Complete matrix

project-oak · May 14, 2024 · ff9e27b · ff9e27b
1 parent e0103f6
commit ff9e27b
Show file tree

Hide file tree

Showing 15 changed files with 267 additions and 42 deletions.
diff --git a/.github/workflows/provenance5.yaml b/.github/workflows/provenance5.yaml
@@ -15,23 +15,31 @@ jobs:
       matrix:
         buildconfig:
           - buildconfigs/key_xor_test_app.sh
+          - buildconfigs/oak_containers_kernel.sh
+          - buildconfigs/oak_containers_orchestrator.sh
+          - buildconfigs/oak_containers_stage1.sh
+          - buildconfigs/oak_containers_syslogd.sh
           - buildconfigs/oak_containers_system_image.sh
+          - buildconfigs/oak_echo_enclave_app.sh
           - buildconfigs/oak_echo_raw_enclave_app.sh
+          - buildconfigs/oak_functions_enclave_app.sh
+          - buildconfigs/oak_functions_insecure_enclave_app.sh
+          - buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
+          - buildconfigs/stage0_bin.sh
+          - buildconfigs/oak_orchestrator.sh
 
     permissions:
       actions: read
       id-token: write
       attestations: write
       contents: read
     runs-on: ubuntu-20.04
-    secrets:
-      GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
 
     steps:
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v2
-        with:
-          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+      # - name: Authenticate to Google Cloud
+      #   uses: google-github-actions/auth@v2
+      #   with:
+      #     credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
 
       - name: Setup Google Cloud
         uses: google-github-actions/setup-gcloud@v2
@@ -92,33 +100,33 @@ jobs:
       # Upload binary and provenance to GCS and index via http://static.space
       # so that, regardless of the GCS bucket and path, it can easily be
       # located by its digest.
-      - name: Upload
-        id: upload
-        run: |
-          set -o errexit
-          set -o nounset
-          set -o pipefail
-
-          bucket=oak-bins
-          package_name=${{ steps.parse.outputs.package-name }}
-          binary_path=${{ steps.parse.outputs.binary-path }}
-          provenance_path=${{ steps.attest.outputs.bundle-path }}
-
-          gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_path})"
-          gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_path})"
-          binary_url="https://storage.googleapis.com/${bucket}/${binary_path}"
-          provenance_url="https://storage.googleapis.com/${bucket}/${provenance_path}"
-
-          gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
-          gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
-
-          curl --fail \
-            --request POST \
-            --header 'Content-Type: application/json' \
-            --data "{ \"url\": \"${binary_url}\" }" \
-            https://api.static.space/v1/snapshot
-          curl --fail \
-            --request POST \
-            --header 'Content-Type: application/json' \
-            --data "{ \"url\": \"${provenance_url}\" }" \
-            https://api.static.space/v1/snapshot
+      # - name: Upload
+      #   id: upload
+      #   run: |
+      #     set -o errexit
+      #     set -o nounset
+      #     set -o pipefail
+
+      #     bucket=oak-bins
+      #     package_name=${{ steps.parse.outputs.package-name }}
+      #     binary_path=${{ steps.parse.outputs.binary-path }}
+      #     provenance_path=${{ steps.attest.outputs.bundle-path }}
+
+      #     gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_path})"
+      #     gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_path})"
+      #     binary_url="https://storage.googleapis.com/${bucket}/${binary_path}"
+      #     provenance_url="https://storage.googleapis.com/${bucket}/${provenance_path}"
+
+      #     gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
+      #     gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
+
+      #     curl --fail \
+      #       --request POST \
+      #       --header 'Content-Type: application/json' \
+      #       --data "{ \"url\": \"${binary_url}\" }" \
+      #       https://api.static.space/v1/snapshot
+      #     curl --fail \
+      #       --request POST \
+      #       --header 'Content-Type: application/json' \
+      #       --data "{ \"url\": \"${provenance_url}\" }" \
+      #       https://api.static.space/v1/snapshot
diff --git a/buildconfigs/key_xor_test_app.sh b/buildconfigs/key_xor_test_app.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
-
+#
+# Build configuration for key_xor_test_app.
+#
 package_name=key_xor_test_app
 
