From 644abde35c31c0cf875b5be33785bf8f328c76bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 26 Jan 2024 14:30:07 +0100
Subject: [PATCH] packaging: coco-guest-components: Allow building the project
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Confidential Containers guest-components will, in the very short future, be part of the Kata Containers rootfs that's used by the Confidential Containers usecase.

This commit introduces the ability to, standalone, build the component locally and as part of our CI, and this can be done by calling:
`make coco-guest-components-tarball`

Signed-off-by: Fabiano FidĂȘncio
Signed-off-by: Linda Yu
Co-authored-by: stevenhorsman
Co-authored-by: Jakob Naucke
Co-authored-by: Wang, Arron
Co-authored-by: zhouliang121
Co-authored-by: Alex Carter
Co-authored-by: Suraj Deshmukh
Co-authored-by: Xynnn007
---
 .../build-kata-static-tarball-amd64.yaml           |  1 +
 .../build-kata-static-tarball-s390x.yaml           |  1 +
 .../kata-deploy/local-build/Makefile               |  3 +
 .../kata-deploy-binaries-in-docker.sh              |  2 +
 .../local-build/kata-deploy-binaries.sh            | 23 +++++++-
 tools/packaging/release/release-notes.sh           |  1 +
 tools/packaging/scripts/lib.sh                     |  5 ++
 .../coco-guest-components/Dockerfile               | 28 +++++++++
 .../build-static-coco-guest-components.sh          | 63 +++++++++++++++++++
 .../coco-guest-components/build.sh                 | 45 +++++++++++++
 versions.yaml                                      |  6 ++
 11 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 tools/packaging/static-build/coco-guest-components/Dockerfile
 create mode 100755 tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
 create mode 100755 tools/packaging/static-build/coco-guest-components/build.sh

diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index a7bfc7a022..7427ad2bb1 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -32,6 +32,7 @@ jobs:
           - agent-ctl
           - cloud-hypervisor
           - cloud-hypervisor-glibc
+          - coco-guest-components
           - firecracker
           - genpolicy
           - kata-ctl
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index 4d0386e052..a735b6aa28 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -28,6 +28,7 @@ jobs:
       matrix:
         asset:
           - agent
+          - coco-guest-components
           - kernel
           - qemu
           - rootfs-image
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 289cb06d23..a1d5fa5d8c 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -88,6 +88,9 @@ agent-opa-tarball: copy-scripts-for-the-agent-build
 agent-ctl-tarball:
 	${MAKE} $@-build
 
+coco-guest-components-tarball:
+	${MAKE} $@-build
+
 cloud-hypervisor-tarball:
 	${MAKE} $@-build
 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index 7e7a6d65b7..165c107c6f 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -86,6 +86,7 @@ TARGET_BRANCH="${TARGET_BRANCH:-}"
 BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
 PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
 AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
+COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-}"
 INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}"
 KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}"
 OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}"
@@ -110,6 +111,7 @@ docker run \
 	--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
 	--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
 	--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
+	--env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
 	--env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \
 	--env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \
 	--env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index aa3f397a6d..589711d5c6 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -23,6 +23,7 @@ readonly version_file="${repo_root_dir}/VERSION"
 readonly versions_yaml="${repo_root_dir}/versions.yaml"
 
 readonly agent_builder="${static_build_dir}/agent/build.sh"
+readonly coco_guest_components_builder="${static_build_dir}/coco-guest-components/build.sh"
 readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
 readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
 readonly kernel_builder="${static_build_dir}/kernel/build.sh"
@@ -87,6 +88,7 @@ options:
 	agent-opa
 	agent-ctl
 	boot-image-se
+	coco-guest-components
 	cloud-hypervisor
 	cloud-hypervisor-glibc
 	firecracker
@@ -710,6 +712,22 @@ install_agent_opa() {
 	install_agent_helper "yes"
 }
 
+install_coco_guest_components() {
+	latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")"
+	latest_builder_image="$(get_coco_guest_components_image_name)"
+
+	install_cached_tarball_component \
+		"${build_target}" \
+		"${latest_artefact}" \
+		"${latest_builder_image}" \
+		"${final_tarball_name}" \
+		"${final_tarball_path}" \
+		&& return 0
+
+	info "build static coco-guest-components"
+	"${coco_guest_components_builder}"
+}
+
 install_tools_helper() {
 	tool=${1}
 
@@ -821,9 +839,11 @@ handle_build() {
 	agent-opa) install_agent_opa ;;
 
 	agent-ctl) install_agent_ctl ;;
-
+	
 	boot-image-se) install_se_image ;;
 
+	coco-guest-components) install_coco_guest_components ;;
+
 	cloud-hypervisor) install_clh ;;
 
 	cloud-hypervisor-glibc) install_clh_glibc ;;
@@ -941,6 +961,7 @@ main() {
 		agent-opa
 		agent-ctl
 		cloud-hypervisor
+		coco-guest-components
 		firecracker
 		genpolicy
 		kata-ctl
diff --git a/tools/packaging/release/release-notes.sh b/tools/packaging/release/release-notes.sh
index 734028dc07..13b594cbb5 100755
--- a/tools/packaging/release/release-notes.sh
+++ b/tools/packaging/release/release-notes.sh
@@ -151,6 +151,7 @@ used to build the release artefacts. The users who want to rebuild the tarballs
 using exactly the same images can simply use the following environment variables:
 
 * \`AGENT_CONTAINER_BUILDER\`
+* \`COCO_GUEST_COMPONENTS_CONTAINER_BUILDER\`
 * \`KERNEL_CONTAINER_BUILDER\`
 * \`OVMF_CONTAINER_BUILDER\`
 * \`QEMU_CONTAINER_BUILDER\`
diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh
index 7311fb9a0b..5815b7e023 100644
--- a/tools/packaging/scripts/lib.sh
+++ b/tools/packaging/scripts/lib.sh
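Review bot: `install_coco_guest_components` assigns `latest_artefact` and `latest_builder_image` without `local`, so both leak into the caller's scope once `handle_build` dispatches to it; `local latest_artefact latest_builder_image` at the top of the function keeps them private, unless `install_cached_tarball_component` is relied upon to read them as globals, which the hunk does not show. The `@@ -821` hunk also replaces the empty line after `agent-ctl)` with what appears to be a whitespace-only line, which `git diff --check` flags as trailing whitespace; dropping that `-`/`+` pair keeps the change limited to the new `coco-guest-components)` case. As a style nit, that case and the `options:` entry are placed before `cloud-hypervisor`, whereas `main()` and both workflow matrices list `coco-guest-components` after it. The enclosing `handle_build` and `main` functions extend past these hunks.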
@@ -216,3 +216,8 @@ get_agent_image_name() {
 
 	echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
 }
+
+get_coco_guest_components_image_name() {
+	coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"
+	echo "${BUILDER_REGISTRY}:coco-guest-components-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-$(get_last_modification ${coco_guest_components_script_dir})-$(uname -m)"
+}
diff --git a/tools/packaging/static-build/coco-guest-components/Dockerfile b/tools/packaging/static-build/coco-guest-components/Dockerfile
new file mode 100644
index 0000000000..cc80da32e7
--- /dev/null
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@@ -0,0 +1,28 @@
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FROM ubuntu:22.04
+ARG RUST_TOOLCHAIN
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN apt-get update && \
+    apt-get --no-install-recommends -y install \
+        binutils \
+        ca-certificates \
+        clang \
+        curl \
+        g++ \
+        gcc \
+        git \
+        gnupg \
+        libssl-dev \
+        make \
+        musl-tools \
+        openssl \
+        perl \
+        protobuf-compiler && \
+    apt-get clean && rm -rf /var/lib/apt/lists/ && \
+    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
diff --git a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
new file mode 100755
index 0000000000..09afb2c2b0
--- /dev/null
+++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
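Review bot: The last `RUN` step of the new Dockerfile pipes `https://sh.rustup.rs` straight into `sh`, so the builder image depends on whatever that installer serves at build time even though the toolchain itself is pinned through `RUST_TOOLCHAIN`, and the cached-image tag computed by `get_coco_guest_components_image_name` will not change when the installer does. Fetching the script to a file and checking it against a recorded digest before executing it pins that step as well, e.g. `curl --proto '=https' --tlsv1.2 -sSf -o rustup-init.sh https://sh.rustup.rs && echo "<RUSTUP_INIT_SHA256>  rustup-init.sh" | sha256sum -c - && sh rustup-init.sh -y --default-toolchain ${RUST_TOOLCHAIN}`, with the digest kept next to the toolchain version in `versions.yaml` so both are bumped together. The `--proto '=https' --tlsv1.2` options already on the line are worth keeping in either form.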
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+[ -n "$coco_guest_components_repo" ] || die "failed to get coco-guest-components repo"
+[ -n "$coco_guest_components_version" ] || die "failed to get coco-guest-components version"
+
+[ -d "guest-components" ] && rm -rf guest-components
+
+init_env() {
+	source "$HOME/.cargo/env"
+
+	export LIBC=gnu
+
+	ARCH=$(uname -m)
+	rust_arch=""
+	case ${ARCH} in
+		"aarch64")
+			rust_arch=${ARCH}
+			;;
+		"ppc64le")
+			rust_arch="powerpc64le"
+			;;
+		"x86_64")
+			rust_arch=${ARCH}
+			;;
+		"s390x")
+			rust_arch=${ARCH}
+			;;
+	esac
+	rustup target add ${rust_arch}-unknown-linux-${LIBC}
+}
+
+build_coco_guest_components_from_source() {
+	echo "build coco-guest-components from source"
+
+	init_env
+
+	git clone --depth 1 ${coco_guest_components_repo} guest-components
+	pushd guest-components
+
+	git fetch --depth=1 origin "${coco_guest_components_version}"
+	git checkout FETCH_HEAD
+
+	TEE_PLATFORM=${TEE_PLATFORM} make build
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
+	TEE_PLATFORM=${TEE_PLATFORM} make install
+	popd
+}
+
+build_coco_guest_components_from_source $@
diff --git a/tools/packaging/static-build/coco-guest-components/build.sh b/tools/packaging/static-build/coco-guest-components/build.sh
new file mode 100755
index 0000000000..60ede9623b
--- /dev/null
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
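Review bot: The `case ${ARCH}` in `init_env` has no default branch, so on any architecture other than the four listed `rust_arch` stays empty and the failure only surfaces later as `rustup target add -unknown-linux-gnu` with no hint about the cause; adding `*) die "unsupported architecture: ${ARCH}" ;;` before `esac` makes the script fail fast with a clear message. With `set -o nounset` in effect, the two guards `[ -n "$coco_guest_components_repo" ]` and `[ -n "$coco_guest_components_version" ]` also never reach their `die` text when the variable is missing, because bash aborts with "unbound variable" first; `"${coco_guest_components_repo:-}"` and `"${coco_guest_components_version:-}"` preserve the intended diagnostics. The same `:-` default would apply to `${TEE_PLATFORM}` on the `make build` and `make install` lines if the script is ever run outside the `build.sh` container, which is what exports it. Finally, `${coco_guest_components_repo}` in the `git clone` and `$@` on the last line are unquoted; `"${coco_guest_components_repo}"` and `"$@"` avoid word splitting on unusual values.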
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly coco_guest_components_builder="${script_dir}/build-static-coco-guest-components.sh"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+coco_guest_components_repo="${coco_guest_components_repo:-}"
+coco_guest_components_version="${coco_guest_components_version:-}"
+coco_guest_components_toolchain="${coco_guest_components_toolchain:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${coco_guest_components_repo}" ] || coco_guest_components_repo=$(get_from_kata_deps "externals.coco-guest-components.url")
+[ -n "${coco_guest_components_version}" ] || coco_guest_components_version=$(get_from_kata_deps "externals.coco-guest-components.version")
+[ -n "${coco_guest_components_toolchain}" ] || coco_guest_components_toolchain=$(get_from_kata_deps "externals.coco-guest-components.toolchain")
+
+[ -n "${coco_guest_components_repo}" ] || die "Failed to get coco-guest-components repo"
+[ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
+[ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"
+
+container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
+[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
+
+sudo docker pull ${container_image} || \
+	(sudo docker $BUILDX build $PLATFORM \
+	--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
+	-t "${container_image}" "${script_dir}" && \
+	# No-op unless PUSH_TO_REGISTRY is exported as "yes"
+	push_to_registry "${container_image}")
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+	-w "${PWD}" \
+	--env TEE_PLATFORM=${TEE_PLATFORM:-all} \
+	--env coco_guest_components_repo="${coco_guest_components_repo}" \
+	--env coco_guest_components_version="${coco_guest_components_version}" \
+	"${container_image}" \
+	bash -c "${coco_guest_components_builder}"
diff --git a/versions.yaml b/versions.yaml
index d888613f2a..38f408386f 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -207,6 +207,12 @@ externals:
     url: "https://github.com/containernetworking/plugins"
     version: "v1.2.0"
 
+  coco-guest-components:
+    description: "Provides attested key unwrapping for image decryption"
+    url: "https://github.com/confidential-containers/guest-components/"
+    version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
+    toolchain: "1.72.0"
+
   conmon:
     description: "An OCI container runtime monitor"
     url: "https://github.com/containers/conmon"
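Review bot: `[ "${CROSS_BUILD}" == "true" ]` and the bare `$BUILDX`/`$PLATFORM` expansions in the `docker build` fallback run under `set -o nounset`, so invoking `build.sh` without those variables exported aborts with an "unbound variable" error instead of falling back to a native build; `"${CROSS_BUILD:-}"`, `${BUILDX:-}` and `${PLATFORM:-}` keep the intended opt-in behaviour, unless `lib.sh` already initialises them, which this diff does not show. `package_output_dir` is defaulted on its own line but never read anywhere else in the script, so it should either be dropped or passed into the container alongside the other `--env` values. `sudo docker pull ${container_image}` should also quote its argument, matching the `-t "${container_image}"` a few lines below.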