Basic orchestrator enclave app (#4765)

* Basic orchestrator enclave app * wip * remove unused deps * remove more deps * update lock files
project-oak · Feb 7, 2024 · 2980d12 · 2980d12
1 parent c53adf7
commit 2980d12
Show file tree

Hide file tree

Showing 11 changed files with 122 additions and 21 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -51,6 +51,7 @@ members = [
   "oak_restricted_kernel_interface",
   "oak_restricted_kernel_sdk",
   "oak_restricted_kernel_launcher",
+  "oak_restricted_kernel_orchestrator",
   "oak_sev_guest",
   "oak_sev_snp_attestation_report",
   "oak_simple_io",
@@ -123,6 +124,7 @@ oak_restricted_kernel_dice = { path = "./oak_restricted_kernel_dice" }
 oak_restricted_kernel_sdk = { path = "./oak_restricted_kernel_sdk" }
 oak_restricted_kernel_sdk_proc_macro = { path = "./oak_restricted_kernel_sdk_proc_macro" }
 oak_restricted_kernel_interface = { path = "./oak_restricted_kernel_interface" }
+oak_restricted_kernel_orchestrator = { path = "./oak_restricted_kernel_orchestrator" }
 oak_sev_guest = { path = "./oak_sev_guest", default-features = false }
 oak_sev_snp_attestation_report = { path = "./oak_sev_snp_attestation_report" }
 oak_stage0_dice = { path = "./stage0_dice" }

diff --git a/enclave_apps/Cargo.lock b/enclave_apps/Cargo.lock
diff --git a/enclave_apps/Cargo.toml b/enclave_apps/Cargo.toml
@@ -11,5 +11,7 @@ members = [
 [workspace.dependencies]
 micro_rpc = { path = "../micro_rpc" }
 oak_channel = { path = "../oak_channel" }
+oak_dice = { path = "../oak_dice" }
 oak_restricted_kernel_sdk = { path = "../oak_restricted_kernel_sdk" }
 oak_restricted_kernel_interface = { path = "../oak_restricted_kernel_interface" }
+zerocopy = "*"
diff --git a/enclave_apps/oak_orchestrator/Cargo.toml b/enclave_apps/oak_orchestrator/Cargo.toml
@@ -7,8 +7,10 @@ license = "Apache-2.0"
 
 [dependencies]
 oak_restricted_kernel_sdk = { workspace = true }
-oak_channel = { workspace = true }
-log = "*"
+oak_restricted_kernel_interface = { workspace = true }
+oak_restricted_kernel_orchestrator = { path = "../../oak_restricted_kernel_orchestrator" }
+oak_dice = { workspace = true }
+zerocopy = "*"
 
 [[bin]]
 name = "oak_orchestrator"

diff --git a/enclave_apps/oak_orchestrator/src/main.rs b/enclave_apps/oak_orchestrator/src/main.rs
@@ -20,17 +20,22 @@
 
 extern crate alloc;
 
-use oak_channel::basic_framed::load_raw;
+use oak_dice::evidence::Stage0DiceData;
+use oak_restricted_kernel_interface::{syscall::read, DICE_DATA_FD};
 use oak_restricted_kernel_sdk::{channel::FileDescriptorChannel, entrypoint};
+use zerocopy::{AsBytes, FromZeroes};
+
+fn read_stage0_dice_data() -> Stage0DiceData {
+    let mut result = Stage0DiceData::new_zeroed();
+    let buffer = result.as_bytes_mut();
+    let len = read(DICE_DATA_FD, buffer).expect("failed to read dice data");
+    assert!(len == buffer.len(), "invalid dice data size");
+    result
+}
 
 #[entrypoint]
 fn start() -> ! {
-    log::info!("Orchestrator will load enclave app binary",);
-    let mut channel = FileDescriptorChannel::default();
-    let app = load_raw::<FileDescriptorChannel, 4096>(&mut channel).expect("failed to load");
-    log::info!(
-        "Orchestrator loaded enclave app binary, size: {}",
-        app.len()
-    );
-    unimplemented!();
+    let dice_data = read_stage0_dice_data();
+    let channel = FileDescriptorChannel::default();
+    oak_restricted_kernel_orchestrator::entrypoint(channel, dice_data)
 }
diff --git a/justfile b/justfile
@@ -36,6 +36,12 @@ oak_restricted_kernel_simple_io_bin:
 oak_restricted_kernel_simple_io_wrapper: oak_restricted_kernel_simple_io_bin
     just _wrap_kernel oak_restricted_kernel_simple_io
 
