Introduce the krun_set_data_disk API.

This API adds the possibility to introduce a second block device, to a TEE. It is assumed that the root disk contains a symmetric key (secret), and code to encrypt/decrypt the data disk before use. The recommended setup is to included cryptsetup on the root disk and use that to safely access the data disk. Signed-off-by: Zalan Blenessy <[email protected]>
containers · Jan 25, 2023 · 57c59dc · 57c59dc
1 parent 7412f15
commit 57c59dc
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@ LIBRARY_HEADER = include/libkrun.h
 INIT_BINARY = init/init
 
 ABI_VERSION=1
-FULL_VERSION=1.4.10
+FULL_VERSION=1.5.0
 
 ifeq ($(SEV),1)
     VARIANT = -sev

diff --git a/examples/launch-tee.c b/examples/launch-tee.c
@@ -38,9 +38,9 @@ int main(int argc, char *const argv[])
     int err;
     int i;
 
-    if (argc != 3) {
+    if (argc < 3 || argc > 4) {
         printf("Invalid arguments\n");
-        printf("Usage: %s DISK_IMAGE TEE_CONFIG_FILE\n", argv[0]);
+        printf("Usage: %s ROOT_DISK_IMAGE TEE_CONFIG_FILE [DATA_DISK_IMAGE]\n", argv[0]);
         return -1;
     }
 
@@ -74,6 +74,15 @@ int main(int argc, char *const argv[])
         return -1;
     }
 
+    // Use the third (optional) command line argument as the disk image containing a data disk.
+    if (argc > 3) {
+        if (err = krun_set_data_disk(ctx_id, argv[3])) {
+            errno = -err;
+            perror("Error configuring data disk image");
+            return -1;
+        }
+    }
+
     if (getcwd(&current_path[0], MAX_PATH) == NULL) {
         errno = -err;
         perror("Error getting current directory");

diff --git a/include/libkrun.h b/include/libkrun.h
@@ -75,6 +75,20 @@ int32_t krun_set_root(uint32_t ctx_id, const char *root_path);
  */
 int32_t krun_set_root_disk(uint32_t ctx_id, const char *disk_path);
 
+/*
+ * Sets the path to the disk image that contains the file-system to be used as a data partition for the microVM.
+ * The only supported image format is "raw". Only available in libkrun-SEV.
+ *
+ * Arguments:
+ *  "ctx_id"    - the configuration context ID.
+ *  "disk_path" - a null-terminated string representing the path leading to the disk image that
+ *                contains the root file-system.
+ *
+ * Returns:
+ *  Zero on success or a negative error number on failure.
+ */
+int32_t krun_set_data_disk(uint32_t ctx_id, const char *disk_path);
+
 /*
  * Configures the mapped volumes for the microVM. Only supported on macOS, on Linux use
  * user_namespaces and bind-mounts instead. Not available in libkrun-SEV.

diff --git a/src/libkrun/Cargo.toml b/src/libkrun/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "libkrun"
-version = "1.4.10"
+version = "1.5.0"
 authors = ["Sergio Lopez <[email protected]>"]
 edition = "2021"
 build = "build.rs"

diff --git a/src/libkrun/src/lib.rs b/src/libkrun/src/lib.rs
@@ -55,7 +55,9 @@ struct ContextConfig {
     #[cfg(not(feature = "tee"))]
     fs_cfg: Option<FsDeviceConfig>,
     #[cfg(feature = "tee")]
-    block_cfg: Option<BlockDeviceConfig>,
+    root_block_cfg: Option<BlockDeviceConfig>,
+    #[cfg(feature = "tee")]
+    data_block_cfg: Option<BlockDeviceConfig>,
     port_map: Option<HashMap<u16, u16>>,
     #[cfg(feature = "tee")]
     tee_config_file: Option<PathBuf>,
@@ -128,13 +130,23 @@ impl ContextConfig {
     }
 