 declare -a build_command=(

diff --git a/buildconfigs/oak_containers_kernel.sh b/buildconfigs/oak_containers_kernel.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_kernel.
+#
+# TODO: b/333745447 - Replace this file with its counterparts in ./buildconfigs_full_provenance.
+package_name=oak_containers_kernel
+
+declare -a build_command=(
+  nix
+  develop
+  .#bzImageProvenance
+  --command
+  env
+  --chdir=oak_containers_kernel
+  make
+)
+
+binary_path=oak_containers_kernel/target/bzImage
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_orchestrator.sh b/buildconfigs/oak_containers_orchestrator.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_orchestrator.
+#
+package_name=oak_containers_orchestrator
+
+declare -a build_command=(
+  nix
+  develop
+  .#systemImageProvenance
+  --command
+  just
+  oak_containers_orchestrator
+)
+
+binary_path=oak_containers_orchestrator/target/oak_containers_orchestrator
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_stage1.sh b/buildconfigs/oak_containers_stage1.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_stage1.
+#
+package_name=oak_containers_stage1
+
+declare -a build_command=(
+  nix
+  develop
+  .#stage1Provenance
+  --command
+  env
+  --chdir=oak_containers_stage1
+  make
+)
+
+binary_path=target/stage1.cpio
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_syslogd.sh b/buildconfigs/oak_containers_syslogd.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_syslogd.
+#
+package_name=oak_containers_syslogd
+
+declare -a build_command=(
+  nix
+  develop
+  .#systemImageProvenance
+  --command
+  just
+  oak_containers_syslogd
+)
+
+binary_path=oak_containers_syslogd/target/oak_containers_syslogd_patched
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_system_image.sh b/buildconfigs/oak_containers_system_image.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
-
+#
+# Build configuration for oak_containers_system_image.
+#
 package_name=oak_containers_system_image
 
 declare -a build_command=(

diff --git a/buildconfigs/oak_echo_enclave_app.sh b/buildconfigs/oak_echo_enclave_app.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Build configuration for oak_echo_enclave_app.
+#
+package_name=oak_echo_enclave_app
+
+declare -a build_command=(
+  nix
+  develop
+  .#rust
+  --command
+  env
+  --chdir=enclave_apps/oak_echo_enclave_app
+  cargo
+  build
+  --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_echo_raw_enclave_app.sh b/buildconfigs/oak_echo_raw_enclave_app.sh
@@ -1,18 +1,20 @@
 #!/bin/sh
-
-package_name=oak_echo_enclave_app
+#
+# Build configuration for oak_echo_raw_enclave_app.
+#
+package_name=oak_echo_raw_enclave_app
 
 declare -a build_command=(
   nix
   develop
   .#rust
   --command
   env
-  --chdir=enclave_apps/oak_echo_enclave_app
+  --chdir=enclave_apps/oak_echo_raw_enclave_app
   cargo
   build
   --release
 )
 
-binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
 subject_path="${binary_path}"
diff --git a/buildconfigs/oak_functions_enclave_app.sh b/buildconfigs/oak_functions_enclave_app.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Build configuration for oak_functions_enclave_app.
+#
+package_name=oak_functions_enclave_app
+
+declare -a build_command=(
+  nix
+  develop
+  .#rust
+  --command
+  env
+  --chdir=enclave_apps/oak_functions_enclave_app
+  cargo
+  build
+  --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_functions_insecure_enclave_app.sh b/buildconfigs/oak_functions_insecure_enclave_app.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Build configuration for oak_functions_insecure_enclave_app.
+#
+package_name=oak_functions_insecure_enclave_app
+
+declare -a build_command=(
+  nix
+  develop
+  .#rust
+  --command
+  env
+  --chdir=enclave_apps/oak_functions_enclave_app
+  cargo
+  build
+  --release
+  --no-default-features
+  --features=allow_sensitive_logging
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_ml_transparency_eval.sh b/buildconfigs/oak_ml_transparency_eval.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Build configuration for oak_ml_transparency.
+#
+package_name=oak_ml_transparency
+
+declare -a build_command=(
+  env
+  --chdir=oak_ml_transparency/mnist
+  /project/runner-musl
+  --model=/project/mnist_model.tar.gz
+  --model-name=mnist
+  --eval-script=/project/eval.py
+  --output=claim.json
+)
+
+binary_path=oak_ml_transparency/mnist/claim.json
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_orchestrator.sh b/buildconfigs/oak_orchestrator.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Build configuration for oak_orchestrator.
+#
+package_name=oak_orchestrator
+
+declare -a build_command=(
+  nix
+  develop
+  .#rust
+  --command
+  env
+  --chdir=enclave_apps/oak_orchestrator
+  cargo
+  build
+  --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Build configuration for oak_restricted_kernel_simple_io_init_rd_wrapper_bin.
+#
+# TODO: b/333745447 - Replace this file with its counterparts in ./buildconfigs_full_provenance.
+
+package_name=oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+
+declare -a build_command=(
+  "nix",
+  "develop",
+  ".#rust",
+  "--command",
+  "just",
+  "oak_restricted_kernel_simple_io_init_rd_wrapper",
+)
+
+binary_path=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+subject_path="${binary_path}"
diff --git a/buildconfigs/stage0_bin.sh b/buildconfigs/stage0_bin.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+package_name=stage0_bin
+
+declare -a build_command=(
+  "nix",
+  "develop",
+  ".#rust",
+  "--command",
+  "env",
+  "--chdir=stage0_bin",
+  "cargo",
+  "objcopy",
+  "--release",
+  "--",
+  "--output-target=binary",
+  "target/x86_64-unknown-none/release/stage0_bin",
+)
+
+binary_path=stage0_bin/target/x86_64-unknown-none/release/stage0_bin
+subject_path="${binary_path}"