From f0a76130f7f5eb5e15ff0e1d29f5708ad3fccef7 Mon Sep 17 00:00:00 2001
From: Mateusz Morusiewicz <11313015+Ruteri@users.noreply.github.com>
Date: Tue, 8 Apr 2025 19:26:25 +0200
Subject: [PATCH 1/5] Adds an autoprovisioning test target
---
 autoprovision-test.conf | 4 ++++
 autoprovision-test/autoprovision-test.conf | 8 ++++++++
 autoprovision-test/autoprovision.service | 15 +++++++++++++++
 autoprovision-test/mkosi.build | 6 ++++++
 autoprovision-test/mkosi.postinst | 8 ++++++++
 5 files changed, 41 insertions(+)
 create mode 100644 autoprovision-test.conf
 create mode 100644 autoprovision-test/autoprovision-test.conf
 create mode 100644 autoprovision-test/autoprovision.service
 create mode 100755 autoprovision-test/mkosi.build
 create mode 100755 autoprovision-test/mkosi.postinst
diff --git a/autoprovision-test.conf b/autoprovision-test.conf
new file mode 100644
index 0000000..176db7e
--- /dev/null
+++ b/autoprovision-test.conf
@@ -0,0 +1,4 @@
+[Config]
+Include=base/base.conf
+Include=autoprovision-test/autoprovision-test.conf
+Include=devtools/devtools.conf
diff --git a/autoprovision-test/autoprovision-test.conf b/autoprovision-test/autoprovision-test.conf
new file mode 100644
index 0000000..7db4f5b
--- /dev/null
+++ b/autoprovision-test/autoprovision-test.conf
@@ -0,0 +1,8 @@
+[Content]
+WithNetwork=true
+BuildScripts=autoprovision-test/mkosi.build
+BuildPackages=ca-certificates
+ golang-go
+ git
+Packages=cryptsetup
+PostInstallationScripts=autoprovision-test/mkosi.postinst
diff --git a/autoprovision-test/autoprovision.service b/autoprovision-test/autoprovision.service
new file mode 100644
index 0000000..8483f87
--- /dev/null
+++ b/autoprovision-test/autoprovision.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Autoprovisioner
+After=network-setup.service
+Wants=network-setup.service
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart=/usr/bin/autoprovision --app-contract 0000000000000000000000000000000000000000 --debug-local-provider --device-glob /dev/sda
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=minimal.target
diff --git a/autoprovision-test/mkosi.build b/autoprovision-test/mkosi.build
new file mode 100755
index 0000000..32d8fb2
--- /dev/null
+++ b/autoprovision-test/mkosi.build
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -euxo pipefail
+
+source scripts/make_git_package.sh
+
+make_git_package "tee-service-provisioning-backend" "main" "https://github.com/Ruteri/tee-service-provisioning-backend" 'go build -trimpath -ldflags "-s -w -buildid= " -v -o ./build/autoprovision ./instanceutils/autoprovision' "build/autoprovision:/usr/bin/autoprovision"
diff --git a/autoprovision-test/mkosi.postinst b/autoprovision-test/mkosi.postinst
new file mode 100755
index 0000000..351d6ab
--- /dev/null
+++ b/autoprovision-test/mkosi.postinst
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euxo pipefail
+
+# Install systemd service units
+SERVICE_DIR="$BUILDROOT/etc/systemd/system"
+mkdir -p "$SERVICE_DIR"
+
+install -m 644 "autoprovision-test/autoprovision.service" "$SERVICE_DIR/"
From d0f0dedd27e7ec0fcba9cee45d4b14b294bc29b3 Mon Sep 17 00:00:00 2001
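Review bot: `--device-glob /dev/sda` in ExecStart selects the target disk by kernel enumeration name, which is not guaranteed to be stable across boots, hypervisors or added devices, and the unit runs as root on an image that ships cryptsetup. What autoprovision does to a matched device is not visible in this patch, but if it formats or unlocks it, a wrong match is destructive. If the tool accepts any glob, a persistent name under `/dev/disk/by-path/` or `/dev/disk/by-id/` would be safer; otherwise add a unit comment such as `# test target only: assumes the data disk enumerates as /dev/sda`.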
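Review bot: The second argument to make_git_package in autoprovision-test/mkosi.build is `"main"`, which looks like a branch name rather than a commit, so every build with WithNetwork=true fetches whatever that branch points to at build time. The `-trimpath` and `-buildid=` flags aim at a reproducible binary, but with a moving source ref the image contents, and any measurement taken over them, can change without a change in this repository. Pinning a full commit hash, e.g. `make_git_package "tee-service-provisioning-backend" "<commit-sha>" ...` (placeholder), would fix the input, assuming make_git_package accepts a hash as its ref; its body is not part of this patch. The same applies to both calls in provisioner/mkosi.build in patch 2 and to the `remote-tdx-provider` and `autoprovision-test` refs introduced in patches 3 to 5.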
From: Mateusz Morusiewicz <11313015+Ruteri@users.noreply.github.com>
Date: Thu, 10 Apr 2025 13:38:43 +0200
Subject: [PATCH 2/5] Adds a simple remote provisioner image
---
 provisioner.conf | 5 +++++
 provisioner/measurements.json | 14 ++++++++++++++
 provisioner/mkosi.build | 7 +++++++
 provisioner/mkosi.postinst | 10 ++++++++++
 provisioner/provisioner.conf | 8 ++++++++
 provisioner/provisioner.service | 17 +++++++++++++++++
 provisioner/proxy-server.service | 17 +++++++++++++++++
 scripts/make_git_package.sh | 2 --
 tdx-dummy.conf | 1 +
 9 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 provisioner.conf
 create mode 100644 provisioner/measurements.json
 create mode 100755 provisioner/mkosi.build
 create mode 100755 provisioner/mkosi.postinst
 create mode 100644 provisioner/provisioner.conf
 create mode 100644 provisioner/provisioner.service
 create mode 100644 provisioner/proxy-server.service
diff --git a/provisioner.conf b/provisioner.conf
new file mode 100644
index 0000000..2ed1ab2
--- /dev/null
+++ b/provisioner.conf
@@ -0,0 +1,5 @@
+[Config]
+Mirror=https://snapshot.debian.org/archive/debian/20250331T024311Z/
+Include=base/base.conf
+Include=provisioner/provisioner.conf
+Include=devtools/devtools.conf
diff --git a/provisioner/measurements.json b/provisioner/measurements.json
new file mode 100644
index 0000000..1d28377
--- /dev/null
+++ b/provisioner/measurements.json
@@ -0,0 +1,14 @@
+[
+ {
+ "measurement_id": "azure-tdx",
+ "attestation_type": "azure-tdx",
+ "measurements": {
+ }
+ },
+ {
+ "measurement_id": "dcap-tdx",
+ "attestation_type": "dcap-tdx",
+ "measurements": {
+ }
+ }
+]
diff --git a/provisioner/mkosi.build b/provisioner/mkosi.build
new file mode 100755
index 0000000..e56ba59
--- /dev/null
+++ b/provisioner/mkosi.build
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euxo pipefail
+
+source scripts/make_git_package.sh
+
+make_git_package "tee-service-provisioning-backend" "main" "https://github.com/Ruteri/tee-service-provisioning-backend" 'go build -trimpath -ldflags "-s -w -buildid= " -v -o ./build/provisioner ./cmd/httpserver' "build/provisioner:/usr/bin/provisioner"
+make_git_package "cvm-reverse-proxy" "main" "https://github.com/flashbots/cvm-reverse-proxy" "make build-proxy-server" "build/proxy-server:/usr/bin/proxy-server"
diff --git a/provisioner/mkosi.postinst b/provisioner/mkosi.postinst
new file mode 100755
index 0000000..66de19b
--- /dev/null
+++ b/provisioner/mkosi.postinst
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euxo pipefail
+
+# Install systemd service units
+SERVICE_DIR="$BUILDROOT/etc/systemd/system"
+mkdir -p "$SERVICE_DIR"
+
+install -m 644 "provisioner/provisioner.service" "$SERVICE_DIR/"
+install -m 644 "provisioner/proxy-server.service" "$SERVICE_DIR/"
+install -m 644 "provisioner/measurements.json" "$BUILDROOT/measurements"
diff --git a/provisioner/provisioner.conf b/provisioner/provisioner.conf
new file mode 100644
index 0000000..2a603e6
--- /dev/null
+++ b/provisioner/provisioner.conf
@@ -0,0 +1,8 @@
+[Content]
+WithNetwork=true
+BuildScripts=provisioner/mkosi.build
+BuildPackages=ca-certificates
+ golang-go
+ git
+Packages=cryptsetup
+PostInstallationScripts=provisioner/mkosi.postinst
diff --git a/provisioner/provisioner.service b/provisioner/provisioner.service
new file mode 100644
index 0000000..cff155b
--- /dev/null
+++ b/provisioner/provisioner.service
@@ -0,0 +1,17 @@ +[Unit] +Description=Provisioner +After=network-setup.service +Wants=network-setup.service + +[Service] +Type=exec +User=root +Group=root +ExecStart=/usr/bin/provisioner --rpc-addr https://1rpc.io/sepolia --listen-addr localhost:8080 --simple-kms-seed 0000000000000000000000000000000000000000000000000000000000000000 --remote-attestation-provider http://ns31695324.ip-141-94-163.eu:10080 +Restart=on-failure +RestartSec=10 +StandardOutput=journal +StandardError=journal + +[Install] +WantedBy=minimal.target diff --git a/provisioner/proxy-server.service b/provisioner/proxy-server.service new file mode 100644 index 0000000..22279fa --- /dev/null +++ b/provisioner/proxy-server.service @@ -0,0 +1,17 @@ +[Unit] +Description=Provisioner CVM Proxy +After=provisioner.service +Wants=provisioner.service + +[Service] +Type=exec +User=root +Group=root +ExecStart=/usr/bin/proxy-server --listen-addr 0.0.0.0:8079 --target-addr http://localhost:8080 --server-attestation-type dummy --dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080 --client-measurements /measurements.json +Restart=on-failure +RestartSec=10 +StandardOutput=journal +StandardError=journal + +[Install] +WantedBy=minimal.target diff --git a/scripts/make_git_package.sh b/scripts/make_git_package.sh index f81afe8..44dce81 100644 --- a/scripts/make_git_package.sh +++ b/scripts/make_git_package.sh @@ -1,6 +1,4 @@ #!/bin/bash -# -# Note env variables: DESTDIR, BUILDROOT, GOCACHE make_git_package() { local package="$1" diff --git a/tdx-dummy.conf b/tdx-dummy.conf index 462dc4b..7c86091 100644 --- a/tdx-dummy.conf +++ b/tdx-dummy.conf @@ -1,4 +1,5 @@ [Config] +Mirror=https://snapshot.debian.org/archive/debian/20250331T024311Z/ Include=base/base.conf Include=tdx-dummy/tdx-dummy.conf Include=devtools/devtools.conf From 920dcff5d2f7a2a6ff9935538d07807381fa145e Mon Sep 17 00:00:00 2001 
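Review bot: `--simple-kms-seed` in provisioner.service is set to an all-zero value directly in ExecStart, so the seed is fixed in the image, readable in the unit file (installed mode 644) and visible in the process argument list; anything derived from it should be treated as publicly known. The same line sends `--remote-attestation-provider` traffic over plain `http://` to an external host, which leaves the responses open to modification in transit. If this image is development-only, say so in the unit, e.g. `# DEV ONLY: zero KMS seed and plaintext attestation provider, never deploy`; otherwise the seed has to come from a protected source at runtime, and whether provisioner can read it from a file or the environment is not visible here. Patch 3 re-states this line with only the listen address changed.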
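Review bot: The only listener in proxy-server.service that is reachable beyond loopback, `--listen-addr 0.0.0.0:8079`, runs with `--server-attestation-type dummy` and a `--dev-dummy-dcap` endpoint reached over plain `http://`, so clients get no real evidence of what they are connecting to. For the client side, `--client-measurements /measurements.json` points at a file whose two entries have empty `measurements` objects; whether proxy-server treats an empty set as accept-any or accept-none is not visible in this patch and should be confirmed, since accept-any would leave the forwarded provisioner endpoint without an effective client check. A comment at the top of the unit, e.g. `# DEV ONLY: dummy attestation, empty client measurements`, would keep this configuration from being copied into a production image.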
From: Mateusz Morusiewicz <11313015+Ruteri@users.noreply.github.com> Date: Thu, 10 Apr 2025 14:16:07 +0200 Subject: [PATCH 3/5] Adjustments --- provisioner.conf | 1 - provisioner/mkosi.build | 2 +- provisioner/mkosi.postinst | 2 +- provisioner/provisioner.conf | 6 +++--- provisioner/provisioner.service | 2 +- provisioner/proxy-server.service | 2 +- tdx-dummy.conf | 1 - 7 files changed, 7 insertions(+), 9 deletions(-) diff --git a/provisioner.conf b/provisioner.conf index 2ed1ab2..a9003c7 100644 --- a/provisioner.conf +++ b/provisioner.conf @@ -1,5 +1,4 @@ [Config] -Mirror=https://snapshot.debian.org/archive/debian/20250331T024311Z/ Include=base/base.conf Include=provisioner/provisioner.conf Include=devtools/devtools.conf diff --git a/provisioner/mkosi.build b/provisioner/mkosi.build index e56ba59..1c9a13c 100755 --- a/provisioner/mkosi.build +++ b/provisioner/mkosi.build @@ -4,4 +4,4 @@ set -euxo pipefail source scripts/make_git_package.sh make_git_package "tee-service-provisioning-backend" "main" "https://github.com/Ruteri/tee-service-provisioning-backend" 'go build -trimpath -ldflags "-s -w -buildid= " -v -o ./build/provisioner ./cmd/httpserver' "build/provisioner:/usr/bin/provisioner" -make_git_package "cvm-reverse-proxy" "main" "https://github.com/flashbots/cvm-reverse-proxy" "make build-proxy-server" "build/proxy-server:/usr/bin/proxy-server" +make_git_package "cvm-reverse-proxy" "remote-tdx-provider" "https://github.com/flashbots/cvm-reverse-proxy" "make build-proxy-server" "build/proxy-server:/usr/bin/proxy-server" diff --git a/provisioner/mkosi.postinst b/provisioner/mkosi.postinst index 66de19b..56ca082 100755 --- a/provisioner/mkosi.postinst +++ b/provisioner/mkosi.postinst 
@@ -7,4 +7,4 @@ mkdir -p "$SERVICE_DIR" install -m 644 "provisioner/provisioner.service" "$SERVICE_DIR/" install -m 644 "provisioner/proxy-server.service" "$SERVICE_DIR/" -install -m 644 "provisioner/measurements.json" "$BUILDROOT/measurements" +install -m 644 "provisioner/measurements.json" "$BUILDROOT/measurements.json" diff --git a/provisioner/provisioner.conf b/provisioner/provisioner.conf index 2a603e6..1a5ddb7 100644 --- a/provisioner/provisioner.conf +++ b/provisioner/provisioner.conf @@ -2,7 +2,7 @@ WithNetwork=true BuildScripts=provisioner/mkosi.build BuildPackages=ca-certificates - golang-go - git -Packages=cryptsetup + golang-go + git +Packages=ca-certificates PostInstallationScripts=provisioner/mkosi.postinst diff --git a/provisioner/provisioner.service b/provisioner/provisioner.service index cff155b..cc8c67d 100644 --- a/provisioner/provisioner.service +++ b/provisioner/provisioner.service @@ -7,7 +7,7 @@ Wants=network-setup.service Type=exec User=root Group=root -ExecStart=/usr/bin/provisioner --rpc-addr https://1rpc.io/sepolia --listen-addr localhost:8080 --simple-kms-seed 0000000000000000000000000000000000000000000000000000000000000000 --remote-attestation-provider http://ns31695324.ip-141-94-163.eu:10080 +ExecStart=/usr/bin/provisioner --rpc-addr https://1rpc.io/sepolia --listen-addr 127.0.0.1:8080 --simple-kms-seed 0000000000000000000000000000000000000000000000000000000000000000 --remote-attestation-provider http://ns31695324.ip-141-94-163.eu:10080 Restart=on-failure RestartSec=10 StandardOutput=journal diff --git a/provisioner/proxy-server.service b/provisioner/proxy-server.service index 22279fa..a0a83fb 100644 --- a/provisioner/proxy-server.service +++ b/provisioner/proxy-server.service 
@@ -7,7 +7,7 @@ Wants=provisioner.service
 Type=exec
 User=root
 Group=root
-ExecStart=/usr/bin/proxy-server --listen-addr 0.0.0.0:8079 --target-addr http://localhost:8080 --server-attestation-type dummy --dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080 --client-measurements /measurements.json
+ExecStart=/usr/bin/proxy-server --listen-addr 0.0.0.0:8079 --target-addr http://127.0.0.1:8080 --server-attestation-type dummy --dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080 --client-measurements /measurements.json
 Restart=on-failure
 RestartSec=10
 StandardOutput=journal
diff --git a/tdx-dummy.conf b/tdx-dummy.conf
index 7c86091..462dc4b 100644
--- a/tdx-dummy.conf
+++ b/tdx-dummy.conf
@@ -1,5 +1,4 @@
 [Config]
-Mirror=https://snapshot.debian.org/archive/debian/20250331T024311Z/
 Include=base/base.conf
 Include=tdx-dummy/tdx-dummy.conf
 Include=devtools/devtools.conf
From fd0245085de83f71a8a3c85391259920cf27ca66 Mon Sep 17 00:00:00 2001
From: Mateusz Morusiewicz <11313015+Ruteri@users.noreply.github.com>
Date: Thu, 10 Apr 2025 14:25:33 +0200
Subject: [PATCH 4/5] Updates autoprovisioner to use a regular contract and remote provisioning service
---
 autoprovision-test/autoprovision-test.conf | 1 +
 autoprovision-test/autoprovision.service | 2 +-
 autoprovision-test/mkosi.build | 1 +
 autoprovision-test/mkosi.postinst | 1 +
 autoprovision-test/proxy-client.service | 17 +++++++++++++++++
 5 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 autoprovision-test/proxy-client.service
diff --git a/autoprovision-test/autoprovision-test.conf b/autoprovision-test/autoprovision-test.conf
index 7db4f5b..301aea5 100644
--- a/autoprovision-test/autoprovision-test.conf
+++ b/autoprovision-test/autoprovision-test.conf
@@ -5,4 +5,5 @@ BuildPackages=ca-certificates
 golang-go
 git
 Packages=cryptsetup
+ ca-certificates
 PostInstallationScripts=autoprovision-test/mkosi.postinst
diff --git a/autoprovision-test/autoprovision.service b/autoprovision-test/autoprovision.service index 8483f87..4b0e146 100644 --- a/autoprovision-test/autoprovision.service +++ b/autoprovision-test/autoprovision.service @@ -7,7 +7,7 @@ Wants=network-setup.service Type=oneshot User=root Group=root -ExecStart=/usr/bin/autoprovision --app-contract 0000000000000000000000000000000000000000 --debug-local-provider --device-glob /dev/sda +ExecStart=/usr/bin/autoprovision --app-contract 0x05ED0BF33dd0c0D5a7292cec365de785322b8F04 --provisioning-server-addr http://127.0.0.1:8078 --device-glob /dev/sda StandardOutput=journal StandardError=journal diff --git a/autoprovision-test/mkosi.build b/autoprovision-test/mkosi.build index 32d8fb2..5e133eb 100755 --- a/autoprovision-test/mkosi.build +++ b/autoprovision-test/mkosi.build @@ -4,3 +4,4 @@ set -euxo pipefail source scripts/make_git_package.sh make_git_package "tee-service-provisioning-backend" "main" "https://github.com/Ruteri/tee-service-provisioning-backend" 'go build -trimpath -ldflags "-s -w -buildid= " -v -o ./build/autoprovision ./instanceutils/autoprovision' "build/autoprovision:/usr/bin/autoprovision" +make_git_package "cvm-reverse-proxy" "remote-tdx-provider" "https://github.com/flashbots/cvm-reverse-proxy" "make build-proxy-client" "build/proxy-client:/usr/bin/proxy-client" diff --git a/autoprovision-test/mkosi.postinst b/autoprovision-test/mkosi.postinst index 351d6ab..a445130 100755 --- a/autoprovision-test/mkosi.postinst +++ b/autoprovision-test/mkosi.postinst @@ -6,3 +6,4 @@ SERVICE_DIR="$BUILDROOT/etc/systemd/system" mkdir -p "$SERVICE_DIR" install -m 644 "autoprovision-test/autoprovision.service" "$SERVICE_DIR/" +install -m 644 "provisioner/proxy-client.service" "$SERVICE_DIR/" diff --git a/autoprovision-test/proxy-client.service b/autoprovision-test/proxy-client.service new file mode 100644 index 0000000..18634a3 --- /dev/null +++ b/autoprovision-test/proxy-client.service 
@@ -0,0 +1,17 @@ +[Unit] +Description=Provisioner client CVM Proxy +After=provisioner.service +Wants=provisioner.service + +[Service] +Type=exec +User=root +Group=root +ExecStart=/usr/bin/proxy-client --listen-addr 127.0.0.1:8078 --target-addr http://ns31695324.ip-141-94-163.eu:10079 --client-attestation-type dummy --dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080 +Restart=on-failure +RestartSec=10 +StandardOutput=journal +StandardError=journal + +[Install] +WantedBy=minimal.target From e53f333cd0c95076e91d7b352ba8f7a9d2603a9c Mon Sep 17 00:00:00 2001 From: Mateusz Morusiewicz <11313015+Ruteri@users.noreply.github.com> Date: Thu, 10 Apr 2025 14:52:40 +0200 Subject: [PATCH 5/5] Adjustments --- autoprovision-test/autoprovision.service | 4 ++-- autoprovision-test/mkosi.build | 2 +- autoprovision-test/mkosi.postinst | 2 +- autoprovision-test/proxy-client.service | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/autoprovision-test/autoprovision.service b/autoprovision-test/autoprovision.service index 4b0e146..372b3ae 100644 --- a/autoprovision-test/autoprovision.service +++ b/autoprovision-test/autoprovision.service @@ -1,7 +1,7 @@ [Unit] Description=Autoprovisioner -After=network-setup.service -Wants=network-setup.service +After=proxy-client.service +Wants=proxy-client.service [Service] Type=oneshot diff --git a/autoprovision-test/mkosi.build b/autoprovision-test/mkosi.build index 5e133eb..0661239 100755 --- a/autoprovision-test/mkosi.build +++ b/autoprovision-test/mkosi.build 
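Review bot: `User=root` and `Group=root` in proxy-client.service are not needed for anything visible in this unit: the proxy listens on the unprivileged port 8078 on loopback and otherwise only makes outbound connections. Running it under a dedicated account or with `DynamicUser=yes`, plus `NoNewPrivileges=yes` and `ProtectSystem=strict`, would limit what a compromise of this network-facing process can reach, assuming the binary needs no privileged device access for the attestation types used outside of dummy mode. The same holds for provisioner.service and proxy-server.service from patch 2, which listen on ports 8080 and 8079.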
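Review bot: `After=proxy-client.service` in autoprovision.service does not guarantee that the proxy is accepting connections, because proxy-client is `Type=exec` and systemd treats it as started once the binary has been executed, not once it listens on 127.0.0.1:8078. autoprovision is `Type=oneshot` with no restart policy, so if it connects before the listener is up and does not retry internally (not visible here), provisioning fails once and stays failed. If a re-run of autoprovision is safe, adding `Restart=on-failure` and `RestartSec=5` to the [Service] section (supported for oneshot units from systemd 244) would cover the race. The [Service] section continues past the end of this hunk.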
@@ -3,5 +3,5 @@ set -euxo pipefail source scripts/make_git_package.sh -make_git_package "tee-service-provisioning-backend" "main" "https://github.com/Ruteri/tee-service-provisioning-backend" 'go build -trimpath -ldflags "-s -w -buildid= " -v -o ./build/autoprovision ./instanceutils/autoprovision' "build/autoprovision:/usr/bin/autoprovision" +make_git_package "tee-service-provisioning-backend" "autoprovision-test" "https://github.com/Ruteri/tee-service-provisioning-backend" 'go build -trimpath -ldflags "-s -w -buildid= " -v -o ./build/autoprovision ./instanceutils/autoprovision' "build/autoprovision:/usr/bin/autoprovision" make_git_package "cvm-reverse-proxy" "remote-tdx-provider" "https://github.com/flashbots/cvm-reverse-proxy" "make build-proxy-client" "build/proxy-client:/usr/bin/proxy-client" diff --git a/autoprovision-test/mkosi.postinst b/autoprovision-test/mkosi.postinst index a445130..7520dcc 100755 --- a/autoprovision-test/mkosi.postinst +++ b/autoprovision-test/mkosi.postinst @@ -6,4 +6,4 @@ SERVICE_DIR="$BUILDROOT/etc/systemd/system" mkdir -p "$SERVICE_DIR" install -m 644 "autoprovision-test/autoprovision.service" "$SERVICE_DIR/" -install -m 644 "provisioner/proxy-client.service" "$SERVICE_DIR/" +install -m 644 "autoprovision-test/proxy-client.service" "$SERVICE_DIR/" diff --git a/autoprovision-test/proxy-client.service b/autoprovision-test/proxy-client.service index 18634a3..ed3dcc9 100644 --- a/autoprovision-test/proxy-client.service +++ b/autoprovision-test/proxy-client.service 
@@ -1,13 +1,13 @@ [Unit] Description=Provisioner client CVM Proxy -After=provisioner.service -Wants=provisioner.service +After=network-setup.service +Wants=network-setup.service [Service] Type=exec User=root Group=root -ExecStart=/usr/bin/proxy-client --listen-addr 127.0.0.1:8078 --target-addr http://ns31695324.ip-141-94-163.eu:10079 --client-attestation-type dummy --dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080 +ExecStart=/usr/bin/proxy-client --listen-addr 127.0.0.1:8078 --target-addr https://ns31695324.ip-141-94-163.eu:10079 --client-attestation-type dummy --dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080 Restart=on-failure RestartSec=10 StandardOutput=journal
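Review bot: The switch of `--target-addr` to `https://` leaves `--dev-dummy-dcap http://ns31695324.ip-141-94-163.eu:10080` on the same ExecStart line in plaintext, so the attestation material the client presents is still fetched over an unauthenticated channel. If that endpoint offers TLS, use `https://` there too; if not, a unit comment such as `# DEV ONLY: dummy DCAP provider over plain HTTP` would make the limitation explicit. How proxy-client validates the certificate of the new https target (system CA store or attestation-bound) is not visible in this hunk, and the rest of the unit after StandardOutput lies outside it.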