+oak_restricted_kernel_initrd_bin:
+    env --chdir=oak_restricted_kernel_bin cargo build --release --features=initrd --bin=oak_restricted_kernel_initrd_bin
+
+oak_restricted_kernel_initrd_bin_wrapper: oak_restricted_kernel_initrd_bin
+    just _wrap_kernel oak_restricted_kernel_initrd
+
 stage0_bin:
     env --chdir=stage0_bin cargo objcopy --release -- --output-target=binary target/x86_64-unknown-none/release/stage0_bin
 

diff --git a/oak_restricted_kernel_bin/Cargo.toml b/oak_restricted_kernel_bin/Cargo.toml
@@ -11,6 +11,7 @@ virtio_console_channel = ["oak_restricted_kernel/virtio_console_channel"]
 vsock_channel = ["oak_restricted_kernel/vsock_channel"]
 simple_io_channel = ["oak_restricted_kernel/simple_io_channel"]
 serial_channel = ["oak_restricted_kernel/serial_channel"]
+initrd = ["oak_restricted_kernel/initrd"]
 
 [workspace]
 resolver = "2"
@@ -27,6 +28,13 @@ test = false
 bench = false
 required-features = ["virtio_console_channel"]
 
+[[bin]]
+path = "src/main.rs"
+name = "oak_restricted_kernel_initrd_bin"
+test = false
+bench = false
+required-features = ["initrd"]
+
 [[bin]]
 path = "src/main.rs"
 name = "oak_restricted_kernel_simple_io_bin"

diff --git a/oak_restricted_kernel_launcher/README.md b/oak_restricted_kernel_launcher/README.md
@@ -16,20 +16,17 @@ must be built.
 
 (instructions gained from inspecting xtask, may change in the future)
 
-Stage0, the restricted kernel, and an enclave app may be built like so:
-
 ```shell
-just stage0_bin oak_restricted_kernel_wrapper oak_echo_raw_enclave_app
-```
+# Stage0, the restricted kernel, and an enclave app may be built like so:
+just stage0_bin oak_restricted_kernel_initrd_bin_wrapper oak_orchestrator && \
 
-After building dependencies, an enclave app may be run like so:
-
-```shell
+# After building dependencies, an enclave app may be run like so:
 RUST_LOG=DEBUG \
 cargo run --package=oak_restricted_kernel_launcher -- \
---kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper_bin \
+--kernel=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_initrd_wrapper_bin \
 --vmm-binary=$(which qemu-system-x86_64) \
 --memory-size=8G \
 --bios-binary=stage0_bin/target/x86_64-unknown-none/release/stage0_bin \
+--initrd=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator \
 --app-binary=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
 ```
diff --git a/oak_restricted_kernel_orchestrator/Cargo.toml b/oak_restricted_kernel_orchestrator/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "oak_restricted_kernel_orchestrator"
+version = "0.1.0"
+authors = ["Juliette Pluto <[email protected]>"]
+edition = "2021"
+license = "Apache-2.0"
+
+[dependencies]
+oak_channel = { workspace = true }
+oak_dice = { workspace = true }
+oak_restricted_kernel_dice = { workspace = true }
+log = "*"
diff --git a/oak_restricted_kernel_orchestrator/src/lib.rs b/oak_restricted_kernel_orchestrator/src/lib.rs
@@ -0,0 +1,33 @@
+//
+// Copyright 2024 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#![no_std]
+
+extern crate alloc;
+
+use oak_channel::basic_framed::load_raw;
+use oak_dice::evidence::Stage0DiceData;
+
+pub fn entrypoint<C: oak_channel::Channel>(mut channel: C, _stage0_dice_data: Stage0DiceData) -> ! {
+    let application_bytes = load_raw::<C, 4096>(&mut channel).expect("failed to load");
+    log::info!("Binary loaded, size: {}", application_bytes.len());
+    let app_digest = oak_restricted_kernel_dice::measure_app_digest_sha2_256(&application_bytes);
+    log::info!(
+        "Application digest (sha2-256): {}",
+        app_digest.map(|x| alloc::format!("{:02x}", x)).join("")
+    );
+    unimplemented!();
+}