Add new EnclaveBuilder class which allows building initrd-only image types. The first enclave implementation covers aws-nitro images produced via the eif_build tooling.
Showing 16 changed files with 574 additions and 4 deletions.
build-tests/x86/tumbleweed/test-image-nitro-enclave/appliance.kiwi (60 additions, 0 deletions)
@@ -0,0 +1,60 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
|
||
<image schemaversion="7.5" name="kiwi-test-image-nitro-enclave"> | ||
<description type="system"> | ||
<author>Marcus Schäfer</author> | ||
<contact>[email protected]</contact> | ||
<specification>AWS Nitro Enclave test build</specification> | ||
</description> | ||
<profiles> | ||
<profile name="default" description="CPIO: default profile" import="true"/> | ||
<profile name="std" description="KERNEL: default kernel" import="true"/> | ||
</profiles> | ||
<preferences> | ||
<version>1.1.1</version> | ||
<packagemanager>zypper</packagemanager> | ||
<rpm-excludedocs>true</rpm-excludedocs> | ||
<rpm-check-signatures>false</rpm-check-signatures> | ||
</preferences> | ||
<preferences> | ||
<type image="enclave" enclave_format="aws-nitro" kernelcmdline="reboot=k panic=30 pci=off console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on rdinit=/sbin/init"/> | ||
</preferences> | ||
<repository type="rpm-md"> | ||
<source path="obsrepositories:/"/> | ||
</repository> | ||
<!-- temporary repo to fetch nitro-enclave-alive --> | ||
<repository type="rpm-md"> | ||
<source path="obs://home:agraf/openSUSE_Tumbleweed"/> | ||
</repository> | ||
<users> | ||
<user password="$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0" home="/root" name="root" groups="root"/> | ||
</users> | ||
<packages type="image" profiles="std"> | ||
<package name="kernel-default"/> | ||
</packages> | ||
<packages type="image"> | ||
<package name="systemd"/> | ||
<package name="systemd-experimental"/> | ||
<package name="iputils"/> | ||
<package name="openssh"/> | ||
<package name="iproute2"/> | ||
<package name="less"/> | ||
<package name="NetworkManager"/> | ||
<package name="timezone"/> | ||
<package name="nitro-enclave-alive"/> | ||
</packages> | ||
<packages type="bootstrap"> | ||
<package name="gawk"/> | ||
<package name="grep"/> | ||
<package name="gzip"/> | ||
<package name="udev"/> | ||
<package name="xz"/> | ||
<package name="shadow"/> | ||
<package name="filesystem"/> | ||
<package name="glibc-locale"/> | ||
<package name="cracklib-dict-full"/> | ||
<package name="ca-certificates"/> | ||
<package name="ca-certificates-mozilla"/> | ||
<package name="openSUSE-release"/> | ||
</packages> | ||
</image> |
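Review bot: `<rpm-check-signatures>false</rpm-check-signatures>` combined with the extra `obs://home:agraf/openSUSE_Tumbleweed` repository means every package in this image, including `nitro-enclave-alive` pulled from a personal home project, is installed without signature verification. For an image whose point is that its measured contents can be attested, that is a poor default even in a build test; set `<rpm-check-signatures>true</rpm-check-signatures>` and either trust the home project's key explicitly or drop the repository once `nitro-enclave-alive` is available from a regular repo (the comment already calls it temporary, so a note with that condition belongs next to it). Two smaller points in the same hunk: the root password hash starts with `$1$`, i.e. MD5-crypt, which should be a `$6$` (SHA-512) or yescrypt hash if a password is needed at all; and `random.trust_cpu=on` in `kernelcmdline` is a deliberate entropy decision for an enclave that has no other sources, so it deserves a short comment saying why it is set.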
build-tests/x86/tumbleweed/test-image-nitro-enclave/config.sh (24 additions, 0 deletions)
@@ -0,0 +1,24 @@ | ||
#!/bin/bash | ||
|
||
set -ex | ||
|
||
declare kiwi_iname=${kiwi_iname} | ||
|
||
echo "Configure image: [${kiwi_iname}]..." | ||
|
||
#====================================== | ||
# Setup services | ||
#-------------------------------------- | ||
for service in nitro-enclave-alive sshd;do | ||
systemctl enable "${service}" | ||
done | ||
|
||
#====================================== | ||
# Allow ssh root login | ||
#-------------------------------------- | ||
echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/root.conf | ||
|
||
#====================================== | ||
# load virtio_mmio | ||
#-------------------------------------- | ||
echo virtio_mmio > /etc/modules-load.d/virtio-mmio.conf |
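Review bot: `PermitRootLogin yes` enables password-authenticated root login on sshd, and the image also ships a fixed root password hash in `appliance.kiwi`; since the documented access path is `ssh root@<CID>.vsock`, `PermitRootLogin prohibit-password` plus an authorized key gives the same access without a guessable credential, and if password login is intentional for the test image the comment block should say so. Minor: `for service in nitro-enclave-alive sshd;do` wants a space before `do`, and `echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/root.conf` assumes the drop-in directory already exists, so a `mkdir -p /etc/ssh/sshd_config.d` before it makes the script independent of the openssh packaging.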
@@ -0,0 +1,103 @@ | ||
.. _eif: | ||
|
||
Build an AWS Nitro Enclave | ||
============================== | ||
|
||
.. sidebar:: Abstract | ||
|
||
This page explains how to build AWS Nitro Enclaves. It covers the following topics: | ||
|
||
* how to build an AWS Nitro Enclave | ||
* how to test the enclave via QEMU | ||
|
||
AWS Nitro Enclaves enables customers to create isolated compute environments | ||
to further protect and securely process highly sensitive data such as personally | ||
identifiable information (PII), healthcare, financial, and intellectual property | ||
data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro | ||
Hypervisor technology that provides CPU and memory isolation for EC2 instances. | ||
For further details please visit https://aws.amazon.com/ec2/nitro/nitro-enclaves | ||
|
||
To add an enclave build to your appliance, create a `type` element with | ||
`image` set to `enclave` in the :file:`config.xml` file as shown below: | ||
|
||
.. code:: xml | ||
<image schemaversion="{schema_version}" name="Tumbleweed_enclave"> | ||
<!-- snip --> | ||
<profiles> | ||
<profile name="default" description="CPIO: default profile" import="true"/> | ||
<profile name="std" description="KERNEL: default kernel" import="true"/> | ||
</profiles> | ||
<preferences> | ||
<type image="enclave" enclave_format="aws-nitro" kernelcmdline="reboot=k panic=30 pci=off console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on rdinit=/sbin/init"/> | ||
<!-- additional preferences --> | ||
</preferences> | ||
<packages type="image" profiles="std"> | ||
<package name="kernel-default"/> | ||
</packages> | ||
<!-- more packages --> | ||
<!-- snip --> | ||
</image> | ||
The following attributes of the `type` element are relevant: | ||
|
||
- `enclave_format`: Specifies the enclave target | ||
|
||
As of today only the `aws-nitro` enclave target is supported | ||
|
||
|
||
- `kernelcmdline`: Specifies the kernel commandline suitable for the enclave | ||
|
||
An enclave is a system that runs completely in RAM loaded from | ||
an enclave binary format which includes the kernel, initrd and | ||
the kernel commandline suitable for the target system. | ||
|
||
With the appropriate settings specified in :file:`config.xml`, you can build an | ||
image using {kiwi}: | ||
|
||
.. code:: bash | ||
$ sudo kiwi-ng system build \ | ||
--description kiwi/build-tests/{exc_description_enclave} \ | ||
--set-repo {exc_repo_tumbleweed} \ | ||
--target-dir /tmp/myimage | ||
The resulting image is saved in :file:`/tmp/myimage`, and the image can | ||
be tested with QEMU: | ||
|
||
.. code:: bash | ||
$ sudo qemu-system-x86_64 \ | ||
-M nitro-enclave,vsock=c \ | ||
-m 4G \ | ||
-nographic \ | ||
-chardev socket,id=c,path=/tmp/vhost4.socket \ | ||
-kernel {exc_image_base_name_enclave}.eif | ||
The image is now complete and ready to use. Access to the system is | ||
possible via ssh through a vsock connection into the guest. To establish | ||
a vsock connection it's required to forward the connection through the | ||
guest AF_VSOCK socket. This can be done via a ProxyCommand setup of the | ||
host ssh as follows: | ||
|
||
.. code:: bash | ||
$ vi ~/bin/vsock-ssh.sh | ||
#!/bin/bash | ||
CID=$(echo "$1" | cut -d . -f 1) | ||
socat - VSOCK-CONNECT:$CID:22 | ||
.. code:: bash | ||
$ vi ~/.ssh/config | ||
host *.vsock | ||
ProxyCommand ~/bin/vsock-ssh.sh %h | ||
After the ssh proxy setup login to the enclave with a custom vsock port | ||
as follows: | ||
|
||
.. code:: bash | ||
$ ssh [email protected] |
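Review bot: the final login command reads `ssh [email protected]`, which does not match the `host *.vsock` stanza defined just above it; it should be `ssh root@<CID>.vsock`, where CID is the guest's vsock context ID that `vsock-ssh.sh` extracts with `cut -d . -f 1`, and the sentence introducing it should say "CID" rather than "custom vsock port", since the port is fixed at 22 in the `socat` line. The QEMU example points `-chardev socket,id=c,path=/tmp/vhost4.socket` at a vhost-user socket but never says what must be listening there on the host before the enclave boots; one sentence naming the vhost-user vsock backend the reader has to start would prevent a confusing failure. Also, the `Abstract` bullet "how to build an AWS Nitro Enclave" only repeats the page title, and "AWS Nitro Enclaves enables customers" should be "enable".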