nitro: Use cached EIF file if none configured

With the underlying application decoupled from the EIF file, create and
cache a stock EIF file that can be used to run enclaves with.
Applications that want to run "standard" containzerized applications can
now do so without specifying an EIF file.

Update the nitro example to not require an EIF file.

Signed-off-by: Tyler Fanelli <[email protected]>

Author: tylerfanelli

Cargo.lock

@@ -34,7 +34,6 @@ static void print_help(char *const name)
         "OPTIONS: \n"
         "        -h    --help                Show help\n"
         "\n"
-        "ENCLAVE_IMAGE:     The enclave image to run\n"
         "NEWROOT:           The root directory of the VM\n"
         "NVCPUS:            The amount of vCPUs for running the enclave\n"
         "RAM_MIB:           The amount of RAM (MiB) allocated for enclave\n",
@@ -49,7 +48,6 @@ static const struct option long_options[] = {
 
 struct cmdline {
     bool show_help;
-    const char *eif_path;
     const char *new_root;
     unsigned int nvcpus;
     unsigned int ram_mib;
@@ -64,7 +62,6 @@ bool parse_cmdline(int argc, char *const argv[], struct cmdline *cmdline)
     // set the defaults
     *cmdline = (struct cmdline){
         .show_help = false,
-        .eif_path = NULL,
     };
 
     // the '+' in optstring is a GNU extension that disables permutating argv
@@ -81,22 +78,19 @@ bool parse_cmdline(int argc, char *const argv[], struct cmdline *cmdline)
         }
     }
 
-    if (optind < argc - 3) {
-        cmdline->eif_path = argv[optind];
-        cmdline->new_root = argv[optind + 1];
-        cmdline->nvcpus = strtoul(argv[optind + 2], NULL, 10);
-        cmdline->ram_mib = strtoul(argv[optind + 3], NULL, 10);
+    if (optind < argc - 2) {
+        cmdline->new_root = argv[optind];
+        cmdline->nvcpus = strtoul(argv[optind + 1], NULL, 10);
+        cmdline->ram_mib = strtoul(argv[optind + 2], NULL, 10);
         return true;
     }
 
-    if (optind >= argc - 3)
-        fprintf(stderr, "Missing RAM_MIB argument\n");
     if (optind >= argc - 2)
-        fprintf(stderr, "Missing VCPUS argument\n");
+        fprintf(stderr, "Missing RAM_MIB argument\n");
     if (optind >= argc - 1)
-        fprintf(stderr, "Missing NEWROOT argument\n");
+        fprintf(stderr, "Missing VCPUS argument\n");
     if (optind == argc)
-        fprintf(stderr, "Missing ENCLAVE_IMAGE argument\n");
+        fprintf(stderr, "Missing NEWROOT argument\n");
 
     return false;
 }
@@ -197,15 +191,6 @@ int main(int argc, char *const argv[])
         return -1;
     }
 
-    // Set the nitro enclave image specified on the command line.
-    if (err = krun_nitro_set_image(ctx_id, cmdline.eif_path,
-                                   KRUN_NITRO_IMG_TYPE_EIF)) {
-        errno = -err;
-        perror("Error configuring nitro enclave image");
-        return -1;
-
-    }
-
     // Configure the nitro enclave to run in debug mode.
     if (err = krun_nitro_set_start_flags(ctx_id, KRUN_NITRO_START_FLAG_DEBUG)) {
         errno = -err;

examples/nitro

@@ -41,7 +41,7 @@ hvf = { path = "../hvf" }
 kvm-bindings = { version = ">=0.11", features = ["fam-wrappers"] }
 kvm-ioctls = ">=0.21"
 nitro = { path = "../nitro", optional = true }
-nitro-enclaves = { version = "0.3.0", optional = true }
+nitro-enclaves = { version = "0.5.0", optional = true }
 vm-memory = { version = ">=0.13", features = ["backend-mmap"] }
 
 [lib]

examples/nitro.c

@@ -363,16 +363,6 @@ impl TryFrom<ContextConfig> for NitroEnclave {
             return Err(-libc::EINVAL);
         };
 
-        let Some(image_path) = ctx.nitro_image_path else {
-            error!("nitro image not configured");
-            return Err(-libc::EINVAL);
-        };
-
-        let Ok(image) = File::open(&image_path) else {
-            error!("unable to open {}", image_path.display());
-            return Err(-libc::EINVAL);
-        };
-
         let rootfs = {
             if ctx.vmr.fs.len() != 1 {
                 error!("one rootfs path required");
@@ -407,7 +397,7 @@ impl TryFrom<ContextConfig> for NitroEnclave {
         };
 
         Ok(Self {
-            image,
+            _image_path: ctx.nitro_image_path,
             mem_size_mib,
             vcpus,
             rootfs,

examples/test_data/hello.eif

@@ -7,10 +7,11 @@ edition = "2021"
 nitro = []
 
