services/utils/service_enclave_utils/src/lib.rs

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.

#![feature(concat_idents)]

#[cfg(feature = "mesalock_sgx")]
extern crate sgx_trts;

use anyhow::Result;
use log::debug;
use log::error;
#[cfg(not(feature = "mesalock_sgx"))]
use std::fs;
use std::path::PathBuf;
use std::sync::{Arc, RwLock};
#[cfg(feature = "mesalock_sgx")]
use std::untrusted::{fs, path::PathEx};
use teaclave_attestation::verifier::AttestationReportVerificationFn;
use teaclave_attestation::AttestedTlsConfig;
use teaclave_config::RuntimeConfig;
use teaclave_types::{EnclaveInfo, TeeServiceResult};

mod macros;

#[cfg(feature = "cov")]
#[sgx_macros::global_dtor]
fn cov_exit() {
    println!("sgx_cov finished!");
    sgx_cov::cov_writeout();
}

extern "C" {
    pub static g_peak_heap_used: isize;
    pub static g_peak_rsrv_mem_committed: isize;
}

pub struct ServiceEnclave;

impl ServiceEnclave {
    pub fn init(_name: &str) -> TeeServiceResult<()> {
        let env = env_logger::Env::new()
            .filter_or("TEACLAVE_LOG", "RUST_LOG")
            .write_style_or("TEACLAVE_LOG_STYLE", "RUST_LOG_STYLE");
        let env_logger = env_logger::Builder::from_env(env).build();
        teaclave_logger::Builder::new()
            .secondary_logger(env_logger)
            .init();

        debug!("Enclave initializing");
        #[cfg(feature = "mesalock_sgx")]
        if std::backtrace::enable_backtrace(std::backtrace::PrintFormat::Full).is_err() {
            error!("Cannot enable backtrace");
            return Err(teaclave_types::TeeServiceError::SgxError);
        }

        Ok(())
    }

    pub fn finalize() -> TeeServiceResult<()> {
        debug!("Enclave finalizing");
        unsafe {
            debug!("g_peak_heap_used: {}", g_peak_heap_used);
            debug!("g_peak_rsrv_mem_committed: {}", g_peak_rsrv_mem_committed);
        }

        #[cfg(feature = "cov")]
        sgx_cov::cov_writeout();

        Ok(())
    }
}

pub fn base_dir_for_db(config: &RuntimeConfig) -> Result<PathBuf> {
    base_dir(config, "database")
}

pub fn base_dir_for_offload_functions(config: &RuntimeConfig) -> Result<PathBuf> {
    base_dir(config, "functions")
}

fn base_dir(config: &RuntimeConfig, sub_name: &str) -> Result<PathBuf> {
    let fusion_base = config.mount.fusion_base_dir.as_path();
    // We only create this base directory in test_mode
    // This directory should be mounted in release mode
    #[cfg(test_mode)]
    fs::create_dir_all(fusion_base)?;
    if !fusion_base.exists() {
        error!(
            "Fusion base directory is not mounted: {}",
            fusion_base.display()
        );
        anyhow::bail!("fusion_base not mounted");
    }

    let sub_base = fusion_base.join(sub_name);
    fs::create_dir_all(&sub_base)?;

    if !sub_base.exists() {
        error!(
            "Offload base directory is not mounted: {}",
            sub_base.display()
        );
        anyhow::bail!("sub_base not mounted");
    }
    Ok(sub_base)
}

macro_rules! impl_create_trusted_endpoint_fn {
    ($fn_name:ident, $enclave_attr:literal) => {
        pub fn $fn_name(
            advertised_address: &str,
            enclave_info: &EnclaveInfo,
            as_root_ca_cert: &[u8],
            verifier: AttestationReportVerificationFn,
            attested_tls_config: Arc<RwLock<AttestedTlsConfig>>,
        ) -> Result<teaclave_rpc::transport::channel::Endpoint> {
            let service_enclave_attrs = enclave_info
                .get_enclave_attr($enclave_attr)
                .expect("enclave attr");
            let client_tls_config =
                teaclave_rpc::config::SgxTrustedTlsClientConfig::from_attested_tls_config(
                    attested_tls_config,
                )?
                .attestation_report_verifier(vec![service_enclave_attrs], as_root_ca_cert, verifier)
                .into();

            let dst = advertised_address.parse::<teaclave_rpc::transport::Uri>()?;
            if dst.scheme().is_none() {
                anyhow::bail!(format!(
                    "Missing schema in {} advertised address",
                    stringify!($enclave_attr)
                ));
            };
            let endpoint = teaclave_rpc::transport::Channel::builder(dst)
                .tls_config(client_tls_config)?
                .connect_timeout(std::time::Duration::from_secs(30));
            Ok(endpoint)
        }
    };
}

impl_create_trusted_endpoint_fn!(create_trusted_storage_endpoint, "teaclave_storage_service");
impl_create_trusted_endpoint_fn!(
    create_trusted_authentication_endpoint,
    "teaclave_authentication_service"
);
impl_create_trusted_endpoint_fn!(
    create_trusted_management_endpoint,
    "teaclave_management_service"
);
impl_create_trusted_endpoint_fn!(
    create_trusted_scheduler_endpoint,
    "teaclave_scheduler_service"
);
impl_create_trusted_endpoint_fn!(
    create_trusted_access_control_endpoint,
    "teaclave_access_control_service"
);