intel / acon Goto Github PK

View Code? Open in Web Editor NEW

55.0 55.0 15.0 906 KB

License: Apache License 2.0

Shell 10.18% Go 37.35% Rust 51.78% C 0.69%

acon's People

Contributors

Stargazers

Watchers

Forkers

dcmiddle svenkata9 binxing xxu36 marcelamelara pdxjohnny yuhala jsun39 billionairiam ammarfaizi2 gmh5225 geminicarrie yanxue-intel xiangquanliu

acon's Issues

docs: How to use with k8s

Would be great to have some documentation or pointers to docs of how to use ACON as the container runtime with Kubernetes (as mentioned in https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Introducing-Attested-Containers/post/1539199)

TCP/vsock sockets allow a user to DoS a ACON TD belonging to a different user

Currently, we are forwarding a host TCP port to the acond TCP port on the guest. But TCP ports don't have access control, so any user logged in the host can connect to the TCP port of any ACON TD without its owner's permission. Vsock doesn't have access control either. That means some intrusive commands such as aconcli shutdown -f could allow one user to shutdown other users' ACON TDs.

A simple fix is to forward acond TCP port to a UNIX socket on the host. QEMU supports that option but we will need corresponding changes in aconcli. acond is NOT affected.

[aconcli] Encounter `unknown directive: toolchain` when fix GitHub Action errors

[liangma1@td-enclave aconcli]$ go clean
go: errors parsing go.mod:
/home/liangma1/github/ACON/aconcli/go.mod:5: unknown directive: toolchain

[OpenID test] `aconcli invoke` has no output

[sgx@sgx-emr02 test]$ ./aconcli invoke -c :5532 -e 2 CheckUid
2024/06/20 09:58:53 Service: Connecting :5532

Which works normally in --nologin mode.

[samples] `README.md` should be modified to suit the latest change

We don't have the sample-acon-startvm file now, so the caption The sample-acon-startvm file here is a QEMU VM start script which can be used as a reference when launching the server. is not suitable now.

ACON: Enable happy path test

Tasks

Build acond using scripts/acon-build.env script in happy path.
Add image spec test in happy path.
Add get quote test cases

acond: FIPS and Reproducible build

This issue captures/discusses options for building acond to achieve

Minimal TCB size
FIPS-140-3 compliance
Reproducible build

Minimal TCB Size

The objective is to achieve minimal initrd image but NOT acond binary.

Generally, static linking yields smaller acond binary because unused functions from standard libraries (e.g., libc, libssl, etc.). But the user may copy additional executables into initrd for functionalities like disk encryption or SSH support, and in those cases dynamic linking may reduce the overall size by sharing common libraries among all the executables.

Linking `acond` Statically

The size of libc affects acond binary size significantly. musl-libc is famous for its small size (when compared with glibc) so is preferred.

The easiest way to build acond as a static executable is to build it on musl based Linux distro like Alpine, using Rust target x86_64-unknown-linux-musl.

cargo build --release --target x86_64-unknown-linux-musl

Please note rustc generates statically linked PIE (Position Independent Executable) on musl target by default. PIEs must be relocated before being executed, hence acond by default still requires the dynamic linker (which is the musl libc shared object) to run. The flag -Crelocation-model=static instructs rustc to create the executable with a fixed base address to avoid depending on the dynamic linker.

Linking `acond` Dynamically

The command below links acond to the system libraries dynamically.

CARGO_BUILD_RUSTFLAGS=-Ctarget-feature=-crt-static cargo build --release

The flag -Ctarget-feature=-crt-static is necessary on musl targets where static linking is the default.

FIPS Compliance

OpenSSL is undergoing the certification process and likely to be the first crypto library to receive FIPS-140-3 certificates.

OpenSSL is certifying its FIPS module (fips.so), meaning any application must use the FIPS module as-is to stay compliant with FIPS, and that implies dynamic linking.

OpenSSL is only validated on Ubuntu and Debian distros, so a FIPS compliant acond must be built on Ubuntu/Debian.

Reproducible Build

nix seems the solution at first glance. However, it provides only glibc based OpenSSL (i.e., no musl based OpenSSL) build in its repo without static OpenSSL libs. With that said, the only choice on nix is to dynamically link to glibc, and that makes initrd much bigger. It also lacks FIPS support.

An alternative is the rust container, which has a tag for every rust release on every supported Linux distro. Builds seem reproducible for acond source. Please note such reproducibility is incomplete as it cannot prove the external libs (libc and OpenSSL libs) were built from particular source. We will have to rely on the Linux distro for reproducibility of those libs.

Conclusion/Proposal

Both static and dynamic linking should be supported.

Use rust:alpine container for small TCB builds. Both static and dynamic linking supports are needed.
- Publish rust and Alpine version for each ACON release - e.g., rust:1.72.0-alpine3.18.
- Alpine keeps only the latest version of every package in its official repo. We will need to capture (make a copy of) the dependent packages (musl-dev, openssl-dev, openssl-libs-static, and protobuf-dev) for each ACON release.
Use rust:slim container for FIPS builds. Only dynamic linking support is needed.
- Publish rust and Debian codename for each ACON release - e.g., rust:1.72.0-bookworm.
- Debian keeps all versions of every package in its repo, so no need to keep copies of dependent packages here.