 [dependencies]
+flate2 = "1.1.5"
 libc = "0.2.171"
 nix = { version = "0.30.1", features = ["ioctl", "poll"] }
 tar = "0.4.44"
 vsock = "0.5.1"
 
 [target.'cfg(target_os = "linux")'.dependencies]
-nitro-enclaves = "0.3.0"
+nitro-enclaves = "0.5.0"

src/libkrun/Cargo.toml

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use super::error::NitroError;
+use flate2::read::GzDecoder;
 use libc::c_int;
 use nitro_enclaves::{
     launch::{ImageType, Launcher, MemoryInfo, PollTimeout, StartFlags},
@@ -9,16 +10,19 @@ use nitro_enclaves::{
 use nix::poll::{poll, PollFd, PollFlags, PollTimeout as NixPollTimeout};
 use std::{
     ffi::CString,
-    fs::File,
     io::{Read, Write},
     os::fd::AsFd,
     path::PathBuf,
     str::FromStr,
 };
+use tar::Archive;
 use vsock::{VsockAddr, VsockListener, VsockStream};
 
 type Result<T> = std::result::Result<T, NitroError>;
 
+const KRUN_NITRO_EIF_TAR: &[u8] = include_bytes!("runtime-data/eif.tar.gz");
+const KRUN_NITRO_EIF_FILE_NAME: &str = "krun-nitro.eif";
+
 const ENCLAVE_READY_VSOCK_PORT: u32 = 9000;
 
 const VMADDR_CID_PARENT: u32 = 3;
@@ -27,8 +31,9 @@ const HEART_BEAT: u8 = 0xb7;
 
 /// Nitro Enclave data.
 pub struct NitroEnclave {
-    /// Enclave image.
-    pub image: File,
+    /// Path to configurable enclave image. Will default to KRUN_NITRO_ENCLAVE_EIF if one external
+    /// enclave provided.
+    pub _image_path: Option<PathBuf>,
     /// Amount of RAM (in MiB).
     pub mem_size_mib: usize,
     /// Number of vCPUs.
@@ -93,12 +98,12 @@ impl NitroEnclave {
         Ok(())
     }
 
-    fn launch(&mut self) -> Result<u32> {
+    fn launch(&mut self, eif: &[u8]) -> Result<u32> {
         let device = Device::open().map_err(NitroError::DeviceOpen)?;
 
         let mut launcher = Launcher::new(&device).map_err(NitroError::VmCreate)?;
 
-        let mem = MemoryInfo::new(ImageType::Eif(&mut self.image), self.mem_size_mib);
+        let mem = MemoryInfo::new(ImageType::Eif(eif), self.mem_size_mib);
         launcher.set_memory(mem).map_err(NitroError::VmMemorySet)?;
 
         for _ in 0..self.vcpus {
@@ -112,8 +117,8 @@ impl NitroEnclave {
         Ok(cid.try_into().unwrap()) // Safe to unwrap.
     }
 
-    fn poll(&self, listener: &VsockListener) -> Result<()> {
-        let poll_timeout = PollTimeout::try_from((&self.image, self.mem_size_mib << 20))
+    fn poll(&self, listener: &VsockListener, eif: &[u8]) -> Result<()> {
+        let poll_timeout = PollTimeout::try_from((eif, self.mem_size_mib << 20))
             .map_err(NitroError::PollTimeoutCalculate)?;
 
         let mut poll_fds = [PollFd::new(listener.as_fd(), PollFlags::POLLIN)];
@@ -136,9 +141,10 @@ impl NitroEnclave {
     fn start(&mut self) -> Result<(u32, VsockStream)> {
         let sockaddr = VsockAddr::new(VMADDR_CID_PARENT, ENCLAVE_READY_VSOCK_PORT);
         let listener = VsockListener::bind(&sockaddr).map_err(NitroError::HeartbeatBind)?;
+        let eif = eif()?;
 
-        let cid = self.launch()?;
-        self.poll(&listener)?;
+        let cid = self.launch(&eif)?;
+        self.poll(&listener, &eif)?;
 
         let mut stream = listener.accept().map_err(NitroError::HeartbeatAccept)?;
 
@@ -205,3 +211,24 @@ fn vsock_write_bytes(bytes: &[u8], stream: &mut VsockStream) -> Result<()> {
 
     Ok(())
 }
+
+fn eif() -> Result<Vec<u8>> {
+    let gz = GzDecoder::new(KRUN_NITRO_EIF_TAR);
+    let mut archive = Archive::new(gz);
+
+    let mut buf = Vec::new();
+
+    for entry_result in archive.entries().unwrap() {
+        let mut entry = entry_result.unwrap();
+
+        let path = entry.path().unwrap();
+        let path_str = path.to_string_lossy();
+
+        if path_str == KRUN_NITRO_EIF_FILE_NAME {
+            entry.read_to_end(&mut buf).unwrap();
+            break;
+        }
+    }
+
+    Ok(buf)
+}