Directly issue kernel provenance for attestation measurements #4976
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously the provenance created by the SLSA builder was just for the bzImage. Not the artifact that would be measured in the attestation. With this PR the provenance subjects should include binaries measured in the attestation. Change-Id: I16e3234d0d65e3790319294c416c378cd7611681
jul-sh
commented
Apr 3, 2024
Comment on lines
+29
to
+37
| rm -rf oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | ||
| mkdir -p oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | ||
| cp \ | ||
| oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin \ | ||
| oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}}/bzimage | ||
| cargo run --package oak_kernel_measurement -- \ | ||
| --kernel=oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}}/bzimage \ | ||
| --kernel-setup-data-output=oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}}/kernel_setup_data \ | ||
| --kernel-image-output=oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}}/kernel_image |
There was a problem hiding this comment.
it's not pretty, but all in all I find the justfile to be very ergonomic.
jul-sh
commented
Apr 3, 2024
| @@ -6,4 +6,4 @@ command = [ | |||
| "just", | |||
| "oak_restricted_kernel_simple_io_init_rd_wrapper", | |||
| ] | |||
| artifact_path = "./oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_simple_io_init_rd_wrapper_bin" | |||
| artifact_path = "./oak_restricted_kernel_wrapper/target/released_bin_with_components_oak_restricted_kernel_simple_io_init_rd/*" | |||
There was a problem hiding this comment.
in theory this means the slsa builder should record all three binaries in this folder as the provenance subjects: bzImage, kernel_setup_data, kernel_image
tiziano88
approved these changes
Apr 3, 2024
| @@ -26,6 +26,15 @@ oak_restricted_kernel_bin: | |||
| _wrap_kernel kernel_bin_prefix: | |||
| env --chdir=oak_restricted_kernel_wrapper OAK_RESTRICTED_KERNEL_FILE_NAME={{kernel_bin_prefix}}_bin cargo build --release | |||
| rust-objcopy --output-target=binary oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin | |||
| rm -rf oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |||
There was a problem hiding this comment.
I am not sure whether we should be moving / changing stuff in the Rust target dir. Maybe we should just do it outside, in some out dir or similar?
| @@ -26,6 +26,15 @@ oak_restricted_kernel_bin: | |||
| _wrap_kernel kernel_bin_prefix: | |||
| env --chdir=oak_restricted_kernel_wrapper OAK_RESTRICTED_KERNEL_FILE_NAME={{kernel_bin_prefix}}_bin cargo build --release | |||
| rust-objcopy --output-target=binary oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin | |||
| rm -rf oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |||
There was a problem hiding this comment.
I think this logic would benefit from some comment -- I imagine a new starter would find it quite difficult to figure out what's going on and why. We may even want to have a paragraph in some readme and refer to that, since it probably won't fit in an inline comment here.
| cp \ | ||
| oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin \ | ||
| oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}}/bzimage | ||
| cargo run --package oak_kernel_measurement -- \ |
There was a problem hiding this comment.
Suggested change
| cargo run --package oak_kernel_measurement -- \ | |
| cargo run --package=oak_kernel_measurement -- \ |
| @@ -26,6 +26,15 @@ oak_restricted_kernel_bin: | |||
| _wrap_kernel kernel_bin_prefix: | |||
| env --chdir=oak_restricted_kernel_wrapper OAK_RESTRICTED_KERNEL_FILE_NAME={{kernel_bin_prefix}}_bin cargo build --release | |||
| rust-objcopy --output-target=binary oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin | |||
| rm -rf oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |||
| mkdir -p oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |||
There was a problem hiding this comment.
Suggested change
| mkdir -p oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |
| mkdir --parents oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} |
thmsbinder
reviewed
Apr 4, 2024
| #[arg(long, help = "The location of output the extracted kernel setup data file to")] | ||
| kernel_setup_data_output: Option<PathBuf>, | ||
| #[arg(long, help = "The location of output the extracted kernel image file to")] | ||
| kernel_image_output: Option<PathBuf>, |
There was a problem hiding this comment.
