Rework on the native module interface using the linux named pipeline.

minor:
- remove libveracruz.

crates/examples/rust-examples/aesctr-native/src/main.rs

@@ -57,13 +57,15 @@ fn main() -> anyhow::Result<()> {
     let aes_ctr_enc_input = AesCtrInput {
         key,
         iv,
-        input_path: PathBuf::from("/output/data.dat"),
-        output_path: PathBuf::from("/output/enc.dat"),
+        input_path: PathBuf::from("./output/data.dat"),
+        output_path: PathBuf::from("./output/enc.dat"),
         is_encryption: true,
     };
     write(&aes_ctr_enc_input.input_path, input)?;
     let aes_ctr_enc_input_bytes = postcard::to_allocvec(&aes_ctr_enc_input)?;
-    write("/services/aesctr.dat", aes_ctr_enc_input_bytes)?;
+    write("/tmp/aes/input", aes_ctr_enc_input_bytes)?;
+    // wait the service finish
+    let _ = read("/tmp/aes/output");
     let output = read(aes_ctr_enc_input.output_path)?;
     if output != expected_output {
         failed = true;
@@ -82,20 +84,22 @@ fn main() -> anyhow::Result<()> {
     let aes_ctr_enc_input = AesCtrInput {
         key,
         iv,
-        input_path: PathBuf::from("/output/data.dat"),
-        output_path: PathBuf::from("/output/dec.dat"),
+        input_path: PathBuf::from("./output/data.dat"),
+        output_path: PathBuf::from("./output/dec.dat"),
         is_encryption: false,
     };
     write(&aes_ctr_enc_input.input_path, input)?;
     let aes_ctr_enc_input_bytes = postcard::to_allocvec(&aes_ctr_enc_input)?;
-    write("/services/aesctr.dat", aes_ctr_enc_input_bytes)?;
+    write("/tmp/aes/input", aes_ctr_enc_input_bytes)?;
+    // wait the service finish
+    let _ = read("/tmp/aes/output");
     let output = read(aes_ctr_enc_input.output_path)?;
     if output != expected_output {
         failed = true;
     }
 
     if !failed {
-        write("/output/aesctr_native_pass.txt", [])?;
+        write("./output/aesctr_native_pass.txt", [])?;
     }
     Ok(())
 }

crates/examples/rust-examples/postcard-native/src/main.rs

@@ -15,11 +15,12 @@
 //! See the file `LICENSE.md` in the Veracruz root directory for licensing
 //! and copyright information.
 
-use std::fs;
+use std::fs::{read, write};
+
 fn main() -> anyhow::Result<()> {
-    let input = fs::read("./input/postcard.dat")?;
-    fs::write("./services/postcard_string.dat", input)?;
-    let rst = fs::read("./services/postcard_result.dat")?;
-    fs::write("./output/postcard_native.txt", &rst)?;
+    let input = read("./input/postcard.dat")?;
+    write("/tmp/postcard/input", input)?;
+    let rst = read("/tmp/postcard/output")?;
+    write("./output/postcard_native.txt", &rst)?;
     Ok(())
 }

crates/execution-engine/Cargo.toml

@@ -22,7 +22,7 @@ anyhow = "1"
 cfg-if = "1"
 lazy_static = { version = "1.4.0", features = ["spin_no_std"] }
 mbedtls = { path = "../third-party/rust-mbedtls/mbedtls", default-features = false, features = ["std", "aesni", "padlock", "tls13"] }
-nix = { version = "0.26", optional = true }
+nix = { version = "0.26", optional = true, features=["fs"] }
 postcard = { version = "1.0.0", features = [ "alloc", "use-std" ] }
 platform-services = { path = "../platform-services" }
 policy-utils = { path = "../policy-utils", features = ["std"] }

crates/execution-engine/src/engines/common.rs

@@ -30,9 +30,9 @@ use std::vec::Vec;
 /// added to this trait and implemented for all supported implementation
 /// strategies.
 pub trait ExecutionEngine: Send {
-    /// Entry point for the execution engine: invokes the `program` binary,
-    /// Returns `Ok(c)` if it successfully executed and returned a
-    /// success/error code, `c`, or returns `Err(e)` if some fatal execution
+    /// Entry point for the execution engine: invokes the program at `path`,
+    /// Returns `Ok(())` if it successfully executed, 
+    /// or returns `Err(e)` if some fatal execution
     /// engine error occurred at runtime causing the pipeline to abort.
-    fn invoke_entry_point(&mut self, program: Vec<u8>) -> Result<u32>;
+    fn serve(&mut self, path: &Path) -> Result<()>;
 }

