Nitro reformatting + rootfs writing update

Makefile

@@ -17,22 +17,22 @@ SNP_INIT_SRC =	init/tee/snp_attest.c		\
 		$(KBS_INIT_SRC)			\
 
 TDX_INIT_SRC = $(KBS_INIT_SRC)
-NITRO_INIT_SRC = \
-		init/nitro/include/*        	  	\
-        init/nitro/main.c				\
-        init/nitro/archive.c				\
-        init/nitro/args_reader.c			\
-        init/nitro/fs.c				\
-        init/nitro/device/include/*			\
-		init/nitro/device/app_stdio_output.c	\
-		init/nitro/device/device.c              \
-		init/nitro/device/net_tap_afvsock.c	\
-		init/nitro/device/signal.c		\
+AWS_NITRO_INIT_SRC = \
+		init/aws-nitro/include/*        	  	\
+        init/aws-nitro/main.c				\
+        init/aws-nitro/archive.c				\
+        init/aws-nitro/args_reader.c			\
+        init/aws-nitro/fs.c				\
+        init/aws-nitro/device/include/*			\
+		init/aws-nitro/device/app_stdio_output.c	\
+		init/aws-nitro/device/device.c              \
+		init/aws-nitro/device/net_tap_afvsock.c	\
+		init/aws-nitro/device/signal.c		\
 
 KBS_LD_FLAGS =	-lcurl -lidn2 -lssl -lcrypto -lzstd -lz -lbrotlidec-static \
 		-lbrotlicommon-static
 
-NITRO_INIT_LD_FLAGS = -larchive -lnsm
+AWS_NITRO_INIT_LD_FLAGS = -larchive -lnsm
 
 BUILD_INIT = 1
 INIT_DEFS =
@@ -75,9 +75,9 @@ endif
 ifeq ($(INPUT),1)
     FEATURE_FLAGS += --features input
 endif
-ifeq ($(NITRO),1)
-	VARIANT = -nitro
-	FEATURE_FLAGS := --features nitro,net
+ifeq ($(AWS_NITRO),1)
+	VARIANT = -awsnitro
+	FEATURE_FLAGS := --features aws-nitro,net
 	BUILD_INIT = 0
 endif
 
@@ -138,9 +138,9 @@ $(INIT_BINARY): $(INIT_SRC) $(SYSROOT_TARGET)
 	$(CC_LINUX) -O2 -static -Wall $(INIT_DEFS) -o $@ $(INIT_SRC) $(INIT_DEFS)
 endif
 
-NITRO_INIT_BINARY= init/nitro/init
-$(NITRO_INIT_BINARY): $(NITRO_INIT_SRC)
-	$(CC) -O2 -static -Wall $(NITRO_INIT_LD_FLAGS) -o $@ $(NITRO_INIT_SRC) $(NITRO_INIT_LD_FLAGS)
+AWS_NITRO_INIT_BINARY= init/aws-nitro/init
+$(AWS_NITRO_INIT_BINARY): $(AWS_NITRO_INIT_SRC)
+	$(CC) -O2 -static -Wall $(AWS_NITRO_INIT_LD_FLAGS) -o $@ $(AWS_NITRO_INIT_SRC) $(AWS_NITRO_INIT_LD_FLAGS)
 
 # Sysroot preparation rules for cross-compilation on macOS
 DEBIAN_PACKAGES = libc6 libc6-dev libgcc-12-dev linux-libc-dev
@@ -179,7 +179,7 @@ $(LIBRARY_RELEASE_$(OS)): $(INIT_BINARY)
 ifeq ($(SEV),1)
 	mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS))
 endif
-ifeq ($(NITRO),1)
+ifeq ($(AWS_NITRO),1)
 	mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS))
 endif
 ifeq ($(TDX),1)

examples/Makefile

@@ -6,7 +6,7 @@ LDFLAGS_riscv64_Linux = -lkrun
 LDFLAGS_arm64_Darwin = -L/opt/homebrew/lib -lkrun
 LDFLAGS_sev = -lkrun-sev
 LDFLAGS_tdx = -lkrun-tdx
-LDFLAGS_nitro = -lkrun-nitro
+LDFLAGS_nitro = -lkrun-awsnitro
 CFLAGS = -O2 -g -I../include
 ROOTFS_DISTRO := fedora
 ROOTFS_DIR = rootfs_$(ROOTFS_DISTRO)

examples/nitro.c

@@ -242,7 +242,7 @@ int main(int argc, char *const argv[])
     }
 
     /*
-     * Start and enter the microVM. In the libkrun-nitro flavor, a positive
+     * Start and enter the microVM. In the libkrun-awsnitro flavor, a positive
      * value returned by krun_start_enter() is the enclave's CID.
      */
     cid = krun_start_enter(ctx_id);

init/nitro/device/net_tap_afvsock.c → init/aws-nitro/device/net_tap_afvsock.c

@@ -43,6 +43,7 @@ static int tap_vsock_forward(int tun_fd, int vsock_fd, int shutdown_fd,
     bool event_found;
     struct ifreq ifr;
     int ret, sock_fd;
+    unsigned int sz;
     ssize_t nread;
 