Tasks

@billionairiam - Implement above build processes (static and dynamic linking on rust:alpine and dynamic linking on rust:slim) in CI/CD.
@binxing - Clean up acond's Makefile and README.md to describe the above processes.
@binxing - Create a script to capture dependent .apk files on Alpine - See #15
~~@binxing - Create a script to capture exact versions of .deb packages on Debian~~ - Tracked by a separate issue (#4) as FIPS support is out of scope for the upcoming release.

[`aconcli`] Suggested to remove `EntrypointName` from `config.go`

Seems we don't need it in our current image spec.

acond/aconcli: Add signal/kill interface

Per latest image spec, an ACON container image may specify a list of "safe" signals that could be sent to the container process by untrusted code. acond should provide an interface for sending such signals and aconcli should provide a command line interface.

acond: define Signal/Kill interface including the corresponding structures in proto file
acond: implement Signal/Kill interface
aconcli: implement Signal/Kill command line

[`acond`] Encountered `gosu` issues when enable `postgreSQL`

The entrypoint script for postgreSQL runs the command exec gosu postgres "$BASH_SOURCE" "$@", resulting in the error message: error: failed switching to "postgres": invalid argument.

The /etc/passwd file in the PostgreSQL Docker container contains the following entries:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
postgres:x:999:999::/var/lib/postgresql:/bin/bash

Additionally, the user ID 999 has been added to the JSON file.

Running either exec gosu postgres:postgres "$BASH_SOURCE" "$@" or exec gosu 999:999 "$BASH_SOURCE" "$@" would resolve the issue, but these commands would modify the scripts. It appears that gosu might interpret the first command as an attempt to switch to a user named "postgres" without specifying a group.

[acond] Encounter `apr_sockaddr_info_get() failed for vm` error when enable apache httpd docker

Below is the log info:

EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
NET: Registered PF_PACKET protocol family
NET: Registered PF_VSOCK protocol family
IPI shorthand broadcast: enabled
sched_clock: Marking stable (28325170, 1904684)->(49526218, -19296364)
Sending DHCP requests ., OK
IP-Config: Got DHCP answer from 10.0.2.2, my address is 10.0.2.15
IP-Config: Complete:
     device=eth0, hwaddr=52:54:00:12:34:56, ipaddr=10.0.2.15, mask=255.255.255.0, gw=10.0.2.2
     host=vm, domain=, nis-domain=(none)
     bootserver=10.0.2.2, rootserver=10.0.2.2, rootpath=
     nameserver0=10.0.2.3
Freeing unused kernel image (initmem) memory: 1144K
Write protecting the kernel read-only data: 8192k
Freeing unused kernel image (rodata/data gap) memory: 1488K
Run /init as init process
mount_fstab: Mounted /proc
mount_fstab: Mounted /dev
mount_fstab: Mounted /dev/pts
mount_fstab: Mounted /sys
mount_fstab: Mounted /tmp
mount_fstab: Mounted /run
mount_fstab: Mounted /shared
dm_format: dmsetup not found -- vda@
2024/01/09 09:50:55 Service: Connected
Failed to open /dev/tdx_guest
Failed to open /dev/tdx_guest
2024/01/09 09:50:55 Received ACON Manifest, ID: sha384/433834aed76eb2531dfbea9447157e61507652c52ac83e11f570442d52aa56cdffd4579fa588204e99daf81056edc419/9cf2d02e1d88c15c1475367149ecfb93a10e7eb77c8609166f460990ad246a60d7dea8acb4a93c0c44acf69fec2b8673
2024/01/09 09:50:55 Missing layers:
2024/01/09 09:50:55     [0]: "sha384/bb05751aa7b6532b77bc34d7bf07c8af59a8128a98f58d2d7ffec931519f0510767996ee0638453ce699d674bc51ebe6"
2024/01/09 09:50:55     [1]: "sha384/3975adffa1ade28bfb2dc784c514018f92a46c45051a62c4c7df5ee1a3ecfb0c6efc9a0c4c7eb6ef3b4801f2c6b37db3"
2024/01/09 09:50:55     [2]: "sha384/ccdfa1aec6214bf6db74b4addaca7f87ab5980bcfdbf6f5fcab8d8425bc2169ca3bc9dd6046b26e4b1da6ba33c31dfb0"
2024/01/09 09:50:55     [3]: "sha384/53865452755cde5d2af5c0124565a435477854acb6cf77d9dee39628efd864946d96314efe26e0093cb05d78ec907a02"
2024/01/09 09:50:55     [4]: "sha384/36dbb6375e6a827e59967a1265b5e3fde04539093ef72c4940c6ceefc296d4246b7143bf791ac11945f602ba1b5b42b4"
2024/01/09 09:50:55     [5]: "sha384/8d245d4771a1704535982c6d995bb386eddbd94c2c7318cfbc3320893aa6beb0b761469eb799135dad7cb6c75022ef76"
2024/01/09 09:50:55     [6]: "sha384/53b002a6893ca33e6340c0f50ba63b4da1ef97824363a7637e604f3e54f775c150aac1c3071036904b9cfa691a05c164"
2024/01/09 09:50:57 Added File System Layer: sha384/bb05751aa7b6532b77bc34d7bf07c8af59a8128a98f58d2d7ffec931519f0510767996ee0638453ce699d674bc51ebe6
2024/01/09 09:50:57 Added File System Layer: sha384/3975adffa1ade28bfb2dc784c514018f92a46c45051a62c4c7df5ee1a3ecfb0c6efc9a0c4c7eb6ef3b4801f2c6b37db3
2024/01/09 09:50:57 Added File System Layer: sha384/ccdfa1aec6214bf6db74b4addaca7f87ab5980bcfdbf6f5fcab8d8425bc2169ca3bc9dd6046b26e4b1da6ba33c31dfb0
2024/01/09 09:50:57 Added File System Layer: sha384/53865452755cde5d2af5c0124565a435477854acb6cf77d9dee39628efd864946d96314efe26e0093cb05d78ec907a02
2024/01/09 09:50:58 Added File System Layer: sha384/36dbb6375e6a827e59967a1265b5e3fde04539093ef72c4940c6ceefc296d4246b7143bf791ac11945f602ba1b5b42b4
2024/01/09 09:50:58 Added File System Layer: sha384/8d245d4771a1704535982c6d995bb386eddbd94c2c7318cfbc3320893aa6beb0b761469eb799135dad7cb6c75022ef76
2024/01/09 09:50:58 Added File System Layer: sha384/53b002a6893ca33e6340c0f50ba63b4da1ef97824363a7637e604f3e54f775c150aac1c3071036904b9cfa691a05c164
2024/01/09 09:50:58 Started ACON Instance, ID: 2
AH00557: httpd: apr_sockaddr_info_get() failed for vm
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00091: httpd: could not open error log file /proc/self/fd/2.
AH00015: Unable to open logs

