Skip to content

Commit

Permalink
Fix Wasm module reproducibility
Browse files Browse the repository at this point in the history
Update hashes

Use fake user ID in Docker

Update Aggregator hash

TEST_CI: chwon oak files

TEST_CI: add ci_init

TEST_CI: change order

TEST_CI: check user

TEST_CI: check user

TEST_CI: check user

TEST_CI: check user

TEST_CI: check user

TEST_CI: check user

TEST_CI: check user

TEST_CI: chown oak

TEST_CI: chown oak

TEST_CI: chown oak

TEST_CI: chown oak

TEST_CI: fix order

TEST_CI: fix order

TEST_CI: fix order

TEST_CI: fix order

TEST_CI: fix order

TEST_CI: fix order

TEST_CI: fix order

Init github CI

Test github CI

Test github CI

Test github CI

Test github CI

Remove test code

Remove test code

Remove test code

Update signature

Update Dockerfile
  • Loading branch information
ipetr0v committed Mar 1, 2021
1 parent 0b63f58 commit c5b820a
Show file tree
Hide file tree
Showing 10 changed files with 12 additions and 17 deletions.
5 changes: 4 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -281,9 +281,12 @@ RUN make depend && make -j"$(nproc)"&& make install_sw install_ssldirs
ENV PKG_CONFIG_ALLOW_CROSS 1
ENV OPENSSL_STATIC 1

# We use the `docker` user in order to maintain library paths on different
# machines and to make Wasm modules reproducible.
ARG USERNAME=docker

# Placeholder args that are expected to be passed in at image build time.
# See https://code.visualstudio.com/docs/remote/containers-advanced#_creating-a-nonroot-user
ARG USERNAME=user-name-goes-here
ARG USER_UID=1000
ARG USER_GID=${USER_UID}

Expand Down
2 changes: 0 additions & 2 deletions examples/aggregator/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,8 +152,6 @@ gcloud monitoring dashboards list
1. Build the example, including the Wasm module
1. Get module SHA256 hash via
`sha256sum examples/aggregator/bin/aggregator.wasm`
1. Push the module to GS via `./scripts/push_example -e aggregator`
1. Fix the URL and hash in [`./oak_app_manifest.toml`](./oak_app_manifest.toml)
1. Fix module hash in the following files:

- `examples/aggregator/config.toml`
Expand Down
2 changes: 1 addition & 1 deletion examples/aggregator/client/android/cpp/client.cc
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ JNIEXPORT void JNICALL Java_com_google_oak_aggregator_MainActivity_createChannel
// The particular value corresponds to the hash on the `aggregator.wasm` line in
// https://github.com/project-oak/oak/blob/hashes/reproducibility_index.
oak::label::Label label = oak::WebAssemblyModuleHashLabel(
absl::HexStringToBytes("2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7"));
absl::HexStringToBytes("9ad1f44640141bf54a90942310695a311ced743d164effd54942fad9593e740a"));
kChannel = Aggregator::NewStub(oak::ApplicationClient::CreateChannel(
address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label));
JNI_LOG("gRPC channel has been created");
Expand Down
2 changes: 1 addition & 1 deletion examples/aggregator/client/cpp/aggregator.cc
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ int main(int argc, char** argv) {
// https://github.com/project-oak/oak/blob/hashes/reproducibility_index.
// TODO(#1674): Add appropriate TLS endpoint tag to the label as well.
oak::label::Label label = oak::WebAssemblyModuleHashLabel(
absl::HexStringToBytes("2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7"));
absl::HexStringToBytes("9ad1f44640141bf54a90942310695a311ced743d164effd54942fad9593e740a"));
// Connect to the Oak Application.
auto stub = Aggregator::NewStub(oak::ApplicationClient::CreateChannel(
address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label));
Expand Down
2 changes: 1 addition & 1 deletion examples/aggregator/config.toml
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
grpc_server_listen_address = "[::]:8080"
backend_server_address = "https://localhost:8888"
aggregator_module_hash = "2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7"
aggregator_module_hash = "9ad1f44640141bf54a90942310695a311ced743d164effd54942fad9593e740a"
2 changes: 1 addition & 1 deletion examples/aggregator/oak_app_manifest.toml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name = "aggregator"

[modules]
app = { external = { url = "https://storage.googleapis.com/oak-modules/aggregator/2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7", sha256 = "2d33ea304486337108d2fc23ee583947bd8f91f0c526637bd330db39251b9ec7" } }
app = { path = "examples/aggregator/bin/aggregator.wasm" }
3 changes: 0 additions & 3 deletions examples/private_set_intersection/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,6 @@ This example requires a valid signature of the `handler` module. So, whenever
the code is modified, the wasm module and the signature must be regenerated:

1. Build the example, including the Wasm module
1. Push the module to GS via
`./scripts/push_example -e private_set_intersection`
1. Fix the URL and hash in [`./oak_app_manifest.toml`](./oak_app_manifest.toml)
1. Sign the module with the test key that is checked in the repository (only for
test / debug use):

Expand Down
3 changes: 1 addition & 2 deletions examples/private_set_intersection/oak_app_manifest.toml
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,4 @@ signature_manifests = [

[modules]
app = { path = "examples/private_set_intersection/bin/private_set_intersection.wasm" }
# TODO(865): Use locally built module once reproducibility is fixed.
handler = { external = { url = "https://storage.googleapis.com/oak-modules/private_set_intersection_handler/a3e3fce0b23273a5117efd7d94632091990c3637536d80ed1874a2013c8f0f07", sha256 = "a3e3fce0b23273a5117efd7d94632091990c3637536d80ed1874a2013c8f0f07" } }
handler = { path = "examples/private_set_intersection/bin/private_set_intersection_handler.wasm" }
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ f41SClNtR4i46v2Tuh1fQLbt/ZqRr1lENajCW92jyP4=
-----END PUBLIC KEY-----

-----BEGIN SIGNATURE-----
ITXOClpnflN81KsB2TGBPBkYNnSJu8uhOWH7YDg2UgVXdRFdguAWagQmVFlgt6gb
qY6f7zg0TfenVKihsYMdCw==
88gbczoj6FP9naBtl7+7/A9Q6QOncNbbjIpKyOEgfAvfdeqKKRTCrnv9T0xyttS2
fMaYz8bUJ895o4R7G6rBBg==
-----END SIGNATURE-----

-----BEGIN HASH-----
o+P84LIyc6URfv19lGMgkZkMNjdTbYDtGHSiATyPDwc=
lNX8iDN/gtF2CzrlokJPL1LbFCa4nGjKB6L4ih7Tcg8=
-----END HASH-----
2 changes: 0 additions & 2 deletions scripts/docker_build
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,10 @@ source "$SCRIPTS_DIR/common"
# https://github.com/googleapis/google-cloud-cpp/blob/a186208b79d900b4ec71c6f9df3acf7638f01dc6/ci/kokoro/docker/build.sh#L147-L152
readonly DOCKER_UID="${UID:-0}"
readonly DOCKER_GID="$(id -g)"
readonly DOCKER_USER="${USER:-root}"

docker build \
--cache-from="$DOCKER_IMAGE_NAME:latest" \
--tag="$DOCKER_IMAGE_NAME:latest" \
--build-arg=USERNAME="$DOCKER_USER" \
--build-arg=USER_UID="$DOCKER_UID" \
--build-arg=USER_GID="$DOCKER_GID" \
. 1>&2

0 comments on commit c5b820a

Please sign in to comment.