Islet rmm memory handling issues

[L0czek]

While running the provisioning setup, we started encountering a truly random errors from various layers of the stack that could not be reproduced in tf-rmm. In detail, we encountered the following errors:

• TLS decrypt error during application installation,
• application image hash mismatch,
• some "inode already exists" error from the Linux kernel,
• disk image corruption (the file system wasn't preserved across realm reboots),
• TLS handshake error.

Since we couldn't reproduce them while running tf-rmm there might be some memory issue introduced by islet rmm. We first encountered this issue when we tried to test the application installation using a statically linked rust "hello world" application. It weights about 1MB, due to static linking and debug build. Every time we tried to install it while running islet, the installation process would fail with TLS decrypt error. We then switch to tf-rmm to check if the issue still persisted. To our surprise, it did not. In the next step, we created a lighter "hello world" application that weight only 1KB and managed to get it installed under Islet. This let us conclude that Islet introduces some memory instability that leads to arbitrary corruption when large amounts of data are processed.

Testcases

The big application example_app

This application consists of a simple loop that prints "I'm alive" with a number and then increments it.

use std::time::Duration;

fn main() {
    let mut i = 0usize;
    loop {
        println!("I'm alive {}", i);

        i += 1;

        std::thread::sleep(Duration::from_secs(1));
    }
}

After compiling and packaging the OCI container with this application weights about 1.2MB.

Using: create-application -n example_app -v latest -i image-registry.net:1337 -o 32 -d 32 -r 5156ae05-1da0-4e7b-a168-ec8d1869890e

Islet rmm

On islet this application failes everytime mostly with some TLS decryption error. Although, sometimes we observed an hash mismatch error suggesting that the TLS layer worked fine but the corruption happend during OCI container image validation.

2024-09-30T12:46:55.923Z DEBUG [ir_client::oci::client] Supported media types: application/vnd.oci.image.layer.v1.tar,application/vnd.oci.image.layer.v1.tar+gzip,application/vnd.oci.image.layer.v1.tar+zstd,application/vnd.oci.image.config.v1+json
2024-09-30T12:46:56.030Z DEBUG [ir_client::utils] Content-type: application/vnd.oci.image.layer.v1.tar
2024-09-30T12:46:56.068Z DEBUG [ir_client::utils] Content-length: 1232384
2024-09-30T12:46:56.095Z DEBUG [ir_client::utils] Content-type: application/vnd.oci.image.layer.v1.tar
2024-09-30T12:46:56.133Z DEBUG [ir_client::utils] docker-content-digest: sha256:50305deead7645d3889692db72e23c7890c3876b0a78e83e08a8037f6edfe96c
2024-09-30T12:46:56.714Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/dae4bc93-b494-4c6f-9251-13ecdc8c8cab/image/root/temp"
2024-09-30T12:46:56.777Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/dae4bc93-b494-4c6f-9251-13ecdc8c8cab/image/root/unpack"
2024-09-30T12:46:56.831Z ERROR [app_manager::launcher::oci] Failed to install applcation example_app:latest, reason: OciLauncher(UnpackError(IOError(Custom { kind: Other, error: reqwest::Error { kind: Decode, source: hyper::Error(Body, Custom { kind: InvalidData, error: DecryptError }) } })))
2024-09-30T12:46:56.922Z ERROR [app_manager::manager] Application installation error: OciLauncher(UnpackError(IOError(Custom { kind: Other, error: reqwest::Error { kind: Decode, source: hyper::Error(Body, Custom { kind: InvalidData, error: DecryptError }) } })))

tf-rmm

On tf-rmm this application works everytime.