[`aconcli`&`scripts`] Environment variable `ATD_TCPFWD` will be overridden by `aconcli`

The ATD_TCPFWD env set by command line will be overridden by the function below:

func prepareEnvTcp(connTarget string) []string {
	return []string{
		fmt.Sprintf("ATD_TCPFWD=%v:1025", connTarget)}
}

acond/aconcli: Add remote attestation sample code

An example is needed to showcase remote attestation flow. The example could be comprised of a trusted server and an untrusted client. The server runs in an ACON container while the client mimics a RRP (Remote Relying Party) that verifies the quote. Below is the proposed workflow of the example.

Start the ACON container containing the server part of the example.
The server starts and listens on some TCP port.
The untrusted client connects to the server requesting a quote.
The server requests a quote via the Unix socket exposed by acond, along with some unique info as the "attestation data".
The server receives the quote in return and responds to the client with the quote.
The client verifies the quote and extracts/displays the ID (in the form of HASH/SIGNER/MANIFEST) of the ACON container and the associated attestation data (set by the server in step 4).

Tasks

acond: Add Quote support.
@xiangquanliu: Wrap/Revise the trusted part of the existing TDX attestation example into an ACON container for quote generation.
@xxu36: Revise existing untrusted code to verify quote from ACON container.
@xxu36: Extract attestation from quote
~~[ ] @xxu36: Save Quote along with RTMR log and report data - in JSON format?~~
aconcli: Add command line option to generate a quote (in lieu of a REPORT).
@xxu36 & @xiangquanliu: samples/quote/README.md to describe how to build/run sample code.
Sample code paths - samples/quote/container/ and samples/quote/client/?

[`aconcli`] Build error

When I run go generate && go build
It will report

# aconcli/service
service/service.go:160:13: r.GetReport undefined (type *__.ReportResponse has no field or method GetReport)

And I didn't find GetReport function in struct ReportResponse , Maybe the interface changed.

[sample/quote] Need to modify writableFS's value to 'true' in server.json

Default writableFS value is 'false' in sample/quote's manifest, which caused failure of running workload.

[`Acond`] Encounter `chown` issues when enabling `MySQL` container

When I run MySQL docker as a mysql user inside Acon.
I encountered a chown issues:

find: '/var/lib/mysql-files': Permission denied
chown: changing ownership of '/var/run/mysqld': Invalid argument
chown: changing ownership of '/var/run/mysqld/.wh..wh..opq': Invalid argument
chown: changing ownership of '/var/lib/mysql-files': Invalid argument
chown: changing ownership of '/var/lib/mysql/': Invalid argument
chown: changing ownership of '/var/lib/mysql/.wh..wh..opq': Invalid argument
chown: changing ownership of '/var/lib/mysql/auto.cnf': Invalid argument
chown: changing ownership of '/var/lib/mysql/binlog.index': Invalid argument
chown: changing ownership of '/var/lib/mysql': Invalid argument
chown: changing ownership of '/var/lib/mysql/.wh..wh..opq': Invalid argument
chown: changing ownership of '/var/lib/mysql/auto.cnf': Invalid argument
chown: changing ownership of '/var/lib/mysql/binlog.index': Invalid argument

It seems that the entrypoint script will give the user mysql root authority which is
not allowed.

