From 33368859d907ef357073112f108f358872dd7a02 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:41:31 +0000
Subject: [PATCH 1/4] qemu/nemu: remove blacklisted binaries
Remove blacklisted binaries, since they are not needed in kata and may have CVEs. fixes #311
Signed-off-by: Julio Montes
---
 static-build/nemu/build-static-nemu.sh | 6 ++++
 static-build/qemu.blacklist | 38 ++++++++++++++++++++++++++
 static-build/qemu/build-static-qemu.sh | 6 ++++
 3 files changed, 50 insertions(+)
 create mode 100644 static-build/qemu.blacklist
diff --git a/static-build/nemu/build-static-nemu.sh b/static-build/nemu/build-static-nemu.sh
index 2e07da6ea4..f1027c2aa4 100755
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"
 if [ $# -ne 0 ];then
@@ -94,3 +96,7 @@ sudo docker run \
 mv "/tmp/nemu-static/${nemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"
diff --git a/static-build/qemu.blacklist b/static-build/qemu.blacklist
new file mode 100644
index 0000000000..5584596767
--- /dev/null
+++ b/static-build/qemu.blacklist
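Review bot: `${qemu_black_list[*]}` on the new `tar --delete` line is unquoted, so every pattern (`*/bin/qemu-pr-helper`, `*/share/*/*.img`, …) goes through the shell's own pathname expansion against the current directory before tar ever sees it; a stray `bin/` or `share/` tree under `$PWD` would silently replace a pattern with local paths and the intended member would survive in the tarball. Pass the array as `"${qemu_black_list[@]}"` so that only tar's `--wildcards` matching applies. The same line is added to static-build/qemu/build-static-qemu.sh later in this patch. Separately, GNU tar reports a pattern that matches no member as not found and exits non-zero (certainly for extraction, and I believe for `--delete` as well), which `pipefail` turns into a failed pipeline; unless `set -e` is active above the hunk, the following `mv -f` then overwrites the good tarball with a truncated `${nemu_tmp_tar}`, so guard the pipeline with `|| die "failed to strip blacklisted files"` or check its status before the move.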
@@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)
diff --git a/static-build/qemu/build-static-qemu.sh b/static-build/qemu/build-static-qemu.sh
index d2986897cd..030e142c5f 100755
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
@@ -54,3 +56,7 @@ sudo docker run \
 mv "/tmp/qemu-static/${qemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"
From 7892608589f9abe5960e7b08b3bc4250b5ca4487 Mon Sep 17 00:00:00 2001
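Review bot: The elements of `qemu_black_list=( … )` are unquoted globs, so bash performs pathname expansion on them at the moment the file is sourced, relative to whichever directory the build script is run from; an existing `bin/qemu-pr-helper` or `share/…` path there would turn the entry into concrete local filenames and the matching member would no longer be deleted from the tarball. Quote each entry, e.g. `'*/bin/qemu-pr-helper'` and `'*/share/*/pxe-*'`, so the literal patterns reach tar's `--wildcards` matching unchanged. A short header comment stating that the file is sourced by static-build/nemu/build-static-nemu.sh and static-build/qemu/build-static-qemu.sh and that entries are tar `--wildcards` patterns matched against archive member names, not shell globs, would also save the next editor from the same trap.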
From: Julio Montes
Date: Wed, 14 Aug 2019 17:48:28 +0000
Subject: [PATCH 2/4] static-build/qemu: use the latest ubuntu long term to build qemu
In theory the latest ubuntu long term may have less CVE than previous versions, so let's use it to build the static QEMU.
Signed-off-by: Julio Montes
---
 static-build/qemu/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/static-build/qemu/Dockerfile b/static-build/qemu/Dockerfile
index 410a17e2c3..1bc492590a 100644
--- a/static-build/qemu/Dockerfile
+++ b/static-build/qemu/Dockerfile
@@ -1,4 +1,4 @@
-from ubuntu:16.04
+from ubuntu:18.04
 ARG QEMU_REPO
 # commit/tag/branch
From decb9de7df38ba302e82a2571374058f747990ff Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:53:22 +0000
Subject: [PATCH 3/4] static-build: do not use cache to build docker images
Do not use cache to build the docker images that build static qemu and nemu. The latest version of the packages must be installed, since they may include the fixes for theirs CVEs.
Signed-off-by: Julio Montes
---
 static-build/nemu/build-static-nemu.sh | 1 +
 static-build/qemu/build-static-qemu.sh | 1 +
 2 files changed, 2 insertions(+)
diff --git a/static-build/nemu/build-static-nemu.sh b/static-build/nemu/build-static-nemu.sh
index f1027c2aa4..bc1f7957ee 100755
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -76,6 +76,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 sudo docker build \
+ --no-cache \
 --build-arg http_proxy="${http_proxy}" \
 --build-arg https_proxy="${https_proxy}" \
 --build-arg NEMU_REPO="${nemu_repo}" \
diff --git a/static-build/qemu/build-static-qemu.sh b/static-build/qemu/build-static-qemu.sh
index 030e142c5f..7e46c837ec 100755
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
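Review bot: `--no-cache` on its own does not refresh the `ubuntu:18.04` base image the Dockerfile starts `from`; Docker reuses whatever copy of that tag is already present locally, so a builder that pulled it months ago keeps building on a stale base and the package upgrades this series is after only apply on top of it. Add `--pull \` next to the new `--no-cache \` line so the current image behind the tag is fetched on every build. The same applies to the matching hunk in static-build/qemu/build-static-qemu.sh. The `sudo docker build` command continues past the end of the hunk.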
@@ -41,6 +41,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 sudo docker build \
+ --no-cache \
 --build-arg http_proxy="${http_proxy}" \
 --build-arg https_proxy="${https_proxy}" \
 --build-arg QEMU_REPO="${qemu_repo}" \
From c79a01b3f95450eedba3b4354334e1f3d55f3fa8 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:57:26 +0000
Subject: [PATCH 4/4] static-build: upgrade the container before building qemu and nemu
Upgrade the container before building qemu and nemu in order to install the latest fixes for the CVEs. fixes #676
Signed-off-by: Julio Montes
---
 static-build/nemu/Dockerfile | 2 +-
 static-build/qemu/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/static-build/nemu/Dockerfile b/static-build/nemu/Dockerfile
index f8c52f29e5..61ea52420b 100644
--- a/static-build/nemu/Dockerfile
+++ b/static-build/nemu/Dockerfile
@@ -12,7 +12,7 @@ ARG VIRTIOFSD
 ARG PREFIX
 WORKDIR /root/nemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 autoconf \
 automake \
diff --git a/static-build/qemu/Dockerfile b/static-build/qemu/Dockerfile
index 1bc492590a..3d79f853d0 100644
--- a/static-build/qemu/Dockerfile
+++ b/static-build/qemu/Dockerfile
@@ -6,7 +6,7 @@ ARG QEMU_VERSION
 ARG PREFIX
 WORKDIR /root/qemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 autoconf \
 automake \
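Review bot: `apt-get upgrade -y` on the new `RUN` line only upgrades packages whose dependency set is unchanged; any package whose fixed version needs a new dependency is held back, so part of the security fixes this commit is after will not land in the build container. Use `apt-get dist-upgrade -y` (or `full-upgrade`) to pick those up as well. As a point of style, update and upgrade now sit in a layer of their own ahead of the `RUN apt-get install -y \` that continues past the end of the hunk; folding update, upgrade and install into a single `RUN` that ends in `&& rm -rf /var/lib/apt/lists/*` keeps the package lists and the installs in step and drops the lists from the image. The same hunk appears in static-build/qemu/Dockerfile.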