diff --git a/Cargo.lock b/Cargo.lock index b4b43822f..4067b05b4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -134,6 +134,20 @@ version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +[[package]] +name = "aws-nitro" +version = "0.1.0" +dependencies = [ + "devices", + "libc", + "log", + "nitro-enclaves 0.6.0", + "nix 0.30.1", + "signal-hook", + "tar", + "vsock", +] + [[package]] name = "backtrace" version = "0.3.75" @@ -872,6 +886,7 @@ checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa" name = "libkrun" version = "1.17.0" dependencies = [ + "aws-nitro", "crossbeam-channel", "devices", "env_logger", @@ -883,7 +898,6 @@ dependencies = [ "libc", "libloading", "log", - "nitro", "nitro-enclaves 0.5.0", "once_cell", "polly", @@ -1012,20 +1026,6 @@ dependencies = [ "simd-adler32", ] -[[package]] -name = "nitro" -version = "0.1.0" -dependencies = [ - "devices", - "libc", - "log", - "nitro-enclaves 0.6.0", - "nix 0.30.1", - "signal-hook", - "tar", - "vsock", -] - [[package]] name = "nitro-enclaves" version = "0.5.0" diff --git a/Makefile b/Makefile index f8f007a86..e3bb947aa 100644 --- a/Makefile +++ b/Makefile 
@@ -17,22 +17,22 @@ SNP_INIT_SRC = init/tee/snp_attest.c \ $(KBS_INIT_SRC) \ TDX_INIT_SRC = $(KBS_INIT_SRC) -NITRO_INIT_SRC = \ - init/nitro/include/* \ - init/nitro/main.c \ - init/nitro/archive.c \ - init/nitro/args_reader.c \ - init/nitro/fs.c \ - init/nitro/device/include/* \ - init/nitro/device/app_stdio_output.c \ - init/nitro/device/device.c \ - init/nitro/device/net_tap_afvsock.c \ - init/nitro/device/signal.c \ +AWS_NITRO_INIT_SRC = \ + init/aws-nitro/include/* \ + init/aws-nitro/main.c \ + init/aws-nitro/archive.c \ + init/aws-nitro/args_reader.c \ + init/aws-nitro/fs.c \ + init/aws-nitro/device/include/* \ + init/aws-nitro/device/app_stdio_output.c \ + init/aws-nitro/device/device.c \ + init/aws-nitro/device/net_tap_afvsock.c \ + init/aws-nitro/device/signal.c \ KBS_LD_FLAGS = -lcurl -lidn2 -lssl -lcrypto -lzstd -lz -lbrotlidec-static \ -lbrotlicommon-static -NITRO_INIT_LD_FLAGS = -larchive -lnsm +AWS_NITRO_INIT_LD_FLAGS = -larchive -lnsm BUILD_INIT = 1 INIT_DEFS = @@ -75,9 +75,9 @@ endif ifeq ($(INPUT),1) FEATURE_FLAGS += --features input endif -ifeq ($(NITRO),1) - VARIANT = -nitro - FEATURE_FLAGS := --features nitro,net +ifeq ($(AWS_NITRO),1) + VARIANT = -awsnitro + FEATURE_FLAGS := --features aws-nitro,net BUILD_INIT = 0 endif @@ -138,9 +138,9 @@ $(INIT_BINARY): $(INIT_SRC) $(SYSROOT_TARGET) $(CC_LINUX) -O2 -static -Wall $(INIT_DEFS) -o $@ $(INIT_SRC) $(INIT_DEFS) endif -NITRO_INIT_BINARY= init/nitro/init -$(NITRO_INIT_BINARY): $(NITRO_INIT_SRC) - $(CC) -O2 -static -Wall $(NITRO_INIT_LD_FLAGS) -o $@ $(NITRO_INIT_SRC) $(NITRO_INIT_LD_FLAGS) +AWS_NITRO_INIT_BINARY= init/aws-nitro/init +$(AWS_NITRO_INIT_BINARY): $(AWS_NITRO_INIT_SRC) + $(CC) -O2 -static -Wall $(AWS_NITRO_INIT_LD_FLAGS) -o $@ $(AWS_NITRO_INIT_SRC) $(AWS_NITRO_INIT_LD_FLAGS) # Sysroot preparation rules for cross-compilation on macOS DEBIAN_PACKAGES = libc6 libc6-dev libgcc-12-dev linux-libc-dev 
@@ -179,7 +179,7 @@ $(LIBRARY_RELEASE_$(OS)): $(INIT_BINARY) ifeq ($(SEV),1) mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS)) endif -ifeq ($(NITRO),1) +ifeq ($(AWS_NITRO),1) mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS)) endif ifeq ($(TDX),1) diff --git a/examples/Makefile b/examples/Makefile index 16c9cb2c4..724a9049d 100644 --- a/examples/Makefile +++ b/examples/Makefile @@ -6,7 +6,7 @@ LDFLAGS_riscv64_Linux = -lkrun LDFLAGS_arm64_Darwin = -L/opt/homebrew/lib -lkrun LDFLAGS_sev = -lkrun-sev LDFLAGS_tdx = -lkrun-tdx -LDFLAGS_nitro = -lkrun-nitro +LDFLAGS_nitro = -lkrun-awsnitro CFLAGS = -O2 -g -I../include ROOTFS_DISTRO := fedora ROOTFS_DIR = rootfs_$(ROOTFS_DISTRO) diff --git a/examples/nitro.c b/examples/nitro.c index 179660f44..2a80e02fd 100644 --- a/examples/nitro.c +++ b/examples/nitro.c @@ -242,7 +242,7 @@ int main(int argc, char *const argv[]) } /* - * Start and enter the microVM. In the libkrun-nitro flavor, a positive + * Start and enter the microVM. In the libkrun-awsnitro flavor, a positive * value returned by krun_start_enter() is the enclave's CID. */ cid = krun_start_enter(ctx_id); diff --git a/init/nitro/archive.c b/init/aws-nitro/archive.c similarity index 100% rename from init/nitro/archive.c rename to init/aws-nitro/archive.c diff --git a/init/nitro/args_reader.c b/init/aws-nitro/args_reader.c similarity index 100% rename from init/nitro/args_reader.c rename to init/aws-nitro/args_reader.c diff --git a/init/nitro/device/app_stdio_output.c b/init/aws-nitro/device/app_stdio_output.c similarity index 100% rename from init/nitro/device/app_stdio_output.c rename to init/aws-nitro/device/app_stdio_output.c diff --git a/init/nitro/device/device.c b/init/aws-nitro/device/device.c similarity index 100% rename from init/nitro/device/device.c rename to init/aws-nitro/device/device.c 
diff --git a/init/nitro/device/include/device.h b/init/aws-nitro/device/include/device.h similarity index 100% rename from init/nitro/device/include/device.h rename to init/aws-nitro/device/include/device.h diff --git a/init/nitro/device/net_tap_afvsock.c b/init/aws-nitro/device/net_tap_afvsock.c similarity index 99% rename from init/nitro/device/net_tap_afvsock.c rename to init/aws-nitro/device/net_tap_afvsock.c index dd8b65f5e..e25a9a5fe 100644 --- a/init/nitro/device/net_tap_afvsock.c +++ b/init/aws-nitro/device/net_tap_afvsock.c @@ -43,6 +43,7 @@ static int tap_vsock_forward(int tun_fd, int vsock_fd, int shutdown_fd, bool event_found; struct ifreq ifr; int ret, sock_fd; + unsigned int sz; ssize_t nread; /* @@ -96,7 +97,6 @@ static int tap_vsock_forward(int tun_fd, int vsock_fd, int shutdown_fd, event_found = false; // Event on vsock. Read the frame and write it to the TAP device. if (pfds[0].revents & POLLIN) { - unsigned int sz; nread = read(vsock_fd, &sz, 4); if (nread != 4) exit(0); @@ -113,7 +113,7 @@ static int tap_vsock_forward(int tun_fd, int vsock_fd, int shutdown_fd, if (pfds[1].revents & POLLIN) { nread = read(tun_fd, buf, ifr.ifr_mtu); if (nread > 0) { - unsigned int sz = htonl(nread); + sz = htonl(nread); write(vsock_fd, (void *)&sz, 4); write(vsock_fd, buf, nread); } diff --git a/init/nitro/device/signal.c b/init/aws-nitro/device/signal.c similarity index 100% rename from init/nitro/device/signal.c rename to init/aws-nitro/device/signal.c diff --git a/init/nitro/fs.c b/init/aws-nitro/fs.c similarity index 71% rename from init/nitro/fs.c rename to init/aws-nitro/fs.c index 9b9fba93a..e990b0ff6 100644 --- a/init/nitro/fs.c +++ b/init/aws-nitro/fs.c 
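Review bot: The two `write()` calls following the new `sz = htonl(nread);` line discard their return values, so a short or failed write on the vsock stream silently desynchronizes the 4-byte length-prefix framing the peer depends on, and every later frame is then parsed at the wrong offset. The mirror-image read in the preceding hunk has the same weakness: `read(vsock_fd, &sz, 4)` on a stream socket may legitimately return fewer than 4 bytes, yet `if (nread != 4) exit(0);` treats that as end-of-stream. A small `write_all` helper (and a matching read loop) keeps both directions honest; the sketch below uses the hunk's existing `exit(0)` convention on failure. `tap_vsock_forward` begins and ends outside this hunk, so the helper would go above it at file scope.
```c
/* Write exactly len bytes to fd, retrying on short writes and EINTR. */
static int write_all(int fd, const void *data, size_t len)
{
    const char *p = data;

    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= n;
    }
    return 0;
}

/* … unchanged: poll loop, vsock -> TAP direction … */
        if (nread > 0) {
            sz = htonl(nread);
            if (write_all(vsock_fd, &sz, 4) < 0 ||
                write_all(vsock_fd, buf, nread) < 0)
                exit(0);
        }
```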
@@ -14,11 +14,14 @@ #define SYS_FS_CGROUP_PATH "/sys/fs/cgroup/" #define CGROUP_SUB_PATH_SIZE (sizeof(SYS_FS_CGROUP_PATH) - 1 + 64) +#define NUM_SYS_DIRS 5 +#define NUM_DEV_DIRS 2 + /* * Initialize /dev/console and redirect std{err, in, out} to it for early debug * output. */ -int console_init() +int console_init(void) { const char *path = "/dev/console"; FILE *file; @@ -59,7 +62,7 @@ int console_init() /* * Initialize the cgroups. */ -int cgroups_init() +int cgroups_init(void) { char path[CGROUP_SUB_PATH_SIZE], *name; int ret, heir, groups, enabled; 
@@ -122,86 +125,115 @@ int cgroups_init() * Initialize the rest of the root filesystem with ephemeral enclave file * systems. */ -int filesystem_init() +int filesystem_init(void) { - int ret; + char *sys_dirs[NUM_SYS_DIRS] = {"/dev", "/proc", "/run", "/sys", "/tmp"}, + *dir; + char *dev_dirs[NUM_DEV_DIRS] = {"/dev/shm", "/dev/pts"}; + int ret, i; + + // Create the system directories not provided by the enclave rootfs. + for (i = 0; i < NUM_SYS_DIRS; i++) { + dir = sys_dirs[i]; + + ret = mkdir(dir, 0755); + if (ret < 0) { + fprintf(stderr, "mkdir %s: %s\n", dir, strerror(errno)); + return -errno; + } + } - // Create the /proc filesystem. - ret = - mount("proc", "/proc", "proc", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL); - if (ret < 0) { - perror("mount /proc"); + // Mount the /dev file system for device files. + ret = mount("/dev", "/dev", "devtmpfs", MS_NOSUID | MS_NOEXEC, NULL); + if (ret < -1 && errno != EBUSY) { + perror("mount /dev"); return -errno; } - ret = symlink("/proc/self/fd", "/dev/fd"); - if (ret < 0) { - perror("symlink add"); - return -errno; + // Create the initial device files. + for (i = 0; i < NUM_DEV_DIRS; i++) { + dir = dev_dirs[i]; + + ret = mkdir(dir, 0755); + if (ret < 0) { + fprintf(stderr, "mkdir %s: %s\n", dir, strerror(errno)); + return -errno; + } } - // Redirect the input/output/err file descriptors to /dev/std{err, in, out}. - ret = symlink("/proc/self/fd/0", "/dev/stdin"); + ret = mount("shm", "/dev/shm", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, + NULL); if (ret < 0) { - perror("symlink add"); + perror("mount /dev/shm"); return -errno; } - ret = symlink("/proc/self/fd/1", "/dev/stdout"); + ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, NULL); if (ret < 0) { - perror("symlink add"); + perror("mount /dev/pts"); return -errno; } - ret = symlink("/proc/self/fd/2", "/dev/stderr"); + /* + * Initialize the /proc file system for special files representing the + * current state of the kernel. 
+ */ + ret = + mount("/proc", "/proc", "proc", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL); if (ret < 0) { - perror("symlink add"); + perror("mount /proc"); return -errno; } - // Create the /tmp filesystem. - ret = mount("tmpfs", "/run", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, - "mode=0755"); + ret = symlink("/proc/self/fd", "/dev/fd"); if (ret < 0) { - perror("mount /run"); + perror("symlink add"); return -errno; } - ret = - mount("tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL); + ret = symlink("/proc/self/fd/0", "/dev/stdin"); if (ret < 0) { - perror("mount /tmp"); + perror("symlink add /dev/stdin"); return -errno; } - // Create /dev/shm. - ret = mkdir("/dev/shm", 0755); + ret = symlink("/proc/self/fd/1", "/dev/stdout"); if (ret < 0) { - perror("mkdir /dev/shm"); + perror("symlink add /dev/stdout"); return -errno; } - ret = mount("shm", "/dev/shm", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, - NULL); + ret = symlink("/proc/self/fd/2", "/dev/stderr"); if (ret < 0) { - perror("mount /dev/shm"); + perror("symlink add /dev/stderr"); return -errno; } - // Initialize pseudo-terminal device filesystem. - ret = mkdir("/dev/pts", 0755); + /* + * Mount the /run directory to store volatile runtime data about the system + * since boot. + */ + ret = mount("tmpfs", "/run", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, + "mode=0755"); if (ret < 0) { - perror("mkdir /dev/pts"); + perror("mount /run"); return -errno; } - ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, NULL); + /* + * Mount the /tmp directory for temporary files (cleared on reboot). + */ + ret = + mount("tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL); if (ret < 0) { - perror("mount /dev/pts"); + perror("mount /tmp"); return -errno; } - // Initialize sysfs. + /* + * Mount the sysfs, accessed to set or obtain information about the kernel's + * view of the system. + */ ret = mount("sysfs", "/sys", "sysfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL); if (ret < 0) { 
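Review bot: The failure check on the new `/dev` devtmpfs mount is dead code: `mount()` returns -1 on error, so `ret < -1 && errno != EBUSY` can never be true and a failed mount is silently ignored, after which `mkdir("/dev/shm")` and the `/dev/fd` symlinks land in the plain rootfs directory instead of a device filesystem. The check this commit removed from main.c was `ret < 0 && errno != EBUSY`; restore that form, `if (ret < 0 && errno != EBUSY) {`. The two `mkdir` loops abort on any error including `EEXIST`, so if any of `/dev`, `/proc`, `/run`, `/sys`, `/tmp`, `/dev/shm` or `/dev/pts` already exists (the old `EBUSY` tolerance suggests `/dev` sometimes does, though that is not visible here) init now fails where it previously continued; `if (ret < 0 && errno != EEXIST)` would be the safer guard. Those same error paths call `fprintf`/`strerror` before `return -errno`, which may clobber `errno`, so capture it first (`int err = errno;` … `return -err;`). `filesystem_init` continues past the end of this hunk.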
diff --git a/init/nitro/include/archive.h b/init/aws-nitro/include/archive.h similarity index 100% rename from init/nitro/include/archive.h rename to init/aws-nitro/include/archive.h diff --git a/init/nitro/include/args_reader.h b/init/aws-nitro/include/args_reader.h similarity index 100% rename from init/nitro/include/args_reader.h rename to init/aws-nitro/include/args_reader.h diff --git a/init/nitro/include/fs.h b/init/aws-nitro/include/fs.h similarity index 57% rename from init/nitro/include/fs.h rename to init/aws-nitro/include/fs.h index 359cea8ba..62d0eb161 100644 --- a/init/nitro/include/fs.h +++ b/init/aws-nitro/include/fs.h @@ -3,8 +3,8 @@ #ifndef _FS_INIT_H #define _FS_INIT_H -int console_init(); -int filesystem_init(); -int cgroups_init(); +int console_init(void); +int filesystem_init(void); +int cgroups_init(void); #endif // _FS_INIT_H diff --git a/init/nitro/main.c b/init/aws-nitro/main.c similarity index 98% rename from init/nitro/main.c rename to init/aws-nitro/main.c index 2b5c53403..6750dea97 100644 --- a/init/nitro/main.c +++ b/init/aws-nitro/main.c @@ -497,13 +497,6 @@ int main(int argc, char *argv[]) if (ret < 0) goto out; - // Ensure the container /dev is initialized as well. - ret = mount("dev", "/dev", "devtmpfs", MS_NOSUID | MS_NOEXEC, NULL); - if (ret < 0 && errno != EBUSY) { - perror("mount"); - return ret; - } - // Initialize the rest of the filesystem. ret = filesystem_init(); if (ret < 0) diff --git a/src/nitro/Cargo.toml b/src/aws_nitro/Cargo.toml similarity index 90% rename from src/nitro/Cargo.toml rename to src/aws_nitro/Cargo.toml index e92a9f3a2..19850b0cf 100644 --- a/src/nitro/Cargo.toml +++ b/src/aws_nitro/Cargo.toml @@ -1,10 +1,10 @@ [package] -name = "nitro" +name = "aws-nitro" version = "0.1.0" edition = "2021" [features] -nitro = [] +aws-nitro = [] [dependencies] libc = "0.2.171" 
diff --git a/src/nitro/src/enclave/args_writer.rs b/src/aws_nitro/src/enclave/args_writer.rs similarity index 98% rename from src/nitro/src/enclave/args_writer.rs rename to src/aws_nitro/src/enclave/args_writer.rs index 25c8d7ea6..ef23631e8 100644 --- a/src/nitro/src/enclave/args_writer.rs +++ b/src/aws_nitro/src/enclave/args_writer.rs @@ -14,7 +14,7 @@ use std::{ }; use vsock::{VsockAddr, VsockListener, VsockStream, VMADDR_CID_ANY}; -// A known byte that libkrun-nitro and the enclave initramfs will exchange to confirm that startup +// A known byte that libkrun-awsnitro and the enclave initramfs will exchange to confirm that startup // was successful and the initramfs is ready to begin reading enclave arguments. const ENCLAVE_VSOCK_LAUNCH_ARGS_READY: u8 = 0xb7; diff --git a/src/nitro/src/enclave/mod.rs b/src/aws_nitro/src/enclave/mod.rs similarity index 71% rename from src/nitro/src/enclave/mod.rs rename to src/aws_nitro/src/enclave/mod.rs index 9dce60ffa..064b69c07 100644 --- a/src/nitro/src/enclave/mod.rs +++ b/src/aws_nitro/src/enclave/mod.rs 
@@ -18,23 +18,23 @@ use std::{ fs, io::{self, Read, Write}, os::fd::RawFd, - path::PathBuf, + path::{Path, PathBuf}, }; use tar::HeaderMode; use vsock::{VsockAddr, VsockListener, VMADDR_CID_ANY}; const KRUN_NITRO_EIF_PATH_ENV_VAR: &str = "KRUN_NITRO_EIF_PATH"; -const KRUN_NITRO_EIF_PATH_DEFAULT: &str = "/usr/share/krun-nitro/krun-nitro.eif"; +const KRUN_NITRO_EIF_PATH_DEFAULT: &str = "/krun-awsnitro/krun-awsnitro.eif"; /// Directories within the configured rootfs that will be ignored when writing to the enclave. The /// enclave is responsible for initializing these directories within the guest operating system. const ROOTFS_DIR_DENYLIST: [&str; 6] = [ - "proc", // /proc. - "run", // /run. - "tmp", // /tmp. - "dev", // /dev. - "sys", // /sys. - "usr/share/krun-nitro", // Cached EIF file (and possibly other metadata). + "proc", // /proc. + "run", // /run. + "tmp", // /tmp. + "dev", // /dev. + "sys", // /sys. + "krun-awsnitro", // Cached EIF file (and possibly other metadata). ]; /// Nitro Enclave data. @@ -55,13 +55,13 @@ pub struct NitroEnclave { pub net_unixfd: Option, /// Path to redirect enclave output to. pub output_path: PathBuf, - // Output kernel and initramfs debug logs from enclave. + /// Output kernel and initramfs debug logs from enclave. pub debug: bool, } impl NitroEnclave { /// Run an application within a nitro enclave. - pub fn run(mut self) -> Result<(), Error> { + pub fn run(mut self) -> Result { // Collect all launch parameters (rootfs, execution arguments, device proxies) and establish // an enclave argument writer to write this data to the nitro enclave when started. let rootfs_archive = self.rootfs_archive().map_err(Error::RootFsArchive)?; 
@@ -98,21 +98,11 @@ impl NitroEnclave { // terminated by the enclave (by closing the vsock connection). proxies.run(cid).map_err(Error::DeviceProxy)?; - // In debug mode, the console device doesn't shut down until the enclave itself exits. Thus, - // libkrun will be unable to retrieve the shutdown code from the enclave. - if !self.debug { - // Retrieve the application return code from the enclave. - let ret = self - .shutdown_ret(retcode_listener) - .map_err(Error::ReturnCodeListener)?; - - // A non-zero return code indicates an error. Wrap this code within an Error object. - if ret != 0 { - return Err(Error::AppReturn(ret)); - } - } + let ret = self + .shutdown_ret(retcode_listener) + .map_err(Error::ReturnCodeListener)?; - Ok(()) + Ok(ret) } /// Start a nitro enclave. 
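Review bot: Calling `shutdown_ret(retcode_listener)` unconditionally drops the `self.debug` guard whose removed comment explained that in debug mode the console device keeps the enclave from completing the return-code exchange until the enclave itself exits, and nothing in this hunk shows that constraint being lifted. If it still holds, a debug run now blocks inside `shutdown_ret` (its `accept()` has no timeout visible in this diff) instead of returning. If the enclave init now always sends the exit status, please say so where the guard used to be, e.g. `// The enclave init always sends the app's exit status on the ReturnCode port, even in debug mode.`; otherwise keep the `if !self.debug` branch and return an explicit value for debug runs. `run` starts outside this hunk.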
@@ -181,50 +171,42 @@ impl NitroEnclave { } /// Produce a tarball of the enclave's rootfs (to be written to and extracted by the enclave - // initramfs). + /// initramfs). fn rootfs_archive(&self) -> Result, io::Error> { - let mut builder = tar::Builder::new(Vec::new()); - - builder.mode(HeaderMode::Deterministic); - builder.follow_symlinks(false); - - let pathbuf = PathBuf::from(self.rootfs.clone()); - let pathbuf_copy = pathbuf.clone(); - let rootfs_dirname = pathbuf_copy - .file_name() - .unwrap_or(OsStr::new("/")) - .to_str() - .ok_or(io::Error::other(format!( - "unable to convert rootfs directory name (\"{:?}\") to str", - pathbuf_copy - )))?; - - // Traverse each directory and file within the root directory tree. If a directory is not - // found within the denylist, add it to the archive. - for entry in fs::read_dir(pathbuf)? { + let mut tar = tar::Builder::new(Vec::new()); + + tar.mode(HeaderMode::Deterministic); + tar.follow_symlinks(false); + + let rootfs = self.rootfs.clone(); + let rootfs = Path::new(&rootfs); + + for entry in fs::read_dir(self.rootfs.clone())? { let entry = entry?; - let filetype = entry.file_type()?; - let filename = entry.file_name().into_string().map_err(|e| { - io::Error::other(format!( - "unable to convert file name {:?} to String object", - e - )) - })?; - - if !ROOTFS_DIR_DENYLIST.contains(&filename.as_str()) && filename != rootfs_dirname { - if filetype.is_dir() { - builder.append_dir_all(format!("rootfs/{}", filename), entry.path())? - } else if filetype.is_file() { - builder.append_path_with_name(entry.path(), format!("rootfs/{}", filename))? 
+ let r#type = entry.file_type()?; + let name = entry.file_name().into_string().unwrap(); + let target = format!("rootfs/{}", name); + let rootfs_name = { + let name = rootfs.file_name().unwrap_or(OsStr::new("/")); + + name.to_str() + .ok_or(io::Error::other("unable to convert rootfs dirname to str")) + }?; + + if !ROOTFS_DIR_DENYLIST.contains(&name.as_str()) && name != rootfs_name { + if r#type.is_dir() { + tar.append_dir_all(target, entry.path())? + } else { + tar.append_path_with_name(entry.path(), target)? } } } - builder.into_inner() + tar.into_inner() } - // Receive a 4-byte (representing an i32) return code from the enclave via vsock. This - // represents the return code of the application that ran within the enclave. + /// Receive a 4-byte (representing an i32) return code from the enclave via vsock. This + /// represents the return code of the application that ran within the enclave. fn shutdown_ret(&self, vsock_listener: VsockListener) -> Result { let (mut vsock_stream, _vsock_addr) = vsock_listener .accept() @@ -243,7 +225,7 @@ impl NitroEnclave { Ok(i32::from_ne_bytes(buf)) } - // Enable or disable all signals. + /// Enable or disable all signals. fn signals(&self, enable: bool) { let sig = if enable { libc::SIG_UNBLOCK @@ -271,6 +253,6 @@ pub enum VsockPortOffset { AppOutput = 3, ReturnCode = 4, SignalHandler = 5, - // Not set by krun-nitro. + // Not set by krun-awsnitro. Console = 10000, } diff --git a/src/nitro/src/enclave/proxy/mod.rs b/src/aws_nitro/src/enclave/proxy/mod.rs similarity index 100% rename from src/nitro/src/enclave/proxy/mod.rs rename to src/aws_nitro/src/enclave/proxy/mod.rs diff --git a/src/nitro/src/enclave/proxy/proxies/mod.rs b/src/aws_nitro/src/enclave/proxy/proxies/mod.rs similarity index 100% rename from src/nitro/src/enclave/proxy/proxies/mod.rs rename to src/aws_nitro/src/enclave/proxy/proxies/mod.rs 
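Review bot: `entry.file_name().into_string().unwrap()` panics on a non-UTF-8 file name in the caller-supplied rootfs, and because `rootfs_archive` is reached from the `extern "C"` `krun_start_enter` entry point that panic cannot be reported to the C caller; the code this hunk removes returned an `io::Error` for exactly this case. Restore that with `let name = entry.file_name().into_string().map_err(|n| io::Error::other(format!("non-UTF-8 file name in rootfs: {n:?}")))?;`. `rootfs_name` depends only on `self.rootfs` yet is recomputed inside the loop for every entry; hoist it above `for entry in fs::read_dir(&self.rootfs)?` (the `clone()` is unnecessary since `read_dir` takes `AsRef<Path>`). The new `else` branch also hands symlinks, FIFOs and sockets to `append_path_with_name`, where the old code archived only `is_file()` entries — if that widening is intended, a one-line comment saying so would help the next reader; if not, keep the `is_file()` guard.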
diff --git a/src/nitro/src/enclave/proxy/proxies/net.rs b/src/aws_nitro/src/enclave/proxy/proxies/net.rs similarity index 100% rename from src/nitro/src/enclave/proxy/proxies/net.rs rename to src/aws_nitro/src/enclave/proxy/proxies/net.rs diff --git a/src/nitro/src/enclave/proxy/proxies/output.rs b/src/aws_nitro/src/enclave/proxy/proxies/output.rs similarity index 99% rename from src/nitro/src/enclave/proxy/proxies/output.rs rename to src/aws_nitro/src/enclave/proxy/proxies/output.rs index 047016232..1f8cdbb29 100644 --- a/src/nitro/src/enclave/proxy/proxies/output.rs +++ b/src/aws_nitro/src/enclave/proxy/proxies/output.rs @@ -18,7 +18,7 @@ type Result = std::result::Result; const OUTPUT_BUFFER_SIZE: usize = 1500; /// Output proxy. May output application process logs or (in debug mode) kernel+initramfs logs as -// well. +/// well. pub struct OutputProxy { // The file to write enclave output to. file: File, diff --git a/src/nitro/src/enclave/proxy/proxies/signal_handler.rs b/src/aws_nitro/src/enclave/proxy/proxies/signal_handler.rs similarity index 95% rename from src/nitro/src/enclave/proxy/proxies/signal_handler.rs rename to src/aws_nitro/src/enclave/proxy/proxies/signal_handler.rs index 7b4ab7b02..3d0483010 100644 --- a/src/nitro/src/enclave/proxy/proxies/signal_handler.rs +++ b/src/aws_nitro/src/enclave/proxy/proxies/signal_handler.rs @@ -25,7 +25,7 @@ pub struct SignalHandler { } impl SignalHandler { - // Create a new signal handler proxy with the SIGTERM hook set to false (not caught yet). + /// Create a new signal handler proxy with the SIGTERM hook set to false (not caught yet). pub fn new() -> Result { let sig = Arc::new(AtomicBool::new(false)); signal_hook::flag::register(SIGTERM, Arc::clone(&sig)).map_err(Error::SignalRegister)?; 
@@ -54,7 +54,7 @@ impl DeviceProxy for SignalHandler { } /// Check if a SIGTERM was caught. If so, write the signal to the enclave indicating it should - // gracefully shut down. + /// gracefully shut down. fn send(&mut self, vsock: &mut VsockStream) -> Result { if !self.sig.load(Ordering::Relaxed) { return Ok(0); diff --git a/src/nitro/src/error.rs b/src/aws_nitro/src/error.rs similarity index 95% rename from src/nitro/src/error.rs rename to src/aws_nitro/src/error.rs index 0218ec6f9..a4d3588a2 100644 --- a/src/nitro/src/error.rs +++ b/src/aws_nitro/src/error.rs @@ -6,8 +6,6 @@ use std::{fmt, io}; /// Error in the running of a nitro enclave. #[derive(Debug)] pub enum Error { - // Application running within the enclave returned a non-zero return code. - AppReturn(i32), // Argument writing process. ArgsWrite(args_writer::Error), // Error in device proxy execution. @@ -23,7 +21,6 @@ pub enum Error { impl fmt::Display for Error { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { let msg = match self { - Self::AppReturn(ret) => format!("app returned non-zero return code: {ret}"), Self::ArgsWrite(e) => format!("enclave VM argument writer error: {e}"), Self::DeviceProxy(e) => format!("device proxy error: {e}"), Self::ReturnCodeListener(e) => { diff --git a/src/nitro/src/lib.rs b/src/aws_nitro/src/lib.rs similarity index 53% rename from src/nitro/src/lib.rs rename to src/aws_nitro/src/lib.rs index 2b9e282be..21d7888fb 100644 --- a/src/nitro/src/lib.rs +++ b/src/aws_nitro/src/lib.rs @@ -1,7 +1,7 @@ // SPDX-License-Identifier: Apache-2.0 -#[cfg(feature = "nitro")] +#[cfg(feature = "aws-nitro")] pub mod enclave; -#[cfg(feature = "nitro")] +#[cfg(feature = "aws-nitro")] mod error; diff --git a/src/devices/Cargo.toml b/src/devices/Cargo.toml index 9ec04c141..f78b67ae1 100644 --- a/src/devices/Cargo.toml +++ b/src/devices/Cargo.toml 
@@ -15,7 +15,7 @@ gpu = ["rutabaga_gfx", "thiserror", "zerocopy", "krun_display"] snd = ["pw", "thiserror"] input = ["zerocopy", "krun_input"] virgl_resource_map2 = [] -nitro = [] +aws-nitro = [] test_utils = [] [dependencies] diff --git a/src/devices/src/virtio/mod.rs b/src/devices/src/virtio/mod.rs index 4f9258383..384aef5ac 100644 --- a/src/devices/src/virtio/mod.rs +++ b/src/devices/src/virtio/mod.rs @@ -21,7 +21,7 @@ pub mod console; pub mod descriptor_utils; pub mod device; pub mod file_traits; -#[cfg(not(any(feature = "tee", feature = "nitro")))] +#[cfg(not(any(feature = "tee", feature = "aws-nitro")))] pub mod fs; #[cfg(feature = "gpu")] pub mod gpu; @@ -44,7 +44,7 @@ pub use self::balloon::*; pub use self::block::{Block, CacheType}; pub use self::console::*; pub use self::device::*; -#[cfg(not(any(feature = "tee", feature = "nitro")))] +#[cfg(not(any(feature = "tee", feature = "aws-nitro")))] pub use self::fs::*; #[cfg(feature = "gpu")] pub use self::gpu::*; diff --git a/src/libkrun/Cargo.toml b/src/libkrun/Cargo.toml index 235e3aa8a..d97f70f3e 100644 --- a/src/libkrun/Cargo.toml +++ b/src/libkrun/Cargo.toml @@ -16,7 +16,7 @@ gpu = ["krun_display"] snd = [] input = ["krun_input", "vmm/input", "devices/input"] virgl_resource_map2 = [] -nitro = [ "dep:nitro", "dep:nitro-enclaves" ] +aws-nitro = [ "dep:aws-nitro", "dep:nitro-enclaves" ] [dependencies] crossbeam-channel = ">=0.5.15" @@ -40,7 +40,7 @@ hvf = { path = "../hvf" } [target.'cfg(target_os = "linux")'.dependencies] kvm-bindings = { version = ">=0.11", features = ["fam-wrappers"] } kvm-ioctls = ">=0.21" -nitro = { path = "../nitro", optional = true } +aws-nitro = { path = "../aws_nitro", optional = true } nitro-enclaves = { version = "0.5.0", optional = true } vm-memory = { version = ">=0.13", features = ["backend-mmap"] } diff --git a/src/libkrun/src/lib.rs b/src/libkrun/src/lib.rs index e497c0157..c420e48f0 100644 --- a/src/libkrun/src/lib.rs +++ b/src/libkrun/src/lib.rs 
@@ -58,8 +58,8 @@ use vmm::vmm_config::machine_config::VmConfig; use vmm::vmm_config::net::NetworkInterfaceConfig; use vmm::vmm_config::vsock::VsockDeviceConfig; -#[cfg(feature = "nitro")] -use nitro::enclave::NitroEnclave; +#[cfg(feature = "aws-nitro")] +use aws_nitro::enclave::NitroEnclave; #[cfg(feature = "gpu")] use devices::virtio::display::{DisplayInfoEdid, PhysicalSize, MAX_DISPLAYS}; @@ -81,7 +81,7 @@ const KRUNFW_NAME: &str = "libkrunfw-tdx.so.5"; #[cfg(target_os = "macos")] const KRUNFW_NAME: &str = "libkrunfw.5.dylib"; -#[cfg(feature = "nitro")] +#[cfg(feature = "aws-nitro")] static KRUN_NITRO_DEBUG: Mutex = Mutex::new(false); // Path to the init binary to be executed inside the VM. @@ -333,7 +333,7 @@ impl ContextConfig { } } -#[cfg(feature = "nitro")] +#[cfg(feature = "aws-nitro")] impl TryFrom for NitroEnclave { type Error = i32; @@ -446,9 +446,9 @@ pub extern "C" fn krun_set_log_level(level: u32) -> i32 { let filter = log_level_to_filter_str(level); env_logger::Builder::from_env(Env::default().default_filter_or(filter)).init(); - #[cfg(feature = "nitro")] + #[cfg(feature = "aws-nitro")] { - // Notify krun-nitro to enable debug for log level. + // Notify krun-awsnitro to enable debug for log level. if level == 4 { let mut debug = KRUN_NITRO_DEBUG.lock().unwrap(); @@ -1419,7 +1419,7 @@ pub unsafe extern "C" fn krun_add_vsock_port2( c_filepath: *const c_char, listen: bool, ) -> i32 { - #[cfg(feature = "nitro")] + #[cfg(feature = "aws-nitro")] if listen { return -libc::EINVAL; } @@ -2492,7 +2492,7 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 { unsafe { libc::prctl(libc::PR_SET_NAME, prname.as_ptr()) }; } - #[cfg(feature = "nitro")] + #[cfg(feature = "aws-nitro")] return krun_start_enter_nitro(ctx_id); let mut event_manager = match EventManager::new() { 
@@ -2690,7 +2690,7 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 { } } -#[cfg(feature = "nitro")] +#[cfg(feature = "aws-nitro")] #[no_mangle] fn krun_start_enter_nitro(ctx_id: u32) -> i32 { let ctx_cfg = match CTX_MAP.lock().unwrap().remove(&ctx_id) { @@ -2703,7 +2703,7 @@ fn krun_start_enter_nitro(ctx_id: u32) -> i32 { }; match enclave.run() { - Ok(()) => KRUN_SUCCESS, + Ok(ret) => ret, Err(e) => { error!("Error running nitro enclave: {e}"); diff --git a/src/vmm/Cargo.toml b/src/vmm/Cargo.toml index 95deedb34..6e48efd66 100644 --- a/src/vmm/Cargo.toml +++ b/src/vmm/Cargo.toml @@ -14,7 +14,7 @@ efi = [ "blk", "net" ] gpu = ["krun_display"] snd = [] input = ["krun_input"] -nitro = [] +aws-nitro = [] [dependencies] crossbeam-channel = ">=0.5.15" diff --git a/src/vmm/src/builder.rs b/src/vmm/src/builder.rs index 92ac87079..ce3d17961 100644 --- a/src/vmm/src/builder.rs +++ b/src/vmm/src/builder.rs @@ -58,7 +58,7 @@ use crate::signal_handler::register_sigwinch_handler; use crate::terminal::{term_restore_mode, term_set_raw_mode}; #[cfg(feature = "blk")] use crate::vmm_config::block::BlockBuilder; -#[cfg(not(any(feature = "tee", feature = "nitro")))] +#[cfg(not(any(feature = "tee", feature = "aws-nitro")))] use crate::vmm_config::fs::FsDeviceConfig; use crate::vmm_config::kernel_cmdline::DEFAULT_KERNEL_CMDLINE; #[cfg(target_os = "linux")] @@ -72,7 +72,7 @@ use device_manager::shm::ShmManager; use devices::virtio::display::DisplayInfo; #[cfg(feature = "gpu")] use devices::virtio::display::NoopDisplayBackend; -#[cfg(not(any(feature = "tee", feature = "nitro")))] +#[cfg(not(any(feature = "tee", feature = "aws-nitro")))] use devices::virtio::{fs::ExportTable, VirtioShmRegion}; use flate2::read::GzDecoder; #[cfg(feature = "gpu")] 
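Review bot: Returning the enclave-reported value directly with `Ok(ret) => ret` makes `krun_start_enter` hand the application's exit status to C callers unfiltered, so a negative value from the enclave is indistinguishable from the `-errno` failures the rest of this API returns (`return -libc::EINVAL` is visible in the `krun_add_vsock_port2` hunk above). If the enclave init only ever sends a process exit status (0–255) this is harmless, but the value is read as a raw `i32` from the vsock, so a guard such as `Ok(ret) if ret >= 0 => ret,` followed by `Ok(ret) => { error!("invalid return code from enclave: {ret}"); -libc::EIO }` keeps the sign convention intact. The example comment edited in `examples/nitro.c` still says a positive return is the enclave CID, which matches neither the old `KRUN_SUCCESS` nor the new exit-status meaning, so the public contract of `krun_start_enter` in this flavor should be written down in one place.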
@@ -90,10 +90,10 @@ use utils::eventfd::EventFd; use utils::worker_message::WorkerMessage; #[cfg(all(target_arch = "x86_64", not(feature = "efi"), not(feature = "tee")))] use vm_memory::mmap::MmapRegion; -#[cfg(not(any(feature = "tee", feature = "nitro")))] +#[cfg(not(any(feature = "tee", feature = "aws-nitro")))] use vm_memory::Address; use vm_memory::Bytes; -#[cfg(not(feature = "nitro"))] +#[cfg(not(feature = "aws-nitro"))] use vm_memory::GuestMemory; #[cfg(all(target_arch = "x86_64", not(feature = "tee")))] use vm_memory::GuestRegionMmap; @@ -998,7 +998,7 @@ pub fn build_microvm( console_id += 1; } - #[cfg(not(any(feature = "tee", feature = "nitro")))] + #[cfg(not(any(feature = "tee", feature = "aws-nitro")))] let export_table: Option = if cfg!(feature = "gpu") { Some(Default::default()) } else { @@ -1031,7 +1031,7 @@ pub fn build_microvm( attach_input_devices(&mut vmm, &vm_resources.input_backends, intc.clone())?; } - #[cfg(not(any(feature = "tee", feature = "nitro")))] + #[cfg(not(any(feature = "tee", feature = "aws-nitro")))] attach_fs_devices( &mut vmm, &vm_resources.fs, @@ -1873,7 +1873,7 @@ fn attach_mmio_device( Ok(()) } -#[cfg(not(any(feature = "tee", feature = "nitro")))] +#[cfg(not(any(feature = "tee", feature = "aws-nitro")))] fn attach_fs_devices( vmm: &mut Vmm, fs_devs: &[FsDeviceConfig], diff --git a/src/vmm/src/device_manager/shm.rs b/src/vmm/src/device_manager/shm.rs index ef26905c9..e3c3b9bf9 100644 --- a/src/vmm/src/device_manager/shm.rs +++ b/src/vmm/src/device_manager/shm.rs @@ -47,7 +47,7 @@ impl ShmManager { regions } - #[cfg(not(any(feature = "tee", feature = "nitro")))] + #[cfg(not(any(feature = "tee", feature = "aws-nitro")))] pub fn fs_region(&self, index: usize) -> Option<&ShmRegion> { self.fs_regions.get(&index) }