Maybe it is caused by the pty

o	sh: cannot set terminal process group (-1): Inappropriate ioctl for device
o	sh: no job control in this shell
o	sh: /root/.profile: Permission denied

Tasks

Create symlinks (/dev/fd, /dev/stdin, /dev/stdout, /dev/stderr) in acond
Create symlinks (/dev/fd, /dev/stdin, /dev/stdout, /dev/stderr) in sample /init script file

scripts: Reproduce build env on Debian

OpenSSL seems certifying its FIPS module on Debian/Ubuntu only. Building acond on Debain (and generating an initrd image from Debian docker image) seems necessary for a FIPS compliant build.

This issue tracks tasks necessary for reproducing acond on Debian, as well as FIPS related discussions.

`acond`: Proposed to add `lib.rs` file

In Rust, the lib.rs file plays a significant role in defining the behavior and public API of a Rust library crate.
When I was doing fuzz tests for acond using cargo fuzz, I needed to add lib.rs manually to reuse the codes.

Defining Library Modules: lib.rs is typically the entry point for defining the modules and code that make up your library. It acts as the root module of your crate. You organize your code into modules and submodules within this file.

Public API Definition: It defines the public API of your library by marking modules, functions, and types as pub (public). Anything marked as pub in lib.rs is accessible to external code that depends on your library.

Re-Exporting: You can re-export items (functions, types, modules) from other modules within your crate or even from external dependencies. This allows you to present a clean and coherent public API.

Dependencies and Imports: You declare your external dependencies and import them in lib.rs. This makes it clear what your library depends on and which external symbols are used within your library.

Entry Point for Tests and Examples: If you include tests and examples within your library crate (typically in the same directory as lib.rs), this file is often used as the entry point for running tests and examples associated with the library.

[OpenID test] aconcli run command not support `--nologin`

[sgx@sgx-emr02 test]$ ./aconcli run --nologin
Error: unknown flag: --nologin
Usage:
  aconcli run [manifest]... [flags]

Flags:
  -A, --all                load/start all images in the current ACON image repo
  -a, --auto               load dependencies automatically
  -c, --connect string     connect target url
      --env strings        set environment variables inside new containers
  -f, --file string        path to the executable for launching ACON TD/VM (default "/home/sgx/maliang/ACON/test/acon-startvm")
      --finalize           finalize the process of loading images to ACON TD/VM (default true)
  -h, --help               help for run
  -i, --interactive        run ACON TD/VM in foreground (usually for debugging)
  -l, --loadonly strings   load (but do not start) the specified images
  -n, --new                start a new ACON TD/VM
  -p, --proxy string       http proxy for ACON VM
  -t, --timetolive int     shut down the TD/VM after being idle for specified number of seconds (default 60)
  -u, --user string        user ID for OpenID authentication

Global Flags:
  -C, --directory string   change working directory before performing any operations

aconcli: Issues in command line syntax/flags

This issue tracks several (minor) problems in aconcli command line syntax/flags. These problems should be easy to fix.

[scripts] `start_rust_buildenv` can't work in GitHub actions

start_rust_buildenv use

docker run $RM -it --name $cname --label ACON=$ACON -v $ACON:/acon -w /acon/acond \
                -e HTTPS_PROXY -e https_proxy ${U:+-e U=${U/#.*/$(id -u):$(id -g)}} $rustimg sh -c "
                . /etc/os-release || {
                    echo -e \"${_err}/etc/os-release: Not found\" >&2
                    exit 1
                }

to start a container which will cause Error "The input device is not a TTY".
So I suggest use docker run $RM -i instead.
2. When the action starts, it will delete the repo and redownload it. but it doesn't have enough permission to delete the folder of scripts/deps.

[Doc] Broken link in aconcli README

ACON/aconcli/README.md

Line 23 in e0b78f5

    
           All supported `aconcli` usages and detailed descriptions can be found [here](https://github.com/intel-innersource/frameworks.security.confidential-computing.tee.td-enclave/blob/master/doc/Utility.md).

refers to an intel internal link for Utility.md, so I thought it is just a minor issue to fix the link to external (this) repo,, but, I could not find the file even in the internal repo.

Could you also review all the other links to make sure we are good?

