Designs the PAL API v4 changes #6
Comments
@YangLiang3 Most of it looks good. But why not call pal_create_process pal_exec?
Do I read the table correctly:
@ying2liu @bigdata-memory @qzheng527 Please ACK whether this is the formal matrix Gramine and Occlum will adapt to.
Hi Mikko, the change is due to the fact that Occlum and Gramine have the requirement to combine pal_create_process and pal_exec into one. So we made some changes to it. The name pal_create_process often confuses us, so I will suggest that the Occlum team makes a change to it.
The Occlum NGO version had combined pal_create_process and pal_exec and called it pal_create_process.
A question about the
Even though naming doesn't impact the Gramine PAL API implementation, I still think pal_exec is a better name.
Essentially, the PAL API is called by the untrusted part. So unordered calls to the PAL API could happen, and the trusted part should keep its internal state machine to prevent the impact, or even security issues, caused by unordered calls to the PAL API.
Hi Gordan, the LibOS will manage the state machine. From Occlum's view, if there is no pal_init, pal_exec can't find the enclave id and an error will happen.
My understanding is: when we are talking about the PAL API, we are actually talking about the LibOS wrapper/adapter interface name. The enclave-cc would develop adapters for every LibOS or any detailed implementation. So the rough design is used to make sure the sequence is good enough for all target LibOSes. I think we should not only list the API names; the more important thing is to list all the APIs' behavior and parameters.
Hi Zongmin, the adaptor for every LibOS is unified, so we don't need to expose different adaptor layers. Unifying the interface names is step 1, and step 2 will be the detailed parameters and API behavior. I need to confirm that the API parameters and behavior are reasonable, then expose them today.
Another question about
Enclave Runtime Programming Guide V4

1. Background

The enclave runtimes currently supported by runE are Occlum and WAMR (WebAssembly Micro Runtime). In order to let other LibOS programs run in runE, a set of enclave runtime API interfaces is defined. A LibOS only needs to support this set of API interfaces to run as an enclave runtime in runE.

2. enclave runtime in runE

The runE enclave runtime is bounded by the enclave runtime PAL API layer: below the API layer is runE, above the API layer is the enclave runtime, and the operating mode is LibOS.

2.1 enclave runtime PAL API definition

```c
#include <stdbool.h>   /* for bool in struct pal_evidence_args */

struct pal_attr_t {
    const char *args;
    const char *log_level;
    char *user_priv;
};
struct stdio_fds {
    int stdin, stdout, stderr;
};
struct pal_exec_args {
    char *path;
    char **argv;   /* originally "char *argv[]"; a struct may hold only one unsized array, as its last member */
    char **env;
    struct stdio_fds *stdio;
    int pid;
    int *exit_value;
} __attribute__((packed));
struct pal_evidence_args {
    int ev_type;
    bool result;
    struct {       /* named members, so that args->la / args->ra can be filled in */
        char *target_info;
        char *report;
    } la;
    struct {
        char *quote;
        int quote_len;
    } ra;
};
struct pal_kill_args {
    int pid;
    int sig;
} __attribute__((packed));
struct pal_opt {   /* operations table: a C struct holds function pointers, not function declarations */
    int (*pal_version)(void);   /* documented as pal_get_version() in 3.1 */
    int (*pal_init)(struct pal_attr_t *attr);
    int (*pal_exec)(struct pal_exec_args *args);
    int (*pal_get_evidence)(struct pal_evidence_args *args);
    int (*pal_kill)(struct pal_kill_args *args);
    int (*pal_destroy)(void);
};
```

2.2 enclave runtime library file naming and function naming rules

The enclave runtime is generated as a .so dynamic library, which is dynamically loaded by rune using dlopen; the enclave runtime needs to export symbols according to the function names in the previous chapter.

3. PAL interface

3.1 pal_get_version()

Description

Indicates the PAL API version number implemented by runelet and the enclave runtime; runelet is compatible with any enclave runtime whose version is equal to or less than the indicated value. If this symbol is undefined in the enclave runtime, version 1 is assumed by runelet. The value of this global variable is the version of the PAL API; refer to the implementation:

```c
int pal_get_version(void)
{
    return 4;
}
```

Prototype

```c
int pal_get_version();
```

Parameters

Return value

3.2 pal_init

The main task of this interface is to create an enclave space and complete the memory layout of the enclave space; the LibOS also needs to complete the initialization of components such as VM, FS, and NET. Reference implementation:

```c
int pal_init(const struct pal_attr_t *attr)
{
    ...
    sgx_launch_token_t token;
    get_token(&token);
    sgx_create_enclave(..., token, ...);
    ...
}
```

Description

Do LibOS initialization according to the incoming attr parameters.

Prototype

```c
struct pal_attr_t {
    const char *args;
    const char *log_level;
    char *user_priv;
};
int pal_init(struct pal_attr_t *attr);
```

Parameters

Return value

3.3 pal_exec

The main job of this interface is to run the application in the enclave. Reference implementation:

```c
int pal_exec(struct pal_exec_args *args)
{
    ...
    args->pid = libos_create_process(...);
    libos_exec(args->pid);
    ...
}
```

Description

Run the user application.

Prototype

```c
struct pal_stdio_fds {
    int stdin, stdout, stderr;
};
struct pal_exec_args {
    char *path;
    char **argv;
    char **env;
    struct pal_stdio_fds *stdio;
    int pid;
    int *exit_value;
} __attribute__((packed));
int pal_exec(struct pal_exec_args *args);
```

Parameters

Return value

3.4 pal_get_evidence()

According to the input parameter, retrieve the local attestation or remote attestation evidence.

```c
int pal_get_evidence(struct pal_evidence_args *args)
{
    ...
    switch (args->ev_type) {
    case LA:
        args->la = libos_verify_local_report(...);
        break;
    case RA:
        args->ra = libos_get_ra_quote(...);
        break;
    }
    ...
}
```

Description

If ev->type is LA, then complete LA verification; if la->target_info is null, return -ENOSYS. If ev->type is RA, then get the application enclave's quote info.

Prototype

Parameters

Return value

3.5 pal_kill

The main job of this interface is to send a signal to the specified pid. Refer to the implementation:

```c
int pal_kill(int pid, int sig)
{
    ...
    libos_kill(...);
    ...
}
```

Description

Send signals to processes running in the enclave runtime.

Prototype

```c
int pal_kill(int pid, int sig);
```

Parameters

Return value

3.6 pal_destroy

The main job of this interface is to destroy the entire enclave space. If it is a LibOS, you need to do component de-initialization before destroying the enclave. Reference implementation:

```c
int pal_destroy(void)
{
    ...
    libos_uninitialize();
    sgx_destroy_enclave(global_eid);
    ...
}
```

Description

Destroy the LibOS instance.

Prototype

```c
int pal_destroy();
```

Parameters

Return value
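As an added example (not code from rune, Occlum or Gramine) of the state-machine point raised earlier in the thread: a skeleton of the enclave-runtime side that implements the v4 lifecycle calls from the guide above and refuses calls made out of order. The SGX and LibOS back-end calls, the pid value and the errno choices are stand-ins (assumptions), pal_get_evidence is left out, and the stdio field names are changed to avoid the stdio.h macros.

```c
/* Added example, not code from rune, Occlum or Gramine: an enclave-runtime side state
 * machine that refuses PAL calls made out of order (the concern raised in the thread).
 * Struct names follow the guide; SGX/LibOS calls and errno values are stand-ins. */
#include <errno.h>
#include <stddef.h>

struct pal_attr_t { const char *args; const char *log_level; char *user_priv; };
struct pal_stdio_fds { int stdin_fd, stdout_fd, stderr_fd; };  /* renamed: stdin etc. are macros */
struct pal_exec_args { char *path; char **argv; char **env;
                       struct pal_stdio_fds *stdio; int pid; int *exit_value; };
enum pal_state { PAL_UNINIT = 0, PAL_READY, PAL_DESTROYED };
static enum pal_state state = PAL_UNINIT;
static int live_pid = 0;   /* pid of the application while libos_exec() would be running it */
int pal_get_version(void) { return 4; }
int pal_init(const struct pal_attr_t *attr) {
    if (attr == NULL) return -EINVAL;
    if (state != PAL_UNINIT) return -EALREADY;  /* a second init would leak an enclave */
    state = PAL_READY;                          /* sgx_create_enclave() + LibOS init here */
    return 0;
}
int pal_exec(struct pal_exec_args *args) {
    if (args == NULL || args->path == NULL || args->exit_value == NULL) return -EINVAL;
    if (state != PAL_READY) return -ENOENT;     /* no enclave to run in without pal_init */
    live_pid = args->pid = 1;                   /* stand-in for libos_create_process() */
    *args->exit_value = 0;                      /* stand-in for the blocking libos_exec() */
    live_pid = 0;
    return 0;
}
int pal_kill(int pid, int sig) {
    if (state != PAL_READY || sig <= 0) return -EINVAL;   /* nothing initialised to signal */
    return (pid != 0 && pid == live_pid) ? 0 : -ESRCH;    /* libos_kill() would go here */
}
int pal_destroy(void) {
    if (state != PAL_READY) return -EINVAL;     /* never initialised, or already torn down */
    state = PAL_DESTROYED;                      /* libos_uninitialize() + sgx_destroy_enclave() */
    return 0;
}

/* Drives the documented order with misordered calls mixed in; 0 = every check held. */
int pal_lifecycle_selftest(void) {
    struct pal_attr_t attr = { "", "info", NULL };
    int exit_value = -1;
    struct pal_exec_args ex = { "/bin/true", NULL, NULL, NULL, 0, &exit_value };
    if (pal_exec(&ex) != -ENOENT) return 1;                       /* exec before init */
    if (pal_init(&attr) != 0 || pal_init(&attr) != -EALREADY) return 2;
    if (pal_exec(&ex) != 0 || ex.pid != 1 || exit_value != 0) return 3;
    if (pal_kill(ex.pid, 9) != -ESRCH) return 4;                  /* process already exited */
    if (pal_destroy() != 0 || pal_exec(&ex) != -ENOENT) return 5; /* exec after destroy */
    return pal_destroy() == -EINVAL ? 0 : 6;                      /* double destroy */
}
```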
Thanks for Gordan's feedback. For Gramine, it's hard to implement this function. Let's align on it in a meeting.
I'd also want to see the proposed changes documented like this: "v3 is not enough for enclave-cc because we need: ..."
In fact, there are the following changes related to V3
In enclave-cc, where's
rune is not bound to the Agent enclave or Attestation-Agent. rune is an independent runtime.
I know, but this issue is to discuss PAL changes needed by the agent enclave / enclave-cc.
@jiazhang0 is this issue still relevant or can it be closed?
@jiazhang0 I'd think we could close this for now and re-open later if any PAL API changes become relevant. Agree?
Agree to close it for now and re-open it if needed, thanks.
Closed for now, will reopen if needed.
This issue is used to address the definition of PAL API v4 for enclave-cc.