--kernel is a required input parameter, --kernel_setup_data_output and --kernel_image_output are optional output parameters.
How about making the flag naming consistent regarding input/output - simply remove the "*_output" from the flag name?
Mention the optionality in the arg help?
| @@ -26,6 +26,15 @@ oak_restricted_kernel_bin: | |||
| _wrap_kernel kernel_bin_prefix: | |||
| env --chdir=oak_restricted_kernel_wrapper OAK_RESTRICTED_KERNEL_FILE_NAME={{kernel_bin_prefix}}_bin cargo build --release | |||
| rust-objcopy --output-target=binary oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/oak_restricted_kernel_wrapper oak_restricted_kernel_wrapper/target/x86_64-unknown-none/release/{{kernel_bin_prefix}}_wrapper_bin | |||
| rm -rf oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |||
| mkdir -p oak_restricted_kernel_wrapper/target/released_bin_with_components_{{kernel_bin_prefix}} | |||
| cp \ | |||
There was a problem hiding this comment.
cp --preserve=timestamps
as elsewhere, when copying any kind of binary. The file mtimes are of interest for Transparent Release.
jul-sh
added a commit
to jul-sh/oak
that referenced
this pull request
Apr 4, 2024
current workflow breaks: https://github.com/project-oak/oak/actions/runs/8544823048/job/23412049549, while slsa's wildcard workflow succeeds: https://github.com/slsa-framework/example-package/blob/e51524d7e65531856d3028bff6b1ac846ea85913/.github/configs-docker/app-config.toml . Maybe it's that we use more exhaustive wildcard. Worth trying if it fixes it. There's some other issues to resolve from project-oak#4976 we'll get to them if and once this works Change-Id: I0b13863f30a7cd6778997f174dfbcdc634ffac8b
jul-sh
added a commit
to jul-sh/oak
that referenced
this pull request
Apr 4, 2024
current workflow breaks: https://github.com/project-oak/oak/actions/runs/8544823048/job/23412049549, while slsa's wildcard workflow succeeds: https://github.com/slsa-framework/example-package/blob/e51524d7e65531856d3028bff6b1ac846ea85913/.github/configs-docker/app-config.toml . Maybe it's that we use an older worther. Worth trying if updating fixes it. There's some other issues to resolve from project-oak#4976 we'll get to them if and once this works Change-Id: I82cc4a7194980d71318b12e0eeb8f35d6d1f2711
This was referenced Apr 4, 2024
jul-sh
added a commit
that referenced
this pull request
Apr 4, 2024
current workflow breaks: https://github.com/project-oak/oak/actions/runs/8544823048/job/23412049549, while slsa's wildcard workflow succeeds: https://github.com/slsa-framework/example-package/blob/e51524d7e65531856d3028bff6b1ac846ea85913/.github/configs-docker/app-config.toml . Maybe it's that we use more exhaustive wildcard. Worth trying if it fixes it. There's some other issues to resolve from #4976 we'll get to them if and once this works Change-Id: I0b13863f30a7cd6778997f174dfbcdc634ffac8b
jul-sh
added a commit
that referenced
this pull request
Apr 4, 2024
current workflow breaks: https://github.com/project-oak/oak/actions/runs/8544823048/job/23412049549, while slsa's wildcard workflow succeeds: https://github.com/slsa-framework/example-package/blob/e51524d7e65531856d3028bff6b1ac846ea85913/.github/configs-docker/app-config.toml . Maybe it's that we use an older worther. Worth trying if updating fixes it. There's some other issues to resolve from #4976 we'll get to them if and once this works Change-Id: I82cc4a7194980d71318b12e0eeb8f35d6d1f2711
copybara-service bot
pushed a commit
that referenced
this pull request
Apr 9, 2024