     /*
@@ -96,7 +97,6 @@ static int tap_vsock_forward(int tun_fd, int vsock_fd, int shutdown_fd,
         event_found = false;
         // Event on vsock. Read the frame and write it to the TAP device.
         if (pfds[0].revents & POLLIN) {
-            unsigned int sz;
             nread = read(vsock_fd, &sz, 4);
             if (nread != 4)
                 exit(0);
@@ -113,7 +113,7 @@ static int tap_vsock_forward(int tun_fd, int vsock_fd, int shutdown_fd,
         if (pfds[1].revents & POLLIN) {
             nread = read(tun_fd, buf, ifr.ifr_mtu);
             if (nread > 0) {
-                unsigned int sz = htonl(nread);
+                sz = htonl(nread);
                 write(vsock_fd, (void *)&sz, 4);
                 write(vsock_fd, buf, nread);
             }

init/nitro/fs.c → init/aws-nitro/fs.c

@@ -14,11 +14,14 @@
 #define SYS_FS_CGROUP_PATH "/sys/fs/cgroup/"
 #define CGROUP_SUB_PATH_SIZE (sizeof(SYS_FS_CGROUP_PATH) - 1 + 64)
 
+#define NUM_SYS_DIRS 5
+#define NUM_DEV_DIRS 2
+
 /*
  * Initialize /dev/console and redirect std{err, in, out} to it for early debug
  * output.
  */
-int console_init()
+int console_init(void)
 {
     const char *path = "/dev/console";
     FILE *file;
@@ -59,7 +62,7 @@ int console_init()
 /*
  * Initialize the cgroups.
  */
-int cgroups_init()
+int cgroups_init(void)
 {
     char path[CGROUP_SUB_PATH_SIZE], *name;
     int ret, heir, groups, enabled;
@@ -122,86 +125,115 @@ int cgroups_init()
  * Initialize the rest of the root filesystem with ephemeral enclave file
  * systems.
  */
-int filesystem_init()
+int filesystem_init(void)
 {
-    int ret;
+    char *sys_dirs[NUM_SYS_DIRS] = {"/dev", "/proc", "/run", "/sys", "/tmp"},
+         *dir;
+    char *dev_dirs[NUM_DEV_DIRS] = {"/dev/shm", "/dev/pts"};
+    int ret, i;
+
+    // Create the system directories not provided by the enclave rootfs.
+    for (i = 0; i < NUM_SYS_DIRS; i++) {
+        dir = sys_dirs[i];
+
+        ret = mkdir(dir, 0755);
+        if (ret < 0) {
+            fprintf(stderr, "mkdir %s: %s\n", dir, strerror(errno));
+            return -errno;
+        }
+    }
 
-    // Create the /proc filesystem.
-    ret =
-        mount("proc", "/proc", "proc", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL);
-    if (ret < 0) {
-        perror("mount /proc");
+    // Mount the /dev file system for device files.
+    ret = mount("/dev", "/dev", "devtmpfs", MS_NOSUID | MS_NOEXEC, NULL);
+    if (ret < -1 && errno != EBUSY) {
+        perror("mount /dev");
         return -errno;
     }
 
-    ret = symlink("/proc/self/fd", "/dev/fd");
-    if (ret < 0) {
-        perror("symlink add");
-        return -errno;
+    // Create the initial device files.
+    for (i = 0; i < NUM_DEV_DIRS; i++) {
+        dir = dev_dirs[i];
+
+        ret = mkdir(dir, 0755);
+        if (ret < 0) {
+            fprintf(stderr, "mkdir %s: %s\n", dir, strerror(errno));
+            return -errno;
+        }
     }
 
-    // Redirect the input/output/err file descriptors to /dev/std{err, in, out}.
-    ret = symlink("/proc/self/fd/0", "/dev/stdin");
+    ret = mount("shm", "/dev/shm", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC,
+                NULL);
     if (ret < 0) {
-        perror("symlink add");
+        perror("mount /dev/shm");
         return -errno;
     }
 
