Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AS: Add support for selectable verifier suites #571

Merged
merged 1 commit into from
Nov 15, 2024

Conversation

Xynnn007
Copy link
Member

@Xynnn007 Xynnn007 commented Nov 11, 2024

Proposed in #565 by @tylerfanelli

We soon have two needs when building an AS binary / docker image to decouple verifier dependencies.

  1. Select specific verifier suites when building AS binary
  2. Install specific verifier software stack due to the selected verifier suites when build docker images

This patch accomplish 1, by disabling all verifiers in CoCoAS basic code and providing a VERIFIER env for makefile to specify the verifier suites.

For 2, we add make dockerfile function which also follows VERIFIER env to install related verifier software stack.
By default the generation of dockerfiles will use all-verifier.

We add target platform detecting logic to the KBS crate cargo toml to determine the built-in AS features.

Also, the CI pipeline of CoCoAS is updated.

Close #568

The RVPS features are a little messy. It will be tidied in #553

cc @tylerfanelli @fitzthum @mkulke

@Xynnn007 Xynnn007 requested a review from a team as a code owner November 11, 2024 07:41
@Xynnn007 Xynnn007 force-pushed the fix-se-ci branch 2 times, most recently from 2cedc9b to 226ab25 Compare November 11, 2024 07:58
@Xynnn007 Xynnn007 changed the title AS: Replace dockerfile generation logic AS: Add support for selectable verifier suites Nov 11, 2024
@Xynnn007 Xynnn007 marked this pull request as draft November 11, 2024 08:02
@Xynnn007 Xynnn007 force-pushed the fix-se-ci branch 2 times, most recently from 9a2e2d6 to dc25447 Compare November 11, 2024 08:35
@Xynnn007 Xynnn007 marked this pull request as ready for review November 11, 2024 09:06
Copy link
Contributor

@mkulke mkulke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder whether we can get avoid the dockerfile templating: would something like this work:

# Define the build argument with a default value
ARG INSTALL_EXTRA_DEPS=false

# Use the argument in a conditional statement within the RUN command
RUN if [ "$INSTALL_EXTRA_DEPS" = "true" ]; then \
      echo "Installing extra dependencies" && \
      apt-get update && \
      apt-get install -y some-extra-package; \
    else \
      echo "Skipping extra dependencies"; \
    fi

@Xynnn007
Copy link
Member Author

@mkulke all work but not for COPY command for tss libraries here.

If we add extra RUN rm ... the image will still be huge because the original layer exists.

I did not have a good way for this. Do you have any ideas / Is it a reason?

@mkulke
Copy link
Contributor

mkulke commented Nov 11, 2024

@mkulke all work but not for COPY command for tss libraries here.

If we add extra RUN rm ... the image will still be huge because the original layer exists.

I did not have a good way for this. Do you have any ideas / Is it a reason?

why do we copy the tss runtime libraries install of installing them via apt?

edit: the tpm runtime libs should amount to ~1mb on the filesystem, so I wouldn't bother about a toggle for them

Comment on lines 11 to 19
FEATURES ?=
VERIFIER ?= all-verifier

ifdef FEATURES
OPTIONAL_FEATURES := ,$(FEATURES)
default-features := --no-default-features
else
OPTIONAL_FEATURES :=
default-features :=
endif
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The FEATURES flag was specifically not named VERIFIER because it could be used for more than just verifiers. For example, it could be used like:

FEATURES=restful-bin,rvps-grpc,snp-verifier make grpc-as

to expand to:

cargo build --bin grpc-as --release \
                        --no-default-features \
                        --features grpc-bin,restful-bin,rvps-grpc,snp-verifier

snp-verifier was only one feature that was conditionally enabled. I'm not sure if removing this altogether and just specifying a VERIFIER flag without an alternative for other features is desired.

Copy link
Member Author

@Xynnn007 Xynnn007 Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I had thought about this by checking inside the existing features. They are three types

  1. verifiers: Specify which platform can be supported to verify
  2. rvps-*: indicate how to integrate rvps. (grpc or builtin)
  3. *-bin: grpc or restful extra dependencies of the binary

1 must be included to Makefile env.

3 is determined by the target binary to be built. If grpc-bin is enabled when building restful-bin, the binary size will not grow. Thus it is not needed to be included in the Makefile env.

