Skip to content
This repository was archived by the owner on Feb 18, 2026. It is now read-only.

Kernel filesystem change#663

Open
ShaleXIONG wants to merge 36 commits into
veracruz-project:mainfrom
ShaleXIONG:kernel-filesystem
Open

Kernel filesystem change#663
ShaleXIONG wants to merge 36 commits into
veracruz-project:mainfrom
ShaleXIONG:kernel-filesystem

Conversation

@ShaleXIONG

@ShaleXIONG ShaleXIONG commented Oct 6, 2023
edited
Loading

Copy link
Copy Markdown
Member

Rework entirely on the execution engines and modify the policy accordingly.

  • Remove the support of WASMI since it only has an experimental support to WASI.
  • Remove the in-memory file system (FS) internally in Veracruz. For the remaining WASM engine, Wasmtime, we revert to the default implementation of WASI directly provided by the engine; such implementation links WASI calls to the kernel filesystem.
  • Rework on the Sandbox, to execute native binary. Remove all steps of copying between (no long exist) in-memory FS.
  • Rework on native module. It is renamed to "service". Now individual service which is excused in a separate thread, monitors a named pipe file, input, under the mounted directory, specified in the policy file. Any caller of this service should read output under the mounted directory.
  • WASM engine, Sandbox and services are now unified to the same trait, Execution, which requires two methods, name returning the name of this execution, and execute executing a path to a file, or a directory. The later case is useful for service, which is mounted in a directory.
  • Rework on the policy. Remove the old native module field, but treat native binary as a program too. For the service, we introduce a new service field, to specify the name of this service, and the mounted directory. Execution engine will mounted the service based on the name (matching). Also rework the permission specification, it uses rwx. Remove the old capability parameter, but combine the permission with entity by => symbol, for example "<CLIENT_CERT> => output:r, input:w".

Minor:

  • Rework policy generator and freestanding execution engine. Simplify the use of clap by using the derive features.

@ShaleXIONG ShaleXIONG force-pushed the kernel-filesystem branch 2 times, most recently from 82c0019 to 52284d4 Compare December 4, 2023 16:03
@ShaleXIONG ShaleXIONG force-pushed the kernel-filesystem branch 2 times, most recently from b6ee90c to b48ac99 Compare December 8, 2023 16:00
@ShaleXIONG ShaleXIONG changed the title WIP: Kernel filesystem change Kernel filesystem change Jan 29, 2024
@ShaleXIONG ShaleXIONG force-pushed the kernel-filesystem branch 4 times, most recently from cb7ba2b to c02e6e0 Compare April 3, 2024 09:40
ShaleXIONG added 18 commits April 5, 2024 16:42
@ShaleXIONG
Update the rust toolchain to 1.70.
ede4113
@ShaleXIONG
Update the lolrpop version.
b7eba4c
@ShaleXIONG
Update the wasmtime and wasmi version.
e7de1ee
@ShaleXIONG
Use the kernal file system in wasmtime, and wire into freestanding ex…
e4709b4 
…ecution engine.
@ShaleXIONG
Remove the vfs but use the kernel filesystem.
49ecc60
@ShaleXIONG
update the example to use relative path.
688e02d
@ShaleXIONG
Rework on the engine and related, use the kernel file system.
e5b23f8 
- Update the wasmtime to the newer version, that provide infra for WASI.
  such infrastructure assumes and uses the underline POSIX.
- Remove WASMI since there is no need.
- Rework on how to specify the permission in policy file, using the
  access control "rwx" now.
@ShaleXIONG
Update the makefiles for the new engine.
e133c37
@ShaleXIONG
Remove appending the root / in veracruz client when calling write f…
ffdb9a6 
…ile.
@ShaleXIONG
Update the test suite on the engine rework.
f1fcfe6
@ShaleXIONG
Fix a big in wrong import in freestanding.
fa0e80d
@ShaleXIONG
Temporarily comment out the test case for native module.
02aa1d6
@ShaleXIONG
Update all the cargo.toml file.
ec25967
@ShaleXIONG
Rework on the permission check for (remote) clients.
ade56f7
@ShaleXIONG
Remove dead code and unifies Cargo.toml.
b304a68
@ShaleXIONG
Rework on the native module interface using the linux named pipeline.
a7aea77 
minor:
- remove libveracruz.
@ShaleXIONG
Check the execution permission in the execution engine before running.
b943904
@ShaleXIONG
Rework and simplify on the Sandbox for native binary.
04fd9c2
ShaleXIONG and others added 17 commits April 5, 2024 16:42
@ShaleXIONG
Fix a bug caused by type check of policy.
67bd9ce
@ShaleXIONG
Rework on the generate policy, use derive from clap.
5a57695
@ShaleXIONG
Add the missing program hash when generating policy.
f817133
@ShaleXIONG
Update the generate policy script
0e3054e
@ShaleXIONG
Fix a bug due to whitespace in policy generation.
445ce36
@ShaleXIONG
Remove the application code for fd_create, which is no longer used.
8e3b2eb
@ShaleXIONG
Update the machnism to load internal native module by matching name.
786af80 
The policy needs to specify the service and the mounting directory.
While the engine will load the service based on the service name.
@ShaleXIONG
Generate the spec of the native service in the policy.
0e12d5a
@ShaleXIONG
Add the missing Execution Trait definition.
93913c3
@ShaleXIONG
Remove an unused mod in execution-engine.
3f14c48
@ShaleXIONG
Fix the quickstart test in the CI.
01caffe
@ShaleXIONG
Update the shamir example.
31f96a5
@ShaleXIONG
Update Cargo.lock.
8e1ee26
@ShaleXIONG
TEST minor
7f66daf
@ShaleXIONG
Fix the directory mapping in Sandbox.
258dc1f
@ShaleXIONG
fix a merge mistake
854c975
@ShaleXIONG
update cargo.lock
dbea580
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gbryant-arm gbryant-arm Awaiting requested review from gbryant-arm

@dreemkiller dreemkiller Awaiting requested review from dreemkiller

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ShaleXIONG