From fee4db7f9ffd3836663e299774d4938ac1f8b858 Mon Sep 17 00:00:00 2001 From: Nikita Shyrei Date: Fri, 29 Nov 2024 16:43:06 +0100 Subject: [PATCH] Check application configuration hash when requesting application configuration (#11) * - adds app config hash check * - fixed unit tests * - use updated em-app * - returned back old fn name * - code review changes * - cargo fmt * code review changes * - usage of new type * - updated em-client * - updated em-client * - use latest em-client * - lock file after conflicts fix * - update to use Sha256 type from em-client * - update em-client crate * - code review changes --- vsock-proxy/Cargo.lock | 187 ++++--------------- vsock-proxy/Cargo.toml | 8 + vsock-proxy/enclave/Cargo.toml | 7 +- vsock-proxy/enclave/src/app_configuration.rs | 107 ++++------- vsock-proxy/enclave/src/enclave.rs | 9 +- vsock-proxy/enclave/src/file_system.rs | 2 +- vsock-proxy/parent/Cargo.toml | 2 +- 7 files changed, 90 insertions(+), 232 deletions(-) diff --git a/vsock-proxy/Cargo.lock b/vsock-proxy/Cargo.lock index 5fdcf10..4765d4a 100644 --- a/vsock-proxy/Cargo.lock +++ b/vsock-proxy/Cargo.lock @@ -140,12 +140,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "autocfg" -version = "0.1.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d49d90015b3c36167a20fe2810c5cd875ad504b39cff3d4eae7977e6b7c1cb2" - [[package]] name = "autocfg" version = "1.1.0" @@ -364,15 +358,6 @@ dependencies = [ "vec_map", ] -[[package]] -name = "cloudabi" -version = "0.0.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f" -dependencies = [ - "bitflags", -] - [[package]] name = "cmake" version = "0.1.46" 
@@ -464,7 +449,7 @@ version = "0.9.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae211234986c545741a7dc064309f67ee1e5ad243d0e48335adc0484d960bcc7" dependencies = [ - "autocfg 1.1.0", + "autocfg", "cfg-if 1.0.0", "crossbeam-utils", "memoffset 0.9.0", @@ -539,14 +524,14 @@ checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" [[package]] name = "em-app" version = "0.4.0" -source = "git+https://github.com/fortanix/rust-sgx.git#c9028cffb8d80fe325f10eefb26f1f912c235c21" +source = "git+https://github.com/fortanix/rust-sgx.git#9bcd71b7426ca0154a3445ea2165c0a6a23bc8af" dependencies = [ "aws-nitro-enclaves-nsm-api", "b64-ct", "em-client", "em-node-agent-client", "hyper", - "mbedtls 0.9.3", + "mbedtls", "pkix", "rustc-serialize", "sdkms", @@ -558,16 +543,15 @@ dependencies = [ "sgx_pkix", "url 1.7.2", "uuid 0.6.5", - "uuid 0.7.4", + "uuid 0.8.2", "vme-pkix", "yasna 0.3.2", ] [[package]] name = "em-client" -version = "3.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0bd923300728ad79f8c36f689f96d928d224524a2120a204fa2bb7801991e7c" +version = "4.0.0" +source = "git+https://github.com/fortanix/em-client-rust#af7d698e603c3f0e728998f3f4612b01af678472" dependencies = [ "base64 0.10.1", "bitflags", @@ -576,6 +560,7 @@ dependencies = [ "hyper", "lazy_static 1.4.0", "log 0.3.9", + "mbedtls", "mime", "serde", "serde_derive", @@ -617,6 +602,7 @@ dependencies = [ "clap", "const_format", "em-app", + "em-client", "env_logger 0.7.1", "futures 0.3.16", "hyper", @@ -624,8 +610,7 @@ dependencies = [ "ipnetwork", "lazy_static 1.4.0", "log 0.4.14", - "mbedtls 0.12.1", - "mbedtls 0.9.3", + "mbedtls", "nix 0.15.0", "parent_lib", "pkix", 
@@ -1153,24 +1138,6 @@ version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f" -[[package]] -name = "mbedtls" -version = "0.9.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a3a846b1d4b990bc3d900554a12528dfe4b3ab920eac016ee5b314aef4f8e4a9" -dependencies = [ - "bitflags", - "byteorder", - "cc", - "cfg-if 1.0.0", - "mbedtls-platform-support", - "mbedtls-sys-auto", - "rs-libc", - "serde", - "serde_derive", - "yasna 0.2.2", -] - [[package]] name = "mbedtls" version = "0.12.1" @@ -1229,7 +1196,7 @@ version = "0.6.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce" dependencies = [ - "autocfg 1.1.0", + "autocfg", ] [[package]] @@ -1238,7 +1205,7 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4" dependencies = [ - "autocfg 1.1.0", + "autocfg", ] [[package]] @@ -1247,7 +1214,7 @@ version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5a634b1c61a95585bd15607c6ab0c4e5b226e695ff2800ba0cdccddf208c406c" dependencies = [ - "autocfg 1.1.0", + "autocfg", ] [[package]] @@ -1443,7 +1410,7 @@ version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304" dependencies = [ - "autocfg 1.1.0", + "autocfg", "num-integer", "num-traits 0.2.14", ] @@ -1454,7 +1421,7 @@ version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db" dependencies = [ - "autocfg 1.1.0", + "autocfg", "num-traits 0.2.14", ] 
@@ -1473,7 +1440,7 @@ version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290" dependencies = [ - "autocfg 1.1.0", + "autocfg", ] [[package]] @@ -1530,7 +1497,7 @@ version = "0.9.80" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "23bbbf7854cd45b83958ebe919f0e8e516793727652e27fda10a8384cfc790b7" dependencies = [ - "autocfg 1.1.0", + "autocfg", "cc", "libc", "pkg-config", @@ -1711,25 +1678,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "rand" -version = "0.6.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d71dacdc3c88c1fde3885a3be3fbab9f35724e6ce99467f7d9c5026132184ca" -dependencies = [ - "autocfg 0.1.7", - "libc", - "rand_chacha 0.1.1", - "rand_core 0.4.2", - "rand_hc", - "rand_isaac", - "rand_jitter", - "rand_os", - "rand_pcg", - "rand_xorshift", - "winapi", -] - [[package]] name = "rand" version = "0.8.5" @@ -1737,20 +1685,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ "libc", - "rand_chacha 0.3.1", + "rand_chacha", "rand_core 0.6.4", ] -[[package]] -name = "rand_chacha" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "556d3a1ca6600bfcbab7c7c91ccb085ac7fbbcd70e008a98742e7847f4f7bcef" -dependencies = [ - "autocfg 0.1.7", - "rand_core 0.3.1", -] - [[package]] name = "rand_chacha" version = "0.3.1" 
@@ -1785,68 +1723,6 @@ dependencies = [ "getrandom", ] -[[package]] -name = "rand_hc" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b40677c7be09ae76218dc623efbf7b18e34bced3f38883af07bb75630a21bc4" -dependencies = [ - "rand_core 0.3.1", -] - -[[package]] -name = "rand_isaac" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ded997c9d5f13925be2a6fd7e66bf1872597f759fd9dd93513dd7e92e5a5ee08" -dependencies = [ - "rand_core 0.3.1", -] - -[[package]] -name = "rand_jitter" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1166d5c91dc97b88d1decc3285bb0a99ed84b05cfd0bc2341bdf2d43fc41e39b" -dependencies = [ - "libc", - "rand_core 0.4.2", - "winapi", -] - -[[package]] -name = "rand_os" -version = "0.1.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b75f676a1e053fc562eafbb47838d67c84801e38fc1ba459e8f180deabd5071" -dependencies = [ - "cloudabi", - "fuchsia-cprng", - "libc", - "rand_core 0.4.2", - "rdrand", - "winapi", -] - -[[package]] -name = "rand_pcg" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "abf9b09b01790cfe0364f52bf32995ea3c39f4d2dd011eac241d2914146d0b44" -dependencies = [ - "autocfg 0.1.7", - "rand_core 0.4.2", -] - -[[package]] -name = "rand_xorshift" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cbf7e9e623549b0e21f6e97cf8ecf247c1a8fd2e8a992ae265314300b2455d5c" -dependencies = [ - "rand_core 0.3.1", -] - [[package]] name = "rayon" version = "1.7.0" 
@@ -2007,9 +1883,9 @@ checksum = "9c8132065adcfd6e02db789d9285a0deb2f3fcb04002865ab67d5fb103533898" [[package]] name = "sdkms" -version = "0.2.1" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c843377a2ed87d63e487c7b41b1a82446ab7dc836addd66d63010ea05b14aaf7" +checksum = "5b12e3cb05862db268118482cbad26eee384b479de1924fe5404028e3444481a" dependencies = [ "bitflags", "chrono", @@ -2018,10 +1894,9 @@ dependencies = [ "log 0.4.14", "rustc-serialize", "serde", - "serde_derive", "serde_json 1.0.68", "url 1.7.2", - "uuid 0.7.4", + "uuid 0.8.2", ] [[package]] @@ -2058,9 +1933,9 @@ dependencies = [ [[package]] name = "serde_bytes" -version = "0.11.5" +version = "0.11.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "16ae07dd2f88a366f15bd0632ba725227018c69a1c8550a927324f8eb8368bb9" +checksum = "f3c5113243e4a3a1c96587342d067f3e6b0f50790b6cf40d2868eb647a3eef0e" dependencies = [ "serde", ] @@ -2121,7 +1996,7 @@ dependencies = [ [[package]] name = "sgx-isa" version = "0.4.1" -source = "git+https://github.com/fortanix/rust-sgx.git#c9028cffb8d80fe325f10eefb26f1f912c235c21" +source = "git+https://github.com/fortanix/rust-sgx.git#9bcd71b7426ca0154a3445ea2165c0a6a23bc8af" dependencies = [ "bitflags", ] @@ -2129,7 +2004,7 @@ dependencies = [ [[package]] name = "sgx_pkix" version = "0.2.2" -source = "git+https://github.com/fortanix/rust-sgx.git#c9028cffb8d80fe325f10eefb26f1f912c235c21" +source = "git+https://github.com/fortanix/rust-sgx.git#9bcd71b7426ca0154a3445ea2165c0a6a23bc8af" dependencies = [ "byteorder", "lazy_static 1.4.0", @@ -2348,7 +2223,7 @@ version = "1.21.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0020c875007ad96677dcc890298f4b942882c5d4eb7cc8f439fc3bf813dc9c95" dependencies = [ - "autocfg 1.1.0", + "autocfg", "bytes 1.0.1", "libc", "memchr", 
@@ -2519,8 +2394,14 @@ name = "uuid" version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "90dbc611eb48397705a6b0f6e917da23ae517e4d127123d2cf7674206627d32a" + +[[package]] +name = "uuid" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7" dependencies = [ - "rand 0.6.5", + "getrandom", "serde", ] @@ -2550,8 +2431,8 @@ checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe" [[package]] name = "vme-pkix" -version = "0.1.0" -source = "git+https://github.com/fortanix/rust-sgx.git#c9028cffb8d80fe325f10eefb26f1f912c235c21" +version = "0.1.1" +source = "git+https://github.com/fortanix/rust-sgx.git#9bcd71b7426ca0154a3445ea2165c0a6a23bc8af" dependencies = [ "lazy_static 1.4.0", "pkix", diff --git a/vsock-proxy/Cargo.toml b/vsock-proxy/Cargo.toml index 3b0191e..3fb3fa1 100644 --- a/vsock-proxy/Cargo.toml +++ b/vsock-proxy/Cargo.toml @@ -5,3 +5,11 @@ members = [ "parent", "enclave", ] + +[workspace.dependencies] +em-app = { version = "0.4.0" } +em-client = { version = "4.0.0" } + +[patch.crates-io] +em-app = { git = "https://github.com/fortanix/rust-sgx.git" } +em-client = { git = "https://github.com/fortanix/em-client-rust" } diff --git a/vsock-proxy/enclave/Cargo.toml b/vsock-proxy/enclave/Cargo.toml index f2632af..c98496e 100644 --- a/vsock-proxy/enclave/Cargo.toml +++ b/vsock-proxy/enclave/Cargo.toml 
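Review bot: The two `[patch.crates-io]` entries added to `vsock-proxy/Cargo.toml` name a git repository without a `rev`, so the only thing fixing which commit is built into the enclave is `Cargo.lock`. The lockfile hunks show `em-client` moving from a registry source with a `checksum` to `git+https://github.com/fortanix/em-client-rust#af7d698e603c3f0e728998f3f4612b01af678472`, so that crate no longer has a registry checksum behind it. Pinning the commits the lockfile already records keeps a `cargo update` or a build without `--locked` from picking up a different upstream commit: `em-app = { git = "https://github.com/fortanix/rust-sgx.git", rev = "9bcd71b7426ca0154a3445ea2165c0a6a23bc8af" }` and `em-client = { git = "https://github.com/fortanix/em-client-rust", rev = "af7d698e603c3f0e728998f3f4612b01af678472" }`.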
@@ -15,19 +15,20 @@ async-trait = "0.1.51" base64 = "0.13.0" clap = "2.33" const_format = "0.2.32" -em-app = { git = "https://github.com/fortanix/rust-sgx.git" } +em-app = { workspace = true } +em-client = { workspace = true } env_logger = "0.7" futures = "0.3" hyper = "0.10" interfaces = "0.0.8" ipnetwork = { version = "0.18.0", features = ["serde"] } log = "0.4" -mbedtls = { version = "0.9.3" } +mbedtls = { version = "0.12.1" } nix = "0.15.0" pkix = "0.1.2" rand = "0.8.5" rtnetlink = "0.8.0" -sdkms = { version = "0.2.1", default-features = false, features = ["hyper-native-tls"] } +sdkms = { version = "0.3", default-features = false, features = ["hyper-native-tls"] } serde = { version = "1.0.127", features = ["derive"] } serde_cbor = "0.11.2" serde_json = { git = "https://github.com/fortanix/serde-json.git", branch = "base64_bytes" } diff --git a/vsock-proxy/enclave/src/app_configuration.rs b/vsock-proxy/enclave/src/app_configuration.rs index 68873f7..55051e2 100644 --- a/vsock-proxy/enclave/src/app_configuration.rs +++ b/vsock-proxy/enclave/src/app_configuration.rs @@ -12,17 +12,16 @@ use std::sync::Arc; use em_app::utils::models::{ ApplicationConfigContents, ApplicationConfigExtra, ApplicationConfigSdkmsCredentials, RuntimeAppConfig, }; +use em_client::Sha256Hash; use log::{info, warn}; use mbedtls::alloc::List as MbedtlsList; use mbedtls::pk::Pk; use mbedtls::x509::Certificate; use sdkms::api_model::Blob; -use shared::models::CCMBackendUrl; +use shared::models::{CCMBackendUrl}; use crate::certificate::CertificateResult; use crate::enclave::write_to_file; -use em_app::compute_app_config_hash; -use em_app::utils::models; // All of the paths below are purposefully made relative because they are joined with the path pointing to the chroot environment. pub const APPLICATION_CONFIG_DIR: &str = "opt/fortanix/enclave-os/app-config/rw"; 
@@ -49,7 +48,7 @@ pub(crate) fn setup_application_configuration( ccm_backend_url: &CCMBackendUrl, api: T, fs_root: &Path, - app_config_id: Blob + app_config_id: &Sha256Hash ) -> Result<(), String> where T: ApplicationConfiguration, @@ -58,15 +57,7 @@ where let app_config = api .runtime_config_api() - .get_runtime_configuration(&ccm_backend_url, em_app_credentials)?; - - let _app_config_id_check = check_application_config_id(&app_config.config, app_config_id); - - // reverts https://fortanix.atlassian.net/browse/SALM-113 until we figure out how to properly handle debug - // enclave in ccm.test - /*if !app_config_id_check.unwrap_or(false) { - return Err(format!("Received app config id doesn't match app config id from the user. The application won't start.")); - }*/ + .get_runtime_configuration(&ccm_backend_url, em_app_credentials, app_config_id)?; write_runtime_configuration_to_file(&app_config, fs_root)?; @@ -75,18 +66,6 @@ where setup_app_configs(&app_config.config.app_config, fs_root) } -fn check_application_config_id(received_app_config: &models::HashedConfig, app_config_id_from_user: Blob) -> Result { - let received_app_config_id = { - let json = serde_json::to_string(&received_app_config) - .map_err(|e| format!("Failed to serialize app config to json. {:?}", e))?; - - compute_app_config_hash(&json, mbedtls::hash::Type::Sha256) - .map_err(|e| format!("Failed to compute app config hash. App config is {}. {:?}", json, e))? - }; - - Ok(received_app_config_id == app_config_id_from_user) -} - fn write_runtime_configuration_to_file(app_config: &RuntimeAppConfig, fs_root: &Path) -> Result<(), String> { let data = serde_json::to_string(app_config).map_err(|err| format!("Failed serializing app config to string. {:?}", err))?; 
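Review bot: In the `@@ -58,15 +57,7 @@` hunk of `setup_application_configuration`, the hash check is no longer visible at the call site; it now depends on `get_runtime_configuration` returning an error on mismatch before `write_runtime_configuration_to_file` runs. A doc comment on the function should say so, for example `/// app_config_id is the expected SHA-256 of the application configuration; a mismatch must surface as Err from get_runtime_configuration before anything is written under fs_root.` The removed comment said the earlier check was disabled because of debug enclaves in ccm.test. The hunk does not show how that case behaves now that the check is enforced on every call, so it is worth confirming and recording. The function body starts and ends outside the hunk.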
@@ -323,6 +302,7 @@ impl RuntimeConfiguration for EmAppRuntimeConfiguration { &self, ccm_backend_url: &CCMBackendUrl, credentials: &EmAppCredentials, + expected_hash: &Sha256Hash, ) -> Result { em_app::utils::get_runtime_configuration( &ccm_backend_url.host, @@ -331,6 +311,7 @@ impl RuntimeConfiguration for EmAppRuntimeConfiguration { credentials.key.clone(), credentials.root_certificate.clone(), None, + &expected_hash ) } } @@ -340,6 +321,7 @@ pub(crate) trait RuntimeConfiguration { &self, ccm_backend_url: &CCMBackendUrl, credentials: &EmAppCredentials, + expected_hash: &Sha256Hash, ) -> Result; } @@ -457,6 +439,8 @@ mod tests { use std::collections::BTreeMap; use std::fs; use std::path::Path; + use std::convert::TryFrom; + use crate::app_configuration::Sha256Hash; use em_app::utils::models::{ ApplicationConfigConnection, ApplicationConfigConnectionApplication, ApplicationConfigConnectionDataset, @@ -465,8 +449,11 @@ mod tests { use sdkms::api_model::Blob; use shared::models::CCMBackendUrl; - use crate::app_configuration::{normalize_path_and_make_relative, setup_app_configs, setup_datasets, ApplicationFiles, DataSetFiles, EmAppCredentials, RuntimeConfiguration, SdkmsDataset, ApplicationConfiguration, check_application_config_id}; - use em_app::compute_app_config_hash; + use crate::app_configuration::{ + normalize_path_and_make_relative, setup_app_configs, setup_datasets, + ApplicationConfiguration, ApplicationFiles, DataSetFiles, EmAppCredentials, + RuntimeConfiguration, SdkmsDataset, + }; const TEST_FOLDER: &'static str = "/tmp/salm-unit-test"; @@ -599,6 +586,7 @@ mod tests { struct MockDataSet { pub json_data: &'static str, + pub hash: Sha256Hash, } impl MockDataSet { 
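Review bot: In the `@@ -331,6 +311,7 @@` hunk the new argument is written `&expected_hash`, but the signature in the preceding hunk already declares `expected_hash: &Sha256Hash`, so this passes a reference to a reference and presumably compiles only through deref coercion. Pass the parameter through unchanged and keep the trailing comma the other arguments use: `expected_hash,`. The call to `em_app::utils::get_runtime_configuration` begins outside this hunk.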
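Review bot: The trait method in the `@@ -340,6 +321,7 @@` hunk gains `expected_hash` with no statement of what an implementation must do with it, and the signature alone lets an implementation ignore the value. Since this parameter is the integrity check for the configuration, the contract belongs on `RuntimeConfiguration::get_runtime_configuration` itself, for example `/// Implementations must return Err unless the SHA-256 of the fetched configuration equals expected_hash.` The trait definition starts outside the hunk.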
@@ -635,8 +623,13 @@ mod tests { &self, _ccm_backend_url: &CCMBackendUrl, _credentials: &EmAppCredentials, + expected_hash: &Sha256Hash, ) -> Result { - Ok(serde_json::from_str(self.json_data).expect("Failed serializing test json")) + if self.hash != *expected_hash { + Err(format!("Expected hash: {:?} doesn't equal saved hash: {:?}", expected_hash, self.hash)) + } else { + Ok(serde_json::from_str(self.json_data).expect("Failed serializing test json")) + } } } @@ -679,9 +672,16 @@ mod tests { }; let credentials = EmAppCredentials::mock(); - let api: Box = Box::new(MockDataSet { json_data }); - - let result = api.get_runtime_configuration(&backend_url, &credentials); + let api: Box = Box::new(MockDataSet { + json_data, + hash: Sha256Hash::try_from("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855").unwrap(), + }); + + let result = api.get_runtime_configuration( + &backend_url, + &credentials, + &Sha256Hash::try_from("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855").unwrap(), + ); assert!(result.is_ok(), "{:?}", result); result.unwrap() @@ -693,6 +693,7 @@ mod tests { let credentials = EmAppCredentials::mock(); let api = MockDataSet { json_data: VALID_APP_CONF, + hash: Sha256Hash::try_from("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855").unwrap(), }; let result = setup_datasets(&config, &credentials, &api, Path::new("/")); 
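Review bot: The mock in the `@@ -635,8 +623,13 @@` hunk returns `Err` on a hash mismatch, but no test visible in this patch exercises that branch. The `@@ -847,42 +850,4 @@` hunk deletes `check_application_config_id_incorrect_hash` without a replacement, so the rejection path is untested in this crate. The literal `e3b0c442…b855` is the SHA-256 of empty input rather than of `VALID_APP_CONF`, and it is repeated in the `@@ -679`, `@@ -693`, `@@ -709` and `@@ -751` hunks; a named constant would make clear that it is a placeholder. A mismatch test along the lines below would cover the branch; the second hash in it is a constructed value.

```rust
const TEST_CONFIG_HASH: &str = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

#[test]
fn get_runtime_configuration_rejects_mismatched_hash() {
    let api = MockDataSet {
        json_data: VALID_APP_CONF,
        hash: Sha256Hash::try_from(TEST_CONFIG_HASH).unwrap(),
    };
    // Constructed value: any well-formed hash that differs from TEST_CONFIG_HASH.
    let other_hash = Sha256Hash::try_from("0".repeat(64).as_str()).unwrap();

    let result = api.runtime_config_api().get_runtime_configuration(
        &CCMBackendUrl::default(),
        &EmAppCredentials::mock(),
        &other_hash,
    );

    assert!(result.is_err(), "{:?}", result);
}
```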
@@ -709,11 +710,12 @@ mod tests { let credentials = EmAppCredentials::mock(); let api = MockDataSet { json_data: VALID_APP_CONF, + hash: Sha256Hash::try_from("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855").unwrap(), }; let test_folder_path = Path::new(TEST_FOLDER).join("datasets"); let test_folder = TempDir(&test_folder_path); - let files = DataSetFiles::new("test_location", "test_port", test_folder.0.clone()); + let files = DataSetFiles::new("test_location", "test_port", test_folder.0); let _temp_dataset_dir = TempDir(&files.dataset_dir); let result = setup_datasets(&config, &credentials, &api, &test_folder.0); @@ -751,12 +753,13 @@ mod tests { let credentials = EmAppCredentials::mock(); let api = MockDataSet { json_data: VALID_APP_CONF, + hash: Sha256Hash::try_from("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855").unwrap(), }; let test_folder_path = Path::new(TEST_FOLDER).join("appconfig-location"); let test_folder = TempDir(&test_folder_path); - let files = ApplicationFiles::new("test_location", "test_port", &test_folder.0.clone()); + let files = ApplicationFiles::new("test_location", "test_port", &test_folder.0); let _temp_dir = TempDir(&files.application_dir); let result = setup_datasets(&config, &credentials, &api, &test_folder.0); 
@@ -847,42 +850,4 @@ mod tests { assert!(normalize_path_and_make_relative("/a/b/c/.").is_err()); assert!(normalize_path_and_make_relative("/a/b/c/..").is_err()); } - - #[test] - fn check_application_config_id_correct_hash() { - let credentials = EmAppCredentials::mock(); - let api = MockDataSet { - json_data: VALID_APP_CONF, - }; - let backend_url = CCMBackendUrl::default(); - let runtime_config = api.runtime_config_api().get_runtime_configuration(&backend_url, &credentials).expect("Get test data fail"); - - let app_config_id = { - let json = serde_json::to_string(&runtime_config.config).expect("Config to json fail"); - - compute_app_config_hash(&json, mbedtls::hash::Type::Sha256).expect("Compute hash fail") - }; - - let result = check_application_config_id(&runtime_config.config, app_config_id); - - assert!(result.is_ok()); - assert_eq!(result.unwrap(), true) - } - - #[test] - fn check_application_config_id_incorrect_hash() { - let credentials = EmAppCredentials::mock(); - let api = MockDataSet { - json_data: VALID_APP_CONF, - }; - let backend_url = CCMBackendUrl::default(); - let runtime_config = api.runtime_config_api().get_runtime_configuration(&backend_url, &credentials).expect("Get test data fail"); - - let app_config_id = Blob::from("This_is_not_a_valid_hash"); - - let result = check_application_config_id(&runtime_config.config, app_config_id); - - assert!(result.is_ok()); - assert_eq!(result.unwrap(), false) - } } diff --git a/vsock-proxy/enclave/src/enclave.rs b/vsock-proxy/enclave/src/enclave.rs index 8b5eeaf..aa44e7a 100644 --- a/vsock-proxy/enclave/src/enclave.rs +++ b/vsock-proxy/enclave/src/enclave.rs @@ -4,7 +4,7 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -use std::convert::From; +use std::convert::{From, TryFrom}; use std::fs; use std::path::Path; use std::process::Stdio; 
@@ -14,12 +14,12 @@ use api_model::converter::CertificateConfig; use api_model::enclave::EnclaveManifest; use async_process::{Child, Command}; use async_trait::async_trait; +use em_client::Sha256Hash; use futures::io::{BufReader, Lines}; use futures::stream::FuturesUnordered; use futures::{AsyncBufReadExt, StreamExt}; use log::{debug, info, warn}; use nix::net::if_::if_nametoindex; -use sdkms::api_model::Blob; use shared::models::{ ApplicationConfiguration, NBDConfiguration, NetworkDeviceSettings, PrivateNetworkDeviceSettings, SetupMessages, UserProgramExitStatus, @@ -214,12 +214,15 @@ fn setup_app_configuration( info!("Setting up application configuration."); + let app_config_id = Sha256Hash::try_from(id.as_str()) + .map_err(|err| format!("App config id is not a valid SHA-256 string. App config id is {}. Error {:?}", &id, err))?; + setup_application_configuration( &credentials, &app_config.ccm_backend_url, api, Path::new(ENCLAVE_FS_OVERLAY_ROOT), - Blob::from(id.as_str()), + &app_config_id, ) } else { Ok(()) diff --git a/vsock-proxy/enclave/src/file_system.rs b/vsock-proxy/enclave/src/file_system.rs index a9afe69..60a9eea 100644 --- a/vsock-proxy/enclave/src/file_system.rs +++ b/vsock-proxy/enclave/src/file_system.rs @@ -82,7 +82,7 @@ pub(crate) async fn mount_file_system_nodes(nodes: &[FileSystemNode], mount_opti FileSystemNode::TreeNode(node_path) => { let formatted_mount_point_str = format!("{}{node_path}", ENCLAVE_FS_OVERLAY_ROOT, node_path = node_path); let mut mount_args = vec!["--rbind", node_path, &formatted_mount_point_str]; - if node_path.clone() == "/tmp" && mount_options.is_tmp_exec { + if *node_path == "/tmp" && mount_options.is_tmp_exec { mount_args.push("-o"); mount_args.push("exec"); // Make the tmp directory of the enclave base image executable first diff --git a/vsock-proxy/parent/Cargo.toml b/vsock-proxy/parent/Cargo.toml index 91be8d6..53bf54a 100644 --- a/vsock-proxy/parent/Cargo.toml +++ b/vsock-proxy/parent/Cargo.toml 
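Review bot: In the `@@ -214,12 +214,15 @@` hunk of `setup_app_configuration`, the `else { Ok(()) }` branch shown as context still returns success without calling `setup_application_configuration`, so on that path no hash is parsed or checked. The condition is outside the hunk; if it covers a missing app config id, a comment should say so explicitly, for example `// No app config id supplied: application configuration is not fetched, so there is nothing to verify.` It would also help to state the accepted input next to the `try_from` call (the tests use 64 hex characters), e.g. `// id must be the hex-encoded SHA-256 of the application configuration`.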
@@ -12,7 +12,7 @@ repository = "https://github.com/fortanix/salmiac" api-model = { path = "../../api-model" } async-process = "1.2.0" clap = "2.33" -em-app = { git = "https://github.com/fortanix/rust-sgx.git" } +em-app = { workspace = true } env_logger = "0.7" etherparse = { git = "https://github.com/fortanix/etherparse.git", branch = "udp_checksum_from_slice" } futures = "0.3"