What confuses is 2. There are two ways. The PR uses the relatively simplest way that by default both rvps-grpc and rvps-builtin are enabled. Another way is to add an extra flag to control the enablement of rvps-grpc and rvps-builtin. Seeing that cargo build could perform also any feature composition, I chose the way mentioned for ease.

Wdyt?

Copy link
Contributor

@tylerfanelli tylerfanelli Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I had thought about this by checking inside the existing features. They are three types

  1. verifiers: Specify which platform can be supported to verify

I think this is covered here. Either you specify the verifiers you want with VERIFIER= or it defaults to all-verifier. This sounds good to me.

  1. rvps-*: indicate how to integrate rvps. (grpc or builtin)
  2. *-bin: grpc or restful extra dependencies of the binary

1 must be included to Makefile env.

3 is determined by the target binary to be built. If grpc-bin is enabled when building restful-bin, the binary size will not grow. Thus it is not needed to be included in the Makefile env.

What confuses is 2. There are two ways. The PR uses the relatively simplest way that by default both rvps-grpc and rvps-builtin are enabled. Another way is to add an extra flag to control the enablement of rvps-grpc and rvps-builtin. Seeing that cargo build could perform also any feature composition, I chose the way mentioned for ease.

Wdyt?

There's no reason someone would want both rvps-grpc and rvps-builtin, correct? They're mutually exclusive. You could add a RVPS= variable, in which a user would specify:

RVPS=grpc make...
RVPS=builtin make...

And it defaults to one of those options...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no reason someone would want both rvps-grpc and rvps-builtin, correct? They're mutually exclusive. You could add a RVPS= variable, in which a user would specify:

This is only the build time choosing. The concrete behavior whether grpc or builtin would be used is determined by the config file at runtime. I know that
in customized scenarios, broad-spectrum support is not required, only one-to-one runtime requirements are supported.

Another flag is also good to me. I still want to listen to your ideas with my comments : )

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a plan to merge rvps-builtin feature into AS code and deprecate the feature as 1) make the configs dependency relationship clear and 2) it does not imports many new crates in #553.

Then, based on your suggestion a flag named GRPC_RVPS can be added to Makefile to indicate whether rvps_grpc is enabled when building restful-as

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, let me know when this is ready for another review.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I have pushed the changes with a TODO indicating what is going on after this PR

@Xynnn007 Xynnn007 force-pushed the fix-se-ci branch 2 times, most recently from e4b1479 to 381d8d2 Compare November 13, 2024 01:25
attestation-service/docker/as-grpc/Dockerfile Outdated Show resolved Hide resolved
attestation-service/docker/as-restful/Dockerfile Outdated Show resolved Hide resolved
.github/workflows/push-as-image-to-ghcr.yml Show resolved Hide resolved
deps/verifier/src/lib.rs Show resolved Hide resolved
@Xynnn007
Copy link
Member Author

hi @tylerfanelli ptal if it looks good to you

Copy link
Member

@BbolroC BbolroC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, update what I've mentioned. Otherwise, the workflow push-as-image-to-ghcr.yaml will trigger unnecessary 6 failing jobs.

We have two needs to build an AS docker image.
1. Use specific verifier suites (also for AS binary)
2. Install specific verifier software stack due to verifier

This patch accomplish 1, by disabling all verifiers in CoCoAS basic
code and providing a VERIFIER env for makefile to specify the verifier
suites.

For 2, we add make dockerfile function which also follows VERIFIER env
to install related verifier software stack. By default the generation
of dockerfiles will use all-verifier.

We add target platform detecting logic to the KBS crate cargo toml to
determine the built-in AS features.

Also, the CI pipeline of CoCoAS is updated.

Signed-off-by: Xynnn007 <[email protected]>
Copy link
Member

@BbolroC BbolroC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks @Xynnn007 !

Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Let's merge this so we can try to sneak it into the Kata release

Copy link
Contributor

@tylerfanelli tylerfanelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for addressing this.

@Xynnn007 Xynnn007 merged commit 5f2f053 into confidential-containers:main Nov 15, 2024
16 checks passed
@Xynnn007 Xynnn007 deleted the fix-se-ci branch November 15, 2024 04:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

s390x artifact build jobs failing
5 participants