Deplatforming #7049
Deplatforming #7049
Conversation
…EST_PLATFORM for some test control
| endif() | ||
|
|
||
| add_library(qcbor.host STATIC ${QCBOR_SRCS}) | ||
| add_library(qcbor STATIC ${QCBOR_SRCS}) |
There was a problem hiding this comment.
GitHub's diff view doesn't make this very obvious, but really what we had for almost all of our libraries was this:
if(SNP)
add_library(XXX.snp)
options(XXX.snp OPTIONS MORE_OPTIONS)
also_options(XXX.snp MOOOOORE)
if(CCF_DEVEL)
install(XXX.snp)
endif()
endif()
add_library(XXX.host)
options(XXX.host OPTIONS MORE_OPTIONS)
also_options(XXX.host MOOOOORE)
if(INSTALL_VIRTUAL_LIBRARIES)
install(XXX.host)
endif()
And now we just have one library, called XXX, built unconditionally.
add_library(XXX)
options(XXX OPTIONS MORE_OPTIONS)
also_options(XXX MOOOOORE)
if(CCF_DEVEL)
install(XXX)
endif()
I think that in all cases the options and more_options and etc etc calls were providing all of the same arguments, but I may have missed some. So a risk of this big change is that we miss a subtle option from one of these. Feel free to scan a few, and let's see what the tests say.
I think the difference between INSTALL_VIRTUAL_LIBRARIES and CCF_DEVEL was basically a bug, that we never noticed because of the options we passed in practice? Regardless, the consolidation is to a single library that checks CCF_DEVEL to decide if it should be installed - there are no virtual-specific libraries, and no more INSTALL_VIRTUAL_LIBRARIES.
src/enclave/main.cpp
Outdated
| @@ -46,6 +46,7 @@ extern "C" | |||
| size_t* enclave_version_len, | |||
| StartType start_type, | |||
| ccf::LoggerLevel enclave_log_level, | |||
| ccf::pal::Platform platform, | |||
There was a problem hiding this comment.
Because the .so no longer knows what platform it is at build-time, we need to pass this through from the host. Ugly to add more args here, but we'll nuke the whole thing shortly.
| if (!ccf::pal::snp::supports_sev_snp()) | ||
| { | ||
| std::cout << "Skipping all tests as this is not running in SEV-SNP" | ||
| << std::endl; | ||
| return 0; | ||
| } |
There was a problem hiding this comment.
Previously disabled at build-time somewhere in CMake. Now built and run all the time, and a run-time capability probe determines whether it's actually testing anything.
| # Install tree | ||
| PLATFORM_FILE="${PATH_HERE}"/../share/PLATFORM | ||
| # If not there, try locally | ||
| if [ ! -f "${VERSION_FILE}" ]; then | ||
| PLATFORM_FILE=PLATFORM | ||
| fi | ||
| platform=$(<"${PLATFORM_FILE}") | ||
|
|
There was a problem hiding this comment.
When platform was a build-time decision, we created a file named PLATFORM and installed it, so that that sandbox.sh could automatically infer what type of binaries it was surrounded by. This doesn't exist anymore - it's surrounded by platform-agnostic binaries. --enclave-platform can still be passed explicitly to sandbox.sh/start_network.py/similar wrappers, and is inserted for all of our e2e tests, but doesn't come from file checks.
CMakeLists.txt
Outdated
| set(CCF_TEST_PLATFORM | ||
| "virtual" |
There was a problem hiding this comment.
I argue that although this diff is small, this is fundamentally a new arg, so I'm not changing a default. We're not making things less secure (the default build still produces SNP-capable binaries, that default to using SNP logic), but our tests default to using the "virtual" attestations unless told otherwise. As a result, we don't have to pass -DCOMPILE_TARGET=virtual (or -DCCF_TEST_PLATFORM=virtual) in all of our CI yamls and whenever we're telling people how to build, the default is the majority-option and the few things that want to explicitly try SNP-networks can do so.
There was a problem hiding this comment.
I think the tests should detect the platform the same way the binaries do, and enforce their opinion of the platform when they act as the consortium that agrees to open the network. Telling them to do otherwise should require an override. Let's discuss.
tests/connections.py
Outdated
| @@ -191,7 +190,7 @@ def create_connections_until_exhaustion( | |||
| client.post( | |||
| "/log/private", | |||
| {"id": 42, "msg": "foo"}, | |||
| timeout=3 if IS_SNP else 1, | |||
| timeout=3 if args.enclave_platform == "snp" else 1, | |||
There was a problem hiding this comment.
