aws-nitro-enclaves-cli.spec
# Copyright 2020-2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
%define ne_name nitro_enclaves
%define ne_group ne
%define ne_data_dir %{_datadir}/%{ne_name}
%define ne_include_dir %{_includedir}/%{ne_name}
%define ne_sysconf_dir %{_sysconfdir}/%{ne_name}
%define ne_log_dir %{_localstatedir}/log/%{ne_name}
%define ne_log_file %{ne_name}.log
%define ne_run_dir %{_rundir}/%{ne_name}
%define _src_dir %{_builddir}/%{name}-%{version}
%define _licenses_filename THIRD_PARTY_LICENSES
%define _third_party_licenses_file %{_datadir}/licenses/%{name}-%{version}/%{_licenses_filename}
%define _pkg_licenses_file %{_src_dir}/%{_licenses_filename}
# Stop mangling shebangs for scripts from examples
%global __brp_mangle_shebangs_exclude_from %{ne_data_dir}/examples/
Summary: AWS Nitro Enclaves tools for managing enclaves
Name: aws-nitro-enclaves-cli
Version: 1.3.4
Release: 0%{?dist}
License: Apache 2.0
ExclusiveArch: x86_64 aarch64
Source0: aws-nitro-enclaves-cli.tar.gz
Source1: nitro-cli-dependencies.tar.gz
BuildRequires: openssl-devel
BuildRequires: rust >= 1.68
BuildRequires: cargo >= 1.68
BuildRequires: make
BuildRequires: llvm
BuildRequires: clang
BuildRequires: systemd
%systemd_requires
Requires: systemd
Requires: docker
Requires: openssl
Requires: openssl-libs
Requires: curl
Requires: jq
%description
AWS Nitro CLI is a set of tools used for setting up and managing enclaves
%package integration-tests
Summary: RPM for running integration tests
Group: NitroEnclaves
Requires: python3-pip
Requires: python3
%description integration-tests
RPM for running integration tests for the AWS Nitro Enclaves CLI.
%package devel
Summary: Additional resources required by AWS Nitro CLI
Group: NitroEnclaves
%description devel
RPM containing additional resources required in order to build enclave images
%prep
%setup -a 1 -c %{name}
mkdir .cargo
cp tools/cargo_vendor_config_template .cargo/config
%build
make nitro-cli-native
make vsock-proxy-native
%install
# Main Nitro CLI tools installation
make NITRO_CLI_INSTALL_DIR=%{buildroot} BIN_DIR=%{_bindir} UNIT_DIR=%{_unitdir} VAR_DIR=%{_var} install-tools
install -D -m0644 %{_pkg_licenses_file} %{buildroot}%{_third_party_licenses_file}
# -devel package: sources and include headers
mkdir -p %{buildroot}%{ne_include_dir}
cp -r include/* %{buildroot}%{ne_include_dir}/
# -integration-tests package
install -D -m 0755 run-nitro-cli-integration-tests %{buildroot}%{_bindir}/run-nitro-cli-integration-tests
mkdir -p %{buildroot}%{ne_data_dir}/tests/integration
cp -r tests/integration/* %{buildroot}%{ne_data_dir}/tests/integration/
%pre
groupadd -f %{ne_group}
%post
# Manually perform log file initialization steps
mkdir -p %{ne_log_dir}
chmod 775 %{ne_log_dir}
touch %{ne_log_dir}/%{ne_log_file}
chmod 664 %{ne_log_dir}/%{ne_log_file}
chown -R root:%{ne_group} %{ne_log_dir}
# Create tmpfs directory
echo "d " %{ne_run_dir} " 0775 root "%{ne_group} > /usr/lib/tmpfiles.d/%{ne_name}.conf
# Make directory available even without rebooting the system
systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{ne_name}.conf
# Configure setup steps for the Nitro Enclaves driver (groups & udev rule)
echo "KERNEL==\"nitro_enclaves\", SUBSYSTEM==\"misc\", OWNER=\"root\", GROUP=\""%{ne_group}"\", \
MODE=\"0660\", TAG+=\"systemd\"" > /usr/lib/udev/rules.d/99-nitro_enclaves.rules
udevadm trigger -y nitro_enclaves
chgrp %{ne_group} /dev/%{ne_name}
echo -e "
* In order to successfully run Nitro Enclaves, please add your user to group '"%{ne_group}"'"