@binxing @xxu36

The kernel panic occurs when adding blobs using image layer with size 0

The panic seems to be triggered by acond code (src/server.rs) at line 237, where it attempts to unwrap a ‘None‘’ value.

blobs details:
[tdx@localhost .acon]$ ll blobs/sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b.tar -rw------- 1 tdx tdx 0 Apr 1 14:39 blobs/sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b.tar

painc details:
2024/04/01 15:28:03 Missing layers:
2024/04/01 15:28:03 [0]: "sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
2024/04/01 15:28:03 [1]: "sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
2024/04/01 15:28:03 [2]: "sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
2024/04/01 15:28:03 [3]: "sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b"
2024/04/01 15:28:03 AddBlob, URL:
https://:10020/api/v1/blob/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b.tar?alg=2
2024/04/01 15:28:03 build multiform for data using 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b.tar ...
thread 'main' panicked at src/server.rs:237:44:
called Option::unwrap() on a None value
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
traps: acond[1] general protection fault ip:7fd99a396719 sp:7ffebe75cb60 error:0 in acond[7fd99a1b8000+4e1000]
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
CPU: 0 PID: 1 Comm: acond Not tainted 6.3.0-rc6-tde-20230418-00119-gdb5e84a614bb #3
Call Trace:

0xffffffffaed059c7
0xffffffffae8a5a03
0xffffffffae8aa290
0xffffffffae8aa5fc
0xffffffffae8b5552
0xffffffffae816679
? 0xffffffffae8b2bd6
0xffffffffae908bea
0xffffffffaed2f719
0xffffffffaed2bcd5
0xffffffffaee011c6
RIP: 0033:0x00007fd99a396719
Code: 00 00 4c 89 c6 48 63 78 30 b8 c8 00 00 00 0f 05 b8 0e 00 00 00 48 8d 74 24 08 bf 01 00 00 00 48 c7 44 24 08 20 00 00 00 0f 05 bf 09 00 00 00 e8 c2 49 00 00 bf 7f 00 00 00 e8 a9 7d 00 00 53
RSP: 002b:00007ffebe75cb60 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00007fd99a396719
RDX: 0000000000000000 RSI: 00007ffebe75cb68 RDI: 0000000000000001
RBP: 00007ffebe75e068 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fd99a749048 R14: 00007fd99a0fd230 R15: 0000000000000000

Kernel Offset: 0x2d800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
2024/04/01 15:28:13 Failed, AddBlob sha384/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b: AddBlob: error send request: Put "
https://:10020/api/v1/blob/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b.tar?alg=2":
context deadline exceeded (Client.Timeout exceeded while awaiting headers)

[`scripts`] Could not set up host forwarding rule 'tcp::5532-:1025'

When I execute the following command on the main brach:

ATD_RD=initrd.img ATD_BIOS=OVMF.fd ATD_KERNEL=kernel.img ./aconcli run -n "$docker_id.json" -f "$acon_root/scripts/acon-startvm" -c :5532 -i

I received the following output:

ATD          = (not set)   # launch vm
ATD_QEMU     = qemu-kvm    # QEMU executable
ATD_CID      = (not set)   # VSOCK CID
ATD_MEMSZ    = 1g          # memory size
ATD_NVP      = 1           # number of virtual processors
ATD_TCPFWD   = 5532:1025   # TCP port forwarding rules
ATD_BIOS     = OVMF.fd     # BIOS image path
ATD_RD       = initrd.img  # initrd image path
ATD_KERNEL   = kernel.img  # kernel path
ATD_KPARAMS  = (not set)   # additional kernel cmdline parameters
qemu-kvm: -nic user,model=virtio,ipv6=off,ipv4=on,hostname=vm,hostfwd=tcp::5532-:1025: Could not set up host forwarding rule 'tcp::5532-:1025'
2023/11/01 09:29:03 Created Virtual Machine, PID: 1497681, Connection: tcp://:5532
2023/11/01 09:29:03 Service: Connecting tcp://:5532
Run: cannot connect to tcp://:5532: context deadline exceeded
Error: context deadline exceeded
Usage:
  aconcli run [manifest]... [flags]

Flags:
  -A, --all                load/start all images in the current ACON image repo
  -a, --auto               load dependencies automatically
  -c, --connect string     connect target url
      --env strings        set environment variables inside new containers
  -f, --file string        path to the executable for launching ACON TD/VM (default "/home/liang/ACON/test/acon-startvm")
  -h, --help               help for run
  -i, --interactive        run ACON TD/VM in foreground (usually for debugging)
  -l, --loadonly strings   load (but do not start) the specified images
  -n, --new                start a new ACON TD/VM
  -t, --timetolive int     shut down the TD/VM after being idle for specified number of seconds (default 60)

Global Flags:
  -C, --directory string   change working directory before performing any operations

2023-11-01 09:29:33+08:00 [ERROR] Run TDVM error will stop ACON instances

The main problem is Could not set up host forwarding rule 'tcp::5532-:1025', But I don't know the root cause.

Unexpected errors while running `make clean` under samples/quote.

Steps to reproduce:

Go to directory under samples/quote.
Run make clean and will get error like below.
docker rmi -f sampleserver
Error response from daemon: No such image: sampleserver:latest

Expected:
Not let users to see errors like this?

acond: Handle HTTP requests in deprivileged process

As a defense-in-depth measure, the HTTP server should be hosted in a deprivileged process separate from the main acond process.

