Ensure necessary embed strings are present for each target (#105)

transparency-dev · Dec 12, 2023 · 3d749d3 · 3d749d3
1 parent d2887f6
commit 3d749d3
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 18 deletions.
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
@@ -12,6 +12,9 @@ jobs:
       TAMAGO: /usr/local/tamago-go/bin/go
       APPLET_PRIVATE_KEY: /tmp/applet.sec
       APPLET_PUBLIC_KEY: /tmp/applet.pub
+      LOG_ORIGIN: TEST-LOG
+      LOG_PRIVATE_KEY: /tmp/log.sec
+      LOG_PUBLIC_KEY: /tmp/log.pub
       OS_PRIVATE_KEY1: /tmp/os1.sec
       OS_PUBLIC_KEY1: /tmp/os1.pub
       OS_PRIVATE_KEY2: /tmp/os2.sec
@@ -31,6 +34,7 @@ jobs:
     - name: Create throwaway keys & fake embed
       run: |
         go run github.com/transparency-dev/serverless-log/cmd/generate_keys@14ed652b57527bb17e065e921eb0fcce3cbc8a49 --key_name="TEST-APPLET" --out_priv=${APPLET_PRIVATE_KEY} --out_pub=${APPLET_PUBLIC_KEY}
+        go run github.com/transparency-dev/serverless-log/cmd/generate_keys@14ed652b57527bb17e065e921eb0fcce3cbc8a49 --key_name="TEST-LOG" --out_priv=${LOG_PRIVATE_KEY} --out_pub=${LOG_PUBLIC_KEY}
         go run github.com/transparency-dev/serverless-log/cmd/generate_keys@14ed652b57527bb17e065e921eb0fcce3cbc8a49 --key_name="TEST-OS-1" --out_priv=${OS_PRIVATE_KEY1} --out_pub=${OS_PUBLIC_KEY1}
         go run github.com/transparency-dev/serverless-log/cmd/generate_keys@14ed652b57527bb17e065e921eb0fcce3cbc8a49 --key_name="TEST-OS-2" --out_priv=${OS_PRIVATE_KEY2} --out_pub=${OS_PUBLIC_KEY2}
     - name: Make

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 FROM golang:1.21-bookworm
 
 ARG TAMAGO_VERSION
-ARG FT_LOG_ORIGIN
+ARG LOG_ORIGIN
 ARG LOG_PUBLIC_KEY
 ARG APPLET_PUBLIC_KEY
 ARG GIT_SEMVER_TAG
@@ -19,7 +19,7 @@ WORKDIR /build
 COPY . .
 
 # Firmware transparency parameters for output binary.
-ENV FT_LOG_ORIGIN=${FT_LOG_ORIGIN} \
+ENV LOG_ORIGIN=${LOG_ORIGIN} \
     LOG_PUBLIC_KEY=${LOG_PUBLIC_KEY} \
     APPLET_PUBLIC_KEY=${APPLET_PUBLIC_KEY} \
     GIT_SEMVER_TAG=${GIT_SEMVER_TAG}

diff --git a/Makefile b/Makefile
@@ -19,7 +19,6 @@ BUILD_EPOCH := $(shell /bin/date -u "+%s")
 BUILD_TAGS = linkramsize,linkramstart,disable_fr_auth,linkprintk
 BUILD = ${BUILD_USER}@${BUILD_HOST} on ${BUILD_DATE}
 REV = $(shell git rev-parse --short HEAD 2> /dev/null)
-LOG_ORIGIN ?= "DEV.armoredwitness.transparency.dev/${USER}"
 GIT_SEMVER_TAG ?= $(shell (git describe --tags --exact-match --match 'v*.*.*' 2>/dev/null || git describe --match 'v*.*.*' --tags 2>/dev/null || git describe --tags 2>/dev/null || echo -n v0.0.${BUILD_EPOCH}+`git rev-parse HEAD`) | tail -c +2 )
 
 PROTOC ?= /usr/bin/protoc
@@ -69,11 +68,11 @@ all: trusted_os_embedded_applet witnessctl
 # change in development and require re-compilation of protos.
 trusted_os: APP=trusted_os
 trusted_os: DIR=$(CURDIR)/trusted_os
-trusted_os: create_dummy_applet proto elf manifest
+trusted_os: check_embed_env create_dummy_applet proto elf manifest
 
 trusted_os_embedded_applet: APP=trusted_os
 trusted_os_embedded_applet: DIR=$(CURDIR)/trusted_os
-trusted_os_embedded_applet: check_os_env copy_applet proto elf manifest imx
+trusted_os_embedded_applet: check_embed_env copy_applet proto elf manifest imx
 trusted_os_embedded_applet:
 
 witnessctl: check_tamago
@@ -86,7 +85,7 @@ witnessctl: check_tamago
 # used by the GCP build process and signed there.
 trusted_os_release: APP=trusted_os
 trusted_os_release: DIR=$(CURDIR)/trusted_os
-trusted_os_release: create_dummy_applet elf 
+trusted_os_release: check_embed_env create_dummy_applet elf
 
