From 8776594c522b1fedee5c0dab68f8761d838ecf04 Mon Sep 17 00:00:00 2001
From: Eero Kelly
Date: Wed, 20 Mar 2024 17:36:41 +0000
Subject: [PATCH] [NODE-1242] Remove remaining SEV code
---
Cargo.Bazel.Fuzzing.json.lock | 515 +----------------
Cargo.Bazel.Fuzzing.toml.lock | 107 +---
Cargo.Bazel.json.lock | 517 +-----
Cargo.Bazel.toml.lock | 107 +---
Cargo.lock | 89 +--
Cargo.toml | 1 -
WORKSPACE.bazel | 7 -
bazel/external_crates.bzl | 6 -
gitlab-ci/config/base-images-build.yml | 13 -
gitlab-ci/config/zz-generated-gitlab-ci.yaml | 50 --
...trivy_container_ic_scanner_periodic_job.py | 6 -
ic-os/README.adoc | 2 +-
ic-os/boundary-guestos/defs.bzl | 15 +-
ic-os/boundary-guestos/docs/Build.adoc | 3 -
ic-os/boundary-guestos/docs/README.adoc | 1 -
ic-os/boundary-guestos/docs/SEV.adoc | 22 -
.../boundary-guestos/envs/dev-sev/BUILD.bazel | 13 -
.../build_container_filesystem_config.txt | 6 -
ic-os/boundary-guestos/envs/dev/BUILD.bazel | 1 -
.../envs/prod-sev/BUILD.bazel | 11 -
.../build_container_filesystem_config.txt | 6 -
ic-os/boundary-guestos/envs/prod/BUILD.bazel | 1 -
ic-os/boundary-guestos/rootfs/Dockerfile | 16 -
ic-os/boundary-guestos/rootfs/Dockerfile.base | 82 +--
ic-os/boundary-guestos/rootfs/docker-base.snp | 1 -
ic-os/boundary-guestos/rootfs/etc/incron.tb | 2 -
.../rootfs/etc/nginx/fcgiwrap.conf | 8 -
.../rootfs/etc/nginx/nginx.conf | 1 -
.../etc/systemd/system/setup-bn-key.service | 12 -
.../rootfs/opt/ic/bin/copy_certs.sh | 14 -
.../rootfs/opt/ic/bin/setup-bn-key.sh | 41 --
.../opt/ic/bin/setup-conf-encryption.sh | 12 +-
.../rootfs/opt/ic/bin/setup-encryption.sh | 12 +-
.../rootfs/opt/ic/bin/setup-nginx.sh | 13 -
.../rootfs/opt/ic/bin/setup-var-encryption.sh | 12 +-
.../rootfs/var/www/cgi-bin/bn-attest.sh | 150 -----
.../rootfs/var/www/cgi-bin/bn-cert-receive.sh | 75 ---
.../rootfs/var/www/cgi-bin/bn-priv-send.sh | 135 -----
ic-os/defs.bzl | 6 +-
ic-os/docs/Upgrades.adoc | 2 +-
.../accounts_ssh_authorized_keys/admin | 1 -
.../bn-virsh/data/bn_config/bn_vars.conf | 9 -
.../bn-virsh/data/bn_config/denylist.map | 0
.../bn-virsh/data/bn_config/network.conf | 7 -
.../scripts/bn-virsh/data/bn_config/nns.conf | 1 -
.../data/bn_config/nns_public_key.pem | 5 -
ic-os/scripts/bn-virsh/data/bn_sev_vm.xml | 257 ---------
ic-os/scripts/bn-virsh/prepare-for-virsh.sh | 45 --
ic-os/sevtool/BUILD.sevtool.bazel | 48 --
publish/binaries/BUILD.bazel | 3 -
rs/ic_os/launch-single-vm/src/main.rs | 2 -
rs/ic_os/snptool/BUILD.bazel | 26 -
rs/ic_os/snptool/Cargo.toml | 18 -
rs/ic_os/snptool/src/main.rs | 124 -----
rs/messaging/src/message_routing/tests.rs | 4 +-
rs/orchestrator/src/registration.rs | 9 +-
rs/prep/src/bin/README.adoc | 2 -
rs/prep/src/bin/prep.rs | 34 +-
rs/prep/src/internet_computer.rs | 7 +-
rs/prep/src/node.rs | 5 -
rs/prep/src/prep_state_directory.rs | 2 -
rs/registry/admin/src/main.rs | 6 +-
rs/registry/regedit/src/tests.rs | 2 -
rs/replica_tests/src/lib.rs | 2 -
rs/starter/src/main.rs | 5 +-
rs/tests/Cargo.toml | 4 -
rs/tests/boundary_nodes/BUILD.bazel | 12 +-
.../boundary_nodes/boundary_nodes_snp_test.rs | 28 -
rs/tests/common.bzl | 5 -
.../src/boundary_nodes/boundary_nodes_snp.rs | 73 ---
rs/tests/src/boundary_nodes/constants.rs | 1 -
rs/tests/src/boundary_nodes/mod.rs | 1 -
rs/tests/src/driver/bootstrap.rs | 2 -
rs/tests/src/driver/boundary_node.rs | 39 +-
rs/tests/src/driver/test_env_api.rs | 15 -
75 files changed, 25 insertions(+), 2872 deletions(-)
delete mode 100644 ic-os/boundary-guestos/docs/SEV.adoc
delete mode 100644 ic-os/boundary-guestos/envs/dev-sev/BUILD.bazel
delete mode 100644 ic-os/boundary-guestos/envs/dev-sev/build_container_filesystem_config.txt
delete mode 100644 ic-os/boundary-guestos/envs/prod-sev/BUILD.bazel
delete mode 100644 ic-os/boundary-guestos/envs/prod-sev/build_container_filesystem_config.txt
delete mode 100644 ic-os/boundary-guestos/rootfs/docker-base.snp
delete mode 100644 ic-os/boundary-guestos/rootfs/etc/incron.tb
delete mode 100644 ic-os/boundary-guestos/rootfs/etc/nginx/fcgiwrap.conf
delete mode 100644
ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-bn-key.service
delete mode 100755 ic-os/boundary-guestos/rootfs/opt/ic/bin/copy_certs.sh
delete mode 100644 ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-bn-key.sh
delete mode 100644 ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-attest.sh
delete mode 100644 ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-cert-receive.sh
delete mode 100644 ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-priv-send.sh
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_config/accounts_ssh_authorized_keys/admin
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_config/bn_vars.conf
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_config/denylist.map
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_config/network.conf
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_config/nns.conf
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_config/nns_public_key.pem
delete mode 100644 ic-os/scripts/bn-virsh/data/bn_sev_vm.xml
delete mode 100755 ic-os/scripts/bn-virsh/prepare-for-virsh.sh
delete mode 100644 ic-os/sevtool/BUILD.sevtool.bazel
delete mode 100644 rs/ic_os/snptool/BUILD.bazel
delete mode 100644 rs/ic_os/snptool/Cargo.toml
delete mode 100644 rs/ic_os/snptool/src/main.rs
delete mode 100644 rs/tests/boundary_nodes/boundary_nodes_snp_test.rs
delete mode 100644 rs/tests/src/boundary_nodes/boundary_nodes_snp.rs
diff --git a/Cargo.Bazel.Fuzzing.json.lock b/Cargo.Bazel.Fuzzing.json.lock
index 15508fc0c5d..c886887f12f 100644
--- a/Cargo.Bazel.Fuzzing.json.lock
+++ b/Cargo.Bazel.Fuzzing.json.lock
@@ -1,5 +1,5 @@
 {
- "checksum": "96109841999994ca7f02563fe26336d69ad9a63268d107e22dff78f99a13eed6",
+ "checksum": "e1a8d7d312809f68f71b13489e8b0857279899eafc1ebe0e6150cd1ea410572f",
 "crates": {
 "abnf 0.12.0": {
 "name": "abnf",
@@ -6078,36 +6078,6 @@ }, "license": "MIT" }, - "bitfield 0.13.2": { - "name": "bitfield", - "version": "0.13.2", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/bitfield/0.13.2/download", - "sha256": "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" - } - }, - "targets": [ - { - "Library": { - "crate_name": "bitfield", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "bitfield", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2015", - "version": "0.13.2" - }, - "license": "MIT OR Apache-2.0" - }, "bitflags 1.3.2": { "name": "bitflags", "version": "1.3.2", @@ -10004,36 +9974,6 @@ }, "license": "Apache-2.0" }, - "codicon 3.0.0": { - "name": "codicon", - "version": "3.0.0", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/codicon/3.0.0/download", - "sha256": "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" - } - }, - "targets": [ - { - "Library": { - "crate_name": "codicon", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "codicon", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2018", - "version": "3.0.0" - }, - "license": "Apache-2.0" - }, "colorchoice 1.0.0": { "name": "colorchoice", "version": "1.0.0", @@ -15334,10 +15274,6 @@ "id": "serde_yaml 0.9.30", "target": "serde_yaml" }, - { - "id": "sev 2.0.2", - "target": "sev" - }, { "id": "sha2 0.10.8", "target": "sha2" 
@@ -15776,45 +15712,6 @@ }, "license": "MIT OR Apache-2.0" }, - "dirs 5.0.1": { - "name": "dirs", - "version": "5.0.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/dirs/5.0.1/download", - "sha256": "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225" - } - }, - "targets": [ - { - "Library": { - "crate_name": "dirs", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "dirs", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "dirs-sys 0.4.1", - "target": "dirs_sys" - } - ], - "selects": {} - }, - "edition": "2015", - "version": "5.0.1" - }, - "license": "MIT OR Apache-2.0" - }, "dirs-next 2.0.0": { "name": "dirs-next", "version": "2.0.0", @@ -15911,64 +15808,6 @@ }, "license": "MIT OR Apache-2.0" }, - "dirs-sys 0.4.1": { - "name": "dirs-sys", - "version": "0.4.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/dirs-sys/0.4.1/download", - "sha256": "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" - } - }, - "targets": [ - { - "Library": { - "crate_name": "dirs_sys", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "dirs_sys", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "option-ext 0.2.0", - "target": "option_ext" - } - ], - "selects": { - "cfg(target_os = \"redox\")": [ - { - "id": "redox_users 0.4.3", - "target": "redox_users" - } - ], - "cfg(unix)": [ - { - "id": "libc 0.2.152", - "target": "libc" - } - ], - "cfg(windows)": [ - { - "id": "windows-sys 0.48.0", - "target": "windows_sys" - } - ] - } - }, - "edition": "2015", - "version": "0.4.1" - }, - "license": "MIT OR Apache-2.0" - }, "dirs-sys-next 0.1.2": { "name": "dirs-sys-next", "version": "0.1.2", @@ -16808,7 +16647,6 @@ "alloc", "arithmetic", "digest", - "ecdh", "ff", "group", "hazmat", 
@@ -16845,10 +16683,6 @@ "id": "group 0.13.0", "target": "group" }, - { - "id": "hkdf 0.12.3", - "target": "hkdf" - }, { "id": "pem-rfc7468 0.7.0", "target": "pem_rfc7468" @@ -21691,45 +21525,6 @@ }, "license": "CC0-1.0" }, - "hkdf 0.12.3": { - "name": "hkdf", - "version": "0.12.3", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/hkdf/0.12.3/download", - "sha256": "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437" - } - }, - "targets": [ - { - "Library": { - "crate_name": "hkdf", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "hkdf", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "hmac 0.12.1", - "target": "hmac" - } - ], - "selects": {} - }, - "edition": "2018", - "version": "0.12.3" - }, - "license": "MIT OR Apache-2.0" - }, "hmac 0.12.1": { "name": "hmac", "version": "0.12.1", @@ -26500,36 +26295,6 @@ }, "license": "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT" }, - "iocuddle 0.1.1": { - "name": "iocuddle", - "version": "0.1.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/iocuddle/0.1.1/download", - "sha256": "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" - } - }, - "targets": [ - { - "Library": { - "crate_name": "iocuddle", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "iocuddle", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2018", - "version": "0.1.1" - }, - "license": "Apache-2.0" - }, "iovec 0.1.4": { "name": "iovec", "version": "0.1.4", 
@@ -36209,36 +35974,6 @@ }, "license": "Apache-2.0" }, - "option-ext 0.2.0": { - "name": "option-ext", - "version": "0.2.0", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/option-ext/0.2.0/download", - "sha256": "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" - } - }, - "targets": [ - { - "Library": { - "crate_name": "option_ext", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "option_ext", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2015", - "version": "0.2.0" - }, - "license": "MPL-2.0" - }, "ordered-float 2.10.1": { "name": "ordered-float", "version": "2.10.1", @@ -36515,75 +36250,6 @@ }, "license": "Apache-2.0 OR MIT" }, - "p384 0.13.0": { - "name": "p384", - "version": "0.13.0", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/p384/0.13.0/download", - "sha256": "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209" - } - }, - "targets": [ - { - "Library": { - "crate_name": "p384", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "p384", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "crate_features": { - "common": [ - "alloc", - "arithmetic", - "default", - "digest", - "ecdh", - "ecdsa", - "ecdsa-core", - "pem", - "pkcs8", - "sha2", - "sha384", - "std" - ], - "selects": {} - }, - "deps": { - "common": [ - { - "id": "ecdsa 0.16.8", - "target": "ecdsa", - "alias": "ecdsa_core" - }, - { - "id": "elliptic-curve 0.13.8", - "target": "elliptic_curve" - }, - { - "id": "primeorder 0.13.2", - "target": "primeorder" - }, - { - "id": "sha2 0.10.8", - "target": "sha2" - } - ], - "selects": {} - }, - "edition": "2021", - "version": "0.13.0" - }, - "license": "Apache-2.0 OR MIT" - }, "pairing 0.22.0": { "name": "pairing", "version": "0.22.0", 
@@ -47589,45 +47255,6 @@ }, "license": "MIT OR Apache-2.0" }, - "serde-big-array 0.5.1": { - "name": "serde-big-array", - "version": "0.5.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/serde-big-array/0.5.1/download", - "sha256": "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" - } - }, - "targets": [ - { - "Library": { - "crate_name": "serde_big_array", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "serde_big_array", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "serde 1.0.195", - "target": "serde" - } - ], - "selects": {} - }, - "edition": "2021", - "version": "0.5.1" - }, - "license": "MIT OR Apache-2.0" - }, "serde-bytes-repr 0.1.5": { "name": "serde-bytes-repr", "version": "0.1.5", 
@@ -48643,143 +48270,6 @@ }, "license": "MIT/Apache-2.0" }, - "sev 2.0.2": { - "name": "sev", - "version": "2.0.2", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/sev/2.0.2/download", - "sha256": "77e9de97c6e3c65e4e67997d48ad506d258da10edc10894277093da679441f23" - } - }, - "targets": [ - { - "Library": { - "crate_name": "sev", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - }, - { - "BuildScript": { - "crate_name": "build_script_build", - "crate_root": "build.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "sev", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "crate_features": { - "common": [ - "crypto_nossl", - "default", - "sev", - "snp" - ], - "selects": {} - }, - "deps": { - "common": [ - { - "id": "bincode 1.3.3", - "target": "bincode" - }, - { - "id": "bitfield 0.13.2", - "target": "bitfield" - }, - { - "id": "bitflags 1.3.2", - "target": "bitflags" - }, - { - "id": "codicon 3.0.0", - "target": "codicon" - }, - { - "id": "dirs 5.0.1", - "target": "dirs" - }, - { - "id": "hex 0.4.3", - "target": "hex" - }, - { - "id": "lazy_static 1.4.0", - "target": "lazy_static" - }, - { - "id": "libc 0.2.152", - "target": "libc" - }, - { - "id": "p384 0.13.0", - "target": "p384" - }, - { - "id": "rsa 0.9.2", - "target": "rsa" - }, - { - "id": "serde 1.0.195", - "target": "serde" - }, - { - "id": "serde-big-array 0.5.1", - "target": "serde_big_array" - }, - { - "id": "serde_bytes 0.11.14", - "target": "serde_bytes" - }, - { - "id": "sev 2.0.2", - "target": "build_script_build" - }, - { - "id": "sha2 0.10.8", - "target": "sha2" - }, - { - "id": "static_assertions 1.1.0", - "target": "static_assertions" - }, - { - "id": "uuid 1.5.0", - "target": "uuid" - }, - { - "id": "x509-cert 0.2.4", - "target": "x509_cert" - } - ], - "selects": { - "cfg(target_os = \"linux\")": [ - { - "id": "iocuddle 0.1.1", - "target": "iocuddle" - } - ] - } - }, - "edition": "2018", - "version": "2.0.2" - }, - 
"build_script_attrs": { - "data_glob": [ - "**" - ] - }, - "license": "Apache-2.0" - }, "sha1 0.10.6": { "name": "sha1", "version": "0.10.6", @@ -60993,7 +60483,6 @@ "common": [ "Win32", "Win32_Foundation", - "Win32_Globalization", "Win32_NetworkManagement", "Win32_NetworkManagement_IpHelper", "Win32_NetworkManagement_Ndis", @@ -61007,7 +60496,6 @@ "Win32_Storage", "Win32_Storage_FileSystem", "Win32_System", - "Win32_System_Com", "Win32_System_Console", "Win32_System_Diagnostics", "Win32_System_Diagnostics_Debug", @@ -64942,7 +64430,6 @@ "serde_json 1.0.107", "serde_with 1.14.0", "serde_yaml 0.9.30", - "sev 2.0.2", "sha2 0.10.8", "sha2 0.9.9", "sha3 0.9.1", diff --git a/Cargo.Bazel.Fuzzing.toml.lock b/Cargo.Bazel.Fuzzing.toml.lock index 83f9803f4fd..0142456a270 100644 --- a/Cargo.Bazel.Fuzzing.toml.lock +++ b/Cargo.Bazel.Fuzzing.toml.lock @@ -1192,12 +1192,6 @@ dependencies = [ "which", ] -[[package]] -name = "bitfield" -version = "0.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" - [[package]] name = "bitflags" version = "1.3.2" @@ -1961,12 +1955,6 @@ dependencies = [ "unicode-width", ] -[[package]] -name = "codicon" -version = "3.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" - [[package]] name = "colorchoice" version = "1.0.0" @@ -3068,7 +3056,6 @@ dependencies = [ "serde_json", "serde_with", "serde_yaml 0.9.30", - "sev", "sha2 0.10.8", "sha2 0.9.9", "sha3 0.9.1", 
@@ -3160,16 +3147,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "13aea89a5c93364a98e9b37b2fa237effbb694d5cfe01c5b70941f7eb087d5e3" dependencies = [ "cfg-if 0.1.10", - "dirs-sys 0.3.7", -] - -[[package]] -name = "dirs" -version = "5.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225" -dependencies = [ - "dirs-sys 0.4.1", + "dirs-sys", ] [[package]] @@ -3193,18 +3171,6 @@ dependencies = [ "winapi 0.3.9", ] -[[package]] -name = "dirs-sys" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" -dependencies = [ - "libc", - "option-ext", - "redox_users", - "windows-sys 0.48.0", -] - [[package]] name = "dirs-sys-next" version = "0.1.2" @@ -3371,7 +3337,6 @@ dependencies = [ "ff 0.13.0", "generic-array", "group 0.13.0", - "hkdf", "pem-rfc7468", "pkcs8", "rand_core 0.6.4", @@ -4323,15 +4288,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dfa686283ad6dd069f105e5ab091b04c62850d3e4cf5d67debad1933f55023df" -[[package]] -name = "hkdf" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437" -dependencies = [ - "hmac 0.12.1", -] - [[package]] name = "hmac" version = "0.8.1" @@ -5310,12 +5266,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "iocuddle" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" - [[package]] name = "iovec" version = "0.1.4" 
@@ -7080,12 +7030,6 @@ dependencies = [ "tokio-stream", ] -[[package]] -name = "option-ext" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" - [[package]] name = "ordered-float" version = "2.10.1" @@ -7137,18 +7081,6 @@ dependencies = [ "sha2 0.10.8", ] -[[package]] -name = "p384" -version = "0.13.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209" -dependencies = [ - "ecdsa", - "elliptic-curve", - "primeorder", - "sha2 0.10.8", -] - [[package]] name = "pairing" version = "0.22.0" @@ -9229,15 +9161,6 @@ dependencies = [ "serde_derive", ] -[[package]] -name = "serde-big-array" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" -dependencies = [ - "serde", -] - [[package]] name = "serde-bytes-repr" version = "0.1.5" @@ -9458,32 +9381,6 @@ dependencies = [ "stable_deref_trait", ] -[[package]] -name = "sev" -version = "2.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77e9de97c6e3c65e4e67997d48ad506d258da10edc10894277093da679441f23" -dependencies = [ - "bincode", - "bitfield", - "bitflags 1.3.2", - "codicon", - "dirs 5.0.1", - "hex", - "iocuddle", - "lazy_static", - "libc", - "p384", - "rsa", - "serde", - "serde-big-array", - "serde_bytes", - "sha2 0.10.8", - "static_assertions", - "uuid 1.5.0", - "x509-cert", -] - [[package]] name = "sha1" version = "0.10.6" @@ -10202,7 +10099,7 @@ version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0863a3345e70f61d613eab32ee046ccd1bcc5f9105fe402c61fcd0c13eeb8b5" dependencies = [ - "dirs 2.0.2", + "dirs", "winapi 0.3.9", ] diff --git a/Cargo.Bazel.json.lock b/Cargo.Bazel.json.lock index 2a836d02624..c0d3d77626a 100644 
--- a/Cargo.Bazel.json.lock +++ b/Cargo.Bazel.json.lock @@ -1,5 +1,5 @@ { - "checksum": "fc46bd142766b200e05a789554b23cfb623c877684d9f851c4f3380ced1bab8e", + "checksum": "ba25579539fdd6f9991a7027db3753019f43ece7558dfe50f55fde0100a2269f", "crates": { "abnf 0.12.0": { "name": "abnf", @@ -6032,36 +6032,6 @@ }, "license": "MIT" }, - "bitfield 0.13.2": { - "name": "bitfield", - "version": "0.13.2", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/bitfield/0.13.2/download", - "sha256": "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" - } - }, - "targets": [ - { - "Library": { - "crate_name": "bitfield", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "bitfield", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2015", - "version": "0.13.2" - }, - "license": "MIT OR Apache-2.0" - }, "bitflags 1.3.2": { "name": "bitflags", "version": "1.3.2", @@ -9939,36 +9909,6 @@ }, "license": "Apache-2.0" }, - "codicon 3.0.0": { - "name": "codicon", - "version": "3.0.0", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/codicon/3.0.0/download", - "sha256": "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" - } - }, - "targets": [ - { - "Library": { - "crate_name": "codicon", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "codicon", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2018", - "version": "3.0.0" - }, - "license": "Apache-2.0" - }, "colorchoice 1.0.0": { "name": "colorchoice", "version": "1.0.0", @@ -15210,10 +15150,6 @@ "id": "serde_yaml 0.9.30", "target": "serde_yaml" }, - { - "id": "sev 2.0.2", - "target": "sev" - }, { "id": "sha2 0.10.8", "target": "sha2" 
@@ -15652,45 +15588,6 @@ }, "license": "MIT OR Apache-2.0" }, - "dirs 5.0.1": { - "name": "dirs", - "version": "5.0.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/dirs/5.0.1/download", - "sha256": "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225" - } - }, - "targets": [ - { - "Library": { - "crate_name": "dirs", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "dirs", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "dirs-sys 0.4.1", - "target": "dirs_sys" - } - ], - "selects": {} - }, - "edition": "2015", - "version": "5.0.1" - }, - "license": "MIT OR Apache-2.0" - }, "dirs-next 2.0.0": { "name": "dirs-next", "version": "2.0.0", @@ -15787,64 +15684,6 @@ }, "license": "MIT OR Apache-2.0" }, - "dirs-sys 0.4.1": { - "name": "dirs-sys", - "version": "0.4.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/dirs-sys/0.4.1/download", - "sha256": "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" - } - }, - "targets": [ - { - "Library": { - "crate_name": "dirs_sys", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "dirs_sys", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "option-ext 0.2.0", - "target": "option_ext" - } - ], - "selects": { - "cfg(target_os = \"redox\")": [ - { - "id": "redox_users 0.4.3", - "target": "redox_users" - } - ], - "cfg(unix)": [ - { - "id": "libc 0.2.150", - "target": "libc" - } - ], - "cfg(windows)": [ - { - "id": "windows-sys 0.48.0", - "target": "windows_sys" - } - ] - } - }, - "edition": "2015", - "version": "0.4.1" - }, - "license": "MIT OR Apache-2.0" - }, "dirs-sys-next 0.1.2": { "name": "dirs-sys-next", "version": "0.1.2", @@ -16684,7 +16523,6 @@ "alloc", "arithmetic", "digest", - "ecdh", "ff", "group", "hazmat", 
@@ -16721,10 +16559,6 @@ "id": "group 0.13.0", "target": "group" }, - { - "id": "hkdf 0.12.3", - "target": "hkdf" - }, { "id": "pem-rfc7468 0.7.0", "target": "pem_rfc7468" @@ -21592,45 +21426,6 @@ }, "license": "CC0-1.0" }, - "hkdf 0.12.3": { - "name": "hkdf", - "version": "0.12.3", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/hkdf/0.12.3/download", - "sha256": "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437" - } - }, - "targets": [ - { - "Library": { - "crate_name": "hkdf", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "hkdf", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "hmac 0.12.1", - "target": "hmac" - } - ], - "selects": {} - }, - "edition": "2018", - "version": "0.12.3" - }, - "license": "MIT OR Apache-2.0" - }, "hmac 0.12.1": { "name": "hmac", "version": "0.12.1", @@ -26401,36 +26196,6 @@ }, "license": "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT" }, - "iocuddle 0.1.1": { - "name": "iocuddle", - "version": "0.1.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/iocuddle/0.1.1/download", - "sha256": "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" - } - }, - "targets": [ - { - "Library": { - "crate_name": "iocuddle", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "iocuddle", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2018", - "version": "0.1.1" - }, - "license": "Apache-2.0" - }, "iovec 0.1.4": { "name": "iovec", "version": "0.1.4", 
@@ -36111,36 +35876,6 @@ }, "license": "Apache-2.0" }, - "option-ext 0.2.0": { - "name": "option-ext", - "version": "0.2.0", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/option-ext/0.2.0/download", - "sha256": "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" - } - }, - "targets": [ - { - "Library": { - "crate_name": "option_ext", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "option_ext", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "edition": "2015", - "version": "0.2.0" - }, - "license": "MPL-2.0" - }, "ordered-float 2.10.0": { "name": "ordered-float", "version": "2.10.0", @@ -36417,75 +36152,6 @@ }, "license": "Apache-2.0 OR MIT" }, - "p384 0.13.0": { - "name": "p384", - "version": "0.13.0", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/p384/0.13.0/download", - "sha256": "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209" - } - }, - "targets": [ - { - "Library": { - "crate_name": "p384", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "p384", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "crate_features": { - "common": [ - "alloc", - "arithmetic", - "default", - "digest", - "ecdh", - "ecdsa", - "ecdsa-core", - "pem", - "pkcs8", - "sha2", - "sha384", - "std" - ], - "selects": {} - }, - "deps": { - "common": [ - { - "id": "ecdsa 0.16.9", - "target": "ecdsa", - "alias": "ecdsa_core" - }, - { - "id": "elliptic-curve 0.13.8", - "target": "elliptic_curve" - }, - { - "id": "primeorder 0.13.2", - "target": "primeorder" - }, - { - "id": "sha2 0.10.8", - "target": "sha2" - } - ], - "selects": {} - }, - "edition": "2021", - "version": "0.13.0" - }, - "license": "Apache-2.0 OR MIT" - }, "pairing 0.22.0": { "name": "pairing", "version": "0.22.0", 
@@ -47560,45 +47226,6 @@ }, "license": "MIT OR Apache-2.0" }, - "serde-big-array 0.5.1": { - "name": "serde-big-array", - "version": "0.5.1", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/serde-big-array/0.5.1/download", - "sha256": "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" - } - }, - "targets": [ - { - "Library": { - "crate_name": "serde_big_array", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "serde_big_array", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "deps": { - "common": [ - { - "id": "serde 1.0.195", - "target": "serde" - } - ], - "selects": {} - }, - "edition": "2021", - "version": "0.5.1" - }, - "license": "MIT OR Apache-2.0" - }, "serde-bytes-repr 0.1.5": { "name": "serde-bytes-repr", "version": "0.1.5", 
@@ -48614,143 +48241,6 @@ }, "license": "MIT/Apache-2.0" }, - "sev 2.0.2": { - "name": "sev", - "version": "2.0.2", - "repository": { - "Http": { - "url": "https://static.crates.io/crates/sev/2.0.2/download", - "sha256": "77e9de97c6e3c65e4e67997d48ad506d258da10edc10894277093da679441f23" - } - }, - "targets": [ - { - "Library": { - "crate_name": "sev", - "crate_root": "src/lib.rs", - "srcs": [ - "**/*.rs" - ] - } - }, - { - "BuildScript": { - "crate_name": "build_script_build", - "crate_root": "build.rs", - "srcs": [ - "**/*.rs" - ] - } - } - ], - "library_target_name": "sev", - "common_attrs": { - "compile_data_glob": [ - "**" - ], - "crate_features": { - "common": [ - "crypto_nossl", - "default", - "sev", - "snp" - ], - "selects": {} - }, - "deps": { - "common": [ - { - "id": "bincode 1.3.3", - "target": "bincode" - }, - { - "id": "bitfield 0.13.2", - "target": "bitfield" - }, - { - "id": "bitflags 1.3.2", - "target": "bitflags" - }, - { - "id": "codicon 3.0.0", - "target": "codicon" - }, - { - "id": "dirs 5.0.1", - "target": "dirs" - }, - { - "id": "hex 0.4.3", - "target": "hex" - }, - { - "id": "lazy_static 1.4.0", - "target": "lazy_static" - }, - { - "id": "libc 0.2.150", - "target": "libc" - }, - { - "id": "p384 0.13.0", - "target": "p384" - }, - { - "id": "rsa 0.9.2", - "target": "rsa" - }, - { - "id": "serde 1.0.195", - "target": "serde" - }, - { - "id": "serde-big-array 0.5.1", - "target": "serde_big_array" - }, - { - "id": "serde_bytes 0.11.14", - "target": "serde_bytes" - }, - { - "id": "sev 2.0.2", - "target": "build_script_build" - }, - { - "id": "sha2 0.10.8", - "target": "sha2" - }, - { - "id": "static_assertions 1.1.0", - "target": "static_assertions" - }, - { - "id": "uuid 1.5.0", - "target": "uuid" - }, - { - "id": "x509-cert 0.2.4", - "target": "x509_cert" - } - ], - "selects": { - "cfg(target_os = \"linux\")": [ - { - "id": "iocuddle 0.1.1", - "target": "iocuddle" - } - ] - } - }, - "edition": "2018", - "version": "2.0.2" - }, - 
"build_script_attrs": { - "data_glob": [ - "**" - ] - }, - "license": "Apache-2.0" - }, "sha1 0.10.5": { "name": "sha1", "version": "0.10.5", @@ -60966,7 +60456,6 @@ "common": [ "Win32", "Win32_Foundation", - "Win32_Globalization", "Win32_NetworkManagement", "Win32_NetworkManagement_IpHelper", "Win32_NetworkManagement_Ndis", @@ -60980,7 +60469,6 @@ "Win32_Storage", "Win32_Storage_FileSystem", "Win32_System", - "Win32_System_Com", "Win32_System_Console", "Win32_System_Diagnostics", "Win32_System_Diagnostics_Debug", @@ -60992,8 +60480,6 @@ "Win32_System_Threading", "Win32_System_Time", "Win32_System_WindowsProgramming", - "Win32_UI", - "Win32_UI_Shell", "default" ], "selects": {} @@ -64871,7 +64357,6 @@ "serde_json 1.0.108", "serde_with 1.14.0", "serde_yaml 0.9.30", - "sev 2.0.2", "sha2 0.10.8", "sha2 0.9.9", "sha3 0.9.1", diff --git a/Cargo.Bazel.toml.lock b/Cargo.Bazel.toml.lock index 509ac3fdebc..6bd528d8b27 100644 --- a/Cargo.Bazel.toml.lock +++ b/Cargo.Bazel.toml.lock @@ -1194,12 +1194,6 @@ dependencies = [ "which", ] -[[package]] -name = "bitfield" -version = "0.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" - [[package]] name = "bitflags" version = "1.3.2" @@ -1963,12 +1957,6 @@ dependencies = [ "unicode-width", ] -[[package]] -name = "codicon" -version = "3.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" - [[package]] name = "colorchoice" version = "1.0.0" @@ -3058,7 +3046,6 @@ dependencies = [ "serde_json", "serde_with", "serde_yaml 0.9.30", - "sev", "sha2 0.10.8", "sha2 0.9.9", "sha3 0.9.1", 
@@ -3150,16 +3137,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "13aea89a5c93364a98e9b37b2fa237effbb694d5cfe01c5b70941f7eb087d5e3" dependencies = [ "cfg-if 0.1.10", - "dirs-sys 0.3.7", -] - -[[package]] -name = "dirs" -version = "5.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225" -dependencies = [ - "dirs-sys 0.4.1", + "dirs-sys", ] [[package]] @@ -3183,18 +3161,6 @@ dependencies = [ "winapi 0.3.9", ] -[[package]] -name = "dirs-sys" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" -dependencies = [ - "libc", - "option-ext", - "redox_users", - "windows-sys 0.48.0", -] - [[package]] name = "dirs-sys-next" version = "0.1.2" @@ -3361,7 +3327,6 @@ dependencies = [ "ff 0.13.0", "generic-array", "group 0.13.0", - "hkdf", "pem-rfc7468", "pkcs8", "rand_core 0.6.4", @@ -4315,15 +4280,6 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dfa686283ad6dd069f105e5ab091b04c62850d3e4cf5d67debad1933f55023df" -[[package]] -name = "hkdf" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437" -dependencies = [ - "hmac 0.12.1", -] - [[package]] name = "hmac" version = "0.8.1" @@ -5302,12 +5258,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "iocuddle" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" - [[package]] name = "iovec" version = "0.1.4" 
@@ -7088,12 +7038,6 @@ dependencies = [ "tokio-stream", ] -[[package]] -name = "option-ext" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" - [[package]] name = "ordered-float" version = "2.10.0" @@ -7145,18 +7089,6 @@ dependencies = [ "sha2 0.10.8", ] -[[package]] -name = "p384" -version = "0.13.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70786f51bcc69f6a4c0360e063a4cac5419ef7c5cd5b3c99ad70f3be5ba79209" -dependencies = [ - "ecdsa", - "elliptic-curve", - "primeorder", - "sha2 0.10.8", -] - [[package]] name = "pairing" version = "0.22.0" @@ -9248,15 +9180,6 @@ dependencies = [ "serde_derive", ] -[[package]] -name = "serde-big-array" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" -dependencies = [ - "serde", -] - [[package]] name = "serde-bytes-repr" version = "0.1.5" @@ -9477,32 +9400,6 @@ dependencies = [ "stable_deref_trait", ] -[[package]] -name = "sev" -version = "2.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77e9de97c6e3c65e4e67997d48ad506d258da10edc10894277093da679441f23" -dependencies = [ - "bincode", - "bitfield", - "bitflags 1.3.2", - "codicon", - "dirs 5.0.1", - "hex", - "iocuddle", - "lazy_static", - "libc", - "p384", - "rsa", - "serde", - "serde-big-array", - "serde_bytes", - "sha2 0.10.8", - "static_assertions", - "uuid 1.5.0", - "x509-cert", -] - [[package]] name = "sha1" version = "0.10.5" @@ -10222,7 +10119,7 @@ version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0863a3345e70f61d613eab32ee046ccd1bcc5f9105fe402c61fcd0c13eeb8b5" dependencies = [ - "dirs 2.0.2", + "dirs", "winapi 0.3.9", ] diff --git a/Cargo.lock b/Cargo.lock index a01e3797180..6a4ba18447c 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1205,12 +1205,6 @@ dependencies = [ "which", ] -[[package]] -name = "bitfield" -version = "0.13.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" - [[package]] name = "bitflags" version = "1.3.2" @@ -2186,12 +2180,6 @@ dependencies = [ "unicode-width", ] -[[package]] -name = "codicon" -version = "3.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12170080f3533d6f09a19f81596f836854d0fa4867dc32c8172b8474b4e9de61" - [[package]] name = "colorchoice" version = "1.0.0" @@ -3247,16 +3235,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "13aea89a5c93364a98e9b37b2fa237effbb694d5cfe01c5b70941f7eb087d5e3" dependencies = [ "cfg-if 0.1.10", - "dirs-sys 0.3.7", -] - -[[package]] -name = "dirs" -version = "5.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44c45a9d03d6676652bcb5e724c7e988de1acad23a711b5217ab9cbecbec2225" -dependencies = [ - "dirs-sys 0.4.1", + "dirs-sys", ] [[package]] @@ -3280,18 +3259,6 @@ dependencies = [ "winapi 0.3.9", ] -[[package]] -name = "dirs-sys" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c" -dependencies = [ - "libc", - "option-ext", - "redox_users", - "windows-sys 0.48.0", -] - [[package]] name = "dirs-sys-next" version = "0.1.2" @@ -12639,12 +12606,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "iocuddle" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8972d5be69940353d5347a1344cb375d9b457d6809b428b05bb1ca2fb9ce007" - [[package]] name = "ipconfig" version = "0.3.1" 
@@ -14446,12 +14407,6 @@ dependencies = [ "thiserror", ] -[[package]] -name = "option-ext" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" - [[package]] name = "orchestrator" version = "0.9.0" @@ -16900,15 +16855,6 @@ dependencies = [ "serde_derive", ] -[[package]] -name = "serde-big-array" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11fc7cc2c76d73e0f27ee52abbd64eec84d46f370c88371120433196934e4b7f" -dependencies = [ - "serde", -] - [[package]] name = "serde-bytes-repr" version = "0.1.5" @@ -17167,28 +17113,6 @@ dependencies = [ "utils", ] -[[package]] -name = "sev" -version = "2.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77e9de97c6e3c65e4e67997d48ad506d258da10edc10894277093da679441f23" -dependencies = [ - "bincode", - "bitfield", - "bitflags 1.3.2", - "codicon", - "dirs 5.0.1", - "hex", - "iocuddle", - "lazy_static", - "libc", - "serde", - "serde-big-array", - "serde_bytes", - "static_assertions", - "uuid 1.6.1", -] - [[package]] name = "sha1" version = "0.10.5" @@ -17482,15 +17406,6 @@ version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7" -[[package]] -name = "snptool" -version = "0.1.0" -dependencies = [ - "anyhow", - "clap 3.2.25", - "sev", -] - [[package]] name = "sns_tests" version = "0.9.0" @@ -17974,7 +17889,7 @@ version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c0863a3345e70f61d613eab32ee046ccd1bcc5f9105fe402c61fcd0c13eeb8b5" dependencies = [ - "dirs 2.0.2", + "dirs", "winapi 0.3.9", ] diff --git a/Cargo.toml b/Cargo.toml index 6fb9bcb5db3..b15952424c6 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -137,7 +137,6 @@ members = [
 "rs/ic_os/setupos-disable-checks",
 "rs/ic_os/setupos_tool",
 "rs/ic_os/utils",
- "rs/ic_os/snptool",
 "rs/ic_os/vsock/guest",
 "rs/ic_os/vsock/host",
 "rs/ic_os/vsock/vsock_lib",
diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel
index 68c9e4b7e24..3fa65156a22 100644
--- a/WORKSPACE.bazel
+++ b/WORKSPACE.bazel
@@ -359,13 +359,6 @@ load("@buildifier_prebuilt//:defs.bzl", "buildifier_prebuilt_register_toolchains
 buildifier_prebuilt_register_toolchains()
-new_git_repository(
- name = "sevtool",
- build_file = "//ic-os:sevtool/BUILD.sevtool.bazel",
- commit = "3e6418e09f5ca91d789e115d0751ead1227aab47",
- remote = "https://github.com/AMDESE/sev-tool.git",
-)
-
 # Rosetta CLI
 load("//bazel:rosetta_cli.bzl", "rosetta_cli_repository")
diff --git a/bazel/external_crates.bzl b/bazel/external_crates.bzl
index 097c9c1f9f5..f9fa8d13290 100644
--- a/bazel/external_crates.bzl
+++ b/bazel/external_crates.bzl
@@ -1069,12 +1069,6 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
 "serde_yaml": crate.spec(
 version = "^0.9.29",
 ),
- "sev": crate.spec(
- version = "^2.0.2",
- features = [
- "crypto_nossl",
- ],
- ),
 "sha2": crate.spec(
 version = "^0.10.8",
 ),
diff --git a/gitlab-ci/config/base-images-build.yml b/gitlab-ci/config/base-images-build.yml
index 112905f57f2..6f53f5edef4 100644
--- a/gitlab-ci/config/base-images-build.yml
+++ b/gitlab-ci/config/base-images-build.yml
@@ -73,17 +73,6 @@ build-boundaryos-base:
 IMAGE: "boundaryos-base"
 REF_FILE: "ic-os/boundary-guestos/rootfs/docker-base.prod"
-build-boundaryos-base-snp:
- extends:
- - .build-base-image-job
- variables:
- CONTEXT: "${CI_PROJECT_DIR}/ic-os/boundary-guestos/rootfs"
- IMAGE: "boundaryos-base-snp"
- REF_FILE: "ic-os/boundary-guestos/rootfs/docker-base.snp"
- script:
- - BUILD_ARGS=(--build-arg "CPU_SUPPORT=snp")
- - *build-base-image
-
 build-hostos-base:
 extends:
 - .build-base-image-job
@@ -129,7 +118,6 @@ build-base-images-ref-update: - build-guestos-base - build-guestos-base-dev - build-boundaryos-base - - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - build-setupos-base @@ -138,7 +126,6 @@ build-base-images-ref-update: - build-guestos-base - build-guestos-base-dev - build-boundaryos-base - - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - build-setupos-base diff --git a/gitlab-ci/config/zz-generated-gitlab-ci.yaml b/gitlab-ci/config/zz-generated-gitlab-ci.yaml index cae2ba74879..5573b47dbf3 100644 --- a/gitlab-ci/config/zz-generated-gitlab-ci.yaml +++ b/gitlab-ci/config/zz-generated-gitlab-ci.yaml @@ -1620,7 +1620,6 @@ build-base-images-ref-update: - build-guestos-base - build-guestos-base-dev - build-boundaryos-base - - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - build-setupos-base @@ -1631,7 +1630,6 @@ build-base-images-ref-update: - build-guestos-base - build-guestos-base-dev - build-boundaryos-base - - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - build-setupos-base 
@@ -1734,54 +1732,6 @@ build-boundaryos-base: CONTEXT: "${CI_PROJECT_DIR}/ic-os/boundary-guestos/rootfs" IMAGE: boundaryos-base REF_FILE: ic-os/boundary-guestos/rootfs/docker-base.prod -build-boundaryos-base-snp: - artifacts: - paths: - - digestfile* - extends: - - ".build-base-image-job" - needs: [] - rules: - - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images" - - allow_failure: true - if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master" - when: manual - - changes: - - gitlab-ci/config/base-images-build.yml - - ic-os/boundary-guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/packages.common - - ic-os/guestos/rootfs/packages.dev - - ic-os/hostos/rootfs/Dockerfile.base - - ic-os/hostos/rootfs/packages.common - - ic-os/hostos/rootfs/packages.dev - - ic-os/setupos/rootfs/Dockerfile.base - - ic-os/setupos/rootfs/packages.common - - ic-os/setupos/rootfs/packages.dev - if: $CI_PIPELINE_SOURCE == "merge_request_event" - script: - - BUILD_ARGS=(--build-arg "CPU_SUPPORT=snp") - - | - set -euo pipefail - - TAG=$(date '+%Y-%m-%d-%H%M') - echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build" - pushd "$CONTEXT" - podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base . 
- popd - echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K" - - if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then - podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io - podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile - echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}" - echo "$REF_FILE" >> "digestfile-${IMAGE}" - rm -f digestfile - fi - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/boundary-guestos/rootfs" - IMAGE: boundaryos-base-snp - REF_FILE: ic-os/boundary-guestos/rootfs/docker-base.snp build-determinism: extends: - ".rules-master-pipeline-no-merge-train" diff --git a/gitlab-ci/src/dependencies/job/bazel_trivy_container_ic_scanner_periodic_job.py b/gitlab-ci/src/dependencies/job/bazel_trivy_container_ic_scanner_periodic_job.py index 9759411d909..9a25bb3cc18 100644 --- a/gitlab-ci/src/dependencies/job/bazel_trivy_container_ic_scanner_periodic_job.py +++ b/gitlab-ci/src/dependencies/job/bazel_trivy_container_ic_scanner_periodic_job.py @@ -23,12 +23,6 @@ link="https://gitlab.com/dfinity-lab/public/ic/-/tree/master/ic-os/boundary-guestos/rootfs", owner=Team.BOUNDARY_NODE_TEAM, ), - Project( - name="boundary-guestos", - path="ic/ic-os/boundary-guestos/envs/prod-sev", - link="https://gitlab.com/dfinity-lab/public/ic/-/tree/master/ic-os/boundary-guestos/rootfs", - owner=Team.BOUNDARY_NODE_TEAM, - ), Project( name="guestos", path="ic/ic-os/guestos/envs/prod", diff --git a/ic-os/README.adoc b/ic-os/README.adoc index dffe58b7107..20ec11c9e9b 100644 --- a/ic-os/README.adoc +++ b/ic-os/README.adoc @@ -30,7 +30,7 @@ Each image has its own build targets, which are variations of the image: * SetupOS: `prod`, `dev` * HostOS: `prod`, `dev` * GuestOS: `prod`, `dev`, `dev-malicious` -* BoundaryGuestOS: `prod`, `prod-sev`, `dev`, `dev-sev` +* BoundaryGuestOS: `prod`, `dev` The difference between production and development images is that the console can be accessed on `dev` images, but not on `prod` images. 
diff --git a/ic-os/boundary-guestos/defs.bzl b/ic-os/boundary-guestos/defs.bzl
index 03b96c291fd..99dde5de9fe 100644
--- a/ic-os/boundary-guestos/defs.bzl
+++ b/ic-os/boundary-guestos/defs.bzl
@@ -7,13 +7,12 @@ Hold manifest common to all Boundary GuestOS variants.
 # compute the hash over all inputs going into the image and derive the
 # "version.txt" file from it.
-def image_deps(mode, sev = False):
+def image_deps(mode):
 """
 Define all Boundary GuestOS inputs.
 Args:
 mode: Variant to be built, dev or prod.
- sev: if True, build an SEV-SNP enabled image
 Returns:
 A dict containing all file inputs to build this image.
 """
@@ -50,23 +49,11 @@ def image_deps(mode, sev = False):
 "dev": {
 "build_container_filesystem_config_file": "//ic-os/boundary-guestos/envs/dev:build_container_filesystem_config.txt",
 },
- "dev-sev": {
- "build_container_filesystem_config_file": "//ic-os/boundary-guestos/envs/dev-sev:build_container_filesystem_config.txt",
- },
 "prod": {
 "build_container_filesystem_config_file": "//ic-os/boundary-guestos/envs/prod:build_container_filesystem_config.txt",
 },
- "prod-sev": {
- "build_container_filesystem_config_file": "//ic-os/boundary-guestos/envs/prod-sev:build_container_filesystem_config.txt",
- },
 }
 deps.update(extra_deps[mode])
- if sev:
- sev_rootfs_deps = {
- "@sevtool": "/opt/ic/bin/sevtool:0755",
- }
- deps["rootfs"].update(sev_rootfs_deps)
-
 return deps
diff --git a/ic-os/boundary-guestos/docs/Build.adoc b/ic-os/boundary-guestos/docs/Build.adoc
index 2cfd1e42c73..24e2103f2f8 100644
--- a/ic-os/boundary-guestos/docs/Build.adoc
+++ b/ic-os/boundary-guestos/docs/Build.adoc
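Review bot: After the change, `deps.update(extra_deps[mode])` is the only place an unsupported mode is rejected, and it fails with a bare dictionary key error rather than naming the accepted variants; since `dev-sev` and `prod-sev` have just been removed, a stale caller still passing one of them would get an unhelpful message. Guarding the lookup with `if mode not in extra_deps:` / `    fail("image_deps: unsupported mode '%s' (expected dev or prod)" % mode)` makes the failure self-explanatory. The docstring could state the same contract: `mode: Variant to be built, dev or prod; any other value fails.` The `boundary_node_icos_build` caller in ic-os/defs.bzl is touched by this commit but its hunk is outside this view, so whether it still forwards a `sev` argument cannot be checked here.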
@@ -24,9 +24,6 @@ It allows to build `prod` and `dev` images. The `dev` images use the local servi worker from the branch and allow for console access using the username `root` and the password `root`. -Both the `prod` and `dev` image can be built with SEV-SNP enabled by appending -`sev` to the target (e.g., `prod-sev`). - See notes below on the individual build steps. == Constructing the system using docker diff --git a/ic-os/boundary-guestos/docs/README.adoc b/ic-os/boundary-guestos/docs/README.adoc index 5b0dc4e84e9..20599967cec 100644 --- a/ic-os/boundary-guestos/docs/README.adoc +++ b/ic-os/boundary-guestos/docs/README.adoc @@ -10,4 +10,3 @@ Refer to detailed documentation on: * link:Build{outfilesuffix}[Disk image build] * link:Components{outfilesuffix}[Components of the Boundary Node] * link:Network{outfilesuffix}[Network settings] -* link:SEV{outfilesuffix}[SEV Trusted Execution] diff --git a/ic-os/boundary-guestos/docs/SEV.adoc b/ic-os/boundary-guestos/docs/SEV.adoc deleted file mode 100644 index eee64057779..00000000000 --- a/ic-os/boundary-guestos/docs/SEV.adoc +++ /dev/null 
@@ -1,22 +0,0 @@
-= SEV Trusted Execution
-
-== SEV Keys
-
-=== ARK
-ARK is the AMD Root key which is an RSA 2048 key pair. It is the root of trust of AMD and its signatures signify AMD authenticity. The public part is stored in the VM as a constant.
-
-
-=== ASK
-ASK is the AMD SEV Signing Key (ASK), which is signed by the AMD root signing key (ARK). There is a different key for each hardware series, e.g., for Milan, Rome and Naples link:https://developer.amd.com/sev/[sev]. At best it comes from the host level so the VM does not need to know it just gets the right one depending on the platform from the host and checks if it is signed by the hardcoded ARK.
-
-
-=== VCEK
-VCEK is the Versioned Chip Endorsement Key (VCEK). It is specific to the firmware of the secure processor of the platform and the chip_id. It is signed by the ASK of the platform
-
-
-== References
-
-=== AMD Keyserver Interface
-
-There are additional details about the AMD keyserver interface where one can get the VCEK here link:https://www.amd.com/system/files/TechDocs/57230.pdf[techdoc].
-
diff --git a/ic-os/boundary-guestos/envs/dev-sev/BUILD.bazel b/ic-os/boundary-guestos/envs/dev-sev/BUILD.bazel
deleted file mode 100644
index 9d8bf114276..00000000000
--- a/ic-os/boundary-guestos/envs/dev-sev/BUILD.bazel
+++ /dev/null
@@ -1,13 +0,0 @@
-load("//ic-os:defs.bzl", "boundary_node_icos_build")
-load("//ic-os/boundary-guestos:defs.bzl", "image_deps")
-
-exports_files(["build_container_filesystem_config.txt"])
-
-boundary_node_icos_build(
- name = "dev-sev",
- ic_version = "//bazel:rc_only_version.txt",
- image_deps_func = image_deps,
- mode = "dev",
- sev = True,
- visibility = ["//visibility:public"],
-)
diff --git a/ic-os/boundary-guestos/envs/dev-sev/build_container_filesystem_config.txt b/ic-os/boundary-guestos/envs/dev-sev/build_container_filesystem_config.txt
deleted file mode 100644
index 79bc5c3f4c4..00000000000
--- a/ic-os/boundary-guestos/envs/dev-sev/build_container_filesystem_config.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-# Config file for build_container_filesystem_tar.py
-# CLI args will override these values
-# For more info: `build_container_filesystem_tar.py --help`
-dockerfile=Dockerfile
-build-arg:["BUILD_TYPE=dev","ROOT_PASSWORD=root"]
-file-build-arg="BASE_IMAGE=docker-base.snp"
diff --git a/ic-os/boundary-guestos/envs/dev/BUILD.bazel b/ic-os/boundary-guestos/envs/dev/BUILD.bazel
index 49f5ad44c91..92c7b2231ce 100644
--- a/ic-os/boundary-guestos/envs/dev/BUILD.bazel
+++ b/ic-os/boundary-guestos/envs/dev/BUILD.bazel
@@ -11,6 +11,5 @@ boundary_node_icos_build(
 name = "dev",
 ic_version = "//bazel:rc_only_version.txt",
 image_deps_func = image_deps,
- sev = False,
 visibility = ["//visibility:public"],
 )
diff --git a/ic-os/boundary-guestos/envs/prod-sev/BUILD.bazel b/ic-os/boundary-guestos/envs/prod-sev/BUILD.bazel
deleted file mode 100644
index 423c8de7bb6..00000000000
--- a/ic-os/boundary-guestos/envs/prod-sev/BUILD.bazel
+++ /dev/null
@@ -1,11 +0,0 @@
-load("//ic-os:defs.bzl", "boundary_node_icos_build")
-load("//ic-os/boundary-guestos:defs.bzl", "image_deps")
-
-exports_files(["build_container_filesystem_config.txt"])
-
-boundary_node_icos_build(
- name = "prod-sev",
- image_deps_func = image_deps,
- mode = "prod",
- sev = True,
-)
diff --git a/ic-os/boundary-guestos/envs/prod-sev/build_container_filesystem_config.txt b/ic-os/boundary-guestos/envs/prod-sev/build_container_filesystem_config.txt
deleted file mode 100644
index 7b9c6b02a2d..00000000000
--- a/ic-os/boundary-guestos/envs/prod-sev/build_container_filesystem_config.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-# Config file for build_container_filesystem_tar.py
-# CLI args will override these values
-# For more info: `build_container_filesystem_tar.py --help`
-dockerfile=Dockerfile
-build-arg:["BUILD_TYPE=prod"]
-file-build-arg="BASE_IMAGE=docker-base.snp"
diff --git a/ic-os/boundary-guestos/envs/prod/BUILD.bazel b/ic-os/boundary-guestos/envs/prod/BUILD.bazel
index cee81de18fb..0fa5575a4c1 100644
--- a/ic-os/boundary-guestos/envs/prod/BUILD.bazel
+++ b/ic-os/boundary-guestos/envs/prod/BUILD.bazel
@@ -10,6 +10,5 @@ exports_files(["build_container_filesystem_config.txt"])
 boundary_node_icos_build(
 name = "prod",
 image_deps_func = image_deps,
- sev = False,
 visibility = ["//testnet/tools:__pkg__"],
 )
diff --git a/ic-os/boundary-guestos/rootfs/Dockerfile b/ic-os/boundary-guestos/rootfs/Dockerfile
index be46d214b8b..f18a2f375f8 100644
--- a/ic-os/boundary-guestos/rootfs/Dockerfile
+++ b/ic-os/boundary-guestos/rootfs/Dockerfile
@@ -195,18 +195,6 @@ RUN mkdir -p /var/www/html && chown www-data:www-data /var/www/html
 COPY var/www/html /var/www/html
 RUN chmod 0644 /var/www/html/*
-# Install cgi-scripts
-RUN mkdir -p /var/www/cgi-bin && \
- chown www-data:www-data /var/www/cgi-bin
-COPY var/www/cgi-bin/* /var/www/cgi-bin/
-RUN mkdir -p /var/www/cgi-bin/artifacts && \
- mkdir -p /var/www/cgi-bin/artifacts/certs && \
- chown www-data:www-data /var/www/cgi-bin/artifacts && \
- chown www-data:www-data /var/www/cgi-bin/artifacts/certs && \
- touch /var/www/cgi-bin/cgi.log && \
- chown www-data:www-data /var/www/cgi-bin/* && \
- chmod 0755 /var/www/cgi-bin/*
-
 # Clear all files that may lead to indeterministic build.
 RUN apt-get clean && \
 rm -rf \
@@ -236,7 +224,3 @@ RUN chmod 0755 /etc/nginx/* && \
 # Increase the default limit on the number of open files for all systemd services
 RUN sed -i '/^#DefaultLimitNOFILE=/c\DefaultLimitNOFILE=1048576:1048576' /etc/systemd/system.conf
-
-# Configure incron
-COPY --chmod=644 etc/incron.tb /etc/incron.d/incron.tb
-RUN echo root >> /etc/incron.allow
diff --git a/ic-os/boundary-guestos/rootfs/Dockerfile.base b/ic-os/boundary-guestos/rootfs/Dockerfile.base
index 838e508d149..afd4cb90f51 100644
--- a/ic-os/boundary-guestos/rootfs/Dockerfile.base
+++ b/ic-os/boundary-guestos/rootfs/Dockerfile.base
@@ -3,8 +3,6 @@
 # Build steps:
 # - `docker build -t dfinity/boundaryos-base: -f Dockerfile.base .`
 # - `docker push/pull dfinity/boundaryos-base:`
-# - `docker build -t dfinity/boundaryos-base-snp: --build-arg CPU_SUPPORT="snp" -f Dockerfile.base
-# - `docker push/pull dfinity/boundaryos-base-snp:`
 # NOTE! If you edit this file, you will need to perform the following
 # operations to get your changes deployed.
@@ -13,18 +11,6 @@
 # 2. On the next hourly master pipeline (Run post-merge tests), click the "deploy-guest-os-baseimg" job
 # 3. Note the sha256 and update the sha256 reference in the neighboring Dockerfiles.
-# AMD SEV-SNP support version and sha256
-ARG snp_tag=sev-snp-release-2022-06-01
-ARG snp_sha=d61ed4419c2e98925e28ccc6e55dbb0b2c5d4b1c
-ARG snp_libc_host_sha=c3c6024b36aeb10a4414627088a642ab0795c660
-ARG snp_libc_guest_sha=9591f3b5f157a6ec985c9ab441f0f2529613323e
-
-ARG snp_kernel_version_guest=5.17.0-rc6-snp-guest-dfa5ba8348e4
-ARG snp_kernel_version_host=5.14.0-rc2-snp-host-6d4469b86f90
-ARG snp_kernel_pkg=linux-image-${snp_kernel_version_guest}_${snp_kernel_version_guest}-1_amd64.deb
-ARG snp_kernel_libc_host=linux-libc-dev_${snp_kernel_version_host}-1_amd64.deb
-ARG snp_kernel_libc_guest=linux-libc-dev_${snp_kernel_version_guest}-1_amd64.deb
-
 # Crowdsec bouncer version to install
 ARG CROWDSEC_BOUNCER_VERSION=1.0.14
 ARG CROWDSEC_BOUNCER_SHA=c99919c6ecc69904249ff71b32ea791ce2eec32e5a9e8d4c9c6554131a4fb331
@@ -67,15 +53,6 @@ RUN apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommend
 WORKDIR /tmp
-# Download SNP support
-ARG snp_tag
-ARG snp_sha
-ARG snp_libc_host_sha
-ARG snp_libc_guest_sha
-ARG snp_kernel_pkg
-ARG snp_kernel_libc_host
-ARG snp_kernel_libc_guest
-
 ARG CROWDSEC_BOUNCER_VERSION
 ARG CROWDSEC_BOUNCER_SHA
 ARG VECTOR_VERSION
@@ -83,13 +60,6 @@ ARG VECTOR_SHA
 ARG NODE_EXPORTER_VERSION
 ARG NODE_EXPORTER_SHA
-RUN curl -L -O https://github.com/dfinity/AMDSEV/releases/download/${snp_tag}/${snp_kernel_pkg} && \
- echo "${snp_sha} ${snp_kernel_pkg}" | shasum -c
-RUN curl -L -O https://github.com/dfinity/AMDSEV/releases/download/${snp_tag}/${snp_kernel_libc_guest} && \
- echo "${snp_libc_guest_sha} ${snp_kernel_libc_guest}" | shasum -c
-RUN curl -L -O https://github.com/dfinity/AMDSEV/releases/download/${snp_tag}/${snp_kernel_libc_host} && \
- echo "${snp_libc_host_sha} ${snp_kernel_libc_host}" | shasum -c
-
 # Download and verify vector
 RUN \
 curl -L -O https://packages.timber.io/vector/${VECTOR_VERSION}/vector_${VECTOR_VERSION}-1_amd64.deb && \
@@ -105,14 +75,6 @@ RUN \
 curl -L -O https://github.com/blind-oracle/cs-firewall-bouncer/releases/download/v${CROWDSEC_BOUNCER_VERSION}/crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb && \
 echo "${CROWDSEC_BOUNCER_SHA} crowdsec-firewall-bouncer-nftables_${CROWDSEC_BOUNCER_VERSION}_amd64.deb" | shasum -c
-# Download and build sev-guest tool
-RUN \
- git clone https://github.com/dfinity/sev-guest.git && \
- dpkg -i /tmp/${snp_kernel_libc_guest} && \
- dpkg -i /tmp/${snp_kernel_libc_host} && \
- dpkg -i /tmp/${snp_kernel_libc_guest} && \
- cd /tmp/sev-guest && make
-
 #
 # Second build stage:
 # - Download and cache minimal Ubuntu Server 20.04 LTS Docker image
@@ -182,49 +144,7 @@ RUN \
 udev \
 usbutils \
 vim \
- zstd \
- fcgiwrap \
- incron
-
-# For the common image, just use common to use the default kernel of Ubuntu
-# For the SEV-SNP image, use "snp" -- this can
-# be set via docker build args (see above).
-ARG CPU_SUPPORT=common
-
-# Copy AMD SEV-SNP kernel support
-ARG snp_tag
-ARG snp_kernel_pkg
-ARG snp_kernel_libc_guest
-ARG snp_kernel_libc_host
-COPY --from=download /tmp/${snp_kernel_pkg} /tmp/${snp_kernel_pkg}
-
-# Copy sev-guest tool
-COPY --from=download /tmp/sev-guest/sev-guest-get-report /opt/ic/bin/sev-guest-get-report
-COPY --from=download /tmp/sev-guest/sev-guest-parse-report /opt/ic/bin/sev-guest-parse-report
-COPY --from=download /tmp/sev-guest/sev-guest-kdf /opt/ic/bin/sev-guest-kdf
-
-# Install AMD SEV-SNP kernel support
-ARG CPU_SUPPORT
-ARG snp_tag
-ARG snp_kernel_version_guest
-ARG snp_kernel_pkg
-
-RUN \
- echo "CPU_SUPPORT: ${CPU_SUPPORT}" && \
- if [ "${CPU_SUPPORT}" = "snp" ] ; then \
- dpkg -i /tmp/${snp_kernel_pkg} && \
- # Create initrd for the new kernel
- update-initramfs -b /boot -c -k ${snp_kernel_version_guest} && \
- # Create soft link for vmlinuz and initrd.img pointing to the updated images
- cd /boot && \
- unlink vmlinuz && \
- unlink initrd.img && \
- ln -s vmlinuz-${snp_kernel_version_guest} vmlinuz && \
- ln -s initrd.img-${snp_kernel_version_guest} initrd.img ; \
- fi
-
-# Cleanup
-RUN rm /tmp/${snp_kernel_pkg}
+ zstd
 # Install vector
 ARG VECTOR_VERSION
diff --git a/ic-os/boundary-guestos/rootfs/docker-base.snp b/ic-os/boundary-guestos/rootfs/docker-base.snp
deleted file mode 100644
index 9953b916de3..00000000000
--- a/ic-os/boundary-guestos/rootfs/docker-base.snp
+++ /dev/null
@@ -1 +0,0 @@
-docker.io/dfinity/boundaryos-base-snp@sha256:49b9384949abacc600a85af100bd28c977d2b2bbe2c7343e41637511a48150fc
diff --git a/ic-os/boundary-guestos/rootfs/etc/incron.tb b/ic-os/boundary-guestos/rootfs/etc/incron.tb
deleted file mode 100644
index be557bd8bcc..00000000000
--- a/ic-os/boundary-guestos/rootfs/etc/incron.tb
+++ /dev/null
@@ -1,2 +0,0 @@
-/var/www/cgi-bin/artifacts/certs IN_CLOSE_WRITE,IN_CREATE,IN_MOVED /opt/ic/bin/copy_certs.sh certs
-/var/www/cgi-bin/artifacts/bn_priv.key IN_CLOSE_WRITE,IN_CREATE,IN_MOVED /opt/ic/bin/copy_certs.sh key
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/fcgiwrap.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/fcgiwrap.conf
deleted file mode 100644
index 7433ddfec2a..00000000000
--- a/ic-os/boundary-guestos/rootfs/etc/nginx/fcgiwrap.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-location /cgi-bin/ {
- gzip off;
- root /var/www;
- fastcgi_pass unix:/var/run/fcgiwrap.socket;
- include /etc/nginx/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
-}
-
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/nginx.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/nginx.conf
index 1777244c4b8..91b54de0b50 100644
--- a/ic-os/boundary-guestos/rootfs/etc/nginx/nginx.conf
+++ b/ic-os/boundary-guestos/rootfs/etc/nginx/nginx.conf
@@ -173,5 +173,4 @@ http {
 ##
 include /etc/nginx/conf.d/*.conf;
- include /run/ic-node/etc/nginx/conf.d/cgi.conf;
 }
diff --git a/ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-bn-key.service b/ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-bn-key.service
deleted file mode 100644
index 83b7a2f9526..00000000000
--- a/ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-bn-key.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Generate BN key pair on first boot
-After=boot-config.mount
-Requires=boot-config.mount
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-ExecStart=/opt/ic/bin/setup-bn-key.sh
diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/copy_certs.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/copy_certs.sh
deleted file mode 100755
index 3e6d1cbacfb..00000000000
--- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/copy_certs.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -e
-
-UPLOAD_DIR=/var/www/cgi-bin/artifacts
-NGINX_DIR=/run/ic-node/etc/nginx
-
-if [ "$1" = "certs" ]; then
- # Copy the new certificates in the right folder
- cp -r ${UPLOAD_DIR}/certs/* ${NGINX_DIR}/certs/
-elif [ "$1" = "key" ]; then
- # Move the private key in the right folder
- mv ${UPLOAD_DIR}/bn_priv.key ${NGINX_DIR}/keys/bn_privkey.pem
-fi
diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-bn-key.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-bn-key.sh
deleted file mode 100644
index 4a6e33ef4c1..00000000000
--- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-bn-key.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-
-set -e
-
-TOOL=/opt/ic/bin/sev-guest-get-report
-DIR=/boot/config/sev
-HTML_DIR=/var/www/html
-
-if [ -e /dev/sev-guest ]; then
- # sev-snp enabled
- if [[ ! -e "${DIR}/BN.csr" ]]; then
- # first boot
- mkdir -p ${DIR}
- pushd ${DIR}
-
- # Create a key pair for the BN and a CSR according to the domain info
- openssl req -out ${DIR}/BN.csr -new -newkey rsa:2048 -nodes -keyout ${DIR}/bn_priv.key -config /etc/csr.conf
- openssl rsa -in ${DIR}/bn_priv.key -pubout >${DIR}/bn_pub.key
-
- # Create a pair of reports with a hash of the public key and the csr respectively
- ${TOOL} -x -f ${DIR}/BN.csr ${DIR}/guest_report_csr.bin
- ${TOOL} -x -f ${DIR}/bn_pub.key ${DIR}/guest_report_pem.bin
-
- # Rename the .cert files to .pem because of sevtool
- for cert in *.cert; do
- mv ${cert} ${cert%.cert}.pem
- done
-
- # Create the corresponding tarballs for the nginx to deliver
- tar -czvf ${HTML_DIR}/report_pem.tar.gz -C ${DIR} bn_pub.key guest_report_pem.bin vcek.pem ask.pem
- tar -czvf ${HTML_DIR}/report_csr.tar.gz -C ${DIR} BN.csr guest_report_csr.bin vcek.pem ask.pem
-
- # Give the right permissions for the cgi scripts
- chown www-data:www-data ${DIR}/bn_priv.key
- chown www-data:www-data ${DIR}/guest_report_pem.bin
- chown www-data:www-data /dev/sev-guest
-
- popd
-
- fi
-fi
diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-conf-encryption.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-conf-encryption.sh index 18d8202f795..27d42182e36 100644 --- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-conf-encryption.sh +++ b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-conf-encryption.sh @@ -6,16 +6,7 @@ set -e CONF_PARTITION="$1" -if [[ -e /dev/sev-guest ]]; then - # sev-snp enabled - KEYFILE=/run/key.snp - if [[ ! -f "${KEYFILE}" ]]; then - # Derive a sealing key based on the VM's measurement if it hasn't been created already - /opt/ic/bin/sev-guest-kdf -m "${KEYFILE}" - fi -else - KEYFILE=/boot/grub/store.keyfile -fi +KEYFILE=/boot/grub/store.keyfile # Check whether there is already a luks header in the partition. TYPE=$(blkid -o value --match-tag TYPE "${CONF_PARTITION}") @@ -26,7 +17,6 @@ if [ "${TYPE}" == "crypto_LUKS" ]; then else echo "No LUKS header found in partition ${CONF_PARTITION} for /boot/config. Setting it up on first boot." if [[ ! -f "${KEYFILE}" ]]; then - # Only in the non-sev case echo "Generating a key for encrypted partitions" umask 0077 dd if=/dev/random of="$KEYFILE" bs=16 count=1 diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-encryption.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-encryption.sh index 9ce6e453d4a..a7ae860b467 100755 --- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-encryption.sh +++ b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-encryption.sh @@ -2,16 +2,7 @@ set -e -if [[ -e /dev/sev-guest ]]; then - # sev-snp enabled - KEYFILE=/run/key.snp - if [[ ! -f "${KEYFILE}" ]]; then - # Derive a sealing key based on the VM's measurement if it hasn't been created already - /opt/ic/bin/sev-guest-kdf -m "${KEYFILE}" - fi -else - KEYFILE=/boot/grub/store.keyfile -fi +KEYFILE=/boot/grub/store.keyfile if [ -e /dev/vda10 ]; then #Fix for crypttab 
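Review bot: The new unconditional `KEYFILE=/boot/grub/store.keyfile` in setup-conf-encryption.sh (and the identical line in setup-encryption.sh) has lost the comment that explained where the key comes from, so a reader no longer sees that the LUKS key now always sits as a plain file on the boot partition — which the bootloader must read and so is presumably not itself encrypted — protected only by the `umask 0077` file mode applied at creation. Suggest `# LUKS key for the encrypted partitions; a plain file on the boot partition, generated on first boot below (mode 0600) if absent.` The first-boot path still checks only that the file exists before `dd if=/dev/random of="$KEYFILE" bs=16 count=1`, so `dd if=/dev/random of="$KEYFILE" bs=16 count=1 iflag=fullblock` would additionally guard against a short read leaving a truncated key that the existence check then accepts on every later boot. The matching generation block in setup-encryption.sh continues in its next hunk.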
@@ -24,7 +15,6 @@ partprobe /dev/vda # Generate a key and initialize encrypted store with it. if [[ ! -f "${KEYFILE}" ]]; then - # Only in the non-sev case umask 0077 dd if=/dev/random of="$KEYFILE" bs=16 count=1 fi diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-nginx.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-nginx.sh index a74436885ce..d5df5daab9c 100755 --- a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-nginx.sh +++ b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-nginx.sh @@ -130,24 +130,11 @@ function setup_custom_domains() { fi } -function setup_cgi() { - cat >"/run/ic-node/etc/nginx/conf.d/cgi.conf" <>${LOGFILE} -} - -cgi_response() { - local mimetype="text/html" - local title=$1 - local heading=$2 - local body=$3 - - echo "Content-type: ${mimetype}" - echo - echo "" - echo "${title}" - echo "" - echo "

${heading}


" - echo "${body}" - echo "" -} - -is_cert_chain_valid() { - local work_dir=${1} - ${SEV_TOOL} --ofolder ${work_dir} --validate_cert_chain_vcek \ - | grep "Command Successful" >/dev/null -} - -is_report_valid() { - local work_dir=${1} - ${SEV_TOOL} --ofolder ${work_dir} --validate_guest_report \ - | grep "Command Successful" >/dev/null -} - -is_measurement_valid() { - local work_dir=${1} - local meas=$(${SEV_GUEST_TOOL} ${dir}/guest_report.bin \ - | sed 'N;28q;d' | tr -d '[:space:]' >/dev/null 2>&1) - local my_meas=$(${SEV_GUEST_TOOL} /boot/config/sev/guest_report_pem.bin \ - | sed 'N;28q;d' | tr -d '[:space:]' >/dev/null 2>&1) - if [[ "${meas}" != "${my_meas}" ]]; then - log "Measurement does not match the expected one(mine)." - return -1 - fi -} - -validate_pubkey() { - local dir=$1 - local report_hash=$(${SEV_GUEST_TOOL} -d ${dir}/guest_report.bin \ - | sed -e '1d' -e '2{N}' -e 's/[ \n]*//g') - local pubkey_hash=$(sha512sum ${dir}/bn_pub.key | cut -d ' ' -f1) - - # Check that the report hash matches the pubkey and that the - # guest report and it's cert chain validate correctly - is_report_valid ${dir} && is_cert_chain_valid ${dir} && [ "${report_hash}" == "${pubkey_hash}" ] - # Verify the measurement - is_measurement_valid ${dir} -} - -# Encrypt the private key with the given public key of the BN -# and prepare a fresh report with the hash of the encrypted key. -# Place the relevant files in a directory named after the BN's IP. -encrypt_send() { - local bn_pub=$1/bn_pub.key - local BN_DIR=${UPLOAD_DIR}/${IP} - local KEYFILE=${BN_DIR}/rand.key - - mkdir -p ${BN_DIR} - pushd ${BN_DIR} >/dev/null - # Generate a random key to encrypt the private key. 
- # We need that, because bn_priv.key is too big for direct encryption - dd if=/dev/random of="${KEYFILE}" bs=16 count=1 >/dev/null 2>&1 - openssl enc -e -aes-256-cbc -pbkdf2 -kfile ${KEYFILE} -in /boot/config/sev/bn_priv.key -out ${BN_DIR}/bn_priv.enc -nosalt -iv 0 >/dev/null 2>&1 - # Encrypt the random key with the BN's pub key - openssl pkeyutl -in ${KEYFILE} -out ${BN_DIR}/rand.enc -pubin -inkey ${bn_pub} -encrypt >/dev/null 2>&1 - # Create a report with its hash - ${SEV_GUEST_TOOL_GET} -x -f ${BN_DIR}/bn_priv.enc ${BN_DIR}/guest_report.bin >/dev/null 2>&1 - # Rename the .cert files to .pem - # - # NOTE: .cert files are actually an AMD proprietary format described in - # Appendix C of https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf - # however the sev-host-set-cert-chain program does no verification and since we really need the PEM - # we can store those instead using that program. - for cert in *.cert; do - mv ${cert} ${cert%.cert}.pem - done - tar -czvf ${BN_DIR}/report_lead.tar.gz -C ${BN_DIR} bn_priv.enc rand.enc guest_report.bin ask.pem vcek.pem >/dev/null 2>&1 - curl --data-binary @${BN_DIR}/report_lead.tar.gz -H "Content-Type: application/octet-stream" http://${IP}/cgi-bin/bn-priv-send.sh >/dev/null 2>&1 - popd >/dev/null -} - -main() { - # Change to a safe temporary directory - local work_dir=$(mktemp -d /tmp/XXXXXX) - pushd ${work_dir} >/dev/null - - # Read the BN's IP to do the POST request later - read -N 13 IP - IP=${IP::-1} - log "IP=$IP" - - # Extract the tarball provided in the POST operation - # This will contain the public key and the report - tar -zxf /dev/stdin - if [ "$?" -ne "0" ]; then - cgi_response "BN Response" "Result" "Upload failed." - exit 1 - fi - - log "Report and public key received." - mv ${work_dir}/guest_report_pem.bin ${work_dir}/guest_report.bin - # Copy over hard coded root of trust ARK PEM. 
- cp "${ARK_PEM}" "${work_dir}/" - # Validate the guest report and its certificate chain - if validate_pubkey ${work_dir}; then - log "Guest report validated successfully!" - else - log "Validation failed!" - cgi_response "Attestation Response" "Result" "Validation failed." - exit 2 - fi - - encrypt_send ${work_dir} - - # Cleanup - popd >/dev/null - rm -rf ${work_dir} - - # Send the required CGI response message - cgi_response "BN Response" "Result" "SUCCESS" - exit 0 -} - -main $@ diff --git a/ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-cert-receive.sh b/ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-cert-receive.sh deleted file mode 100644 index 2341571b6ae..00000000000 --- a/ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-cert-receive.sh +++ /dev/null @@ -1,75 +0,0 @@ -#!/usr/bin/bash -# -# Originated from SM, triggered on the BN-x -# This is meant to handle a POST request from the SM -# that is sending the SSL certs along with the IP -# of the chosen leader --BN-0 -set -e - -LOGFILE=/var/www/cgi-bin/cgi.log -UPLOAD_DIR=/var/www/cgi-bin/artifacts - -log() { - echo "[$(date --rfc-3339='ns')] $@" >>${LOGFILE} -} - -cgi_response() { - local mimetype="text/html" - local title=$1 - local heading=$2 - local body=$3 - - echo "Content-type: ${mimetype}" - echo - echo "" - echo "${title}" - echo "" - echo "

${heading}


" - echo "${body}" - echo "" -} - -# Check if the IP matches the one that BN has to verify if it's the leader. -# If no, then it should do a POST request to the leader -# with a tarball containing its report and its public key. -act_upon() { - my_IP=$(ip -brief -family inet address show scope global | grep -w UP | grep -o -m1 "[0-9]*\.[0-9*\.[0-9]*\.[0-9]*") - if [ ${my_IP} != $IP ]; then - log "Sending report tarball to BN-0 to get attested." - curl -d "${my_IP}" --data-binary @/var/www/html/report_pem.tar.gz -H "Content-Type: application/octet-stream" http://${IP}/cgi-bin/bn-attest.sh >/dev/null 2>&1 - fi -} - -main() { - # Change to a safe temporary directory - local work_dir=$(mktemp -d /tmp/XXXXXX) - pushd ${work_dir} >/dev/null - - # Read the leader's IP - read -N 13 IP - IP=${IP::-1} - - # Extract the tarball provided in the POST operation containing the cert files - tar -zxf /dev/stdin - if [ "$?" -ne "0" ]; then - cgi_response "BN Response" "Result" "Upload failed." - exit 1 - fi - - log "SSL certificates received. Ready to copy them in user's directory" - # incron job will install them in the right directory later - cp ./* ${UPLOAD_DIR}/certs >/dev/null - - # Trigger a POST request if the BN is not the leader - act_upon - - # Cleanup - popd >/dev/null - rm -rf ${work_dir} - - # Send the required CGI response message - cgi_response "BN Response" "Result" "SUCCESS" - exit 0 -} - -main $@ diff --git a/ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-priv-send.sh b/ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-priv-send.sh deleted file mode 100644 index 31d4aee26fd..00000000000 --- a/ic-os/boundary-guestos/rootfs/var/www/cgi-bin/bn-priv-send.sh +++ /dev/null 
@@ -1,135 +0,0 @@ -#!/usr/bin/bash -# -# Leader's priv. key exchange -# Request originated from the leader BN, triggered on the BN-x. -# This is meant to handle a POST request from the leader BN -# who is sending its attestation report along with its encrypted -# private key. The hash of the encrypted private key will be also -# included in the report's user data. The encryption is performed -# with a random symmetric key. The symmetric key is encrypted with -# BN's public key. - -set -e - -LOGFILE=/var/www/cgi-bin/cgi.log -UPLOAD_DIR=/var/www/cgi-bin/artifacts -SEV_TOOL=/opt/ic/bin/sevtool -SEV_GUEST_TOOL=/opt/ic/bin/sev-guest-parse-report -ARK_PEM=/opt/ic/share/ark.pem - -log() { - echo "[$(date --rfc-3339='ns')] $@" >>${LOGFILE} -} - -cgi_response() { - local mimetype="text/html" - local title=$1 - local heading=$2 - local body=$3 - - echo "Content-type: ${mimetype}" - echo - echo "" - echo "${title}" - echo "" - echo "

${heading}


" - echo "${body}" - echo "" -} - -is_cert_chain_valid() { - local work_dir=${1} - ${SEV_TOOL} --ofolder ${work_dir} --validate_cert_chain_vcek \ - | grep "Command Successful" >/dev/null -} - -is_report_valid() { - local work_dir=${1} - ${SEV_TOOL} --ofolder ${work_dir} --validate_guest_report \ - | grep "Command Successful" >/dev/null -} - -is_measurement_valid() { - local work_dir=${1} - local meas=$(${SEV_GUEST_TOOL} ${dir}/guest_report.bin \ - | sed 'N;28q;d' | tr -d '[:space:]' >/dev/null 2>&1) - local my_meas=$(${SEV_GUEST_TOOL} /boot/config/sev/guest_report_pem.bin \ - | sed 'N;28q;d' | tr -d '[:space:]' >/dev/null 2>&1) - if [[ "${meas}" != "${my_meas}" ]]; then - log "Measurement does not match the expected one(mine)." - return -1 - fi -} - -validate_privkey() { - local dir=$1 - local report_hash=$(${SEV_GUEST_TOOL} -d ${dir}/guest_report.bin \ - | sed -e '1d' -e '2{N}' -e 's/[ \n]*//g') - local privkey_hash=$(sha512sum ${dir}/bn_priv.enc | cut -d ' ' -f1) - - # Check that the report hash matches the pubkey and that the - # guest report and it's cert chain validate correctly - is_report_valid ${dir} && is_cert_chain_valid ${dir} && [ "${report_hash}" == "${privkey_hash}" ] - # Verify the measurement - is_measurement_valid ${dir} -} - -validate_ssl_chain() { - val1=$(openssl x509 -noout -modulus -in ${UPLOAD_DIR}/0001_cert.pem | openssl md5) - val2=$(openssl rsa -noout -modulus -in ${UPLOAD_DIR}/bn_priv.key | openssl md5) - if [ val1 == val2 ]; then - log "Successful validation." - else - log "SSL certificate does not match private key." 
- fi -} - -install_priv() { - local dir=$1 - openssl pkeyutl -in ${dir}/rand.enc -out ${dir}/rand -inkey /boot/config/sev/bn_priv.key -decrypt >/dev/null 2>&1 - openssl enc -d -aes-256-cbc -pbkdf2 -kfile ${dir}/rand -in ${dir}/bn_priv.enc -out ${dir}/bn_priv.key -nosalt -iv 0 >/dev/null 2>&1 - # incron job will install it in the right directory later - cp ${dir}/bn_priv.key ${UPLOAD_DIR} - #validate_ssl_chain -} - -main() { - # Change to a safe temporary directory - local work_dir=$(mktemp -d /tmp/XXXXXX) - pushd ${work_dir} >/dev/null - - # Extract the tarball provided in the POST operation - # This will contain the encrypted private key and the report - # which will have the latter one as user-data. - tar -zxf /dev/stdin - if [ "$?" -ne "0" ]; then - cgi_response "BN Response" "Result" "Upload failed." - exit 1 - fi - - log "Report and encrypted private key received." - - # Copy over hard coded root of trust ARK PEM. - cp "${ARK_PEM}" "${work_dir}/" - - # Validate the guest report and its certificate chain - if validate_privkey ${work_dir}; then - log "Leader's report validated successfully!" - else - log "Validation failed!" - cgi_response "Attestation Response" "Result" "Validation failed." - exit 2 - fi - - install_priv ${work_dir} - - # Cleanup - popd >/dev/null - rm -rf ${work_dir} - - # Send the required CGI response message - cgi_response "BN Response" "Result" "SUCCESS" - exit 0 -} - -main $@ diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index 951dfb32e00..cfcdd8e2ce6 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -605,7 +605,6 @@ def boundary_node_icos_build( name, image_deps_func, mode = None, - sev = False, visibility = None, ic_version = "//bazel:version.txt"): """ 
@@ -615,14 +614,13 @@ def boundary_node_icos_build( name: Name for the generated filegroup. image_deps_func: Function to be used to generate image manifest mode: dev, or prod. If not specified, will use the value of `name` - sev: if True, build an SEV-SNP enabled image visibility: See Bazel documentation ic_version: the label pointing to the target that returns IC version """ if mode == None: mode = name - image_deps = image_deps_func(mode, sev = sev) + image_deps = image_deps_func(mode) native.sh_binary( name = "vuln-scan", @@ -790,8 +788,6 @@ def boundary_node_icos_build( ) upload_suffix = "" - if sev: - upload_suffix += "-snp" if mode == "dev": upload_suffix += "-dev" diff --git a/ic-os/docs/Upgrades.adoc b/ic-os/docs/Upgrades.adoc index d3e1fbb1056..62fce97a521 100644 --- a/ic-os/docs/Upgrades.adoc +++ b/ic-os/docs/Upgrades.adoc @@ -31,7 +31,7 @@ The Bazel command used to build the HostOS/GuestOS images also generates a HostO $ bazel build //ic-os/{hostos,guestos}/envs//... -This command will output `update-img.tar{.gz,.zst}` in `/ic/bazel-bin/ic-os/{hostos,guestos}/envs/{prod,dev,dev-sev,dev-malicious}`, which is the tar archive of the HostOS/GuestOS update image. +This command will output `update-img.tar{.gz,.zst}` in `/ic/bazel-bin/ic-os/{hostos,guestos}/envs/{prod,dev,dev-malicious}`, which is the tar archive of the HostOS/GuestOS update image. Note that the upgrade images include only the boot and root partitions in a tar archive. Full images, on the other hand, include the entire partition table. diff --git a/ic-os/scripts/bn-virsh/data/bn_config/accounts_ssh_authorized_keys/admin b/ic-os/scripts/bn-virsh/data/bn_config/accounts_ssh_authorized_keys/admin deleted file mode 100644 index a96c64b11d2..00000000000 --- a/ic-os/scripts/bn-virsh/data/bn_config/accounts_ssh_authorized_keys/admin +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGyISe9exwMbx9MFClrtNk6frOR+fBXuMnq32txVvbyM khushboo@zh1-spm34.zh1.dfinity.network 
diff --git a/ic-os/scripts/bn-virsh/data/bn_config/bn_vars.conf b/ic-os/scripts/bn-virsh/data/bn_config/bn_vars.conf
deleted file mode 100644
index c48aca341b0..00000000000
--- a/ic-os/scripts/bn-virsh/data/bn_config/bn_vars.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-system_domains=ic0.app
-application_domains=ic0.app
-denylist_url=
-elasticsearch_url=https://elasticsearch.testnet.dfinity.network
-elasticsearch_tags=system_test, boundary_nodes_sev_snp_pre_master__boundary_nodes_sev_snp_pot-khushboo-zh1-spm34_zh1_dfinity_network-1668127719
-ipv4_http_ips=0.0.0.0/0
-ipv6_http_ips=::/0
-ipv6_debug_ips=::/0
-ipv6_monitoring_ips=::/0
diff --git a/ic-os/scripts/bn-virsh/data/bn_config/denylist.map b/ic-os/scripts/bn-virsh/data/bn_config/denylist.map
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/ic-os/scripts/bn-virsh/data/bn_config/network.conf b/ic-os/scripts/bn-virsh/data/bn_config/network.conf
deleted file mode 100644
index aaab5033be3..00000000000
--- a/ic-os/scripts/bn-virsh/data/bn_config/network.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-ipv6_address=
-ipv6_gateway=
-ipv4_address=
-ipv4_gateway=
-name_servers=2606:4700:4700::1111 2606:4700:4700::1001
-hostname=boundary-node-snp-1
-ipv6_replica_ips=2001:4d78:40d:0:509a:1bff:fe0c:21f7/32,
diff --git a/ic-os/scripts/bn-virsh/data/bn_config/nns.conf b/ic-os/scripts/bn-virsh/data/bn_config/nns.conf
deleted file mode 100644
index 5cdab1fcd4a..00000000000
--- a/ic-os/scripts/bn-virsh/data/bn_config/nns.conf
+++ /dev/null
@@ -1 +0,0 @@
-nns_url=http://[2001:4d78:40d:0:509a:1bff:fe0c:21f7]:8080/
diff --git a/ic-os/scripts/bn-virsh/data/bn_config/nns_public_key.pem b/ic-os/scripts/bn-virsh/data/bn_config/nns_public_key.pem
deleted file mode 100644
index 85266e52c64..00000000000
--- a/ic-os/scripts/bn-virsh/data/bn_config/nns_public_key.pem
+++ /dev/null
@@ -1,5 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIGCMB0GDSsGAQQBgtx8BQMBAgEGDCsGAQQBgtx8BQMCAQNhAKyelsUDvp1A6h1+ -RpPIq75fEGzjGnSTZWq/aWyftJXmLBv1HIT+TEeCX6Aj3SLPrgLPXPqhvSLQesaJ -5JKpuGUZkX/RWnYWa1Eklh8gXUtdeGUIJUS+F36Du7OCOHUsIQ== ------END PUBLIC KEY----- diff --git a/ic-os/scripts/bn-virsh/data/bn_sev_vm.xml b/ic-os/scripts/bn-virsh/data/bn_sev_vm.xml deleted file mode 100644 index 7e5ea48291f..00000000000 --- a/ic-os/scripts/bn-virsh/data/bn_sev_vm.xml +++ /dev/null @@ -1,257 +0,0 @@ - - boundary_nodes_sev_snp-USER - 0b373e31-4b99-4880-ba2b-f0ca13d4d1d1 - - - - - - 4194304 - 4194304 - - 4352592 - - 4 - - /machine - - - hvm - /usr/share/OVMF/OVMF.fd - /var/lib/libvirt/qemu/nvram/boundary-node-snp-1_VARS.fd - /tmp/USER-sev-vm/vmlinuz - /tmp/USER-sev-vm/initrd.img - - - - - - - - qemu64 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - destroy - restart - destroy - - - - - - /usr/local/bin/qemu-system-x86_64 - - - - - - -
- - - - - - - -
- - - -
- - - - -
- - - - -
- - - - -
- - - -
- - - - - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - - - -
- - - -
- - - - - - - -
- - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -