# Tooling stage: its whole filesystem is copied into build-eif below, which is
# where the `eif_build` binary invoked at the end of that stage comes from.
# Pinned by tag and digest so the EIF builder itself is reproducible.
FROM stagex/eif_build:0.2.2@sha256:291653f1ca528af48fd05858749c443300f6b24d2ffefa7f5a3a06c27c774566 AS eif_build
# Tooling stage: supplies `gen_init_cpio`, used in build-eif to pack the
# initramfs manifest into rootfs.cpio. Pinned by tag and digest.
FROM stagex/gen_initramfs:6.8@sha256:f5b9271cca6003e952cbbb9ef041ffa92ba328894f563d1d77942e6b5cdeac1a AS gen_initramfs
# NB(scm): reverted to the old linux-nitro on the recommendation from Lance:
# the latest linux kernel crashes the nitro enclave.
#FROM stagex/linux-nitro:5.19.6@sha256:e6c8a861f9b18edfad56b1aa130feb822a25987c71e2b2932b020750dd7325bc AS linux-nitro
# Kernel stage: build-eif copies three artifacts out of it — /nsm.ko (the
# Nitro Security Module driver that goes into the initramfs), /bzImage and
# /linux.config (kernel and config handed to eif_build). Pinned by digest so a
# silent kernel change cannot alter the enclave's measurements.
FROM stagex/linux-nitro:sx2024.03.0@sha256:073c4603686e3bdc0ed6755fee3203f6f6f1512e0ded09eaea8866b002b04264 AS linux-nitro
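# Common Rust build environment. It is never the final image; build-init and
# build-eif both start FROM it, which is why the settings below are ENV rather
# than ARG (ARG values do not survive a `FROM <stage>`).
FROM ghcr.io/tkhq/base/rust:sha-2f7790d638553221661f477c8c61abef36af00d4@sha256:f35ee463ce91ac8108e5fc2b400a7ca36ff9ecffffd7a8ed02f63a8cdd9344d9 AS build
# Plain copy of the build context. COPY rather than ADD: for a local directory
# the result is identical, but ADD would also auto-extract archives and accept
# URLs (hadolint DL3020). A .dockerignore (not visible here) should keep .git,
# target/ and any local env files out of the context.
COPY . /src/
# Build for the musl target with a locked Cargo.lock and release profile.
ENV CARGOFLAGS='--target x86_64-unknown-linux-musl --locked --release'
# Keep cargo's registry/git caches under /tmp/rust instead of $HOME.
ENV CARGO_HOME=/tmp/rust
# Statically link the C runtime so the produced binary has no dynamic deps
# (checked later with `file /init | grep static-pie`).
ENV RUSTFLAGS='-C target-feature=+crt-static'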
# Compile the enclave's PID 1 (`init`) and verify it is fully static.
FROM build AS build-init
WORKDIR /src
# CARGOFLAGS / RUSTFLAGS are inherited from the build stage.
RUN cargo build ${CARGOFLAGS}
# Move the binary to /init and stop the build unless `file` reports a static
# PIE: the initramfs ships no shared libraries, so anything dynamically linked
# could not start inside the enclave.
RUN <<-EOF
set -e
cp target/x86_64-unknown-linux-musl/release/init /
file /init | grep "static-pie"
EOF
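# Pack the initramfs and produce the enclave image (EIF). Every input mtime is
# normalised so the EIF — and therefore its PCR measurements — is stable across
# builds.
FROM build AS build-eif
# Assemble the cpio inputs under /build_cpio: the tooling stages are copied
# wholesale into /, the init binary and the NSM module into the work dir.
WORKDIR /build_cpio
COPY --from=eif_build . /
COPY --from=gen_initramfs . /
COPY --from=build-init /init .
COPY --from=linux-nitro /nsm.ko .
# gen_init_cpio manifest (`file <name> <source> <mode> <uid> <gid>`, `dir`,
# `nod`). Only /init and /nsm.ko are real files; the rest are empty mount
# points / scratch directories plus the console device node, all root-owned.
COPY <<-EOF initramfs.list
file /init init 0755 0 0
file /nsm.ko nsm.ko 0755 0 0
dir /run 0755 0 0
dir /tmp 0755 0 0
dir /etc 0755 0 0
dir /bin 0755 0 0
dir /sbin 0755 0 0
dir /proc 0755 0 0
dir /sys 0755 0 0
dir /usr 0755 0 0
dir /usr/bin 0755 0 0
dir /usr/sbin 0755 0 0
dir /dev 0755 0 0
dir /dev/shm 0755 0 0
dir /dev/pts 0755 0 0
nod /dev/console 0600 0 0 c 5 1
EOF
# Fixed timestamps for the archive tooling.
# NOTE(review): presumably read by gen_init_cpio / the initramfs helpers to pin
# entry mtimes; `-t 1` below pins them explicitly anyway — confirm which of the
# two variables is still needed.
ENV CPIO_TIMESTAMP=1
ENV KBUILD_BUILD_TIMESTAMP=1
# `set -e`: lines in a RUN heredoc are not &&-chained, so without it a failed
# step would not fail the build.
RUN <<-EOF
set -eu
# Reset every input's mtime to the epoch (-h: don't follow symlinks,
# -c: never create, -d "@0": epoch) before packing.
find . -exec touch -hcd "@0" "{}" +
mkdir /build_eif
# -t 1 gives every cpio entry the same fixed timestamp.
gen_init_cpio -t 1 initramfs.list > /build_eif/rootfs.cpio
# The archive lives outside the current directory, so it must be touched by
# its full path: a relative `rootfs.cpio` here is a silent no-op because of -c.
touch -hcd "@0" /build_eif/rootfs.cpio
EOF
WORKDIR /build_eif
COPY --from=linux-nitro /bzImage .
COPY --from=linux-nitro /linux.config .
# Build the EIF. Judging by the flag name, /nitro.pcrs receives the PCR
# measurements of the produced image (what an attestation document reports).
# NOTE(review): the `initrd=<addr>,<size>` pair in --cmdline is hard-coded;
# the size presumably has to match rootfs.cpio — confirm whenever the manifest
# or the init binary changes.
RUN eif_build \
    --ramdisk rootfs.cpio \
    --kernel bzImage \
    --kernel_config linux.config \
    --pcrs_output /nitro.pcrs \
    --output /nitro.eif \
    --cmdline 'reboot=k initrd=0x2000000,3228672 root=/dev/ram0 panic=1 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd'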
# The final stage deliberately starts FROM scratch: it carries nothing but the
# enclave image that boots the Nitro enclave — no shell, no libc, nothing else
# to reach.
FROM scratch AS package
# Destination spelled out; with no WORKDIR set, `.` would resolve to / anyway.
COPY --from=build-eif /nitro.eif /nitro.eif
# COPY --from=build-eif /nitro.pcrs .
# NOTE(review): /bin/bash does not exist in this image (only /nitro.eif is
# copied in), so this entrypoint cannot start; the image appears to serve as an
# artifact carrier consumed via `COPY --from=package` or `docker cp`. Confirm
# whether the ENTRYPOINT is intentional or should be dropped.
ENTRYPOINT ["/bin/bash"]