Push AS, RVPS, KBS and KBS Client for arm64 #639

Merged
merged 2 commits into from
Dec 23, 2024
32 changes: 23 additions & 9 deletions .github/workflows/build-as-image.yml
Expand Up @@ -13,9 +13,10 @@ jobs:
strategy:
fail-fast: false
matrix:
instance:
- ubuntu-latest
target_arch:
- x86_64
- s390x
- aarch64
name:
- RESTful CoCo-AS
- gRPC CoCo-AS
Expand All @@ -31,11 +32,22 @@ jobs:
- name: RVPS
docker_file: rvps/docker/Dockerfile
tag: rvps
# add verifier flag to arch
- instance: ubuntu-latest
# add instance and verifier flag to target
- target_arch: x86_64
target_platform: linux/amd64
build_platform: linux/amd64
instance: ubuntu-latest
verifier: all-verifier
- instance: s390x
- target_arch: s390x
target_platform: linux/s390x
build_platform: linux/s390x
instance: s390x
verifier: se-verifier
- target_arch: aarch64
target_platform: linux/arm64
build_platform: linux/amd64
instance: ubuntu-latest
verifier: cca-verifier
runs-on: ${{ matrix.instance }}

steps:
Expand All @@ -55,8 +67,10 @@ jobs:
- name: Build ${{ matrix.name }} Container Image
run: |
commit_sha=${{ github.sha }}
arch=$(uname -m)
DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} --build-arg ARCH="${arch}" \
docker buildx build --platform "${{ matrix.target_platform }}" \
-f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \
--build-arg BUILDPLATFORM="${{ matrix.build_platform }}" \
--build-arg ARCH="${{ matrix.target_arch }}" \
--build-arg VERIFIER="${{ matrix.verifier }}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" .
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" .
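Review bot: `${{ inputs.build_option }}` is expanded by the Actions expression engine straight into the `run:` script on the new `docker buildx build` line, so whatever the calling workflow passes is parsed as shell syntax rather than as arguments. Passing it through the environment keeps the word splitting the options need without letting the value introduce new commands: add `env:` with `BUILD_OPTION: ${{ inputs.build_option }}` to the step and write `${BUILD_OPTION}` in the command. The same expansion appears in the build step of `.github/workflows/build-kbs-image.yml`. The input's declaration is outside the visible hunks, so how far callers can influence its value should be confirmed.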
38 changes: 29 additions & 9 deletions .github/workflows/build-kbs-image.yml
Expand Up @@ -13,20 +13,26 @@ jobs:
strategy:
fail-fast: false
matrix:
instance:
- ubuntu-latest
target_arch:
- x86_64
- s390x
- aarch64
tag:
- kbs
- kbs-grpc-as
- kbs-ita-as
- rhel-ubi
exclude:
- instance: s390x
- target_arch: s390x
tag: kbs-ita-as
- instance: s390x
- target_arch: s390x
tag: rhel-ubi
- target_arch: aarch64
tag: kbs-ita-as
- target_arch: aarch64
tag: rhel-ubi
include:
# add docker_file + name to each tag
- tag: kbs
docker_file: kbs/docker/Dockerfile
name: build-in AS
Expand All @@ -39,6 +45,19 @@ jobs:
- tag: rhel-ubi
docker_file: kbs/docker/rhel-ubi/Dockerfile
name: RHEL UBI AS
# add instance flag to target
- target_arch: x86_64
target_platform: linux/amd64
build_platform: linux/amd64
instance: ubuntu-latest
- target_arch: s390x
target_platform: linux/s390x
build_platform: linux/s390x
instance: s390x
- target_arch: aarch64
target_platform: linux/arm64
build_platform: linux/amd64
instance: ubuntu-latest

runs-on: ${{ matrix.instance }}

Expand All @@ -59,8 +78,9 @@ jobs:
- name: Build Container Image KBS (${{ matrix.name }})
run: |
commit_sha=${{ github.sha }}
arch=$(uname -m)
DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \
--build-arg ARCH="${arch}" .
docker buildx build --platform "${{ matrix.target_platform }}" \
-f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \
-t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" \
--build-arg BUILDPLATFORM="${{ matrix.build_platform }}" \
--build-arg ARCH="${{ matrix.target_arch }}" .
2 changes: 2 additions & 0 deletions .github/workflows/push-as-image-to-ghcr.yml
Expand Up @@ -49,9 +49,11 @@ jobs:
commit_sha=${{ github.sha }}
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-aarch64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}"
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-aarch64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest"
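Review bot: The `latest` manifest is assembled from the mutable per-architecture tags `latest-s390x`, `latest-aarch64` and `latest-x86_64`, so if one architecture's build did not publish for this commit its tag still resolves to an older image and `docker manifest create` succeeds with images from different commits. Building the `latest` manifest from the commit-scoped tags as well, e.g. `--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-aarch64"`, makes a missing image fail the step instead. The job's dependencies on the build jobs are outside the hunk, so this may already be gated. `.github/workflows/push-kbs-image-to-ghcr.yml` uses the same pattern.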
19 changes: 7 additions & 12 deletions .github/workflows/push-kbs-client-to-ghcr.yml
Expand Up @@ -13,9 +13,8 @@ jobs:
arch:
- x86_64
- s390x
env:
RUSTC_VERSION: 1.76.0
runs-on: ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 's390x' }}
- aarch64
runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
permissions:
contents: read
packages: write
Expand All @@ -24,11 +23,8 @@ jobs:
- name: Check out code
uses: actions/checkout@v4

- name: Install Rust toolchain (${{ env.RUSTC_VERSION }})
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ env.RUSTC_VERSION }}
components: rustfmt, clippy
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to ghcr.io
uses: docker/login-action@v3
Expand All @@ -38,17 +34,16 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build a statically linked kbs-client for ${{ matrix.arch }} linux
working-directory: kbs
run: |
make cli-static-linux
docker buildx build -f kbs/docker/kbs-client/Dockerfile \
--build-arg ARCH="${{ matrix.arch }}" --output ./ .

- name: Push to ghcr.io
working-directory: target/${{ matrix.arch }}-unknown-linux-gnu/release
run: |
commit_sha=${{ github.sha }}
oras push \
ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-${{ matrix.arch }}-linux-gnu-${commit_sha},latest-${{ matrix.arch }} \
kbs-client
if [ "$(uname -m)" = "x86_64" ]; then
if [ "${{ matrix.arch }}" = "x86_64" ]; then
oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client
fi
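Review bot: `docker/setup-buildx-action@v3` is referenced by a movable tag in a job that holds `packages: write` and logs in to ghcr.io, so a retagged action release would run with publish rights. Pinning it to a full commit SHA, `uses: docker/setup-buildx-action@<full-commit-sha> # v3` (the placeholder stands for the SHA the maintainers verify), removes that dependency on the tag; the `actions/checkout@v4` and `docker/login-action@v3` steps are in the same position. Separately, the workflow no longer pins `RUSTC_VERSION`, so the compiler behind the published `kbs-client` is whatever `kbs/docker/kbs-client/Dockerfile` selects. That file is not shown in this section, so its base image tag is worth checking.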
4 changes: 3 additions & 1 deletion .github/workflows/push-kbs-image-to-ghcr.yml
Expand Up @@ -39,9 +39,11 @@ jobs:
commit_sha=${{ github.sha }}
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-aarch64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}"
docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-aarch64" \
--amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest"
docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest"
14 changes: 12 additions & 2 deletions attestation-service/docker/as-grpc/Dockerfile
Expand Up @@ -2,7 +2,8 @@
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

FROM rust:latest AS builder
FROM --platform=$BUILDPLATFORM rust:latest AS builder
ARG BUILDPLATFORM=linux/amd64
ARG ARCH=x86_64
ARG VERIFIER=all-verifier

Expand All @@ -18,7 +19,16 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/
apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi

# Build and Install gRPC attestation-service
RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,${VERIFIER} --locked
RUN if [ "$(uname -m)" != "${ARCH}" ]; then \
export GCC_PACKAGE="gcc-${ARCH}-linux-gnu"; \
export GCC_COMPILER="${ARCH}-linux-gnu-gcc"; \
export RUSTC_TARGET="${ARCH}-unknown-linux-gnu"; \
export TARGET_FLAG="--target ${RUSTC_TARGET}"; \
export RUSTFLAGS_ARGS=" -C linker=${GCC_COMPILER}"; \
export RUSTFLAGS="${RUSTFLAGS_ARGS}"; \
apt-get install -y ${GCC_PACKAGE}; \
rustup target add ${RUSTC_TARGET}; fi; \
cargo install --path attestation-service --bin grpc-as --features grpc-bin,${VERIFIER} --locked ${TARGET_FLAG}


FROM ubuntu:22.04
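Review bot: In the cross-compile branch of the new `RUN`, the steps are joined with `;`, so a failed `apt-get install` or `rustup target add` does not stop the layer and the error only surfaces later, when `cargo install` cannot find the linker or the target. Chaining the steps and refreshing the package index in the same layer makes the failure immediate: `apt-get update && apt-get install -y --no-install-recommends "${GCC_PACKAGE}" && \` followed by `rustup target add "${RUSTC_TARGET}"; fi && \`. The only `apt-get update` visible above runs in the `x86_64` branch of the previous `RUN`; lines outside the hunk may already cover other architectures. `attestation-service/docker/as-restful/Dockerfile` carries the same block.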
14 changes: 12 additions & 2 deletions attestation-service/docker/as-restful/Dockerfile
Expand Up @@ -2,7 +2,8 @@
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

FROM rust:latest AS builder
FROM --platform=$BUILDPLATFORM rust:latest AS builder
ARG BUILDPLATFORM=linux/amd64
ARG ARCH=x86_64
ARG VERIFIER=all-verifier

Expand All @@ -18,7 +19,16 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/
apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi

# Build and Install RESTful attestation-service
RUN cargo install --path attestation-service --bin restful-as --features restful-bin,${VERIFIER} --locked
RUN if [ "$(uname -m)" != "${ARCH}" ]; then \
export GCC_PACKAGE="gcc-${ARCH}-linux-gnu"; \
export GCC_COMPILER="${ARCH}-linux-gnu-gcc"; \
export RUSTC_TARGET="${ARCH}-unknown-linux-gnu"; \
export TARGET_FLAG="--target ${RUSTC_TARGET}"; \
export RUSTFLAGS_ARGS=" -C linker=${GCC_COMPILER}"; \
export RUSTFLAGS="${RUSTFLAGS_ARGS}"; \
apt-get install -y ${GCC_PACKAGE}; \
rustup target add ${RUSTC_TARGET}; fi; \
cargo install --path attestation-service --bin restful-as --features restful-bin,${VERIFIER} --locked ${TARGET_FLAG}

FROM ubuntu:22.04
ARG ARCH=x86_64
7 changes: 6 additions & 1 deletion kbs/Cargo.toml
Expand Up @@ -72,7 +72,7 @@ openssl = "0.10.55"
az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
derivative = "2.2.0"

[target.'cfg(not(target_arch = "s390x"))'.dependencies]
[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies]
attestation-service = { path = "../attestation-service", default-features = false, features = [
"all-verifier",
], optional = true }
Expand All @@ -82,6 +82,11 @@ attestation-service = { path = "../attestation-service", default-features = fals
"se-verifier",
], optional = true }

[target.'cfg(target_arch = "aarch64")'.dependencies]
attestation-service = { path = "../attestation-service", default-features = false, features = [
"cca-verifier",
], optional = true }


[dev-dependencies]
tempfile.workspace = true
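Review bot: The new `aarch64` dependency table enables only `cca-verifier` for the built-in attestation service, and the manifest does not say what that means for a deployment. Unless other features are switched on elsewhere, a KBS compiled for aarch64 would accept CCA evidence only, and that restriction follows from the architecture it was built for rather than from the TEEs its clients run on. A comment above the table would make this visible, for example `# aarch64 builds enable the CCA verifier only; the built-in AS on this architecture cannot verify evidence from other TEE types`. Whether the other verifiers are left out because their dependencies are unavailable on aarch64 is not visible here and is best stated by the author.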
47 changes: 35 additions & 12 deletions kbs/Makefile
@@ -1,12 +1,35 @@
AS_TYPE ?= coco-as
ALIYUN ?= false

ARCH := $(shell uname -m)
BUILD_ARCH := $(shell uname -m)
ARCH ?= $(shell uname -m)
# Check if ARCH is supported, otehrwise return error
ifeq ($(filter $(ARCH),x86_64 s390x),)
ifeq ($(filter $(ARCH),x86_64 s390x aarch64),)
$(error "Unsupported architecture: $(ARCH)")
endif

RELEASE_DIR := ../target/release
TARGET_FLAG :=
CARGO_ENV :=
ifneq ($(BUILD_ARCH), $(ARCH))
ifneq (,$(wildcard /etc/debian_version))
GCC_PACKAGE := gcc-$(ARCH)-linux-gnu
GCC_COMPILER := $(ARCH)-linux-gnu-gcc
RUSTC_TARGET := $(ARCH)-unknown-linux-gnu
GCC_INSTALL := $(shell sudo apt-get install -y ${GCC_PACKAGE})
RUST_INSTALL := $(shell rustup target add ${RUSTC_TARGET})
RUSTFLAGS_ARGS := -C linker=$(GCC_COMPILER)
TARGET_FLAG := --target $(RUSTC_TARGET)
RELEASE_DIR := ../target/$(RUSTC_TARGET)/release
OS_ARCH := $(ARCH)
OS_ARCH := $(OS_ARCH:x86_64=amd64)
OS_ARCH := $(OS_ARCH:aarch64=arm64)
CARGO_ENV := OPENSSL_INCLUDE_DIR=/usr/include/$(ARCH)-linux-gnu OPENSSL_LIB_DIR=/usr/lib/$(ARCH)-linux-gnu RUSTFLAGS="$(RUSTFLAGS_ARGS)"
else
$(error ERROR: Cross-compiling is only tested on Debian-like OSes)
endif
endif

CLI_FEATURES ?=
ATTESTER ?=
FEATURES ?=
Expand Down Expand Up @@ -37,25 +60,25 @@ build: background-check-kbs

.PHONY: background-check-kbs
background-check-kbs:
cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),$(AS_FEATURE)
$(CARGO_ENV) cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),$(AS_FEATURE) $(TARGET_FLAG)

.PHONY: passport-issuer-kbs
passport-issuer-kbs:
cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES)
$(CARGO_ENV) cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES) $(TARGET_FLAG)
mv ../target/release/kbs ../target/release/issuer-kbs

.PHONY: passport-resource-kbs
passport-resource-kbs:
cargo build -p kbs --locked --release --no-default-features --features $(FEATURES),
$(CARGO_ENV) cargo build -p kbs --locked --release --no-default-features --features $(FEATURES), $(TARGET_FLAG)
mv ../target/release/kbs ../target/release/resource-kbs

.PHONY: cli
cli:
cargo build -p kbs-client --locked --release --no-default-features --features $(CLI_FEATURES)
$(CARGO_ENV) cargo build -p kbs-client --locked --release --no-default-features --features $(CLI_FEATURES) $(TARGET_FLAG)

.PHONY: cli-static-linux
cli-static-linux:
cargo build \
$(CARGO_ENV) cargo build \
-p kbs-client \
--target=$(ARCH)-unknown-linux-gnu \
--config "target.$(ARCH)-unknown-linux-gnu.rustflags = '-C target-feature=+crt-static'" \
Expand All @@ -65,17 +88,17 @@ cli-static-linux:
--features sample_only

install-kbs:
install -D -m0755 ../target/release/kbs $(INSTALL_DESTDIR)
install -D -m0755 $(RELEASE_DIR)/kbs $(INSTALL_DESTDIR)

install-issuer-kbs:
install -D -m0755 ../target/release/issuer-kbs $(INSTALL_DESTDIR)
install -D -m0755 ../target/release/kbs-client $(INSTALL_DESTDIR)
install -D -m0755 $(RELEASE_DIR)/issuer-kbs $(INSTALL_DESTDIR)
install -D -m0755 $(RELEASE_DIR)/kbs-client $(INSTALL_DESTDIR)

install-resource-kbs:
install -D -m0755 ../target/release/resource-kbs $(INSTALL_DESTDIR)
install -D -m0755 $(RELEASE_DIR)/resource-kbs $(INSTALL_DESTDIR)

install-cli:
install -D -m0755 ../target/release/kbs-client $(INSTALL_DESTDIR)
install -D -m0755 $(RELEASE_DIR)/kbs-client $(INSTALL_DESTDIR)

uninstall:
rm -rf $(INSTALL_DESTDIR)/kbs $(INSTALL_DESTDIR)/kbs-client $(INSTALL_DESTDIR)/issuer-kbs $(INSTALL_DESTDIR)/resource-kbs
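Review bot: `GCC_INSTALL := $(shell sudo apt-get install -y ${GCC_PACKAGE})` and `RUST_INSTALL := $(shell rustup target add ${RUSTC_TARGET})` run while the Makefile is parsed, so any invocation with a foreign `ARCH`, including `make uninstall` or a dry run, installs packages as root. Nothing checks the result of `$(shell …)` either, so a failed install goes unnoticed until the link step. Moving both commands into an explicit phony target that the build targets depend on keeps the privilege use visible and lets a failure stop the build. In the same cross-compile case `passport-issuer-kbs` and `passport-resource-kbs` still run `mv ../target/release/kbs …` although cargo now writes under `$(RELEASE_DIR)`; those lines should read `mv $(RELEASE_DIR)/kbs $(RELEASE_DIR)/issuer-kbs` and `mv $(RELEASE_DIR)/kbs $(RELEASE_DIR)/resource-kbs`.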
10 changes: 6 additions & 4 deletions kbs/docker/Dockerfile
@@ -1,4 +1,5 @@
FROM rust:slim AS builder
FROM --platform=$BUILDPLATFORM rust:slim AS builder
ARG BUILDPLATFORM=linux/amd64
ARG ARCH=x86_64
ARG ALIYUN=false

Expand All @@ -9,7 +10,8 @@ RUN apt-get update && \
curl \
gpg \
gnupg-agent \
git
git \
sudo

RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
Expand All @@ -36,8 +38,8 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s
WORKDIR /usr/src/kbs
COPY . .

RUN cd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} && \
make install-kbs
RUN cd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} ARCH=${ARCH} && \
make ARCH=${ARCH} install-kbs

FROM ubuntu:22.04
ARG ARCH=x86_64
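Review bot: The builder stage still starts from the floating tag `rust:slim` (the two attestation-service Dockerfiles in this change use `rust:latest`), so the compiler that produces the KBS binary changes whenever the tag moves and a published image cannot be tied back to a known toolchain. Pinning a version and digest, `FROM --platform=$BUILDPLATFORM rust:<version>-slim@sha256:<digest> AS builder` with values chosen by the maintainers, fixes that for every target architecture at once. `sudo` joins the package list only so that the Makefile's parse-time `sudo apt-get install` can run. The earlier `RUN apt-get update` already runs without it, so this stage appears to be root and the Makefile could call `apt-get` directly, leaving the package out.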