Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

image: build and upload as one step #2798

Merged
merged 8 commits into from
Jan 15, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
548 changes: 31 additions & 517 deletions .github/workflows/build-os-image.yml

Large diffs are not rendered by default.

22 changes: 22 additions & 0 deletions WORKSPACE.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,13 @@ nixpkgs_flake_package(
package = "mkosi",
)

nixpkgs_flake_package(
name = "uplosi",
nix_flake_file = "//:flake.nix",
nix_flake_lock_file = "//:flake.lock",
package = "uplosi",
)

nixpkgs_package(
name = "diffutils",
repository = "@nixpkgs",
Expand Down Expand Up @@ -96,6 +103,21 @@ nixpkgs_package(
repository = "@nixpkgs",
)

nixpkgs_package(
name = "parallel",
repository = "@nixpkgs",
)

nixpkgs_package(
name = "cosign",
repository = "@nixpkgs",
)

nixpkgs_package(
name = "rekor-cli",
repository = "@nixpkgs",
)

load("//nix/cc:nixpkgs_cc_libraries.bzl", "nixpkgs_cc_library_deps")

nixpkgs_cc_library_deps()
Expand Down
1 change: 1 addition & 0 deletions bazel/osimage/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
exports_files(["upload_os_images.sh.in"])
104 changes: 104 additions & 0 deletions bazel/osimage/upload_os_images.bzl
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
""" Bazel rule for uploading a set of OS images to cloud providers. """

def _upload_os_images_impl(ctx):
executable = ctx.actions.declare_file("upload_os_images_%s.sh" % ctx.label.name)
files = []
files.extend(ctx.files.image_dirs)
files.append(ctx.file._version)
files.append(ctx.file._upload_cli)
files.append(ctx.file._measured_boot)
files.append(ctx.file._uplosi)
files.append(ctx.file._dissect_toolchain)
files.append(ctx.file._cosign)
files.append(ctx.file._rekor_cli)
files.append(ctx.file._parallel)
raw_image_paths = []
for image_dir in ctx.files.image_dirs:
raw_image_paths.append("%s/constellation.raw" % image_dir.short_path)
substitutions = {
"@@COSIGN@@": ctx.executable._cosign.short_path,
"@@DISSECT_TOOLCHAIN@@": ctx.executable._dissect_toolchain.short_path,
"@@FILES@@": " ".join(raw_image_paths),
"@@MEASURED_BOOT@@": ctx.executable._measured_boot.short_path,
"@@PARALLEL@@": ctx.executable._parallel.short_path,
"@@REKOR_CLI@@": ctx.executable._rekor_cli.short_path,
"@@UPLOAD_CLI@@": ctx.executable._upload_cli.short_path,
"@@UPLOSI@@": ctx.executable._uplosi.short_path,
"@@VERSION@@": ctx.file._version.short_path,
}
ctx.actions.expand_template(
template = ctx.file._upload_sh_tpl,
output = executable,
is_executable = True,
substitutions = substitutions,
)
runfiles = ctx.runfiles(files = files)
runfiles = runfiles.merge(ctx.attr._uplosi[DefaultInfo].data_runfiles)
runfiles = runfiles.merge(ctx.attr._dissect_toolchain[DefaultInfo].data_runfiles)
runfiles = runfiles.merge(ctx.attr._cosign[DefaultInfo].data_runfiles)
runfiles = runfiles.merge(ctx.attr._rekor_cli[DefaultInfo].data_runfiles)
runfiles = runfiles.merge(ctx.attr._parallel[DefaultInfo].data_runfiles)
runfiles = runfiles.merge(ctx.attr._upload_cli[DefaultInfo].data_runfiles)
runfiles = runfiles.merge(ctx.attr._measured_boot[DefaultInfo].data_runfiles)

return DefaultInfo(executable = executable, runfiles = runfiles)

