confidential-containers
diff --git a/‎.github/workflows/build-test-containers.yaml‎
Lines changed: 98 additions & 0 deletions b/‎.github/workflows/build-test-containers.yaml‎
Lines changed: 98 additions & 0 deletions
diff --git a/‎container-images/Makefile‎
Lines changed: 250 additions & 0 deletions b/‎container-images/Makefile‎
Lines changed: 250 additions & 0 deletions
diff --git a/‎container-images/configs/ocicrypt.conf‎
Lines changed: 7 additions & 0 deletions b/‎container-images/configs/ocicrypt.conf‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎container-images/dockerfiles/alpine-with-sshd/Dockerfile‎
Lines changed: 21 additions & 0 deletions b/‎container-images/dockerfiles/alpine-with-sshd/Dockerfile‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎container-images/dockerfiles/busybox/Dockerfile‎
Lines changed: 3 additions & 0 deletions b/‎container-images/dockerfiles/busybox/Dockerfile‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎container-images/keys/encrypt/key1‎
Lines changed: 1 addition & 0 deletions b/‎container-images/keys/encrypt/key1‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎container-images/keys/encrypt/ssh-demo-key‎
Lines changed: 1 addition & 0 deletions b/‎container-images/keys/encrypt/ssh-demo-key‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,98 @@
+name: Build Test Containers
+run-name: Build Test Containers
+
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: "Make target to run (default: all)"
+        required: false
+        default: "all"
+        type: choice
+        options:
+          - all
+          - multi-arch-encrypted
+          - multi-arch-encrypted-cosign-sig
+          - unsig
+          - cosign-sig
+          - simple-sig
+          - enc-unsig
+          - enc-cosign-sig
+          - test-container-unencrypted
+          - test-container-encrypted
+          - busybox
+  push:
+    branches:
+      - "main"
+    paths:
+      - "container-images/**"
+      - ".github/workflows/build-test-containers.yaml"
+
+jobs:
+  build-test-containers:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+
+    env:
+      REGISTRY: ghcr.io
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log in to GHCR
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check out guest-components
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: confidential-containers/guest-components
+          ref: refs/heads/main
+          path: ./guest-components
+
+      - name: Build coco-keyprovider container
+        run: |
+          docker build -t coco-keyprovider \
+            -f guest-components/attestation-agent/docker/Dockerfile.keyprovider \
+            guest-components/
+
+      - name: Start coco-keyprovider
+        run: |
+          docker run -d --rm --network host --name coco-keyprovider coco-keyprovider
+          echo "Waiting for coco-keyprovider on localhost:50000"
+          timeout 30 bash -c 'until nc -z localhost 50000; do sleep 1; done'
+          echo "coco-keyprovider is ready"
+
+      - name: Install tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y skopeo jq
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
+      - name: Import GPG key
+        working-directory: container-images
+        run: gpg --batch --import keys/sign/github-runner.keys
+
+      - name: Run make target
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        working-directory: container-images
+        run: make ${{ github.event.inputs.target || 'all' }}
+
+      - name: Stop coco-keyprovider
+        if: always()
+        run: docker stop coco-keyprovider 2>/dev/null || true
@@ -0,0 +1,250 @@
+#
+# This makefile's targets rebuild various container images that can be used
+# for development and testing in the CoCo project.
+# They also are intended to serve as an up-to-date reference for creating
+# new images.
+#
+# Note: The targets push to ghcr, which requires proper credentials and
+# `docker login`.
