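# OPA requires floats
# OPA-compiled wasm policies need floating point support in wasm3 (d_m3HasFloat);
# the kernel normally builds without FP/SSE, see the per-arch flag removal below.
EMULATE_FLOATS := 1

# Compiler flags for every object in camblet.ko.
# $(PWD) rather than $(CURDIR): this file is also included by kbuild from the
# kernel build directory (`make -C $(KBUILD) M=$(PWD)`), where CURDIR would be
# the kernel tree, not this repo.
# NOTE(review): -DDEBUG=1 and -Dd_m3RecordBacktraces=1 are unconditional, so
# every build -- presumably including the dkms-built deb/rpm packages -- carries
# debug-only code paths and backtrace bookkeeping into the kernel module.
# Consider gating them on a build-time knob before shipping.
ccflags-y += -foptimize-sibling-calls \
    -Dd_m3RecordBacktraces=1 \
    -DDEBUG=1 \
    -Dd_m3HasFloat=$(EMULATE_FLOATS) \
    -I$(PWD)/include \
    -I$(PWD)/third-party/BearSSL/inc/ \
    -I$(PWD)/third-party/wasm3/source/ \
    -I$(PWD)/third-party/base64 \
    -I$(PWD)/third-party/parson \
    -I$(PWD)/third-party/picohttpparser \
    -Wall -g
# Opt-in: have wasm3 log every function it compiles (very noisy). Kept on its
# own line so the ccflags-y definition above no longer ends in a trailing `\`
# that swallows a comment line.
# ccflags-y += -Dd_m3LogCompile=1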
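# The wasm compiler module is not sanitized since it does a lot of recursion at the
# beginning and it's causing a stack overflow together with the sanitized code.
# Newer kbuild (around Linux 5.4 onwards) keys the per-object KASAN_SANITIZE_*
# variable on the object path relative to $(obj), while older kbuild used the
# bare basename. Set both spellings so the opt-out is honoured either way; the
# one the running kbuild does not look up is simply ignored.
KASAN_SANITIZE_m3_compile.o := n
KASAN_SANITIZE_third-party/wasm3/source/m3_compile.o := n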
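# Enable floating point arithmetic
# Host machine as reported by uname, kept under a private name so it does not
# collide with kbuild's own ARCH (which uses names like "x86"/"arm64" and can be
# overridden on the make command line -- in which case the comparisons below
# would silently never match). NOTE(review): this is the *host* architecture;
# when cross-compiling the right flags still have to be removed by hand.
host_arch := $(shell uname -m)
# NOTE(review): re-enabling SSE / FP-SIMD register use in kernel code is only
# safe if every wasm3 execution path is bracketed by kernel_fpu_begin()/end()
# (x86) or kernel_neon_begin()/end() (arm64); otherwise user-space FPU state
# gets clobbered. Confirm in src/wasm.c before relying on this.
ifeq ($(host_arch),x86_64)
  ifeq ($(EMULATE_FLOATS),1)
    ccflags-remove-y += -mno-sse -mno-sse2
  endif
  # TODO: Otherwise __popcountdi2 is undefined.
  # https://stackoverflow.com/questions/52161596/why-is-builtin-popcount-slower-than-my-own-bit-counting-function
  # ccflags-y += -march=native
endif
ifeq ($(host_arch),aarch64)
  # TODO: Otherwise __popcountdi2 is undefined.
  # https://www.kernel.org/doc/Documentation/kbuild/makefiles.rst
  # Anyhow, float emulation works only with this flag removed.
  ccflags-remove-y += -mgeneral-regs-only
endif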
# Symbols exported by the BearSSL kernel module (built by the `bearssl` target),
# so modpost can resolve the calls camblet.ko makes into bearssl.ko.
KBUILD_EXTRA_SYMBOLS = $(PWD)/third-party/BearSSL/Module.symvers
# Presumably the vendored third-party sources mix declarations and statements.
ccflags-remove-y += -Wdeclaration-after-statement
# VERBOSE=1 is forwarded to kbuild as V=1 and to the BearSSL build, and also
# clears DYNDBG below.
VERBOSE ?=
# Module parameter handed to insmod by the `insmod` target. `dyndbg==_` is a
# dynamic-debug spec with no flags set, i.e. presumably it silences the
# pr_debug() output that -DDEBUG=1 would otherwise enable by default -- confirm
# against the kernel's dynamic-debug documentation.
DYNDBG ?= dyndbg==_
ifeq ($(VERBOSE), 1)
DYNDBG =
endif
# obj-m specifies we're a kernel module.
obj-m += camblet.o

# Objects linked into camblet.ko, grouped by origin. Link order is exactly the
# original flat listing: vendored wasm3 runtime, other third-party helpers,
# then our own sources.
wasm3_objs := m3_api_libc.o m3_compile.o m3_api_meta_wasi.o m3_api_tracer.o \
    m3_api_uvwasi.o m3_api_wasi.o m3_bind.o m3_code.o m3_core.o m3_env.o \
    m3_exec.o m3_function.o m3_info.o m3_module.o m3_parse.o
thirdparty_objs := third-party/base64/base64.o \
    third-party/parson/json.o \
    third-party/picohttpparser/picohttpparser.o
camblet_src_objs := buffer.o device_driver.o main.o csr.o rsa_tools.o \
    cert_tools.o wasm.o opa.o proxywasm.o socket.o task_context.o tls.o \
    commands.o string.o augmentation.o config.o sd.o trace.o http.o spiffe.o
camblet-objs := $(addprefix third-party/wasm3/source/,$(wasm3_objs)) \
    $(thirdparty_objs) \
    $(addprefix src/,$(camblet_src_objs))
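# Set the path to the Kernel build utils.
# Kernel build directory of the running kernel. Simple (`:=`) assignment so
# `uname -r` runs once at parse time instead of on every reference.
KBUILD := /lib/modules/$(shell uname -r)/build/

# Default goal (first target in the file): build bearssl.ko, then this module
# via kbuild. VERBOSE=1 is forwarded as kbuild's V=1.
.PHONY: default
default: bearssl
	$(MAKE) -C $(KBUILD) M=$(PWD) V=$(VERBOSE) modules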
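.PHONY: bearssl bearssl_clean
# Build BearSSL as a kernel module (third-party/BearSSL/bearssl.ko) through its
# own makefile; its Module.symvers is what KBUILD_EXTRA_SYMBOLS points at.
bearssl:
	cd third-party/BearSSL && $(MAKE) VERBOSE=$(VERBOSE) linux-km

# Remove the BearSSL kernel-module build products.
bearssl_clean:
	cd third-party/BearSSL && $(MAKE) VERBOSE=$(VERBOSE) linux-km-clean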
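# Generated C headers embedding the built-in wasm modules (xxd -i byte arrays).
# Both recipes write into include/static/, so the real targets live there; the
# old short names are kept as phony aliases so `make static/socket_wasm.h`
# still works. Previously the targets never matched the written file, so make
# could neither skip an up-to-date header nor track the real output.
.PHONY: static/socket_wasm.h static/csr_wasm.h
static/socket_wasm.h: include/static/socket_wasm.h
static/csr_wasm.h: include/static/csr_wasm.h

# socket.rego -> OPA wasm bundle -> socket.wasm -> C byte array.
# NOTE(review): `opa` is whatever binary _install_opa fetched, and the policy it
# compiles here is linked into the kernel module -- pin and verify that binary.
# Output is written to a temp file and renamed so a failed xxd never leaves a
# truncated header that looks up to date.
include/static/socket_wasm.h: socket.rego
	opa build -t wasm -e "socket/allow" $< -o bundle.tar.gz
	tar zxf bundle.tar.gz /policy.wasm
	mv policy.wasm socket.wasm
	xxd -i socket.wasm $@.tmp && mv -f $@.tmp $@
	$(RM) bundle.tar.gz

# Rust CSR module -> wasm32 -> C byte array. `find` replaces the old
# `wasm-modules/csr-rust/**/*.rs` prerequisite: make's own glob has no `**`,
# so that pattern only ever matched one directory level. Cargo manifests are
# added via $(wildcard) so a missing file does not break the rule.
include/static/csr_wasm.h: $(shell find wasm-modules/csr-rust -name '*.rs' 2>/dev/null) \
    $(wildcard wasm-modules/csr-rust/Cargo.toml wasm-modules/csr-rust/Cargo.lock)
	cargo build --release --target=wasm32-unknown-unknown
	cp target/wasm32-unknown-unknown/release/csr-rust.wasm csr.wasm
	xxd -i csr.wasm $@.tmp && mv -f $@.tmp $@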
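.PHONY: opa-test
# Run the OPA unit tests for every .rego policy in the repo root.
opa-test:
	opa test *.rego -v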
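.PHONY: clean
# Remove everything this Makefile produced: kbuild objects, the BearSSL module
# (via bearssl_clean), cargo's target/ tree and the scratch wasm files left
# behind by the header-generation rules.
clean: bearssl_clean
	$(MAKE) -C $(KBUILD) M=$(PWD) clean
	$(RM) -r target/
	$(RM) bundle.tar.gz socket.wasm csr.wasm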
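.PHONY: help logs
# Forward kbuild's own help text for external-module builds.
help:
	$(MAKE) -C $(KBUILD) M=$(PWD) help

# Follow the kernel log with human-readable timestamps; sudo because dmesg
# may be restricted to root (kernel.dmesg_restrict).
logs:
	sudo dmesg -T --follow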
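.PHONY: insmod-tls insmod-bearssl insmod insmod-with-proxywasm
# Load the in-kernel TLS module if the running kernel ships it (kTLS is
# optional). The kernel version must be shell-expanded as `$$(uname -r)`: the
# old `$(uname -r)` was expanded by make to an empty string, so *every*
# installed kernel was searched. Unlike before, a failing modprobe now fails
# the target instead of printing "not available".
insmod-tls:
	@if find /lib/modules/$$(uname -r) -type f -name 'tls.ko*' | grep -q .; then sudo modprobe tls; else echo "tls module not available"; fi

# bearssl.ko must be loaded before camblet.ko, which imports its symbols.
insmod-bearssl: insmod-tls
	sudo insmod third-party/BearSSL/bearssl.ko

# Load camblet.ko, telling it whether kTLS is really present. The lsmod check
# is evaluated when this recipe is expanded, i.e. after insmod-tls has run.
# `^tls ` anchors on lsmod's module-name column so a module that merely *uses*
# tls (listed in the "Used by" column) is not mistaken for tls itself.
insmod: insmod-bearssl
	$(eval ktls_available := $(shell lsmod | grep -q '^tls ' && echo 1 || echo 0))
	sudo insmod camblet.ko $(DYNDBG) ktls_available=$(ktls_available)

# Same as `insmod` but with Proxy-Wasm module support switched on.
# NOTE(review): this variant passes neither $(DYNDBG) nor ktls_available; if
# that is not intentional, add them as in `insmod` above.
insmod-with-proxywasm: insmod-bearssl
	sudo insmod camblet.ko proxywasm_modules=1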
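.PHONY: rmmod
# Unload in dependency order: camblet.ko uses bearssl.ko's exported symbols
# (KBUILD_EXTRA_SYMBOLS), so it has to go first. If camblet is not loaded the
# first rmmod fails and bearssl stays loaded -- that is deliberate, not a
# best-effort cleanup.
rmmod:
	sudo rmmod camblet
	sudo rmmod bearssl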
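.PHONY: _debian_deps _archlinux_deps _rhel_deps
# Distro package prerequisites: dkms for building the module, dwarves
# (pahole, presumably for BTF) plus tooling used by the test and packaging
# targets. The ifndef is a parse-time conditional: the extra packages are
# skipped when GITHUB_ACTION is set, i.e. inside a GitHub Actions job where
# they are presumably preinstalled on the runner.
_debian_deps:
	sudo apt update
	sudo apt install -y dkms dwarves
ifndef GITHUB_ACTION
	sudo apt install -y golang flex bison iperf socat debhelper
endif

# NOTE(review): `pacman -Syu` upgrades the whole system as a side effect;
# `pacman -S --needed ...` would only install what is missing.
_archlinux_deps:
	sudo pacman -Syu linux-headers dkms go strace bc iperf socat

# RHEL family: dkms and go come from EPEL; vim-common supplies the xxd used
# by the header-generation rules.
_rhel_deps:
	sudo dnf install -y --enablerepo epel dkms vim-common go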
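# Pinned OPA release used to compile socket.rego. The arch suffix is derived
# from `go version` (e.g. "linux/amd64" -> "amd64"), so Go must be installed
# first (the *_deps targets do that). Both stay recursive (`?=`) so the shell
# call only runs when this recipe does, not at every parse.
OPA_VERSION ?= v0.56.0
OPA_ARCH ?= $(shell go version | cut -f2 -d'/')
# Optional SHA-256 of the expected binary (`make _install_opa OPA_SHA256=...`).
# When set, the download is verified before it is installed; when empty the
# download is trusted on the strength of TLS alone.
OPA_SHA256 ?=

.PHONY: _install_opa
# Download the static OPA binary to a temp file and install it as root.
# Changes vs. the old one-liner: `-f` makes curl fail on an HTTP error instead
# of saving the error page as /usr/bin/opa (and then chmod +x'ing it), HTTPS
# and TLS 1.2+ are enforced as in _install_wasm_target, only the final
# `install` runs under sudo, and the optional checksum is checked first.
_install_opa:
	tmp=$$(mktemp) && \
	curl --proto '=https' --tlsv1.2 -fsSL -o "$$tmp" "https://openpolicyagent.org/downloads/$(OPA_VERSION)/opa_linux_$(OPA_ARCH)_static" && \
	{ test -z "$(OPA_SHA256)" || echo "$(OPA_SHA256)  $$tmp" | sha256sum -c - ; } && \
	sudo install -m 0755 "$$tmp" /usr/bin/opa && \
	rm -f "$$tmp"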
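.PHONY: _install_wasm_target
# Install a Rust toolchain plus the wasm32 target for the calling user and for
# root. Skipped (parse-time ifndef) inside GitHub Actions.
# The installer is now downloaded to a temp file first: with the old
# `sudo curl ... | sh` a failed download fed an empty script to sh and the
# target still "succeeded". The sudo on curl is gone -- it only elevated the
# download; the installer itself ran (and still runs) as the invoking user.
# NOTE(review): this is still a curl|sh install of whatever sh.rustup.rs
# serves today, and `ln -s $HOME/.cargo/bin/* /usr/bin/` makes user-writable
# binaries callable as root via the `sudo rustup ...` lines below. Fine for a
# throw-away dev VM; do not run it on a shared or long-lived host.
_install_wasm_target:
ifndef GITHUB_ACTION
	tmp=$$(mktemp) && curl --proto '=https' --tlsv1.2 -sSf -o "$$tmp" https://sh.rustup.rs && sh "$$tmp" -y && rm -f "$$tmp"
	sudo ln -f -s $$HOME/.cargo/bin/* /usr/bin/
	rustup default stable
	rustup target add wasm32-unknown-unknown
	sudo rustup default stable
	sudo rustup target add wasm32-unknown-unknown
endif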
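.PHONY: setup-vm setup-archlinux-vm
# Full dev-VM bootstrap: distro packages, the OPA CLI and the Rust wasm target.
# There is no RHEL equivalent in this file; run
# `make _rhel_deps _install_opa _install_wasm_target` by hand.
setup-vm: _debian_deps _install_opa _install_wasm_target
setup-archlinux-vm: _archlinux_deps _install_opa _install_wasm_target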
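.PHONY: setup-dev-env
# One-time macOS host setup for working through Lima: seed the VS Code C/C++
# config from its template (never overwriting an existing one), install a
# cross toolchain matching the Lima guest's architecture (`lima uname -m` runs
# inside the VM), and fetch + build a minimal Linux v6.8 tree next to this
# repo (presumably for headers/IntelliSense).
# NOTE(review): the toolchain comes from a third-party Homebrew tap
# (messense/macos-cross-toolchains) and is not pinned; the kernel clone is
# pinned to tag v6.8 but git clone does not verify the tag's signature.
setup-dev-env:
	test -f .vscode/c_cpp_properties.json || cp .vscode/c_cpp_properties.json.template .vscode/c_cpp_properties.json
	brew tap messense/macos-cross-toolchains
	brew install $(shell lima uname -m)-unknown-linux-gnu
	test -d ../linux || git clone --depth=1 --branch v6.8 https://github.com/torvalds/linux.git ../linux
	cd ../linux && lima make tinyconfig
	cd ../linux && lima make -j2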
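# Usage: make debug LINE=get_command+0x88/0x130
# Resolve a symbol+offset from a kernel oops/backtrace to a source location in
# camblet.ko (built with -g, see ccflags-y). Fails with a usage message when
# LINE is empty instead of letting addr2line block waiting on stdin. The sudo
# was dropped: addr2line only reads the .ko we built ourselves.
.PHONY: debug
debug:
	@test -n "$(LINE)" || { echo "usage: make debug LINE=symbol+0xoff/0xsize" >&2; exit 1; }
	addr2line -e camblet.ko $(LINE)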
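# Paths left out of the source tarball handed to dpkg-buildpackage / rpmbuild.
# Shared by both packaging targets so the two lists cannot drift apart.
# NOTE(review): GNU tar's --exclude patterns are unanchored by default, so
# `linux` and `debian` also drop any nested directory of that name, not only
# the top-level ones.
dist_excludes := --exclude='./.git' \
    --exclude='third-party/wasm3/platforms' \
    --exclude='third-party/wasm3/test' \
    --exclude='test/bats' \
    --exclude='test/test_helper/bats-assert' \
    --exclude='test/test_helper/bats-support' \
    --exclude='linux' \
    --exclude='rpmbuild' \
    --exclude='debian'

.PHONY: deb rpm
# Build a Debian source+binary package; the upstream version is the part of
# debian/changelog's version before the first '-'. `$(MAKE)` rather than bare
# `make` so -j/-n and the jobserver propagate to the clean.
deb:
	$(eval PACKAGE_VERSION := $(shell dpkg-parsechangelog -S Version | cut -d'-' -f1))
	$(MAKE) clean
	$(RM) ../camblet-driver_$(PACKAGE_VERSION).orig.tar.xz
	tar $(dist_excludes) -cvJf ../camblet-driver_$(PACKAGE_VERSION).orig.tar.xz .
	dpkg-buildpackage -tc

# Build an RPM from rpmbuild/SPECS/camblet-driver.spec with ./rpmbuild as
# _topdir; the version comes from the spec file.
rpm:
	$(eval PACKAGE_VERSION := $(shell rpm -q --qf '%{VERSION}' --specfile rpmbuild/SPECS/camblet-driver.spec))
	$(MAKE) clean
	$(RM) rpmbuild/SOURCES/camblet-driver-*.tar.xz
	mkdir -p rpmbuild/SOURCES
	tar $(dist_excludes) -cvJf rpmbuild/SOURCES/camblet-driver-$(PACKAGE_VERSION).tar.xz .
	rpmbuild -v -ba --define '_topdir ${PWD}/rpmbuild/' rpmbuild/SPECS/camblet-driver.spec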
.PHONY: bump_version
# Bump the minor version: fetch tags, take the latest reachable tag
# (`git describe --tags --abbrev=0`), add one to its middle component and hand
# old/new tags to scripts/update_versions.sh. TAG=x.y.z on the command line
# overrides the computed value. The tag is split with make's own `subst`/`word`
# instead of piping through `cut`, which yields the same three components.
# NOTE(review): the patch component is carried over unchanged (1.2.5 -> 1.3.5);
# if a minor bump should reset it to 0, that is a deliberate change to make here.
bump_version:
	$(eval latest_tag := $(shell git fetch origin; git describe --tags --abbrev=0))
	$(eval tag_parts := $(subst ., ,$(latest_tag)))
	$(eval major := $(word 1,$(tag_parts)))
	$(eval minor := $(word 2,$(tag_parts)))
	$(eval patch := $(word 3,$(tag_parts)))
	$(eval minor_incr := $(shell echo $$(( $(minor) + 1 ))))
	$(eval new_tag := $(major).$(minor_incr).$(patch))
	$(eval TAG ?= $(new_tag))
	@echo "Preparing manifests with tag:$(TAG)"
	@./scripts/update_versions.sh $(TAG) $(latest_tag)
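.PHONY: setup-perf-test
# Fetch and build tempesta-tech's tls-perf handshake benchmark under test/.
# The binary is now a real file target, so the build is skipped once it exists
# (same effect as the old parse-time $(wildcard) guard, but visible to make).
# NOTE(review): the clone is unpinned (whatever HEAD is at the time) and the
# result is built and run locally -- pin a commit if this runs anywhere that
# matters.
setup-perf-test: test/tls-perf/tls-perf

test/tls-perf/tls-perf:
	sudo apt update
	sudo apt install -y git libssl-dev make build-essential
	cd test && git clone https://github.com/tempesta-tech/tls-perf.git
	cd test/tls-perf && $(MAKE)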
# This target installs tls-perf, which exercises the TLS handshake only.
# It does not send or read any data after the handshake is done.
# To run it against nasp, make sure the kernel module and the agent are installed and functional.
# Since a simple Python HTTP server is used as the backend, a matching policy must be configured, e.g.:
# /etc/nasp/rules/python.yaml
# - selectors:
# - process:binary:path: /usr/bin/python3.10
# process:gid: "1000"
# process:name: python3
# process:uid: "501"
# properties:
# workloadID: python
# ttl: 24h0m0s
# policy:
# mtls: false
# To run the perf test please use the following command:
# cd test/tls-perf && ./tls-perf -l 1000 -t 2 -T 10 127.0.0.1 8000
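.PHONY: minigun
# Crude load generator: 100 sequential IPv4 GETs of /tls.c from localhost:8000
# (presumably the Python HTTP server described above), printing curl's exit
# status for each -- 0 means the request went through. The stray `\` before
# `-4` in the old recipe was a no-op in sh and is gone.
minigun:
	for i in $$(seq 1 100); do curl -4 -s localhost:8000/tls.c > /dev/null; echo $$?; done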
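.PHONY: tests
# Run the bats suite after rendering both variants of the test file (kTLS on
# and off) from the shared template. The rendered files are real targets now,
# so they are regenerated only when the template changes, and each is written
# via a temp file so a failed envsubst cannot leave a truncated .bats behind.
tests: test/ktls.bats test/non-ktls.bats
	./test/bats/bin/bats test/

test/ktls.bats: test/tests.bats.template
	KTLS_IN_USE=true envsubst '$$KTLS_IN_USE' < $< > $@.tmp && mv -f $@.tmp $@

test/non-ktls.bats: test/tests.bats.template
	KTLS_IN_USE=false envsubst '$$KTLS_IN_USE' < $< > $@.tmp && mv -f $@.tmp $@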