upload_os_images = rule(
implementation = _upload_os_images_impl,
attrs = {
"image_dirs": attr.label_list(
doc = "List of directories containing OS images to upload.",
),
"_cosign": attr.label(
default = Label("@cosign//:bin/cosign"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_dissect_toolchain": attr.label(
default = Label("@systemd//:bin/systemd-dissect"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_measured_boot": attr.label(
default = Label("//image/measured-boot/cmd"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_parallel": attr.label(
default = Label("@parallel//:bin/parallel"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_rekor_cli": attr.label(
default = Label("@rekor-cli//:bin/rekor-cli"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_upload_cli": attr.label(
default = Label("//image/upload"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_upload_sh_tpl": attr.label(
default = "upload_os_images.sh.in",
allow_single_file = True,
),
"_uplosi": attr.label(
default = Label("@uplosi//:bin/uplosi"),
allow_single_file = True,
executable = True,
cfg = "exec",
),
"_version": attr.label(
default = Label("//bazel/settings:tag"),
allow_single_file = True,
),
},
executable = True,
)
144 changes: 144 additions & 0 deletions bazel/osimage/upload_os_images.sh.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
#!/usr/bin/env bash

set -euo pipefail
shopt -s inherit_errexit

# This script handles the upload of OS images and their corresponding image info.

POSITIONAL_ARGS=()

ref=""
upload_signed_measurements=0
fake_sign=0

while [[ $# -gt 0 ]]; do
case $1 in
--ref)
ref="$2"
shift # past argument
shift # past value
;;
--upload-measurements)
upload_signed_measurements=1
shift # past argument
;;
--fake-sign)
fake_sign=1
shift # past argument
;;
-*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done

set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters

if [[ $# -ne 0 ]]; then
echo "Unknown positional arguments: $*"
exit 1
fi

if [[ -z ${ref} ]]; then
echo "Missing required argument --ref"
exit 1
fi

version_file=$(realpath @@VERSION@@)
stat "${version_file}" >> /dev/null
version=$(cat "${version_file}")

uplosi=$(realpath @@UPLOSI@@)
stat "${uplosi}" >> /dev/null

systemd_dissect=$(realpath @@DISSECT_TOOLCHAIN@@)
stat "${systemd_dissect}" >> /dev/null
export DISSECT_TOOLCHAIN="${systemd_dissect}"

cosign=$(realpath @@COSIGN@@)
stat "${cosign}" >> /dev/null

rekor_cli=$(realpath @@REKOR_CLI@@)
stat "${rekor_cli}" >> /dev/null

upload_cli=$(realpath @@UPLOAD_CLI@@)
stat "${upload_cli}" >> /dev/null

measured_boot=$(realpath @@MEASURED_BOOT@@)
stat "${measured_boot}" >> /dev/null

parallel=$(realpath @@PARALLEL@@)
stat "${parallel}" >> /dev/null

FILES=(@@FILES@@)

workspace=$(mktemp -d)
# shellcheck disable=SC2064
trap "rm -rf ${workspace}" EXIT

echo Uploading "${#FILES[@]}" OS images. This may take a while... >&2

"${parallel}" --will-cite \
"${upload_cli}" uplosi \
--uplosi-path "${uplosi}" \
--version "${version}" \
--ref "${ref}" \
--raw-image {} \
--out "${workspace}/image-upload-{#}.json" \
::: "${FILES[@]}"

"${upload_cli}" info "${workspace}/"image-upload-*.json

if [[ ${upload_signed_measurements} -eq 0 ]]; then
echo "Skipping signed measurements upload. Enable by setting --upload-measurements" >&2
exit 0
fi

echo Uploading signed measurements. This requires sudo and a signing key. >&2
i=1
for file in "${FILES[@]}"; do
combined_name=$(basename "$(dirname "${file}")")
IFS="_" read -r csp attestation_variant stream <<< "${combined_name}"
sudo -E "${measured_boot}" "${file}" "${workspace}/pcrs-${i}.json"
sudo chown "$(id -u -n)" "${workspace}/pcrs-${i}.json"
"${upload_cli}" measurements envelope \
--in "${workspace}/pcrs-${i}.json" \
--out "${workspace}/pcrs-${i}.json" \
--version "ref/${ref}/stream/${stream}/${version}" \
--csp "${csp}" \
--attestation-variant "${attestation_variant}"
i=$((i + 1))
done

