forked from kata-containers/kata-containers
IGVM reproducible build #202
Draft: Camelron wants to merge 245 commits into msft-main from cameronbaird/reproducible-build
Conversation
$ git rev-parse cc-msft-prototypes
328e440
$ git checkout cc-msft-prototypes src/tools/genpolicy/
$ git checkout cc-msft-prototypes src/agent/samples/policy/
$ git rev-parse cc-msft-prototypes
328e440
$ git checkout cc-msft-prototypes src/utarfs
$ git checkout cc-msft-prototypes src/tarfs
$ git checkout cc-msft-prototypes src/overlay
$ git checkout cc-msft-prototypes src/tardev-snapshotter
$ git checkout cc-msft-prototypes Makefile
Add option to use an IGVM image in the UVM Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
Add configuration file configuration-clh-snp.toml with SNP related settings enabled Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
* Remove unused param from CLH SNP config
* Remove extra package definition from cbl-mariner rootfs config
* Enable SNP=on with CH conf-guest enabled and add dummy host_data value
* Add IGVM, HostData, Snp to config markdown doc
* sanitize clh-snp.toml.in and clh.toml.in
* Further changes required for SEV SNP enablement
* Remove unnecessary debug output
* Update outdated comment in config
Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
* Set PCI segments in all cases
* Clean-up
This makes it so that any container has access to /dev/sev-guest out of the box with no privileges required. Since /dev/sev-guest isn't available yet, I've validated this change using /dev/cpu_dma_latency (original chmod 600) by:
1. Verifying that the device is present in the container.
2. Verifying that reading from the device from a container yields the same result as from the VM context.
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Add image build macro to change partition format for kernel's "dm-mod.create" command, and allow for igvm + image usecase in kata shim Signed-off-by: Dallas Delaney <dadelan@microsoft.com>
This is a workaround for kata-containers#7993. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
rootfs: delete some of the mariner packages
Delete some of the mariner packages from the Guest image, for faster TEE memory measurement. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
The shell is useful for debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Useful for debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Useful for debugging. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Make sure the hash of an incoming Policy matches the value of the SNP Host Data field. The value of Host Data will be validated through Remote Attestation, outside of this patch. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
There are 10 segments in the ACPI tables, and CLH works better when it uses all of them. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
When a request cannot be evaluated to true, OPA can return an empty response. It doesn't respond with "response = false" unless a default value of false has been defined. Handle empty responses the same way as "response = false", thus allowing users to bypass those responses by using AllowRequestsFailingPolicy := true. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This is needed when enabling dm-verity. `udevd` reads kernel uevents that announce the creation of `/dev/dm-XXX` devices, and then creates devices with the actual names under `/dev/mapper/`. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This allows us to avoid repeating paths when they're the same. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This replicates Wedson's changes in 0935263 in a way that is aligned with the upstream implementation introduced in kata-containers#7200. NOTE: This will require compiling the runtime with DEFSHAREDFS_CLH_SNP_VIRTIOFS=none.
Upstream now uses the new DEFSTATICRESOURCEMGMT_TEE variable to set static resource management for TEEs so we align on that. It's true by default so we don't have to update our build script for this. NOTE: For non-tee CH, upstream now uses DEFSTATICRESOURCEMGMT_CLH (already in our codebase) instead of DEFSTATICRESOURCEMGMT. It's still false by default so we WILL have to update our build script for this one.
The layer string is now base64-encoded, so decode it before inspecting the fields. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
Newer versions of depmod are failing without the -a option. They get confused with the kernel version and expect it to start with a slash: depmod: FATAL: modules: not absolute path. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This allows the agent to ensure the integrity of the device. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This allows snapshotters to skip the path to layers. They can, naturally, still specify the full path to other locations when needed. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This allows us to tell, from the error, what the agent was attempting to do with the devicemapper. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
This is so that dependents are removed first, so that dependencies don't have references anymore when they're unmounted. Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
clh: isClhRunning waits for full timeout when clh exits
rootfs: Stop building and shipping OPA
We've discussed this over and over. Let's try to get to an agreement here. I will use this issue to remove the mandatory Issue - PR dependency. Fixes: kata-containers#9500 Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
ci: cherry-pick relaxed commit check from upstream
This adds a GitHub Action workflow to check that the policy samples have been updated with each PR. We'll add it as a required check to catch policy errors earlier in the dev process. I also tweaked the update script to have better error handling, and I simplified the PR template to make it more readable. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
ci: add check for policy samples
Allow all users to pull images by using containerd instead of having to worry about this tool potentially creating files that the caller of update_policy_samples.py doesn't own. Granting all users access to containerd is also consistent with the behavior of upstream Kata CI. If any users really need to execute genpolicy as root, hopefully executing this entire script as root is good enough for them. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
…cket samples: don't execute genpolicy as root user
Update azure-file-secrets.yaml and use better azureFile shareName Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
update docker sample annotation for latest image version Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Save under /tmp the policy text when updating sample YAML files - just in case someone needs to read/debug these policy files. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Update deployment-docker-busybox.yaml policy to match the latest version of the busybox container. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
samples: update docker sample and shareName
This branch starts introducing additional scripting to build, deploy and evaluate the components used in AKS' Pod Sandboxing and Confidential Containers preview features. This includes the capability to build the IGVM file and its reference measurement file for remote attestation. Signed-off-by: Manuel Huber <mahuber@microsoft.com>
tools: Add initial igvm-builder and node-builder/azure-linux scripting
samples: save decoded policy text
Enable genpolicy's dm-verity root hash cache when updating the sample files, to potentially achieve faster update policy script execution. Also, this is an additional opportunity to test multiple instances of genpolicy synchronizing their access to the cache files. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
samples: use the dm-verity root hash cache
Update the sev parameter to sev_snp in the cloud-hypervisor.yaml file to match cloud-hypervisor 38.0.72. See https://github.com/microsoft/cloud-hypervisor/blob/msft/v38.0.72/vmm/src/config.rs#L687 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
virtcontainers: update sev_snp param serialization
This change adds support for volume claim templates for stateful sets. This is useful for stateful sets that require persistent storage, using cc-azurefile-csi, cc-azuredisk-csi or other storage providers. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
This patch updates the samples to include the support for persistent storage for statefulsets. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
genpolicy: add persistent storage support for stateful sets
Merge Checklist
- upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary
Test Methodology