Ensure necessary embed strings are present for each target (#173)

transparency-dev · Dec 12, 2023 · f3d5e3f · f3d5e3f
1 parent a1dc48d
commit f3d5e3f
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 20 deletions.
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
@@ -12,17 +12,27 @@ jobs:
       TAMAGO: /usr/local/tamago-go/bin/go
       APPLET_PRIVATE_KEY: /tmp/applet.sec
       APPLET_PUBLIC_KEY: /tmp/applet.pub
+      LOG_ORIGIN: TEST-LOG
+      LOG_PRIVATE_KEY: /tmp/log.sec
+      LOG_PUBLIC_KEY: /tmp/log.pub
+      OS_PRIVATE_KEY1: /tmp/os1.sec
+      OS_PUBLIC_KEY1: /tmp/os1.pub
+      OS_PRIVATE_KEY2: /tmp/os2.sec
+      OS_PUBLIC_KEY2: /tmp/os2.pub
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Install tools
       run: |
         wget -q https://github.com/usbarmory/tamago-go/releases/download/tamago-go${TAMAGO_VERSION}/tamago-go${TAMAGO_VERSION}.linux-amd64.tar.gz
         sudo tar -xf tamago-go${TAMAGO_VERSION}.linux-amd64.tar.gz -C /
-        sudo apt install protobuf-compiler protoc-gen-go signify-openbsd
+        sudo apt install protobuf-compiler protoc-gen-go 
     - name: Create throwaway keys
       run: |
         go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD --key_name="DEV-APPLET" --out_priv=${APPLET_PRIVATE_KEY} --out_pub=${APPLET_PUBLIC_KEY}
+        go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD --key_name="DEV-LOG" --out_priv=${LOG_PRIVATE_KEY} --out_pub=${LOG_PUBLIC_KEY}
+        go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD --key_name="DEV-OS1" --out_priv=${OS_PRIVATE_KEY1} --out_pub=${OS_PUBLIC_KEY1}
+        go run github.com/transparency-dev/serverless-log/cmd/generate_keys@HEAD --key_name="DEV-OS2" --out_priv=${OS_PRIVATE_KEY2} --out_pub=${OS_PUBLIC_KEY2}
     - name: Make
       run: |
         DEBUG=1 make trusted_applet
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,9 @@
 FROM golang:1.21-bookworm
 
 ARG TAMAGO_VERSION
-ARG FT_LOG_ORIGIN
 ARG FT_LOG_URL
 ARG FT_BIN_URL
+ARG LOG_ORIGIN
 ARG LOG_PUBLIC_KEY
 ARG APPLET_PUBLIC_KEY
 ARG OS_PUBLIC_KEY1
@@ -24,9 +24,9 @@ COPY . .
 ENV TAMAGO=/usr/local/tamago-go/bin/go
 
 # Firmware transparency parameters for output binary.
-ENV FT_LOG_ORIGIN=${FT_LOG_ORIGIN} \
-    FT_LOG_URL=${FT_LOG_URL} \
+ENV FT_LOG_URL=${FT_LOG_URL} \
     FT_BIN_URL=${FT_BIN_URL} \
+    LOG_ORIGIN=${LOG_ORIGIN} \
     LOG_PUBLIC_KEY=${LOG_PUBLIC_KEY} \
     APPLET_PUBLIC_KEY=${APPLET_PUBLIC_KEY} \
     OS_PUBLIC_KEY1=${OS_PUBLIC_KEY1} \

diff --git a/Makefile b/Makefile
@@ -19,11 +19,9 @@ BUILD_EPOCH := $(shell /bin/date -u "+%s")
 BUILD_TAGS = linkramsize,linkramstart,disable_fr_auth,linkprintk,nostatfs
 BUILD = ${BUILD_USER}@${BUILD_HOST} on ${BUILD_DATE}
 REV = $(shell git rev-parse --short HEAD 2> /dev/null)
-DEV_LOG_ORIGIN ?= "DEV.armoredwitness.transparency.dev/${USER}"
 GIT_SEMVER_TAG ?= $(shell (git describe --tags --exact-match --match 'v*.*.*' 2>/dev/null || git describe --match 'v*.*.*' --tags 2>/dev/null || git describe --tags 2>/dev/null || echo -n v0.0.${BUILD_EPOCH}+`git rev-parse HEAD`) | tail -c +2 )
 FT_BIN_URL ?= "http://$(shell hostname --fqdn):9944/artefacts/"
 FT_LOG_URL ?= "http://$(shell hostname --fqdn):9944/log/"
-FT_LOG_ORIGIN ?= $(DEV_LOG_ORIGIN)
 REST_DISTRIBUTOR_BASE_URL ?= "https://api.transparency.dev"
 
