Use SLSA to build system image and generate provenance.

This is now working, without hanging, thanks to the amazing bug-hunting skills of julsh@. Fixes: 335277885 Change-Id: If4be76878a6668995e40ab137403226df7bbdb7d
project-oak · Apr 17, 2024 · 8263919 · 8263919
1 parent 3a40942
commit 8263919
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 1 deletion.
diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
@@ -28,6 +28,7 @@ jobs:
           - buildconfigs/key_xor_test_app.toml
           - buildconfigs/oak_containers_kernel.toml
           - buildconfigs/oak_containers_stage1.toml
+          - buildconfigs/oak_containers_system_image.toml
           - buildconfigs/oak_echo_enclave_app.toml
           - buildconfigs/oak_echo_raw_enclave_app.toml
           - buildconfigs/oak_functions_enclave_app.toml

diff --git a/.github/workflows/reusable_provenance.yaml b/.github/workflows/reusable_provenance.yaml
@@ -75,7 +75,12 @@ jobs:
       actions: read
       id-token: write
       contents: write # For uploading provenances.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@v1.10.0
+    # We are using a patched version that emits stdout and stderr as the build progresses, rather than waiting until the very end to
+    # read everything in. This works around some issues we encountered when the
+    # output is very large. If our patch is eventually accepted upstream (or any other fix), we can switch back to using the main
+    # repository.
+    # See: https://github.com/slsa-framework/slsa-github-generator/issues/3571
+    uses: jul-sh/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@oak
     with:
       builder-image: 'europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development'
       builder-digest: ${{ needs.get_inputs.outputs.builder-digest }}

diff --git a/buildconfigs/oak_containers_system_image.toml b/buildconfigs/oak_containers_system_image.toml
@@ -0,0 +1,12 @@
+# This is the static build configuration that we use with the docker-based SLSA3 generator for
+# building the `stage1` binary, and its provenance.
+# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
+command = [
+  "nix",
+  "develop",
+  ".#systemImageProvenance",
+  "--command",
+  "just",
+  "oak_containers_system_image",
+]
+artifact_path = "./oak_containers_system_image/target/image.tar.xz"
diff --git a/flake.nix b/flake.nix
@@ -235,6 +235,15 @@
                 strip-nondeterminism
               ];
             };
+            systemImageProvenance = with pkgs; mkShell {
+              inputsFrom = [
+                bazel
+                bazel-buildtools
+                jdk11_headless
+                rust
+              ];
+              packages = [ ];
+            };
             # Shell for most CI steps (i.e. without contaniners support).
             ci = pkgs.mkShell {
               inputsFrom = [