bashrc
 RUN apt-get purge -y wget gnupg tzdata jq occlum occlum-pal occlum-toolchains-glibc make binutils libfuse2 libfuse3-3 ca-certificates rsync build-essential cmake git && apt-get autoremove -y
diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
index e2d93ab6..62c34a7a 100644
--- a/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
+++ b/tools/packaging/build/agent-enclave-bundle/enclave-agent-cc-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - /keys
   - target: /bin
     copy:
       - files:
diff --git a/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml b/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
index e2d93ab6..62c34a7a 100644
--- a/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
+++ b/tools/packaging/build/agent-enclave-bundle/enclave-agent-sample-kbc.yaml
@@ -1,6 +1,9 @@
 includes:
   - base.yaml
 targets:
+  - target: /
+    mkdirs:
+      - /keys
   - target: /bin
     copy:
       - files:
diff --git a/tools/packaging/deploy/enclave-cc-deploy.sh b/tools/packaging/deploy/enclave-cc-deploy.sh
index e588e153..d5c84d26 100755
--- a/tools/packaging/deploy/enclave-cc-deploy.sh
+++ b/tools/packaging/deploy/enclave-cc-deploy.sh
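Review bot: The added `mkdir /keys /configs` has no `-p`, so the image build fails the moment either directory is already present in the extracted occlum_instance tarball or is introduced by a later step; `mkdir -p /keys /configs` keeps the step idempotent. A short comment on that line saying what the two directories are for would also help, since the deploy script stops creating `configs` in this same commit and the shim change looks for per-container seal data under `keys/<cid>`, so this line is now the only place that contract is established.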
@@ -74,7 +74,6 @@ function install_artifacts() {
     install -D -m0755 ${shim_rune_binary} /opt/confidential-containers/bin/${shim_rune_binary}
     ln -sf /opt/confidential-containers/bin/${shim_rune_binary} "${install_path}/${shim_rune_binary}"
-    mkdir -p /opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs
     echo ${DECRYPT_CONFIG} | base64 -d >/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf
     echo ${OCICRYPT_CONFIG} | base64 -d >/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/ocicrypt.conf
 }