From 1d358fdc3be96bac7cde7620887f12dc92146f65 Mon Sep 17 00:00:00 2001 From: Justin Plock Date: Wed, 11 Jun 2025 06:35:23 -0400 Subject: [PATCH 1/7] [feat] Graviton support --- ci_template.yml | 7 ++----- docker-bake.hcl | 8 ++++---- enclave/Makefile | 4 ++-- parent/Makefile | 4 ++-- vault_template.yml | 5 ++--- 5 files changed, 12 insertions(+), 16 deletions(-) diff --git a/ci_template.yml b/ci_template.yml index a1203ef..878b8e7 100644 --- a/ci_template.yml +++ b/ci_template.yml @@ -1121,9 +1121,6 @@ Resources: Environment: ComputeType: BUILD_GENERAL1_SMALL EnvironmentVariables: - - Name: ARCH - Type: PLAINTEXT - Value: x86_64 - Name: INSTANCE_ROLE_ARN Type: PLAINTEXT Value: !GetAtt rInstanceRole.Arn @@ -1140,10 +1137,10 @@ Resources: - cUseCodeBuildFleet - FleetArn: !Ref rCodeBuildFleet - !Ref "AWS::NoValue" - Image: aws/codebuild/amazonlinux-x86_64-standard:5.0 + Image: aws/codebuild/amazonlinux-aarch64-standard:3.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: true - Type: LINUX_CONTAINER + Type: ARM_CONTAINER LogsConfig: CloudWatchLogs: Status: ENABLED diff --git a/docker-bake.hcl b/docker-bake.hcl index 766ecac..7b12988 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -6,9 +6,9 @@ target "parent" { context = "./parent" dockerfile = "Dockerfile" args = { - TARGETPLATFORM = "x86_64-unknown-linux-gnu" + TARGETPLATFORM = "aarch64-unknown-linux-gnu" } - platforms = ["linux/amd64"] + platforms = ["linux/arm64"] tags = ["parent-vault:latest"] cache-to = ["type=gha,ignore-error=true,mode=max,scope=parent"] cache-from = ["type=gha,scope=parent"] @@ -18,9 +18,9 @@ target "enclave" { context = "./enclave" dockerfile = "Dockerfile" args = { - TARGETPLATFORM = "x86_64-unknown-linux-musl" + TARGETPLATFORM = "aarch64-unknown-linux-musl" } - platforms = ["linux/amd64"] + platforms = ["linux/arm64"] tags = ["enclave-vault:latest"] cache-to = ["type=gha,ignore-error=true,mode=max,scope=enclave"] cache-from = ["type=gha,scope=enclave"] 
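Review bot: Dropping the `ARCH` variable leaves the target architecture implied only by the CodeBuild image and container type, while the same choice is now hard-coded separately in enclave/Makefile, parent/Makefile and docker-bake.hcl. If the buildspec still reads `$ARCH` (not visible here) this removal breaks the build; if it does not, consider keeping the variable as `- Name: ARCH` / `Type: PLAINTEXT` / `Value: aarch64` and having the Makefiles honour it, so one value drives the whole pipeline. The enclosing `Environment` mapping continues outside the hunk.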
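Review bot: The build arg named `TARGETPLATFORM` carries a Rust target triple (`aarch64-unknown-linux-gnu`), which shadows BuildKit's automatic `TARGETPLATFORM` arg whose value for this target would be `linux/arm64`; a reader of the Dockerfile cannot tell from `ARG TARGETPLATFORM` which of the two is in effect. Renaming the arg to something like `RUST_TARGET` in both the bake file and the Dockerfile removes the ambiguity without changing the build. The `enclave` target hunk that follows has the same pattern.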
diff --git a/enclave/Makefile b/enclave/Makefile index d988a1d..71d10c0 100644 --- a/enclave/Makefile +++ b/enclave/Makefile @@ -1,7 +1,7 @@ .PHONY: build build-docker build-enclave run-enclave create-private-key clean -ARCH := x86_64 -# ARCH := aarch64 +# ARCH := x86_64 +ARCH := aarch64 RUST_DIR := $(shell readlink -m $(shell dirname $(firstword $(MAKEFILE_LIST)))) diff --git a/parent/Makefile b/parent/Makefile index 9fe10b8..efca583 100644 --- a/parent/Makefile +++ b/parent/Makefile @@ -1,7 +1,7 @@ .PHONY: build build-docker clean -ARCH := x86_64 -# ARCH := aarch64 +# ARCH := x86_64 +ARCH := aarch64 RUST_DIR := $(shell readlink -m $(shell dirname $(firstword $(MAKEFILE_LIST)))) diff --git a/vault_template.yml b/vault_template.yml index ce7831f..d51090b 100644 --- a/vault_template.yml +++ b/vault_template.yml @@ -629,8 +629,7 @@ Resources: BareMetal: excluded BurstablePerformance: excluded CpuManufacturers: - - intel - - amd + - amazon-web-services ExcludedInstanceTypes: - "a1*" - "c6g*" @@ -651,7 +650,7 @@ Resources: Min: 8192 VCpuCount: Min: 8 - ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-x86_64}}" + ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-arm64}}" MetadataOptions: HttpEndpoint: enabled HttpPutResponseHopLimit: 1 From 66a383aaad0ae37946b36cce88815231282fe66c Mon Sep 17 00:00:00 2001 From: Justin Plock Date: Wed, 11 Jun 2025 06:47:47 -0400 Subject: [PATCH 2/7] [fix] update codebuild fleet --- ci_template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci_template.yml b/ci_template.yml index 878b8e7..4406c1a 100644 --- a/ci_template.yml +++ b/ci_template.yml @@ -431,7 +431,7 @@ Resources: Properties: BaseCapacity: 1 ComputeType: BUILD_GENERAL1_SMALL - EnvironmentType: LINUX_CONTAINER + EnvironmentType: ARM_CONTAINER rPermissionsBoundary: Type: "AWS::IAM::ManagedPolicy" From 67088ec7e3dae4699a91cbdd498fe553133c8038 Mon Sep 17 00:00:00 2001 
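Review bot: Switching architectures by commenting one `ARCH :=` line and uncommenting the other leaves the x86_64 path as dead text and cannot be overridden from CI, since `:=` ignores an `ARCH` already set in the environment; `ARCH ?= aarch64` (dropping the commented line) keeps the same default and lets a caller pass `ARCH=x86_64` without editing the file. parent/Makefile makes the identical change. Separately, the enclave image built under the new ARCH has different attestation measurements (PCRs) than the x86_64 build, so any KMS key policy or attestation condition pinned to the previous EIF's values must be re-derived — no such policy is visible in this series, so treat this as a checklist item rather than a defect in the hunk.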
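Review bot: `ExcludedInstanceTypes` still carries the list written when Intel/AMD were the selected manufacturers (the hunk shows `a1*` and `c6g*` surviving the switch to `CpuManufacturers: amazon-web-services`), and nothing explains why those Graviton families are excluded now that only Graviton can be chosen. The list should be re-checked against the Graviton families that support Nitro Enclaves, and each surviving entry given a reason comment, e.g. `- "a1*" # excluded because: <reason>`. The `InstanceRequirements` block continues beyond the hunk in both directions.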
From: Justin Plock Date: Wed, 11 Jun 2025 07:22:49 -0400 Subject: [PATCH 3/7] Reduce CPU requirements on graviton --- parent/src/constants.rs | 2 +- vault_template.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/parent/src/constants.rs b/parent/src/constants.rs index cb9c2e4..e225201 100644 --- a/parent/src/constants.rs +++ b/parent/src/constants.rs @@ -9,7 +9,7 @@ pub const ENCLAVE_PORT: u32 = 5050; /// one enclave is consumed for the Nitro ACM service pub const MAX_ENCLAVES_PER_INSTANCE: usize = 3; pub const RUN_ENCLAVE_EIF_PATH: &str = "/home/ec2-user/enclave-vault.eif"; -pub const RUN_ENCLAVE_CPU_COUNT: &str = "2"; +pub const RUN_ENCLAVE_CPU_COUNT: &str = "1"; pub const RUN_ENCLAVE_MEMORY_SIZE: &str = "512"; pub const REFRESH_ENCLAVES_INTERVAL: Duration = Duration::from_secs(10); pub const IMDS_TOKEN_TTL: Duration = Duration::from_secs(300); // 5 minutes diff --git a/vault_template.yml b/vault_template.yml index d51090b..cec3a70 100644 --- a/vault_template.yml +++ b/vault_template.yml @@ -239,7 +239,7 @@ Resources: memory_mib: 4096 # # How many CPUs to reserve for enclaves. - cpu_count: 6 + cpu_count: 3 # # Alternatively, the exact CPUs to be reserved for the enclave can be explicitly # configured by using `cpu_pool` (like below), instead of `cpu_count`. @@ -647,9 +647,9 @@ Resources: InstanceGenerations: - current MemoryMiB: - Min: 8192 + Min: 4096 VCpuCount: - Min: 8 + Min: 4 ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-6.12-arm64}}" MetadataOptions: HttpEndpoint: enabled From b86ce116b1d40508949ea51fdf5c6d408e016c89 Mon Sep 17 00:00:00 2001 From: Justin Plock Date: Wed, 11 Jun 2025 09:05:09 -0400 Subject: [PATCH 4/7] [fix] reduce enclave count --- parent/src/constants.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parent/src/constants.rs b/parent/src/constants.rs index e225201..1033127 100644 --- a/parent/src/constants.rs +++ b/parent/src/constants.rs 
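Review bot: `RUN_ENCLAVE_CPU_COUNT` is now architecture-dependent without saying so: as I understand the Nitro CLI constraint, `"1"` is valid on Graviton because each vCPU is a full core, whereas on x86 instances with SMT an enclave must be given both hyperthreads of a core, so `"1"` is rejected there. A doc comment such as `/// 1 vCPU is a full core on Graviton; on x86 (SMT) this must be an even number, minimum 2` records the constraint next to the value. The same applies to `cpu_count` in vault_template.yml, which this commit also lowers.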
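Review bot: `MemoryMiB: Min: 4096` now equals the `memory_mib: 4096` that the allocator config reserves for enclaves (visible as context in the `-239` hunk of this commit), so the smallest instance this template may select would have its entire memory handed to enclave hugepages and nothing left for the parent — on such an instance the allocator is likely to fail its reservation, or the parent will be starved. Either keep `Min: 8192` here or lower `memory_mib` so that the instance minimum minus the enclave reservation leaves the parent a working margin; the previous 8192/4096 split did that. The `InstanceRequirements` mapping starts before the hunk.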
@@ -7,7 +7,7 @@ pub const ENCLAVE_PREFIX: &str = "enclave-vault"; pub const ENCLAVE_PORT: u32 = 5050; /// https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-considerations /// one enclave is consumed for the Nitro ACM service -pub const MAX_ENCLAVES_PER_INSTANCE: usize = 3; +pub const MAX_ENCLAVES_PER_INSTANCE: usize = 1; pub const RUN_ENCLAVE_EIF_PATH: &str = "/home/ec2-user/enclave-vault.eif"; pub const RUN_ENCLAVE_CPU_COUNT: &str = "1"; pub const RUN_ENCLAVE_MEMORY_SIZE: &str = "512"; From 13ac4eac697e8c29f6b985a60f6141b0afafdfb1 Mon Sep 17 00:00:00 2001 From: Justin Plock Date: Wed, 11 Jun 2025 09:17:49 -0400 Subject: [PATCH 5/7] [fix] launch the enclave --- parent/src/constants.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parent/src/constants.rs b/parent/src/constants.rs index 1033127..3f36376 100644 --- a/parent/src/constants.rs +++ b/parent/src/constants.rs @@ -7,7 +7,7 @@ pub const ENCLAVE_PREFIX: &str = "enclave-vault"; pub const ENCLAVE_PORT: u32 = 5050; /// https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-considerations /// one enclave is consumed for the Nitro ACM service -pub const MAX_ENCLAVES_PER_INSTANCE: usize = 1; +pub const MAX_ENCLAVES_PER_INSTANCE: usize = 2; pub const RUN_ENCLAVE_EIF_PATH: &str = "/home/ec2-user/enclave-vault.eif"; pub const RUN_ENCLAVE_CPU_COUNT: &str = "1"; pub const RUN_ENCLAVE_MEMORY_SIZE: &str = "512"; From 4a1c6e5bf71e56be8c9b2b63adec7b32ec620f63 Mon Sep 17 00:00:00 2001 From: Justin Plock Date: Wed, 11 Jun 2025 10:59:41 -0400 Subject: [PATCH 6/7] [fix] update github runs-on to ARM --- .github/workflows/docker-bake.yml | 2 +- .github/workflows/rust.yml | 2 +- .github/workflows/security_audit.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-bake.yml b/.github/workflows/docker-bake.yml index 87ecf07..54f54e0 100644 --- a/.github/workflows/docker-bake.yml 
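Review bot: `MAX_ENCLAVES_PER_INSTANCE` went 3 → 1 → 2 across commits 4 and 5 with no comment on why 2 is the right value, and it only makes sense together with `RUN_ENCLAVE_CPU_COUNT` in this file and `cpu_count` in vault_template.yml. A doc comment stating the derivation — e.g. `/// allocator cpu_count (3) / RUN_ENCLAVE_CPU_COUNT (1), minus the enclave used by Nitro ACM` — would let the next architecture or instance-size change be done by arithmetic instead of trial; I am inferring the ACM accounting from the existing `/// one enclave is consumed` comment, so the exact formula should be confirmed by the author. Commit 4's hunk has the same gap.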
+++ b/.github/workflows/docker-bake.yml @@ -20,7 +20,7 @@ env: jobs: docker: if: github.repository_owner == 'aws-samples' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04-arm steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 25b0dc8..c290f49 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -20,7 +20,7 @@ env: jobs: test: if: github.repository_owner == 'aws-samples' - runs-on: ubuntu-latest + runs-on: ubuntu-24.04-arm steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml index 163e05c..215e2f6 100644 --- a/.github/workflows/security_audit.yml +++ b/.github/workflows/security_audit.yml @@ -8,7 +8,7 @@ on: - '**/Cargo.lock' jobs: security_audit: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04-arm if: github.repository_owner == 'aws-samples' permissions: issues: write From 40c41c9483b73b53e9f55b5aa20ab6335e97171d Mon Sep 17 00:00:00 2001 From: Justin Plock Date: Wed, 11 Jun 2025 11:14:08 -0400 Subject: [PATCH 7/7] fix spacing --- ci_template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci_template.yml b/ci_template.yml index 4406c1a..86be82e 100644 --- a/ci_template.yml +++ b/ci_template.yml @@ -1137,7 +1137,7 @@ Resources: - cUseCodeBuildFleet - FleetArn: !Ref rCodeBuildFleet - !Ref "AWS::NoValue" - Image: aws/codebuild/amazonlinux-aarch64-standard:3.0 + Image: aws/codebuild/amazonlinux-aarch64-standard:3.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: true Type: ARM_CONTAINER
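Review bot: The `security_audit` job's work (triggered by `Cargo.lock` changes, so presumably a cargo-audit/cargo-deny style scan) is architecture-independent, so moving it to `ubuntu-24.04-arm` gains nothing and couples a supply-chain check to Arm runner availability and queue depth. Keeping `runs-on: ubuntu-latest` for this workflow and reserving the Arm runner for the jobs that compile or build images (docker-bake.yml and rust.yml in this commit) would be the safer split. The job definition continues past the hunk.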