From a4c9b8f4013503d707ff8b13a6ae8c56b04d1ad5 Mon Sep 17 00:00:00 2001 From: Conrad Grobler Date: Wed, 15 May 2024 17:44:26 +0000 Subject: [PATCH] Remove initrd feature from the restricted kernel Change-Id: I2edeae4750c3b16de301091113c123d9501098e6 --- justfile | 10 +--- kokoro/build_binaries_rust.sh | 2 - oak_restricted_kernel/BUILD | 1 - oak_restricted_kernel/Cargo.toml | 5 +- oak_restricted_kernel/src/lib.rs | 46 +------------------ oak_restricted_kernel/src/mm/mod.rs | 32 ++++--------- .../src/syscall/dice_data.rs | 9 ---- oak_restricted_kernel/src/syscall/key.rs | 23 ++-------- oak_restricted_kernel/src/syscall/mod.rs | 20 ++------ oak_restricted_kernel_bin/Cargo.toml | 19 +------- 10 files changed, 23 insertions(+), 144 deletions(-) diff --git a/justfile b/justfile index 00ec27d83df..b68dbebbb04 100644 --- a/justfile +++ b/justfile 
@@ -58,14 +58,8 @@ bzimage_provenance_subjects kernel_name output_dir_provenance_subjects bzimage_p oak_restricted_kernel_wrapper: oak_restricted_kernel_bin just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel -oak_restricted_kernel_simple_io_bin: - env --chdir=oak_restricted_kernel_bin cargo build --release --no-default-features --features=simple_io_channel --bin=oak_restricted_kernel_simple_io_bin - -oak_restricted_kernel_simple_io_wrapper: oak_restricted_kernel_simple_io_bin - just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel_simple_io - oak_restricted_kernel_simple_io_init_rd_bin: - env --chdir=oak_restricted_kernel_bin cargo build --release --no-default-features --features=simple_io_channel,initrd --bin=oak_restricted_kernel_simple_io_init_rd_bin + env --chdir=oak_restricted_kernel_bin cargo build --release --no-default-features --features=simple_io_channel --bin=oak_restricted_kernel_simple_io_init_rd_bin oak_restricted_kernel_simple_io_init_rd_wrapper: oak_restricted_kernel_simple_io_init_rd_bin just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel_simple_io_init_rd @@ -160,7 +154,7 @@ all_ensure_no_std: (ensure_no_std "micro_rpc") (ensure_no_std "oak_attestation_v # Entry points for Kokoro CI. -kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin oak_restricted_kernel_simple_io_bin oak_restricted_kernel_simple_io_wrapper oak_restricted_kernel_simple_io_init_rd_wrapper stage0_bin +kokoro_build_binaries_rust: all_enclave_apps oak_restricted_kernel_bin oak_restricted_kernel_simple_io_init_rd_wrapper stage0_bin kokoro_oak_containers: all_oak_containers_binaries oak_functions_containers_container_bundle_tar RUST_LOG="debug" cargo nextest run --all-targets --hide-progress-bar --package='oak_containers_hello_world_untrusted_app' diff --git a/kokoro/build_binaries_rust.sh b/kokoro/build_binaries_rust.sh index 2812350261c..531af42ca83 100755 
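Review bot: The surviving recipes `oak_restricted_kernel_simple_io_init_rd_bin` and `oak_restricted_kernel_simple_io_init_rd_wrapper` keep an `_init_rd` suffix whose only purpose was to distinguish them from the `oak_restricted_kernel_simple_io_bin` variant deleted in this hunk; with the `initrd` feature gone every restricted-kernel binary loads from the initrd, so the suffix no longer carries information. Renaming to `oak_restricted_kernel_simple_io_bin` would read better, but the same name is baked into the `[[bin]]` entry in `oak_restricted_kernel_bin/Cargo.toml` and the artifact lists in `kokoro/build_binaries_rust.sh`, and the Kokoro artifact names may be consumed downstream, so it is better handled as a coordinated follow-up than folded into this commit. If the name is kept, a one-line comment above the recipe saying that this is now the only simple-IO kernel build would save the next reader the same question.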
--- a/kokoro/build_binaries_rust.sh +++ b/kokoro/build_binaries_rust.sh @@ -20,7 +20,6 @@ touch "${KOKORO_ARTIFACTS_DIR}/binaries/git_commit_${KOKORO_GIT_COMMIT_oak:?}" # Copy the generated binaries to Placer. The timestamps are used to convey # the creation time. readonly generated_binaries=( - ./oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_wrapper_bin ./oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin ./oak_restricted_kernel_wrapper/cmd_line_regex.txt ./stage0_bin/target/x86_64-unknown-none/release/stage0_bin @@ -32,7 +31,6 @@ readonly generated_binaries=( ./enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator ) readonly binary_names=( - oak_restricted_kernel_simple_io_wrapper_bin oak_restricted_kernel_simple_io_init_rd_wrapper_bin oak_restricted_kernel_simple_io_wrapper_cmd_line_regex stage0_bin diff --git a/oak_restricted_kernel/BUILD b/oak_restricted_kernel/BUILD index 7991ddc5bdc..6fd323c5d58 100644 --- a/oak_restricted_kernel/BUILD +++ b/oak_restricted_kernel/BUILD @@ -66,7 +66,6 @@ rust_library( compile_data = ["src/boot/boot.s"], crate_features = [ "virtio_console_channel", - "initrd", ], deps = _OAK_RESTRICTED_KERNEL_DEPS, ) diff --git a/oak_restricted_kernel/Cargo.toml b/oak_restricted_kernel/Cargo.toml index 2b26e6bd120..326abbc93a0 100644 --- a/oak_restricted_kernel/Cargo.toml +++ b/oak_restricted_kernel/Cargo.toml @@ -6,10 +6,7 @@ edition = "2021" license = "Apache-2.0" [features] -default = ["vsock_channel", "initrd"] -# Ability to load an application from initrd, the measurement of which was already taken by stage0. -# In this case, instead of creating a dice layer, the kernel will expose stage0 dice data to the application. -initrd = [] +default = ["vsock_channel"] virtio_console_channel = ["virtio-drivers"] vsock_channel = ["oak_virtio"] serial_channel = ["uart_16550"] 
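Review bot: `binary_names` still lists `oak_restricted_kernel_simple_io_wrapper_cmd_line_regex` as the label for `./oak_restricted_kernel_wrapper/cmd_line_regex.txt`, although the `oak_restricted_kernel_simple_io_wrapper` binary it is named after is removed from both arrays in this change. The regex presumably now describes the remaining `oak_restricted_kernel_simple_io_init_rd_wrapper_bin`, so either rename the entry to match (`oak_restricted_kernel_simple_io_init_rd_wrapper_cmd_line_regex`) or add a comment above it explaining why the old label is retained; I cannot tell from here whether a downstream consumer keys on the existing name, so check that before renaming. The two arrays appear to be positionally paired, and the change removes exactly one entry from each, which keeps them aligned.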
diff --git a/oak_restricted_kernel/src/lib.rs b/oak_restricted_kernel/src/lib.rs index f7c93504343..1b9e4ad11aa 100644 --- a/oak_restricted_kernel/src/lib.rs +++ b/oak_restricted_kernel/src/lib.rs @@ -170,16 +170,10 @@ pub fn start_kernel(info: &BootParams) -> ! { // at 0x200000. let program_headers = unsafe { elf::get_phdrs(VirtAddr::new(0x20_0000)) }; - #[cfg(feature = "initrd")] let ramdisk = info.ramdisk().expect("expected to find a ramdisk"); // Physical frame allocator - mm::init( - info.e820_table(), - program_headers, - #[cfg(feature = "initrd")] - &ramdisk, - ); + mm::init(info.e820_table(), program_headers, &ramdisk); // Note: `info` will not be valid after calling this! { @@ -384,15 +378,9 @@ pub fn start_kernel(info: &BootParams) -> ! { } }; - #[cfg(not(feature = "initrd"))] - let mut channel = - get_channel(&kernel_args, GUEST_HOST_HEAP.get().unwrap(), acpi.as_mut(), sev_status); - - #[cfg(feature = "initrd")] let channel = get_channel(&kernel_args, GUEST_HOST_HEAP.get().unwrap(), acpi.as_mut(), sev_status); - #[cfg(feature = "initrd")] let application_bytes: Box<[u8]> = { let virt_addr = { let pt_guard = PAGE_TABLES.lock(); 
@@ -430,46 +418,14 @@ pub fn start_kernel(info: &BootParams) -> ! { owned_slice }; - #[cfg(not(feature = "initrd"))] - let application_bytes: Box<[u8]> = { - // We need to load the application binary before we hand the channel over to the - // syscalls, which expose it to the user space. - info!("Loading application binary..."); - oak_channel::basic_framed::receive_raw::(&mut *channel) - .expect("failed to load application binary from channel") - .into_boxed_slice() - }; - log::info!("Binary loaded, size: {}", application_bytes.len()); - #[cfg(not(feature = "initrd"))] - let (derived_key, restricted_kernel_dice_data) = { - let app_digest = - oak_restricted_kernel_dice::measure_app_digest_sha2_256(&application_bytes); - log::info!( - "Application digest (sha2-256): {}", - app_digest.map(|x| alloc::format!("{:02x}", x)).join("") - ); - - let derived_key = - oak_restricted_kernel_dice::generate_derived_key(&stage0_dice_data, &app_digest); - let restricted_kernel_dice_data = - oak_restricted_kernel_dice::generate_dice_data(stage0_dice_data, &app_digest); - - (derived_key, restricted_kernel_dice_data) - }; - let application = payload::Application::new(application_bytes).expect("failed to parse application"); syscall::enable_syscalls( channel, - #[cfg(feature = "initrd")] syscall::dice_data::DiceData::Layer0(Box::new(stage0_dice_data)), - #[cfg(not(feature = "initrd"))] - syscall::dice_data::DiceData::Layer1(Box::new(restricted_kernel_dice_data)), - #[cfg(not(feature = "initrd"))] - derived_key, ); // Ensure new process is not dropped. diff --git a/oak_restricted_kernel/src/mm/mod.rs b/oak_restricted_kernel/src/mm/mod.rs index 054224ba184..1939d35316c 100644 --- a/oak_restricted_kernel/src/mm/mod.rs +++ b/oak_restricted_kernel/src/mm/mod.rs 
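Review bot: With the non-initrd path removed, the kernel no longer measures the application or generates Layer1 DICE data from its digest; it hands stage0's DICE data straight to the application as `DiceData::Layer0`, and the only explanation of why that is sound — the application came from the initrd whose measurement stage0 already took — was the feature comment deleted from `oak_restricted_kernel/Cargo.toml`. That rationale should live next to the code now that the behaviour is unconditional; a comment above `syscall::enable_syscalls(` along the lines of `// The application was loaded from the initrd, which stage0 already measured, so the kernel adds no DICE layer of its own and exposes stage0's DICE data to the application instead.` would preserve it. It is also worth stating, if this is indeed the design, that the next layer is expected to be written by user space through the DICE-data and derived-key file descriptors — I am inferring that from `key::register` now creating a writeable descriptor, so confirm before writing it down. `start_kernel` begins and ends outside the hunk.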
@@ -16,15 +16,12 @@ use goblin::{elf32::program_header::PT_LOAD, elf64::program_header::ProgramHeader}; use log::info; -#[cfg(feature = "initrd")] -use oak_linux_boot_params::Ramdisk; -use oak_linux_boot_params::{BootE820Entry, E820EntryType}; +use oak_linux_boot_params::{BootE820Entry, E820EntryType, Ramdisk}; use oak_sev_guest::msr::{get_sev_status, SevStatus}; -#[cfg(feature = "initrd")] -use x86_64::structures::paging::frame::PhysFrameRange; use x86_64::{ addr::{align_down, align_up}, structures::paging::{ + frame::PhysFrameRange, mapper::{FlagUpdateError, MapToError, MapperFlush, UnmapError}, FrameAllocator, Page, PageSize, PageTable, PageTableFlags as BasePageTableFlags, PhysFrame, Size2MiB, Size4KiB, @@ -168,11 +165,7 @@ pub trait Mapper { ) -> Result, FlagUpdateError>; } -pub fn init( - memory_map: &[BootE820Entry], - program_headers: &[ProgramHeader], - #[cfg(feature = "initrd")] ramdisk: &Ramdisk, -) { +pub fn init(memory_map: &[BootE820Entry], program_headers: &[ProgramHeader], ramdisk: &Ramdisk) { let mut alloc = FRAME_ALLOCATOR.lock(); /* Step 1: mark all RAM as available (event though it may contain data!) */ @@ -248,20 +241,15 @@ pub fn init( alloc.mark_valid(range, false) }); - // Thirdly, mark the ramdisk as reserved. - #[cfg(feature = "initrd")] - { - let ramdisk_range = ramdisk_range(ramdisk); - info!( - "marking [{:#018x}..{:#018x}) as reserved (ramdisk)", - ramdisk_range.start.start_address().as_u64(), - ramdisk_range.end.start_address().as_u64() - ); - alloc.mark_valid(ramdisk_range, false); - }; + let ramdisk_range = ramdisk_range(ramdisk); + info!( + "marking [{:#018x}..{:#018x}) as reserved (ramdisk)", + ramdisk_range.start.start_address().as_u64(), + ramdisk_range.end.start_address().as_u64() + ); + alloc.mark_valid(ramdisk_range, false); } -#[cfg(feature = "initrd")] pub fn ramdisk_range(ramdisk: &Ramdisk) -> PhysFrameRange { PhysFrame::range( PhysFrame::::from_start_address(PhysAddr::new( 
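Review bot: The rewrite of the ramdisk reservation in `init` drops the `// Thirdly, mark the ramdisk as reserved.` comment that sat on the removed block, so the step sequence that starts with `/* Step 1: mark all RAM as available (event though it may contain data!) */` loses its last marker; restore it above `let ramdisk_range = ramdisk_range(ramdisk);` (and `event` in the step-1 comment should be `even`). `init` is public and, now that `ramdisk` is an unconditional parameter, deserves a doc comment such as `/// Initialises the physical frame allocator from the E820 memory map, then marks the frames used by the kernel image and by the ramdisk as unavailable.` — the middle step is outside these hunks, so I am taking "kernel image" from the `program_headers` parameter rather than from visible code; adjust if the closure ending in `alloc.mark_valid(range, false)` reserves something else. `ramdisk_range` is likewise public and its body runs past the hunk, so its one-line doc (that it converts the ramdisk's address and size into a 4 KiB frame range) belongs in the same follow-up.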
diff --git a/oak_restricted_kernel/src/syscall/dice_data.rs b/oak_restricted_kernel/src/syscall/dice_data.rs index d11869f7d1a..55bf4711f16 100644 --- a/oak_restricted_kernel/src/syscall/dice_data.rs +++ b/oak_restricted_kernel/src/syscall/dice_data.rs @@ -23,7 +23,6 @@ use zeroize::Zeroize; use super::fd::{copy_max_slice, FileDescriptor}; pub enum DiceData { - #[cfg(feature = "initrd")] Layer0(Box), Layer1(Box), } @@ -31,7 +30,6 @@ pub enum DiceData { impl DiceData { fn as_mut_slice(&mut self) -> &mut [u8] { match self { - #[cfg(feature = "initrd")] DiceData::Layer0(stage0_dice_data) => { ::as_bytes_mut(stage0_dice_data) } @@ -47,7 +45,6 @@ struct ReadState { index: usize, } -#[cfg(feature = "initrd")] struct WriteState { data: RestrictedKernelDiceData, index: usize, @@ -55,7 +52,6 @@ struct WriteState { enum DiceDataDescriptor { Readable(Box), - #[cfg(feature = "initrd")] Writeable(Box), } @@ -68,7 +64,6 @@ impl DiceDataDescriptor { impl FileDescriptor for DiceDataDescriptor { fn read(&mut self, buf: &mut [u8]) -> Result { match self { - #[cfg(feature = "initrd")] DiceDataDescriptor::Writeable(_write_state) => Err(Errno::EINVAL), DiceDataDescriptor::Readable(read_state) => { let data_as_slice = read_state.data.as_mut_slice(); @@ -88,7 +83,6 @@ impl FileDescriptor for DiceDataDescriptor { fn write(&mut self, buf: &[u8]) -> Result { match self { DiceDataDescriptor::Readable(read_state) => match &mut read_state.data { - #[cfg(feature = "initrd")] DiceData::Layer0(stage0_dice_data) => { ::as_bytes_mut(stage0_dice_data).zeroize(); let _ = core::mem::replace( @@ -102,7 +96,6 @@ impl FileDescriptor for DiceDataDescriptor { } _ => Err(Errno::EINVAL), }, - #[cfg(feature = "initrd")] DiceDataDescriptor::Writeable(write_state) => { let data_as_slice = ::as_bytes_mut( &mut write_state.data, 
@@ -148,7 +141,6 @@ pub fn register(data: DiceData) { .expect("DiceDataDescriptor already registered"); } -#[cfg(feature = "initrd")] #[test] fn fd_permits_one_full_write() { let layer0 = ::new_zeroed(); @@ -173,7 +165,6 @@ fn fd_permits_one_full_write() { assert!(fd.write(::as_bytes(&layer1)).is_err()); } -#[cfg(feature = "initrd")] #[test] fn fd_supports_partial_writes() { let layer0 = ::new_zeroed(); diff --git a/oak_restricted_kernel/src/syscall/key.rs b/oak_restricted_kernel/src/syscall/key.rs index a0680a6ce85..4f572892758 100644 --- a/oak_restricted_kernel/src/syscall/key.rs +++ b/oak_restricted_kernel/src/syscall/key.rs @@ -29,17 +29,10 @@ struct DerivedKeyState { enum DerivedKeyDescriptor { Readable(DerivedKeyState), - #[cfg(feature = "initrd")] Writeable(DerivedKeyState), } impl DerivedKeyDescriptor { - #[cfg(not(feature = "initrd"))] - fn new(key: DerivedKey) -> Self { - Self::Readable(DerivedKeyState { index: 0, data: key }) - } - - #[cfg(feature = "initrd")] fn new() -> Self { Self::Writeable(DerivedKeyState::default()) } @@ -48,7 +41,6 @@ impl DerivedKeyDescriptor { impl FileDescriptor for DerivedKeyDescriptor { fn read(&mut self, buf: &mut [u8]) -> Result { match self { - #[cfg(feature = "initrd")] DerivedKeyDescriptor::Writeable(_write_state) => Err(Errno::EINVAL), DerivedKeyDescriptor::Readable(read_state) => { let data_as_slice = read_state.data.as_mut_slice(); @@ -62,7 +54,6 @@ impl FileDescriptor for DerivedKeyDescriptor { fn write(&mut self, buf: &[u8]) -> Result { match self { DerivedKeyDescriptor::Readable(_read_state) => Err(Errno::EINVAL), - #[cfg(feature = "initrd")] DerivedKeyDescriptor::Writeable(write_state) => { let data_as_slice = ::as_bytes_mut(&mut write_state.data); 
@@ -97,14 +88,8 @@ impl FileDescriptor for DerivedKeyDescriptor { } /// Registers a file descriptor for reading a derived key (0x21) -pub fn register(#[cfg(not(feature = "initrd"))] key: DerivedKey) { - super::fd::register( - DERIVED_KEY_FD, - Box::new(DerivedKeyDescriptor::new( - #[cfg(not(feature = "initrd"))] - key, - )), - ) - .map_err(|_| ()) // throw away the box - .expect("DerivedKeyDescriptor already registered"); +pub fn register() { + super::fd::register(DERIVED_KEY_FD, Box::new(DerivedKeyDescriptor::new())) + .map_err(|_| ()) // throw away the box + .expect("DerivedKeyDescriptor already registered"); } diff --git a/oak_restricted_kernel/src/syscall/mod.rs b/oak_restricted_kernel/src/syscall/mod.rs index b15113c8af7..eeade106019 100644 --- a/oak_restricted_kernel/src/syscall/mod.rs +++ b/oak_restricted_kernel/src/syscall/mod.rs @@ -22,7 +22,6 @@ pub mod mmap; mod process; mod stdio; -#[cfg(feature = "initrd")] mod switch_process; #[cfg(test)] @@ -32,8 +31,6 @@ use alloc::boxed::Box; use core::{arch::asm, ffi::c_void}; use oak_channel::Channel; -#[cfg(not(feature = "initrd"))] -use oak_restricted_kernel_dice::DerivedKey; use oak_restricted_kernel_interface::{Errno, Syscall}; use x86_64::{ registers::{ @@ -43,12 +40,11 @@ use x86_64::{ VirtAddr, }; -#[cfg(feature = "initrd")] -use self::switch_process::syscall_unstable_switch_proccess; use self::{ fd::{syscall_fsync, syscall_read, syscall_write}, mmap::syscall_mmap, process::syscall_exit, + switch_process::syscall_unstable_switch_proccess, }; use crate::mm; 
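Review bot: The retained doc comment `/// Registers a file descriptor for reading a derived key (0x21)` no longer matches the new body: `DerivedKeyDescriptor::new()` keeps only the former `initrd` flavour, which returns `Self::Writeable(DerivedKeyState::default())`, so the descriptor is registered for writing, not reading. Update it to something like `/// Registers the derived-key file descriptor (0x21), initially writeable.` and, if the transition to `Readable` happens after a full write as the `DiceDataDescriptor` tests in `dice_data.rs` suggest for the sibling descriptor, say so — I am inferring that from the Writeable/Readable split, so confirm against the `write` arm, which ends outside the hunk. The `Readable` variant is no longer constructed anywhere visible in this file's hunks; if its only remaining role is the post-write state, a short comment on the variant would make that explicit.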
@@ -73,17 +69,10 @@ struct GsData { user_flags: usize, } -pub fn enable_syscalls( - channel: Box, - dice_data: dice_data::DiceData, - #[cfg(not(feature = "initrd"))] derived_key: DerivedKey, -) { +pub fn enable_syscalls(channel: Box, dice_data: dice_data::DiceData) { channel::register(channel); stdio::register(); - key::register( - #[cfg(not(feature = "initrd"))] - derived_key, - ); + key::register(); dice_data::register(dice_data); // Allocate a stack for the system call handler. @@ -130,12 +119,9 @@ extern "sysv64" fn syscall_handler( syscall_mmap(arg1 as *const c_void, arg2, arg3, arg4, arg5 as i32, arg6) } Some(Syscall::Fsync) => syscall_fsync(arg1 as i32), - #[cfg(feature = "initrd")] Some(Syscall::UnstableSwitchProcess) => { syscall_unstable_switch_proccess(arg1 as *mut c_void, arg2) } - #[cfg(not(feature = "initrd"))] - Some(Syscall::UnstableSwitchProcess) => Errno::ENOSYS as isize, None => Errno::ENOSYS as isize, } } diff --git a/oak_restricted_kernel_bin/Cargo.toml b/oak_restricted_kernel_bin/Cargo.toml index 092d8e37392..f085c2437d9 100644 --- a/oak_restricted_kernel_bin/Cargo.toml +++ b/oak_restricted_kernel_bin/Cargo.toml @@ -6,12 +6,11 @@ edition = "2021" license = "Apache-2.0" [features] -default = ["virtio_console_channel", "initrd"] +default = ["virtio_console_channel"] virtio_console_channel = ["oak_restricted_kernel/virtio_console_channel"] vsock_channel = ["oak_restricted_kernel/vsock_channel"] simple_io_channel = ["oak_restricted_kernel/simple_io_channel"] serial_channel = ["oak_restricted_kernel/serial_channel"] -initrd = ["oak_restricted_kernel/initrd"] [workspace] resolver = "2" 
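Review bot: `enable_syscalls` is the public entry point that wires up every file descriptor the application will see, and after this change its contract is simpler but still undocumented; add a doc comment such as `/// Registers the channel, stdio, derived-key and DICE-data file descriptors and sets up the system-call handler; dice_data is the DICE data the kernel exposes to the application.` (the handler setup is described only as far as the `// Allocate a stack for the system call handler.` line shows, the rest of the body being outside the hunk). Because `key::register()` now takes no key, the comment must not promise a kernel-derived key; the descriptor starts out writeable per `key.rs`. Separately, dropping the `Errno::ENOSYS` arm means `Some(Syscall::UnstableSwitchProcess)` is dispatched on every build, which is presumably intended, but a reader of `syscall_handler` can no longer see that this syscall belongs to the initrd-based flow, so a one-line comment on that arm (or on `mod switch_process;`) would help. The `syscall_unstable_switch_proccess` name (double c) is pre-existing and a rename would touch `switch_process.rs` outside this diff.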
@@ -28,23 +27,9 @@ test = false bench = false required-features = ["virtio_console_channel"] -[[bin]] -path = "src/main.rs" -name = "oak_restricted_kernel_initrd_bin" -test = false -bench = false -required-features = ["initrd"] - -[[bin]] -path = "src/main.rs" -name = "oak_restricted_kernel_simple_io_bin" -test = false -bench = false -required-features = ["simple_io_channel"] - [[bin]] path = "src/main.rs" name = "oak_restricted_kernel_simple_io_init_rd_bin" test = false bench = false -required-features = ["simple_io_channel", "initrd"] +required-features = ["simple_io_channel"]