From c5b820a5cd82bdf22e80bd71c0628859d6fa521f Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Thu, 10 Dec 2020 11:49:27 +0000 Subject: [PATCH] Fix Wasm module reproducibility Update hashes Use fake user ID in Docker Update Aggregator hash TEST_CI: chwon oak files TEST_CI: add ci_init TEST_CI: change order TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: chown oak TEST_CI: chown oak TEST_CI: chown oak TEST_CI: chown oak TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order TEST_CI: fix order Init github CI Test github CI Test github CI Test github CI Test github CI Remove test code Remove test code Remove test code Update signature Update Dockerfile --- Dockerfile | 5 ++++- examples/aggregator/README.md | 2 -- examples/aggregator/client/android/cpp/client.cc | 2 +- examples/aggregator/client/cpp/aggregator.cc | 2 +- examples/aggregator/config.toml | 2 +- examples/aggregator/oak_app_manifest.toml | 2 +- examples/private_set_intersection/README.md | 3 --- examples/private_set_intersection/oak_app_manifest.toml | 3 +-- .../private_set_intersection_handler.sign | 6 +++--- scripts/docker_build | 2 -- 10 files changed, 12 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index 73aa88f0db6..45ce3af3967 100644 --- a/Dockerfile +++ b/Dockerfile @@ -281,9 +281,12 @@ RUN make depend && make -j"$(nproc)"&& make install_sw install_ssldirs ENV PKG_CONFIG_ALLOW_CROSS 1 ENV OPENSSL_STATIC 1 +# We use the `docker` user in order to maintain library paths on different +# machines and to make Wasm modules reproducible. +ARG USERNAME=docker + # Placeholder args that are expected to be passed in at image build time. # See https://code.visualstudio.com/docs/remote/containers-advanced#_creating-a-nonroot-user -ARG USERNAME=user-name-goes-here ARG USER_UID=1000 ARG USER_GID=${USER_UID} diff --git a/examples/aggregator/README.md b/examples/aggregator/README.md index a9a1903c5ed..ec4beddb7ae 100644 --- a/examples/aggregator/README.md +++ b/examples/aggregator/README.md @@ -152,8 +152,6 @@ gcloud monitoring dashboards list 1. Build the example, including the Wasm module 1. Get module SHA256 hash via `sha256sum examples/aggregator/bin/aggregator.wasm` -1. Push the module to GS via `./scripts/push_example -e aggregator` -1. Fix the URL and hash in [`./oak_app_manifest.toml`](./oak_app_manifest.toml) 1. Fix module hash in the following files: - `examples/aggregator/config.toml` diff --git a/examples/aggregator/client/android/cpp/client.cc b/examples/aggregator/client/android/cpp/client.cc index 1c095a628be..8902ba9fa69 100644 --- a/examples/aggregator/client/android/cpp/client.cc +++ b/examples/aggregator/client/android/cpp/client.cc @@ -55,7 +55,7 @@ JNIEXPORT void JNICALL Java_com_google_oak_aggregator_MainActivity_createChannel // The particular value corresponds to the hash on the `aggregator.wasm` line in // https://github.com/project-oak/oak/blob/hashes/reproducibility_index. oak::label::Label label = oak::WebAssemblyModuleHashLabel( - absl::HexStringToBytes("2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7")); + absl::HexStringToBytes("9ad1f44640141bf54a90942310695a311ced743d164effd54942fad9593e740a")); kChannel = Aggregator::NewStub(oak::ApplicationClient::CreateChannel( address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label)); JNI_LOG("gRPC channel has been created"); diff --git a/examples/aggregator/client/cpp/aggregator.cc b/examples/aggregator/client/cpp/aggregator.cc index dac193c82b9..6e1181143b2 100644 --- a/examples/aggregator/client/cpp/aggregator.cc +++ b/examples/aggregator/client/cpp/aggregator.cc @@ -80,7 +80,7 @@ int main(int argc, char** argv) { // https://github.com/project-oak/oak/blob/hashes/reproducibility_index. // TODO(#1674): Add appropriate TLS endpoint tag to the label as well. oak::label::Label label = oak::WebAssemblyModuleHashLabel( - absl::HexStringToBytes("2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7")); + absl::HexStringToBytes("9ad1f44640141bf54a90942310695a311ced743d164effd54942fad9593e740a")); // Connect to the Oak Application. auto stub = Aggregator::NewStub(oak::ApplicationClient::CreateChannel( address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label)); diff --git a/examples/aggregator/config.toml b/examples/aggregator/config.toml index 0295e718018..e6364047e13 100644 --- a/examples/aggregator/config.toml +++ b/examples/aggregator/config.toml @@ -1,3 +1,3 @@ grpc_server_listen_address = "[::]:8080" backend_server_address = "https://localhost:8888" -aggregator_module_hash = "2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7" +aggregator_module_hash = "9ad1f44640141bf54a90942310695a311ced743d164effd54942fad9593e740a" diff --git a/examples/aggregator/oak_app_manifest.toml b/examples/aggregator/oak_app_manifest.toml index b0748eb8a6c..fe8c9186b84 100644 --- a/examples/aggregator/oak_app_manifest.toml +++ b/examples/aggregator/oak_app_manifest.toml @@ -1,4 +1,4 @@ name = "aggregator" [modules] -app = { external = { url = "https://storage.googleapis.com/oak-modules/aggregator/2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7", sha256 = "2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7" } } +app = { path = "examples/aggregator/bin/aggregator.wasm" } diff --git a/examples/private_set_intersection/README.md b/examples/private_set_intersection/README.md index a638fd7cf1a..a01b0b8ae75 100644 --- a/examples/private_set_intersection/README.md +++ b/examples/private_set_intersection/README.md @@ -6,9 +6,6 @@ This example requires a valid signature of the `handler` module. So, whenever the code is modified, the wasm module and the signature must be regenerated: 1. Build the example, including the Wasm module -1. Push the module to GS via - `./scripts/push_example -e private_set_intersection` -1. Fix the URL and hash in [`./oak_app_manifest.toml`](./oak_app_manifest.toml) 1. Sign the module with the test key that is checked in the repository (only for test / debug use): diff --git a/examples/private_set_intersection/oak_app_manifest.toml b/examples/private_set_intersection/oak_app_manifest.toml index c74aa332ee6..5cb65ccd70b 100644 --- a/examples/private_set_intersection/oak_app_manifest.toml +++ b/examples/private_set_intersection/oak_app_manifest.toml @@ -5,5 +5,4 @@ signature_manifests = [ [modules] app = { path = "examples/private_set_intersection/bin/private_set_intersection.wasm" } -# TODO(865): Use locally built module once reproducibility is fixed. -handler = { external = { url = "https://storage.googleapis.com/oak-modules/private_set_intersection_handler/a3e3fce0b23273a5117efd7d94632091990c3637536d80ed1874a2013c8f0f07", sha256 = "a3e3fce0b23273a5117efd7d94632091990c3637536d80ed1874a2013c8f0f07" } } +handler = { path = "examples/private_set_intersection/bin/private_set_intersection_handler.wasm" } diff --git a/examples/private_set_intersection/private_set_intersection_handler.sign b/examples/private_set_intersection/private_set_intersection_handler.sign index 7e4a8f334ce..d94d6bd84f4 100644 --- a/examples/private_set_intersection/private_set_intersection_handler.sign +++ b/examples/private_set_intersection/private_set_intersection_handler.sign @@ -3,10 +3,10 @@ f41SClNtR4i46v2Tuh1fQLbt/ZqRr1lENajCW92jyP4= -----END PUBLIC KEY----- -----BEGIN SIGNATURE----- -ITXOClpnflN81KsB2TGBPBkYNnSJu8uhOWH7YDg2UgVXdRFdguAWagQmVFlgt6gb -qY6f7zg0TfenVKihsYMdCw== +88gbczoj6FP9naBtl7+7/A9Q6QOncNbbjIpKyOEgfAvfdeqKKRTCrnv9T0xyttS2 +fMaYz8bUJ895o4R7G6rBBg== -----END SIGNATURE----- -----BEGIN HASH----- -o+P84LIyc6URfv19lGMgkZkMNjdTbYDtGHSiATyPDwc= +lNX8iDN/gtF2CzrlokJPL1LbFCa4nGjKB6L4ih7Tcg8= -----END HASH----- diff --git a/scripts/docker_build b/scripts/docker_build index 106a5a95b22..5e9ab2a4c27 100755 --- a/scripts/docker_build +++ b/scripts/docker_build @@ -11,12 +11,10 @@ source "$SCRIPTS_DIR/common" # https://github.com/googleapis/google-cloud-cpp/blob/a186208b79d900b4ec71c6f9df3acf7638f01dc6/ci/kokoro/docker/build.sh#L147-L152 readonly DOCKER_UID="${UID:-0}" readonly DOCKER_GID="$(id -g)" -readonly DOCKER_USER="${USER:-root}" docker build \ --cache-from="$DOCKER_IMAGE_NAME:latest" \ --tag="$DOCKER_IMAGE_NAME:latest" \ - --build-arg=USERNAME="$DOCKER_USER" \ --build-arg=USER_UID="$DOCKER_UID" \ --build-arg=USER_GID="$DOCKER_GID" \ . 1>&2