build: create unified libOS bundle

Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Nov 15, 2023 · c463171 · c463171
1 parent d0390cd
commit c463171
Show file tree

Hide file tree

Showing 18 changed files with 152 additions and 189 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -81,31 +81,25 @@ jobs:
           sed -e 's#\(.*container_instance = "\)\(.*\)$#\1'$PAYLOAD_ARTIFACTS'\2#g' config/config.toml | sudo tee /etc/enclave-cc/config.toml
         working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim
 
-      - name: Build agent-enclave bundle
+      - name: Build unified bundle
         run: |
           mkdir $PAYLOAD_ARTIFACTS
-          docker build . -f tools/packaging/build/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t agent-instance:build
-          docker export $(docker create agent-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/agent-instance.tar
+          docker build . -f tools/packaging/build/unified-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t unified-instance:build
+          docker export $(docker create unified-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/unified-instance.tar
         working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
 
       - name: Install config.json for agent-enclave bundle
         run: |
           jq -a -f sgx-mode-config.filter config.json.template | tee ${PAYLOAD_ARTIFACTS}/config.json
-        working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/tools/packaging/build/agent-enclave-bundle
-
-      - name: Build boot-instance bundle
-        run: |
-          docker build . -f tools/packaging/build/boot-instance-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} -t boot-instance:build
-          docker export $(docker create boot-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/boot-instance.tar
-        working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
+        working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/tools/packaging/build/unified-bundle
 
       - name: Install enclave-cc bundles
         run: |
           mkdir -p opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
-          sudo tar -xf agent-instance.tar -C opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
+          sudo tar -xf unified-instance.tar -C opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
           cp config.json opt/confidential-containers/share/enclave-cc-agent-instance/
           mkdir -p opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
-          sudo tar -xf boot-instance.tar -C opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
+          sudo tar -xf unified-instance.tar -C opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
         working-directory: ${{env.PAYLOAD_ARTIFACTS}}
 
       - name: Install decrypt_config.conf and ocicrypt.conf for agent-enclave bundle

diff --git a/src/runtime-boot/init/src/main.rs b/src/runtime-boot/init/src/main.rs
@@ -4,6 +4,7 @@ extern crate serde_json;
 
 use libc::syscall;
 
+use std::env;
 use std::error::Error;
 use std::fs::File;
 use std::io::prelude::*;
@@ -59,7 +60,14 @@ fn main() -> Result<(), Box<dyn Error>> {
         envp: envp.as_ptr(),
     };
 
-    let ret = unsafe { syscall(SYS_MOUNT_FS, key_ptr, &rootfs_config) };
+    let agent_boot = matches!(env::var("ENCLAVE_AGENT"), Ok(val) if val == "true" || val == "TRUE" || val == "1");
+    let ret = match agent_boot {
+        true => {
+            let root_config_ptr: *const i8 = std::ptr::null();
+            unsafe { syscall(SYS_MOUNT_FS, root_config_ptr) }
+        }
+        false => unsafe { syscall(SYS_MOUNT_FS, key_ptr, &rootfs_config) },
+    };
     if ret < 0 {
         return Err(Box::new(std::io::Error::last_os_error()));
     }

diff --git a/test/e2e/hello-world-encrypted-HW-cc-kbc.json b/test/e2e/hello-world-encrypted-HW-cc-kbc.json
@@ -9,10 +9,10 @@
     {"key": "OCCLUM_RELEASE_ENCLAVE", "value": "1"}
   ],
   "command": [
-    "/run/rune/boot_instance/build/bin/occlum-run",
+    "/run/rune/occlum_instance/build/bin/occlum-run",
     "/bin/hello_world"
   ],
-  "working_dir": "/run/rune/boot_instance/",
+  "working_dir": "/run/rune/occlum_instance/",
   "log_path":"hello.log",
   "devices": [
     {"container_path": "/dev/sgx_enclave", "host_path": "/dev/sgx_enclave", "permissions": "rw"}

diff --git a/test/e2e/hello-world-encrypted-SIM-sample-kbc.json b/test/e2e/hello-world-encrypted-SIM-sample-kbc.json
@@ -9,10 +9,10 @@
     {"key": "OCCLUM_RELEASE_ENCLAVE", "value": "0"}
   ],
   "command": [
-    "/run/rune/boot_instance/build/bin/occlum-run",
+    "/run/rune/occlum_instance/build/bin/occlum-run",
     "/bin/hello_world"
   ],
-  "working_dir": "/run/rune/boot_instance/",
+  "working_dir": "/run/rune/occlum_instance/",
   "log_path":"hello.log",
   "linux": {
   }

diff --git a/test/e2e/hello-world-unencrypted-SIM.json b/test/e2e/hello-world-unencrypted-SIM.json
@@ -9,10 +9,10 @@
     {"key": "OCCLUM_RELEASE_ENCLAVE", "value": "0"}
   ],
   "command": [
-    "/run/rune/boot_instance/build/bin/occlum-run",
+    "/run/rune/occlum_instance/build/bin/occlum-run",
     "/bin/hello_world"
   ],
-  "working_dir": "/run/rune/boot_instance/",
+  "working_dir": "/run/rune/occlum_instance/",
   "log_path":"hello.log",
   "linux": {
   }

diff --git a/tools/packaging/build/agent-enclave-bundle/Dockerfile b/tools/packaging/build/agent-enclave-bundle/Dockerfile
diff --git a/tools/packaging/build/boot-instance-bundle/Dockerfile b/tools/packaging/build/boot-instance-bundle/Dockerfile
diff --git a/tools/packaging/build/boot-instance-bundle/jq.filter b/tools/packaging/build/boot-instance-bundle/jq.filter
diff --git a/tools/packaging/build/build_payload.sh b/tools/packaging/build/build_payload.sh
@@ -22,16 +22,12 @@ export PAYLOAD_ARTIFACTS="${SCRIPT_ROOT}/payload_artifacts"
 mkdir -p ${PAYLOAD_ARTIFACTS}
 
 # build pre-installed OCI bundle for agent enclave container
-pushd ${SCRIPT_ROOT}/agent-enclave-bundle
-docker build ${ENCLAVE_CC_ROOT} -f ${SCRIPT_ROOT}/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t agent-instance
+pushd ${SCRIPT_ROOT}/unified-bundle
+docker build ${ENCLAVE_CC_ROOT} -f ${SCRIPT_ROOT}/unified-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t unified-instance
 jq -a -f sgx-mode-config.filter config.json.template | tee ${PAYLOAD_ARTIFACTS}/config.json
-docker export $(docker create agent-instance) | tee > ${PAYLOAD_ARTIFACTS}/agent-instance.tar
+docker export $(docker create unified-instance) | tee > ${PAYLOAD_ARTIFACTS}/unified-instance.tar
 popd
 
-# build pre-installed OCI bundle for boot instance
-docker build ${ENCLAVE_CC_ROOT} -f ${SCRIPT_ROOT}/boot-instance-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} -t boot-instance
-docker export $(docker create boot-instance) | tee > ${PAYLOAD_ARTIFACTS}/boot-instance.tar
-
 # build shim-rune binary: "containerd-shim-rune-v2"
 pushd ${ENCLAVE_CC_ROOT}/src/shim
 docker run --pull always -t -v ${PWD}:/build --workdir /build golang:${GO_VERSION}-bookworm make binaries
@@ -55,5 +51,5 @@ fi
 popd
 
 #cleanup
-docker rmi ${IMAGE} boot-instance agent-instance -f
+docker rmi ${IMAGE} unified-instance -f
 rm -rf payload_artifacts