crates/execution-engine/src/engines/wasmtime.rs

@@ -22,7 +22,7 @@ use std::{
     fs::{create_dir_all, File},
 };
 use wasmtime::{Config, Engine, Linker, Module, Store};
-use wasmtime_wasi::sync::{Dir, WasiCtxBuilder, TcpListener};
+use wasmtime_wasi::sync::{Dir, WasiCtxBuilder};
 use policy_utils::principal::PrincipalPermission;
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -32,8 +32,6 @@ use policy_utils::principal::PrincipalPermission;
 pub struct WasmtimeRuntimeState {
     permissions: PrincipalPermission,
     environment: Environment,
-    // Careful on the type name conflict, here we want the TcpListener from std.
-    sockets: Vec<(u32,std::net::TcpListener)>,
 }
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -42,12 +40,12 @@ pub struct WasmtimeRuntimeState {
 
 impl WasmtimeRuntimeState {
     /// Creates a new initial `HostProvisioningState`.
-    pub fn new(permissions: PrincipalPermission, environment: Environment) -> Result<Self> {
+    pub fn new(permissions: PrincipalPermission, environment: Environment
+        ) -> Result<Self> {
         info!("Wasmtime is initialised");
         Ok(Self {
             permissions,
             environment,
-            sockets: Vec::new(),
         })
     }
 }
@@ -90,9 +88,6 @@ impl ExecutionEngine for WasmtimeRuntimeState {
             .inherit_env()?
             .inherit_args()?;
 
-        // NOTE: the preview1 version API do not take in the permission, while the newer version
-        // in preview2 needs to give permission parameter. We can provide extra check over preview1
-        // API though it is does not worth the time.
         let wasm_build = self.permissions.keys().fold(Ok(wasm_build), |acc : Result<WasiCtxBuilder>, path| {
             let wasm_build = acc?;
             create_dir_all(path)?;
@@ -101,12 +96,6 @@ impl ExecutionEngine for WasmtimeRuntimeState {
             Ok(wasm_build.preopened_dir(Dir::from_std_file(file), path)?)
         })?;
 
-        let wasm_build = self.sockets.iter().fold(Ok(wasm_build), |acc : Result<WasiCtxBuilder>, (fd,listener)| {
-            let wasm_build = acc?;
-            info!("bind fd {:?}", fd);
-            Ok(wasm_build.preopened_socket(*fd, TcpListener::from_std(listener.try_clone()?))?)
-        })?;
-
         let wasi = wasm_build.build();
         let mut store = Store::new(&engine, wasi);
         let module = Module::new(&engine, program)?;

crates/execution-engine/src/lib.rs

@@ -23,12 +23,9 @@ mod engines;
 mod native_module_manager;
 mod native_modules;
 mod pipeline;
-// Expose the error to the external.
-//pub use engines::common::FatalEngineError;
 
-use policy_utils::{pipeline::Expr, principal::ExecutionStrategy};
+use policy_utils::{pipeline::Expr, principal::{PrincipalPermission, ExecutionStrategy}};
 use std::boxed::Box;
-use policy_utils::principal::PrincipalPermission;
 
 /// Runtime environment for a program.
 #[derive(Clone, Debug, Eq, Ord, PartialEq, PartialOrd, Default)]

crates/execution-engine/src/native_module_manager.rs

@@ -34,9 +34,6 @@
 //! information on licensing and copyright.
 
 use anyhow::{anyhow, Result};
-use crate::{
-    native_modules::common::STATIC_NATIVE_MODULES
-};
 use log::info;
 use policy_utils::principal::{NativeModule, NativeModuleType};
 use std::{
@@ -50,7 +47,7 @@ use nix::sys::signal;
 
 /// Path to the native module's manager sysroot on the kernel filesystem. Native
 /// module directories are created under this directory.
-const NATIVE_MODULE_MANAGER_SYSROOT: &str = "/tmp/nmm";
+const NATIVE_MODULE_MANAGER_SYSROOT: &str = "/tmp/nmm/foo/execute";
 