2024-09-30T13:17:56.725Z INFO  [ir_client::client] Image unpacked succesfully
2024-09-30T13:17:56.753Z INFO  [app_manager::launcher::oci] Installation finished, moving "/apps/a5643230-6faf-4586-8aa8-dabbb230eff1/image/root/unpack" to "/apps/a5643230-6faf-4586-8aa8-dabbb230eff1/image/root/img"
2024-09-30T13:17:56.829Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/a5643230-6faf-4586-8aa8-dabbb230eff1/image/root/temp"
2024-09-30T13:17:56.880Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/a5643230-6faf-4586-8aa8-dabbb230eff1/image/root/unpack"
2024-09-30T13:17:56.927Z ERROR [app_manager::launcher::oci] Failed to cleanup "/apps/a5643230-6faf-4586-8aa8-dabbb230eff1/image/root/unpack", error Fs(RmRfError(Os { code: 2, kind: NotFound, message: "No such file or directory" }))
2024-09-30T13:17:57.005Z DEBUG [rustls::common_state] Sending warning alert CloseNotify
2024-09-30T13:17:57.041Z DEBUG [devicemapper::core::dm] Creating device crypt_f2d05483-8673-4f68-b403-e79a2cc1bff4 (uuid=None)
2024-09-30T13:17:57.116Z DEBUG [devicemapper::core::dm] Resuming device crypt_f2d05483-8673-4f68-b403-e79a2cc1bff4
2024-09-30T13:17:57.153Z INFO  [app_manager::app] Mounting data partition
[   78.968507] EXT2-fs (dm-1): error: can't find an ext2 filesystem on dev dm-1.
Filesystem label=data
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
8192 inodes, 32768 blocks
1638 blocks (5%) reserved for the super user
First data block=1
Maximum filesystem blocks=262144
4 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577
[   82.360373] ext2 filesystem being mounted at /apps/a5643230-6faf-4586-8aa8-dabbb230eff1/data supports timestamps until 2038-01-19 (0x7fffffff)
2024-09-30T13:18:00.613Z INFO  [app_manager::app] Mounting overlayfs
[   82.486228] overlayfs: upper fs does not support RENAME_WHITEOUT.
[   82.505571] overlayfs: failed to set xattr on upper
[   82.521103] overlayfs: ...falling back to redirect_dir=nofollow.
[   82.540275] overlayfs: ...falling back to uuid=null.
2024-09-30T13:18:00.774Z DEBUG [app_manager::launcher::oci] Launching from config: ExecConfig { exec: "/bin/exampleapp", argv: ["/bin/exampleapp"], envp: {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, uid: Uid(0), gid: Gid(0), chroot: Some("/apps/a5643230-6faf-4586-8aa8-dabbb230eff1/overlay/img"), chdir: Some("/") }
2024-09-30T13:18:00.877Z INFO  [app_manager::manager] Finished installing a5643230-6faf-4586-8aa8-dabbb230eff1
2024-09-30T13:18:00.914Z INFO  [app_manager::manager] Measuring app a5643230-6faf-4586-8aa8-dabbb230eff1
2024-09-30T13:18:00.949Z DEBUG [app_manager::manager] Extending Rem0 with [48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 188, 11, 173, 130, 233, 89, 218, 18, 203, 113, 142, 124, 149, 56, 37, 64, 129, 164, 252, 224, 127, 207, 110, 30, 155, 0, 4, 119, 190, 96, 240, 176, 22, 1, 84, 132, 210, 228, 104, 121]
[   82.837042] rsi: device rsi open
[   82.847525] rsi: ioctl: measurement_extend: 1, 64
[   82.863361] rsi: RSI measurement extend, ret: RSI_SUCCESS
[   82.880122] rsi: device rsi released

2024-09-30T13:18:01.699Z INFO  [app_manager::manager] Starting app a5643230-6faf-4586-8aa8-dabbb230eff1
2024-09-30T13:18:01.748Z INFO  [app_manager::manager] Provisioning finished
[2024-09-30T13:35:47Z DEBUG warden_daemon::socket::vsocket_server] Received realm's response: Ok(
        Success,
    )
[2024-09-30T13:35:47Z INFO  warden_daemon::client_handler::client_command_handler] Started realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e.
[2024-09-30T13:35:47Z INFO  cmd_client] Command handled successfully.
[2024-09-30T13:35:47Z INFO  cmd_client] Insert new command:
$
2024-09-30T13:18:01.780Z INFO  [app_manager] Applications started entering event loop
2024-09-30T13:18:01.812Z INFO  [app_manager::launcher::handler] Application stdout: I'm alive 0
2024-09-30T13:18:02.851Z INFO  [app_manager::launcher::handler] Application stdout: I'm alive 1