 ## Targets for managing a local serverless log instance for dev/testing FT related bits.
 
@@ -106,11 +105,11 @@ log_os: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
 log_os: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/bin/trusted_os.elf | cut -f1 -d" ")
 log_os:
 	@if [ "${LOG_PRIVATE_KEY}" == "" -o "${LOG_PUBLIC_KEY}" == "" ]; then \
-		@echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
+		echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
 		exit 1; \
 	fi
 	@if [ "${DEV_LOG_DIR}" == "" ]; then \
-		@echo "You need to set the DEV_LOG_DIR variable"; \
+		echo "You need to set the DEV_LOG_DIR variable"; \
 		exit 1; \
 	fi
 
@@ -165,26 +164,27 @@ $(APP).dcd: dcd
 
 #### utilities ####
 
-check_os_env:
-	@if [ "${OS_PRIVATE_KEY1}" == "" ] || [ ! -f "${OS_PRIVATE_KEY1}" ]; then \
-		echo 'You need to set the OS_PRIVATE_KEY1 variable to a valid signing key path'; \
+# Various strings need to be embedded into the binary, keys, log info, etc. check they are present.
+check_embed_env:
+	@if [ "${LOG_ORIGIN}" == "" ]; then \
+		echo 'You need to set the LOG_ORIGIN variable'; \
 		exit 1; \
 	fi
-	@if [ "${OS_PRIVATE_KEY2}" == "" ] || [ ! -f "${OS_PRIVATE_KEY2}" ]; then \
-		echo 'You need to set the OS_PRIVATE_KEY2 variable to a valid signing key path'; \
+	@if [ "${LOG_PUBLIC_KEY}" == "" ] || [ ! -f "${LOG_PUBLIC_KEY}" ]; then \
+		echo 'You need to set the LOG_PUBLIC_KEY variable to a valid note verifier key path'; \
 		exit 1; \
 	fi
 	@if [ "${APPLET_PUBLIC_KEY}" == "" ] || [ ! -f "${APPLET_PUBLIC_KEY}" ]; then \
-		echo 'You need to set the APPLET_PUBLIC_KEY variable to a valid authentication key path'; \
+		echo 'You need to set the APPLET_PUBLIC_KEY variable to a valid note verifier key path'; \
 		exit 1; \
 	fi
+
+copy_applet: LOG_URL=file://$(DEV_LOG_DIR)/log/
+copy_applet:
 	@if [ "${APPLET_PATH}" == "" ]; then \
 		echo 'You need to set the APPLET_PATH variable to a valid path for the directory holding applet elf and proof bundle files (e.g. path to armored-witness-applet/bin)'; \
 		exit 1; \
 	fi
-
-copy_applet: LOG_URL=file://$(DEV_LOG_DIR)/log/
-copy_applet:
 	mkdir -p ${CURDIR}/trusted_os/assets
 	cp ${APPLET_PATH}/trusted_applet.elf ${CURDIR}/trusted_os/assets/
 	cp ${APPLET_PATH}/trusted_applet_manifest ${CURDIR}/trusted_os/assets/
@@ -232,6 +232,14 @@ $(APP).elf: check_tamago
 	cd $(DIR) && $(GOENV) $(TAMAGO) build -tags ${BUILD_TAGS} $(GOFLAGS) -o $(CURDIR)/bin/$(APP).elf
 
 $(APP)_manifest:
+	@if [ "${OS_PRIVATE_KEY1}" == "" ] || [ ! -f "${OS_PRIVATE_KEY1}" ]; then \
+		echo 'You need to set the OS_PRIVATE_KEY1 variable to a valid note signing key path'; \
+		exit 1; \
+	fi
+	@if [ "${OS_PRIVATE_KEY2}" == "" ] || [ ! -f "${OS_PRIVATE_KEY2}" ]; then \
+		echo 'You need to set the OS_PRIVATE_KEY2 variable to a valid note signing key path'; \
+		exit 1; \
+	fi
 	# Create manifest
 	@echo ---------- Manifest --------------
 	go run github.com/transparency-dev/armored-witness/cmd/manifest@228f2f6432babe1f1657e150ce0ca4a96ab394da \

diff --git a/release/cloudbuild_ci.yaml b/release/cloudbuild_ci.yaml
@@ -18,7 +18,7 @@ steps:
       - |
         docker build \
           --build-arg=TAMAGO_VERSION=${_TAMAGO_VERSION} \
-          --build-arg=FT_LOG_ORIGIN=${_ORIGIN} \
+          --build-arg=LOG_ORIGIN=${_ORIGIN} \
           --build-arg=LOG_PUBLIC_KEY=${_LOG_PUBLIC_KEY} \
           --build-arg=APPLET_PUBLIC_KEY=${_APPLET_PUBLIC_KEY} \
           --build-arg=GIT_SEMVER_TAG=$(cat /workspace/fake_tag) \