Add new builder for enclaves

Add new EnclaveBuilder class which allows to build initrd-only image types. The first enclave implementation covers aws-nitro images produced via the eif_build tooling.
OSInside · Sep 7, 2024 · 0506844 · 0506844
1 parent 322eb33
commit 0506844
Show file tree

Hide file tree

Showing 16 changed files with 574 additions and 4 deletions.
diff --git a/build-tests/x86/tumbleweed/test-image-nitro-enclave/appliance.kiwi b/build-tests/x86/tumbleweed/test-image-nitro-enclave/appliance.kiwi
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<image schemaversion="7.5" name="kiwi-test-image-nitro-enclave">
+    <description type="system">
+        <author>Marcus Schäfer</author>
+        <contact>[email protected]</contact>
+        <specification>AWS Nitro Enclave test build</specification>
+    </description>
+    <profiles>
+        <profile name="default" description="CPIO: default profile" import="true"/>
+        <profile name="std" description="KERNEL: default kernel" import="true"/>
+    </profiles>
+    <preferences>
+        <version>1.1.1</version>
+        <packagemanager>zypper</packagemanager>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <rpm-check-signatures>false</rpm-check-signatures>
+    </preferences>
+    <preferences>
+        <type image="enclave" enclave_format="aws-nitro" kernelcmdline="reboot=k panic=30 pci=off console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on rdinit=/sbin/init"/>
+    </preferences>
+    <repository type="rpm-md">
+        <source path="obsrepositories:/"/>
+    </repository>
+    <!-- temporary repo to fetch nitro-enclave-alive -->
+    <repository type="rpm-md">
+        <source path="obs://home:agraf/openSUSE_Tumbleweed"/>
+    </repository>
+    <users>
+        <user password="$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0" home="/root" name="root" groups="root"/>
+    </users>
+    <packages type="image" profiles="std">
+        <package name="kernel-default"/>
+    </packages>
+    <packages type="image">
+        <package name="systemd"/>
+        <package name="systemd-experimental"/>
+        <package name="iputils"/>
+        <package name="openssh"/>
+        <package name="iproute2"/>
+        <package name="less"/>
+        <package name="NetworkManager"/>
+        <package name="timezone"/>
+        <package name="nitro-enclave-alive"/>
+    </packages>
+    <packages type="bootstrap">
+        <package name="gawk"/>
+        <package name="grep"/>
+        <package name="gzip"/>
+        <package name="udev"/>
+        <package name="xz"/>
+        <package name="shadow"/>
+        <package name="filesystem"/>
+        <package name="glibc-locale"/>
+        <package name="cracklib-dict-full"/>
+        <package name="ca-certificates"/>
+        <package name="ca-certificates-mozilla"/>
+        <package name="openSUSE-release"/>
+    </packages>
+</image>
diff --git a/build-tests/x86/tumbleweed/test-image-nitro-enclave/config.sh b/build-tests/x86/tumbleweed/test-image-nitro-enclave/config.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -ex
+
+declare kiwi_iname=${kiwi_iname}
+
+echo "Configure image: [${kiwi_iname}]..."
+
+#======================================
+# Setup services
+#--------------------------------------
+for service in nitro-enclave-alive sshd;do
+    systemctl enable "${service}"
+done
+
+#======================================
+# Allow ssh root login
+#--------------------------------------
+echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/root.conf
+
+#======================================
+# load virtio_mmio
+#--------------------------------------
+echo virtio_mmio > /etc/modules-load.d/virtio-mmio.conf
diff --git a/doc/source/building_images.rst b/doc/source/building_images.rst
@@ -17,3 +17,4 @@ Building Images for Supported Types
    building_images/build_container_image
    building_images/build_wsl_container
    building_images/build_kis
+   building_images/build_enclave
diff --git a/doc/source/building_images/build_enclave.rst b/doc/source/building_images/build_enclave.rst
@@ -0,0 +1,103 @@
+.. _eif:
+
+Build an AWS Nitro Enclave
+==============================
+
+.. sidebar:: Abstract
+
+   This page explains how to build AWS Nitro Enclaves. It covers the following topics:
+
+   * how to build an AWS Nitro Enclave
+   * how to test the enclave via QEMU
+
+AWS Nitro Enclaves enables customers to create isolated compute environments
+to further protect and securely process highly sensitive data such as personally
+identifiable information (PII), healthcare, financial, and intellectual property
+data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro
+Hypervisor technology that provides CPU and memory isolation for EC2 instances.
