Documentation ¶
Overview ¶
Package bundle implements support for unified runtime bundles.
Index ¶
- func DetachedExplodedPath(dataDir string) string
- func ExplodedPath(dataDir string) string
- func HashAllData(d Data) (hash.Hash, error)
- func ReadAllData(d Data) ([]byte, error)
- type Bundle
- func (bnd *Bundle) Add(fn string, data Data) error
- func (bnd *Bundle) Close() error
- func (bnd *Bundle) EnclaveIdentity(id component.ID) (*sgx.EnclaveIdentity, error)
- func (bnd *Bundle) ExplodedPath(dataDir, fn string) string
- func (bnd *Bundle) MrEnclave(id component.ID) (*sgx.MrEnclave, error)
- func (bnd *Bundle) MrSigner(id component.ID) (*sgx.MrSigner, error)
- func (bnd *Bundle) ResetManifest()
- func (bnd *Bundle) Validate() error
- func (bnd *Bundle) Write(fn string) error
- func (bnd *Bundle) WriteExploded(dataDir string) error
- type Component
- type Data
- type Manifest
- type SGXMetadata
- type TDXMetadata
- type TDXResources
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DetachedExplodedPath ¶ added in v0.2401.0
DetachedExplodedPath returns the path under the data directory that contains all of the detached exploded bundles.
func ExplodedPath ¶
ExplodedPath returns the path under the data directory that contains all of the exploded bundles.
func HashAllData ¶ added in v0.2403.0
HashAllData hashes all of the underlying data and returns the hash.
func ReadAllData ¶ added in v0.2403.0
ReadAllData reads all of the underlying data into a buffer and returns it.
Types ¶
type Bundle ¶
type Bundle struct {
    Manifest *Manifest
    Data     map[string]Data
    // contains filtered or unexported fields
}
Bundle is a runtime bundle instance.
func (*Bundle) EnclaveIdentity ¶ added in v0.2400.0
EnclaveIdentity returns the SGX enclave identity of the given component.
func (*Bundle) ExplodedPath ¶
ExplodedPath returns the path that the corresponding asset will be written to via WriteExploded.
func (*Bundle) MrSigner ¶ added in v0.2400.0
MrSigner returns the MRSIGNER (the hash of the signer's public key) that signed the SGX executable of the given component.
func (*Bundle) ResetManifest ¶ added in v0.2201.9
func (bnd *Bundle) ResetManifest()
ResetManifest removes the serialized manifest from the bundle so that it is regenerated on the next call to Write.
Call it after modifying a bundle's manifest or data; otherwise Write reuses the stale serialized manifest instead of the modified one.
func (*Bundle) WriteExploded ¶
WriteExploded writes the extracted runtime bundle to the appropriate location under the specified data directory.
type Component ¶ added in v0.2400.0
type Component struct {
    // Kind is the component kind.
    Kind component.Kind `json:"kind"`
    // Name is the name of the component that can be used to filter components when multiple are
    // provided by a runtime.
    Name string `json:"name,omitempty"`
    // Executable is the name of the runtime ELF executable file if any.
    Executable string `json:"executable,omitempty"`
    // SGX is the SGX specific manifest metadata if any.
    SGX *SGXMetadata `json:"sgx,omitempty"`
    // TDX is the TDX specific manifest metadata if any.
    TDX *TDXMetadata `json:"tdx,omitempty"`
    // Disabled specifies whether the component is disabled by default and needs to be explicitly
    // enabled via node configuration to be used.
    Disabled bool `json:"disabled,omitempty"`
}
Component is a runtime component.
func (*Component) IsNetworkAllowed ¶ added in v0.2400.0
IsNetworkAllowed returns true if network access should be allowed for the component.
func (*Component) IsTEERequired ¶ added in v0.2403.0
IsTEERequired returns true iff the component only provides TEE executables.
func (*Component) Matches ¶ added in v0.2400.0
Matches returns true iff the component matches the given component ID.
type Data ¶ added in v0.2403.0
type Data interface {
    // Open returns an io.ReadCloser that can be used to access the underlying data.
    Open() (io.ReadCloser, error)
}
Data is a data item in the bundle.
func NewBytesData ¶ added in v0.2403.0
NewBytesData creates a new Data instance from the given byte slice. The slice is not copied, so the caller must not modify it after passing it in.
func NewFileData ¶ added in v0.2403.0
NewFileData creates a new Data instance that opens and reads the given file path.
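The following stand-alone Go program is an added illustration, not code from the bundle package. It mirrors the Data interface shown above with two backends (an in-memory slice and a file, the analogues of NewBytesData and NewFileData) and shows the practical difference between a ReadAllData-style helper, which buffers the whole item, and a HashAllData-style helper, which streams it through the hash. SHA-512/256 is assumed to be the digest behind hash.Hash; the file name and payload are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Data mirrors the page's interface: an item is anything that can be
// opened for reading, so one code path serves memory and files alike.
type Data interface {
	Open() (io.ReadCloser, error)
}

// bytesData serves an in-memory slice. As with the page's NewBytesData the
// slice is not copied, so the caller must not modify it afterwards.
type bytesData struct{ b []byte }

func (d bytesData) Open() (io.ReadCloser, error) {
	return io.NopCloser(bytes.NewReader(d.b)), nil
}

// fileData opens the file on every Open call, so a missing or unreadable
// file only surfaces as an error when the item is actually read.
type fileData struct{ path string }

func (d fileData) Open() (io.ReadCloser, error) { return os.Open(d.path) }

func NewBytesData(b []byte) Data   { return bytesData{b: b} }
func NewFileData(path string) Data { return fileData{path: path} }

// readAllData buffers the whole item in memory: fine for a manifest or an
// enclave signature, wasteful for a multi-gigabyte stage 2 VM image.
func readAllData(d Data) ([]byte, error) {
	rc, err := d.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// hashAllData streams the item through SHA-512/256 (assumed here to be the
// digest behind hash.Hash) and returns the hex digest, never holding more
// than an io.Copy buffer in memory.
func hashAllData(d Data) (string, error) {
	rc, err := d.Open()
	if err != nil {
		return "", err
	}
	defer rc.Close()
	h := sha512.New512_256()
	if _, err := io.Copy(h, rc); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// hashBothWays writes a constructed payload to a temporary file and hashes
// it once via NewBytesData and once via NewFileData; the two digests must
// agree or the Data abstraction is leaking differences between backends.
func hashBothWays(payload []byte) (fromBytes, fromFile string, err error) {
	dir, err := os.MkdirTemp("", "bundle-example")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "runtime.elf") // constructed name, not a real ELF
	if err = os.WriteFile(path, payload, 0o600); err != nil {
		return "", "", err
	}
	if fromBytes, err = hashAllData(NewBytesData(payload)); err != nil {
		return "", "", err
	}
	if fromFile, err = hashAllData(NewFileData(path)); err != nil {
		return "", "", err
	}
	return fromBytes, fromFile, nil
}

func main() {
	payload := []byte("constructed runtime ELF payload")
	b, f, err := hashBothWays(payload)
	fmt.Println(b, f, b == f, err)
	// A file that does not exist fails at Open time, not at construction time.
	_, err = hashAllData(NewFileData(filepath.Join(os.TempDir(), "does-not-exist.elf")))
	fmt.Println("missing file:", err)
}
```

Because NewFileData defers opening until Open, a bundle can reference a file that has already been deleted or replaced; hashing at validation time rather than at construction time is what catches that.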
type Manifest ¶
type Manifest struct {
    // Name is the optional human readable runtime name.
    Name string `json:"name,omitempty"`
    // ID is the runtime ID.
    ID common.Namespace `json:"id"`
    // Version is the runtime version.
    Version version.Version `json:"version,omitempty"`
    // Executable is the name of the runtime ELF executable file.
    // NOTE: This may go away in the future, use `Components` instead.
    Executable string `json:"executable,omitempty"`
    // SGX is the SGX specific manifest metadata if any.
    // NOTE: This may go away in the future, use `Components` instead.
    SGX *SGXMetadata `json:"sgx,omitempty"`
    // Components are the additional runtime components.
    Components []*Component `json:"components,omitempty"`
    // Digests are the cryptographic digests of the bundle contents,
    // excluding the manifest.
    Digests map[string]hash.Hash `json:"digests"`
}
Manifest is a deserialized runtime bundle manifest.
func (*Manifest) GetAvailableComponents ¶ added in v0.2400.0
GetAvailableComponents collects all of the available components into a map.
func (*Manifest) GetComponentByID ¶ added in v0.2400.0
GetComponentByID returns the first component whose kind and name match the given component ID.
func (*Manifest) Hash ¶ added in v0.2401.0
Hash returns a cryptographic hash of the CBOR-serialized manifest.
func (*Manifest) IsDetached ¶ added in v0.2401.0
IsDetached returns true iff the manifest does not include a RONL component. Such bundles require that the RONL component be provided out-of-band (e.g. in a separate bundle).
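The following stand-alone Go program is an added example, not the bundle package's own code. It shows what the Digests map and Manifest.Hash buy a verifier: every data file is pinned by its digest, the manifest is excluded from its own digests, and a hash over the serialized manifest pins the whole bundle with one value. It also handles the cases a naive check misses: a listed file that is missing and a file that is present but unlisted. SHA-512/256 is assumed to stand for hash.Hash, sorted-key JSON stands in for the package's CBOR serialization, and the file names, runtime ID and contents are constructed.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest keeps the page's shape for the parts this example needs. The
// digests are stored hex-encoded so the serialized form is readable.
type Manifest struct {
	Name    string            `json:"name,omitempty"`
	ID      string            `json:"id"`
	Digests map[string]string `json:"digests"`
}

// digest is SHA-512/256, assumed here to be the algorithm behind hash.Hash.
func digest(b []byte) string {
	sum := sha512.Sum512_256(b)
	return hex.EncodeToString(sum[:])
}

// buildManifest records a digest for every data file in the bundle. The
// manifest is not a data file, so it never appears in its own Digests map.
func buildManifest(id string, files map[string][]byte) *Manifest {
	m := &Manifest{ID: id, Digests: make(map[string]string, len(files))}
	for name, b := range files {
		m.Digests[name] = digest(b)
	}
	return m
}

// verifyBundle checks the files against the manifest and returns every
// problem found: a digest mismatch, a listed file that is missing, or a
// file that is present but not covered by any digest. The last case
// matters because an unlisted file would otherwise ride along unverified.
func verifyBundle(m *Manifest, files map[string][]byte) error {
	var errs []error
	for name, want := range m.Digests {
		b, ok := files[name]
		if !ok {
			errs = append(errs, fmt.Errorf("%s: listed in manifest but missing", name))
			continue
		}
		if got := digest(b); got != want {
			errs = append(errs, fmt.Errorf("%s: digest mismatch (want %s, got %s)", name, want, got))
		}
	}
	for name := range files {
		if _, ok := m.Digests[name]; !ok {
			errs = append(errs, fmt.Errorf("%s: present but not covered by the manifest", name))
		}
	}
	return errors.Join(errs...)
}

// manifestHash is the analogue of Manifest.Hash: a digest over the
// serialized manifest, the single value a registry entry or signature needs
// to pin the whole bundle. encoding/json writes map keys in sorted order,
// so this is deterministic and stands in for the package's CBOR encoding.
func manifestHash(m *Manifest) (string, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return "", err
	}
	return digest(b), nil
}

// tamper returns a deep copy of files with one byte of the named file
// flipped; an unknown name yields an untouched copy.
func tamper(files map[string][]byte, name string) map[string][]byte {
	out := make(map[string][]byte, len(files))
	for k, v := range files {
		out[k] = append([]byte(nil), v...)
	}
	if b := out[name]; len(b) > 0 {
		b[0] ^= 0x01
	}
	return out
}

func main() {
	// Constructed sample contents; the names are assumed, not a real runtime.
	files := map[string][]byte{
		"runtime.elf":  []byte("constructed runtime ELF payload"),
		"runtime.sgxs": []byte("constructed SGX enclave payload"),
		"runtime.sig":  []byte("constructed SIGSTRUCT payload"),
	}
	m := buildManifest("constructed-runtime-id", files)
	h, _ := manifestHash(m)
	fmt.Println("manifest hash:", h)
	fmt.Println("intact bundle:", verifyBundle(m, files))
	fmt.Println("tampered enclave:", verifyBundle(m, tamper(files, "runtime.sgxs")))
	files["extra.so"] = []byte("smuggled")
	fmt.Println("extra file:", verifyBundle(m, files))
}
```

Collecting all mismatches rather than stopping at the first one costs nothing and gives an operator the full picture when a bundle has been rebuilt with the wrong inputs.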
type SGXMetadata ¶
type SGXMetadata struct {
    // Executable is the name of the SGX enclave executable file.
    Executable string `json:"executable"`
    // Signature is the name of the SGX enclave signature file.
    Signature string `json:"signature"`
}
SGXMetadata is the SGX specific manifest metadata.
func (*SGXMetadata) Validate ¶ added in v0.2400.0
func (s *SGXMetadata) Validate() error
Validate validates the SGX metadata structure for well-formedness.
type TDXMetadata ¶ added in v0.2403.0
type TDXMetadata struct {
    // Firmware is the name of the virtual firmware file. It should rarely change and multiple
    // components may use the same firmware.
    Firmware string `json:"firmware"`
    // Kernel is the name of the kernel image file. It should rarely change and multiple components
    // may use the same kernel.
    Kernel string `json:"kernel,omitempty"`
    // InitRD is the name of the initial RAM disk image file. It should rarely change and multiple
    // components may use the same initrd.
    InitRD string `json:"initrd,omitempty"`
    // ExtraKernelOptions are the extra kernel options to pass to the kernel after any of the
    // default options. Note that kernel options affect TD measurements.
    ExtraKernelOptions []string `json:"extra_kernel_options,omitempty"`
    // Stage2Image is the name of the stage 2 VM image file.
    Stage2Image string `json:"stage2_image,omitempty"`
    // Resources are the requested VM resources.
    Resources TDXResources `json:"resources"`
}
TDXMetadata is the TDX specific manifest metadata.
Note that changes to these fields may change the TD measurements.
func (*TDXMetadata) HasInitRD ¶ added in v0.2403.0
func (t *TDXMetadata) HasInitRD() bool
HasInitRD returns true iff the TDX metadata indicates there is an initial RAM disk image present.
func (*TDXMetadata) HasKernel ¶ added in v0.2403.0
func (t *TDXMetadata) HasKernel() bool
HasKernel returns true iff the TDX metadata indicates there is a kernel present.
func (*TDXMetadata) HasStage2 ¶ added in v0.2403.0
func (t *TDXMetadata) HasStage2() bool
HasStage2 returns true iff the TDX metadata indicates there is a stage 2 image present.
func (*TDXMetadata) Validate ¶ added in v0.2403.0
func (t *TDXMetadata) Validate() error
Validate validates the TDX metadata structure for well-formedness.
type TDXResources ¶ added in v0.2403.0
type TDXResources struct {
    // Memory is the requested VM memory amount in megabytes.
    Memory uint64 `json:"memory"`
    // CPUCount is the requested number of vCPUs.
    CPUCount uint8 `json:"cpus"`
}
TDXResources are the requested VM resources for TDX VMs.
Note that changes to these fields may change the TD measurements.
func (*TDXResources) Validate ¶ added in v0.2403.0
func (r *TDXResources) Validate() error
Validate validates the VM resources.
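The following stand-alone Go program is an added example of what well-formedness checks on TDXMetadata and TDXResources look like; it is not the package's own Validate, whose exact rules the page does not spell out. The rules here are assumptions chosen from the struct definitions above: Firmware is mandatory (its JSON tag has no omitempty), an initrd, extra kernel options or a stage 2 image only make sense when a kernel is present, and a VM needs non-zero memory and at least one vCPU. The file names and resource values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// TDXResources and TDXMetadata keep the page's field names and JSON tags.
type TDXResources struct {
	Memory   uint64 `json:"memory"`
	CPUCount uint8  `json:"cpus"`
}

type TDXMetadata struct {
	Firmware           string       `json:"firmware"`
	Kernel             string       `json:"kernel,omitempty"`
	InitRD             string       `json:"initrd,omitempty"`
	ExtraKernelOptions []string     `json:"extra_kernel_options,omitempty"`
	Stage2Image        string       `json:"stage2_image,omitempty"`
	Resources          TDXResources `json:"resources"`
}

func (t *TDXMetadata) HasKernel() bool { return t.Kernel != "" }
func (t *TDXMetadata) HasInitRD() bool { return t.InitRD != "" }
func (t *TDXMetadata) HasStage2() bool { return t.Stage2Image != "" }

// Validate rejects a VM that asks for no memory or no vCPUs. Assumed rule;
// the package's own Validate may enforce different limits.
func (r *TDXResources) Validate() error {
	var errs []error
	if r.Memory == 0 {
		errs = append(errs, errors.New("resources: memory must be greater than zero"))
	}
	if r.CPUCount == 0 {
		errs = append(errs, errors.New("resources: at least one vCPU is required"))
	}
	return errors.Join(errs...)
}

// Validate checks well-formedness under the assumed rules from the lead-in
// and reports every violation at once rather than the first one found.
func (t *TDXMetadata) Validate() error {
	var errs []error
	if t.Firmware == "" {
		errs = append(errs, errors.New("firmware must be set"))
	}
	if !t.HasKernel() {
		// Without a kernel there is nothing for these settings to apply to.
		if t.HasInitRD() {
			errs = append(errs, errors.New("initrd given without a kernel"))
		}
		if len(t.ExtraKernelOptions) > 0 {
			errs = append(errs, errors.New("extra kernel options given without a kernel"))
		}
		if t.HasStage2() {
			errs = append(errs, errors.New("stage 2 image given without a kernel"))
		}
	}
	if err := t.Resources.Validate(); err != nil {
		errs = append(errs, err)
	}
	return errors.Join(errs...)
}

func main() {
	// Constructed metadata; file names are placeholders, not real images.
	good := TDXMetadata{
		Firmware:           "ovmf.fd",
		Kernel:             "vmlinuz",
		InitRD:             "initrd.img",
		ExtraKernelOptions: []string{"console=ttyS0"}, // affects TD measurements
		Stage2Image:        "stage2.img",
		Resources:          TDXResources{Memory: 1024, CPUCount: 2},
	}
	fmt.Println("good:", good.Validate())

	bad := good
	bad.Kernel = ""
	bad.Resources = TDXResources{}
	fmt.Println("bad:", bad.Validate())
}
```

A firmware-only component (no kernel, no initrd, no stage 2 image) is still well-formed under these rules, which is why the kernel-dependent checks are nested under the missing-kernel branch instead of being unconditional.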