 TAMAGO_SEMVER = $(shell [ -n "${TAMAGO}" -a -x "${TAMAGO}" ] && ${TAMAGO} version | sed 's/.*go\([0-9]\.[0-9]*\.[0-9]*\).*/\1/')
@@ -47,11 +45,10 @@ ARCH = "arm"
 GOFLAGS = -tags ${BUILD_TAGS} -trimpath \
         -ldflags "-T ${TEXT_START} -E ${ENTRY_POINT} -R 0x1000 \
                   -X 'main.Build=${BUILD}' -X 'main.Revision=${REV}' -X 'main.Version=${GIT_SEMVER_TAG}' \
-                  -X 'main.PublicKey=$(shell test ${PUBLIC_KEY} && cat ${PUBLIC_KEY} | tail -n 1)' \
                   -X 'main.RestDistributorBaseURL=${REST_DISTRIBUTOR_BASE_URL}' \
                   -X 'main.updateBinariesURL=${FT_BIN_URL}' \
                   -X 'main.updateLogURL=${FT_LOG_URL}' \
-                  -X 'main.updateLogOrigin=${FT_LOG_ORIGIN}' \
+                  -X 'main.updateLogOrigin=${LOG_ORIGIN}' \
                   -X 'main.updateLogVerifier=$(shell cat ${LOG_PUBLIC_KEY})' \
                   -X 'main.updateAppletVerifier=$(shell cat ${APPLET_PUBLIC_KEY})' \
                   -X 'main.updateOSVerifier1=$(shell cat ${OS_PUBLIC_KEY1})' \
@@ -66,11 +63,11 @@ all: trusted_applet
 
 trusted_applet_nosign: APP=trusted_applet
 trusted_applet_nosign: DIR=$(CURDIR)/trusted_applet
-trusted_applet_nosign: elf
+trusted_applet_nosign: check_embed_env elf
 
 trusted_applet: APP=trusted_applet
 trusted_applet: DIR=$(CURDIR)/trusted_applet
-trusted_applet: check_signing_env elf manifest
+trusted_applet: check_embed_env elf manifest
 
 ## Targets for managing a local serverless log instance for dev/testing FT related bits.
 
@@ -79,7 +76,7 @@ log_initialise:
 	echo "(Re-)initialising log at ${LOG_STORAGE_DIR}"
 	go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
 		--storage_dir=${LOG_STORAGE_DIR} \
-		--origin=${DEV_LOG_ORIGIN} \
+		--origin=${LOG_ORIGIN} \
 		--private_key=${LOG_PRIVATE_KEY} \
 		--public_key=${LOG_PUBLIC_KEY} \
 		--initialise
@@ -90,11 +87,11 @@ log_applet: LOG_ARTEFACT_DIR=$(DEV_LOG_DIR)/artefacts
 log_applet: ARTEFACT_HASH=$(shell sha256sum ${CURDIR}/bin/trusted_applet.elf | cut -f1 -d" ")
 log_applet:
 	@if [ "${LOG_PRIVATE_KEY}" == "" -o "${LOG_PUBLIC_KEY}" == "" ]; then \
-		@echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
+		echo "You need to set LOG_PRIVATE_KEY and LOG_PUBLIC_KEY variables"; \
 		exit 1; \
 	fi
 	@if [ "${DEV_LOG_DIR}" == "" ]; then \
-		@echo "You need to set the DEV_LOG_DIR variable"; \
+		echo "You need to set the DEV_LOG_DIR variable"; \
 		exit 1; \
 	fi
 
@@ -103,12 +100,12 @@ log_applet:
 	fi
 	go run github.com/transparency-dev/serverless-log/cmd/sequence@a56a93b5681e5dc231882ac9de435c21cb340846 \
 		--storage_dir=${LOG_STORAGE_DIR} \
-		--origin=${DEV_LOG_ORIGIN} \
+		--origin=${LOG_ORIGIN} \
 		--public_key=${LOG_PUBLIC_KEY} \
 		--entries=${CURDIR}/bin/trusted_applet_manifest
 	-go run github.com/transparency-dev/serverless-log/cmd/integrate@a56a93b5681e5dc231882ac9de435c21cb340846 \
 		--storage_dir=${LOG_STORAGE_DIR} \
-		--origin=${DEV_LOG_ORIGIN} \
+		--origin=${LOG_ORIGIN} \
 		--private_key=${LOG_PRIVATE_KEY} \
 		--public_key=${LOG_PUBLIC_KEY}
 	@mkdir -p ${LOG_ARTEFACT_DIR}
@@ -121,9 +118,26 @@ manifest: $(APP)_manifest
 