-    ret = symlink("/proc/self/fd/1", "/dev/stdout");
+    ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, NULL);
     if (ret < 0) {
-        perror("symlink add");
+        perror("mount /dev/pts");
         return -errno;
     }
 
-    ret = symlink("/proc/self/fd/2", "/dev/stderr");
+    /*
+     * Initialize the /proc file system for special files representing the
+     * current state of the kernel.
+     */
+    ret =
+        mount("/proc", "/proc", "proc", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL);
     if (ret < 0) {
-        perror("symlink add");
+        perror("mount /proc");
         return -errno;
     }
 
-    // Create the /tmp filesystem.
-    ret = mount("tmpfs", "/run", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC,
-                "mode=0755");
+    ret = symlink("/proc/self/fd", "/dev/fd");
     if (ret < 0) {
-        perror("mount /run");
+        perror("symlink add");
         return -errno;
     }
 
-    ret =
-        mount("tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL);
+    ret = symlink("/proc/self/fd/0", "/dev/stdin");
     if (ret < 0) {
-        perror("mount /tmp");
+        perror("symlink add /dev/stdin");
         return -errno;
     }
 
-    // Create /dev/shm.
-    ret = mkdir("/dev/shm", 0755);
+    ret = symlink("/proc/self/fd/1", "/dev/stdout");
     if (ret < 0) {
-        perror("mkdir /dev/shm");
+        perror("symlink add /dev/stdout");
         return -errno;
     }
 
-    ret = mount("shm", "/dev/shm", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC,
-                NULL);
+    ret = symlink("/proc/self/fd/2", "/dev/stderr");
     if (ret < 0) {
-        perror("mount /dev/shm");
+        perror("symlink add /dev/stderr");
         return -errno;
     }
 
-    // Initialize pseudo-terminal device filesystem.
-    ret = mkdir("/dev/pts", 0755);
+    /*
+     * Mount the /run directory to store volatile runtime data about the system
+     * since boot.
+     */
+    ret = mount("tmpfs", "/run", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC,
+                "mode=0755");
     if (ret < 0) {
-        perror("mkdir /dev/pts");
+        perror("mount /run");
         return -errno;
     }
 
-    ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, NULL);
+    /*
+     * Mount the /tmp directory for temporary files (cleared on reboot).
+     */
+    ret =
+        mount("tmpfs", "/tmp", "tmpfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL);
     if (ret < 0) {
-        perror("mount /dev/pts");
+        perror("mount /tmp");
         return -errno;
     }
 
-    // Initialize sysfs.
+    /*
+     * Mount the sysfs, accessed to set or obtain information about the kernel's
+     * view of the system.
+     */
     ret =
         mount("sysfs", "/sys", "sysfs", MS_NODEV | MS_NOSUID | MS_NOEXEC, NULL);
     if (ret < 0) {

init/nitro/include/fs.h → init/aws-nitro/include/fs.h

@@ -3,8 +3,8 @@
 #ifndef _FS_INIT_H
 #define _FS_INIT_H
 
-int console_init();
-int filesystem_init();
-int cgroups_init();
+int console_init(void);
+int filesystem_init(void);
+int cgroups_init(void);
 
 #endif // _FS_INIT_H

init/nitro/main.c → init/aws-nitro/main.c

@@ -497,13 +497,6 @@ int main(int argc, char *argv[])
     if (ret < 0)
         goto out;
 
-    // Ensure the container /dev is initialized as well.
-    ret = mount("dev", "/dev", "devtmpfs", MS_NOSUID | MS_NOEXEC, NULL);
-    if (ret < 0 && errno != EBUSY) {
-        perror("mount");
-        return ret;
-    }
-
     // Initialize the rest of the filesystem.
     ret = filesystem_init();
     if (ret < 0)

src/nitro/Cargo.toml → src/aws_nitro/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
-name = "nitro"
+name = "aws-nitro"
 version = "0.1.0"
 edition = "2021"
 
 [features]
-nitro = []
+aws-nitro = []
 
 [dependencies]
 libc = "0.2.171"

src/nitro/src/enclave/args_writer.rs → src/aws_nitro/src/enclave/args_writer.rs

@@ -14,7 +14,7 @@ use std::{
 };
 use vsock::{VsockAddr, VsockListener, VsockStream, VMADDR_CID_ANY};
 
-// A known byte that libkrun-nitro and the enclave initramfs will exchange to confirm that startup
+// A known byte that libkrun-awsnitro and the enclave initramfs will exchange to confirm that startup
 // was successful and the initramfs is ready to begin reading enclave arguments.
 const ENCLAVE_VSOCK_LAUNCH_ARGS_READY: u8 = 0xb7;