Skip to content

Commit

Permalink
Add Cloud Build configs for releasing the recovery tool.
Browse files Browse the repository at this point in the history
  • Loading branch information
jiggoha committed Dec 19, 2023
1 parent 0e05eea commit 267fcc7
Show file tree
Hide file tree
Showing 3 changed files with 234 additions and 1 deletion.
39 changes: 38 additions & 1 deletion recovery/README.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,47 @@
# Recovery

The Dockerfile in this directory is used for building an image to be used as a
recovery/provisioning tool for the armored witness.
recovery/provisioning tool for the Armored Witness.

We currently use the firmware in the github.com/usbarmory/armory-ums repo as
the recovery tool.

While that repo does offer prebuilt binary releases, we rebuild from scratch
here so we can be sure about which TamaGo toolchain version is used, etc.

## Build and Release Process

A
[Cloud Build trigger](https://cloud.google.com/build/docs/automating-builds/create-manage-triggers)
is defined by a yaml config file. The Transparency.dev team invokes it manually
when we want to publish a release.

The pipeline includes two main steps: building and making available the recovery
tool files, and writing the release metadata (Claimant Model Statement) to the
firmware transparency log.

1. Cloud Build builds the recovery builder Docker image and copies the compiled
recovery imx file to a public Google Cloud Storage bucket.
1. Cloud Build runs the
[`manifest`](https://github.com/transparency-dev/armored-witness/tree/main/cmd/manifest)
tool to construct the Claimant Model Statement with arguments specific to
this release. It signs the Statement with the
[`sign`](https://github.com/transparency-dev/armored-witness/tree/main/cmd/sign)
tool and adds the resulting signed Statement as an entry to the public
firmware transparency log.

TODO: add links for the GCS buckets once public.

## Claimant Model

| Role | Description |
| ----------- | ----------- |
| **Claimant** | Transparency.dev team |
| **Claim** | <ol><li>The digest of the recovery tool is derived from this source Github repository, and is reproducible.</li><li>The recovery tool is issued by the Transparency.dev team.</li></ol> |
| **Believer** | Armored Witness devices |
| **Verifier** | <ol><li>For Claim #1: third party auditing the Transparency.dev team</li><li>For Claim #2: the Transparency.dev team</li></ol> |
| **Arbiter** | Log ecosystem participants and reliers |