The light application light_app

This application acts similarly but was made to be as small as possible. For this reason, it is written in C and utilizes syscalls directly.

static void syscall(long n, long arg1, long arg2, long arg3)
{
    __asm__ volatile (
        "mov x8, %0\n"
        "mov x0, %1\n"
        "mov x1, %2\n"
        "mov x2, %3\n"
        "svc 0\n"
        :
        : "r" (n), "r" (arg1), "r" (arg2), "r" (arg3) : "x0", "x1", "x2", "x8", "memory"
        );
}

struct __kernel_timespec {
    long tv_sec;
    long tv_nsec;
};

int _start()
{
    struct __kernel_timespec req, rem;
    req.tv_sec = 1;
    req.tv_nsec = 0;
    rem.tv_sec = 0;
    rem.tv_nsec = 0;

    for(;;) {
        syscall(0x40, 1, (long)"Example Application\n", 20);
        syscall(0x65, (long)&req, (long)&rem, 0);
    }
}

After compiling and packaging, the OCI container with this application weights about 13KB.

Using: create-application -n light_app -v latest -i image-registry.net:1337 -o 32 -d 32 -r 5156ae05-1da0-4e7b-a168-ec8d1869890e

Islet rmm

Thanks to the lowered application size we were able to launch the light_app:

Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:44.983Z INFO  [ir_client::client] Unpacking layer /apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/temp/layer_0.tar onto /apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/unpack
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.048Z DEBUG [ir_client::layer] Unpacking layer: /apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/temp/layer_0.tar onto directory: /apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/unpack
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.116Z DEBUG [ir_client::layer] Processing whiteouts
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.143Z DEBUG [ir_client::layer] Validating diff_id: eb1b886d236dda5242cc06bf60e03e1d2d1dd765242befb49b57211965d6bd99
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.189Z DEBUG [ir_client::layer] Unpacking entry: print onto: /apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/unpack/print
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.247Z INFO  [ir_client::client] Image unpacked succesfully
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.276Z INFO  [app_manager::launcher::oci] Installation finished, moving "/apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/unpack" to "/apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/img"
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.357Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/temp"
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.408Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/unpack"
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.457Z ERROR [app_manager::launcher::oci] Failed to cleanup "/apps/9074f2e0-7268-4e33-944e-b078b065e81a/image/root/unpack", error Fs(RmRfError(Os { code: 2, kind: NotFound, message: "No such file or directory" }))
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.535Z DEBUG [rustls::common_state] Sending warning alert CloseNotify
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.571Z DEBUG [devicemapper::core::dm] Creating device crypt_56a29695-0f54-4ba1-a7dd-279fc0337595 (uuid=None)
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.637Z DEBUG [devicemapper::core::dm] Resuming device crypt_56a29695-0f54-4ba1-a7dd-279fc0337595
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:45.677Z INFO  [app_manager::app] Mounting data partition
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   90.949521] EXT2-fs (dm-1): error: can't find an ext2 filesystem on dev dm-1.
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: Filesystem label=data
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: OS type: Linux
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: Block size=1024 (log=0)
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: Fragment size=1024 (log=0)
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 8192 inodes, 32768 blocks
