Add buildconfigs for containers stage1 and kernel (#4692)

It's been a little trickier to get the system image provenance build working, so that will be in a follow up PR.
project-oak · Jan 26, 2024 · 2805871 · 2805871
1 parent 9c491aa
commit 2805871
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 1 deletion.
diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
@@ -19,17 +19,20 @@ jobs:
     if: |
       github.event_name == 'push' ||
       contains(github.event.pull_request.labels.*.name, 'provenance:force-run')
+
     # We use the same job template to generate provenances for multiple binaries.
     strategy:
       fail-fast: false
       matrix:
         buildconfig:
           - buildconfigs/key_xor_test_app.toml
+          - buildconfigs/oak_containers_kernel_bzimage.toml
+          - buildconfigs/oak_containers_stage1_cpio.toml
           - buildconfigs/oak_echo_enclave_app.toml
           - buildconfigs/oak_echo_raw_enclave_app.toml
-          - buildconfigs/oak_restricted_kernel_simple_io_wrapper.toml
           - buildconfigs/oak_functions_enclave_app.toml
           - buildconfigs/oak_functions_insecure_enclave_app.toml
+          - buildconfigs/oak_restricted_kernel_simple_io_wrapper.toml
           - buildconfigs/stage0_bin.toml
 
     permissions:

diff --git a/buildconfigs/oak_containers_kernel_bzimage.toml b/buildconfigs/oak_containers_kernel_bzimage.toml
@@ -0,0 +1,13 @@
+# This is the static build configuration that we use with the docker-based SLSA3 generator for
+# building the `oak_containers_kernel` binary, and its provenance.
+# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
+command = [
+  "nix",
+  "develop",
+  ".#bzImageProvenance",
+  "--command",
+  "env",
+  "--chdir=oak_containers_kernel",
+  "make",
+]
+artifact_path = "./oak_containers_kernel/target/bzImage"
diff --git a/buildconfigs/oak_containers_stage1_cpio.toml b/buildconfigs/oak_containers_stage1_cpio.toml
@@ -0,0 +1,13 @@
+# This is the static build configuration that we use with the docker-based SLSA3 generator for
+# building the `stage1` binary, and its provenance.
+# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
+command = [
+  "nix",
+  "develop",
+  ".#stage1Provenance",
+  "--command",
+  "env",
+  "--chdir=oak_containers_stage1",
+  "make",
+]
+artifact_path = "./target/stage1.cpio"
diff --git a/flake.nix b/flake.nix
@@ -173,6 +173,31 @@
                 umoci
               ];
             };
+            # Shell for container kernel image provenance workflow.
+            bzImageProvenance = with pkgs; mkShell {
+              inputsFrom = [
+                rust
+              ];
+              packages = [
+                bc
+                bison
+                curl
+                elfutils
+                flex
+                libelf
+              ];
+            };
+            # Shell for container stage 1 image provenance workflow.
+            stage1Provenance = with pkgs; mkShell {
+              inputsFrom = [
+                rust
+              ];
+              packages = [
+                cpio
+                glibc
+                glibc.static
+              ];
+            };
             # Shell for most CI steps (i.e. without contaniners support).
             ci = pkgs.mkShell {
               inputsFrom = [