Single attest steps

.github/workflows/build.yaml

@@ -64,8 +64,7 @@ jobs:
           set -o pipefail
           source ${{ matrix.buildconfig }}
           echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}"
-          echo "binary-path=${BINARY_PATH}" >> "${GITHUB_OUTPUT}"
-          echo "additional-subjects=${ADDITIONAL_SUBJECTS}" >> "${GITHUB_OUTPUT}"
+          echo "subject-paths=${SUBJECT_PATHS}" >> "${GITHUB_OUTPUT}"
 
       - name: Show values
         run: |
@@ -74,8 +73,7 @@ jobs:
           set -o pipefail
           gsutil --version
           echo "package_name: ${{ steps.parse.outputs.package-name }}"
-          echo "binary_path: ${{ steps.parse.outputs.binary-path }}"
-          echo "additional_subjects: ${{ steps.parse.outputs.additional-subjects }}"
+          echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}"
           echo "GITHUB_SHA: ${GITHUB_SHA}"
 
       - name: Build
@@ -93,39 +91,20 @@ jobs:
 
       - name: Show build artifact
         run: |
-          echo "${{ steps.parse.outputs.binary-path }}"
-          ls -la "${{ steps.parse.outputs.binary-path }}"
-          subjects="${{ steps.parse.outputs.additional-subjects }}"
-          if [ -n "${subjects}" ]; then
-            echo "${subjects}"
-            ls -la ${subjects}
-          fi
-
-      - name: Attest main binary
-        id: attest1
-        uses: actions/[email protected]
-        with:
-          subject-path: ${{ steps.parse.outputs.binary-path }}
+          echo "${{ steps.parse.outputs.subject-paths }}"
+          ls -la "${{ steps.parse.outputs.subject-paths }}"
 
-      - name: Attest additional subjects
-        id: attest2
-        if: ${{ steps.parse.outputs.additional-subjects != '' }}
+      - name: Attest
+        id: attest
         uses: actions/[email protected]
         with:
-          subject-path: ${{ steps.parse.outputs.additional-subjects }}
+          subject-path: ${{ steps.parse.outputs.subject-paths }}
 
       - name: Show bundle
         run: |
-          echo "${{ steps.attest1.outputs.bundle-path }}"
-          ls -la "${{ steps.attest1.outputs.bundle-path }}"
-          cat "${{ steps.attest1.outputs.bundle-path }}"
-
-      - name: Show additional bundle
-        if: ${{ steps.parse.outputs.additional-subjects != '' }}
-        run: |
-          echo "${{ steps.attest2.outputs.bundle-path }}"
-          ls -la "${{ steps.attest2.outputs.bundle-path }}"
-          cat "${{ steps.attest2.outputs.bundle-path }}"
+          echo "${{ steps.attest.outputs.bundle-path }}"
+          ls -la "${{ steps.attest.outputs.bundle-path }}"
+          cat "${{ steps.attest.outputs.bundle-path }}"
 
       # Upload binary and provenance to GCS and index via http://static.space
       # so that, regardless of the GCS bucket and path, it can easily be
@@ -145,7 +124,7 @@ jobs:
           bucket=oak-bins
           package_name=${{ steps.parse.outputs.package-name }}
           binary_path=${{ steps.parse.outputs.binary-path }}
-          provenance_path=${{ steps.attest1.outputs.bundle-path }}
+          provenance_path=${{ steps.attest.outputs.bundle-path }}
 
           gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
           gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"

buildconfigs/key_xor_test_app.sh

@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
   --release
 )
 
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app

buildconfigs/oak_containers_kernel.sh

@@ -14,6 +14,7 @@ export BUILD_COMMAND=(
   oak_containers_kernel
 )
 
-export BINARY_PATH=oak_containers_kernel/target/bzImage
-
-export ADDITIONAL_SUBJECTS="oak_containers_kernel/target/subjects/*"
+export SUBJECT_PATHS="\
+oak_containers_kernel/target/bzImage \
+oak_containers_kernel/target/subjects/oak_containers_kernel_image \
+oak_containers_kernel/target/subjects/oak_containers_kernel_setup_data"

buildconfigs/oak_containers_orchestrator.sh

@@ -13,6 +13,4 @@ export BUILD_COMMAND=(
   oak_containers_orchestrator
 )
 