 #### utilities ####
 
-check_signing_env:
-	@if [ "${APPLET_PRIVATE_KEY}" == "" ] || [ ! -f "${APPLET_PRIVATE_KEY}" ]; then \
-		echo 'You need to set the APPLET_PRIVATE_KEY variable to a valid signing key path'; \
+# Various strings need to be embedded into the binary, keys, log info, etc. check they are present.
+check_embed_env:
+	@if [ "${LOG_ORIGIN}" == "" ]; then \
+		echo 'You need to set the LOG_ORIGIN variable'; \
+		exit 1; \
+	fi
+	@if [ "${LOG_PUBLIC_KEY}" == "" ] || [ ! -f "${LOG_PUBLIC_KEY}" ]; then \
+		echo 'You need to set the LOG_PUBLIC_KEY variable to a valid note verifier key path'; \
+		exit 1; \
+	fi
+	@if [ "${APPLET_PUBLIC_KEY}" == "" ] || [ ! -f "${APPLET_PUBLIC_KEY}" ]; then \
+		echo 'You need to set the APPLET_PUBLIC_KEY variable to a valid note verifier key path'; \
+		exit 1; \
+	fi
+	@if [ "${OS_PUBLIC_KEY1}" == "" ] || [ ! -f "${OS_PUBLIC_KEY1}" ]; then \
+		echo 'You need to set the OS_PUBLIC_KEY1 variable to a valid note verifier key path'; \
+		exit 1; \
+	fi
+	@if [ "${OS_PUBLIC_KEY2}" == "" ] || [ ! -f "${OS_PUBLIC_KEY2}" ]; then \
+		echo 'You need to set the OS_PUBLIC_KEY2 variable to a valid note verifier key path'; \
 		exit 1; \
 	fi
 
@@ -147,6 +161,10 @@ $(APP).elf: check_tamago
 
 
 $(APP)_manifest:
+	@if [ "${APPLET_PRIVATE_KEY}" == "" ] || [ ! -f "${APPLET_PRIVATE_KEY}" ]; then \
+		echo 'You need to set the APPLET_PRIVATE_KEY variable to a valid note signing key path'; \
+		exit 1; \
+	fi
 	# Create manifest
 	@echo ---------- Manifest --------------
 	go run github.com/transparency-dev/armored-witness/cmd/manifest@228f2f6432babe1f1657e150ce0ca4a96ab394da \

diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -5,9 +5,9 @@ steps:
     args:
       - build
       - --build-arg=TAMAGO_VERSION=${_TAMAGO_VERSION}
-      - --build-arg=FT_LOG_ORIGIN=${_ORIGIN}
       - --build-arg=FT_LOG_URL=${_LOG_BASE_URL}
       - --build-arg=FT_BIN_URL=${_BIN_BASE_URL}
+      - --build-arg=LOG_ORIGIN=${_ORIGIN}
       - --build-arg=LOG_PUBLIC_KEY=${_LOG_PUBLIC_KEY}
       - --build-arg=APPLET_PUBLIC_KEY=${_APPLET_PUBLIC_KEY}
       - --build-arg=OS_PUBLIC_KEY1=${_OS_PUBLIC_KEY1}

diff --git a/release/cloudbuild_ci.yaml b/release/cloudbuild_ci.yaml
@@ -18,9 +18,9 @@ steps:
       - |
         docker build \
           --build-arg=TAMAGO_VERSION=${_TAMAGO_VERSION} \
-          --build-arg=FT_LOG_ORIGIN=${_ORIGIN} \
           --build-arg=FT_LOG_URL=${_LOG_BASE_URL} \
           --build-arg=FT_BIN_URL=${_BIN_BASE_URL} \
+          --build-arg=LOG_ORIGIN=${_ORIGIN} \
           --build-arg=LOG_PUBLIC_KEY=${_LOG_PUBLIC_KEY} \
           --build-arg=APPLET_PUBLIC_KEY=${_APPLET_PUBLIC_KEY} \
           --build-arg=OS_PUBLIC_KEY1=${_OS_PUBLIC_KEY1} \