When using a higher version(26.0.0) of Docker, aconcli generates an FS layer with a size of 0

[tdx@localhost quote]$ make
openssl ecparam -genkey -name secp384r1 -out signer.pem
openssl req -x509 -sha384 -key signer.pem -out signer.cer -outform der -subj /CN=self-signed-signer.pem
aconcli init
Initialized empty ACON repository in .acon
docker build -t sampleserver -f server/Dockerfile /home/tdx/ACON/samples/quote/../..
[+] Building 2.8s (11/11) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 535B 0.0s
=> [internal] load metadata for docker.io/library/alpine:latest 2.6s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [builder 1/5] FROM docker.io/library/alpine:latest@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 357B 0.0s
=> CACHED [builder 2/5] RUN
apk update && apk add g++ libc++-static 0.0s
=> CACHED [builder 3/5] WORKDIR /work 0.0s
=> CACHED [builder 4/5] COPY sdk/ samples/quote/server/ ./ 0.0s
=> CACHED [builder 5/5] RUN c++ -std=c++14 -Os -static-pie -flto -Iinclude/ -Wl,--gc-sections,-s src/*.cpp -o quote_server 0.0s
=> CACHED [stage-1 1/1] COPY --from=builder /work/quote_server / 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:6b45e840f5cd5169b6ebed7ce7f5f791dd032b717d43ec57b59d2498828dfd24 0.0s
=> => naming to docker.io/library/sampleserver 0.0s
aconcli generate -i sampleserver server.json
aconcli sign -k signer.pem -c signer.cer server.json
CGO_ENABLED=0 go -C client build -v

[tdx@localhost quote]$ ll .acon/blobs/sha384/
total 0
-rw------- 1 tdx tdx 0 Apr 2 16:33 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b.tar

[sgx@sgx-emr02 test]$ ./aconcli status --nologin

Total Runing ACON VMs: [1246473]
Inspect Virtual Machine: 1246473
2024/06/13 13:51:00 Service: Connecting :5532
******* TLS *******
e244c4efd3a8efd96f26332cc679018e58747085199c2219bbc0f7abf07ff9bad71c6599ef404c36dc9085cd012647aa
******* TLS *******

Total 1 ACON container(s) in VM :5532
[0]     Instance ID:            2
        Instance state:         S
        Instance wstatus:       0
        Instance bundle ID:     sha384/147157f71c3b/42e8a94a71a2
        Instance exe path:      sh[/bin/sh]

Below is the invoke output:

[sgx@sgx-emr02 test]$ ./aconcli invoke -c :5532 -e 1246473 Whoami --nologin
2024/06/13 13:50:13 Service: Connecting :5532
******* TLS *******
e244c4efd3a8efd96f26332cc679018e58747085199c2219bbc0f7abf07ff9bad71c6599ef404c36dc9085cd012647aa
******* TLS *******
Invoke: cannot call 'invoke' service: Invoke: error read response: http status: 400 Bad Request
Error: Invoke: error read response: http status: 400 Bad Request
Usage:
  aconcli invoke custom_command [args]... [flags]

Flags:
  -c, --connect string     protocol/address of the ACON TD/VM
  -e, --container uint32   the ACON container to execute the custom command
  -h, --help               help for invoke
  -i, --input string       optional file serving as stdin to the command
  -s, --size uint          capture up to this number of bytes of the command output (default 131072)
  -t, --timeout uint       capture up to this number of seconds of the command output (default 30)

Global Flags:
  -C, --directory string   change working directory before performing any operations
      --nologin            if set, login as an anonymous user

`acond`: Debug mode does not display log information

When I use ./aconcli run -n mysql.json -c :5531 -i in testing MySQL docker.
It didn't show the log information.

EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
NET: Registered PF_PACKET protocol family
NET: Registered PF_VSOCK protocol family
IPI shorthand broadcast: enabled
sched_clock: Marking stable (37541887, 1485813)->(48471238, -9443538)
Sending DHCP requests ., OK
IP-Config: Got DHCP answer from 10.0.2.2, my address is 10.0.2.15
IP-Config: Complete:
     device=eth0, hwaddr=52:54:00:12:34:56, ipaddr=10.0.2.15, mask=255.255.255.0, gw=10.0.2.2
     host=vm, domain=, nis-domain=(none)
     bootserver=10.0.2.2, rootserver=10.0.2.2, rootpath=
     nameserver0=10.0.2.3
Freeing unused kernel image (initmem) memory: 1144K
Write protecting the kernel read-only data: 8192k
Freeing unused kernel image (rodata/data gap) memory: 1488K
Run /init as init process
[Acond]: 2023/09/25 12:25:13 Service: Connected
TDX attestation device /dev/tdx_guest doesn't exist.
TDX attestation device /dev/tdx_guest doesn't exist.
2023/09/25 12:25:13 Received ACON Manifest, ID: sha384/7da649d544ac33643c9f1142e3a019bdc642cdd0739fe90d84e5c1eb84bae7845d5de83dec5c59cc1179d7f729b87ebb/0ca91674eb63246d4bb151aebae145691f0e17c56d7ae3c4471fa552337292ea2228ed1f37b5861c81bc4fed3ca4f0ea
2023/09/25 12:25:13 Missing layers:
2023/09/25 12:25:13     [0]: "sha384/b7c8706658cf91b7801dca37a2d05740a7b11ee8c5d037f443e46753b38d4e7d3b1ca6ff06f76fcb715a248cc8d50a8b"
2023/09/25 12:25:13     [1]: "sha384/0149d141f97502ad71720cd69ec9656aaacd324b7dff8ff41eb3efbcd4c228f35883edca55304187a1bd25e5ba2d754f"
2023/09/25 12:25:13     [2]: "sha384/a2afbb4096618cbffb17bcf2ac798b111633d869546d1fa36fb9f829e9f1fec46f4146651665f30e1d16f09fef47c294"
2023/09/25 12:25:13     [3]: "sha384/85a6423ba82b8284771ae13f899c6dde0d8ca796faea7aa1f3ae14c8b9807412eb7e6af04df5c1699bba200df80a5bfe"
2023/09/25 12:25:13     [4]: "sha384/9efd3437b3db299ed240b2fce4fde2f8edeaab0a2d8f42f20a7d9799d167c0dbc3dd5396781609f8cf258647fa0a0bcd"
2023/09/25 12:25:13     [5]: "sha384/5d0d873bd24814b55d9db4952077f846af1fcf5f86feaba2ca221d86fe6141f4cf9e2e8eef53602b3525b1b215e5fdf5"
2023/09/25 12:25:13     [6]: "sha384/f65eb4977058a86518f24cd5ba592e2d90edf8496c711d63a565d4aacb6a3f8961b0bafff73260b326d5efa0216859cd"
2023/09/25 12:25:13     [7]: "sha384/83702d88ce0addf0e6345713df2127aecd983c2284c909846d10de729f83c85dc02fa26a1fc698c2948235275045fb2c"
2023/09/25 12:25:13     [8]: "sha384/44bf0b8267c837ea9b202648078929dd6740c3bcf8ab2b5a59cb325725985e0369a943b2ef77bf50bfb04c3ff28e9af5"
2023/09/25 12:25:13     [9]: "sha384/df46188ca0634b742bb753a87a40c8edd92b27f73c28ca9a3e6d1b525427e0fd101dc99be37fca9328e4a6bf32405282"
2023/09/25 12:25:13     [10]: "sha384/687a1ca750ce7fa2a3e33ea1a80bc628d6235da403a842a89caa184c0d76de92f21c876d4ba810817425b61a538e167e"
2023/09/25 12:25:13     [11]: "sha384/5c27586d7317cb37f8776e07492e6f574bcc1825095f3d44d86446ab918467aa99a8e15c1a1be821fd23686459e783b3"
2023/09/25 12:25:13     [12]: "sha384/d07418ad4d1276406705d788b3de330d37bc3a53715b7ecf8a30b520e14a585bdc67af6a4ec3f08de8c47b13268b813f"
2023/09/25 12:25:13     [13]: "sha384/ccdfa1aec6214bf6db74b4addaca7f87ab5980bcfdbf6f5fcab8d8425bc2169ca3bc9dd6046b26e4b1da6ba33c31dfb0"
2023/09/25 12:25:13     [14]: "sha384/19c51e65b988841ab3160392c36dcb0986b8223ed1fb14dae601fa9a82e1bb220392a9b28d4fdb3391889bca564d5a10"
2023/09/25 12:25:13     [15]: "sha384/1bdcf953c2b1bb5053c5076a8b6c304cee319320449adc0f23f8b8a82c9b0996b967f8ae971d7c7d65b39d92b51e8ff4"
2023/09/25 12:25:13     [16]: "sha384/6f2c79b05d8ed5a51cb3be5d03796ebe887fa987cc5e4e0a938913cdac75680587d6af32f9dd8fdb9b8c25aaf17c2cf9"
2023/09/25 12:25:13     [17]: "sha384/83a56f80a8fd8c81e23ceccaf5558e0defcb039115d603d2040640c49794d5848322e22237f6f4cf68ad84ccd5ffadc1"
2023/09/25 12:25:14 Added File System Layer: sha384/b7c8706658cf91b7801dca37a2d05740a7b11ee8c5d037f443e46753b38d4e7d3b1ca6ff06f76fcb715a248cc8d50a8b
2023/09/25 12:25:14 Added File System Layer: sha384/0149d141f97502ad71720cd69ec9656aaacd324b7dff8ff41eb3efbcd4c228f35883edca55304187a1bd25e5ba2d754f
2023/09/25 12:25:14 Added File System Layer: sha384/a2afbb4096618cbffb17bcf2ac798b111633d869546d1fa36fb9f829e9f1fec46f4146651665f30e1d16f09fef47c294
2023/09/25 12:25:14 Added File System Layer: sha384/85a6423ba82b8284771ae13f899c6dde0d8ca796faea7aa1f3ae14c8b9807412eb7e6af04df5c1699bba200df80a5bfe
2023/09/25 12:25:14 Added File System Layer: sha384/9efd3437b3db299ed240b2fce4fde2f8edeaab0a2d8f42f20a7d9799d167c0dbc3dd5396781609f8cf258647fa0a0bcd
2023/09/25 12:25:14 Added File System Layer: sha384/5d0d873bd24814b55d9db4952077f846af1fcf5f86feaba2ca221d86fe6141f4cf9e2e8eef53602b3525b1b215e5fdf5
2023/09/25 12:25:16 Added File System Layer: sha384/f65eb4977058a86518f24cd5ba592e2d90edf8496c711d63a565d4aacb6a3f8961b0bafff73260b326d5efa0216859cd
2023/09/25 12:25:16 Added File System Layer: sha384/83702d88ce0addf0e6345713df2127aecd983c2284c909846d10de729f83c85dc02fa26a1fc698c2948235275045fb2c
2023/09/25 12:25:19 Added File System Layer: sha384/44bf0b8267c837ea9b202648078929dd6740c3bcf8ab2b5a59cb325725985e0369a943b2ef77bf50bfb04c3ff28e9af5
2023/09/25 12:25:19 Added File System Layer: sha384/df46188ca0634b742bb753a87a40c8edd92b27f73c28ca9a3e6d1b525427e0fd101dc99be37fca9328e4a6bf32405282
2023/09/25 12:25:19 Added File System Layer: sha384/687a1ca750ce7fa2a3e33ea1a80bc628d6235da403a842a89caa184c0d76de92f21c876d4ba810817425b61a538e167e
2023/09/25 12:25:19 Added File System Layer: sha384/5c27586d7317cb37f8776e07492e6f574bcc1825095f3d44d86446ab918467aa99a8e15c1a1be821fd23686459e783b3
2023/09/25 12:25:19 Added File System Layer: sha384/d07418ad4d1276406705d788b3de330d37bc3a53715b7ecf8a30b520e14a585bdc67af6a4ec3f08de8c47b13268b813f
2023/09/25 12:25:19 Added File System Layer: sha384/ccdfa1aec6214bf6db74b4addaca7f87ab5980bcfdbf6f5fcab8d8425bc2169ca3bc9dd6046b26e4b1da6ba33c31dfb0
2023/09/25 12:25:19 Added File System Layer: sha384/19c51e65b988841ab3160392c36dcb0986b8223ed1fb14dae601fa9a82e1bb220392a9b28d4fdb3391889bca564d5a10
2023/09/25 12:25:19 Added File System Layer: sha384/1bdcf953c2b1bb5053c5076a8b6c304cee319320449adc0f23f8b8a82c9b0996b967f8ae971d7c7d65b39d92b51e8ff4
2023/09/25 12:25:19 Added File System Layer: sha384/6f2c79b05d8ed5a51cb3be5d03796ebe887fa987cc5e4e0a938913cdac75680587d6af32f9dd8fdb9b8c25aaf17c2cf9
2023/09/25 12:25:19 Added File System Layer: sha384/83a56f80a8fd8c81e23ceccaf5558e0defcb039115d603d2040640c49794d5848322e22237f6f4cf68ad84ccd5ffadc1
2023/09/25 12:25:19 Started ACON Instance, ID: 1