 /// Path to the native module sandboxer. This is the program that actually prepares
 /// the sandbox environment and runs the native module in it.
@@ -126,19 +123,9 @@ impl NativeModuleManager {
     /// native module's special file.
     pub fn execute(&mut self, input: Vec<u8>) -> Result<()> {
         if self.native_module.is_static() {
-            // Look up native module in the static native modules table
-            let mut nm = STATIC_NATIVE_MODULES
-                .lock()
-                .map_err(|_| anyhow!("Failed to lock STATIC_NATIVE_MODULES"))?;
-            let native_module_name = self.native_module.name();
-            let nm = nm
-                .get_mut(native_module_name)
-                .ok_or(anyhow!("cannot find native module: {}", native_module_name))?;
-            if nm.try_parse(&input)? {
-                nm.serve(&input)?;
-            }
         } else {
 
+            // XXX Create file in kernel 
             // Inject execution configuration into the native module's directory
             let mut file = File::create(self.native_module_directory.join(EXECUTION_CONFIGURATION_FILE))?;
             file.write_all(&input)?;
@@ -163,6 +150,7 @@ impl NativeModuleManager {
             // TODO change in the future
             let mount_mappings = self.build_mappings(vec!["/".into()])?;
             let entry_point = match self.native_module.r#type() {
+                // directly mounted in the kernel file system
                 NativeModuleType::Dynamic { entry_point, .. } => entry_point.clone(),
                 NativeModuleType::Provisioned { entry_point } => self.native_module_directory.join(entry_point),
                 _ => panic!("should not happen"),

crates/execution-engine/src/native_modules/aead.rs

@@ -13,7 +13,7 @@ use anyhow::Result;
 use crate::native_modules::common::StaticNativeModule;
 use mbedtls::cipher::{Authenticated, Cipher, Decryption, Encryption, Fresh};
 use serde::Deserialize;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::fs::{write, read};
 
 #[derive(Deserialize, Debug)]
@@ -42,26 +42,18 @@ impl StaticNativeModule for AeadService {
     /// Triggers the service. The details of the service can be found in function
     /// `encryption_decryption`.
     /// Here is the enter point. It also erase the state unconditionally afterwards.
-    fn serve(&mut self, _input: &[u8]) -> Result<()> {
+    fn serve(&mut self, input: &Path, output: &Path) -> Result<()> {
+        let buf = read(input)?;
+        let deserialized_input: AeadService = postcard::from_bytes(&buf)?;
+        *self = deserialized_input;
         // when reaching here, the `input` bytes are already parsed.
         let result = self.encryption_decryption();
         // NOTE: erase all the states.
         self.reset();
+        // Write an output to inform the callee
+        let _ = write(output, "0");
         result
     }
-
-    /// For the purpose of demonstration, we always return true. In reality,
-    /// this function may check validity of the `input`, and even buffer the result
-    /// for further uses.
-    fn try_parse(&mut self, input: &[u8]) -> Result<bool> {
-        let deserialized_input: AeadService =
-            match postcard::from_bytes(&input) {
-                Ok(o) => o,
-                Err(_) => return Ok(false),
-            };
-        *self = deserialized_input;
-        Ok(true)
-    }
 }
 
 impl AeadService {

crates/execution-engine/src/native_modules/aes.rs

@@ -13,7 +13,7 @@ use anyhow::Result;
 use crate::native_modules::common::StaticNativeModule;
 use mbedtls::cipher::{Cipher, Decryption, Encryption, Fresh, Traditional};
 use serde::Deserialize;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::fs::{read, write};
 
 /// The interface between of the Counter mode AES module.
@@ -41,26 +41,18 @@ impl StaticNativeModule for AesCounterModeService {
     /// Triggers the service. The details of the service can be found in function
     /// `encryption_decryption`.
     /// Here is the enter point. It also erase the state unconditionally afterwards.
-    fn serve(&mut self, _input: &[u8]) -> Result<()> {
+    fn serve(&mut self, input: &Path, output: &Path) -> Result<()> {
+        let buf = read(input)?;
+        let deserialized_input: AesCounterModeService = postcard::from_bytes(&buf)?;
+        *self = deserialized_input;
         // when reaching here, the `input` bytes are already parsed.
         let result = self.encryption_decryption();
         // NOTE: erase all the states.
         self.reset();
+        // Write an output to inform the callee
+        let _ = write(output, "0");
         result
     }
-
-    /// For the purpose of demonstration, we always return true. In reality,
-    /// this function may check validity of the `input`, and even buffer the result
-    /// for further uses.
-    fn try_parse(&mut self, input: &[u8]) -> Result<bool> {
-        let deserialized_input: AesCounterModeService =
-            match postcard::from_bytes(&input) {
-                Ok(o) => o,
-                Err(_) => return Ok(false),
-            };
-        *self = deserialized_input;
-        Ok(true)
-    }
 }
 
 impl AesCounterModeService {