[fix] try using mimalloc on musl (#132)

aws-samples · Feb 3, 2025 · 497e8ed · 497e8ed
1 parent 8b441a8
commit 497e8ed
Show file tree

Hide file tree

Showing 11 changed files with 94 additions and 48 deletions.
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.x
           cache: pip

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/api/dependencies/requirements.txt b/api/dependencies/requirements.txt
@@ -1,4 +1,4 @@
-aws-lambda-powertools[tracer,parser]==3.4.1
+aws-lambda-powertools[tracer,parser]==3.5.0
 cryptography==43.0.3
 hpke==0.3.2
 pksuid==1.1.2

diff --git a/api/requirements-dev.txt b/api/requirements-dev.txt
@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.4.1
+aws-lambda-powertools[all,aws-sdk]==3.5.0
 boto3-stubs[dynamodb,kms]
diff --git a/canary/dependencies/requirements.txt b/canary/dependencies/requirements.txt
@@ -1 +1 @@
-aws-lambda-powertools==3.4.1
+aws-lambda-powertools==3.5.0
diff --git a/canary/requirements-dev.txt b/canary/requirements-dev.txt
@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.4.1
+aws-lambda-powertools[all,aws-sdk]==3.5.0
 boto3-stubs[dynamodb,kms]
diff --git a/ci_template.yml b/ci_template.yml
@@ -913,12 +913,6 @@ Resources:
               - Effect: Allow
                 Action: "s3:ListBucket"  # required for Lambda code signing
                 Resource: !GetAtt rArtifactBucket.Arn
-              - Effect: Allow
-                Action: "secretsmanager:GetSecretValue"
-                Resource: !Ref rSigningSecret
-              - Effect: Allow
-                Action: "secretsmanager:PutSecretValue"
-                Resource: !Ref rMeasurementSecret
               - Effect: Allow
                 Action: "signer:StartSigningJob"
                 Resource: !Ref rSigningProfile
@@ -937,6 +931,28 @@ Resources:
         - Key: "dp:exclude:network"
           Value: "true"
 
+  rSecretsManagerPolicy:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: SecretsManager
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action: "secretsmanager:GetSecretValue"
+            Resource: !Ref rSigningSecret
+            Condition:
+              ArnEquals:
+                "codebuild:projectArn": !GetAtt rVaultCodeBuildProject.Arn
+          - Effect: Allow
+            Action: "secretsmanager:PutSecretValue"
+            Resource: !Ref rMeasurementSecret
+            Condition:
+              ArnEquals:
+                "codebuild:projectArn": !GetAtt rVaultCodeBuildProject.Arn
+      Roles:
+        - !Ref rCodeBuildRole
+
   rCloudWatchLogsPolicy:
     Type: "AWS::IAM::Policy"
     Properties:

diff --git a/enclave/Cargo.toml b/enclave/Cargo.toml
@@ -20,7 +20,10 @@ cel-interpreter = { version = "=0.9.0", default-features = false, features = ["j
 chrono = { version = "=0.4.39", default-features = false, features = ["now"] }
 data-encoding = { version = "=2.7.0", default-features = false, features = ["alloc"] }
 serde = { version = "=1.0.217", default-features = false, features = ["derive"] }
-serde_json = { version = "=1.0.137", default-features = false }
-rustls = { version = "=0.23.21", default-features = false, features = ["aws_lc_rs"] }
+serde_json = { version = "=1.0.138", default-features = false }
+rustls = { version = "=0.23.22", default-features = false, features = ["aws_lc_rs"] }
 vsock = { version = "=0.5.1", default-features = false }
 zeroize = { version = "=1.8.1", default-features = false, features = ["zeroize_derive"] }
+
+[target.'cfg(target_env = "musl")'.dependencies]
+mimalloc = { version = "=0.1.43", default-features = false, features = ["secure"] }
diff --git a/enclave/src/main.rs b/enclave/src/main.rs
@@ -13,6 +13,11 @@ use enclave_vault::{
 use rustls::crypto::hpke::HpkePrivateKey;
 use vsock::{VsockAddr, VsockListener, VsockStream, VMADDR_CID_ANY};
 
+// Avoid musl's default allocator due to terrible performance
+#[cfg(target_env = "musl")]
+#[global_allocator]
+static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
+
 #[inline]
 fn parse_payload(payload_buffer: &[u8]) -> Result<EnclaveRequest> {
     let payload: EnclaveRequest = serde_json::from_slice(payload_buffer)

diff --git a/parent/Cargo.toml b/parent/Cargo.toml
@@ -23,7 +23,7 @@ byteorder = { version = "=1.5.0", default-features = false }
 clap = { version = "=4.5.27", default-features = false, features = ["std", "derive", "env"] }
 fastrand = { version = "=2.3.0", default-features = false }
 serde = { version = "=1.0.217", default-features = false, features = ["derive"] }
-serde_json = { version = "=1.0.137", default-features = false }
+serde_json = { version = "=1.0.138", default-features = false }
 thiserror = { version = "=2.0.11", default-features = false }
 tokio = { version = "=1.43.0", default-features = false, features = ["rt-multi-thread", "process", "tracing"] }
 tracing = { version = "=0.1.41", default-features = false, features = ["log"] }

diff --git a/vault_template.yml b/vault_template.yml
@@ -170,6 +170,9 @@ Resources:
           - Effect: Allow
             Action: "s3:GetObject"
             Resource: !Sub "arn:${AWS::Partition}:s3:::${pArtifactBucketName}/${pArtifactObjectKey}"
+            Condition:
+              StringEquals:
+                "aws:ResourceAccount": !Ref "AWS::AccountId"
           - Effect: Allow
             Action:
               - "cloudformation:DescribeStackResource"
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		aws-lambda-powertools==3.4.1
		aws-lambda-powertools==3.5.0