     #[cfg(feature = "tee")]
-    fn set_block_cfg(&mut self, block_cfg: BlockDeviceConfig) {
-        self.block_cfg = Some(block_cfg);
+    fn set_root_block_cfg(&mut self, block_cfg: BlockDeviceConfig) {
+        self.root_block_cfg = Some(block_cfg);
+    }
+
+    #[cfg(feature = "tee")]
+    fn get_root_block_cfg(&self) -> Option<BlockDeviceConfig> {
+        self.root_block_cfg.clone()
+    }
+
+    #[cfg(feature = "tee")]
+    fn set_data_block_cfg(&mut self, block_cfg: BlockDeviceConfig) {
+        self.data_block_cfg = Some(block_cfg);
     }
 
     #[cfg(feature = "tee")]
-    fn get_block_cfg(&self) -> Option<BlockDeviceConfig> {
-        self.block_cfg.clone()
+    fn get_data_block_cfg(&self) -> Option<BlockDeviceConfig> {
+        self.data_block_cfg.clone()
     }
 
     fn set_port_map(&mut self, port_map: HashMap<u16, u16>) {
@@ -397,7 +409,37 @@ pub unsafe extern "C" fn krun_set_root_disk(ctx_id: u32, c_disk_path: *const c_c
                 is_disk_read_only: false,
                 is_disk_root: true,
             };
-            cfg.set_block_cfg(block_device_config);
+            cfg.set_root_block_cfg(block_device_config);
+        }
+        Entry::Vacant(_) => return -libc::ENOENT,
+    }
+
+    KRUN_SUCCESS
+}
+
+#[allow(clippy::missing_safety_doc)]
+#[no_mangle]
+#[cfg(feature = "tee")]
+pub unsafe extern "C" fn krun_set_data_disk(ctx_id: u32, c_disk_path: *const c_char) -> i32 {
+    let disk_path = match CStr::from_ptr(c_disk_path).to_str() {
+        Ok(disk) => disk,
+        Err(_) => return -libc::EINVAL,
+    };
+
+    //let fs_id = "/dev/root".to_string();
+    //let shared_dir = root_path.to_string();
+
+    match CTX_MAP.lock().unwrap().entry(ctx_id) {
+        Entry::Occupied(mut ctx_cfg) => {
+            let cfg = ctx_cfg.get_mut();
+            let block_device_config = BlockDeviceConfig {
+                block_id: "data".to_string(),
+                cache_type: CacheType::Writeback,
+                disk_image_path: disk_path.to_string(),
+                is_disk_read_only: false,
+                is_disk_root: false,
+            };
+            cfg.set_data_block_cfg(block_device_config);
         }
         Entry::Vacant(_) => return -libc::ENOENT,
     }
@@ -660,8 +702,16 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
     }
 
     #[cfg(feature = "tee")]
-    if let Some(block_cfg) = ctx_cfg.get_block_cfg() {
-        if ctx_cfg.vmr.set_block_device(block_cfg).is_err() {
+    if let Some(block_cfg) = ctx_cfg.get_root_block_cfg() {
+        if ctx_cfg.vmr.add_block_device(block_cfg).is_err() {
+            error!("Error configuring virtio-blk");
+            return -libc::EINVAL;
+        }
+    }
+
+    #[cfg(feature = "tee")]
+    if let Some(block_cfg) = ctx_cfg.get_data_block_cfg() {
+        if ctx_cfg.vmr.add_block_device(block_cfg).is_err() {
             error!("Error configuring virtio-blk");
             return -libc::EINVAL;
         }

diff --git a/src/vmm/src/resources.rs b/src/vmm/src/resources.rs
@@ -229,7 +229,7 @@ impl VmResources {
     }
 
     #[cfg(feature = "tee")]
-    pub fn set_block_device(&mut self, config: BlockDeviceConfig) -> Result<BlockConfigError> {
+    pub fn add_block_device(&mut self, config: BlockDeviceConfig) -> Result<BlockConfigError> {
         self.block.insert(config)
     }