fix

Signed-off-by: turuslan <[email protected]>
qdrvm · Dec 12, 2024 · 5858be5 · 5858be5
1 parent 54cad0f
commit 5858be5
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 43 deletions.
diff --git a/core/application/impl/kagome_application_impl.cpp b/core/application/impl/kagome_application_impl.cpp
@@ -125,28 +125,6 @@ namespace kagome::application {
       metric_build_info->set(1);
     }
 
-#ifdef __linux__
-    if (not app_config_->disableSecureMode() and app_config_->usePvfSubprocess()
-        and app_config_->roles().isAuthority()) {
-      auto res = parachain::runSecureModeCheckProcess(
-          *injector_.injectIoContext(), app_config_->runtimeCacheDirPath());
-      if (!res) {
-        SL_ERROR(logger_, "Secure mode check failed: {}", res.error());
-        exit(EXIT_FAILURE);
-      }
-      if (!res.assume_value().isTotallySupported()) {
-        SL_ERROR(logger_,
-                 "Secure mode is not supported completely. You can disable it "
-                 "using --insecure-validator-i-know-what-i-do.");
-        exit(EXIT_FAILURE);
-      }
-    }
-#else
-    SL_WARN(logger_,
-            "Secure validator mode is not implemented for the current "
-            "platform. Proceed at your own risk.");
-#endif
-
     if (app_config_->enableDbMigration()) {
       if (auto res = storage::migrations::runMigrations(injector_); !res) {
         SL_ERROR(logger_, "Failed to migrate the database: {}", res.error());

diff --git a/core/injector/application_injector.cpp b/core/injector/application_injector.cpp
@@ -47,10 +47,10 @@
 #include "application/app_configuration.hpp"
 #include "application/impl/app_state_manager_impl.hpp"
 #include "application/impl/chain_spec_impl.hpp"
+#include "application/modes/key.hpp"
 #include "application/modes/precompile_wasm.hpp"
 #include "application/modes/print_chain_info_mode.hpp"
 #include "application/modes/recovery_mode.hpp"
-#include "application/modes/key.hpp"
 #include "authority_discovery/publisher/address_publisher.hpp"
 #include "authority_discovery/query/audi_store_impl.hpp"
 #include "authority_discovery/query/query_impl.hpp"
@@ -195,6 +195,7 @@
 #include "runtime/runtime_api/impl/transaction_payment_api.hpp"
 #include "runtime/wabt/instrument.hpp"
 #include "runtime/wasm_compiler_definitions.hpp"  // this header-file is generated
+#include "utils/sptr.hpp"
 
 #if KAGOME_WASM_COMPILER_WASM_EDGE == 1
 
@@ -797,6 +798,32 @@ namespace {
             di::bind<parachain::BackedCandidatesSource>.template to<parachain::ParachainProcessorImpl>(),
             di::bind<network::CanDisconnect>.template to<parachain::statement_distribution::StatementDistribution>(),
             di::bind<parachain::Pvf>.template to<parachain::PvfImpl>(),
+            bind_by_lambda<parachain::SecureModeSupport>([config](const auto &) {
+              auto support = parachain::SecureModeSupport::none();
+              auto log = log::createLogger("Application", "application");
+#ifdef __linux__
+              if (not config->disableSecureMode() and config->usePvfSubprocess()
+                  and config->roles().isAuthority()) {
+                auto res = parachain::runSecureModeCheckProcess(config->runtimeCacheDirPath());
+                if (!res) {
+                  SL_ERROR(log, "Secure mode check failed: {}", res.error());
+                  exit(EXIT_FAILURE);
+                }
+                support = res.value();
+                if (not support.isTotallySupported()) {
+                  SL_ERROR(log,
+                          "Secure mode is not supported completely. You can disable it "
+                          "using --insecure-validator-i-know-what-i-do.");
+                  exit(EXIT_FAILURE);
+                }
+              }
+#else
+              SL_WARN(log,
+                      "Secure validator mode is not implemented for the current "
+                      "platform. Proceed at your own risk.");
+#endif
+              return toSptr(support);
+            }),
             di::bind<network::CollationObserver>.template to<parachain::ParachainObserverImpl>(),
             di::bind<network::ValidationObserver>.template to<parachain::ParachainObserverImpl>(),
             di::bind<network::ReqCollationObserver>.template to<parachain::ParachainObserverImpl>(),
@@ -942,7 +969,7 @@ namespace kagome::injector {
   KagomeNodeInjector::KagomeNodeInjector(
       sptr<application::AppConfiguration> app_config)
       : pimpl_{std::make_unique<KagomeNodeInjectorImpl>(
-            makeKagomeNodeInjector(std::move(app_config)))} {}
+          makeKagomeNodeInjector(std::move(app_config)))} {}
 
