From 728e6269e24011b7205ecf15f6cf5591a1eaeb75 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 10 Dec 2020 11:49:27 +0000 Subject: [PATCH] Fix Wasm module reproducibility Update hashes Use fake user ID in Docker Update Aggregator hash TEST_CI: chwon oak files TEST_CI: add ci_init TEST_CI: change order TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: chown oak TEST_CI: chown oak TEST_CI: chown oak TEST_CI: chown oak TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order Init github CI Test github CI Test github CI Test github CI Test github CI Remove test code Remove test code Remove test code Update signature Update Dockerfile Test CI Test CI Update hashes --- Dockerfile | 5 ++++- examples/aggregator/README.md | 2 -- examples/aggregator/client/android/cpp/client.cc | 2 +- examples/aggregator/client/cpp/aggregator.cc | 2 +- examples/aggregator/config.toml | 2 +- examples/aggregator/oak_app_manifest.toml | 2 +- examples/private_set_intersection/README.md | 3 --- examples/private_set_intersection/oak_app_manifest.toml | 3 +-- .../private_set_intersection_handler.sign | 6 +++--- scripts/docker_build | 2 -- 10 files changed, 12 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index 73aa88f0db6..45ce3af3967 100644 --- a/Dockerfile +++ b/Dockerfile @@ -281,9 +281,12 @@ RUN make depend && make -j"$(nproc)"&& make install_sw install_ssldirs ENV PKG_CONFIG_ALLOW_CROSS 1 ENV OPENSSL_STATIC 1 +# We use the `docker` user in order to maintain library paths on different +# machines and to make Wasm modules reproducible. +ARG USERNAME=docker + # Placeholder args that are expected to be passed in at image build time. # See https://code.visualstudio.com/docs/remote/containers-advanced#_creating-a-nonroot-user -ARG USERNAME=user-name-goes-here ARG USER_UID=1000 ARG USER_GID=${USER_UID} diff --git a/examples/aggregator/README.md b/examples/aggregator/README.md index a9a1903c5ed..ec4beddb7ae 100644 --- a/examples/aggregator/README.md +++ b/examples/aggregator/README.md @@ -152,8 +152,6 @@ gcloud monitoring dashboards list 1. Build the example, including the Wasm module 1. Get module SHA256 hash via `sha256sum examples/aggregator/bin/aggregator.wasm` -1. Push the module to GS via `./scripts/push_example -e aggregator` -1. Fix the URL and hash in [`./oak_app_manifest.toml`](./oak_app_manifest.toml) 1. Fix module hash in the following files: - `examples/aggregator/config.toml` diff --git a/examples/aggregator/client/android/cpp/client.cc b/examples/aggregator/client/android/cpp/client.cc index 1c095a628be..848d0f089ef 100644 --- a/examples/aggregator/client/android/cpp/client.cc +++ b/examples/aggregator/client/android/cpp/client.cc @@ -55,7 +55,7 @@ JNIEXPORT void JNICALL Java_com_google_oak_aggregator_MainActivity_createChannel // The particular value corresponds to the hash on the `aggregator.wasm` line in // https://github.com/project-oak/oak/blob/hashes/reproducibility_index. oak::label::Label label = oak::WebAssemblyModuleHashLabel( - absl::HexStringToBytes("2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7")); + absl::HexStringToBytes("87dd6f0375b1fcea0e5b8b13adda6cbe6ca9a9eef4ab8557b65f90ac593d9cb7")); kChannel = Aggregator::NewStub(oak::ApplicationClient::CreateChannel( address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label)); JNI_LOG("gRPC channel has been created"); diff --git a/examples/aggregator/client/cpp/aggregator.cc b/examples/aggregator/client/cpp/aggregator.cc index dac193c82b9..6a081142ada 100644 --- a/examples/aggregator/client/cpp/aggregator.cc +++ b/examples/aggregator/client/cpp/aggregator.cc @@ -80,7 +80,7 @@ int main(int argc, char** argv) { // https://github.com/project-oak/oak/blob/hashes/reproducibility_index. // TODO(#1674): Add appropriate TLS endpoint tag to the label as well. oak::label::Label label = oak::WebAssemblyModuleHashLabel( - absl::HexStringToBytes("2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7")); + absl::HexStringToBytes("87dd6f0375b1fcea0e5b8b13adda6cbe6ca9a9eef4ab8557b65f90ac593d9cb7")); // Connect to the Oak Application. auto stub = Aggregator::NewStub(oak::ApplicationClient::CreateChannel( address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label)); diff --git a/examples/aggregator/config.toml b/examples/aggregator/config.toml index 0295e718018..4763211e5dd 100644 --- a/examples/aggregator/config.toml +++ b/examples/aggregator/config.toml @@ -1,3 +1,3 @@ grpc_server_listen_address = "[::]:8080" backend_server_address = "https://localhost:8888" -aggregator_module_hash = "2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7" +aggregator_module_hash = "87dd6f0375b1fcea0e5b8b13adda6cbe6ca9a9eef4ab8557b65f90ac593d9cb7" diff --git a/examples/aggregator/oak_app_manifest.toml b/examples/aggregator/oak_app_manifest.toml index b0748eb8a6c..fe8c9186b84 100644 --- a/examples/aggregator/oak_app_manifest.toml +++ b/examples/aggregator/oak_app_manifest.toml @@ -1,4 +1,4 @@ name = "aggregator" [modules] -app = { external = { url = "https://storage.googleapis.com/oak-modules/aggregator/2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7", sha256 = "2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7" } } +app = { path = "examples/aggregator/bin/aggregator.wasm" } diff --git a/examples/private_set_intersection/README.md b/examples/private_set_intersection/README.md index a638fd7cf1a..a01b0b8ae75 100644 --- a/examples/private_set_intersection/README.md +++ b/examples/private_set_intersection/README.md @@ -6,9 +6,6 @@ This example requires a valid signature of the `handler` module. So, whenever the code is modified, the wasm module and the signature must be regenerated: 1. Build the example, including the Wasm module -1. Push the module to GS via - `./scripts/push_example -e private_set_intersection` -1. Fix the URL and hash in [`./oak_app_manifest.toml`](./oak_app_manifest.toml) 1. Sign the module with the test key that is checked in the repository (only for test / debug use): diff --git a/examples/private_set_intersection/oak_app_manifest.toml b/examples/private_set_intersection/oak_app_manifest.toml index c74aa332ee6..5cb65ccd70b 100644 --- a/examples/private_set_intersection/oak_app_manifest.toml +++ b/examples/private_set_intersection/oak_app_manifest.toml @@ -5,5 +5,4 @@ signature_manifests = [ [modules] app = { path = "examples/private_set_intersection/bin/private_set_intersection.wasm" } -# TODO(865): Use locally built module once reproducibility is fixed. -handler = { external = { url = "https://storage.googleapis.com/oak-modules/private_set_intersection_handler/a3e3fce0b23273a5117efd7d94632091990c3637536d80ed1874a2013c8f0f07", sha256 = "a3e3fce0b23273a5117efd7d94632091990c3637536d80ed1874a2013c8f0f07" } } +handler = { path = "examples/private_set_intersection/bin/private_set_intersection_handler.wasm" } diff --git a/examples/private_set_intersection/private_set_intersection_handler.sign b/examples/private_set_intersection/private_set_intersection_handler.sign index 7e4a8f334ce..043daa7f180 100644 --- a/examples/private_set_intersection/private_set_intersection_handler.sign +++ b/examples/private_set_intersection/private_set_intersection_handler.sign @@ -3,10 +3,10 @@ f41SClNtR4i46v2Tuh1fQLbt/ZqRr1lENajCW92jyP4= -----END PUBLIC KEY----- -----BEGIN SIGNATURE----- -ITXOClpnflN81KsB2TGBPBkYNnSJu8uhOWH7YDg2UgVXdRFdguAWagQmVFlgt6gb -qY6f7zg0TfenVKihsYMdCw== +jQBzS8VmHEM+rUdc35w/sPe9YFF4dFkI65oiXIqUQ6bx+wontkCtHZgk7ph/rFEM +A3mCko3gxkaXdBRjRphXAQ== -----END SIGNATURE----- -----BEGIN HASH----- -o+P84LIyc6URfv19lGMgkZkMNjdTbYDtGHSiATyPDwc= +hzIp2c/Pr7PP4YMXSRXtfFy2F1tv8UsZDKrwCDnpZbQ= -----END HASH----- diff --git a/scripts/docker_build b/scripts/docker_build index 106a5a95b22..5e9ab2a4c27 100755 --- a/scripts/docker_build +++ b/scripts/docker_build @@ -11,12 +11,10 @@ source "$SCRIPTS_DIR/common" # https://github.com/googleapis/google-cloud-cpp/blob/a186208b79d900b4ec71c6f9df3acf7638f01dc6/ci/kokoro/docker/build.sh#L147-L152 readonly DOCKER_UID="${UID:-0}" readonly DOCKER_GID="$(id -g)" -readonly DOCKER_USER="${USER:-root}" docker build \ --cache-from="$DOCKER_IMAGE_NAME:latest" \ --tag="$DOCKER_IMAGE_NAME:latest" \ - --build-arg=USERNAME="$DOCKER_USER" \ --build-arg=USER_UID="$DOCKER_UID" \ --build-arg=USER_GID="$DOCKER_GID" \ . 1>&2