[LibOS] Make all pipe and UDS names Gramine-instance-specific #1761
Conversation
dimakuv
force-pushed
the
dimakuv/force-pipe-uds-to-one-gramine-instance
branch
from
10349c8
to
b9f1c99
Compare
There was a problem hiding this comment.
Reviewed 2 of 2 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @dimakuv)
libos/src/libos_init.c line 585 at r1 (raw file):
*hdl = pipe; len = snprintf(uri, size, URI_PREFIX_PIPE "%lu/%s", g_pal_public_state->instance_id, pipename); assert(len < size); /* must hold because above we did the same but with longer prefix */
I don't like this, it silently assumes that one prefix is longer than the other and will silently turn into a bug if we rename the prefixes.
Please either add a static assert for the lengths or just turn this into a normal if.
There was a problem hiding this comment.
Reviewable status: 1 of 2 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @mkow)
libos/src/libos_init.c line 585 at r1 (raw file):
Previously, mkow (Michał Kowalczyk) wrote…
I don't like this, it silently assumes that one prefix is longer than the other and will silently turn into a bug if we rename the prefixes.
Please either add a static assert for the lengths or just turn this into a normalif.
Done.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
libos/src/libos_init.c line 586 at r2 (raw file):
len = snprintf(uri, size, URI_PREFIX_PIPE "%lu/%s", g_pal_public_state->instance_id, pipename); static_assert(static_strlen(URI_PREFIX_PIPE) < static_strlen(URI_PREFIX_PIPE_SRV), "pipe prefixes are wrong");
Suggestion:
"without this condition the assert below should be changed into an `if`"
There was a problem hiding this comment.
Reviewable status: 1 of 2 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @mkow)
libos/src/libos_init.c line 586 at r2 (raw file):
len = snprintf(uri, size, URI_PREFIX_PIPE "%lu/%s", g_pal_public_state->instance_id, pipename); static_assert(static_strlen(URI_PREFIX_PIPE) < static_strlen(URI_PREFIX_PIPE_SRV), "pipe prefixes are wrong");
Done.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, all discussions resolved, "fixup! " found in commit messages' one-liners
There was a problem hiding this comment.
Reviewed 1 of 2 files at r1, 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, all discussions resolved, "fixup! " found in commit messages' one-liners
Commit "[LibOS,PAL] Move assigning name to a pipe/UDS from PAL to LibOS" had a small bug: the new LibOS logic lost the Gramine-instance-specific part of the name for some pipes and all UNIX Domain Sockets (UDSes). This led to a benign but annoying bug of e.g. two `gramine-direct` Gramine instances being able to establish a common UDS. This could have been considered a feature, but two `gramine-sgx` Gramine instances would (correctly) fail to establish a common UDS, because each `gramine-sgx` instance has its own encryption key, and thus two UDSes would not be able to establish a secure TLS channel (even though they see each other because of this bug). To make behavior of `gramine-direct` and `gramine-sgx` uniform, this commit forces all pipe names and UDS names to have the Gramine-instance-specific part in the name. I.e., previously UDSes had names on the host Linux like `@/gramine/<hash-of-uds-name>` and now they have names like `@/gramine/<gramine-instance-id>/<hash-of-uds-name>`. Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
mkow
force-pushed
the
dimakuv/force-pipe-uds-to-one-gramine-instance
branch
from
31cff28
to
609e9af
Compare
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status:
Description of the changes
Commit "[LibOS,PAL] Move assigning name to a pipe/UDS from PAL to LibOS" had a small bug: the new LibOS logic lost the Gramine-instance-specific part of the name for some pipes and all UNIX Domain Sockets (UDSes).
This led to a benign but annoying bug of e.g. two
gramine-directGramine instances being able to establish a common UDS. This could have been considered a feature, but twogramine-sgxGramine instances would (correctly) fail to establish a common UDS, because eachgramine-sgxinstance has its own encryption key, and thus two UDSes would not be able to establish a secure TLS channel (even though they see each other because of this bug).To make behavior of
gramine-directandgramine-sgxuniform, this commit forces all pipe names and UDS names to have the Gramine-instance-specific part in the name. I.e., previously UDSes had names on the host Linux like@/gramine/<hash-of-uds-name>and now they have names like@/gramine/<gramine-instance-id>/<hash-of-uds-name>.References:
How to test this PR?
Run two Gramine instances, one creating and listening on the UDS, another connecting to the same UDS.
gramine-directinstances will establish a connection. (gramine-sgxinstances won't because of failed TLS handshake.)gramine-directinstances will not be able to establish a connection.This change is