From ff9e27bb1eca349b3bb4c6e4010c760c5cf221fa Mon Sep 17 00:00:00 2001
From: Tom Binder
Date: Tue, 14 May 2024 15:59:00 +0000
Subject: [PATCH] Complete matrix
---
 .github/workflows/provenance5.yaml | 80 ++++++++++---------
 buildconfigs/key_xor_test_app.sh | 4 +-
 buildconfigs/oak_containers_kernel.sh | 19 +++++
 buildconfigs/oak_containers_orchestrator.sh | 17 ++++
 buildconfigs/oak_containers_stage1.sh | 18 +++++
 buildconfigs/oak_containers_syslogd.sh | 17 ++++
 buildconfigs/oak_containers_system_image.sh | 4 +-
 buildconfigs/oak_echo_enclave_app.sh | 20 +++++
 buildconfigs/oak_echo_raw_enclave_app.sh | 10 ++-
 buildconfigs/oak_functions_enclave_app.sh | 20 +++++
 .../oak_functions_insecure_enclave_app.sh | 22 +++++
 buildconfigs/oak_ml_transparency_eval.sh | 18 +++++
 buildconfigs/oak_orchestrator.sh | 20 +++++
 ...ed_kernel_simple_io_init_rd_wrapper_bin.sh | 19 +++++
 buildconfigs/stage0_bin.sh | 21 +++++
 15 files changed, 267 insertions(+), 42 deletions(-)
 create mode 100644 buildconfigs/oak_containers_kernel.sh
 create mode 100644 buildconfigs/oak_containers_orchestrator.sh
 create mode 100644 buildconfigs/oak_containers_stage1.sh
 create mode 100644 buildconfigs/oak_containers_syslogd.sh
 create mode 100644 buildconfigs/oak_echo_enclave_app.sh
 create mode 100644 buildconfigs/oak_functions_enclave_app.sh
 create mode 100644 buildconfigs/oak_functions_insecure_enclave_app.sh
 create mode 100644 buildconfigs/oak_ml_transparency_eval.sh
 create mode 100644 buildconfigs/oak_orchestrator.sh
 create mode 100644 buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
 create mode 100644 buildconfigs/stage0_bin.sh
diff --git a/.github/workflows/provenance5.yaml b/.github/workflows/provenance5.yaml
index 3c2f773a8c8..651cb3550ed 100644
--- a/.github/workflows/provenance5.yaml
+++ b/.github/workflows/provenance5.yaml
@@ -15,8 +15,18 @@ jobs:
 matrix:
 buildconfig:
 - buildconfigs/key_xor_test_app.sh
+ - buildconfigs/oak_containers_kernel.sh
+ - buildconfigs/oak_containers_orchestrator.sh
+ - buildconfigs/oak_containers_stage1.sh
+ - buildconfigs/oak_containers_syslogd.sh
 - buildconfigs/oak_containers_system_image.sh
+ - buildconfigs/oak_echo_enclave_app.sh
 - buildconfigs/oak_echo_raw_enclave_app.sh
+ - buildconfigs/oak_functions_enclave_app.sh
+ - buildconfigs/oak_functions_insecure_enclave_app.sh
+ - buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
+ - buildconfigs/stage0_bin.sh
+ - buildconfigs/oak_orchestrator.sh
 permissions:
 actions: read
@@ -24,14 +34,12 @@ jobs:
 attestations: write
 contents: read
 runs-on: ubuntu-20.04
- secrets:
- GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
 steps:
- - name: Authenticate to Google Cloud
- uses: google-github-actions/auth@v2
- with:
- credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+ # - name: Authenticate to Google Cloud
+ # uses: google-github-actions/auth@v2
+ # with:
+ # credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
 - name: Setup Google Cloud
 uses: google-github-actions/setup-gcloud@v2
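Review bot: The matrix still omits `buildconfigs/oak_ml_transparency_eval.sh`, which this same commit creates (it is listed in the diffstat with `create mode`), so one buildconfig stays unbuilt and unattested despite the "Complete matrix" title. If that is deliberate because that config depends on a prebuilt `/project/runner-musl` rather than `nix develop`, a comment on the list saying so would stop it being added by accident; otherwise add `- buildconfigs/oak_ml_transparency_eval.sh`. The new `- buildconfigs/oak_orchestrator.sh` entry is appended after `stage0_bin.sh`, breaking the otherwise sorted order of the list; placing it before `oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh` keeps the list easy to diff. The enclosing `jobs:` mapping begins before this hunk.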
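Review bot: The `Authenticate to Google Cloud` step is commented out rather than deleted, while `Setup Google Cloud` (`setup-gcloud@v2`) stays active even though its only consumer, the upload step, is also commented out in this commit, so every matrix job now installs a cloud SDK it never uses. Commented-out credential handling tends to be restored by uncommenting without a fresh look at which permissions it needs; deleting the block (history keeps it) or gating the step with an `if:` condition plus a tracked TODO is cleaner. Removing the `secrets:` mapping is correct for a job that runs `steps:` directly, since that key only applies when a job calls a reusable workflow, so no further action there. The enclosing job definition starts outside the hunk.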
@@ -92,33 +100,33 @@ jobs:
 # Upload binary and provenance to GCS and index via http://static.space
 # so that, regardless of the GCS bucket and path, it can easily be
 # located by its digest.
- - name: Upload
- id: upload
- run: |
- set -o errexit
- set -o nounset
- set -o pipefail
-
- bucket=oak-bins
- package_name=${{ steps.parse.outputs.package-name }}
- binary_path=${{ steps.parse.outputs.binary-path }}
- provenance_path=${{ steps.attest.outputs.bundle-path }}
-
- gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_path})"
- gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_path})"
- binary_url="https://storage.googleapis.com/${bucket}/${binary_path}"
- provenance_url="https://storage.googleapis.com/${bucket}/${provenance_path}"
-
- gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
- gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
-
- curl --fail \
- --request POST \
- --header 'Content-Type: application/json' \
- --data "{ \"url\": \"${binary_url}\" }" \
- https://api.static.space/v1/snapshot
- curl --fail \
- --request POST \
- --header 'Content-Type: application/json' \
- --data "{ \"url\": \"${provenance_url}\" }" \
- https://api.static.space/v1/snapshot
+ # - name: Upload
+ # id: upload
+ # run: |
+ # set -o errexit
+ # set -o nounset
+ # set -o pipefail
+
+ # bucket=oak-bins
+ # package_name=${{ steps.parse.outputs.package-name }}
+ # binary_path=${{ steps.parse.outputs.binary-path }}
+ # provenance_path=${{ steps.attest.outputs.bundle-path }}
+
+ # gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_path})"
+ # gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_path})"
+ # binary_url="https://storage.googleapis.com/${bucket}/${binary_path}"
+ # provenance_url="https://storage.googleapis.com/${bucket}/${provenance_path}"
+
+ # gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
+ # gsutil cp 
"${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
+
+ # curl --fail \
+ # --request POST \
+ # --header 'Content-Type: application/json' \
+ # --data "{ \"url\": \"${binary_url}\" }" \
+ # https://api.static.space/v1/snapshot
+ # curl --fail \
+ # --request POST \
+ # --header 'Content-Type: application/json' \
+ # --data "{ \"url\": \"${provenance_url}\" }" \
+ # https://api.static.space/v1/snapshot
diff --git a/buildconfigs/key_xor_test_app.sh b/buildconfigs/key_xor_test_app.sh
index c9f3a34cac6..3bc8acbcb74 100644
--- a/buildconfigs/key_xor_test_app.sh
+++ b/buildconfigs/key_xor_test_app.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
-
+#
+# Build configuration for key_xor_test_app.
+#
 package_name=key_xor_test_app
 declare -a build_command=(
diff --git a/buildconfigs/oak_containers_kernel.sh b/buildconfigs/oak_containers_kernel.sh
new file mode 100644
index 00000000000..ea5aa6a1cdb
--- /dev/null
+++ b/buildconfigs/oak_containers_kernel.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_kernel.
+#
+# TODO: b/333745447 - Replace this file with its counterparts in ./buildconfigs_full_provenance.
+package_name=oak_containers_kernel
+
+declare -a build_command=(
+ nix
+ develop
+ .#bzImageProvenance
+ --command
+ env
+ --chdir=oak_containers_kernel
+ make
+)
+
+binary_path=oak_containers_kernel/target/bzImage
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_orchestrator.sh b/buildconfigs/oak_containers_orchestrator.sh
new file mode 100644
index 00000000000..47672701d94
--- /dev/null
+++ b/buildconfigs/oak_containers_orchestrator.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_orchestrator.
+#
+package_name=oak_containers_orchestrator
+
+declare -a build_command=(
+ nix
+ develop
+ .#systemImageProvenance
+ --command
+ just
+ oak_containers_orchestrator
+)
+
+binary_path=oak_containers_orchestrator/target/oak_containers_orchestrator
+subject_path="${binary_path}"
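Review bot: The upload script is kept (commented) with a latent bug that should be fixed before anyone uncomments it: `binary_url` and `provenance_url` are built from `${binary_path}` and `${provenance_path}`, the local file paths, while the objects are copied to `gs://${bucket}/${gcs_binary_path}` and `gs://${bucket}/${gcs_provenance_path}`, so the URLs handed to static.space would name objects that do not exist. The two lines should read `binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"` and `provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"`. Separately, `${{ steps.parse.outputs.package-name }}` and the other step outputs are expanded directly into the `run:` script text; routing them through an `env:` block and reading `"${PACKAGE_NAME}"` in the shell keeps expression values out of the script source, which is the usual hardening for step outputs even when, as here, they appear to originate from repository-controlled buildconfigs. The enclosing `steps:` list begins outside this hunk.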
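Review bot: `declare -a build_command=(` is a bash builtin, but the new `oak_containers_kernel.sh` starts with `#!/bin/sh`; where `sh` is dash the file cannot be run directly, and if it is only ever sourced from a bash step the shebang misdescribes the contract. Either change the first line to `#!/bin/bash` or add `# Sourced by the provenance workflow from bash; not meant to be executed directly.` under the header, whichever matches how the workflow consumes these files. The same shebang/`declare` pairing is in `oak_containers_orchestrator.sh` in this hunk and in every other buildconfig this commit adds, so fix it file-wide rather than here alone. The `TODO: b/333745447` marker is helpful; if the other new configs are also interim copies to be replaced by `./buildconfigs_full_provenance`, repeating it there would say so.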
diff --git a/buildconfigs/oak_containers_stage1.sh b/buildconfigs/oak_containers_stage1.sh
new file mode 100644
index 00000000000..23105677001
--- /dev/null
+++ b/buildconfigs/oak_containers_stage1.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_stage1.
+#
+package_name=oak_containers_stage1
+
+declare -a build_command=(
+ nix
+ develop
+ .#stage1Provenance
+ --command
+ env
+ --chdir=oak_containers_stage1
+ make
+)
+
+binary_path=target/stage1.cpio
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_syslogd.sh b/buildconfigs/oak_containers_syslogd.sh
new file mode 100644
index 00000000000..388e43032fb
--- /dev/null
+++ b/buildconfigs/oak_containers_syslogd.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Build configuration for oak_containers_syslogd.
+#
+package_name=oak_containers_syslogd
+
+declare -a build_command=(
+ nix
+ develop
+ .#systemImageProvenance
+ --command
+ just
+ oak_containers_syslogd
+)
+
+binary_path=oak_containers_syslogd/target/oak_containers_syslogd_patched
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_containers_system_image.sh b/buildconfigs/oak_containers_system_image.sh
index 111f3f3aa13..c6a85b3ca27 100644
--- a/buildconfigs/oak_containers_system_image.sh
+++ b/buildconfigs/oak_containers_system_image.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
-
+#
+# Build configuration for oak_containers_system_image.
+#
 package_name=oak_containers_system_image
 declare -a build_command=(
diff --git a/buildconfigs/oak_echo_enclave_app.sh b/buildconfigs/oak_echo_enclave_app.sh
new file mode 100644
index 00000000000..ab070443eb7
--- /dev/null
+++ b/buildconfigs/oak_echo_enclave_app.sh
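Review bot: `binary_path=target/stage1.cpio` points at a `target/` directory at the repository root, whereas the build runs `make` under `--chdir=oak_containers_stage1` and the sibling kernel config records its output under `oak_containers_kernel/target/`; unless the stage1 Makefile deliberately writes to the top-level `target/`, the attested subject will be missing, or could be a stale file left by another build. Please confirm where `make` writes `stage1.cpio` and, if it is the component directory, change the line to `binary_path=oak_containers_stage1/target/stage1.cpio`. For a provenance job the subject path is what gets hashed and attested, so a wrong path is a correctness problem rather than a cosmetic one.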
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Build configuration for oak_echo_enclave_app.
+#
+package_name=oak_echo_enclave_app
+
+declare -a build_command=(
+ nix
+ develop
+ .#rust
+ --command
+ env
+ --chdir=enclave_apps/oak_echo_enclave_app
+ cargo
+ build
+ --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_echo_raw_enclave_app.sh b/buildconfigs/oak_echo_raw_enclave_app.sh
index 4fa3a5f54ef..1d24a9eac52 100644
--- a/buildconfigs/oak_echo_raw_enclave_app.sh
+++ b/buildconfigs/oak_echo_raw_enclave_app.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
-
-package_name=oak_echo_enclave_app
+#
+# Build configuration for oak_echo_raw_enclave_app.
+#
+package_name=oak_echo_raw_enclave_app
 declare -a build_command=(
 nix
@@ -8,11 +10,11 @@ declare -a build_command=(
 .#rust
 --command
 env
- --chdir=enclave_apps/oak_echo_enclave_app
+ --chdir=enclave_apps/oak_echo_raw_enclave_app
 cargo
 build
 --release
 )
-binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_raw_enclave_app
 subject_path="${binary_path}"
diff --git a/buildconfigs/oak_functions_enclave_app.sh b/buildconfigs/oak_functions_enclave_app.sh
new file mode 100644
index 00000000000..089919a947b
--- /dev/null
+++ b/buildconfigs/oak_functions_enclave_app.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Build configuration for oak_functions_enclave_app.
+#
+package_name=oak_functions_enclave_app
+
+declare -a build_command=(
+ nix
+ develop
+ .#rust
+ --command
+ env
+ --chdir=enclave_apps/oak_functions_enclave_app
+ cargo
+ build
+ --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_functions_enclave_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_functions_insecure_enclave_app.sh b/buildconfigs/oak_functions_insecure_enclave_app.sh
new file mode 100644
index 00000000000..ac212c414a9
--- /dev/null
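Review bot: `cargo build --release` runs without `--locked`, so if `Cargo.lock` is out of date Cargo will resolve and record new dependency versions during the provenance build, and the resulting attestation then describes a dependency set nobody reviewed. Adding `--locked` after `--release` makes the build fail instead, which is the behaviour wanted for an attested artifact; the same applies to `oak_functions_enclave_app.sh` in this hunk and to `oak_functions_insecure_enclave_app.sh`, `oak_orchestrator.sh` and `stage0_bin.sh` on the later hunks. If the `nix develop .#rust` shell already enforces this (for example by building offline), a one-line comment saying so would save the next reader the question.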
+++ b/buildconfigs/oak_functions_insecure_enclave_app.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Build configuration for oak_functions_insecure_enclave_app.
+#
+package_name=oak_functions_insecure_enclave_app
+
+declare -a build_command=(
+ nix
+ develop
+ .#rust
+ --command
+ env
+ --chdir=enclave_apps/oak_functions_enclave_app
+ cargo
+ build
+ --release
+ --no-default-features
+ --features=allow_sensitive_logging
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_functions_insecure_enclave_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_ml_transparency_eval.sh b/buildconfigs/oak_ml_transparency_eval.sh
new file mode 100644
index 00000000000..10842fc2a34
--- /dev/null
+++ b/buildconfigs/oak_ml_transparency_eval.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Build configuration for oak_ml_transparency.
+#
+package_name=oak_ml_transparency
+
+declare -a build_command=(
+ env
+ --chdir=oak_ml_transparency/mnist
+ /project/runner-musl
+ --model=/project/mnist_model.tar.gz
+ --model-name=mnist
+ --eval-script=/project/eval.py
+ --output=claim.json
+)
+
+binary_path=oak_ml_transparency/mnist/claim.json
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_orchestrator.sh b/buildconfigs/oak_orchestrator.sh
new file mode 100644
index 00000000000..f4938ab690e
--- /dev/null
+++ b/buildconfigs/oak_orchestrator.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Build configuration for oak_orchestrator.
+#
+package_name=oak_orchestrator
+
+declare -a build_command=(
+ nix
+ develop
+ .#rust
+ --command
+ env
+ --chdir=enclave_apps/oak_orchestrator
+ cargo
+ build
+ --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_orchestrator
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
new file mode 100644
index 00000000000..cd5f5ec783f
--- /dev/null
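Review bot: `--chdir=enclave_apps/oak_functions_enclave_app` builds the same crate as `oak_functions_enclave_app.sh`, yet `binary_path` expects `.../release/oak_functions_insecure_enclave_app`; Cargo names the output after the bin target, so unless that crate declares a separate `[[bin]]` with this name (not visible here) the subject file will not exist, and the two configs would otherwise be writing the same `oak_functions_enclave_app` file into the shared `enclave_apps/target` with different feature sets. Please confirm the bin target name, or point `binary_path` at the file this feature combination actually produces. The header should also state what makes the variant insecure, e.g. `# Insecure variant: built with --no-default-features --features=allow_sensitive_logging, so enclave logs may include request data. For testing only.`, so the attested artifact's name is not the only hint.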
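Review bot: `package_name=oak_ml_transparency` does not match the file name `oak_ml_transparency_eval.sh`, unlike every other buildconfig in this commit where the two agree, and the header comment repeats the mismatch; since `package_name` forms part of the upload path (`binary/${GITHUB_SHA}/${package_name}/...` in the workflow's retained script) it is worth settling which name is canonical. The build also invokes `/project/runner-musl`, `/project/mnist_model.tar.gz` and `/project/eval.py` by absolute path instead of through `nix develop`, so it only works inside a prepared container whose contents this file does not pin; a comment such as `# Expects the ML transparency runner image at <IMAGE_REFERENCE placeholder>; /project/* come from it.` would record the assumption. The subject here is `claim.json` rather than a binary, which is fine for the attestation step but worth saying in the header.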
+++ b/buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Build configuration for oak_restricted_kernel_simple_io_init_rd_wrapper_bin.
+#
+# TODO: b/333745447 - Replace this file with its counterparts in ./buildconfigs_full_provenance.
+
+package_name=oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+
+declare -a build_command=(
+ "nix",
+ "develop",
+ ".#rust",
+ "--command",
+ "just",
+ "oak_restricted_kernel_simple_io_init_rd_wrapper",
+)
+
+binary_path=oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin
+subject_path="${binary_path}"
diff --git a/buildconfigs/stage0_bin.sh b/buildconfigs/stage0_bin.sh
new file mode 100644
index 00000000000..9b646062a91
--- /dev/null
+++ b/buildconfigs/stage0_bin.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+package_name=stage0_bin
+
+declare -a build_command=(
+ "nix",
+ "develop",
+ ".#rust",
+ "--command",
+ "env",
+ "--chdir=stage0_bin",
+ "cargo",
+ "objcopy",
+ "--release",
+ "--",
+ "--output-target=binary",
+ "target/x86_64-unknown-none/release/stage0_bin",
+)
+
+binary_path=stage0_bin/target/x86_64-unknown-none/release/stage0_bin
+subject_path="${binary_path}"
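Review bot: The array elements are written as `"nix",` with trailing commas, which bash does not strip: `declare -a build_command=( "nix", "develop", ... )` yields the elements `nix,`, `develop,`, `.#rust,` and so on, so the build presumably fails with a command-not-found for `nix,` as soon as the array is expanded into a command. Drop the commas (and the then-unneeded quotes) to match the other configs, one bare word per line: `nix`, `develop`, `.#rust`. `stage0_bin.sh` in the next hunk has the same commas and additionally lacks the `# Build configuration for stage0_bin.` header every other file received in this commit. A mistake like this is cheap to catch with a `bash -n`-style or sourcing smoke test over `buildconfigs/*.sh` in CI, which would also guard the shebang/`declare` question raised on the earlier hunks.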