-export BINARY_PATH=oak_containers_orchestrator/target/oak_containers_orchestrator
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_containers_orchestrator/target/oak_containers_orchestrator

buildconfigs/oak_containers_stage1.sh

@@ -14,6 +14,4 @@ export BUILD_COMMAND=(
   make
 )
 
-export BINARY_PATH=target/stage1.cpio
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=target/stage1.cpio

buildconfigs/oak_containers_syslogd.sh

@@ -13,6 +13,4 @@ export BUILD_COMMAND=(
   oak_containers_syslogd
 )
 
-export BINARY_PATH=oak_containers_syslogd/target/oak_containers_syslogd_patched
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_containers_syslogd/target/oak_containers_syslogd_patched

buildconfigs/oak_containers_system_image.sh

@@ -13,6 +13,4 @@ export BUILD_COMMAND=(
   oak_containers_system_image
 )
 
-export BINARY_PATH=oak_containers_system_image/target/image.tar.xz
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_containers_system_image/target/image.tar.xz

buildconfigs/oak_echo_enclave_app.sh

@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
   --release
 )
 
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app

buildconfigs/oak_echo_raw_enclave_app.sh

@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
   --release
 )
 
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app

buildconfigs/oak_functions_enclave_app.sh

@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
   --release
 )
 
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app

buildconfigs/oak_functions_insecure_enclave_app.sh

@@ -18,6 +18,4 @@ export BUILD_COMMAND=(
   --features=allow_sensitive_logging
 )
 
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app

buildconfigs/oak_ml_transparency_eval.sh

@@ -14,6 +14,4 @@ export BUILD_COMMAND=(
   --output=claim.json
 )
 
-export BINARY_PATH=oak_ml_transparency/mnist/claim.json
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_ml_transparency/mnist/claim.json

buildconfigs/oak_orchestrator.sh

@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
   --release
 )
 
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator

buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh

@@ -13,6 +13,7 @@ export BUILD_COMMAND=(
   oak_restricted_kernel_simple_io_init_rd_wrapper
 )
 
-export BINARY_PATH=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
-
-export ADDITIONAL_SUBJECTS="oak_restricted_kernel_wrapper/target/oak_restricted_kernel_simple_io_init_rd/subjects/*"
+export SUBJECT_PATHS="\
+oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin \
+oak_restricted_kernel_wrapper/target/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_image \
+oak_restricted_kernel_wrapper/target/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_setup_data"

buildconfigs/stage0_bin.sh

@@ -19,6 +19,4 @@ export BUILD_COMMAND=(
   target/x86_64-unknown-none/release/stage0_bin
 )
 
-export BINARY_PATH=stage0_bin/target/x86_64-unknown-none/release/stage0_bin
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=stage0_bin/target/x86_64-unknown-none/release/stage0_bin

justfile

@@ -39,18 +39,19 @@ restricted_kernel_bzimage_and_provenance_subjects kernel_bin_prefix:
         oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper \
         oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin
     just bzimage_provenance_subjects \
+         {{kernel_bin_prefix}} \
         oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin \
         oak_restricted_kernel_wrapper/target/{{kernel_bin_prefix}}/subjects
 
 # Create provenance subjects for a kernel bzImage, by extracting the setup data
 # and image to the output directory.
-bzimage_provenance_subjects bzimage_path output_dir:
+bzimage_provenance_subjects kernel_name bzimage_path output_dir:
     rm --recursive --force {{output_dir}}
     mkdir --parents {{output_dir}}
     cargo run --package=oak_kernel_measurement -- \
         --kernel={{bzimage_path}} \
-        --kernel-setup-data-output={{output_dir}}/kernel_setup_data \
-        --kernel-image-output={{output_dir}}/kernel_image
+        --kernel-setup-data-output={{output_dir}}/{{kernel_name}}_setup_data \
+        --kernel-image-output={{output_dir}}/{{kernel_name}}_image
 
 oak_restricted_kernel_wrapper: oak_restricted_kernel_bin
     just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel
@@ -79,6 +80,7 @@ stage1_cpio:
 oak_containers_kernel:
     env --chdir=oak_containers_kernel make
     just bzimage_provenance_subjects \
+        oak_containers_kernel \
         oak_containers_kernel/target/bzImage \
         oak_containers_kernel/target/subjects