From 597745c7a34d525d3ad9cd522a96eac5c68c4422 Mon Sep 17 00:00:00 2001 From: Jernej Kos Date: Sun, 14 Jan 2024 07:19:03 +0100 Subject: [PATCH 1/4] runtime: Increase number of processing threads in SGX --- .changelog/5523.internal.md | 1 + runtime/THREADS.md | 6 +++--- runtime/src/future.rs | 4 ++-- tests/runtimes/simple-keymanager/Cargo.toml | 4 ++-- tests/runtimes/simple-keyvalue/Cargo.toml | 4 ++-- 5 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 .changelog/5523.internal.md diff --git a/.changelog/5523.internal.md b/.changelog/5523.internal.md new file mode 100644 index 00000000000..c53bbeaff4c --- /dev/null +++ b/.changelog/5523.internal.md @@ -0,0 +1 @@ +runtime: Increase number of processing threads in SGX diff --git a/runtime/THREADS.md b/runtime/THREADS.md index 5d6597ee061..c29e10b44b1 100644 --- a/runtime/THREADS.md +++ b/runtime/THREADS.md @@ -1,12 +1,12 @@ # Threads -The following **8 threads** are used by the runtime: +The following **26 threads** are used by the runtime: * 2 runtime host protocol I/O threads. * 1 consensus verifier thread. * 1 dispatcher main loop thread. -* 2 dispatcher worker threads. -* 2 dispatcher processing threads. +* 6 dispatcher worker threads. +* 16 dispatcher processing threads. This must be taken into account when building the runtime for SGX as all the thread control structures (TCS) must be defined in advance. diff --git a/runtime/src/future.rs b/runtime/src/future.rs index ffdb06dd129..2acf87b6d63 100644 --- a/runtime/src/future.rs +++ b/runtime/src/future.rs @@ -8,8 +8,8 @@ pub fn new_tokio_runtime() -> tokio::runtime::Runtime { // // Make sure to update THREADS.md if you change any of the thread-related settings. tokio::runtime::Builder::new_multi_thread() - .worker_threads(2) - .max_blocking_threads(2) + .worker_threads(6) + .max_blocking_threads(16) .thread_keep_alive(std::time::Duration::MAX) .build() .unwrap() 
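Review bot: In `new_tokio_runtime`, `.worker_threads(6)` and `.max_blocking_threads(16)` are bare literals whose sum, plus the four fixed threads listed in THREADS.md, has to equal the `threads = 26` value declared in each runtime's `[package.metadata.fortanix-sgx]` table, and nothing in the code ties the numbers together. The existing comment only points at THREADS.md, so a runtime manifest outside this tree that still declares `threads = 8` would presumably build and then fail to spawn threads inside the enclave once the pools grow. I would spell the arithmetic out next to the builder, e.g. `// 6 workers + 16 blocking + 4 fixed threads = 26 TCS; keep in sync with "threads" in the runtime's Cargo.toml.`, or lift the two values into named constants. The function starts outside the hunk.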
diff --git a/tests/runtimes/simple-keymanager/Cargo.toml b/tests/runtimes/simple-keymanager/Cargo.toml index 1095b220ec0..44426f10ed7 100644 --- a/tests/runtimes/simple-keymanager/Cargo.toml +++ b/tests/runtimes/simple-keymanager/Cargo.toml @@ -15,9 +15,9 @@ doc = false path = "src/upgraded.rs" [package.metadata.fortanix-sgx] -heap-size = 134217728 +heap-size = 536870912 # 512 MiB stack-size = 2097152 -threads = 8 +threads = 26 [dependencies] oasis-core-runtime = { path = "../../../runtime" } diff --git a/tests/runtimes/simple-keyvalue/Cargo.toml b/tests/runtimes/simple-keyvalue/Cargo.toml index 0a97279d9db..41932429f6d 100644 --- a/tests/runtimes/simple-keyvalue/Cargo.toml +++ b/tests/runtimes/simple-keyvalue/Cargo.toml @@ -15,9 +15,9 @@ doc = false path = "src/upgraded.rs" [package.metadata.fortanix-sgx] -heap-size = 134217728 +heap-size = 536870912 # 512 MiB stack-size = 2097152 -threads = 8 +threads = 26 [dependencies] cbor = { version = "0.5.1", package = "oasis-cbor" } From 999508a9eaf3ffdeedb12776a6463b76e4fba52d Mon Sep 17 00:00:00 2001 From: Jernej Kos Date: Wed, 28 Feb 2024 09:22:33 +0100 Subject: [PATCH 2/4] go/common/sgx/pcs: Support update type when fetching TCB infos --- go/common/sgx/pcs/http.go | 8 +++++--- go/common/sgx/pcs/mock.go | 3 --- go/common/sgx/pcs/pcs.go | 14 +++++++++++++- 3 files changed, 18 insertions(+), 7 deletions(-) delete mode 100644 go/common/sgx/pcs/mock.go diff --git a/go/common/sgx/pcs/http.go b/go/common/sgx/pcs/http.go index dfdf07f3927..71bf6defdd4 100644 --- a/go/common/sgx/pcs/http.go +++ b/go/common/sgx/pcs/http.go 
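Review bot: Both test manifests raise `heap-size` from 134217728 to 536870912 alongside `threads = 26`, but the commit subject, the changelog fragment and THREADS.md mention only the thread count. The `# 512 MiB` comment says what the value is, not why it quadrupled; if the larger heap is needed because of the additional threads, downstream runtime authors sizing their own enclaves need to know that too. A comment on the line such as `# 512 MiB; raised together with threads = 26 (see runtime/THREADS.md)` plus a sentence in THREADS.md would cover it. The same applies to the simple-keyvalue hunk.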
@@ -88,15 +88,14 @@ func (hc *httpClient) getUrl(p string) *url.URL { // nolint: revive return &u } -func (hc *httpClient) GetTCBBundle(ctx context.Context, fmspc []byte) (*TCBBundle, error) { - // TODO: Cache based on FMSPC, with TTL that is less than expiration time. - +func (hc *httpClient) GetTCBBundle(ctx context.Context, fmspc []byte, update UpdateType) (*TCBBundle, error) { var tcbBundle TCBBundle // First fetch TCB info. u := hc.getUrl(pcsAPIGetTCBInfoPath) q := u.Query() q.Set("fmspc", hex.EncodeToString(fmspc)) + q.Set("update", string(update)) u.RawQuery = q.Encode() rsp, err := hc.doPCSRequest(ctx, u, http.MethodGet, "", nil, false) if err != nil { @@ -120,6 +119,9 @@ func (hc *httpClient) GetTCBBundle(ctx context.Context, fmspc []byte) (*TCBBundl // Then fetch QE identity. u = hc.getUrl(pcsAPIGetQEIdentityPath) + q = u.Query() + q.Set("update", string(update)) + u.RawQuery = q.Encode() rsp, err = hc.doPCSRequest(ctx, u, http.MethodGet, "", nil, false) if err != nil { return nil, fmt.Errorf("pcs: QE identity request failed: %w", err) diff --git a/go/common/sgx/pcs/mock.go b/go/common/sgx/pcs/mock.go deleted file mode 100644 index fae7cff373a..00000000000 --- a/go/common/sgx/pcs/mock.go +++ /dev/null @@ -1,3 +0,0 @@ -package pcs - -// TODO: Mock client. diff --git a/go/common/sgx/pcs/pcs.go b/go/common/sgx/pcs/pcs.go index 08ecf904e0c..a989d932192 100644 --- a/go/common/sgx/pcs/pcs.go +++ b/go/common/sgx/pcs/pcs.go 
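Review bot: `update` is written into the query string in both hunks (`q.Set("update", string(update))`) without checking that it is one of the two defined constants, so a zero-value `UpdateType("")` passed by a caller would send `update=` to PCS and presumably be rejected only at the remote end. `q.Encode()` escapes the value, so this is a robustness point rather than an injection concern. A guard at the top of `GetTCBBundle`, `if update != UpdateStandard && update != UpdateEarly { return nil, fmt.Errorf("pcs: unsupported update type %q", update) }`, would fail fast before any request is made. The function body continues outside both hunks.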
@@ -14,10 +14,22 @@ var ( mrSignerBlacklist = make(map[sgx.MrSigner]bool) ) +// UpdateType is the type of update to TCB info. +type UpdateType string + +const ( + // UpdateStandard indicates standard access to updated TCB Info provided as part of a TCB + // recovery event. + UpdateStandard UpdateType = "standard" + // UpdateEarly indicates an early access to updated TCB Info provided as part of a TCB recovery + // event. + UpdateEarly UpdateType = "early" +) + // Client is an Intel SGX PCS client interface. type Client interface { // GetTCBBundle retrieves the signed TCB artifacts needed to verify a quote. - GetTCBBundle(ctx context.Context, fmspc []byte) (*TCBBundle, error) + GetTCBBundle(ctx context.Context, fmspc []byte, update UpdateType) (*TCBBundle, error) // GetPCKCertificateChain retrieves the PCK certificate chain for the given platform data or PPID. // From 73a565c15aac21592c66cd6e61b79b9d6600a23c Mon Sep 17 00:00:00 2001 From: Jernej Kos Date: Wed, 28 Feb 2024 09:23:06 +0100 Subject: [PATCH 3/4] go/runtime/host/sgx: Try both standard and early updates --- .changelog/5578.feature.md | 1 + go/runtime/host/sgx/ecdsa.go | 21 +++++++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) create mode 100644 .changelog/5578.feature.md diff --git a/.changelog/5578.feature.md b/.changelog/5578.feature.md new file mode 100644 index 00000000000..222c307155c --- /dev/null +++ b/.changelog/5578.feature.md @@ -0,0 +1 @@ +sgx: Support early updates for ECDSA TCB infos diff --git a/go/runtime/host/sgx/ecdsa.go b/go/runtime/host/sgx/ecdsa.go index b632ecf1b08..aab6e492449 100644 --- a/go/runtime/host/sgx/ecdsa.go +++ b/go/runtime/host/sgx/ecdsa.go 
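Review bot: The doc comments on `UpdateStandard` and `UpdateEarly` are almost word-for-word the same and do not say how the two differ in practice or which one a caller should pick, and the `GetTCBBundle` comment in the `Client` interface does not mention the new `update` parameter at all. Because this changes the interface signature, every implementer and caller now has to choose a value, and that choice decides which TCB info a quote is verified against. I would extend the interface comment to something like `// GetTCBBundle retrieves the signed TCB artifacts needed to verify a quote, requesting the given update type for both the TCB info and the QE identity.` and add one sentence to each constant on when it is appropriate. The interface body continues outside the hunk.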
@@ -144,14 +144,15 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr // also do their own verification). // Check bundles in order: fresh first, then cached, then try downloading again if there was // no scheduled refresh this time. - tcbBundle, err := func() (*pcs.TCBBundle, error) { + getTcbBundle := func(update pcs.UpdateType) (*pcs.TCBBundle, error) { var fresh *pcs.TCBBundle cached, refresh := ec.tcbCache.check(pckInfo.FMSPC) if refresh { - if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC); err != nil { + if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC, update); err != nil { sp.logger.Warn("error downloading TCB refresh", "err", err, + "update", update, ) } if err = ec.verifyBundle(quote, quotePolicy, fresh, sp, "fresh"); err == nil { @@ -160,6 +161,7 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr } sp.logger.Warn("error verifying downloaded TCB refresh", "err", err, + "update", update, ) } @@ -169,13 +171,18 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr // If downloaded already, don't try again but just return the last error. if refresh { + sp.logger.Warn("error verifying cached TCB", + "err", err, + "update", update, + ) return nil, fmt.Errorf("both fresh and cached TCB bundles failed verification, cached error: %w", err) } // If not downloaded yet this time round, try forcing. Any errors are fatal. - if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC); err != nil { + if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC, update); err != nil { sp.logger.Warn("error downloading TCB", "err", err, + "update", update, ) return nil, err } 
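Review bot: The `update` type is threaded into both `GetTCBBundle` calls and the log fields, but `ec.tcbCache.check(pckInfo.FMSPC)` here and `ec.tcbCache.cache(fresh, pckInfo.FMSPC)` in the following hunk still key the cache on the FMSPC alone. As far as these hunks show, a bundle downloaded as `early` could later be returned from the cache during a `standard` pass, and the `"update", update` field added to the "error verifying cached TCB" warning would then name a type the cached bundle was not fetched with. If the two types are meant to stay distinguishable, the cache key should include `update`; otherwise a comment such as `// The cache is shared across update types; the most recently verified bundle is kept.` would document the intent. `tcbCache` is defined outside the hunk, so this needs confirming against its implementation.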
@@ -184,7 +191,13 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr
 }
 ec.tcbCache.cache(fresh, pckInfo.FMSPC)
 return fresh, nil
- }()
+ }
+ var tcbBundle *pcs.TCBBundle
+ for _, update := range []pcs.UpdateType{pcs.UpdateStandard, pcs.UpdateEarly} {
+ if tcbBundle, err = getTcbBundle(update); err == nil {
+ break
+ }
+ }
 if err != nil {
 return nil, err
 }
From 1cf88e38f472dfa95e46fcc013473e1518f9a774 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Jan 2024 07:24:15 +0000 Subject: [PATCH 4/4] rust: bump snow from 0.9.3 to 0.9.6 Bumps [snow](https://github.com/mcginty/snow) from 0.9.3 to 0.9.6. - [Release notes](https://github.com/mcginty/snow/releases) - [Commits](https://github.com/mcginty/snow/compare/v0.9.3...v0.9.6) --- updated-dependencies: - dependency-name: snow dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Cargo.lock | 67 +++++++++++++++++++++++++++------------------- runtime/Cargo.toml | 2 +- 2 files changed, 40 insertions(+), 29 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 75b48df8b7c..0aff198e9bc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
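Review bot: The fallback loop added to `Update` in go/runtime/host/sgx/ecdsa.go (`for _, update := range []pcs.UpdateType{pcs.UpdateStandard, pcs.UpdateEarly}`) overwrites `err` on each pass, so when both attempts fail the caller receives only the `early` error and the reason the `standard` bundle was rejected survives only in the warning logs. Wrapping the error after the `if`, e.g. `err = fmt.Errorf("TCB bundle (update=%s): %w", update, err)`, would at least make the returned error say which update type it came from. The loop also carries no comment on why `standard` is preferred and `early` is only a fallback; since the order decides which TCB info the quote is verified against, one line stating the intent would help anyone reviewing the attestation path. As a style point, `getTcbBundle` would read `getTCBBundle` to match `GetTCBBundle`. The enclosing function starts and ends outside the hunk.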
@@ -19,30 +19,30 @@ checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] name = "aead" -version = "0.4.3" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b613b8e1e3cf911a086f53f03bf286f52fd7a7258e4fa606f0ef220d39d8877" +checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0" dependencies = [ + "crypto-common", "generic-array", ] [[package]] name = "aes" -version = "0.7.5" +version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8" +checksum = "ac1f845298e95f983ff1944b728ae08b8cebab80d684f0a832ed0fc74dfa27e2" dependencies = [ "cfg-if 1.0.0", "cipher", "cpufeatures", - "opaque-debug", ] [[package]] name = "aes-gcm" -version = "0.9.2" +version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc3be92e19a7ef47457b8e6f90707e12b6ac5d20c6f3866584fa3be0787d839f" +checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1" dependencies = [ "aead", "aes", @@ -436,21 +436,20 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "chacha20" -version = "0.8.2" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c80e5460aa66fe3b91d40bcbdab953a597b60053e34d684ac6903f863b680a6" +checksum = "c3613f74bd2eac03dad61bd53dbe620703d4371614fe0bc3b9f04dd36fe4e818" dependencies = [ "cfg-if 1.0.0", "cipher", "cpufeatures", - "zeroize", ] [[package]] name = "chacha20poly1305" -version = "0.9.1" +version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a18446b09be63d457bbec447509e85f662f32952b035ce892290396bc0b0cff5" +checksum = "10cd79432192d1c0f4e1a0fef9527696cc039165d729fb41b3f4f4f354c2dc35" dependencies = [ "aead", "chacha20", 
@@ -476,11 +475,13 @@ dependencies = [ [[package]] name = "cipher" -version = "0.3.0" +version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ee52072ec15386f770805afd189a01c8841be8696bed250fa2f13c4c0d6dfb7" +checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" dependencies = [ - "generic-array", + "crypto-common", + "inout", + "zeroize", ] [[package]] @@ -720,14 +721,15 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3" dependencies = [ "generic-array", + "rand_core 0.6.4", "typenum", ] [[package]] name = "ctr" -version = "0.7.0" +version = "0.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a232f92a03f37dd7d7dd2adc67166c77e9cd88de5b019b9a9eecfaeaf7bfd481" +checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835" dependencies = [ "cipher", ] @@ -1282,9 +1284,9 @@ dependencies = [ [[package]] name = "ghash" -version = "0.4.4" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1583cc1656d7839fd3732b80cf4f38850336cdb9b8ded1cd399ca62958de3c99" +checksum = "d930750de5717d2dd0b8c0d42c076c0e884c81a73e6cab859bbd2339c71e3e40" dependencies = [ "opaque-debug", "polyval", @@ -1442,6 +1444,15 @@ dependencies = [ "hashbrown 0.14.0", ] +[[package]] +name = "inout" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5" +dependencies = [ + "generic-array", +] + [[package]] name = "intrusive-collections" version = "0.9.6" 
@@ -2341,9 +2352,9 @@ checksum = "e3d7ddaed09e0eb771a79ab0fd64609ba0afb0a8366421957936ad14cbd13630" [[package]] name = "poly1305" -version = "0.7.2" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "048aeb476be11a4b6ca432ca569e375810de9294ae78f4774e78ea98a9246ede" +checksum = "8159bd90725d2df49889a078b54f4f79e87f1f8a8444194cdca81d38f5393abf" dependencies = [ "cpufeatures", "opaque-debug", @@ -2352,9 +2363,9 @@ dependencies = [ [[package]] name = "polyval" -version = "0.5.3" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8419d2b623c7c0896ff2d5d96e2cb4ede590fed28fcc34934f4c33c036e620a1" +checksum = "d52cff9d1d4dee5fe6d03729099f4a310a41179e0a10dbf542039873f2e826fb" dependencies = [ "cfg-if 1.0.0", "cpufeatures", @@ -2947,9 +2958,9 @@ checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" [[package]] name = "snow" -version = "0.9.3" +version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c9d1425eb528a21de2755c75af4c9b5d57f50a0d4c3b7f1828a4cd03f8ba155" +checksum = "850948bee068e713b8ab860fe1adc4d109676ab4c3b621fd8147f06b261f2f85" dependencies = [ "aes-gcm", "blake2", @@ -3459,11 +3470,11 @@ checksum = "f962df74c8c05a667b5ee8bcf162993134c104e96440b663c8daa176dc772d8c" [[package]] name = "universal-hash" -version = "0.4.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8326b2c654932e3e4f9196e69d08fdf7cfd718e1dc6f66b347e6024a0c961402" +checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea" dependencies = [ - "generic-array", + "crypto-common", "subtle", ] diff --git a/runtime/Cargo.toml b/runtime/Cargo.toml index f7a1ac9ac94..4b446731543 100644 --- a/runtime/Cargo.toml +++ b/runtime/Cargo.toml 
@@ -25,7 +25,7 @@ dcap-ql = { version = "0.3.4", default-features = false, features = ["verify"] }
 mbedtls = "0.8.1"
 yasna = { version = "0.5.0", features = ["num-bigint"] }
 bincode = "1.3.3"
-snow = "0.9.3"
+snow = "0.9.6"
 percent-encoding = "2.2.0"
 chrono = "0.4.19"
 base64 = "0.13.0"