echo -e "
* Before being able to run enclaves, the system administrator must reserve the required
resources (i.e. CPUs and memory). Edit the allocator configuration file at
"%{ne_sysconf_dir}/allocator.yaml" and then start the allocator oneshot service:
sudo systemctl start nitro-enclaves-allocator.service
Resource allocation can be performed at system boot (recommended), by enabling
the allocator service:
sudo systemctl enable nitro-enclaves-allocator.service
"
%preun
# Uninstall services
%systemd_preun nitro-enclaves-vsock-proxy.service
%systemd_preun nitro-enclaves-allocator.service
%postun
if [ $1 -ne 1 ]; then
# Any operation except for package upgrade
# Remove any directory which was created by the driver as well as unload the driver
rm -f /usr/lib/modules-load.d/nitro_enclaves.conf
rm -f /usr/lib/udev/rules.d/99-nitro_enclaves.rules
rm -f /usr/lib/tmpfiles.d/nitro_enclaves.conf
rm -rf %{ne_run_dir}
rm -rf %{ne_log_dir}
fi
%triggerpostun -- aws-nitro-enclaves-cli = 1.0
# When uninstalling v1.0-5 of aws-nitro-enclaves-cli (during an update),
# make sure to bring in again files removed by the buggy version
if [ $1 -eq 2 ]; then
mkdir -p %{ne_log_dir}
chmod 775 %{ne_log_dir}
touch %{ne_log_dir}/%{ne_log_file}
chmod 664 %{ne_log_dir}/%{ne_log_file}
chown -R root:%{ne_group} %{ne_log_dir}
# (Re)create tmpfs directory
echo "d " %{ne_run_dir} " 0775 root "%{ne_group} > /usr/lib/tmpfiles.d/%{ne_name}.conf
# Make directory available even without rebooting the system
systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{ne_name}.conf
# (Re)configure setup steps for the Nitro Enclaves driver (groups & udev rule)
echo "KERNEL==\"nitro_enclaves\", SUBSYSTEM==\"misc\", OWNER=\"root\", GROUP=\""%{ne_group}"\", \
MODE=\"0660\", TAG+=\"systemd\"" > /usr/lib/udev/rules.d/99-nitro_enclaves.rules
udevadm trigger -y nitro_enclaves
chgrp %{ne_group} /dev/%{ne_name}
fi
%files
%{_bindir}/nitro-cli
%{_bindir}/vsock-proxy
%{_bindir}/nitro-enclaves-allocator
%{_third_party_licenses_file}
%{_unitdir}/nitro-enclaves-vsock-proxy.service
%{_unitdir}/nitro-enclaves-allocator.service
%config(noreplace) %{ne_sysconf_dir}/vsock-proxy.yaml
%config(noreplace) %{ne_sysconf_dir}/allocator.yaml
%files integration-tests
%{_bindir}/run-nitro-cli-integration-tests
%{ne_data_dir}/tests/*
%files devel
%{ne_data_dir}/blobs/*
%{ne_data_dir}/examples/*
%{ne_include_dir}/*
%changelog
* Mon Oct 21 2024 Leonard Foerster <[email protected]> - 1.3.4-0
- blobs: Update linuxkit to version 1.5.2
* Thu Sep 5 2024 Leonard Foerster <[email protected]> - 1.3.3-0
- blobs: Update linuxkit to version 1.5.0
- Update sources for 1.3.2 release
* Wed Jul 24 2024 Eugene Koira <[email protected]> - 1.3.2-0
- nitro-cli: Update enclave boot timeout based on allocated memory
- clippy: resolve build errors for Rust 1.79
- blobs: Update linuxkit binaries to version based on v1.2.0
- scripts/run_tests.sh: Add check dependencies
* Mon Jun 3 2024 Erdem Meydanli <[email protected]> - 1.3.1-0
- vsock-proxy: Bump version to 1.0.1
- vsock_proxy: Use system-configured nameservers for DNS resolution
- Update init blob to support user namespaces
- clippy: resolve build errors for Rust 1.78
* Tue Apr 16 2024 Erdem Meydanli <[email protected]> - 1.3.0-0
+ This release focuses on resolving two critical issues:
the vsock-proxy DNS lookup limitation (#553) and the compatibility
problem with Docker versions 25 and later (#591). Furthermore, it
updates several important crate dependencies to their latest versions.
