From 311a95b0fe8c704c42f806d49bb317a19c33eb6f Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Tue, 17 Dec 2024 01:56:36 +0100
Subject: [PATCH 1/6] go/worker/keymanager/secrets: Log next checksum
---
 go/worker/keymanager/secrets.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/go/worker/keymanager/secrets.go b/go/worker/keymanager/secrets.go
index 12e6de24536..8d655df0a43 100644
--- a/go/worker/keymanager/secrets.go
+++ b/go/worker/keymanager/secrets.go
@@ -601,6 +601,7 @@ func (w *secretsWorker) registerNode(rsp *secrets.SignedInitResponse, version ve
 w.logger.Info("registering key manager",
 "is_secure", rsp.InitResponse.IsSecure,
 "checksum", hex.EncodeToString(rsp.InitResponse.Checksum),
+ "next_checksum", hex.EncodeToString(rsp.InitResponse.NextChecksum),
 "policy_checksum", hex.EncodeToString(rsp.InitResponse.PolicyChecksum),
 "rsk", rsp.InitResponse.RSK,
 "next_rsk", rsp.InitResponse.NextRSK,
From 2e1b6b79fce482a5f611977f5dd2341f25426dc1 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Tue, 7 Jan 2025 13:48:34 +0100
Subject: [PATCH 2/6] go/runtime/config: Remove ELF runtime environment
---
 go/runtime/config/config.go | 6 ------
 go/runtime/registry/config.go | 3 +--
 2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/go/runtime/config/config.go b/go/runtime/config/config.go
index ff8b507e677..b107fa810f1 100644
--- a/go/runtime/config/config.go
+++ b/go/runtime/config/config.go
@@ -61,11 +61,6 @@ const (
 // Use of this runtime environment is only allowed if DebugDontBlameOasis flag is set.
 RuntimeEnvironmentSGXMock RuntimeEnvironment = "sgx-mock"
- // RuntimeEnvironmentELF specifies to run the runtime in the OS address space.
- //
- // Use of this runtime environment is only allowed if DebugDontBlameOasis flag is set.
- RuntimeEnvironmentELF RuntimeEnvironment = "elf"
-
 // RuntimeEnvironmentAuto specifies to run the runtime in the most appropriate location.
 RuntimeEnvironmentAuto RuntimeEnvironment = "auto"
 )
@@ -231,7 +226,6 @@ func (c *Config) Validate() error {
 return fmt.Errorf("sgx_loader must be set when using sgx environment")
 }
 case RuntimeEnvironmentSGXMock:
- case RuntimeEnvironmentELF:
 case RuntimeEnvironmentAuto:
 default:
 return fmt.Errorf("unknown runtime environment: %s", c.Environment)
diff --git a/go/runtime/registry/config.go b/go/runtime/registry/config.go
index c74aaafa398..8fa2f1e8f71 100644
--- a/go/runtime/registry/config.go
+++ b/go/runtime/registry/config.go
@@ -134,8 +134,7 @@ func createProvisioner(
 }()
 isEnvSGX := runtimeEnv == rtConfig.RuntimeEnvironmentSGX || runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
- forceNoSGX := (config.GlobalConfig.Mode.IsClientOnly() && !isEnvSGX) ||
- (cmdFlags.DebugDontBlameOasis() && runtimeEnv == rtConfig.RuntimeEnvironmentELF)
+ forceNoSGX := config.GlobalConfig.Mode.IsClientOnly() && !isEnvSGX
 // Register provisioners based on the configured provisioner.
 var insecureNoSandbox bool
From 566f60cf91da772e82df2a06e8dc8ce0e83ad494 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Tue, 17 Dec 2024 01:57:59 +0100
Subject: [PATCH 3/6] go/runtime/registry: Simplify creation of provisioners
---
 go/runtime/registry/config.go | 88 ++++++++++-----------------------
 go/runtime/registry/registry.go | 21 +++-----
 2 files changed, 33 insertions(+), 76 deletions(-)
diff --git a/go/runtime/registry/config.go b/go/runtime/registry/config.go
index 8fa2f1e8f71..4c86db8a334 100644
--- a/go/runtime/registry/config.go
+++ b/go/runtime/registry/config.go
@@ -107,39 +107,18 @@ func createProvisioner(
 identity *identity.Identity,
 consensus consensus.Backend,
 hostInfo *hostProtocol.HostInfo,
- bundleRegistry bundle.Registry,
 ias []ias.Endpoint,
 qs pcs.QuoteService,
 ) (runtimeHost.Provisioner, error) {
 var err error
+ var insecureNoSandbox bool
- // By default start with the environment specified in configuration.
+ attestInterval := config.GlobalConfig.Runtime.AttestInterval
+ sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary
+ sgxLoader := config.GlobalConfig.Runtime.SGXLoader
 runtimeEnv := config.GlobalConfig.Runtime.Environment
- // If the runtime environment is set to automatic selection and at least
- // one bundle has a component that requires the use of a TEE, force a TEE
- // environment to simplify configuration.
- func() {
- if runtimeEnv != rtConfig.RuntimeEnvironmentAuto {
- return
- }
- for _, manifest := range bundleRegistry.GetManifests() {
- for _, comp := range manifest.GetAvailableComponents() {
- if comp.IsTEERequired() {
- runtimeEnv = rtConfig.RuntimeEnvironmentSGX
- return
- }
- }
- }
- }()
-
- isEnvSGX := runtimeEnv == rtConfig.RuntimeEnvironmentSGX || runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
- forceNoSGX := config.GlobalConfig.Mode.IsClientOnly() && !isEnvSGX
 // Register provisioners based on the configured provisioner.
- var insecureNoSandbox bool
- sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary
- attestInterval := config.GlobalConfig.Runtime.AttestInterval
 provisioners := make(map[component.TEEKind]runtimeHost.Provisioner)
 switch p := config.GlobalConfig.Runtime.Provisioner; p {
 case rtConfig.RuntimeProvisionerMock:
@@ -177,46 +156,31 @@ func createProvisioner(
 }
 // Configure the Intel SGX provisioner.
- switch sgxLoader := config.GlobalConfig.Runtime.SGXLoader; {
- case forceNoSGX:
- // Remap SGX to non-SGX when forced to do so.
- provisioners[component.TEEKindSGX], err = hostSandbox.New(hostSandbox.Config{
- HostInfo: hostInfo,
- InsecureNoSandbox: insecureNoSandbox,
- SandboxBinaryPath: sandboxBinary,
- })
- if err != nil {
- return nil, fmt.Errorf("failed to create runtime provisioner: %w", err)
- }
- case sgxLoader == "" && runtimeEnv == rtConfig.RuntimeEnvironmentSGX:
- // SGX environment is forced, but we don't have the needed loader.
- return nil, fmt.Errorf("SGX runtime environment requires setting the SGX loader")
- case sgxLoader == "" && runtimeEnv != rtConfig.RuntimeEnvironmentSGXMock:
+ insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
+ if insecureMock && !cmdFlags.DebugDontBlameOasis() {
+ return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags")
+ }
+
+ if !insecureMock && sgxLoader == "" {
 // SGX may be needed, but we don't have a loader configured.
 break
- default:
- // Configure mock SGX if configured and we are in a debug mode.
- insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
- if insecureMock && !cmdFlags.DebugDontBlameOasis() {
- return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags")
- }
+ }
- provisioners[component.TEEKindSGX], err = hostSgx.New(hostSgx.Config{
- HostInfo: hostInfo,
- CommonStore: commonStore,
- LoaderPath: sgxLoader,
- IAS: ias,
- PCS: qs,
- Consensus: consensus,
- Identity: identity,
- SandboxBinaryPath: sandboxBinary,
- InsecureNoSandbox: insecureNoSandbox,
- InsecureMock: insecureMock,
- RuntimeAttestInterval: attestInterval,
- })
- if err != nil {
- return nil, fmt.Errorf("failed to create SGX runtime provisioner: %w", err)
- }
+ provisioners[component.TEEKindSGX], err = hostSgx.New(hostSgx.Config{
+ HostInfo: hostInfo,
+ CommonStore: commonStore,
+ LoaderPath: sgxLoader,
+ IAS: ias,
+ PCS: qs,
+ Consensus: consensus,
+ Identity: identity,
+ SandboxBinaryPath: sandboxBinary,
+ InsecureNoSandbox: insecureNoSandbox,
+ InsecureMock: insecureMock,
+ RuntimeAttestInterval: attestInterval,
+ })
+ if err != nil {
+ return nil, fmt.Errorf("failed to create SGX runtime provisioner: %w", err)
 }
 default:
 return nil, fmt.Errorf("unsupported runtime provisioner: %s", p)
diff --git a/go/runtime/registry/registry.go b/go/runtime/registry/registry.go
index 147d961f56d..f0af8a54943 100644
--- a/go/runtime/registry/registry.go
+++ b/go/runtime/registry/registry.go
@@ -698,21 +698,9 @@ func New(
 consensus consensus.Backend,
 ias []ias.Endpoint,
 ) (Registry, error) {
- // Create bundle registry.
+ // Create bundle registry and discovery.
 bundleRegistry := bundle.NewRegistry(dataDir)
-
- // Fill the registry with local bundles.
- //
- // This enables the provisioner to determine which runtime environment
- // to use when the configuration is set to 'auto'.
- //
- // FIXME: Handle cases where the configuration is set to 'auto' but
- // no bundles are configured. After addressing this, move the
- // initialization to the bottom for better organization.
 bundleDiscovery := bundle.NewDiscovery(dataDir, bundleRegistry)
- if err := bundleDiscovery.Init(); err != nil {
- return nil, err
- }
 // Create history keeper factory.
 historyFactory, err := createHistoryFactory()
@@ -733,7 +721,7 @@ func New(
 }
 // Create runtime provisioner.
- provisioner, err := createProvisioner(commonStore, identity, consensus, hostInfo, bundleRegistry, ias, qs)
+ provisioner, err := createProvisioner(commonStore, identity, consensus, hostInfo, ias, qs)
 if err != nil {
 return nil, err
 }
@@ -751,6 +739,11 @@ func New(
 bundleDiscovery: bundleDiscovery,
 }
+ // Fill the registry with local bundles.
+ if err := bundleDiscovery.Init(); err != nil {
+ return nil, err
+ }
+
 // Initialize the runtime registry.
 if err = r.Init(ctx); err != nil {
 return nil, err
From 0883633249cde608bc4a3ae90116e90386316ad0 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Tue, 7 Jan 2025 13:55:59 +0100
Subject: [PATCH 4/6] go/runtime/config: Add DebugMockTEE flag
---
 go/oasis-test-runner/oasis/network.go | 3 +--
 go/runtime/bundle/component.go | 5 -----
 go/runtime/config/config.go | 8 +++++++-
 go/runtime/registry/config.go | 9 +++++++--
 4 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/go/oasis-test-runner/oasis/network.go b/go/oasis-test-runner/oasis/network.go
index d558c0d02c4..6a099226241 100644
--- a/go/oasis-test-runner/oasis/network.go
+++ b/go/oasis-test-runner/oasis/network.go @@ -41,7 +41,6 @@ import ( "github.com/oasisprotocol/oasis-core/go/oasis-test-runner/log" "github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis/cli" roothash "github.com/oasisprotocol/oasis-core/go/roothash/api" - runtimeConfig "github.com/oasisprotocol/oasis-core/go/runtime/config" scheduler "github.com/oasisprotocol/oasis-core/go/scheduler/api" staking "github.com/oasisprotocol/oasis-core/go/staking/api" ) @@ -684,7 +683,7 @@ func (net *Network) startOasisNode( extraArgs = extraArgs.debugTCBLaxVerify() } if os.Getenv("OASIS_UNSAFE_MOCK_SGX") != "" { - cfg.Runtime.Environment = runtimeConfig.RuntimeEnvironmentSGXMock + cfg.Runtime.DebugMockTEE = true } } else { baseArgs = append(baseArgs, "--"+cmdFlags.CfgGenesisFile, net.GenesisPath()) diff --git a/go/runtime/bundle/component.go b/go/runtime/bundle/component.go index 2f5b9c54130..ac2bdb77982 100644 --- a/go/runtime/bundle/component.go +++ b/go/runtime/bundle/component.go @@ -132,11 +132,6 @@ func (c *Component) IsNetworkAllowed() bool { } } -// IsTEERequired returns true iff the component only provides TEE executables. -func (c *Component) IsTEERequired() bool { - return c.Executable == "" && c.ELF == nil && c.TEEKind() != component.TEEKindNone -} - // TEEKind returns the kind of TEE supported by the component. func (c *Component) TEEKind() component.TEEKind { switch { diff --git a/go/runtime/config/config.go b/go/runtime/config/config.go index b107fa810f1..6a6c322b401 100644 --- a/go/runtime/config/config.go +++ b/go/runtime/config/config.go 
@@ -79,10 +79,11 @@ type Config struct {
 // Path to the sandbox binary (bubblewrap).
 SandboxBinary string `yaml:"sandbox_binary,omitempty"`
- // Path to SGXS runtime loader binary (for SGX runtimes).
+ // Path to SGX runtime loader binary (for SGX runtimes).
 SGXLoader string `yaml:"sgx_loader,omitempty"`
 // The runtime environment (sgx, elf, auto).
+ // NOTE: This may go away in the future, use `DebugMockTEE` instead.
 Environment RuntimeEnvironment `yaml:"environment,omitempty"`
 // History pruner configuration.
@@ -117,6 +118,11 @@ type Config struct {
 //
 // If not specified, a default value is used.
 MaxBundleSize string `yaml:"max_bundle_size,omitempty"`
+
+ // DebugMockTEE enables mocking of the Trusted Execution Environment (TEE).
+ //
+ // This flag can only be used if the DebugDontBlameOasis flag is set.
+ DebugMockTEE bool `yaml:"debug_mock_tee,omitempty"`
 }
 // GetComponent returns the configuration for the given component
diff --git a/go/runtime/registry/config.go b/go/runtime/registry/config.go
index 4c86db8a334..d86aff68241 100644
--- a/go/runtime/registry/config.go
+++ b/go/runtime/registry/config.go
@@ -116,7 +116,13 @@ func createProvisioner(
 attestInterval := config.GlobalConfig.Runtime.AttestInterval
 sandboxBinary := config.GlobalConfig.Runtime.SandboxBinary
 sgxLoader := config.GlobalConfig.Runtime.SGXLoader
- runtimeEnv := config.GlobalConfig.Runtime.Environment
+ insecureMock := config.GlobalConfig.Runtime.DebugMockTEE
+
+ // Support legacy configuration where the runtime environment determines
+ // whether the TEE should be mocked.
+ if config.GlobalConfig.Runtime.Environment == rtConfig.RuntimeEnvironmentSGXMock {
+ insecureMock = true
+ }
 // Register provisioners based on the configured provisioner.
 provisioners := make(map[component.TEEKind]runtimeHost.Provisioner)
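Review bot: The comment on `Environment` still reads `(sgx, elf, auto)` after the `@@ -79,10 +79,11 @@` hunk, although `RuntimeEnvironmentELF` was removed in patch 2/6 and `sgx-mock` is still accepted by `Validate`. The added NOTE also sends every reader to `DebugMockTEE`, which replaces only the `sgx-mock` value. I would reword the two lines as `// The runtime environment (sgx, sgx-mock, auto).` and `// NOTE: This may go away in the future; use DebugMockTEE in place of sgx-mock.` The struct definition starts and ends outside the hunk.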
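Review bot: `insecureMock` is now resolved at the top of `createProvisioner`, but the `cmdFlags.DebugDontBlameOasis()` guard stays further down in the SGX part of the provisioner switch (see the `@@ -156,7 +162,6 @@` hunk), so the new `debug_mock_tee` option is rejected only on that one path. Whether the other switch cases or a TDX provisioner consume `insecureMock` is not visible here; failing closed right after the legacy block would make the restriction documented on `DebugMockTEE` hold on every path: `if insecureMock && !cmdFlags.DebugDontBlameOasis() { return nil, fmt.Errorf("debug_mock_tee requires use of unsafe debug flags") }`. Naming the option in the error also helps an operator find the offending setting. The function body continues outside the hunk.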
@@ -156,7 +162,6 @@ func createProvisioner(
 }
 // Configure the Intel SGX provisioner.
- insecureMock := runtimeEnv == rtConfig.RuntimeEnvironmentSGXMock
 if insecureMock && !cmdFlags.DebugDontBlameOasis() {
 return nil, fmt.Errorf("mock SGX requires use of unsafe debug flags")
 }
From 91146aa04a9d4d720e8e6ca9fbee263ce0ca4b51 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Tue, 7 Jan 2025 14:18:19 +0100
Subject: [PATCH 5/6] go/oasis-test-runner: Generalize OASIS_UNSAFE_MOCK_SGX flag
---
 .buildkite/code.pipeline.yml | 2 +-
 .changelog/5975.internal.md | 3 +++
 common.mk | 4 ++--
 go/oasis-test-runner/oasis/network.go | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/5975.internal.md
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
index e606e8cb57d..e41e0440595 100644
--- a/.buildkite/code.pipeline.yml
+++ b/.buildkite/code.pipeline.yml
@@ -354,7 +354,7 @@ steps:
 - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/runtime-encryption
 env:
 OASIS_TEE_HARDWARE: intel-sgx
- OASIS_UNSAFE_MOCK_SGX: "1"
+ OASIS_UNSAFE_MOCK_TEE: "1"
 OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
 OASIS_E2E_COVERAGE: enable
 TEST_BASE_DIR: /tmp
diff --git a/.changelog/5975.internal.md b/.changelog/5975.internal.md
new file mode 100644
index 00000000000..080da388134
--- /dev/null
+++ b/.changelog/5975.internal.md
@@ -0,0 +1,3 @@
+go/oasis-test-runner: Generalize OASIS_UNSAFE_MOCK_SGX flag
+
+Flag OASIS_UNSAFE_MOCK_SGX was renamed to OASIS_UNSAFE_MOCK_TEE.
diff --git a/common.mk b/common.mk
index 8c025abde4e..9a0cfa72cca 100644
--- a/common.mk
+++ b/common.mk
@@ -352,8 +352,8 @@ endif
 # https://goreleaser.com/customization/build/#define-build-tag
 export GORELEASER_CURRENT_TAG := $(RELEASE_TAG)
-# If mock SGX is configured, define extra runtime build flags.
-ifdef OASIS_UNSAFE_MOCK_SGX
+# If mock TEE is configured, define extra runtime build flags.
+ifdef OASIS_UNSAFE_MOCK_TEE
 OASIS_RUNTIME_NONSGX_FLAGS := --features debug-mock-sgx
 else
 OASIS_RUNTIME_NONSGX_FLAGS :=
diff --git a/go/oasis-test-runner/oasis/network.go b/go/oasis-test-runner/oasis/network.go
index 6a099226241..9155e482ba6 100644
--- a/go/oasis-test-runner/oasis/network.go
+++ b/go/oasis-test-runner/oasis/network.go
@@ -682,7 +682,7 @@ func (net *Network) startOasisNode(
 if os.Getenv("OASIS_UNSAFE_LAX_AVR_VERIFY") != "" {
 extraArgs = extraArgs.debugTCBLaxVerify()
 }
- if os.Getenv("OASIS_UNSAFE_MOCK_SGX") != "" {
+ if os.Getenv("OASIS_UNSAFE_MOCK_TEE") != "" {
 cfg.Runtime.DebugMockTEE = true
 }
 } else {
From 00d4b91fa1e4573f2a5b6aedff01bade4e8f95a3 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Wed, 8 Jan 2025 03:30:24 +0100
Subject: [PATCH 6/6] go/runtime/config: Support selection of TEE kind
---
 .changelog/5975.cfg.md | 47 ++++++++++++++++++
 go/runtime/bundle/component.go | 4 ++
 go/runtime/bundle/registry.go | 18 +++++++
 go/runtime/config/config.go | 68 ++++++++++++++++++++++++++
 go/runtime/host/composite/composite.go | 4 +-
 go/runtime/host/sgx/sgx.go | 2 +-
 go/runtime/host/tdx/qemu.go | 2 +-
 7 files changed, 141 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/5975.cfg.md
diff --git a/.changelog/5975.cfg.md b/.changelog/5975.cfg.md
new file mode 100644
index 00000000000..77f116a4ea8
--- /dev/null
+++ b/.changelog/5975.cfg.md
@@ -0,0 +1,47 @@
+go/runtime/config: Support selection of TEE kind
+
+The node operator can now specify the kind of Trusted Execution Environment
+(TEE) in which the runtime component should run. If no TEE is specified,
+it is automatically selected, with TDX and SGX taking precedence over ELF.
+
+The following configuration option has been deprecated:
+
+- `runtime.environment`
+
+The following configuration options have been added:
+
+- `runtime.debug_mock_tee` to enable TEE mocking for testing,
+
+- `runtime.runtimes.components.tee` to specify the TEE for a component.
+
+These changes affect the configuration of the client node if the runtime
+bundle contains both TEE and non-TEE binaries. In such cases, the node
+operator must explicitly configure the runtime to avoid running in a TEE
+environment.
+
+Configuring non-TEE Paratime Client Node:
+
+```
+mode: client
+# ... sections not relevant are omitted ...
+runtime:
+ paths:
+ - {{ runtime_orc_path }}
+ runtimes:
+ - id: {{ runtime_id }}
+ components:
+ - id: ronl
+ tee: none # Don't run in SGX or TDX!
+```
+
+Configuring TEE Paratime Client Node:
+
+```
+mode: client
+# ... sections not relevant are omitted ...
+runtime:
+ paths:
+ - {{ runtime_orc_path }}
+ sgx_loader: /node/bin/oasis-core-runtime-loader
+ # environment: sgx # Deprecated, can be removed.
+```
diff --git a/go/runtime/bundle/component.go b/go/runtime/bundle/component.go
index ac2bdb77982..ac3ad46126c 100644
--- a/go/runtime/bundle/component.go
+++ b/go/runtime/bundle/component.go
@@ -14,6 +14,10 @@ import (
 type ExplodedComponent struct {
 *Component
+ // TEEKind specifies the kind of Trusted Execution Environment (TEE)
+ // in which the component should run.
+ TEEKind component.TEEKind
+
 // Detached is true iff the bundle containing the component does not
 // include a RONL component.
 Detached bool
diff --git a/go/runtime/bundle/registry.go b/go/runtime/bundle/registry.go
index 18b581f976a..aa084249fd9 100644
--- a/go/runtime/bundle/registry.go
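Review bot: The new `TEEKind` field on `ExplodedComponent` has the same name as the `TEEKind()` method promoted from the embedded `*Component`, so `comp.TEEKind` is the operator-selected kind while `comp.Component.TEEKind()` is the kind declared by the bundle. Go resolves the selector to the shallower field, so a leftover `comp.TEEKind()` call should stop compiling, but a reader can still confuse the two values when deciding which one gates TEE placement. A distinct name such as `SelectedTEEKind`, or at least a comment line like `// NOTE: Shadows Component.TEEKind(), which reports the kind declared by the bundle.`, would keep the distinction visible. The struct continues outside the hunk.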
+++ b/go/runtime/bundle/registry.go @@ -17,6 +17,7 @@ import ( "github.com/oasisprotocol/oasis-core/go/config" cmdFlags "github.com/oasisprotocol/oasis-core/go/oasis-node/cmd/common/flags" "github.com/oasisprotocol/oasis-core/go/runtime/bundle/component" + rtConfig "github.com/oasisprotocol/oasis-core/go/runtime/config" ) // CfgDebugMockIDs configures mock runtime IDs for the purpose of testing. @@ -153,6 +154,22 @@ func (r *registry) AddBundle(path string, manifestHash hash.Hash) error { // Add components to the registry. for compID, comp := range components { + teeKind := comp.TEEKind() + if compCfg, ok := config.GlobalConfig.Runtime.GetComponent(bnd.Manifest.ID, compID); ok { + if kind, ok := compCfg.TEEKind(); ok { + teeKind = kind + } + } else { + // Support legacy configuration where the runtime environment determines + // whether the client node should run the runtime in an SGX environment. + isEnvAuto := config.GlobalConfig.Runtime.Environment == rtConfig.RuntimeEnvironmentAuto + hasSGXLoader := config.GlobalConfig.Runtime.SGXLoader != "" + insecureMock := config.GlobalConfig.Runtime.DebugMockTEE + if comp.ID().IsRONL() && config.GlobalConfig.Mode.IsClientOnly() && isEnvAuto && !hasSGXLoader && !insecureMock { + teeKind = component.TEEKindNone + } + } + runtimeComponents, ok := r.components[bnd.Manifest.ID] if !ok { runtimeComponents = make(map[component.ID]map[version.Version]*ExplodedComponent) @@ -167,6 +184,7 @@ func (r *registry) AddBundle(path string, manifestHash hash.Hash) error { componentVersions[comp.Version] = &ExplodedComponent{ Component: comp, + TEEKind: teeKind, Detached: detached, ExplodedDataDir: explodedDataDir, } diff --git a/go/runtime/config/config.go b/go/runtime/config/config.go index 6a6c322b401..a201def9433 100644 --- a/go/runtime/config/config.go +++ b/go/runtime/config/config.go 
@@ -65,6 +65,23 @@ const (
 RuntimeEnvironmentAuto RuntimeEnvironment = "auto"
 )
+// TEESelectMode is the selection mode for the Trusted Execution Environment (TEE).
+type TEESelectMode string
+
+const (
+ // TEESelectModeAuto specifies that the runtime should run in the most appropriate TEE.
+ TEESelectModeAuto TEESelectMode = ""
+
+ // TEESelectModeNone specifies that the runtime should run without using any TEE.
+ TEESelectModeNone TEESelectMode = "none"
+
+ // TEESelectModeSGX specifies that the runtime should run in an SGX environment.
+ TEESelectModeSGX TEESelectMode = "sgx"
+
+ // TEESelectModeTDX specifies that the runtime should run in a TDX environment.
+ TEESelectModeTDX TEESelectMode = "tdx"
+)
+
 // Config is the runtime registry configuration structure.
 type Config struct {
 // Runtimes is the list of runtimes to configure.
@@ -171,16 +188,61 @@ type RuntimeConfig struct {
 Repositories []string `yaml:"repositories,omitempty"`
 }
+// Validate validates the runtime configuration.
+func (c *RuntimeConfig) Validate() error {
+ for _, comp := range c.Components {
+ if err := comp.Validate(); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
 // ComponentConfig is the component configuration.
 type ComponentConfig struct {
 // ID is the component identifier.
 ID component.ID `yaml:"id"`
+ // TEE specifies the kind of Trusted Execution Environment (TEE)
+ // in which the component should run (none, sgx, tdx).
+ //
+ // If not provided, the TEE kind is selected automatically.
+ TEE TEESelectMode `yaml:"tee,omitempty"`
+
 // Disabled specifies whether the component is disabled. If a component is specified and not
 // disabled, it is enabled.
 Disabled bool `yaml:"disabled,omitempty"`
 }
+// Validate validates the component configuration.
+func (c *ComponentConfig) Validate() error {
+ switch c.TEE {
+ case TEESelectModeAuto:
+ case TEESelectModeNone:
+ case TEESelectModeSGX:
+ case TEESelectModeTDX:
+ default:
+ return fmt.Errorf("unknown TEE select mode: %s", c.TEE)
+ }
+
+ return nil
+}
+
+// TEEKind returns the kind of Trusted Execution Environment (TEE)
+// in which the component should run, if it is specified.
+func (c *ComponentConfig) TEEKind() (component.TEEKind, bool) {
+ switch c.TEE {
+ case TEESelectModeNone:
+ return component.TEEKindNone, true
+ case TEESelectModeSGX:
+ return component.TEEKindSGX, true
+ case TEESelectModeTDX:
+ return component.TEEKindTDX, true
+ default:
+ return 0, false
+ }
+}
+
 // UnmarshalYAML implements yaml.Unmarshaler.
 func (c *ComponentConfig) UnmarshalYAML(value *yaml.Node) error {
 switch value.ShortTag() {
@@ -251,6 +313,12 @@ func (c *Config) Validate() error {
 return fmt.Errorf("cannot specify more than 128 instances for load balancing")
 }
+ for _, rt := range c.Runtimes {
+ if err := rt.Validate(); err != nil {
+ return err
+ }
+ }
+
 return nil
 }
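Review bot: `ComponentConfig.Validate` in the `@@ -171,16 +188,61 @@` hunk reports `unknown TEE select mode: %s` without saying which component carries the bad value, and `RuntimeConfig.Validate` returns that error unwrapped. Wrapping it in the loop, e.g. `return fmt.Errorf("component %s: %w", comp.ID, err)`, and printing the operator-supplied string with `%q` makes a typo in `tee:` easy to locate in a multi-runtime configuration. In `TEEKind()` the fallback `return 0, false` uses a bare numeric literal for a `component.TEEKind`; the value is ignored by callers when the second result is false, so `return component.TEEKindNone, false` would read more clearly.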
diff --git a/go/runtime/host/composite/composite.go b/go/runtime/host/composite/composite.go
index c4b01124156..1cf0a5e2c88 100644
--- a/go/runtime/host/composite/composite.go
+++ b/go/runtime/host/composite/composite.go
@@ -203,9 +203,9 @@ func (p *provisioner) NewRuntime(cfg host.Config) (host.Runtime, error) {
 if comp == nil {
 return nil, fmt.Errorf("host/composite: component not available")
 }
- provisioner, ok := p.kinds[comp.TEEKind()]
+ provisioner, ok := p.kinds[comp.TEEKind]
 if !ok {
- return nil, fmt.Errorf("host/composite: provisioner for kind '%s' is not available", comp.TEEKind())
+ return nil, fmt.Errorf("host/composite: provisioner for kind '%s' is not available", comp.TEEKind)
 }
 return provisioner.NewRuntime(cfg)
 }
diff --git a/go/runtime/host/sgx/sgx.go b/go/runtime/host/sgx/sgx.go
index e57091ffe3b..0e13a0387cc 100644
--- a/go/runtime/host/sgx/sgx.go
+++ b/go/runtime/host/sgx/sgx.go
@@ -284,7 +284,7 @@ func (s *sgxProvisioner) getSandboxConfig(rtCfg host.Config, conn sandbox.Connec
 return cfg, nil
 }
- if comp.TEEKind() != component.TEEKindSGX {
+ if comp.SGX == nil {
 return process.Config{}, fmt.Errorf("component '%s' is not an SGX component", comp.ID())
 }
diff --git a/go/runtime/host/tdx/qemu.go b/go/runtime/host/tdx/qemu.go
index fd84008b48a..0c4fa961082 100644
--- a/go/runtime/host/tdx/qemu.go
+++ b/go/runtime/host/tdx/qemu.go
@@ -109,7 +109,7 @@ func (q *qemuProvisioner) getSandboxConfig(rtCfg host.Config, _ sandbox.Connecto
 if err != nil {
 return process.Config{}, err
 }
- if comp.TEEKind() != component.TEEKindTDX {
+ if comp.TDX == nil {
 return process.Config{}, fmt.Errorf("component '%s' is not a TDX component", comp.ID())
 }