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 1638 blocks (5%) reserved for the super user
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: First data block=1
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: Maximum filesystem blocks=262144
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 4 block groups
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 8192 blocks per group, 8192 fragments per group
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2048 inodes per group
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: Superblock backups stored on blocks:
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 8193, 24577
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   93.641719] ext2 filesystem being mounted at /apps/9074f2e0-7268-4e33-944e-b078b065e81a/data supports timestamps until 2038-01-19 (0x7fffffff)
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:48.441Z INFO  [app_manager::app] Mounting overlayfs
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   93.759022] overlayfs: upper fs does not support RENAME_WHITEOUT.
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   93.779310] overlayfs: failed to set xattr on upper
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   93.794462] overlayfs: ...falling back to redirect_dir=nofollow.
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   93.814837] overlayfs: ...falling back to uuid=null.
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:48.591Z DEBUG [app_manager::launcher::oci] Launching from config: ExecConfig { exec: "/print", argv: ["/print"], envp: {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, uid: Uid(0), gid: Gid(0), chroot: Some("/apps/9074f2e0-7268-4e33-944e-b078b065e81a/overlay/img"), chdir: Some("/") }
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:48.693Z INFO  [app_manager::manager] Finished installing 9074f2e0-7268-4e33-944e-b078b065e81a
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:48.731Z INFO  [app_manager::manager] Measuring app 9074f2e0-7268-4e33-944e-b078b065e81a
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:48.768Z DEBUG [app_manager::manager] Extending Rem0 with [48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 188, 11, 173, 130, 233, 89, 218, 18, 203, 113, 142, 124, 149, 56, 37, 64, 129, 164, 252, 224, 127, 207, 110, 30, 155, 0, 4, 119, 190, 96, 240, 176, 22, 1, 84, 132, 210, 228, 104, 121]
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   94.117000] rsi: device rsi open
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   94.127211] rsi: ioctl: measurement_extend: 1, 64
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   94.143297] rsi: RSI measurement extend, ret: RSI_SUCCESS
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: [   94.159455] rsi: device rsi released
[...]
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:49.533Z INFO  [app_manager::manager] Starting app 9074f2e0-7268-4e33-944e-b078b065e81a
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:49.577Z INFO  [app_manager::manager] Provisioning finished
[2024-09-30T14:18:12Z DEBUG warden_daemon::socket::vsocket_server] Received realm's response: Ok(
        Success,
    )
[2024-09-30T14:18:12Z INFO  warden_daemon::client_handler::client_command_handler] Started realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e.
[2024-09-30T14:18:12Z INFO  cmd_client] Command handled successfully.
[2024-09-30T14:18:12Z INFO  cmd_client] Insert new command:
$ Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:43:49.604Z INFO  [app_manager::launcher::handler] Application stdout: Example Application
2024-09-30T13:43:49.646Z INFO  [app_manager] Applications started entering event loop
2024-09-30T13:43:50.578Z INFO  [app_manager::launcher::handler] Application stdout: Example Application
2024-09-30T13:43:51.582Z INFO  [app_manager::launcher::handler] Application stdout: Example Application
2024-09-30T13:43:52.586Z INFO  [app_manager::launcher::handler] Application stdout: Example Application