- cargo: Update cargo.lock to eliminate build failures
- build(deps): bump base64 from 0.21.4 to 0.22.0
- build(deps): bump tokio from 1.28.2 to 1.32.0
- fix(deps): downgrade crate versions due to compatibility issues
- version: Release vsock_proxy v1.0.0
- vsock_proxy: Introduce DnsResolutionInfo type
- vsock_proxy: add tests
- vsock_proxy: change function's signature
- clippy/cargo: resolve build errors and warnings
- vsock_proxy: Perform DNS resolution after the expiration of the TTL
- vsock_proxy: Handle allowlisting out of Proxy
- vsock_proxy: rename starter.rs
- vsock_proxy: Refactor DNS-related functionality
- vsock_proxy: refactor
- cargo: Upgrade num-derive to v0.4
- enclave_build: Extract stream output handling
- enclave_build: Refactor docker.rs for consistent Runtime creation
- enclave_build: Extract build_tarball method
- enclave_build: Extract parse_docker_host method
- enclave_build: Extract inspect method
- enclave_build: Add more tests
- fix: Switch to bollard for docker API interaction
- ci: use cargo-about v0.5.0
- ci: disable automatic license file generation
- enclave_build: fix clippy failure
- build(deps): bump inotify from 0.10.0 to 0.10.2
- build(deps): bump dns-lookup from 1.0.8 to 2.0.3
- vsock_proxy: set log level to warn
- github: update the action version
- clippy: eliminate warnings & errors
- rust: msrv version bump
- build(deps): bump mio from 0.8.6 to 0.8.11
- docs: Correct image signing manual
* Wed Jan 31 2024 Costin Lupu <[email protected]> - 1.2.3-0
- Dependencies updates: base64 bindgen chrono env_logger flexi_logger futures
idna inotify libc log nix num-traits openssl page_size rand rustix serde
serde_json serde_yaml shlex signal-hook tempfile tokio url vmm-sys-util vsock
- Fix clippy errors and warnings after updates
- Added dependabot support
- Improve help text of the memory argument
- Use public containers in tests
- Update and refactor run_tests.sh
* Tue Mar 07 2023 Petre Eftime <[email protected]> - 1.2.2-0
- update third party crates license file
- update clap
- update bindgen
- update cpufeatures
- update chrono
- update tempfile
- update hyper
- Fix fmt issues
- Fix clippy issues after tokio update.
- build(deps): bump tokio from 1.18.4 to 1.18.5
- ci: reserve 2 cpus, not specific cpus
- ci: mark logs as plaintext
- CI: prevent tests from getting stuck
- CI: use get-login-password instead of get-login
- build(deps): bump tokio from 1.17.0 to 1.18.4
- clippy: fix minor issue
- cli/enclave_proc: handle EINTR for epoll_wait()
- use ubuntu from the public ECR gallery
- Update THIRD_PARTY_LICENSES_RUST_CRATES.html
- nitro-enclaves-allocator: Set local language to English
- do not re-run Actions checks during tests
- add license checks
- add audit step
- ci: add workflows build, clippy and format workflows
- fix clippy::explicit_auto_deref
- fix clippy::partialeq_to_none
- regenerate driver-bindings with Default
- enclave_build: Fix clippy warning (clippy::needless_borrow)
- vsock-proxy: Add "ap-southeast-3" endpoints to config
* Tue Oct 25 2022 Andra Paraschiv <[email protected]> - 1.2.1-0
- Fix nitro-cli debug mode, when using attach_console and debug_mode options.
- Refactor Dockerfiles for faster builds and remove duplication.
- Mock input in nitro-cli unit tests to allow running them on systems without
Nitro Enclaves support or having various CPU configurations.
- Refactor console disconnect timeout feature.
- Fix race condition in nitro-cli on command dispatch.
- Allow NITRO_CLI_INSTALL_DIR to be overridden in nitro-cli-env.sh.
- Use aws-nitro-enclaves-image-format crate.
- Allow NITRO_CLI_INSTALL_DIR be set for path to allocator.yaml.
- Use DOCKER_HOST env variable properly when interacting with the shiplift
library.
- Update linuxkit blobs to v0.8+.
- Create driver-bindings crate with static bindings for the Nitro Enclaves
kernel driver.
- Remove custom metadata structure restriction for EIF images.
- Add symlinks for the blobs used by the command executer sample.
- Fix clippy warnings.
- Bump Rust version to 1.58.1.
- Bump socket2 from 0.3.11 to 0.3.19 in vsock_proxy.
- Bump smallvec from 0.6.13 to 0.6.14 in vsock_proxy.
- Update clap crate to 3.2.
- Update nitro-cli crates dependencies to the latest version.
- Fix broken nitro-cli enclave proc doctest.
- Fix typos in the nitro-cli documentation.
