diff --git a/.github/actions/install-intel-dcap/action.yml b/.github/actions/install-intel-dcap/action.yml
new file mode 100644
index 000000000..1e08af3d1
--- /dev/null
+++ b/.github/actions/install-intel-dcap/action.yml
@@ -0,0 +1,15 @@
+name: 'Install Intel DCAP libraries'
+inputs:
+ ubuntu-version:
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: Install TDX dependencies
+ id: install-tdx-dependencies
+ shell: bash
+ run: |
+ curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
+ echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${{ inputs.ubuntu-version }} main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends libtdx-attest-dev
diff --git a/.github/workflows/aa_basic.yml b/.github/workflows/aa_basic.yml
index 0eff512a0..725143b83 100644
--- a/.github/workflows/aa_basic.yml
+++ b/.github/workflows/aa_basic.yml
@@ -65,12 +65,9 @@ jobs:
 run: |
 sudo apt-get update && sudo apt-get install -y protobuf-compiler
- - name: Install TDX dependencies
- run: |
- sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
- sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
- sudo apt-get update
- sudo apt-get install -y --no-install-recommends libtdx-attest-dev
+ - uses: ./.github/actions/install-intel-dcap
+ with:
+ ubuntu-version: jammy
 if: matrix.instance == 'ubuntu-22.04'
 - name: Install TPM dependencies
diff --git a/.github/workflows/aa_cc_kbc.yml b/.github/workflows/aa_cc_kbc.yml
index 701b4533d..b5686dac4 100644
--- a/.github/workflows/aa_cc_kbc.yml
+++ b/.github/workflows/aa_cc_kbc.yml
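Review bot: The repository signing key imported on the `curl -sL … | sudo gpg --dearmor` line is trusted solely because download.01.org served it at that moment; nothing in the action pins which key is expected, so a different key at that URL would be accepted and every later `apt-get install` from the new source would trust it. Pin the key by checking its fingerprint after import, e.g. `fpr="$(gpg --show-keys --with-colons /usr/share/keyrings/intel-sgx.gpg | awk -F: '/^fpr:/ {print $10; exit}')"` followed by `[ "$fpr" = "<EXPECTED_INTEL_SGX_KEY_FINGERPRINT>" ] || { echo "unexpected Intel SGX repo key: $fpr" >&2; exit 1; }`, with the expected value recorded in the action rather than fetched. `curl -sL` should also become `curl -fsSL` so an HTTP error body is not dearmored into the keyring. Separately, `${{ inputs.ubuntu-version }}` is expanded into the script text before bash runs it; the usual hardening is a step-level `env: UBUNTU_VERSION: ${{ inputs.ubuntu-version }}` and `${UBUNTU_VERSION}` inside the `echo` (which then needs double quotes instead of the current single quotes), and the `ubuntu-version` input lacks a `description:`.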
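Review bot: The replacement step carries no `name:`, so the job log shows only `Run ./.github/actions/install-intel-dcap` where the removed step was labelled, and its `if:` sits after `with:` where it is easy to miss when scanning the step list. Consider `- name: Install TDX dependencies` above `uses:` and `if: matrix.instance == 'ubuntu-22.04'` directly under it, matching how the neighbouring `Install TPM dependencies` step is written. The same layout recurs in the aa_cc_kbc.yml and image_rs_build.yml hunks and in the install-intel-dcap step of publish-artifacts.yml.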
@@ -55,12 +55,9 @@ jobs:
 override: true
 components: rustfmt
- - name: Install TDX dependencies
- run: |
- sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
- sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
- sudo apt-get update
- sudo apt-get install -y --no-install-recommends libtdx-attest-dev
+ - uses: ./.github/actions/install-intel-dcap
+ with:
+ ubuntu-version: jammy
 - name: Install TPM dependencies
 run: |
diff --git a/.github/workflows/image_rs_build.yml b/.github/workflows/image_rs_build.yml
index 11e42fadf..1e0fb13b3 100644
--- a/.github/workflows/image_rs_build.yml
+++ b/.github/workflows/image_rs_build.yml
@@ -56,12 +56,9 @@ jobs:
 run: |
 sudo apt install -y clang llvm pkg-config nettle-dev protobuf-compiler libprotobuf-dev
- - name: Install TDX dependencies
- run: |
- sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
- sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
- sudo apt-get update
- sudo apt-get install -y --no-install-recommends libtdx-attest-dev
+ - uses: ./.github/actions/install-intel-dcap
+ with:
+ ubuntu-version: jammy
 if: matrix.instance == 'ubuntu-latest'
 - name: Install TPM dependencies
diff --git a/.github/workflows/publish-artifacts.yml b/.github/workflows/publish-artifacts.yml
new file mode 100644
index 000000000..cbd3f4f19
--- /dev/null
+++ b/.github/workflows/publish-artifacts.yml
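Review bot: In the image_rs_build.yml hunk the new step passes `ubuntu-version: jammy` but is guarded by `if: matrix.instance == 'ubuntu-latest'`, so the apt suite is hard-coded while the runner image floats; if `ubuntu-latest` resolves to a release other than 22.04, the added `intel-sgx.list` entry points at the wrong suite and `apt-get install libtdx-attest-dev` either fails or pulls packages built against another Ubuntu release. Either pin that matrix entry to `ubuntu-22.04` as aa_basic.yml does, or derive the codename on the runner with `$(lsb_release -cs)` and pass that instead of a literal. The aa_cc_kbc.yml hunk above is unconditional, so presumably its job already runs on a fixed 22.04 image; the `runs-on` is outside the hunk, so worth confirming.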
@@ -0,0 +1,188 @@
+name: Publish artifacts with ORAS
+
+on:
+ push:
+ branches:
+ - main
+
+env:
+ RUST_TOOLCHAIN: 1.76.0
+
+jobs:
+ publish-aa:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
+ strategy:
+ matrix:
+ platform: [
+ { tee: none, arch: x86_64, libc: musl },
+ { tee: none, arch: s390x, libc: gnu },
+ { tee: amd, arch: x86_64, libc: musl },
+ { tee: az-cvm-vtpm, arch: x86_64, libc: gnu },
+ { tee: tdx, arch: x86_64, libc: gnu },
+ { tee: cca, arch: x86_64, libc: musl },
+ { tee: se, arch: s390x, libc: gnu },
+ ]
+ runs-on: ${{ matrix.platform.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
+ env:
+ TEE_PLATFORM: ${{ matrix.platform.tee }}
+ LIBC: ${{ matrix.platform.libc }}
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ RUST_TARGET: ${{ matrix.platform.arch }}-unknown-linux-${{ matrix.platform.libc }}
+ steps:
+ - name: Log in to the Container registry
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: oras-project/setup-oras@v1
+ with:
+ version: 1.2.0
+
+ - uses: actions/checkout@v4
+
+ - uses: actions-rust-lang/setup-rust-toolchain@v1
+ with:
+ toolchain: ${{ env.RUST_TOOLCHAIN }}
+ target: ${{ env.RUST_TARGET }}
+ override: true
+
+ - name: Install tpm dependencies
+ if: matrix.platform.tee == 'az-cvm-vtpm'
+ run: |
+ sudo apt-get install -y --no-install-recommends libtss2-dev
+
+ - uses: ./.github/actions/install-intel-dcap
+ with:
+ ubuntu-version: jammy
+ if: matrix.platform.tee == 'tdx'
+
+ - uses: actions/checkout@v4
+
+ - name: Build
+ run: make ./target/${{ env.RUST_TARGET }}/release/attestation-agent
+
+ - name: Publish with ORAS
+ id: publish
+ env:
+ OCI_ARCH: ${{ matrix.platform.arch == 'x86_64' && 'amd64' || matrix.platform.arch }}
+ run: |
+ mkdir oras
+ cd oras
+ cp ../target/${{ env.RUST_TARGET }}/release/attestation-agent .
+ tar cJf attestation-agent.tar.xz attestation-agent
+ arch_tag="${{ github.sha }}-${{ matrix.tee }}_${{ matrix.arch }}"
+ image="${REGISTRY}/${IMAGE_NAME}/attestation-agent"
+ tag="${{ github.sha }}-${{ matrix.tee }}"
+ arch_tag="${tag}_${ARCH}"
+ oras push "${image}:${arch_tag}" attestation-agent.tar.xz
+ # We need to create the platform annotations with docker, since oras 1.2 doesn't support
+ # pushing with platform yet.
+ docker manifest create "${image}:${tag}" --amend "${image}:${arch_tag}"
+ docker manifest annotate --arch "$OCI_ARCH" --os linux "${image}:${tag}" "${image}:${arch_tag}"
+ docker manifest push "${image}:${tag}"
+ # add image and digest to output for attestation
+ echo "image=${image}" >> "$GITHUB_OUTPUT"
+ digest="$(oras manifest fetch "${image}:${arch_tag}" --descriptor | jq -r .digest)"
+ echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ steps.publish.outputs.image }}
+ subject-digest: ${{ steps.publish.outputs.digest }}
+ push-to-registry: true
+
+ publish-cdh-and-asr:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
+ strategy:
+ matrix:
+ arch:
+ - x86_64
+ - s390x
+ include:
+ - arch: x86_64
+ libc: musl
+ - arch: s390x
+ libc: gnu
+ runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
+ env:
+ LIBC: ${{ matrix.libc }}
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+ RUST_TARGET: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
+ steps:
+ - name: Log in to the Container registry
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: oras-project/setup-oras@v1
+ with:
+ version: 1.2.0
+
+ - uses: actions-rust-lang/setup-rust-toolchain@v1
+ with:
+ toolchain: ${{ env.RUST_TOOLCHAIN }}
+ target: ${{ env.RUST_TARGET }}
+ override: true
+
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends \
+ libdevmapper-dev \
+ protobuf-compiler
+
+ - uses: actions/checkout@v4
+
+ - name: Build CDH
+ run: make ./target/${{ env.RUST_TARGET }}/release/confidential-data-hub
+
+ - name: Build ASR
+ run: make ./target/${{ env.RUST_TARGET }}/release/api-server-rest
+
+ - name: Publish CDH + ASR with ORAS
+ id: publish
+ run: |
+ tag="${{ github.sha }}-${{ matrix.arch }}"
+ mkdir oras
+ cd oras
+ cp ../target/${{ env.RUST_TARGET }}/release/{confidential-data-hub,api-server-rest} .
+
+ tar cJf confidential-data-hub.tar.xz confidential-data-hub
+ image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/confidential-data-hub"
+ oras push "${image}:${tag}" confidential-data-hub.tar.xz
+ echo "cdh-image=${image}" >> "$GITHUB_OUTPUT"
+ digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
+ echo "cdh-digest=${digest}" >> "$GITHUB_OUTPUT"
+
+ tar cJf api-server-rest.tar.xz api-server-rest
+ image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/api-server-rest"
+ oras push "${image}:${tag}" api-server-rest.tar.xz
+ echo "asr-image=${image}" >> "$GITHUB_OUTPUT"
+ digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
+ echo "asr-digest=${digest}" >> "$GITHUB_OUTPUT"
+
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ steps.publish.outputs.cdh-image }}
+ subject-digest: ${{ steps.publish.outputs.cdh-digest }}
+ push-to-registry: true
+
+ - uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ steps.publish.outputs.asr-image }}
+ subject-digest: ${{ steps.publish.outputs.asr-digest }}
+ push-to-registry: true
diff --git a/Makefile b/Makefile
index b6bd23eb1..c6bfa895d 100644
--- a/Makefile
+++ b/Makefile
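Review bot: In the `Publish with ORAS` script of `publish-aa`, `arch_tag="${{ github.sha }}-${{ matrix.tee }}_${{ matrix.arch }}"` and `tag="${{ github.sha }}-${{ matrix.tee }}"` reference `matrix.tee` and `matrix.arch`, but this job's matrix is a single `platform` object so both expand to empty, and the following `arch_tag="${tag}_${ARCH}"` reads `$ARCH`, which is set nowhere in the workflow, job or step `env` (those define `RUST_TOOLCHAIN`, `TEE_PLATFORM`, `LIBC`, `REGISTRY`, `IMAGE_NAME`, `RUST_TARGET` and `OCI_ARCH`). Every matrix leg would therefore push to the same `<sha>-_` tag and `docker manifest create --amend` would mix architectures under one manifest; use `tag="${{ github.sha }}-${TEE_PLATFORM}"` and `arch_tag="${tag}_${{ matrix.platform.arch }}"` and drop the first `arch_tag=` assignment. `docker/login-action` is pinned to a commit SHA, but `oras-project/setup-oras@v1`, `actions/checkout@v4`, `actions-rust-lang/setup-rust-toolchain@v1` and `actions/attest-build-provenance@v1` are pinned to mutable tags in jobs holding `id-token: write`, `attestations: write` and `packages: write`, so a moved tag could publish and sign artifacts under this repository's identity; pin those to SHAs as well. `actions/checkout@v4` also appears twice in `publish-aa`, and the `Install tpm dependencies` step runs `apt-get install` without a preceding `apt-get update`, unlike the `Install dependencies` step of `publish-cdh-and-asr`.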
@@ -21,8 +21,8 @@ else ifeq ($(TEE_PLATFORM), fs)
 ATTESTER = none
 else ifeq ($(TEE_PLATFORM), tdx)
 ATTESTER = tdx-attester
-else ifeq ($(TEE_PLATFORM), az-tdx-vtpm)
- ATTESTER = az-tdx-vtpm-attester
+else ifeq ($(TEE_PLATFORM), az-cvm-vtpm)
+ ATTESTER = az-snp-vtpm-attester,az-tdx-vtpm-attester
 else ifeq ($(TEE_PLATFORM), sev)
 ATTESTER = none
 ifeq ($(NO_RESOURCE_PROVIDER), true)
@@ -32,8 +32,6 @@ else ifeq ($(TEE_PLATFORM), sev)
 endif
 else ifeq ($(TEE_PLATFORM), snp)
 ATTESTER = snp-attester
-else ifeq ($(TEE_PLATFORM), az-snp-vtpm)
- ATTESTER = az-snp-vtpm-attester
 else ifeq ($(TEE_PLATFORM), se)
 ATTESTER = se-attester
 else ifeq ($(TEE_PLATFORM), all)
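Review bot: Both Makefile hunks drop the `az-tdx-vtpm` and `az-snp-vtpm` values of `TEE_PLATFORM` without leaving an alias, so an existing invocation such as `make TEE_PLATFORM=az-snp-vtpm` now falls through to whatever the tail of this `else ifeq` chain does for an unrecognised platform, which is outside the hunk; if that tail is a silent default rather than an `$(error …)`, the old names build with the wrong attester set and no warning. Consider a deprecation branch in the first hunk, e.g. `else ifneq (,$(filter $(TEE_PLATFORM), az-tdx-vtpm az-snp-vtpm))` followed by `$(warning TEE_PLATFORM=$(TEE_PLATFORM) is deprecated, use az-cvm-vtpm)` and `ATTESTER = az-snp-vtpm-attester,az-tdx-vtpm-attester`, or an explicit error for the removed names. The combined `az-snp-vtpm-attester,az-tdx-vtpm-attester` value would also benefit from a one-line comment stating that the `az-cvm-vtpm` build carries both Azure vTPM attesters, if that is the intent.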