From fdd49a3d059b625296f5ac4c3d5b747cc5411e9c Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Fri, 9 Aug 2024 16:16:41 +0200
Subject: [PATCH] runtime-class-files: remove, calculate runtime hash from all files

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 packages/by-name/contrast/package.nix | 23 +++---
 packages/by-name/hashDirs/package.nix | 22 ++++++
 .../contrast-node-installer-image/package.nix | 69 ++++++++++-------
 .../kata/runtime-class-files/package.nix | 76 -------------------
 .../contrast-node-installer-image/package.nix | 40 ++++++----
 .../by-name/microsoft/kata-igvm/package.nix | 11 +++
 .../microsoft/runtime-class-files/package.nix | 41 ----------
 packages/by-name/ociImageLayout/package.nix | 3 +-
 packages/by-name/qemu-tdx-bin/package.nix | 13 ++++
 9 files changed, 125 insertions(+), 173 deletions(-)
 create mode 100644 packages/by-name/hashDirs/package.nix
 delete mode 100644 packages/by-name/kata/runtime-class-files/package.nix
 delete mode 100644 packages/by-name/microsoft/runtime-class-files/package.nix
 create mode 100644 packages/by-name/qemu-tdx-bin/package.nix

diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index 518bdc06d0..5d5a11a01b 100644
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -43,16 +43,13 @@ let embeddedReferenceValues = let runtimeHandler = - platform: - ( - launchDigestFile: - "contrast-cc-${platform}-${builtins.substring 0 8 (builtins.readFile launchDigestFile)}" - ); + platform: hashFile: + "contrast-cc-${platform}-${builtins.substring 0 8 (builtins.readFile hashFile)}"; - aks-clh-snp-handler = runtimeHandler "aks-clh-snp" "${microsoft.runtime-class-files}/runtime-hash.hex"; - k3s-qemu-tdx-handler = runtimeHandler "k3s-qemu-tdx" "${kata.runtime-class-files}/runtime-hash-tdx.hex"; - rke2-qemu-tdx-handler = runtimeHandler "rke2-qemu-tdx" "${kata.runtime-class-files}/runtime-hash-tdx.hex"; - k3s-qemu-snp-handler = runtimeHandler "k3s-qemu-snp" "${kata.runtime-class-files}/runtime-hash-snp.hex"; + aks-clh-snp-handler = runtimeHandler "aks-clh-snp" microsoft.contrast-node-installer-image.runtimeHash; + k3s-qemu-tdx-handler = runtimeHandler "k3s-qemu-tdx" kata.contrast-node-installer-image.runtimeHash; + rke2-qemu-tdx-handler = runtimeHandler "rke2-qemu-tdx" kata.contrast-node-installer-image.runtimeHash; + k3s-qemu-snp-handler = runtimeHandler "k3s-qemu-snp" kata.contrast-node-installer-image.runtimeHash; aksRefVals = { aks = { @@ -64,23 +61,21 @@ let microcodeVersion = 115; }; }; - trustedMeasurement = lib.removeSuffix "\n" ( - builtins.readFile "${microsoft.runtime-class-files}/launch-digest.hex" - ); + trustedMeasurement = lib.removeSuffix "\n" (builtins.readFile microsoft.kata-igvm.launch-digest); }; }; snpRefVals = { inherit (aksRefVals.aks) snp; trustedMeasurement = lib.removeSuffix "\n" ( - builtins.readFile "${kata.runtime-class-files}/launch-digest-snp.hex" + builtins.readFile "${kata.contrast-node-installer-image.runtimeHash}" ); }; tdxRefVals = { bareMetalTDX = { trustedMeasurement = lib.removeSuffix "\n" ( - builtins.readFile "${kata.runtime-class-files}/launch-digest-tdx.hex" + builtins.readFile "${kata.contrast-node-installer-image.runtimeHash}" ); }; }; 
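Review bot: In the second hunk, the `snpRefVals` and `tdxRefVals` `trustedMeasurement` values are now read from `kata.contrast-node-installer-image.runtimeHash`, which (per the new hashDirs package) is a 64-hex-character sha256 over OCI layer directories, not a launch measurement; an SEV-SNP launch digest or TDX MRTD is 48 bytes, so an attester comparing against this value can never match. The deleted kata runtime-class-files package produced the same kind of placeholder, but the `TODO(msanft): perform the actual launch digest calculation` comment that documented this is removed with it and nothing in the new readers says so. I would keep that knowledge next to the new code, e.g. `# TODO: runtimeHash is a placeholder until a real launch digest is computed for the bare-metal SNP/TDX runtimes`. Also, the `aks` branch passes `microsoft.kata-igvm.launch-digest` to `builtins.readFile` directly while these two wrap the derivation in `"${...}"`; the interpolation adds nothing and the three readers could share one form. The enclosing `embeddedReferenceValues` let-block continues outside the hunk.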
diff --git a/packages/by-name/hashDirs/package.nix b/packages/by-name/hashDirs/package.nix new file mode 100644 index 0000000000..e63c05fe48 --- /dev/null +++ b/packages/by-name/hashDirs/package.nix @@ -0,0 +1,22 @@ +# Copyright 2024 Edgeless Systems GmbH +# SPDX-License-Identifier: AGPL-3.0-only + +{ + lib, + stdenvNoCC, + nix, +}: + +{ name, dirs }: + +stdenvNoCC.mkDerivation { + inherit name; + dontUnpack = true; + nativeBuildInputs = [ nix ]; + buildPhase = '' + nix --extra-experimental-features nix-command hash path ${lib.concatStringsSep " " dirs} | + LC_ALL=C sort | + sha256sum | + cut -d' ' -f1 > $out + ''; +} diff --git a/packages/by-name/kata/contrast-node-installer-image/package.nix b/packages/by-name/kata/contrast-node-installer-image/package.nix index bb3ee1a592..39d80be2bc 100644 --- a/packages/by-name/kata/contrast-node-installer-image/package.nix +++ b/packages/by-name/kata/contrast-node-installer-image/package.nix @@ -5,10 +5,18 @@ ociLayerTar, ociImageManifest, ociImageLayout, + writers, + hashDirs, + contrast, kata, pkgsStatic, - writers, + qemu-static, + qemu-tdx-bin, + OVMF-SNP, + OVMF, + + debugRuntime ? false, }: let @@ -91,7 +99,7 @@ let path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/efi-virtio.rom"; } ]; - inherit (kata.runtime-class-files) debugRuntime; + inherit debugRuntime; }; destination = "/config/contrast-node-install.json"; } @@ -101,11 +109,11 @@ let kata-container-img = ociLayerTar { files = [ { - source = kata.runtime-class-files.image; + source = kata.kata-image; destination = "/opt/edgeless/share/kata-containers.img"; } { - source = kata.runtime-class-files.kernel; + source = "${kata.kata-kernel-uvm}/bzImage"; destination = "/opt/edgeless/share/kata-kernel"; } ]; @@ -114,7 +122,7 @@ let ovmf-snp = ociLayerTar { files = [ { - source = kata.runtime-class-files.ovmf-snp; + source = "${OVMF-SNP}/FV/OVMF.fd"; destination = "/opt/edgeless/snp/share/OVMF.fd"; } ]; 
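Review bot: The `buildPhase` of the new hashDirs derivation has no guard for an empty `dirs` list: with no arguments `nix hash path` emits nothing, and unless the build shell has `pipefail` in effect, `$out` would silently receive the well-known digest of empty input, which then flows into runtime handler names and reference values looking like a valid hash. An `assert lib.assertMsg (dirs != [ ]) "hashDirs: dirs must not be empty";` in front of the `mkDerivation` call, plus `runHook preBuild` / `runHook postBuild` around the pipeline, makes that failure loud and keeps the phase hookable. A one-line header would also help readers of the callers, e.g. `# Emits one lowercase hex sha256 over the sorted per-path digests of dirs; the result is independent of list order and of the store path names.`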
@@ -123,19 +131,19 @@ let qemu-snp = ociLayerTar { files = [ { - source = kata.runtime-class-files.qemu-snp.bin; + source = "${qemu-static}/bin/qemu-system-x86_64"; destination = "/opt/edgeless/snp/bin/qemu-system-x86_64"; } { - source = "${kata.runtime-class-files.qemu-snp.share}/kvmvapic.bin"; + source = "${qemu-static}/share/qemu/kvmvapic.bin"; destination = "/opt/edgeless/snp/share/qemu/kvmvapic.bin"; } { - source = "${kata.runtime-class-files.qemu-snp.share}/linuxboot_dma.bin"; + source = "${qemu-static}/share/qemu/linuxboot_dma.bin"; destination = "/opt/edgeless/snp/share/qemu/linuxboot_dma.bin"; } { - source = "${kata.runtime-class-files.qemu-snp.share}/efi-virtio.rom"; + source = "${qemu-static}/share/qemu/efi-virtio.rom"; destination = "/opt/edgeless/snp/share/qemu/efi-virtio.rom"; } ]; @@ -144,7 +152,7 @@ let ovmf-tdx = ociLayerTar { files = [ { - source = kata.runtime-class-files.ovmf-tdx; + source = "${OVMF.fd}/FV/OVMF.fd"; destination = "/opt/edgeless/tdx/share/OVMF.fd"; } ]; @@ -153,19 +161,19 @@ let qemu-tdx = ociLayerTar { files = [ { - source = kata.runtime-class-files.qemu-tdx.bin; + source = "${qemu-tdx-bin}/bin/qemu-system-x86_64"; destination = "/opt/edgeless/tdx/bin/qemu-system-x86_64"; } { - source = "${kata.runtime-class-files.qemu-tdx.share}/kvmvapic.bin"; + source = "${qemu-tdx-bin}/share/qemu/kvmvapic.bin"; destination = "/opt/edgeless/tdx/share/qemu/kvmvapic.bin"; } { - source = "${kata.runtime-class-files.qemu-tdx.share}/linuxboot_dma.bin"; + source = "${qemu-tdx-bin}/share/qemu/linuxboot_dma.bin"; destination = "/opt/edgeless/tdx/share/qemu/linuxboot_dma.bin"; } { - source = "${kata.runtime-class-files.qemu-tdx.share}/efi_virtio.rom"; + source = "${qemu-tdx-bin}/share/qemu/efi_virtio.rom"; destination = "/opt/edgeless/tdx/share/qemu/efi-virtio.rom"; } ]; 
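Review bot: In the third hunk the `qemu-tdx` layer copies `${qemu-tdx-bin}/share/qemu/efi_virtio.rom` (underscore) to a destination named `efi-virtio.rom` (hyphen), whereas the `qemu-snp` layer in the first hunk uses `efi-virtio.rom` on both sides; the name was carried over from the deleted runtime-class-files package, so presumably the Canonical TDX blob really ships it under that name, but a reader will assume a typo. A short comment at that entry would settle it, e.g. `# the Canonical TDX build names this ROM efi_virtio.rom; the runtime expects the hyphenated name`. The enclosing `let` block continues outside the hunk.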
@@ -174,27 +182,28 @@ let kata-runtime = ociLayerTar { files = [ { - source = kata.runtime-class-files.kata-runtime; + source = "${kata.kata-runtime}/bin/kata-runtime"; destination = "/opt/edgeless/bin/kata-runtime"; } { - source = kata.runtime-class-files.containerd-shim-contrast-cc-v2; + source = "${kata.kata-runtime}/bin/containerd-shim-kata-v2"; destination = "/opt/edgeless/bin/containerd-shim-contrast-cc-v2"; } ]; }; + layers = [ + installer-config + kata-container-img + ovmf-snp + ovmf-tdx + qemu-snp + qemu-tdx + kata-runtime + ]; + manifest = ociImageManifest { - layers = [ - node-installer - installer-config - kata-container-img - ovmf-snp - ovmf-tdx - qemu-snp - qemu-tdx - kata-runtime - ]; + layers = layers ++ [ node-installer ]; extraConfig = { "config" = { "Env" = [ @@ -214,4 +223,10 @@ let }; in -ociImageLayout { manifests = [ manifest ]; } +ociImageLayout { + manifests = [ manifest ]; + passthru.runtimeHash = hashDirs { + dirs = layers; # Layers without node-installer, or we have a circular dependency! + name = "runtime-hash-kata"; + }; +} diff --git a/packages/by-name/kata/runtime-class-files/package.nix b/packages/by-name/kata/runtime-class-files/package.nix deleted file mode 100644 index 7f053e7512..0000000000 --- a/packages/by-name/kata/runtime-class-files/package.nix +++ /dev/null 
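Review bot: The comment `# Layers without node-installer, or we have a circular dependency!` on the new `passthru.runtimeHash` says what is excluded but not why, and the why is what stops someone from adding the layer back later: `contrast` is now an input of this package and reads this `runtimeHash` for handler names and reference values, so a hash that also covered the layer carrying the contrast binary would depend on its own value (I am inferring that node-installer is where the `contrast` input ends up; that layer is outside the hunk). I would write `# Hash every layer except node-installer: that layer presumably ships the contrast binary, which itself embeds this hash via contrast/package.nix, so including it would be circular.` It is also worth stating that `installer-config` is in `layers`, so toggling `debugRuntime` changes the hash and hence the runtime handler name, which appears to be intended. The same comment appears in the microsoft image's hunk.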
@@ -1,76 +0,0 @@ -# Copyright 2024 Edgeless Systems GmbH -# SPDX-License-Identifier: AGPL-3.0-only - -{ - stdenvNoCC, - kata, - OVMF-SNP, - OVMF, - debugRuntime ? false, - qemu-static, - fetchzip, -}: - -let - image = kata.kata-image; - kernel = "${kata.kata-kernel-uvm}/bzImage"; - - qemu-snp = { - bin = "${qemu-static}/bin/qemu-system-x86_64"; - share = "${qemu-static}/share/qemu"; - }; - - ovmf-snp = "${OVMF-SNP}/FV/OVMF.fd"; - - # TODO(msanft): Incorporate the Canonical TDX QEMU patches in our QEMU build for a dynamically - # built SEV / TDX QEMU binary. For now, take the blob from a build of the following, which matches - # what Canonical provides in Ubuntu 24.04. - # https://code.launchpad.net/~kobuk-team/+recipe/tdx-qemu-noble - qemu-tdx = - let - qemu-tdx-blob = fetchzip { - url = "https://cdn.confidential.cloud/contrast/node-components/1%3A8.2.2%2Bds-0ubuntu2%2Btdx1.0~tdx1.202407031834~ubuntu24.04.1/1%3A8.2.2%2Bds-0ubuntu2%2Btdx1.0~tdx1.202407031834~ubuntu24.04.1.zip"; - hash = "sha256-6TztmmmO2N1jk/cNKdvd/MMIf43N7lxPaasjKARRVik="; - }; - in - { - bin = "${qemu-tdx-blob}/bin/qemu-system-x86_64"; - share = "${qemu-tdx-blob}/share/qemu"; - }; - - ovmf-tdx = "${OVMF.fd}/FV/OVMF.fd"; - - containerd-shim-contrast-cc-v2 = "${kata.kata-runtime}/bin/containerd-shim-kata-v2"; - - kata-runtime = "${kata.kata-runtime}/bin/kata-runtime"; -in - -stdenvNoCC.mkDerivation { - name = "runtime-class-files"; - inherit (kata.kata-image) version; - - dontUnpack = true; - - # TODO(msanft): perform the actual launch digest calculation. 
- buildPhase = '' - mkdir -p $out - sha256sum ${image} ${kernel} ${qemu-tdx.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-tdx} | sha256sum | cut -d " " -f 1 > $out/launch-digest-tdx.hex - cp $out/launch-digest-tdx.hex $out/runtime-hash-tdx.hex - sha256sum ${image} ${kernel} ${qemu-snp.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-snp} | sha256sum | cut -d " " -f 1 > $out/launch-digest-snp.hex - cp $out/launch-digest-snp.hex $out/runtime-hash-snp.hex - ''; - - passthru = { - inherit - kernel - image - qemu-tdx - qemu-snp - containerd-shim-contrast-cc-v2 - ovmf-tdx - ovmf-snp - kata-runtime - debugRuntime - ; - }; -} diff --git a/packages/by-name/microsoft/contrast-node-installer-image/package.nix b/packages/by-name/microsoft/contrast-node-installer-image/package.nix index cc01da201d..1c56a2b66b 100644 --- a/packages/by-name/microsoft/contrast-node-installer-image/package.nix +++ b/packages/by-name/microsoft/contrast-node-installer-image/package.nix @@ -2,13 +2,18 @@ # SPDX-License-Identifier: AGPL-3.0-only { + lib, ociLayerTar, ociImageManifest, ociImageLayout, + writers, + hashDirs, + contrast, microsoft, pkgsStatic, - writers, + + debugRuntime ? false, }: let @@ -49,7 +54,7 @@ let executable = true; } ]; - inherit (microsoft.runtime-class-files) debugRuntime; + inherit debugRuntime; }; destination = "/config/contrast-node-install.json"; } @@ -59,11 +64,11 @@ let kata-container-img = ociLayerTar { files = [ { - source = microsoft.runtime-class-files.rootfs; + source = microsoft.kata-image; destination = "/opt/edgeless/share/kata-containers.img"; } { - source = microsoft.runtime-class-files.igvm; + source = if debugRuntime then microsoft.kata-igvm.debug else microsoft.kata-igvm; destination = "/opt/edgeless/share/kata-containers-igvm.img"; } ]; 
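Review bot: In the `kata-container-img` hunk the IGVM shipped to the node is `microsoft.kata-igvm.debug` when `debugRuntime` is set, but the reference value that contrast/package.nix now reads is `microsoft.kata-igvm.launch-digest`, and the new `passthru.launch-digest` in the kata-igvm hunk measures `microsoft.kata-igvm` unconditionally; the deleted microsoft runtime-class-files measured the same `igvm` it shipped, so a debug build now carries the release IGVM's digest and attestation of a debug runtime would presumably fail. Unless `.debug` exposes its own `launch-digest` that the consumer selects (not visible here), the digest should be derived from the IGVM actually placed in this layer. A comment at the selection site would keep the coupling visible, e.g. `# The launch digest in contrast's reference values must be measured from this same IGVM.` The enclosing `let` block continues outside the hunk.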
@@ -72,7 +77,7 @@ let cloud-hypervisor = ociLayerTar { files = [ { - source = microsoft.runtime-class-files.cloud-hypervisor-exe; + source = lib.getExe microsoft.cloud-hypervisor; destination = "/opt/edgeless/bin/cloud-hypervisor-snp"; } ]; @@ -81,20 +86,21 @@ let containerd-shim = ociLayerTar { files = [ { - source = microsoft.runtime-class-files.containerd-shim-contrast-cc-v2; + source = lib.getExe microsoft.kata-runtime; destination = "/opt/edgeless/bin/containerd-shim-contrast-cc-v2"; } ]; }; + layers = [ + installer-config + kata-container-img + cloud-hypervisor + containerd-shim + ]; + manifest = ociImageManifest { - layers = [ - node-installer - installer-config - kata-container-img - cloud-hypervisor - containerd-shim - ]; + layers = layers ++ [ node-installer ]; extraConfig = { "config" = { "Env" = [ @@ -114,4 +120,10 @@ let }; in -ociImageLayout { manifests = [ manifest ]; } +ociImageLayout { + manifests = [ manifest ]; + passthru.runtimeHash = hashDirs { + dirs = layers; # Layers without node-installer, or we have a circular dependency! + name = "runtime-hash-microsoft"; + }; +} diff --git a/packages/by-name/microsoft/kata-igvm/package.nix b/packages/by-name/microsoft/kata-igvm/package.nix index d41ff3b19b..2045723366 100644 --- a/packages/by-name/microsoft/kata-igvm/package.nix +++ b/packages/by-name/microsoft/kata-igvm/package.nix @@ -4,9 +4,11 @@ { lib, stdenv, + stdenvNoCC, microsoft, igvm-tooling, igvm-signing-keygen, + igvmmeasure, }: stdenv.mkDerivation rec { @@ -49,6 +51,15 @@ stdenv.mkDerivation rec { runHook postBuild ''; + passthru.launch-digest = stdenvNoCC.mkDerivation { + name = "launch-digest"; + dontUnpack = true; + buildInputs = [ igvmmeasure ]; + buildPhase = '' + igvmmeasure -b ${microsoft.kata-igvm} | dd conv=lcase > $out + ''; + }; + meta = { description = "The Contrast runtime IGVM file defines the initial state of a pod-VM."; license = lib.licenses.asl20; 
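Review bot: The new `passthru.launch-digest` in the kata-igvm hunk measures `microsoft.kata-igvm` by its package-set name rather than the derivation it is attached to, so any overridden kata-igvm (including the `debugRuntime` variant that microsoft/contrast-node-installer-image selects) still reports the digest of the stock build; switching the set from `rec` to the `finalAttrs` pattern and measuring `finalAttrs.finalPackage` would tie the digest to the IGVM actually built. `igvmmeasure` runs at build time, so it belongs in `nativeBuildInputs` rather than `buildInputs`, and `dd conv=lcase` is an unusual way to lowercase hex where `tr 'A-F' 'a-f'` says what it means. A one-line comment on the attribute would help, e.g. `# Expected launch measurement of this IGVM in lowercase hex, consumed as trustedMeasurement by contrast's reference values.` The `rec` set and its `meta` continue outside the hunk.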
diff --git a/packages/by-name/microsoft/runtime-class-files/package.nix b/packages/by-name/microsoft/runtime-class-files/package.nix deleted file mode 100644 index 8938b3a20c..0000000000 --- a/packages/by-name/microsoft/runtime-class-files/package.nix +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright 2024 Edgeless Systems GmbH -# SPDX-License-Identifier: AGPL-3.0-only - -{ - lib, - stdenvNoCC, - microsoft, - igvmmeasure, - debugRuntime ? false, -}: - -let - igvm = if debugRuntime then microsoft.kata-igvm.debug else microsoft.kata-igvm; - cloud-hypervisor-exe = lib.getExe microsoft.cloud-hypervisor; - containerd-shim-contrast-cc-v2 = lib.getExe microsoft.kata-runtime; -in - -stdenvNoCC.mkDerivation { - name = "runtime-class-files"; - inherit (microsoft.kata-igvm) version; - - dontUnpack = true; - - buildInputs = [ igvmmeasure ]; - - buildPhase = '' - mkdir -p $out - igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex - sha256sum ${igvm} ${cloud-hypervisor-exe} ${containerd-shim-contrast-cc-v2}| cut -d " " -f 1 > $out/runtime-hash.hex - ''; - - passthru = { - inherit - debugRuntime - igvm - cloud-hypervisor-exe - containerd-shim-contrast-cc-v2 - ; - rootfs = microsoft.kata-image; - }; -} diff --git a/packages/by-name/ociImageLayout/package.nix b/packages/by-name/ociImageLayout/package.nix index 667beaa5f3..13e65c41aa 100644 --- a/packages/by-name/ociImageLayout/package.nix +++ b/packages/by-name/ociImageLayout/package.nix @@ -14,6 +14,7 @@ manifests ? [ ], # extraIndex is a set of additional fields to add to the index.json extraIndex ? { }, + passthru, }: let @@ -36,7 +37,7 @@ runCommand "oci-image-layout" { buildInputs = [ nix ]; blobDirs = lib.lists.map (manifest: manifest + "/blobs/sha256") manifests; - inherit index; + inherit index passthru; } '' # add the index.json, image-layout file and all blobs to the output 
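Review bot: In the first ociImageLayout hunk `passthru,` is added to the argument set without a default, so every caller that does not pass it — any `ociImageLayout { manifests = ...; }` other than the two node-installer images changed in this patch — now fails evaluation with a missing-argument error; `passthru ? { },` keeps those callers working and `runCommand` accepts an empty passthru. A line of documentation in the style of the existing `# extraIndex is ...` comment would also help: `# passthru is forwarded unchanged to the resulting derivation, e.g. to expose hashes derived from the layers`. The argument set and the runCommand call continue outside the hunks.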
diff --git a/packages/by-name/qemu-tdx-bin/package.nix b/packages/by-name/qemu-tdx-bin/package.nix
new file mode 100644
index 0000000000..0ed9fe1643
--- /dev/null
+++ b/packages/by-name/qemu-tdx-bin/package.nix
@@ -0,0 +1,13 @@
+# Copyright 2024 Edgeless Systems GmbH
+# SPDX-License-Identifier: AGPL-3.0-only
+
+{ fetchzip }:
+
+# TODO(msanft): Incorporate the Canonical TDX QEMU patches in our QEMU build for a dynamically
+# built SEV / TDX QEMU binary. For now, take the blob from a build of the following, which matches
+# what Canonical provides in Ubuntu 24.04.
+# https://code.launchpad.net/~kobuk-team/+recipe/tdx-qemu-noble
+fetchzip {
+ url = "https://cdn.confidential.cloud/contrast/node-components/1%3A8.2.2%2Bds-0ubuntu2%2Btdx1.0~tdx1.202407031834~ubuntu24.04.1/1%3A8.2.2%2Bds-0ubuntu2%2Btdx1.0~tdx1.202407031834~ubuntu24.04.1.zip";
+ hash = "sha256-6TztmmmO2N1jk/cNKdvd/MMIf43N7lxPaasjKARRVik=";
+}
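Review bot: The new `qemu-tdx-bin` fetchzip call sets no `name`, so the store path gets fetchzip's generic default rather than anything identifying the 8.2.2 TDX build that the URL and the TODO describe, which makes this input hard to recognise in build logs and in the inputs of the runtime hash; `name = "qemu-tdx-bin-8.2.2";` fixes that without changing the fetched content. The content itself is pinned by `hash`, which is the right control for a prebuilt blob pulled from a CDN, and recording the upstream version string next to the hash (in a comment or a `version` binding) keeps the TODO actionable when the blob is eventually replaced by an in-tree build.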