Unfortunately, lowering the container size only made error less frequent. We are still noticing error similar to this:

Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:38:13.755Z INFO  [app_manager::launcher::oci] Unpacking application to "/apps/337cb15f-451b-4e04-beec-5f9f3b0574cd/image/root/unpack" using "/apps/337cb15f-451b-4e04-beec-5f9f3b0574cd/image/root/temp" as temp dir
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:38:13.827Z INFO  [ir_client::client] Image has 1 layer(s)
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:38:13.868Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/337cb15f-451b-4e04-beec-5f9f3b0574cd/image/root/temp"
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:38:13.925Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/337cb15f-451b-4e04-beec-5f9f3b0574cd/image/root/unpack"
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:38:13.978Z ERROR [app_manager::launcher::oci] Failed to install applcation light_app:latest, reason: OciLauncher(UnpackError(DigestInvalidError))
Realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e: 2024-09-30T13:38:14.030Z ERROR [app_manager::manager] Application installation error: OciLauncher(UnpackError(DigestInvalidError))

tf-rmm

On tf-rmm everything works just like with the bigger application.

2024-09-30T14:12:39.107Z INFO  [ir_client::client] Unpacking layer /apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/temp/layer_0.tar onto /apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/unpack
2024-09-30T14:12:39.169Z DEBUG [ir_client::layer] Unpacking layer: /apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/temp/layer_0.tar onto directory: /apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/unpack
2024-09-30T14:12:39.235Z DEBUG [ir_client::layer] Processing whiteouts
2024-09-30T14:12:39.261Z DEBUG [ir_client::layer] Validating diff_id: eb1b886d236dda5242cc06bf60e03e1d2d1dd765242befb49b57211965d6bd99
2024-09-30T14:12:39.306Z DEBUG [ir_client::layer] Unpacking entry: print onto: /apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/unpack/print
2024-09-30T14:12:39.366Z INFO  [ir_client::client] Image unpacked succesfully
2024-09-30T14:12:39.394Z INFO  [app_manager::launcher::oci] Installation finished, moving "/apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/unpack" to "/apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/img"
2024-09-30T14:12:39.470Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/temp"
2024-09-30T14:12:39.521Z INFO  [app_manager::launcher::oci] Cleaning up, removing "/apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/unpack"
2024-09-30T14:12:39.567Z ERROR [app_manager::launcher::oci] Failed to cleanup "/apps/0480f400-39b8-47fd-b8cb-60db70abec03/image/root/unpack", error Fs(RmRfError(Os { code: 2, kind: NotFound, message: "No such file or directory" }))
2024-09-30T14:12:39.643Z DEBUG [rustls::common_state] Sending warning alert CloseNotify
2024-09-30T14:12:39.679Z DEBUG [devicemapper::core::dm] Creating device crypt_64c718eb-ba00-45ff-8241-d82c177b7463 (uuid=None)
2024-09-30T14:12:39.755Z DEBUG [devicemapper::core::dm] Resuming device crypt_64c718eb-ba00-45ff-8241-d82c177b7463
2024-09-30T14:12:39.795Z INFO  [app_manager::app] Mounting data partition
[  120.211781] EXT2-fs (dm-1): error: can't find an ext2 filesystem on dev dm-1.
Filesystem label=data
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
8192 inodes, 32768 blocks
1638 blocks (5%) reserved for the super user
First data block=1
Maximum filesystem blocks=262144
4 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
8193, 24577
[  123.532117] ext2 filesystem being mounted at /apps/0480f400-39b8-47fd-b8cb-60db70abec03/data supports timestamps until 2038-01-19 (0x7fffffff)
2024-09-30T14:12:43.186Z INFO  [app_manager::app] Mounting overlayfs
[  123.657670] overlayfs: upper fs does not support RENAME_WHITEOUT.
[  123.675508] overlayfs: failed to set xattr on upper
[  123.691290] overlayfs: ...falling back to redirect_dir=nofollow.
[  123.710353] overlayfs: ...falling back to uuid=null.
2024-09-30T14:12:43.342Z DEBUG [app_manager::launcher::oci] Launching from config: ExecConfig { exec: "/print", argv: ["/print"], envp: {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}, uid: Uid(0), gid: Gid(0), chroot: Some("/apps/0480f400-39b8-47fd-b8cb-60db70abec03/overlay/img"), chdir: Some("/") }
2024-09-30T14:12:43.440Z INFO  [app_manager::manager] Finished installing 0480f400-39b8-47fd-b8cb-60db70abec03
2024-09-30T14:12:43.475Z INFO  [app_manager::manager] Measuring app 0480f400-39b8-47fd-b8cb-60db70abec03
2024-09-30T14:12:43.510Z DEBUG [app_manager::manager] Extending Rem0 with [48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 188, 11, 173, 130, 233, 89, 218, 18, 203, 113, 142, 124, 149, 56, 37, 64, 129, 164, 252, 224, 127, 207, 110, 30, 155, 0, 4, 119, 190, 96, 240, 176, 22, 1, 84, 132, 210, 228, 104, 121]
[  123.997001] rsi: device rsi open
[  124.007158] rsi: ioctl: measurement_extend: 1, 64
[  124.022961] rsi: RSI measurement extend, ret: RSI_SUCCESS
[  124.040201] rsi: device rsi released
[...]
2024-09-30T14:12:44.257Z INFO  [app_manager::manager] Starting app 0480f400-39b8-47fd-b8cb-60db70abec03
2024-09-30T14:12:44.303Z INFO  [app_manager::launcher::handler] Application stdout: Example Application

