-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
generate SLSA provenance by default #378
Conversation
The provenance report generation assumes that it's running from within the sdk docker container. Generated reports are in |
I didn't fully understand it yet: Is calling |
If the toolchains are built with annotation, then no changes to the existing image build flow are necessary. With un-annotated toolchains, it would be necessary to run
It's only for development with unannotated sdk containers. The current failure in the github workflow is because it does not rebuild sdk/toolchains and I didn't add that |
This is the current gap between slsa package list and the actual list of packages in the image. The torcx packages are understandable (and SLSA data is in --- slsa.pkgs.list 2022-07-14 09:58:27.284946297 +0200
+++ image.pkgs.list 2022-07-14 09:58:33.784946094 +0200
@@ -75,7 +75,12 @@ app-crypt/tpmpolicy-20160404
app-crypt/trousers-0.3.14-r2
app-editors/vim-8.2.4328
app-emulation/actool-0.8.11
+app-emulation/containerd-1.6.6
app-emulation/cri-tools-1.19.0
+app-emulation/docker-20.10.17
+app-emulation/docker-cli-20.10.17
+app-emulation/docker-proxy-0.8.0_p20210525
+app-emulation/docker-runc-1.1.3
app-emulation/xenserver-pv-version-6.2.0
app-emulation/xenstore-4.14.2-r1
app-misc/ca-certificates-3.80
@@ -115,6 +120,7 @@ dev-libs/libgcrypt-1.9.4
dev-libs/libgpg-error-1.42
dev-libs/libksba-1.5.1
dev-libs/liblinear-243
+dev-libs/libltdl-2.4.6
dev-libs/libnl-3.5.0
dev-libs/libpcre2-10.40
dev-libs/libpcre-8.44
@@ -228,6 +234,7 @@ sys-boot/efibootmgr-17
sys-cluster/ipvsadm-1.27-r1
sys-devel/binutils-config-5.4
sys-devel/gcc-10.3.0-r2
+sys-firmware/intel-microcode-20220510_p20220508
sys-fs/btrfs-progs-5.15.1
sys-fs/cryptsetup-2.4.3-r1
sys-fs/dosfstools-4.2
@@ -238,6 +245,7 @@ sys-fs/mdadm-4.2-r1
sys-fs/multipath-tools-0.8.7
sys-fs/quota-4.06
sys-fs/xfsprogs-5.14.2
+sys-kernel/bootengine-0.0.38-r13
sys-kernel/coreos-firmware-20220610
sys-kernel/coreos-kernel-5.15.51
sys-kernel/coreos-modules-5.15.51
@@ -267,6 +275,7 @@ sys-power/acpid-2.0.33
sys-process/audit-3.0.6
sys-process/lsof-4.94.0-r1
sys-process/procps-3.3.17-r1
+sys-process/tini-0.19.0-r1
virtual/awk-1
virtual/editor-0-r3
virtual/krb5-0-r1 |
Probably because bootengine uses cros-workon, which sets |
That part works fine, but bootengine is not actually present in the image, the entry in the packages.txt list comes from here: https://github.com/flatcar-linux/scripts/blob/main/build_library/build_image_util.sh#L278-L290. Bootengine only consists of dracut modules and the update-bootengine script, nothing used at runtime. |
Should we merge it with the missing bootengine info or is there a way to add a workaround somewhere? |
ae72a1a
to
f143828
Compare
bootengine info is now included thanks to f143828. So this is in mergeable/reviewable shape. |
Picking this up; started reviewing the PR.