"${upload_cli}" measurements merge \
--out "${workspace}/measurements.json" \
"${workspace}"/pcrs-*.json

if [[ ${fake_sign} -eq 1 ]]; then
echo "Skipping signing of measurements and using fake signature instead (--fake-sign is set)." >&2
echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${workspace}/measurements.json.sig"
else
# shellcheck disable=SC2016
echo 'Creating real signature with keys referenced in $COSIGN_PUBLIC_KEY_PATH, $COSIGN_PRIVATE_KEY and $COSIGN_PASSWORD. Set "--fake-sign" for debugging purposes.' >&2
# Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 "${cosign}" sign-blob --yes --key env://COSIGN_PRIVATE_KEY \
"${workspace}/measurements.json" > "${workspace}/measurements.json.sig"
# Verify - As documentation & check
# Local Signature (input: artifact, key, signature)
"${cosign}" verify-blob --key "${COSIGN_PUBLIC_KEY_PATH}" \
--signature "${workspace}/measurements.json.sig" \
"${workspace}/measurements.json"
# Transparency Log Signature (input: artifact, key)
uuid=$("${rekor_cli}" search --artifact "${workspace}/measurements.json" | tail -n 1)
sig=$("${rekor_cli}" get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
"${cosign}" verify-blob --key "${COSIGN_PUBLIC_KEY_PATH}" --signature <(echo "${sig}") "${workspace}/measurements.json"
fi

"${upload_cli}" measurements upload \
--measurements "${workspace}/measurements.json" \
--signature "${workspace}/measurements.json.sig"
11 changes: 11 additions & 0 deletions flake.nix
Original file line number Diff line number Diff line change
Expand Up @@ -47,12 +47,23 @@
]);
}));

uplosiDev = (pkgsUnstable.uplosi.overrideAttrs (oldAttrs: rec {
src = pkgsUnstable.fetchFromGitHub {
owner = "edgelesssys";
repo = "uplosi";
rev = "0190e8c548b5811066b7e2d9db5e3167f51c005f";
hash = "sha256-AHj3XTX+vd8QP4hWGPAt2iJnrIGoiH61UgQMK7vlYU0=";
};
}));

openssl-static = pkgsUnstable.openssl.override { static = true; };

in
{
packages.mkosi = mkosiDev;

packages.uplosi = uplosiDev;

packages.openssl = callPackage ./nix/cc/openssl.nix { pkgs = pkgsUnstable; };

packages.cryptsetup = callPackage ./nix/cc/cryptsetup.nix { pkgs = pkgsUnstable; pkgsLinux = import nixpkgsUnstable { system = "x86_64-linux"; }; };
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -176,7 +176,7 @@ require (
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
github.com/BurntSushi/toml v1.3.2 // indirect
github.com/BurntSushi/toml v1.3.2
github.com/MakeNowJust/heredoc v1.0.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.1 // indirect
Expand Down
22 changes: 22 additions & 0 deletions image/system/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
load("//bazel/osimage:upload_os_images.bzl", "upload_os_images")
load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation_packages", "images_for_csp", "images_for_csp_and_stream", "images_for_stream", "kernel_command_line", "kernel_command_line_dict")

[
Expand Down Expand Up @@ -38,6 +39,16 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
"no-cache",
],
version_file = "//bazel/settings:tag",
visibility = ["//visibility:public"],
)
for variant in VARIANTS
for stream in STREAMS
]

[
upload_os_images(
name = "upload_" + variant["csp"] + "_" + variant["attestation_variant"] + "_" + stream,
image_dirs = [":" + variant["csp"] + "_" + variant["attestation_variant"] + "_" + stream],
)
for variant in VARIANTS
for stream in STREAMS
Expand All @@ -51,6 +62,15 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
"manual",
"no-cache",
],
visibility = ["//visibility:public"],
)
for stream in STREAMS
]

[
upload_os_images(
name = "upload_" + stream,
image_dirs = [":" + stream],
)
for stream in STREAMS
]
Expand All @@ -63,6 +83,7 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
"manual",
"no-cache",
],
visibility = ["//visibility:public"],
)
for csp in CSPS
]
Expand All @@ -75,6 +96,7 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
"manual",
"no-cache",
],
visibility = ["//visibility:public"],
)
for csp in CSPS
for stream in STREAMS
Expand Down
Loading