Squashed commit of the following: commit 1b24ec1 Author: Tiziano Santoro <[email protected]> Date: Thu Apr 4 00:50:26 2024 +0100 Update nix deps (#4979) Among other things, this update xz to v. 5.4.6 commit f68df2b Author: Tiziano Santoro <[email protected]> Date: Thu Apr 4 00:46:45 2024 +0100 Align with internal linter (#4978) b/332740854 commit 8bdd773 Author: jblebrun <[email protected]> Date: Wed Apr 3 21:43:20 2024 +0000 Update h2 to resolve vulnerability discovered by deny (#4977) https://rustsec.org/advisories/RUSTSEC-2024-0332 commit 5bc91be Author: jul-sh <[email protected]> Date: Wed Apr 3 16:05:06 2024 -0400 Directly issue kernel provenance for attestation measurements (#4976) * Directly issue kernel provenance attestation measurements Previously the provenance created by the SLSA builder was just for the bzImage. Not the artifact that would be measured in the attestation. With this PR the provenance subjects should include binaries measured in the attestation. Change-Id: I16e3234d0d65e3790319294c416c378cd7611681 * fix typo Change-Id: I3d078256d085ef05171e5997743d7497fc530ad0 commit 2ae6255 Author: Andri Saar <[email protected]> Date: Tue Apr 2 20:55:51 2024 +0000 Do a page state change operation before invoking `PVALIDATE` commit 8452885 Author: conradgrobler <[email protected]> Date: Wed Apr 3 17:54:04 2024 +0100 Ensure CPUID triggered the #VC exception (#4974) We want to make sure that the instruction pointer in a #VC exception really pointed to a CPUID instruction since it is the only #VC exception type we support. commit 4ad534f Author: thmsbinder <[email protected]> Date: Wed Apr 3 18:09:46 2024 +0200 Add and verify endorsement field for text reference value (#4973) The kernel command line reference value now follows the pattern from other reference values: skip, TR endorsement, or direct verification. When using TR endorsements in conjunction with the kernel command line the regex feature needs to be enabled. commit fa50670 Author: Patrick McGrath <[email protected]> Date: Tue Apr 2 10:43:22 2024 -0700 Unary gRPC transport template class (#4970) Implement unary transport class template for future Oak clients that use the unary interface. commit 65f6b46 Author: k-naliuka <[email protected]> Date: Fri Mar 29 00:33:37 2024 +0100 Add go and java options to the TcbVersion proto (#4969) commit cefb3c3 Author: Andri Saar <[email protected]> Date: Thu Mar 28 15:46:31 2024 +0000 Collect, and print out, some `PVALIDATE` stats in stage0 commit 579e92c Author: k-naliuka <[email protected]> Date: Wed Mar 27 20:49:53 2024 +0100 Refactor text reference values matching (#4965) Allow literal string comparison and make regex optional commit 121a6b0 Author: Ivan Petrov <[email protected]> Date: Wed Mar 27 19:13:14 2024 +0000 Sign group keys as part of Key Provisioning (#4961) This PR adds the ability to sign group keys in the attestation evidence as part of Key Provisioning. Ref #4442 commit 2a57cd6 Author: jul-sh <[email protected]> Date: Wed Mar 27 12:10:56 2024 -0400 Revert "Increase the size of the certificate in Stage0 DICE data (#4946)" (#4966) This reverts commit c869644, as it introduced a breaking change that broke imports. commit 57a8f73 Author: Ivan Petrov <[email protected]> Date: Wed Mar 27 15:29:07 2024 +0000 Add GroupEncryptionKeyHandle to C++ Containers SDK (#4964) Ref #4442 commit 863ee00 Author: k-naliuka <[email protected]> Date: Wed Mar 27 14:15:48 2024 +0100 Include regex in Bazel oak_crates_index (#4960) commit 83d881d Author: Tiziano Santoro <[email protected]> Date: Wed Mar 27 09:53:32 2024 +0000 Fix username and host when building kernel (#4963) b/330744888 Change-Id: Iac4a71c2d14238ccaca13c3997f47aa265a789ba
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously the provenance created by the SLSA builder was just for the bzImage. Not the artifact that would be measured in the attestation. With this PR the provenance subjects should include binaries measured in the attestation.
Change-Id: I16e3234d0d65e3790319294c416c378cd7611681
http://b/332723461