This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
blobs: Update linuxkit binaries to version based on v1.2.0
The linuxkit blobs provided as part of this repository have been a sore point with regard to how these are built and where they come from. This updates them to a new version that is based on top of the latest upstream release v1.2.0 and can be reproducibly built from aws-nitro-enclaves-sdk-bootstrap d55087f7f405 [0].

With the update linuxkit has changed the format of its command line options from the -<option> format to the --<option> format. Further, linuxkit introduced functionality to add an SBOM file with non-deterministic unique IDs, which breaks our image reproducibility. Pass `--no-sbom` to disable that SBOM creation.

The patches we carry on top of that upstream release are now available through the aws-nitro-enclaves-sdk-bootstrap package, which now also provides a way to reproducibly build these binaries using nix.

With the update we have cleaned up our downstream patches, which entail some changes on how we invoke linuxkit:

1) The downstream `prefix` functionality has been moved into the configuration yaml files instead of having it as a CLI option.
2) We use a new output type `kernel+initrd-nogz` which produces the initrd with cpio instead of the standard cpio.gz.

As we have always had functionally similar patches on top of upstream linuxkit there are no functional changes.

[0] aws/aws-nitro-enclaves-sdk-bootstrap@d55087f7f405

Signed-off-by: Leonard Foerster <[email protected]>