+#
+# For multi-arch targets, Docker buildx with QEMU is required:
+#   docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+#   docker buildx create --name multiarch-coco --use
+#   docker buildx inspect --bootstrap
+#
+
+.PHONY: unsig \
+	cosign-sig \
+	simple-sig \
+	enc-unsig \
+	enc-cosign-sig \
+	test-container-unencrypted \
+	test-container-encrypted \
+	multi-arch-encrypted \
+	multi-arch-encrypted-cosign-sig \
+	busybox \
+	setup-buildx \
+	coco-keyprovider \
+	all
+
+SHELL := /bin/bash
+
+COCO_PKG := confidential-containers/test-container
+COCO_PKG_IMGRS := confidential-containers/test-container-image-rs
+REGISTRY := ghcr.io
+
+PLATFORMS := linux/amd64 linux/arm64 linux/s390x
+BUILDX_BUILDER := multiarch-coco
+KEYPROVIDER_IMAGE := coco-keyprovider
+
+SSH_DEMO_KEY_B64 := HUlOu8NWz8si11OZUzUJMnjiq/iZyHBJZMSD3BaqgMc=
+SSH_DEMO_KEY_ID := kbs:///default/key/ssh-demo
+
+WORK_DIR := /tmp/coco-multi-arch-build
+
+
+all: \
+	unsig \
+	cosign-sig \
+	simple-sig \
+	enc-unsig \
+	enc-cosign-sig \
+	test-container-unencrypted \
+	test-container-encrypted \
+	multi-arch-encrypted \
+	multi-arch-encrypted-cosign-sig \
+	busybox
+
+
+# ---------------------------------------------------------------------------
+# Setup targets
+# ---------------------------------------------------------------------------
+
+setup-buildx:
+	@if ! docker buildx inspect $(BUILDX_BUILDER) >/dev/null 2>&1; then \
+		echo "==> Setting up QEMU and buildx builder"; \
+		docker run --rm --privileged multiarch/qemu-user-static --reset -p yes; \
+		docker buildx create --name $(BUILDX_BUILDER) --use; \
+		docker buildx inspect --bootstrap; \
+	else \
+		docker buildx use $(BUILDX_BUILDER); \
+	fi
+
+coco-keyprovider:
+	@if ! docker image inspect $(KEYPROVIDER_IMAGE) >/dev/null 2>&1; then \
+		echo "==> Building coco-keyprovider from guest-components"; \
+		if [ ! -d /tmp/guest-components ]; then \
+			git clone --depth 1 https://github.com/confidential-containers/guest-components.git /tmp/guest-components; \
+		fi; \
+		docker build -t $(KEYPROVIDER_IMAGE) \
+			-f /tmp/guest-components/attestation-agent/docker/Dockerfile.keyprovider \
+			/tmp/guest-components/; \
+	else \
+		echo "==> coco-keyprovider image already exists"; \
+	fi
+
+
+# ---------------------------------------------------------------------------
+# Single-arch targets (build for host arch, push directly)
+# ---------------------------------------------------------------------------
+
+unsig:
+	docker build \
+		-t $(REGISTRY)/$(COCO_PKG):unsig \
+		-f dockerfiles/alpine-with-sshd/Dockerfile \
+		.
+	docker push $(REGISTRY)/$(COCO_PKG):unsig
+
+cosign-sig:
+	docker build \
+		-t $(REGISTRY)/$(COCO_PKG):cosign-sig \
+		-f dockerfiles/alpine-with-sshd/Dockerfile \
+		.
+	docker push $(REGISTRY)/$(COCO_PKG):cosign-sig
+	${CURDIR}/scripts/make-cosign-sig.sh $(COCO_PKG) cosign-sig $(REGISTRY)
+
+# NOTE: This depends on a gpg key owned by git@runner.com.
+# Before issuing this make target:
+#   gpg --batch --import ./keys/sign/github-runner.keys
+simple-sig: unsig
+	skopeo \
+		copy \
+		--debug \
+		--insecure-policy \
+		--sign-by git@runner.com \
+		--sign-passphrase-file $(shell pwd)/keys/sign/git-runner-password.txt \
+		docker-daemon:$(REGISTRY)/$(COCO_PKG):unsig \
+		docker://$(REGISTRY)/$(COCO_PKG):simple-sig
+
+# NOTE: This requires coco-keyprovider running on localhost:50000.
