From 497e8ed2d5c09bcf305e76f3606c6f0f3bdb2338 Mon Sep 17 00:00:00 2001
From: Justin Plock
Date: Mon, 3 Feb 2025 11:01:54 -0500
Subject: [PATCH] [fix] try using mimalloc on musl (#132)
---
 .github/workflows/deploy-docs.yml | 2 +-
 Cargo.lock | 87 +++++++++++++++++-----------
 api/dependencies/requirements.txt | 2 +-
 api/requirements-dev.txt | 2 +-
 canary/dependencies/requirements.txt | 2 +-
 canary/requirements-dev.txt | 2 +-
 ci_template.yml | 28 +++++++--
 enclave/Cargo.toml | 7 ++-
 enclave/src/main.rs | 5 ++
 parent/Cargo.toml | 2 +-
 vault_template.yml | 3 +
 11 files changed, 94 insertions(+), 48 deletions(-)
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 72a736d..b5e573e 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -29,7 +29,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+ - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
 with:
 python-version: 3.x
 cache: pip
diff --git a/Cargo.lock b/Cargo.lock
index c781967..9534ee0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -142,9 +142,9 @@ dependencies = [
 [[package]]
 name = "aws-sdk-sts"
-version = "1.57.0"
+version = "1.58.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "115fd4fb663817ed595a5ee4f1649d7aacd861d47462323cb37576ce89271b93"
+checksum = "ba60e1d519d6f23a9df712c04fdeadd7872ac911c84b2f62a8bda92e129b7962"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@@ -338,7 +338,7 @@ dependencies = [
 "http 1.2.0",
 "http-body 1.0.1",
 "http-body-util",
- "hyper 1.5.2",
+ "hyper 1.6.0",
 "hyper-util",
 "itoa",
 "matchit",
@@ -476,9 +476,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 [[package]]
 name = "bytes"
-version = "1.9.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b"
+checksum = "f61dac84819c6588b558454b194026eb1f09c293b9036ae9b159e74e73ab6cf9"
 [[package]]
 name = "bytes-utils"
@@ -492,9 +492,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.2.10"
+version = "1.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13208fcbb66eaeffe09b99fffbe1af420f00a7b35aa99ad683dfc1aa76145229"
+checksum = "e4730490333d58093109dc02c23174c3f4d490998c3fed3cc8e82d57afedb9cf"
 dependencies = [
 "jobserver",
 "libc",
@@ -610,9 +610,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
 [[package]]
 name = "cmake"
-version = "0.1.52"
+version = "0.1.53"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c682c223677e0e5b6b7f63a64b9351844c3f1b1678a68b7ee617e30fb082620e"
+checksum = "e24a03c8b52922d68a1589ad61032f2c1aa5a8158d2aa0d93c6e9534944bbad6"
 dependencies = [
 "cc",
 ]
@@ -720,7 +720,8 @@ dependencies = [
 "cel-interpreter",
 "chrono",
 "data-encoding",
- "rustls 0.23.21",
+ "mimalloc",
+ "rustls 0.23.22",
 "serde",
 "serde_json",
 "vsock",
@@ -961,9 +962,9 @@ dependencies = [
 [[package]]
 name = "httparse"
-version = "1.9.5"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d71d3574edd2771538b901e6549113b4006ece66150fb69c0fb6d9a2adae946"
+checksum = "f2d708df4e7140240a16cd6ab0ab65c972d7433ab77819ea693fde9c43811e2a"
 [[package]]
 name = "httpdate"
@@ -997,9 +998,9 @@ dependencies = [
 [[package]]
 name = "hyper"
-version = "1.5.2"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "256fb8d4bd6413123cc9d91832d78325c48ff41677595be797d90f42969beae0"
+checksum = "cc2b571658e38e0c01b1fdca3bbbe93c00d3d71693ff2770043f8c29bc7d6f80"
 dependencies = [
 "bytes",
 "futures-channel",
@@ -1040,7 +1041,7 @@ dependencies = [
 "futures-util",
 "http 1.2.0",
 "http-body 1.0.1",
- "hyper 1.5.2",
+ "hyper 1.6.0",
 "pin-project-lite",
 "tokio",
 "tower-service",
@@ -1297,6 +1298,16 @@ dependencies = [
 "windows-targets",
 ]
+[[package]]
+name = "libmimalloc-sys"
+version = "0.1.39"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23aa6811d3bd4deb8a84dde645f943476d13b248d818edcf8ce0b2f37f036b44"
+dependencies = [
+ "cc",
+ "libc",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.4.15"
@@ -1355,6 +1366,15 @@ dependencies = [
 "autocfg",
 ]
+[[package]]
+name = "mimalloc"
+version = "0.1.43"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68914350ae34959d83f732418d51e2427a794055d0b9529f48259ac07af65633"
+dependencies = [
+ "libmimalloc-sys",
+]
+
 [[package]]
 name = "mime"
 version = "0.3.17"
@@ -1552,9 +1572,9 @@ dependencies = [
 [[package]]
 name = "phf_shared"
-version = "0.10.0"
+version = "0.11.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+checksum = "67eabc2ef2a60eb7faa00097bd1ffdb5bd28e62bf39990626a582201b7a754e5"
 dependencies = [
 "siphasher",
 ]
@@ -1739,9 +1759,9 @@ dependencies = [
 [[package]]
 name = "rustls"
-version = "0.23.21"
+version = "0.23.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f287924602bf649d949c63dc8ac8b235fa5387d394020705b80c4eb597ce5b8"
+checksum = "9fb9263ab4eb695e42321db096e3b8fbd715a59b154d5c88d82db2175b681ba7"
 dependencies = [
 "aws-lc-rs",
 "once_cell",
@@ -1774,9 +1794,9 @@ dependencies = [
 [[package]]
 name = "rustls-pki-types"
-version = "1.10.1"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2bf47e6ff922db3825eb750c4e2ff784c6ff8fb9e13046ef6a1d1c5401b0b37"
+checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c"
 [[package]]
 name = "rustls-webpki"
@@ -1808,9 +1828,9 @@ checksum = "f7c45b9784283f1b2e7fb61b42047c2fd678ef0960d4f6f1eba131594cc369d4"
 [[package]]
 name = "ryu"
-version = "1.0.18"
+version = "1.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+checksum = "6ea1a2d0a644769cc99faa24c3ad26b379b786fe7c36fd3c546254801650e6dd"
 [[package]]
 name = "same-file"
@@ -1897,9 +1917,9 @@ dependencies = [
 [[package]]
 name = "serde_json"
-version = "1.0.137"
+version = "1.0.138"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "930cfb6e6abf99298aaad7d29abbef7a9999a9a8806a40088f55f0dcec03146b"
+checksum = "d434192e7da787e94a6ea7e9670b26a036d0ca41e0b7efb2676dd32bae872949"
 dependencies = [
 "itoa",
 "memchr",
@@ -1964,9 +1984,9 @@ dependencies = [
 [[package]]
 name = "siphasher"
-version = "0.3.11"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d"
+checksum = "56199f7ddabf13fe5074ce809e7d3f42b42ae711800501b5b16ea82ad029c39d"
 [[package]]
 name = "slab"
@@ -2007,12 +2027,11 @@ checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 [[package]]
 name = "string_cache"
-version = "0.8.7"
+version = "0.8.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f91138e76242f575eb1d3b38b4f1362f10d3a43f47d182a5b359af488a02293b"
+checksum = "938d512196766101d333398efde81bc1f37b00cb42c2f8350e5df639f040bbbe"
 dependencies = [
 "new_debug_unreachable",
- "once_cell",
 "parking_lot",
 "phf_shared",
 "precomputed-hash",
@@ -2026,9 +2045,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
 [[package]]
 name = "syn"
-version = "2.0.96"
+version = "2.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5d0adab1ae378d7f53bdebc67a39f1f151407ef230f0ce2883572f5d8985c80"
+checksum = "36147f1a48ae0ec2b5b3bc5b537d267457555a10dc06f3dbc8cb11ba3006d3b1"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2307,9 +2326,9 @@ checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
 [[package]]
 name = "unicode-ident"
-version = "1.0.15"
+version = "1.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11cd88e12b17c6494200a9c1b683a04fcac9573ed74cd1b62aeb2727c5592243"
+checksum = "a210d160f08b701c8721ba1c726c11662f877ea6b7094007e1ca9a1041945034"
 [[package]]
 name = "unicode-xid"
diff --git a/api/dependencies/requirements.txt b/api/dependencies/requirements.txt
index 114efd8..4258f75 100644
--- a/api/dependencies/requirements.txt
+++ b/api/dependencies/requirements.txt
@@ -1,4 +1,4 @@
-aws-lambda-powertools[tracer,parser]==3.4.1
+aws-lambda-powertools[tracer,parser]==3.5.0
 cryptography==43.0.3
 hpke==0.3.2
 pksuid==1.1.2
diff --git a/api/requirements-dev.txt b/api/requirements-dev.txt
index 250ca8d..6682873 100644
--- a/api/requirements-dev.txt
+++ b/api/requirements-dev.txt
@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.4.1
+aws-lambda-powertools[all,aws-sdk]==3.5.0
 boto3-stubs[dynamodb,kms]
diff --git a/canary/dependencies/requirements.txt b/canary/dependencies/requirements.txt
index 53416bb..c1ec25d 100644
--- a/canary/dependencies/requirements.txt
+++ b/canary/dependencies/requirements.txt
@@ -1 +1 @@
-aws-lambda-powertools==3.4.1
+aws-lambda-powertools==3.5.0
diff --git a/canary/requirements-dev.txt b/canary/requirements-dev.txt
index 250ca8d..6682873 100644
--- a/canary/requirements-dev.txt
+++ b/canary/requirements-dev.txt
@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.4.1
+aws-lambda-powertools[all,aws-sdk]==3.5.0
 boto3-stubs[dynamodb,kms]
diff --git a/ci_template.yml b/ci_template.yml
index fe14148..d64119c 100644
--- a/ci_template.yml
+++ b/ci_template.yml
@@ -913,12 +913,6 @@ Resources:
 - Effect: Allow
 Action: "s3:ListBucket" # required for Lambda code signing
 Resource: !GetAtt rArtifactBucket.Arn
- - Effect: Allow Action: "secretsmanager:GetSecretValue" Resource: !Ref rSigningSecret
- - Effect: Allow Action: "secretsmanager:PutSecretValue" Resource: !Ref rMeasurementSecret
 - Effect: Allow
 Action: "signer:StartSigningJob"
 Resource: !Ref rSigningProfile
@@ -937,6 +931,28 @@ Resources:
 - Key: "dp:exclude:network"
 Value: "true"
+ rSecretsManagerPolicy:
+ Type: "AWS::IAM::Policy"
+ Properties:
+ PolicyName: SecretsManager
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: "secretsmanager:GetSecretValue"
+ Resource: !Ref rSigningSecret
+ Condition:
+ ArnEquals:
+ "codebuild:projectArn": !GetAtt rVaultCodeBuildProject.Arn
+ - Effect: Allow
+ Action: "secretsmanager:PutSecretValue"
+ Resource: !Ref rMeasurementSecret
+ Condition:
+ ArnEquals:
+ "codebuild:projectArn": !GetAtt rVaultCodeBuildProject.Arn
+ Roles:
+ - !Ref rCodeBuildRole
+
 rCloudWatchLogsPolicy:
 Type: "AWS::IAM::Policy"
 Properties:
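Review bot: The new `rSecretsManagerPolicy` carries no comment on why the two Secrets Manager grants now live in a standalone `AWS::IAM::Policy` with a `codebuild:projectArn` condition instead of inline in `rCodeBuildRole` as before, and the commit title says nothing about an IAM change at all. The condition is the whole point: under `ArnEquals`, a request whose context lacks `codebuild:projectArn` (the role assumed directly, or credentials from any project other than `rVaultCodeBuildProject`) does not match and falls to the implicit deny, so the signing secret is readable and the measurement secret writable only from builds of that one project. Moving the statements out of the role is presumably required because the condition references the project ARN while the project references the role, which would be circular if inlined — if that is the reason, record it. I would add above `rSecretsManagerPolicy:` the comment `# Kept separate from rCodeBuildRole: the condition below references rVaultCodeBuildProject, which itself references the role` and above the first `Condition:` the comment `# codebuild:projectArn is only present on credentials CodeBuild vends to a build of this project; ArnEquals denies every other use of the role`. The enclosing `Resources:` map begins and ends outside the hunk.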
diff --git a/enclave/Cargo.toml b/enclave/Cargo.toml
index c925879..2893371 100644
--- a/enclave/Cargo.toml
+++ b/enclave/Cargo.toml
@@ -20,7 +20,10 @@ cel-interpreter = { version = "=0.9.0", default-features = false, features = ["j
 chrono = { version = "=0.4.39", default-features = false, features = ["now"] }
 data-encoding = { version = "=2.7.0", default-features = false, features = ["alloc"] }
 serde = { version = "=1.0.217", default-features = false, features = ["derive"] }
-serde_json = { version = "=1.0.137", default-features = false }
+serde_json = { version = "=1.0.138", default-features = false }
-rustls = { version = "=0.23.21", default-features = false, features = ["aws_lc_rs"] }
+rustls = { version = "=0.23.22", default-features = false, features = ["aws_lc_rs"] }
 vsock = { version = "=0.5.1", default-features = false }
 zeroize = { version = "=1.8.1", default-features = false, features = ["zeroize_derive"] }
+
+[target.'cfg(target_env = "musl")'.dependencies]
+mimalloc = { version = "=0.1.43", default-features = false, features = ["secure"] }
diff --git a/enclave/src/main.rs b/enclave/src/main.rs
index 3461e0f..caf1b97 100644
--- a/enclave/src/main.rs
+++ b/enclave/src/main.rs
@@ -13,6 +13,11 @@ use enclave_vault::{
 use rustls::crypto::hpke::HpkePrivateKey;
 use vsock::{VsockAddr, VsockListener, VsockStream, VMADDR_CID_ANY};
+// Avoid musl's default allocator due to terrible performance
+#[cfg(target_env = "musl")]
+#[global_allocator]
+static GLOBAL: mimalloc::MiMalloc = mimalloc::MiMalloc;
+
 #[inline]
 fn parse_payload(payload_buffer: &[u8]) -> Result {
 let payload: EnclaveRequest = serde_json::from_slice(payload_buffer)
diff --git a/parent/Cargo.toml b/parent/Cargo.toml
index 7277690..7160297 100644
--- a/parent/Cargo.toml
+++ b/parent/Cargo.toml
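Review bot: The new `mimalloc` dependency turns on the `secure` feature without saying why, and the swap is narrower than the manifest suggests: a Rust `#[global_allocator]` only redirects allocations made through Rust's `alloc`, so the C code that the `rustls` `aws_lc_rs` backend compiles keeps calling musl's malloc unless mimalloc's `override` feature is also enabled, which `default-features = false, features = ["secure"]` does not do. Leaving the C heap alone is probably the right call for a statically linked enclave binary, where overriding malloc symbols gets awkward, but it should be a recorded decision rather than an accident. I would add above the `[target.'cfg(target_env = "musl")'.dependencies]` table `# musl's allocator is slow; mimalloc "secure" mode adds guard pages and free-list hardening (per mimalloc's docs) at some throughput cost, which we accept inside the enclave` and `# Rust allocations only: aws-lc's C heap still goes through musl malloc because "override" is not enabled`. Whether the secure-mode overhead is acceptable on the vsock request path is not something this diff can show.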
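Review bot: The added comment `// Avoid musl's default allocator due to terrible performance` gives only the performance half of the rationale; the manifest builds mimalloc with its `secure` feature, and in a binary that imports `HpkePrivateKey` and depends on `zeroize` that hardening is at least as relevant as speed, so a later reader tuning for throughput could drop `secure` without realising it was deliberate. I would replace the comment with `// musl's allocator is slow; use mimalloc, built in its "secure" mode (see enclave/Cargo.toml) since this process handles private key material` — the key-handling part is inferred from the imports above and should be confirmed. The `#[cfg(target_env = "musl")]` gate matches the target-specific dependency, so a non-musl build silently keeps the system allocator; that is worth a half-sentence in the same comment. The `parse_payload` function that follows the new static starts inside the hunk and runs past it.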
@@ -23,7 +23,7 @@ byteorder = { version = "=1.5.0", default-features = false }
 clap = { version = "=4.5.27", default-features = false, features = ["std", "derive", "env"] }
 fastrand = { version = "=2.3.0", default-features = false }
 serde = { version = "=1.0.217", default-features = false, features = ["derive"] }
-serde_json = { version = "=1.0.137", default-features = false }
+serde_json = { version = "=1.0.138", default-features = false }
 thiserror = { version = "=2.0.11", default-features = false }
 tokio = { version = "=1.43.0", default-features = false, features = ["rt-multi-thread", "process", "tracing"] }
 tracing = { version = "=0.1.41", default-features = false, features = ["log"] }
diff --git a/vault_template.yml b/vault_template.yml
index 74df3fd..52ecd14 100644
--- a/vault_template.yml
+++ b/vault_template.yml
@@ -170,6 +170,9 @@ Resources:
 - Effect: Allow
 Action: "s3:GetObject"
 Resource: !Sub "arn:${AWS::Partition}:s3:::${pArtifactBucketName}/${pArtifactObjectKey}"
+ Condition:
+ StringEquals:
+ "aws:ResourceAccount": !Ref "AWS::AccountId"
 - Effect: Allow
 Action:
 - "cloudformation:DescribeStackResource"
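Review bot: The new `aws:ResourceAccount` condition on the `s3:GetObject` grant is the right guard but is left unexplained; the bucket is addressed through the `pArtifactBucketName` parameter rather than a stack-owned resource, so without the condition a same-named bucket in a foreign account could be the one serving the artifact, which appears to be the motivation. I would add above `Condition:` the comment `# Bucket is identified by a caller-supplied name; only read the object if the bucket is owned by this account`. The condition is attached to this one statement only, so any other grant in the template that reaches `pArtifactBucketName` by name (e.g. a `s3:ListBucket` or `s3:GetObjectVersion`) still needs the same check. The statement list this entry belongs to begins outside the hunk.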