* Tue Feb 22 2022 Eugene Koira <[email protected]> - 1.2.0-0
- Add support of building EIF with custom name, version and metadata.
- Add support of checking EIF metadata within describe-eif and describe-enclave commands.
- Upgrade EIF to v4 containing metadata section.
- Update enclave image blobs to latest v4.14 kernel version.
- Add option to attach the enclave console immediately after starting the enclave.
- Update dependencies to fix cargo audit warnings.
- Update README to include references to official documentation.
- Update init blob based on the latest codebase version.
- Use latest cargo-about and cargo-audit
- Update cargo dependencies.
- Fix CI tests for ARM.
* Thu Oct 28 2021 Andra Paraschiv <[email protected]> - 1.1.0-0
- Update the enclave image blobs e.g. enclave kernel and NSM driver, to include
the hwrng functionality from the NSM driver for entropy seeding.
- Exit if the hugepages configuration fails in the nitro-enclaves-allocator
service.
- Update the enclave boot timeout logic to consider the enclave image size.
- Verify the signing certificate of the enclave image and add explicit error
handling.
- Add pcr command in the nitro-cli.
- Add support for enclave name in the nitro-cli commands.
- Add describe-eif command in the nitro-cli.
- Set correct group ownership for /dev/nitro_enclaves in the nitro-cli spec.
- Add --disconnect-timeout option to console command.
- Add pylint fixes to the nitro-cli tests.
- Update cargo-about and cargo-audit in the nitro-cli CI.
- Update tar and hyper crates in the nitro-cli.
- Fix remote server's matching against allowlist for vsock proxy.
- Add refs for Nitro CLI install from sources on a set of Linux distros in the
nitro-cli docs.
- Update references to the AWS Nitro Enclaves COSE crate in the nitro-cli docs.
- Update vsock proxy configuration file location in the vsock proxy README.
- Update command executer sample README to reflect current state.
- Update Nitro CLI README to include information about enclave disk space.
* Thu Jul 15 2021 Alexandru Gheorghe <[email protected]> - 1.0.12-0
- Fix build-enclave when docker contains ENTRYPOINT command.
* Wed May 19 2021 Alexandru Gheorghe <[email protected]> - 1.0.11-0
- Updated documentation.
- Updated dependencies to exclude deprecated crates and unused ones.
- Switch vsock proxy to using IMDSv2.
- Minor bug fixes.
* Sat Feb 06 2021 Gabriel Bercaru <[email protected]> - 1.0.10-1
- Changed release from 0 to 1
* Tue Feb 02 2021 Gabriel Bercaru <[email protected]> - 1.0.10-0
- Removed the %posttrans scriptlet and delegated the task of
re-performing resources initialization to a trigger script
which runs only when uninstalling v1.0 of the package (during an update)
* Fri Nov 27 2020 Gabriel Bercaru <[email protected]> - 1.0.9-0
- Added checks for the pre & post uninstallation hooks to check
whether an upgrade or an uninstallation is being performed
* Tue Nov 24 2020 Gabriel Bercaru <[email protected]> - 1.0-8
- Added third_party directory with linuxkit credit
- Improved 'insufficient resources' error messages
- Updated the allocator service
- Enforce an enclave memory lower limit of 4x the size of the EIF file
- Added a check wrt the enclave flags, when issuing a `console` command
* Thu Nov 05 2020 Gabriel Bercaru <[email protected]> - 1.0-7
- Updated init blob file to reflect recent init code changes
* Wed Nov 04 2020 Gabriel Bercaru <[email protected]> - 1.0-6
- Improved the error messages related to file operation failures
- Updated the documentation landing page reported in error logs
* Sun Oct 25 2020 Gabriel Bercaru <[email protected]> - 1.0-5
- Refactored integration tests main scripts in order to use the allocator service
* Tue Oct 20 2020 Dan Horobeanu <[email protected]> - 1.0-4
- Removed dependency on `nitro_enclaves.device` for the allocator service
- Removed timeout from the allocator oneshot service
* Mon Oct 19 2020 Gabriel Bercaru <[email protected]> - 1.0-3
- Updated license string to 'Apache 2.0'
* Sat Oct 17 2020 Dan Horobeanu <[email protected]> - 1.0-1
- Updated license to Apache-2.0
- General cleanup and resync with `make install` output
* Wed Oct 14 2020 Gabriel Bercaru <[email protected]> - 1.0-0
- Include resources reservation service
* Wed Mar 25 2020 Alexandru Gheorghe <[email protected]> - 0.1-0
- Initial draft