Unsure if we still need SNP-specific timeouts? But plausible, so leaving them for now.
| @@ -540,7 +539,7 @@ def _setup_common_folder(self, constitution): | |||
| ), f"Could not copy governance {fragment} to {self.common_dir}" | |||
| # It is more convenient to create a symlink in the common directory than generate | |||
| # certs and keys in the top directory and move them across | |||
| cmd = ["cp"] if IS_SNP else ["ln", "-s"] | |||
| cmd = ["ln", "-s"] | |||
There was a problem hiding this comment.
Taking a punt here, assuming it's now safe to symlink everywhere? If I'm missing something, we can restore this branch based on SNP-support, or something more precise.
It seems to me that in 99% of cases, this can be automatically decided without security implications, because either the join policy, or the consortium-issued transition service to open decide whether the attestation is acceptable. Having a way to force virtual is likely useful, either through an env var or through the configuration, but is not security critical for the reason above. Whether that's good usability is arguable.
Because we (still) use ctest as a launcher, I agree that this is good, but that's something we could decide to revisit, as the decrease in compile-time parameters also diminishes the value of that layer. |
100% |
I'm coming round to the idea of automatic platform detection, let's discuss tomorrow. Just listing a few discussion points:
|
I assume you mean a virtual attestation? I would say yes, not because I can think of a reason why it might be useful, but because it seems really easy to do, and could come in handy when isolating failures.
So long as the tests/test infra enforce a specific platform is being tested, I don't think so? If we are worried that the test auto-detection can fail silently too, we could push the number of tests run to bencher, and set up a threshold alert?
The attestation gets stored in Tx0. I think we want to tighten the initial consortium check to only open if we're happy with the platform, and we should be good from there. |
|
I'm currently convinced that auto-detection is fine, and we don't need any explicit/tested overrides. In my head: This means a CCF node will look for SNP IOCTL devices, and produce an SNP attestation if it finds them (at this point requiring some additional SNP endorsement server config), else it'll fall back and produce a virtual attestation. The Python infra will do the same check independently, to decide whether it is expecting SNP attestations (with associated tests), and to confirm the attestation format before submitting service open. CMake needs no knowledge of what platforms the tests are running on/targeting, so this can go entirely (I think - maybe something about test labels that need to contain platform info, but I think that can be inserted later). Then we convince ourselves that some of the tests are actually running on SNP, by writing a standalone "confirm_this_is_snp" script/util, and calling that early in the appropriate CI jobs. Possible future things we can support in future:
|
…est everywhere, checking a real current attestation is a platform-only subjob
|
I think I've decided this is good-to-go, but the lts compat test is going to fail until we have a 7.x tag (because of reasons). So parking this, briefly. |
The build-time distinction between SNP and Virtual is unhelpful, results in a huge amount of duplication in our CMake. This was necessary on SGX, where the targets had significantly different build options, but is no longer doing anything.
This PR removes the
COMPILE_TARGEToption from CMake. This has a bunch of knock-on effects, that I think fall into a few distinct camps:ccf_kv.hostandccf_kv.snp, we just haveccf_kv. I've manually tried to verify in each instance that the calls to each target were always identical, but I may have missed some.PLATFORM_preprocessor define. Most places were#if PLATFORM_VIRTUAL || PLATFORM_SNP, so the#if/#endifpair can be trivially removed. Deciding what kind of quote we produce is now a run-time decision (each binary is capable of trying to produce either format), based on the existingenclave.platformconfig argument. I think that ought to be promoted to a CLI argument (security critical), but that's deferred.cchostand then a.sofor each "enclave" application. But those applications are nowlibjs_generic.so, rather thanlibjs_generic.virtual.so/libjs_generic.snp.so.COMPILE_TARGET, but it's now calledCCF_TEST_PLATFORM, and hopefully used in few enough places to clarify intent. Perhaps the default value should be derived from capability detection? TBD.I've only run a handful of builds and tests locally, this is likely missing some obvious breakages, so opening as a Draft initially and awaiting CI coverage.
Also, I think this is a big enough breaking change that it shouldn't affect
6.0, so I propose arelease/6.xbranch.Follow-ups:
lts_story, but I think right now we can be pretty aggressive? But let's do it separately to derisk.