I have no idea whether it is a success or not.

[OpenID test] `aconcli run` failed

This is the output that seems acond caused this:

Fingerprint of ACON-TD being connected: def528e21bc8
Error: Run: cannot login as user 1000: failed to parse access token from response: invalid character 'R' looking for beginning of value
Usage:
  aconcli run [manifest]... [flags]
 
Flags:
  -A, --all                load/start all images in the current ACON image repo
  -a, --auto               load dependencies automatically
  -c, --connect string     connect target url
      --env strings        set environment variables inside new containers
  -f, --file string        path to the executable for launching ACON TD/VM (default "/home/sgx/maliang/ACON_TEST/test/acon-startvm")
      --finalize           finalize the process of loading images to ACON TD/VM (default true)
  -h, --help               help for run
  -i, --interactive        run ACON TD/VM in foreground (usually for debugging)
  -l, --loadonly strings   load (but do not start) the specified images
  -n, --new                start a new ACON TD/VM
  -p, --proxy string       http proxy for ACON VM
  -t, --timetolive int     shut down the TD/VM after being idle for specified number of seconds (default 60)
  -u, --user string        user ID for OpenID authentication
 
Global Flags:
  -C, --directory string   change working directory before performing any operations
      --nologin            if set, login as an anonymous user

intel / acon Goto Github PK

acon's People

Contributors

Stargazers

Watchers

Forkers

acon's Issues

Tasks

Minimal TCB Size

Linking acond Statically

Linking acond Dynamically

FIPS Compliance

Reproducible Build

Conclusion/Proposal

Tasks

Tasks

Tasks

Recommend Projects

Recommend Topics

Recommend Org

Linking `acond` Statically

Linking `acond` Dynamically