aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0

blobs: Update linuxkit binaries to version based on v1.2.0 #626

Closed foersleo closed 1 month ago

foersleo commented 1 month ago

Issue #, if available: -

Description of changes: Pull in updated linuxkit binaries, built reproducibly from https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/commit/d55087f7f405a21220f22ced2ea9b7a438544ee0

blobs: Update linuxkit binaries to version based on v1.2.0

The linuxkit blobs provided as part of this repository have been a sore
point with regards to how these are built and where they come from. This
updates them to a new version that is based on top of the latest
upstream release v1.2.0 and can be reproducibly built from
aws-nitro-enclaves-sdk-bootstrap d55087f7f405 [0].

With the update linuxkit has changed the format of its command line
options from the -<option> format to the --<option> format.
Further, linuxkit introduced functionality to add an SBOM file with
non-deterministic unique IDs, which breaks our image reproducibility.
Pass `--no-sbom` to disable that SBOM creation.

The patches we carry on top of that upstream release are now available
through aws-nitro-enclaves-sdk-bootstrap package, which now also
provides a way to reproducibly build these binaries using nix.

With the update we have cleaned up our downstream patches, which entails
some changes in how we invoke linuxkit:

1) The downstream `prefix` functionality has been moved into the
   configuration yaml files instead of having it as a CLI option.
2) We use a new output type `kernel+initrd-nogz` which produces the
   initrd with cpio instead of the standard cpio.gz.

As we have always had functionally similar patches on top of upstream
linuxkit there are no functional changes.

[0] https://github.com/aws/aws-nitro-enclaves-sdk-bootstrap/commit/d55087f7f405

Testing done:

I ran the testing under script/run_tests.sh on both architectures to ensure the linuxkit update is transparent and produces the same ramdisk files and by extension the same EIF files as without this change.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
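The PR's testing rests on the claim that the rebuilt ramdisks are identical to the old ones, and the commit message names one thing that silently breaks such a comparison (an SBOM carrying unique IDs). The following is an added example, not code from aws-nitro-enclaves-cli, linuxkit or the sdk-bootstrap repository: it parses two uncompressed initrds and reports which entry and which header field differ, which localizes a reproducibility break far faster than a mismatching `sha256sum`. It assumes the `kernel+initrd-nogz` output is a SVR4 "newc" cpio archive (magic `070701`), the format initramfs generators normally emit; the archives it compares are constructed in-line as fixtures.

```python
"""Compare two newc-format cpio initrds entry by entry and field by field.

Added example for this PR page; not project code. Assumes the uncompressed
ramdisk is a SVR4 "newc" cpio archive.
"""

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic followed by 13 fields of 8 ASCII hex digits
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
TRAILER = "TRAILER!!!"


def _pad4(n: int) -> int:
    """newc aligns header+name and file data to 4-byte boundaries."""
    return (n + 3) & ~3


def build_cpio(entries, *, mtime: int = 0, first_ino: int = 0) -> bytes:
    """Construct a newc archive from (name, data) pairs.

    Constructed fixture standing in for a linuxkit ramdisk. mtime and the
    starting inode are caller-chosen so a "non-reproducible" build can be
    simulated by changing them between two calls.
    """
    out = bytearray()

    def emit(ino: int, mode: int, name: str, data: bytes) -> None:
        vals = [ino, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        hdr = NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in vals)
        hdr += name.encode() + b"\0"
        out.extend(hdr + b"\0" * (_pad4(len(hdr)) - len(hdr)))
        out.extend(data + b"\0" * (_pad4(len(data)) - len(data)))

    for i, (name, data) in enumerate(entries):
        emit(first_ino + i, 0o100644, name, data)
    emit(0, 0, TRAILER, b"")
    return bytes(out)


def parse_cpio(blob: bytes) -> list:
    """Return [(name, header_fields, data), ...] in archive order, trailer excluded."""
    entries = []
    off = 0
    while True:
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"not a newc cpio archive at offset {off}")
        raw = blob[off + 6:off + HEADER_LEN]
        fields = {n: int(raw[8 * i:8 * i + 8], 16) for i, n in enumerate(FIELDS)}
        name_off = off + HEADER_LEN
        name = blob[name_off:name_off + fields["namesize"] - 1].decode()
        data_off = _pad4(name_off + fields["namesize"])
        if name == TRAILER:
            return entries
        data = blob[data_off:data_off + fields["filesize"]]
        if len(data) != fields["filesize"]:
            raise ValueError(f"truncated archive at entry {name!r}")
        entries.append((name, fields, data))
        off = _pad4(data_off + fields["filesize"])


def diff_cpio(a: bytes, b: bytes) -> list:
    """List (name, what) pairs where two archives differ.

    ``what`` is "order" (same files, different sequence), a header field name,
    "data", or "missing-in-a"/"missing-in-b". An empty list means every entry,
    header field and payload matches, which is what a reproducible rebuild of
    the same ramdisk must produce.
    """
    ea, eb = parse_cpio(a), parse_cpio(b)
    diffs = []
    if [e[0] for e in ea] != [e[0] for e in eb] and {e[0] for e in ea} == {e[0] for e in eb}:
        diffs.append(("*", "order"))
    da = {name: (fields, data) for name, fields, data in ea}
    db = {name: (fields, data) for name, fields, data in eb}
    for name in sorted(set(da) | set(db)):
        if name not in da:
            diffs.append((name, "missing-in-a"))
        elif name not in db:
            diffs.append((name, "missing-in-b"))
        else:
            (fa, pa), (fb, pb) = da[name], db[name]
            diffs.extend((name, f) for f in FIELDS if fa[f] != fb[f])
            if pa != pb:
                diffs.append((name, "data"))
    return diffs


if __name__ == "__main__":
    # Constructed sample ramdisk contents, not a real linuxkit image.
    files = [("init", b"#!/bin/sh\nexec /sbin/init\n"), ("etc/os-release", b"ID=linuxkit\n")]
    good, again = build_cpio(files), build_cpio(files)
    stamped = build_cpio(files, mtime=1700000000)
    print("rebuild identical:", diff_cpio(good, again) == [])
    print("timestamped build differs in:", diff_cpio(good, stamped))
```

Run over the pre- and post-update ramdisks from `script/run_tests.sh`, an empty result is the "same ramdisk files" claim made checkable; a non-empty one names the culprit directly, for instance a single `data` difference on an SBOM entry whose document IDs change per build, which is exactly the case `--no-sbom` avoids.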