+# Use `make coco-keyprovider` to build the container, then run it:
+#   docker run --rm --network host coco-keyprovider
+enc-unsig: unsig
+	OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+	skopeo copy \
+		--insecure-policy \
+		--encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+		docker-daemon:$(REGISTRY)/$(COCO_PKG):unsig \
+		docker://$(REGISTRY)/$(COCO_PKG):enc-unsig
+
+enc-cosign-sig: cosign-sig
+	OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+	skopeo copy \
+		--insecure-policy \
+		--encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+		docker-daemon:$(REGISTRY)/$(COCO_PKG):cosign-sig \
+		docker://$(REGISTRY)/$(COCO_PKG):enc-cosign-sig
+	${CURDIR}/scripts/make-cosign-sig.sh $(COCO_PKG) enc-cosign-sig $(REGISTRY)
+
+test-container-unencrypted:
+	docker build \
+		-t $(REGISTRY)/$(COCO_PKG):unencrypted \
+		-f dockerfiles/alpine-with-sshd/Dockerfile \
+		.
+	docker push $(REGISTRY)/$(COCO_PKG):unencrypted
+
+test-container-encrypted: test-container-unencrypted
+	OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+	skopeo copy \
+		--insecure-policy \
+		--encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+		docker-daemon:$(REGISTRY)/$(COCO_PKG):unencrypted \
+		docker://$(REGISTRY)/$(COCO_PKG):encrypted
+
+busybox:
+	docker build \
+		-t $(REGISTRY)/$(COCO_PKG_IMGRS):busybox \
+		-f dockerfiles/busybox/Dockerfile \
+		dockerfiles/busybox
+	docker push $(REGISTRY)/$(COCO_PKG_IMGRS):busybox
+
+
+# ---------------------------------------------------------------------------
+# Multi-arch encrypted target
+#
+# Builds the ccv0-ssh image for each platform, encrypts with the
+# coco-keyprovider container, pushes per-arch images, and assembles
+# a multi-arch manifest.
+#
+# Encryption key: from demos/ssh-demo/aa-offline_fs_kbc-keys.json
+# Key ID:         kbs:///default/key/ssh-demo
+# ---------------------------------------------------------------------------
+
+multi-arch-encrypted: setup-buildx coco-keyprovider
+	@echo "==> Building multi-arch-encrypted for: $(PLATFORMS)"
+	@mkdir -p $(WORK_DIR)
+	@for platform in $(PLATFORMS); do \
+		arch=$$(echo $$platform | cut -d/ -f2); \
+		arch_dir="$(WORK_DIR)/$$arch"; \
+		per_arch_tag="$(REGISTRY)/$(COCO_PKG):encrypted-$$arch"; \
+		\
+		echo "==> [$$arch] Building unencrypted image"; \
+		docker buildx build \
+			--platform "$$platform" \
+			--provenance=false \
+			-t "ccv0-ssh:$$arch" \
+			--load \
+			-f dockerfiles/alpine-with-sshd/Dockerfile \
+			. ; \
+		\
+		echo "==> [$$arch] Exporting to OCI directory"; \
+		mkdir -p "$$arch_dir"/{input,output}; \
+		skopeo copy --override-arch "$$arch" \
+			"docker-daemon:ccv0-ssh:$$arch" \
+			"dir:$$arch_dir/input"; \
+		\
+		echo "==> [$$arch] Encrypting with coco-keyprovider"; \
+		docker run --rm \
+			-v "$$arch_dir:/oci" \
+			$(KEYPROVIDER_IMAGE) \
+			/encrypt.sh \
+				-k "$(SSH_DEMO_KEY_B64)" \
+				-i "$(SSH_DEMO_KEY_ID)" \
+				-s "dir:/oci/input" \
+				-d "dir:/oci/output"; \
+		\
+		echo "==> [$$arch] Verifying encryption annotations"; \
+		skopeo inspect "dir:$$arch_dir/output" \
+			| jq -e 'any(.LayersData[]?; .Annotations?["org.opencontainers.image.enc.keys.provider.attestation-agent"] != null)' \
+			|| { echo "ERROR: [$$arch] No encryption annotation"; exit 1; }; \
+		\
+		echo "==> [$$arch] Pushing encrypted image"; \
+		skopeo copy "dir:$$arch_dir/output" "docker://$$per_arch_tag"; \
+	done
+	@echo "==> Creating multi-arch manifest"
+	@docker manifest rm $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted 2>/dev/null || true
+	@docker manifest create $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted \
+		$(foreach p,$(PLATFORMS),$(REGISTRY)/$(COCO_PKG):encrypted-$(lastword $(subst /, ,$(p))))
+	@$(foreach p,$(PLATFORMS), \
+		docker manifest annotate $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted \
+			$(REGISTRY)/$(COCO_PKG):encrypted-$(lastword $(subst /, ,$(p))) \
+			--os linux --arch $(lastword $(subst /, ,$(p))) ; \
+	)
+	@echo "==> Pushing multi-arch manifest"
+	@docker manifest push $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted
+	@echo "==> Done! Image: $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted"
+
+
+# ---------------------------------------------------------------------------
+# Multi-arch encrypted + cosign-signed target
+#
+# Re-tags the per-arch encrypted images under a new manifest and
+# cosign-signs it, producing an image that is both encrypted and
+# cosign-signed under a separate tag.