The **Statement** is defined in [api/log_entries.go](api/log_entries.go).
An example is available at
[api/example_firmware_release.json](api/example_firmware_release.json).
125 changes: 125 additions & 0 deletions recovery/cloudbuild_ci.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
steps:
### Build the recovery binary and upload it to GCS.
# Build an image containing the trusted applet artifacts with the Dockerfile.
- name: gcr.io/cloud-builders/docker
args:
- build
- --build-arg
- TAMAGO_VERSION=${_TAMAGO_VERSION}
- --build-arg
- ARMORY_UMS_VERSION=${_ARMORY_UMS_VERSION}
- -t
- builder-image
- recovery
# Prepare a container with a copy of the artifacts.
- name: gcr.io/cloud-builders/docker
args:
- create
- --name
- builder_scratch
- builder-image
# Copy the artifacts from the container to the Cloud Build VM.
- name: gcr.io/cloud-builders/docker
args:
- cp
- builder_scratch:/build/armory-ums
- output
# List the artifacts.
- name: bash
args:
- ls
- output
# Copy the artifacts from the Cloud Build VM to GCS.
- name: gcr.io/cloud-builders/gcloud
entrypoint: bash
args:
- -c
- |
gcloud storage cp \
output/armory-ums.imx \
gs://${_FIRMWARE_BUCKET}/$(sha256sum output/armory-ums.imx | cut -f1 -d" ")
### Construct log entry / Claimant Model statement.
# This step needs to be a bash script in order to substitute the fake take
# in the command args.
- name: golang
entrypoint: bash
args:
- -c
- |
go run github.com/transparency-dev/armored-witness/cmd/manifest@${_ARMORED_WITNESS_REPO_VERSION} \
create \
--git_tag=${_MANUAL_TAG} \
--git_commit_fingerprint=$(cat output/armory-ums.imx.git-commit) \
--firmware_file=output/armory-ums.imx \
--firmware_type=RECOVERY \
--tamago_version=${_TAMAGO_VERSION} \
--raw \
--output_file=output/recovery_manifest_unsigned.json
# Sign the log entry.
- name: golang
args:
- go
- run
- github.com/transparency-dev/armored-witness/cmd/sign@${_ARMORED_WITNESS_REPO_VERSION}
- --project_name=${PROJECT_ID}
- --release=ci
- --artefact=recovery
- --manifest_file=output/recovery_manifest_unsigned.json
- --output_file=output/recovery_manifest
# Print the content of the signed manifest.
- name: bash
args:
- cat
- output/recovery_manifest
### Write the firmware release to the transparency log.
# Copy the log entry to the sequence bucket, preparing to write to log.
#
# Use the SHA256 of the manifest as the directory to contain the entry that
# this trigger instance is trying to add to the log. This allows multiple
# triggers to run without colliding.
- name: gcr.io/cloud-builders/gcloud
entrypoint: bash
args:
- -c
- |
gcloud storage cp output/recovery_manifest \
gs://${_LOG_NAME}/$(sha256sum output/recovery_manifest | cut -f1 -d" ")/recovery_manifest
# Sequence log entry.
- name: gcr.io/cloud-builders/gcloud
entrypoint: bash
args:
- -c
- |
gcloud functions call sequence \
--data "{\"entriesDir\": \"$(sha256sum output/recovery_manifest | cut -f1 -d" ")\", \"origin\": \"${_ORIGIN}\", \"bucket\": \"${_LOG_NAME}\", \"kmsKeyName\": \"ft-log-ci\", \"kmsKeyRing\": \"firmware-release-ci\", \"kmsKeyVersion\": ${_KEY_VERSION}, \"kmsKeyLocation\": \"global\", \"noteKeyName\": \"transparency.dev-aw-ftlog-ci\", \"checkpointCacheControl\": \"${_CHECKPOINT_CACHE}\"}"
# Integrate log entry.
- name: gcr.io/cloud-builders/gcloud
args:
- functions
- call
- integrate
- --data
- >-
{
"origin": "${_ORIGIN}",
"bucket": "${_LOG_NAME}",
"kmsKeyName": "ft-log-ci",
"kmsKeyRing": "firmware-release-ci",
"kmsKeyVersion": ${_KEY_VERSION},
"kmsKeyLocation": "global",
"noteKeyName": "transparency.dev-aw-ftlog-ci",
"checkpointCacheControl": "${_CHECKPOINT_CACHE}"
}
substitutions:
# Build-related.
_ARMORY_UMS_VERSION: v20231018
_FIRMWARE_BUCKET: armored-witness-firmware-ci-1
_MANUAL_TAG: 0.0.0
_TAMAGO_VERSION: '1.21.3'
# Log-related.
_ARMORED_WITNESS_REPO_VERSION: d37d6b19ec4dbd1cad3586ae8ba3ec913829d718
# This must correspond with the trailing number on the _FIRMWARE_BUCKET, _ORIGIN, _LOG_NAME values.
_KEY_VERSION: '1'
_LOG_NAME: armored-witness-firmware-log-ci-1
_ORIGIN: transparency.dev/armored-witness/firmware_transparency/ci/1
_CHECKPOINT_CACHE: 'public, max-age=30'
71 changes: 71 additions & 0 deletions recovery/cloudbuild_presubmit.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
steps:
### Build the recovery binary and upload it to GCS.
# Build an image containing the trusted applet artifacts with the Dockerfile.
- name: gcr.io/cloud-builders/docker
args:
- build
- --build-arg
- TAMAGO_VERSION=${_TAMAGO_VERSION}
- --build-arg
- ARMORY_UMS_VERSION=${_ARMORY_UMS_VERSION}
- -t
- builder-image
- recovery
# Prepare a container with a copy of the artifacts.
- name: gcr.io/cloud-builders/docker
args:
- create
- --name
- builder_scratch
- builder-image
# Copy the artifacts from the container to the Cloud Build VM.
- name: gcr.io/cloud-builders/docker
args:
- cp
- builder_scratch:/build/armory-ums
- output
# List the artifacts.
- name: bash
args:
- ls
- output
### Construct log entry / Claimant Model statement.
# This step needs to be a bash script in order to substitute the fake take
# in the command args.
- name: golang
entrypoint: bash
args:
- -c
- |
go run github.com/transparency-dev/armored-witness/cmd/manifest@${_ARMORED_WITNESS_REPO_VERSION} \
create \
--git_tag=${_MANUAL_TAG} \
--git_commit_fingerprint=$(cat output/armory-ums.imx.git-commit) \
--firmware_file=output/armory-ums.imx \
--firmware_type=RECOVERY \
--tamago_version=${_TAMAGO_VERSION} \
--raw \
--output_file=output/recovery_manifest_unsigned.json
# Sign the log entry.
- name: golang
args:
- go
- run
- github.com/transparency-dev/armored-witness/cmd/sign@${_ARMORED_WITNESS_REPO_VERSION}
- --project_name=${PROJECT_ID}
- --release=ci
- --artefact=recovery
- --manifest_file=output/recovery_manifest_unsigned.json
- --output_file=output/recovery_manifest
# Print the content of the signed manifest.
- name: bash
args:
- cat
- output/recovery_manifest
substitutions:
# Build-related.
_ARMORY_UMS_VERSION: v20231018
_MANUAL_TAG: 0.0.0
_TAMAGO_VERSION: '1.21.3'
# Log-related.
_ARMORED_WITNESS_REPO_VERSION: d37d6b19ec4dbd1cad3586ae8ba3ec913829d718

0 comments on commit 267fcc7

Please sign in to comment.