+For further details please visit https://aws.amazon.com/ec2/nitro/nitro-enclaves
+
+To add an enclave build to your appliance, create a `type` element with
+`image` set to `enclave` in the :file:`config.xml` file as shown below:
+
+.. code:: xml
+
+   <image schemaversion="{schema_version}" name="Tumbleweed_enclave">
+     <!-- snip -->
+     <profiles>
+       <profile name="default" description="CPIO: default profile" import="true"/>
+       <profile name="std" description="KERNEL: default kernel" import="true"/>
+     </profiles>
+     <preferences>
+       <type image="enclave" enclave_format="aws-nitro" kernelcmdline="reboot=k panic=30 pci=off console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd random.trust_cpu=on rdinit=/sbin/init"/>
+       <!-- additional preferences -->
+     </preferences>
+     <packages type="image" profiles="std">
+        <package name="kernel-default"/>
+     </packages>
+     <!-- more packages -->
+     <!-- snip -->
+   </image>
+
+The following attributes of the `type` element are relevant:
+
+- `enclave_format`: Specifies the enclave target
+
+  As of today only the `aws-nitro` enclave target is supported
+
+
+- `kernelcmdline`: Specifies the kernel commandline suitable for the enclave
+
+  An enclave is a system that runs completely in RAM loaded from
+  an enclave binary format which includes the kernel, initrd and
+  the kernel commandline suitable for the target system.
+
+With the appropriate settings specified in :file:`config.xml`, you can build an
+image using {kiwi}:
+
+.. code:: bash
+
+   $ sudo kiwi-ng system build \
+         --description kiwi/build-tests/{exc_description_enclave} \
+         --set-repo {exc_repo_tumbleweed} \
+         --target-dir /tmp/myimage
+
+The resulting image is saved in :file:`/tmp/myimage`, and the image can
+be tested with QEMU:
+
+.. code:: bash
+
+   $ sudo qemu-system-x86_64 \
+         -M nitro-enclave,vsock=c \
+         -m 4G \
+         -nographic \
+         -chardev socket,id=c,path=/tmp/vhost4.socket \
+         -kernel {exc_image_base_name_enclave}.eif
+
+The image is now complete and ready to use. Access to the system is
+possible via ssh through a vsock connection into the guest. To establish
+a vsock connection it's required to forward the connection through the
+guest AF_VSOCK socket. This can be done via a ProxyCommand setup of the
+host ssh as follows:
+
+.. code:: bash
+
+   $ vi ~/bin/vsock-ssh.sh
+
+   #!/bin/bash
+   CID=$(echo "$1" | cut -d . -f 1)
+   socat - VSOCK-CONNECT:$CID:22
+
+.. code:: bash
+
+   $ vi ~/.ssh/config
+
+   host *.vsock
+     ProxyCommand ~/bin/vsock-ssh.sh %h
+
+After the ssh proxy setup login to the enclave with a custom vsock port
+as follows:
+
+.. code:: bash
+
+   $ ssh [email protected]
diff --git a/doc/source/conf.py b/doc/source/conf.py
@@ -70,6 +70,7 @@ def setup(app):
     '{exc_image_base_name_disk_simple}': 'kiwi-test-image-disk-simple',
     '{exc_image_base_name_live}': 'kiwi-test-image-live',
     '{exc_image_base_name_docker}': 'kiwi-test-image-docker',
+    '{exc_image_base_name_enclave}': 'kiwi-test-image-nitro-enclave',
     '{exc_netboot}': 'netboot/suse-tumbleweed',
     '{exc_description_pxe}': 'x86/tumbleweed/test-image-pxe',
     '{exc_description_vagrant}': 'x86/leap/test-image-vagrant',
@@ -78,6 +79,7 @@ def setup(app):
     '{exc_description_live}': 'x86/leap/test-image-live',
     '{exc_description_wsl}': 'x86/tumbleweed/test-image-wsl',
     '{exc_description_docker}': 'x86/leap/test-image-docker',
+    '{exc_description_enclave}': 'x86/tumbleweed/test-image-nitro-enclave',
     '{exc_os_version}': '15.5',
     '{exc_image_version}': '1.15.3',
     '{exc_repo_leap}': 'obs://openSUSE:Leap:15.5/standard',

diff --git a/doc/source/image_types_and_results.rst b/doc/source/image_types_and_results.rst
@@ -48,6 +48,11 @@ KIS Root File System Image
   Many different deployment strategies are possible.
   For further details refer to: :ref:`kis`
 
+AWS Nitro Enclave
+  An initrd based image using the `eif` binary format. The image is
+  expected to be used in the AWS Nitro Enclave system or for testing
+  in QEMU. For further details refer to: :ref:`eif`
+
 Image Results
 -------------
 

diff --git a/kiwi/builder/__init__.py b/kiwi/builder/__init__.py
@@ -49,6 +49,8 @@ def new(
             name_token = ('live', 'LiveImageBuilder')
         elif image_type in Defaults.get_kis_image_types():
             name_token = ('kis', 'KisBuilder')
+        elif image_type in Defaults.get_enclaves_image_types():
+            name_token = ('enclave', 'EnclaveBuilder')
         elif image_type in Defaults.get_archive_image_types():
             name_token = ('archive', 'ArchiveBuilder')
         elif image_type in Defaults.get_container_image_types():