+# ---------------------------------------------------------------------------
+
+multi-arch-encrypted-cosign-sig: multi-arch-encrypted
+	@echo "==> Creating multi-arch-encrypted-cosign-sig manifest"
+	@docker manifest rm $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted-cosign-sig 2>/dev/null || true
+	@docker manifest create $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted-cosign-sig \
+		$(foreach p,$(PLATFORMS),$(REGISTRY)/$(COCO_PKG):encrypted-$(lastword $(subst /, ,$(p))))
+	@$(foreach p,$(PLATFORMS), \
+		docker manifest annotate $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted-cosign-sig \
+			$(REGISTRY)/$(COCO_PKG):encrypted-$(lastword $(subst /, ,$(p))) \
+			--os linux --arch $(lastword $(subst /, ,$(p))) ; \
+	)
+	@echo "==> Pushing multi-arch-encrypted-cosign-sig manifest"
+	@docker manifest push $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted-cosign-sig
+	@echo "==> Cosign-signing multi-arch-encrypted-cosign-sig"
+	${CURDIR}/scripts/make-cosign-sig.sh $(COCO_PKG) multi-arch-encrypted-cosign-sig $(REGISTRY)
+	@echo "==> Done! Image: $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted-cosign-sig"
@@ -0,0 +1,7 @@
+{
+	"key-providers": {
+		"attestation-agent": {
+			"grpc": "localhost:50000"
+		}
+	}
+}
@@ -0,0 +1,21 @@
+FROM alpine:3.14
+RUN apk add --no-cache openssh-server
+
+# Use the ssh-demo image's legacy keys. To generate new ones, can do something
+# like:
+# RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
+COPY keys/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key
+COPY keys/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ed25519_key.pub
+
+# A password needs to be set for login to work. An empty password is
+# unproblematic as password-based login to root is not allowed.
+RUN passwd -d root
+
+# Use the ssh-demo user/client's legacy keys. To generate new ones, can do
+# something like:
+# $ ssh-keygen -t ed25519 -f ccv0-ssh -P "" -C ""
+COPY keys/ssh/ccv0-ssh.pub /root/.ssh/authorized_keys
+RUN chmod 600 /etc/ssh/ssh_host_ed25519_key /root/.ssh/authorized_keys \
+    && chmod 644 /etc/ssh/ssh_host_ed25519_key.pub \
+    && chmod 700 /root/.ssh
+ENTRYPOINT ["/usr/sbin/sshd", "-D"]
@@ -0,0 +1,3 @@
+FROM busybox:1.36
+
+CMD ["sh"]
@@ -0,0 +1 @@
+DE�L'��tOY|��&m����7���h�e�@
@@ -0,0 +1 @@
+IN��V��"�S�S5	2x����pIdă����
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+FROM busybox:1.36`
	`2`	`+`
	`3`	`+CMD ["sh"]`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+DE�L'��tOY\|��&m��7��h�e�@`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+IN��V��"�S�S5 2x��pIdă��`