Open gaurav137 opened 2 weeks ago
@KenGordon @SethHollandsworth FYI
Looks like there is a change in behavior around the -d flag which is bringing up this difference.
dmverity-vhd from 0.12.9 hcsshim release behaves the same with or without -d flag:
> ~/dmverity-vhd-hcsshim roothash -i alpine:3.12
Layer 0 root hash: 71702a459fa5e6574337e014d9d3936bcf7cb448aaffe3814883caa01fbb4827
> ~/dmverity-vhd-hcsshim -d roothash -i alpine:3.12
Layer 0 root hash: 71702a459fa5e6574337e014d9d3936bcf7cb448aaffe3814883caa01fbb4827
dmverity-vhd from 1.2 integrity-vhd release does not return root hash with -d flag:
> ~/dmverity-vhd-integrity-vhd roothash -i alpine:3.12
Layer 0 root hash: 71702a459fa5e6574337e014d9d3936bcf7cb448aaffe3814883caa01fbb4827
> ~/dmverity-vhd-integrity-vhd -d roothash -i alpine:3.12
Layer 0 root hash:
Similarly:
# Without -d
> ~/dmverity-vhd-integrity-vhd roothash -i cleanroomregistry.azurecr.io/ccf/app/run-js/snp@sha256:e8d859e3c59bfa8d6b6e2f1bcf1b0c1e65aaa8318f9e0d2b31597ff61c3396dc
Layer 0 root hash: 3f61e43c03c18bda3c34c47a15d4025f4d4f2166e6db4c70218c39e8da8ef8da
Layer 1 root hash: 4dd9e232e51c10ea79612c479315dc931fa19883ae833b51da29326b86dcd2d1
Layer 2 root hash: 896fa45f8fe599a3dd2f964cc3dea6e6359c65e219b36b739bcfdaa3c55e40d3
Layer 3 root hash: 12eb7d5fcfba16426d3fb21557458f6fee2b0a6ebad5c1ad0a5d9a21f931b350
Layer 4 root hash: 3fe7f1c96852c01409ca4e1d44ef32718761de7f2e64e31d827df1a61c6ccca9
Layer 5 root hash: 8b4842f06982817534a75bcf71865213b09dfa8313229c384e5201dadbd75e25
# With -d
> ~/dmverity-vhd-integrity-vhd -d roothash -i cleanroomregistry.azurecr.io/ccf/app/run-js/snp@sha256:e8d859e3c59bfa8d6b6e2f1bcf1b0c1e65aaa8318f9e0d2b31597ff61c3396dc
Layer 0 root hash: 3f61e43c03c18bda3c34c47a15d4025f4d4f2166e6db4c70218c39e8da8ef8da
Layer 1 root hash: 4dd9e232e51c10ea79612c479315dc931fa19883ae833b51da29326b86dcd2d1
Layer 2 root hash: 896fa45f8fe599a3dd2f964cc3dea6e6359c65e219b36b739bcfdaa3c55e40d3
Layer 3 root hash: 12eb7d5fcfba16426d3fb21557458f6fee2b0a6ebad5c1ad0a5d9a21f931b350
Layer 4 root hash: 3fe7f1c96852c01409ca4e1d44ef32718761de7f2e64e31d827df1a61c6ccca9
Layer 5 root hash:
As confcom is invoking the dmverity-vhd tooling with -d, I believe that is the reason that acipolicygen command with the new tooling is showing this behavior.
Thanks for raising an issue, we'll take a look and get back to you
I updated my confcom cli extension to v1.1 and post that noticed that on running acipolicygen on my laptop the layers section in the output rego was having empty entries. On some debugging I noticed the change in where the dmverity-vhd image is getting picked from in the CLI:
On experimenting with invoking dmverity-vhd -i here is the difference when using the binary from the hcsshim release url vs the integrity-vhd release url:
Below is what comes with confcom 1.1:
Below is the output of downloading the binary from https://github.com/microsoft/hcsshim/releases/download/v0.12.9/dmverity-vhd:
Filing the issue to check why the tool from integrity-vhd release path is not behaving as expected.
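An added example, not code from confcom, hcsshim or integrity-vhd: a check that a caller of the roothash subcommand could run over the output quoted in this thread, so that an empty "Layer N root hash:" line stops policy generation instead of ending up as an empty layer entry in the rego. The function names are hypothetical, and the 64-character hex format is an assumption taken from the hashes shown in the thread.

```python
import re

# Line format as it appears in the tool output quoted in this issue.
LAYER_RE = re.compile(r"Layer (\d+) root hash:\s*(\S*)")
# Assumption: root hashes are 64 lowercase hex characters, as in the thread.
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def parse_roothash_output(text):
    """Return {layer_index: hash_or_empty_string} from roothash output."""
    layers = {}
    for line in text.splitlines():
        m = LAYER_RE.fullmatch(line.strip())
        if m:
            layers[int(m.group(1))] = m.group(2)
    return layers


def find_bad_layers(layers):
    """List problems that should make the caller fail closed."""
    if not layers:
        return ["no layer lines found"]
    problems = []
    for idx in range(max(layers) + 1):
        if idx not in layers:
            problems.append(f"layer {idx}: missing line")
        elif layers[idx] == "":
            problems.append(f"layer {idx}: empty root hash")
        elif not SHA256_HEX.fullmatch(layers[idx]):
            problems.append(f"layer {idx}: not a 64-char hex digest")
    return problems


def diff_runs(a, b):
    """Layer indices whose hash differs between two runs of the tool."""
    return sorted(i for i in set(a) | set(b) if a.get(i) != b.get(i))


# Sample input: the alpine:3.12 output quoted in the thread, without and with -d.
H = "71702a459fa5e6574337e014d9d3936bcf7cb448aaffe3814883caa01fbb4827"
WITHOUT_D = f"Layer 0 root hash: {H}\n"
WITH_D = "Layer 0 root hash: \n"

if __name__ == "__main__":
    good = parse_roothash_output(WITHOUT_D)
    bad = parse_roothash_output(WITH_D)
    print(find_bad_layers(good), find_bad_layers(bad), diff_runs(good, bad))
```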