intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License

Add VM image creation to ansible #23

Closed il-steffen closed 1 year ago

il-steffen commented 2 years ago

For usermode harnesses, we create small VM images using buildroot (the big brother of busybox). The base image with patches+config template should be automated as part of ansible.

Current version: https://github.com/il-steffen/ccc-linux-guest-hardening/blob/run_experiments/bkc/kafl/userspace/gen_buildroot.sh

We need some additional steps based on nyx-packer repo, but they are probably better left for the user/workflow automation. There is only a minor make step here:

  1. "bless" the initrd based on some tools in nyx_packer: https://github.com/il-steffen/ccc-linux-guest-hardening/blob/run_experiments/bkc/kafl/userspace/bless_initrd.sh
  2. generate a corresponding sharedir on the host side which includes additional nyx_packer components: https://github.com/il-steffen/ccc-linux-guest-hardening/blob/run_experiments/bkc/kafl/userspace/gen_sharedir.sh

il-steffen commented 1 year ago

24 switches to busybox and encapsulates initrd creation in make prepare.