From e47dd830ba9be338770ed909c5ff2390bec546a3 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Sun, 6 Aug 2023 10:58:24 +0300
Subject: [PATCH 1/2] aa: update occlum_dcap to v0.29.7
Signed-off-by: Mikko Ylinen
---
 attestation-agent/attester/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/attestation-agent/attester/Cargo.toml b/attestation-agent/attester/Cargo.toml
index 12751f1d2..0b36e8b40 100644
--- a/attestation-agent/attester/Cargo.toml
+++ b/attestation-agent/attester/Cargo.toml
@@ -11,7 +11,7 @@ async-trait.workspace = true
 az-snp-vtpm = { git = "https://github.com/kinvolk/azure-cvm-tooling", rev = "2c2e411", default-features = false, features = ["attester"], optional = true }
 base64.workspace = true
 log.workspace = true
-occlum_dcap = { git = "https://github.com/occlum/occlum", tag = "v0.29.6", optional = true }
+occlum_dcap = { git = "https://github.com/occlum/occlum", tag = "v0.29.7", optional = true }
 serde.workspace = true
 serde_json.workspace = true
 sev = { git = "https://github.com/virtee/sev", version = "1.2", default-features = false, features = ["snp"], optional = true }
From 4fbc8d9fc05d18b6920de1cb85b4a0be5f377edd Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Tue, 18 Jul 2023 09:05:47 +0300
Subject: [PATCH 2/2] image-rs: update Occlum snapshotter to match the latest version
Occlum 0.29.6 officially added the support for what enclave-cc needs with some little changes (see Occlum commit 9089764). Adapt to those changes to be able to move to "upstream" Occlum for enclave-cc.
Signed-off-by: Mikko Ylinen
---
 image-rs/src/snapshots/occlum/unionfs.rs | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/image-rs/src/snapshots/occlum/unionfs.rs b/image-rs/src/snapshots/occlum/unionfs.rs
index e9cdc3192..27d7ab96d 100644
--- a/image-rs/src/snapshots/occlum/unionfs.rs
+++ b/image-rs/src/snapshots/occlum/unionfs.rs
@@ -110,9 +110,7 @@ fn create_environment(mount_path: &Path) -> Result<()> {
 impl Snapshotter for Unionfs {
 fn mount(&mut self, layer_path: &[&str], mount_path: &Path) -> Result {
- // From the description of https://github.com/occlum/occlum/blob/master/docs/runtime_mount.md#1-mount-trusted-unionfs-consisting-of-sefss ,
- // the source type of runtime mount is "unionfs".
- let fs_type = String::from("unionfs");
+ let fs_type = String::from("sefs");
 let source = Path::new(&fs_type);
 if !mount_path.exists() {
@@ -125,18 +123,14 @@ impl Snapshotter for Unionfs {
 .ok_or(anyhow!("parent do not exist"))?
 .file_name()
 .ok_or(anyhow!("Unknown error: file name parse fail"))?;
- let sefs_base = Path::new("/images").join(cid).join("sefs");
- let unionfs_lowerdir = sefs_base.join("lower");
- let unionfs_upperdir = sefs_base.join("upper");
 // For mounting trusted UnionFS at runtime of occlum,
 // you can refer to https://github.com/occlum/occlum/blob/master/docs/runtime_mount.md#1-mount-trusted-unionfs-consisting-of-sefss.
 // "c7-32-b3-ed-44-df-ec-7b-25-2d-9a-32-38-8d-58-61" is a hardcode key used to encrypt or decrypt the FS currently,
 // and it will be replaced with dynamic key in the near future.
 let options = format!(
- "lowerdir={},upperdir={},key={}",
- unionfs_lowerdir.display(),
- unionfs_upperdir.display(),
+ "dir={},key={}",
+ Path::new("/images").join(cid).join("sefs/lower").display(),
 "c7-32-b3-ed-44-df-ec-7b-25-2d-9a-32-38-8d-58-61"
 );
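Review bot: The new `let fs_type = String::from("sefs");` drops the comment that explained where the source type came from, so the next reader has no pointer to why "sefs" replaced "unionfs". A one-line note tying it to the Occlum change the commit message cites would keep that context, e.g. `// Occlum >= 0.29.6 (Occlum commit 9089764) mounts the trusted image FS as a plain "sefs"; see docs/runtime_mount.md in the Occlum repo.` The body of `mount` continues past this hunk, so I cannot tell whether `fs_type` is needed as an owned `String` later; if it is only used for `Path::new(&fs_type)` here, `Path::new("sefs")` would avoid the allocation.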
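Review bot: The comment block kept above `let options = format!(` still describes mounting a trusted UnionFS with lower/upper directories and links to the unionfs section of runtime_mount.md, but the new options string is `dir={},key={}` over a single `sefs/lower` directory, so the comment no longer matches the code it documents. I would reword its first two lines to say that a single SEFS is mounted from `/images/<cid>/sefs/lower` and point at the SEFS part of the Occlum docs, and state whether dropping the upper directory is meant to make the mount read-only (the hunk does not show that). The hardcoded key line is carried over unchanged; since that key is literally in the source tree, the SEFS encryption it drives gives no confidentiality against anyone holding the binary or this repo, so the existing "will be replaced with dynamic key" comment should be the clearly tracked TODO it claims to be, ideally with the value lifted into a named `const` so it is easy to find when the dynamic key lands. `mount` starts in the previous hunk and its body continues past the end of this one.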