Reproducible Kettle builds #36 (Merged)
Force-pushed from f96cd7f to e211b87.
Author (collaborator):
Okay, built a version with attestation enabled, attested something on the TEE using the reproducible build, and verified it:
Force-pushed from 93cfb44 to bd029b0.
Force-pushed from 8c11434 to 2f53302.
These three crates are vendored as-is from crates.io (versions 0.6.0, 7.7.0, 0.8.1 respectively) so we can patch them in-tree to bypass the tctildr dlopen-based TCTI loader, which doesn't work in our static reproducible build. These files are unmodified, and the patches are in later commits.
Force-pushed from 2f53302 to f53df4d.
In a static binary that includes glibc, libtss2-tctildr can't use dlopen
to load any TCTI plugins at runtime, so attestation::detect() always
fails with NoPlatformDetected even when the host has /dev/tpm0 wired up.
This commit patches the three vendored crates so a Device TCTI can be
initialized directly, without going through tctildr:
* tss-esapi-sys: also pkg_config-probe tss2-tcti-device, and declare
Tss2_Tcti_Device_Init in the FFI surface.
* tss-esapi: add TctiContext::initialize_device_direct and
Context::new_device_direct, which malloc the TCTI buffer and call
Tss2_Tcti_Device_Init in place. Track init mode in TctiContext so
Drop calls the matching finalizer — Tss2_TctiLdr_Finalize for
loader-allocated contexts, and the TCTI's own finalize fn pointer
+ libc free for direct-init contexts (TctiLdr_Finalize would cast
the buffer to a TSS2_TCTILDR_CONTEXT and dereference loader-only
fields that don't exist, which is very bad).
* az-cvm-vtpm: switch the four Context::new(TctiNameConf::Device(..))
callsites in vtpm/mod.rs to Context::new_device_direct.
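The commit message above describes two ownership models for a TCTI context that must never be mixed at teardown: a loader-allocated context is finalized by the loader, while a directly initialized context is finalized through the function pointer in its own header and then freed by the caller. The following is an added example, not code from this PR, Kettle, or the tss-esapi crates. It models that pattern in safe-wrapper style: every `tss2_*_stub` function is a stand-in written for this example (the real calls are `Tss2_Tcti_Device_Init`, `Tss2_TctiLdr_Initialize` and `Tss2_TctiLdr_Finalize` from tss-esapi-sys), the two-call size-then-initialize contract mirrors how the real `Tss2_Tcti_Device_Init` works, and the struct layouts, return-code constants and magic values are constructed approximations of the TSS2 common header, not the real definitions.

```rust
use std::alloc::{alloc_zeroed, dealloc, handle_alloc_error, Layout};
use std::sync::atomic::{AtomicUsize, Ordering};

// Placeholder return codes for this example, not the real TSS2_RC values.
const RC_OK: u32 = 0;
const RC_BAD_REFERENCE: u32 = 1;
const RC_INSUFFICIENT_BUFFER: u32 = 2;

/// Stand-in for the leading fields of TSS2_TCTI_CONTEXT_COMMON_V1; a real
/// build would use the bindgen-generated type from tss-esapi-sys.
#[repr(C)]
#[allow(dead_code)]
pub struct TctiCommon {
    magic: u64,
    version: u32,
    finalize: Option<unsafe extern "C" fn(*mut TctiCommon)>,
}

/// Constructed model of a device TCTI's private state: header plus an fd.
#[repr(C)]
struct DeviceTcti {
    common: TctiCommon,
    fd: i32,
}

/// Constructed model of the loader's wrapper: the same header followed by
/// loader-only fields that a directly initialized buffer does not have.
#[repr(C)]
struct LdrTcti {
    common: TctiCommon,
    inner: *mut TctiCommon,
    inner_layout: Layout,
}

// Counters so a caller can observe which finalizer actually ran.
pub static DEVICE_FINALIZED: AtomicUsize = AtomicUsize::new(0);
pub static LDR_FINALIZED: AtomicUsize = AtomicUsize::new(0);

pub fn finalize_counts() -> (usize, usize) {
    (DEVICE_FINALIZED.load(Ordering::SeqCst), LDR_FINALIZED.load(Ordering::SeqCst))
}

unsafe extern "C" fn device_finalize(ctx: *mut TctiCommon) {
    let dev = ctx as *mut DeviceTcti;
    (*dev).fd = -1; // the real device TCTI closes /dev/tpm0 here
    (*ctx).magic = 0;
    DEVICE_FINALIZED.fetch_add(1, Ordering::SeqCst);
}

/// Stand-in for Tss2_Tcti_Device_Init with its two-call contract: a null
/// context reports the required size through `size`; a non-null context is
/// initialized in place and must be at least that large.
pub unsafe fn tss2_tcti_device_init_stub(ctx: *mut TctiCommon, size: *mut usize, _conf: &str) -> u32 {
    if size.is_null() { return RC_BAD_REFERENCE; }
    let need = std::mem::size_of::<DeviceTcti>();
    if ctx.is_null() { *size = need; return RC_OK; }
    if *size < need { return RC_INSUFFICIENT_BUFFER; }
    let header = TctiCommon { magic: 0x4445_5649_4345_0000, version: 1, finalize: Some(device_finalize) };
    std::ptr::write(ctx as *mut DeviceTcti, DeviceTcti { common: header, fd: 3 });
    RC_OK
}

unsafe extern "C" fn ldr_finalize(ctx: *mut TctiCommon) {
    // Reads loader-only fields, so it is only valid on a loader-allocated context.
    let ldr = ctx as *mut LdrTcti;
    if let Some(f) = (*(*ldr).inner).finalize { f((*ldr).inner); }
    dealloc((*ldr).inner as *mut u8, (*ldr).inner_layout);
    LDR_FINALIZED.fetch_add(1, Ordering::SeqCst);
}

/// Stand-in for Tss2_TctiLdr_Initialize: the loader owns both the wrapper and
/// the device TCTI it wraps, so the caller never frees this buffer itself.
pub unsafe fn tss2_tctildr_initialize_stub(conf: &str, out: *mut *mut TctiCommon) -> u32 {
    let mut size = 0usize;
    let rc = tss2_tcti_device_init_stub(std::ptr::null_mut(), &mut size, conf);
    if rc != RC_OK { return rc; }
    let inner_layout = Layout::from_size_align(size, 16).unwrap();
    let inner = alloc_zeroed(inner_layout) as *mut TctiCommon;
    if inner.is_null() { handle_alloc_error(inner_layout); }
    let rc = tss2_tcti_device_init_stub(inner, &mut size, conf);
    if rc != RC_OK { dealloc(inner as *mut u8, inner_layout); return rc; }
    let header = TctiCommon { magic: 0x4C44_5200, version: 1, finalize: Some(ldr_finalize) };
    *out = Box::into_raw(Box::new(LdrTcti { common: header, inner, inner_layout })) as *mut TctiCommon;
    RC_OK
}

/// Stand-in for Tss2_TctiLdr_Finalize: finalizes and frees the wrapper, then nulls the pointer.
pub unsafe fn tss2_tctildr_finalize_stub(ctx: *mut *mut TctiCommon) {
    if ctx.is_null() || (*ctx).is_null() { return; }
    ldr_finalize(*ctx);
    drop(Box::from_raw(*ctx as *mut LdrTcti));
    *ctx = std::ptr::null_mut();
}

/// Which init path produced the context; Drop dispatches on this.
#[derive(Clone, Copy)]
enum InitMode { Loader, Direct(Layout) }

pub struct TctiContext { ptr: *mut TctiCommon, mode: InitMode }

impl TctiContext {
    pub fn initialize_loader(conf: &str) -> Result<Self, u32> {
        let mut ptr: *mut TctiCommon = std::ptr::null_mut();
        let rc = unsafe { tss2_tctildr_initialize_stub(conf, &mut ptr) };
        if rc != RC_OK { return Err(rc); }
        Ok(Self { ptr, mode: InitMode::Loader })
    }

    /// Size query, caller-owned allocation, then in-place init. The commit uses
    /// libc malloc for the buffer; std::alloc with 16-byte alignment plays that role here.
    pub fn initialize_device_direct(conf: &str) -> Result<Self, u32> {
        unsafe {
            let mut size = 0usize;
            let rc = tss2_tcti_device_init_stub(std::ptr::null_mut(), &mut size, conf);
            if rc != RC_OK { return Err(rc); }
            let layout = Layout::from_size_align(size, 16).map_err(|_| RC_INSUFFICIENT_BUFFER)?;
            let ptr = alloc_zeroed(layout) as *mut TctiCommon;
            if ptr.is_null() { handle_alloc_error(layout); }
            let rc = tss2_tcti_device_init_stub(ptr, &mut size, conf);
            if rc != RC_OK { dealloc(ptr as *mut u8, layout); return Err(rc); }
            Ok(Self { ptr, mode: InitMode::Direct(layout) })
        }
    }

    pub fn is_direct(&self) -> bool { matches!(self.mode, InitMode::Direct(_)) }
}

impl Drop for TctiContext {
    fn drop(&mut self) {
        unsafe {
            match self.mode {
                // Loader-owned: only the loader knows the wrapper's layout.
                InitMode::Loader => tss2_tctildr_finalize_stub(&mut self.ptr),
                // Caller-owned: run the TCTI's own finalizer, then free our buffer.
                InitMode::Direct(layout) => {
                    if let Some(f) = (*self.ptr).finalize { f(self.ptr); }
                    dealloc(self.ptr as *mut u8, layout);
                }
            }
        }
    }
}

fn main() {
    drop(TctiContext::initialize_device_direct("/dev/tpm0").unwrap());
    drop(TctiContext::initialize_loader("device:/dev/tpm0").unwrap());
    println!("finalized (device, loader) = {:?}", finalize_counts());
}
```

The point the commit makes is visible in the two finalizers: `ldr_finalize` reads `inner` and `inner_layout` past the common header, so handing it a buffer that was only ever sized for `DeviceTcti` would read past the allocation; keeping the init mode in the wrapper is what guarantees each context gets the finalizer that matches its allocation.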
Force-pushed from f53df4d to ac42f09.
Force-pushed from 75b4a80 to 10bdf2b.
Force-pushed from 9966c8f to fef4065.
Run bin/reproduce-build to build Kettle statically using musl libc inside Docker, using the fully-reproducible rustc provided by stagex.tools. With Kettle fully reproducible by anyone on demand, we can publish our own builds and invite anyone to run their own build to verify Kettle itself. A clean build from a brand new repo checkout takes no more than 2 minutes on a machine with 16+ cores.