2024-09-30T14:12:44.335Z INFO  [app_manager::manager] Provisioning finished
[2024-09-30T16:27:21Z DEBUG warden_daemon::socket::vsocket_server] Received realm's response: Ok(
        Success,
    )
[2024-09-30T16:27:21Z INFO  warden_daemon::client_handler::client_command_handler] Started realm: 5156ae05-1da0-4e7b-a168-ec8d1869890e.
[2024-09-30T16:27:21Z INFO  cmd_client] Command handled successfully.
[2024-09-30T16:27:21Z INFO  cmd_client] Insert new command:
$ 
2024-09-30T14:12:44.371Z INFO  [app_manager] Applications started entering event loop
2024-09-30T14:12:45.305Z INFO  [app_manager::launcher::handler] Application stdout: Example Application

2024-09-30T14:12:46.345Z INFO  [app_manager::launcher::handler] Application stdout: Example Application

2024-09-30T14:12:47.349Z INFO  [app_manager::launcher::handler] Application stdout: Example Application

Reproduction

To reproduce this issue you can follow the application provisioning instruction.

Naturally, the realm image was compiled once to ensure that the build process doesn't interfere with the results. I only changed between islet and tf-rmm using the commandline:

• ./scripts/fvp-cca --normal-world=linux-net --realm=linux --rmm=tf-rmm --hes --rmm-log-level info for tf-rmm,
• ./scripts/fvp-cca --normal-world=linux-net --realm=linux --rmm=islet --hes --rmm-log-level info for islet.

The rest is exaclty as spcecified in the instruction. The building of test applications used in this issue is also explained in the instruction.

[bokdeuk-jeong]

Before reproducing the problem with the provisioning example, I checked if it still has problem with large size files in a simplied setup using virtio-9p in a linux realm.

File sizes -rw-r--r-- 1 16M linux.realm -rw-r--r-- 1 16M linux.realm2 (copy of linux.realm) rwxr-xr-x 1 4.5M sdk-example

execution in a linux realm.

# diff linux.realm linux.realm2  // read large size files and compared the content successfully
# ./sdk-example   // executed a large size execution binary successfully
Getting an attestation report on aarch64. 
Failed to get an attestation report. ENOENT
Attestation result Err(Report)
Sealing result Ok(())

Most of the memory operations are involved during the realm launch and virtio usages. So, I don't suspect this as a memory issue but will check by reproducing the problem with the app provisioning example.

[jinbpark]

@bokdeuk-jeong , I recently came across a similar issue where it works with tf-rmm but does not with islet. Here is how to reproduce it- (I believe it is an easier way to reproduce a similar issue)

1. https://github.com/islet-project/islet/releases/tag/debian-realm-v0.5 --> check out this release and download debian12.img.xz and decompress it and copies debian12.img to /your/islet/out/shared/
2. modify scripts/fvp/launch-realm-debian.sh as follows to reproduce this issue.
   • remove this line: cp -f /shared/debian12.img /
   • replace -d /debian12.img with -d /shared/debian12.img. (it forces it to load debian12.img from 9p)
3. (Host) ./scripts/fvp-cca --normal-world=linux-net --realm=linux --rmm=islet --hes --no-telnet --rmm-log-level=info (run realm with islet)
4. (FVP Host) ./launch-realm-debian.sh
   • problem: it can't get into the root shell.
5. (Host) /scripts/fvp-cca --normal-world=linux-net --realm=linux --rmm=tf-rmm --hes --no-telnet --rmm-log-level=info (run realm with tf-rmm)
6. (FVP Host) ./launch-realm-debian.sh
   • it can get into the root shell as follows. root@islet:~#

[bokdeuk-jeong]

@jinbpark

Unfortunately(?), islet and tf-rmm show the same results with the debian12.img. They both presents the message :

[   53.506242] I/O error, dev vda, sector 0 op 0x1:(WRITE) flags 0x800 phys_seg 1 prio class 2
[   53.578298] Buffer I/O error on dev vda, logical block 0, lost sync page write
[   53.900748] EXT4-fs (vda): I/O error while writing superblock
[   53.952137] systemd[1]: proc-sys-fs-binfmt_misc.mount: Failed with result 'exit-code'.

and

You are in emergency mode. After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" or "exit"
to boot into default mode.
Press Enter for maintenance
(or press Control-D to continue):
root@islet:  // Bokdeuk: login prompts here