From d619dcbf56f272c11a138b8f783eb012a62dc51b Mon Sep 17 00:00:00 2001
From: Tom Binder
Date: Fri, 24 May 2024 16:21:09 +0000
Subject: [PATCH] Single attest steps
---
 .github/workflows/build.yaml | 43 +++++-------------
 buildconfigs/key_xor_test_app.sh | 4 +-
 buildconfigs/oak_containers_kernel.sh | 7 +--
 buildconfigs/oak_containers_orchestrator.sh | 4 +-
 buildconfigs/oak_containers_stage1.sh | 4 +-
 buildconfigs/oak_containers_syslogd.sh | 4 +-
 buildconfigs/oak_containers_system_image.sh | 4 +-
 buildconfigs/oak_echo_enclave_app.sh | 4 +-
 buildconfigs/oak_echo_raw_enclave_app.sh | 4 +-
 buildconfigs/oak_functions_enclave_app.sh | 4 +-
 .../oak_functions_insecure_enclave_app.sh | 4 +-
 buildconfigs/oak_ml_transparency_eval.sh | 4 +-
 buildconfigs/oak_orchestrator.sh | 4 +-
 ...ed_kernel_simple_io_init_rd_wrapper_bin.sh | 7 +--
 buildconfigs/stage0_bin.sh | 4 +-
 justfile | 8 ++--
 16 files changed, 36 insertions(+), 77 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 02c93c05af7..d0932bb9ff7 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -64,8 +64,7 @@ jobs:
set -o pipefail
source ${{ matrix.buildconfig }}
echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}"
- echo "binary-path=${BINARY_PATH}" >> "${GITHUB_OUTPUT}"
- echo "additional-subjects=${ADDITIONAL_SUBJECTS}" >> "${GITHUB_OUTPUT}"
+ echo "subject-paths=${SUBJECT_PATHS}" >> "${GITHUB_OUTPUT}"
- name: Show values
run: |
@@ -74,8 +73,7 @@ jobs:
set -o pipefail
gsutil --version
echo "package_name: ${{ steps.parse.outputs.package-name }}"
- echo "binary_path: ${{ steps.parse.outputs.binary-path }}"
- echo "additional_subjects: ${{ steps.parse.outputs.additional-subjects }}"
+ echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}"
echo "GITHUB_SHA: ${GITHUB_SHA}"
- name: Build
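Review bot: Removing the `binary-path` output from the parse step leaves the GCS upload step in hunk @@ -145 still reading `binary_path=${{ steps.parse.outputs.binary-path }}`, which now expands to an empty string, so the copy of the binary that presumably follows it (outside that hunk) has no source path. The upload step wants exactly one artifact, which for the two multi-path kernel configs would be the first entry of `SUBJECT_PATHS`. Keeping a derived output, e.g. `echo "binary-path=${SUBJECT_PATHS%% *}" >> "${GITHUB_OUTPUT}"`, and stating in the buildconfigs that the first path is the primary binary would restore the upload. The parse step's `run` block starts before this hunk.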
@@ -93,39 +91,20 @@ jobs:
- name: Show build artifact
run: |
- echo "${{ steps.parse.outputs.binary-path }}"
- ls -la "${{ steps.parse.outputs.binary-path }}"
- subjects="${{ steps.parse.outputs.additional-subjects }}"
- if [ -n "${subjects}" ]; then
- echo "${subjects}"
- ls -la ${subjects}
- fi
-
- - name: Attest main binary
- id: attest1
- uses: actions/attest-build-provenance@v1.1.1
- with:
- subject-path: ${{ steps.parse.outputs.binary-path }}
+ echo "${{ steps.parse.outputs.subject-paths }}"
+ ls -la "${{ steps.parse.outputs.subject-paths }}"
- - name: Attest additional subjects
- id: attest2
- if: ${{ steps.parse.outputs.additional-subjects != '' }}
+ - name: Attest
+ id: attest
uses: actions/attest-build-provenance@v1.1.1
with:
- subject-path: ${{ steps.parse.outputs.additional-subjects }}
+ subject-path: ${{ steps.parse.outputs.subject-paths }}
- name: Show bundle
run: |
- echo "${{ steps.attest1.outputs.bundle-path }}"
- ls -la "${{ steps.attest1.outputs.bundle-path }}"
- cat "${{ steps.attest1.outputs.bundle-path }}"
-
- - name: Show additional bundle
- if: ${{ steps.parse.outputs.additional-subjects != '' }}
- run: |
- echo "${{ steps.attest2.outputs.bundle-path }}"
- ls -la "${{ steps.attest2.outputs.bundle-path }}"
- cat "${{ steps.attest2.outputs.bundle-path }}"
+ echo "${{ steps.attest.outputs.bundle-path }}"
+ ls -la "${{ steps.attest.outputs.bundle-path }}"
+ cat "${{ steps.attest.outputs.bundle-path }}"
# Upload binary and provenance to GCS and index via http://static.space
# so that, regardless of the GCS bucket and path, it can easily be
@@ -145,7 +124,7 @@ jobs:
bucket=oak-bins
package_name=${{ steps.parse.outputs.package-name }}
binary_path=${{ steps.parse.outputs.binary-path }}
- provenance_path=${{ steps.attest1.outputs.bundle-path }}
+ provenance_path=${{ steps.attest.outputs.bundle-path }}
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
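Review bot: `ls -la "${{ steps.parse.outputs.subject-paths }}"` quotes the whole value, so for the two kernel buildconfigs in this patch (oak_containers_kernel.sh and oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh), whose `SUBJECT_PATHS` collapses to a space-separated list, `ls` receives one non-existent name and the step fails; the removed code used an unquoted `ls -la ${subjects}` for exactly that case. The same space-separated string is then passed as `subject-path`, and the action's documented list form is newline-delimited, so unless it also splits on whitespace the kernel builds will attest a single unmatched pattern instead of three subjects — this should be verified on a kernel build before the bundle is relied on. Splitting in the shell, e.g. `for p in ${{ steps.parse.outputs.subject-paths }}; do ls -la "$p"; done`, fixes the listing; for the attest input either emit the list newline-separated through `GITHUB_OUTPUT` (delimiter form) or confirm the action's splitting rules. Passing the value through an `env:` entry instead of interpolating the expression into `run` would also keep the script free of template expansion.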
diff --git a/buildconfigs/key_xor_test_app.sh b/buildconfigs/key_xor_test_app.sh
index 986af897b1a..b21c264707e 100644
--- a/buildconfigs/key_xor_test_app.sh
+++ b/buildconfigs/key_xor_test_app.sh
@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
--release
)
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
diff --git a/buildconfigs/oak_containers_kernel.sh b/buildconfigs/oak_containers_kernel.sh
index bbd46db2507..1266d3553f8 100644
--- a/buildconfigs/oak_containers_kernel.sh
+++ b/buildconfigs/oak_containers_kernel.sh
@@ -14,6 +14,7 @@ export BUILD_COMMAND=(
oak_containers_kernel
)
-export BINARY_PATH=oak_containers_kernel/target/bzImage
-
-export ADDITIONAL_SUBJECTS="oak_containers_kernel/target/subjects/*"
+export SUBJECT_PATHS="\
+oak_containers_kernel/target/bzImage \
+oak_containers_kernel/target/subjects/oak_containers_kernel_image \
+oak_containers_kernel/target/subjects/oak_containers_kernel_setup_data"
diff --git a/buildconfigs/oak_containers_orchestrator.sh b/buildconfigs/oak_containers_orchestrator.sh
index e7945b4df39..0444661af40 100644
--- a/buildconfigs/oak_containers_orchestrator.sh
+++ b/buildconfigs/oak_containers_orchestrator.sh
@@ -13,6 +13,4 @@ export BUILD_COMMAND=(
oak_containers_orchestrator
)
-export BINARY_PATH=oak_containers_orchestrator/target/oak_containers_orchestrator
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_containers_orchestrator/target/oak_containers_orchestrator
diff --git a/buildconfigs/oak_containers_stage1.sh b/buildconfigs/oak_containers_stage1.sh
index b9ac4636010..ede3513fbea 100644
--- a/buildconfigs/oak_containers_stage1.sh
+++ b/buildconfigs/oak_containers_stage1.sh
@@ -14,6 +14,4 @@ export BUILD_COMMAND=(
make
)
-export BINARY_PATH=target/stage1.cpio
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=target/stage1.cpio
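Review bot: In oak_containers_kernel.sh the `"\` continuation makes `SUBJECT_PATHS` read as newline-delimited, but inside double quotes bash removes each backslash-newline, so the exported value is one space-separated line; nothing in the file says so, and the workflow's `echo "subject-paths=..."` and attest step both depend on that shape. A comment above the export such as `# Whitespace-separated list of files to attest; paths must not contain spaces.` would make the contract explicit, and the same applies to the restricted-kernel config later in this patch. Replacing the `subjects/*` glob with explicit file names is a sound change: the attested subject set is now fixed by the config rather than by whatever the build directory happens to contain.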
diff --git a/buildconfigs/oak_containers_syslogd.sh b/buildconfigs/oak_containers_syslogd.sh
index ef1fc8681ca..b0fb0ed28f0 100644
--- a/buildconfigs/oak_containers_syslogd.sh
+++ b/buildconfigs/oak_containers_syslogd.sh
@@ -13,6 +13,4 @@ export BUILD_COMMAND=(
oak_containers_syslogd
)
-export BINARY_PATH=oak_containers_syslogd/target/oak_containers_syslogd_patched
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_containers_syslogd/target/oak_containers_syslogd_patched
diff --git a/buildconfigs/oak_containers_system_image.sh b/buildconfigs/oak_containers_system_image.sh
index c199e04cc77..2a7ef52582f 100644
--- a/buildconfigs/oak_containers_system_image.sh
+++ b/buildconfigs/oak_containers_system_image.sh
@@ -13,6 +13,4 @@ export BUILD_COMMAND=(
oak_containers_system_image
)
-export BINARY_PATH=oak_containers_system_image/target/image.tar.xz
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_containers_system_image/target/image.tar.xz
diff --git a/buildconfigs/oak_echo_enclave_app.sh b/buildconfigs/oak_echo_enclave_app.sh
index e8d7c591210..7397af13bce 100644
--- a/buildconfigs/oak_echo_enclave_app.sh
+++ b/buildconfigs/oak_echo_enclave_app.sh
@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
--release
)
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
diff --git a/buildconfigs/oak_echo_raw_enclave_app.sh b/buildconfigs/oak_echo_raw_enclave_app.sh
index a3483583dda..c8901bca3ee 100644
--- a/buildconfigs/oak_echo_raw_enclave_app.sh
+++ b/buildconfigs/oak_echo_raw_enclave_app.sh
@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
--release
)
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
diff --git a/buildconfigs/oak_functions_enclave_app.sh b/buildconfigs/oak_functions_enclave_app.sh
index 0314e4367ff..672e1286c8f 100644
--- a/buildconfigs/oak_functions_enclave_app.sh
+++ b/buildconfigs/oak_functions_enclave_app.sh
@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
--release
)
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
diff --git a/buildconfigs/oak_functions_insecure_enclave_app.sh b/buildconfigs/oak_functions_insecure_enclave_app.sh
index 7a39a7d0315..d0c249566d4 100644
--- a/buildconfigs/oak_functions_insecure_enclave_app.sh
+++ b/buildconfigs/oak_functions_insecure_enclave_app.sh
@@ -18,6 +18,4 @@ export BUILD_COMMAND=(
--features=allow_sensitive_logging
)
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
diff --git a/buildconfigs/oak_ml_transparency_eval.sh b/buildconfigs/oak_ml_transparency_eval.sh
index 0a192508dc0..7b493bb0873 100644
--- a/buildconfigs/oak_ml_transparency_eval.sh
+++ b/buildconfigs/oak_ml_transparency_eval.sh
@@ -14,6 +14,4 @@ export BUILD_COMMAND=(
--output=claim.json
)
-export BINARY_PATH=oak_ml_transparency/mnist/claim.json
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=oak_ml_transparency/mnist/claim.json
diff --git a/buildconfigs/oak_orchestrator.sh b/buildconfigs/oak_orchestrator.sh
index 33d11ba4745..9ebc70d0895 100644
--- a/buildconfigs/oak_orchestrator.sh
+++ b/buildconfigs/oak_orchestrator.sh
@@ -16,6 +16,4 @@ export BUILD_COMMAND=(
--release
)
-export BINARY_PATH=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
diff --git a/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
index 6884073dd0b..b9675a4dfd8 100644
--- a/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
+++ b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
@@ -13,6 +13,7 @@ export BUILD_COMMAND=(
oak_restricted_kernel_simple_io_init_rd_wrapper
)
-export BINARY_PATH=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
-
-export ADDITIONAL_SUBJECTS="oak_restricted_kernel_wrapper/target/oak_restricted_kernel_simple_io_init_rd/subjects/*"
+export SUBJECT_PATHS="\
+oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin \
+oak_restricted_kernel_wrapper/target/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_image \
+oak_restricted_kernel_wrapper/target/oak_restricted_kernel_simple_io_init_rd/subjects/oak_restricted_kernel_simple_io_init_rd_setup_data"
diff --git a/buildconfigs/stage0_bin.sh b/buildconfigs/stage0_bin.sh
index 2275bf79c63..69361262ef2 100644
--- a/buildconfigs/stage0_bin.sh
+++ b/buildconfigs/stage0_bin.sh
@@ -19,6 +19,4 @@ export BUILD_COMMAND=(
target/x86_64-unknown-none/release/stage0_bin
)
-export BINARY_PATH=stage0_bin/target/x86_64-unknown-none/release/stage0_bin
-
-export ADDITIONAL_SUBJECTS=
+export SUBJECT_PATHS=stage0_bin/target/x86_64-unknown-none/release/stage0_bin
diff --git a/justfile b/justfile
index 403bef46bfa..992bbcd2ee6 100644
--- a/justfile
+++ b/justfile
@@ -39,18 +39,19 @@ restricted_kernel_bzimage_and_provenance_subjects kernel_bin_prefix:
oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper \
oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin
just bzimage_provenance_subjects \
+ {{kernel_bin_prefix}} \
oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin \
oak_restricted_kernel_wrapper/target/{{kernel_bin_prefix}}/subjects
# Create provenance subjects for a kernel bzImage, by extracting the setup data
# and image to the output directory.
-bzimage_provenance_subjects bzimage_path output_dir:
+bzimage_provenance_subjects kernel_name bzimage_path output_dir:
rm --recursive --force {{output_dir}}
mkdir --parents {{output_dir}}
cargo run --package=oak_kernel_measurement -- \
--kernel={{bzimage_path}} \
- --kernel-setup-data-output={{output_dir}}/kernel_setup_data \
- --kernel-image-output={{output_dir}}/kernel_image
+ --kernel-setup-data-output={{output_dir}}/{{kernel_name}}_setup_data \
+ --kernel-image-output={{output_dir}}/{{kernel_name}}_image
oak_restricted_kernel_wrapper: oak_restricted_kernel_bin
just restricted_kernel_bzimage_and_provenance_subjects oak_restricted_kernel
@@ -79,6 +80,7 @@ stage1_cpio:
oak_containers_kernel:
env --chdir=oak_containers_kernel make
just bzimage_provenance_subjects \
+ oak_containers_kernel \
oak_containers_kernel/target/bzImage \
oak_containers_kernel/target/subjects
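Review bot: The new `kernel_name` parameter fixes the output file names to `{{kernel_name}}_setup_data` and `{{kernel_name}}_image`, and those exact names are what the kernel buildconfigs list under `SUBJECT_PATHS` (for example `oak_containers_kernel/target/subjects/oak_containers_kernel_image`), yet the recipe comment does not record that coupling, so a future rename here would leave the buildconfigs pointing at files that no longer exist and break the attestation step. Extend the comment above `bzimage_provenance_subjects` with something like `# The <kernel_name>_image and <kernel_name>_setup_data output names are referenced verbatim by buildconfigs/*.sh SUBJECT_PATHS; keep them in sync.`. Because `kernel_name` is a new leading positional, any caller of `bzimage_provenance_subjects` other than the two updated in these hunks would now pass its bzImage path as the name — worth a grep of the rest of the justfile.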