If toolchains is all we need then it should be sufficient to start with @jepio could you please have a look at the remaining feedback on flatcar-archive/coreos-overlay#2027 ? |
If we're building provenance by default should we set |
4988742
to
53e0691
Compare
The change to |
Ah gotcha, thanks. I went with with |
c20e270
to
c935bbb
Compare
This currently fails at the (Oddly enough |
@jepio The PR looks good to me but currently fails CI. I did local testing and did not encounter the CI breakage (see previous comment). Local tests done:
PR LGTM as far as I am concerned as soon as the CI issue is fixed. |
c935bbb
to
a5a8897
Compare
Ugh, I actually hit the same issue as well and that's why i open-coded this: I thought something like this should work: I've pushed a fix and have restarted the CI. |
371805a
to
62b51ee
Compare
`./setup_board --nousepkg --nogetbinpkg` currently fails with a circular dependency due to pulling in the whole systemd-cryptsetup-udev dependency chain. This is due to several issue: * `emerge --root=$ROOT --emptytree` considers ROOT=/ to also be empty, so it pulls in all host packages. This must've not always been the case. So we need to pipe the dependency package list through `egrep $ROOT` to filter only those that would get installed into the desired ROOT * if SYSROOT=/ and not SYSROOT=ROOT, then virtual/os-headers is missing from $ROOT package list * the final filter expression tries to previously looked like this: (=sys-devel/gcc|sys-devel/binutils-0.9) which also matches sys-devel/gcc-config and sys-devel/binutils-config, which are necessary dependencies. Rework the match expression to not filter those out.
install_cross_libs installs TOOLCHAIN_PKGS deps into /usr/$BOARD_CHOST, so that TOOLCHAIN_PKGS binpkgs can be built. We also need binpkgs for the TOOLCHAIN_PKGS deps so that we can install them into /build/$BOARD later together with TOOLCHAIN_PKGS. This is where the flow is currently broken. Due to a change in semantics, --emptyroot tries to rebuild host packages as well, and dropping it leaves --onlydeps which results in no binpkgs being built because they are already installed. We can solve resolve this by reusing the dependency list generated by install_cross_libs, and explicitly building those binpkgs. It is worth remarking that this flow of building the toolchain binpkgs through setup_board is not in use in Flatcar, because we normally build toolchains with catalyst. We are interested in reviving it because we want to build everything with SLSA provenance information.
Catalyst runs builds with copies of the portage/coreos overlays in a chroot, which prevents us from accessing the git metadata necessary to create provenance information. Copy some files over into the root_overlay used by the toolchains catalyst build so that provenance can be correctly captured.
This needs to be done in setup_board for ROOT=/build/$BOARD, but also in toolchain_util because basic toolchains packages are built through catalyst.
Prod images need libstdc++.so and other libraries produced by sys-devel/gcc build, but because we don't want all of gcc in the image, the binpkg is manually unpacked instead of installed with emerge. Make sure to preserve SLSA metadata when unpacking as well.
Some packages are currently missing from the /usr/share/SLSA directory compared to flatcar_production_image_packages.txt. For torcx packages, extract the reports from the torcx bundle when adding it to the rootfs. For initramfs packages, as a substitute we enumerate build dependencies of coreos-kernel (image_packages_implicit()). At this time these are bootengine and intel-microcode.
62b51ee
to
658f79f
Compare
Image build seems to have failed with (see the output):
|
658f79f
to
bdd464d
Compare
It failed because binary packages from 3305.0.0 were used... I'll try again. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The job succeeded, I think it's good to take it in. After resolving the conflict, that is. :)
bdd464d
to
3f39f48
Compare
generate SLSA provenance by default
Enable SLSA provenance report generation by default for board packages (including toolchains). SLSA provenance generation happens through a profile.bashrc file in profiles/coreos/base, it is enabled by defining GENERATE_SLSA_PROVENANCE=true in make.conf (or environment).
Digging deeper, provenance generation is enabled during
./build_packages
but also during./build_toolchains
, because that is where we get binpkgs for board glibc/gcc and their dependencies (some 23 packages) from. An alternative way is available:./setup_board --nousepkg --nogetbinpkg --board=amd64-usr
has been revived and can be used to skip./build_toolchains
.How to use
Build a full image starting from toolchains (or sdk in case of container pipeline).
Testing done
http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/6068/cldsv/
changelog/
directory (user-facing change, bug fix, security fix, update)