Skip to content

Commit

Permalink
blobs: Update linuxkit binaries to version based on v1.2.0
Browse files Browse the repository at this point in the history
The linuxkit blobs provided as part of this repository have been a sore
point with regards to how these are built and where they come from. This
updates them to a new version that is based on top of the latest
upstream release v1.2.0 and can be reproducibly build from
aws-nitro-enclaves-sdk-bootstrap d55087f7f405 [0].

With the update linuxkit has changed the format of its command line
options from the -<option> format to the --<option> format.
Further, linuxkit introduced functionality to add an SBOM file with
non-deterministic unique IDs, which breaks our image reproducibility.
Pass `--no-sbom` to disable that SBOM creation.

The patches we carry on top of that upstream release are now available
through aws-nitro-enclaves-sdk-bootstrap package, which now also
provides a way to reproducibly build these binaries using nix.

With the update we have cleaned up our downstream patches, which entail
some changes on how we invoke linuxkit:

1) The downstream `prefix` functionality has been moved into the
   configuration yaml files instead of having it as a CLI option.
2) We use a new output type `kernel+initrd-nogz` which produces the
   initrd with cpio instead of the standard cpio.gz.

As we have always had functionally similar patches on top of upstream
linuxkit there are no functional changes.

[0] aws/aws-nitro-enclaves-sdk-bootstrap@d55087f7f405

Signed-off-by: Leonard Foerster <foersleo@amazon.com>
  • Loading branch information
foersleo committed Jun 6, 2024
1 parent f165f19 commit 3680b30
Show file tree
Hide file tree
Showing 4 changed files with 12 additions and 9 deletions.
Binary file modified blobs/aarch64/linuxkit
Binary file not shown.
Binary file modified blobs/x86_64/linuxkit
Binary file not shown.
18 changes: 9 additions & 9 deletions enclave_build/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -225,10 +225,11 @@ impl<'a> Docker2Eif<'a> {
let output = Command::new(&self.linuxkit_path)
.args([
"build",
"-name",
"--name",
&bootstrap_ramfs,
"-format",
"kernel+initrd",
"--format",
"kernel+initrd-nogz",
"--no-sbom",
ramfs_config_file.path().to_str().unwrap(),
])
.output()
Expand All @@ -245,13 +246,12 @@ impl<'a> Docker2Eif<'a> {
let output = Command::new(&self.linuxkit_path)
.args([
"build",
"-docker",
"-name",
"--docker",
"--name",
&customer_ramfs,
"-format",
"kernel+initrd",
"-prefix",
"rootfs/",
"--format",
"kernel+initrd-nogz",
"--no-sbom",
ramfs_with_rootfs_config_file.path().to_str().unwrap(),
])
.output()
Expand Down
3 changes: 3 additions & 0 deletions enclave_build/src/yaml_generator.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ struct BootstrapRamfsTemplate {

#[derive(Debug, Serialize, Deserialize)]
struct CustomerRamfsTemplate {
prefix: String,
init: Vec<String>,
files: (
DirTemplate,
Expand Down Expand Up @@ -102,6 +103,7 @@ impl YamlGenerator {

pub fn get_customer_ramfs(&self) -> Result<NamedTempFile, YamlGeneratorError> {
let ramfs = CustomerRamfsTemplate {
prefix: "rootfs/".to_string(),
init: vec![self.docker_image.clone()],
// Each directory must stay under rootfs, as expected by init
files: (
Expand Down Expand Up @@ -204,6 +206,7 @@ mod tests {
assert_eq!(
customer_data,
"---\
\nprefix: rootfs/\
\ninit:\
\n - docker_image\
\nfiles:\
Expand Down

0 comments on commit 3680b30

Please sign in to comment.