   sptr<application::AppConfiguration> KagomeNodeInjector::injectAppConfig() {
     return pimpl_->injector_

diff --git a/core/parachain/pvf/secure_mode_precheck.cpp b/core/parachain/pvf/secure_mode_precheck.cpp
@@ -37,8 +37,17 @@ namespace kagome::parachain {
     std::filesystem::path cache_dir = original_cache_dir;
     SecureModeSupport support = SecureModeSupport::none();
     auto logger = log::createLogger("CheckSecureMode", "parachain");
+    if (auto res = clone::check()) {
+      support.can_do_secure_clone = true;
+    } else {
+      SL_WARN(logger,
+              "Secure mode incomplete, cannot enable clone for PVF "
+              "worker: {}",
+              res.error());
+    }
     if (auto res = changeRoot(cache_dir)) {
       support.chroot = true;
+      cache_dir = "/";
     } else {
       SL_WARN(
           logger,
@@ -47,7 +56,6 @@ namespace kagome::parachain {
           cache_dir.c_str(),
           res.error());
     }
-    cache_dir = "/";
 
     if (auto res = enableLandlock(cache_dir)) {
       support.landlock = true;
@@ -66,21 +74,13 @@ namespace kagome::parachain {
               "worker: {}",
               res.error());
     }
-    if (auto res = clone::check()) {
-      support.can_do_secure_clone = true;
-    } else {
-      SL_WARN(logger,
-              "Secure mode incomplete, cannot enable clone for PVF "
-              "worker: {}",
-              res.error());
-    }
     return support;
 #endif
   }
 
   SecureModeOutcome<SecureModeSupport> runSecureModeCheckProcess(
-      boost::asio::io_context &io_context,
       const std::filesystem::path &cache_dir) {
+    boost::asio::io_context io_context;
     namespace process_v2 = boost::process::v2;
     boost::asio::readable_pipe pipe{io_context};
     // input passed as CLI arguments to enable users to manually run the check

diff --git a/core/parachain/pvf/secure_mode_precheck.hpp b/core/parachain/pvf/secure_mode_precheck.hpp
@@ -12,10 +12,6 @@
 #include "qtils/outcome.hpp"
 #include "scale/tie.hpp"
 
-namespace boost::asio {
-  class io_context;
-}  // namespace boost::asio
-
 namespace kagome::parachain {
 
   /**
@@ -62,7 +58,6 @@ namespace kagome::parachain {
    * Spawns a child process that executes checkSecureMode
    */
   SecureModeOutcome<SecureModeSupport> runSecureModeCheckProcess(
-      boost::asio::io_context &io_context,
       const std::filesystem::path &cache_dir);
 
   /**

diff --git a/core/parachain/pvf/workers.cpp b/core/parachain/pvf/workers.cpp
@@ -122,6 +122,7 @@ namespace kagome::parachain {
 
   PvfWorkers::PvfWorkers(const application::AppConfiguration &app_config,
                          common::MainThreadPool &main_thread_pool,
+                         SecureModeSupport secure_mode_support,
                          std::shared_ptr<libp2p::basic::Scheduler> scheduler)
       : io_context_{main_thread_pool.io_context()},
         main_pool_handler_{main_thread_pool.handlerStarted()},
@@ -133,6 +134,7 @@ namespace kagome::parachain {
             .cache_dir = app_config.runtimeCacheDirPath(),
             .log_params = app_config.log(),
             .force_disable_secure_mode = app_config.disableSecureMode(),
+            .secure_mode_support = secure_mode_support,
         } {}
 
   void PvfWorkers::execute(Job &&job) {
@@ -157,10 +159,9 @@ namespace kagome::parachain {
             if (not r) {
               return job.cb(r.error());
             }
-            self->writeCode(
-                std::move(job),
-                {.process = std::move(process)},
-                std::move(used));
+            self->writeCode(std::move(job),
+                            {.process = std::move(process)},
+                            std::move(used));
           });
       return;
     }

diff --git a/core/parachain/pvf/workers.hpp b/core/parachain/pvf/workers.hpp
@@ -39,6 +39,7 @@ namespace kagome::parachain {
    public:
     PvfWorkers(const application::AppConfiguration &app_config,
                common::MainThreadPool &main_thread_pool,
+               SecureModeSupport secure_mode_support,
                std::shared_ptr<libp2p::basic::Scheduler> scheduler);
 
     using Cb = std::function<void(outcome::result<Buffer>)>;

diff --git a/core/utils/sptr.hpp b/core/utils/sptr.hpp
@@ -0,0 +1,16 @@
+/**
+ * Copyright Quadrivium LLC
+ * All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#pragma once
+
+#include <memory>
+
+namespace kagome {
+  template <typename T>
+  auto toSptr(T &&t) {
+    return std::make_shared<std::decay_t<T>>(std::forward<T>(t));
+  }
+}  // namespace kagome