Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RFC] td-shim release tagging process #502

Open
jyao1 opened this issue Jan 18, 2023 · 5 comments
Open

[RFC] td-shim release tagging process #502

jyao1 opened this issue Jan 18, 2023 · 5 comments
Assignees

Comments

@jyao1
Copy link
Member

jyao1 commented Jan 18, 2023

Hi I would like to discuss td-shim release tagging process.

[Background & requirement]
Ideally, we need to support reproducible build for td-shim.
It means: For a release image + same build environment (compiler + toolchain), we can reproduce same binary at any time and on any system.

Reference: #256

[Problem]
Currently, we do have release tag - which indicates the source code version of td-shim.
But we do not have cargo.lock - that means: Even with same source code, we might not be able to reproduce same binary, because the dependency crate might be upgraded.
That breaks the rule.

Reference: https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html

Cargo.lock can be used to lock the version. However, we do want to keep using the latest crate to bug fix, or security fix.
We may consider putting Cargo.lock for the project, if we treat Td-Shim as an end project.
But if we want to treat Td-Payload as an end project, the locking td-shim is not a good idea.

Reference: https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries

[Possible Solution]
When we create a release for td-shim, we also create the release specific cargo.lock. That can deterministically reproduce the same release image.

@fidencio
Copy link
Member

We must consider pinning a version of llvm, llvm-ar, and nasm as well.

One possible way to do so is providing a container image, which could be updated on every change of some parts of the project*, and also provide this container image as part of the tagging process.

Changes to track:

  • Cargo.toml
  • Cargo.lock
  • Toolchain

This process could be fully automated via GitHub actions, as we already do something similar for Kata Containers, and users would be able to use this whenever they "recreate" the build.

@jyao1
Copy link
Member Author

jyao1 commented Jan 18, 2023

@fidencio , sounds great. May I assign this to you?

@fidencio fidencio self-assigned this Jan 20, 2023
@fidencio
Copy link
Member

@fidencio , sounds great. May I assign this to you?

I just did, thanks!

@dimakuv
Copy link

dimakuv commented Nov 8, 2023

@jyao1 @fidencio Could you elaborate on the status of reproducible builds with TD-Shim?

If reproducible builds are implemented, does this apply to TD-Shim + payloads? In the TDX Migration TD Design Guide document, there is a section on Reproducibility, but it doesn't contain any specific information on whether it is truly supported and how to achieve it exactly (what are the steps to take).

I mention TDX Migration TD simply because IIUC it is TD-Shim + payload, similar to my case.

@jyao1
Copy link
Member Author

jyao1 commented Nov 8, 2023

Currently, td-shim supports reproducible build with same user id.

Currently, we use docker - see #605.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants