From 7788160cbbb86862d659405325b444b488ccdbd1 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 28 Nov 2023 09:27:36 -0500
Subject: [PATCH 1/3] internal/mkcw/embed/entrypoint.gz: compress with -n9

Compress the unencrypted entry point binary for confidential workload images using gzip's `-n` flag, to omit the original file's timestamp from the compressed copy. Add a -f and -9 to always overwrite the output file and sacrifice speed to shave off a few more bytes.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 0fda9ae6eb..3d2d9a76d6 100644
--- a/Makefile
+++ b/Makefile
@@ -75,7 +75,7 @@ bin/buildah: $(SOURCES) cmd/buildah/*.go internal/mkcw/embed/entrypoint.gz
 ifneq ($(shell as --version | grep x86_64),)
 internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
 	$(RM) $@
-	gzip -k $^
+	gzip -k9nf $^
 
 internal/mkcw/embed/entrypoint: internal/mkcw/embed/entrypoint.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^

From 3b795dd4bca9b757d4f6bbaa63f6816799b6cd28 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 27 Nov 2023 15:22:52 -0500
Subject: [PATCH 2/3] internal/mkcw/embed/entrypoint.gz: rename to include the arch

Include the arch in the name of the static entrypoint binary, in case we find ourselves needing to support other architectures in the same area in the future.

Signed-off-by: Nalin Dahyabhai
---
 Makefile | 7 +++----
 .../embed/{entrypoint.gz => entrypoint_amd64.gz} | Bin
 .../mkcw/embed/{entrypoint.s => entrypoint_amd64.s} | 12 ++++++------
 internal/mkcw/entrypoint.go | 2 +-
 4 files changed, 10 insertions(+), 11 deletions(-)
 rename internal/mkcw/embed/{entrypoint.gz => entrypoint_amd64.gz} (100%)
 rename internal/mkcw/embed/{entrypoint.s => entrypoint_amd64.s} (62%)

diff --git a/Makefile b/Makefile
index 3d2d9a76d6..7a521601bd 100644
--- a/Makefile
+++ b/Makefile
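Review bot: The new `gzip -k9nf $^` line still leaves the output under gzip's implicit name rather than writing `$@`, so the rule's target and the file it actually produces agree only by naming convention; writing the stream explicitly, `gzip -9nc $^ > $@`, makes the recipe produce exactly `$@`, after which neither `-k`/`-f` nor the `$(RM) $@` step above it is needed. `-n` is the right choice for an artifact that is committed as a binary blob and embedded into the buildah binary: with the original name and mtime omitted, the blob depends only on the input bytes and the gzip build, so a reviewer can regenerate it with `make` and compare it byte-for-byte against the committed copy. The rule sits inside an `ifneq` on the host assembler whose `endif` is outside the hunk.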
@@ -69,15 +69,14 @@ static:
 	mkdir -p ./bin
 	cp -rfp ./result/bin/* ./bin/
 
-bin/buildah: $(SOURCES) cmd/buildah/*.go internal/mkcw/embed/entrypoint.gz
+bin/buildah: $(SOURCES) cmd/buildah/*.go internal/mkcw/embed/entrypoint_amd64.gz
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) $(GO_GCFLAGS) "$(GOGCFLAGS)" -o $@ $(BUILDFLAGS) ./cmd/buildah
 
 ifneq ($(shell as --version | grep x86_64),)
-internal/mkcw/embed/entrypoint.gz: internal/mkcw/embed/entrypoint
-	$(RM) $@
+internal/mkcw/embed/entrypoint_amd64.gz: internal/mkcw/embed/entrypoint_amd64
 	gzip -k9nf $^
 
-internal/mkcw/embed/entrypoint: internal/mkcw/embed/entrypoint.s
+internal/mkcw/embed/entrypoint_amd64: internal/mkcw/embed/entrypoint_amd64.s
 	$(AS) -o $(patsubst %.s,%.o,$^) $^
 	$(LD) -o $@ $(patsubst %.s,%.o,$^)
 	strip $@
diff --git a/internal/mkcw/embed/entrypoint.gz b/internal/mkcw/embed/entrypoint_amd64.gz
similarity index 100%
rename from internal/mkcw/embed/entrypoint.gz
rename to internal/mkcw/embed/entrypoint_amd64.gz
diff --git a/internal/mkcw/embed/entrypoint.s b/internal/mkcw/embed/entrypoint_amd64.s
similarity index 62%
rename from internal/mkcw/embed/entrypoint.s
rename to internal/mkcw/embed/entrypoint_amd64.s
index 0e4429cfb4..8af880cd5b 100644
--- a/internal/mkcw/embed/entrypoint.s
+++ b/internal/mkcw/embed/entrypoint_amd64.s
@@ -5,12 +5,12 @@ msg:
 .globl _start
 .type _start,@function
 _start:
-	movq $1, %rax # write
-	movq $2, %rdi # fd=stderr_fileno
-	movq $msg, %rsi # message
-	movq $75, %rdx # length
+	movq $1, %rax # write
+	movq $2, %rdi # fd=stderr_fileno
+	movq $msg, %rsi # message
+	movq $75, %rdx # length
 	syscall
-	movq $60, %rax # exit
-	movq $1, %rdi # status=1
+	movq $60, %rax # exit
+	movq $1, %rdi # status=1
 	syscall
 .section .note.GNU-stack,"",@progbits
diff --git a/internal/mkcw/entrypoint.go b/internal/mkcw/entrypoint.go
index d720321685..c69a4a3406 100644
--- a/internal/mkcw/entrypoint.go
+++ b/internal/mkcw/entrypoint.go
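Review bot: The two renamed rule headers hard-code `amd64` even though the commit's stated motivation is supporting further architectures; a pair of pattern rules, `internal/mkcw/embed/entrypoint_%.gz: internal/mkcw/embed/entrypoint_%` and `internal/mkcw/embed/entrypoint_%: internal/mkcw/embed/entrypoint_%.s`, would let a second arch be added by dropping in a new `.s` file alone. The `ifneq ($(shell as --version | grep x86_64),)` guard enclosing both rules is still specific to the host assembler being x86_64, so any per-arch generalization would need that guard to become per-arch as well (or the assembler to be invoked as a cross tool); its `endif` lies outside the hunk. Note also that `bin/buildah` now depends on `entrypoint_amd64.gz` unconditionally while the rule that rebuilds it exists only inside the guard, so on a non-x86_64 host the build uses whatever committed blob is present without checking it against the `.s` source — a one-line comment on the `bin/buildah` prerequisite saying so would stop that being mistaken for a bug.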
@@ -2,5 +2,5 @@ package mkcw
 
 import _ "embed"
 
-//go:embed "embed/entrypoint.gz"
+//go:embed "embed/entrypoint_amd64.gz"
 var entrypointCompressedBytes []byte

From 1f9103562b7c56d9a4d339a309f48e296a3cfbe9 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 28 Nov 2023 10:57:20 -0500
Subject: [PATCH 3/3] run.bats: use --quiet --pull=false when using a prefetched image

When creating a container using a prefetched image, use --quiet and --pull=false for the pair of tests which didn't, bringing them in line with the rest of the tests in the file.

Signed-off-by: Nalin Dahyabhai
---
 tests/run.bats | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/run.bats b/tests/run.bats
index e20d881323..dc40c081fe 100644
--- a/tests/run.bats
+++ b/tests/run.bats
@@ -371,7 +371,7 @@ function configure_and_check_user() {
 
   # Create the container.
   _prefetch alpine
-  run_buildah from $WITH_POLICY_JSON alpine
+  run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
   ctr="$output"
 
   # Test user can create file in the mounted volume.
@@ -387,7 +387,7 @@ function configure_and_check_user() {
 
   # Create the container.
   _prefetch alpine
-  run_buildah from $WITH_POLICY_JSON alpine
+  run_buildah from --quiet --pull=false $WITH_POLICY_JSON alpine
   ctr="$output"
 
   # Run with uid:gid 1000:1000 and verify if gid is present in additional groups
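Review bot: The embed directive now names an amd64-specific artifact, but the file carries no build constraint, so the same amd64 entrypoint is compiled into buildah for every GOARCH. If that is deliberate — presumably the entrypoint executes inside the confidential guest rather than on the build host, which the hunk alone cannot confirm — a comment above the directive should say so, e.g. `// The amd64 entrypoint is embedded regardless of GOARCH: it runs inside the guest image, not on the host.`; if it is not, the directive belongs in a per-arch file guarded by `//go:build amd64`. The `var entrypointCompressedBytes []byte` declaration would also benefit from a doc comment stating that it holds the gzip-compressed entrypoint blob produced by the Makefile rule, which the name implies but nothing documents.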