├── env_files
├── bob_yocto_build_config.env
├── tdx-base_yocto_build_config.env
└── buildernet_yocto_build_config.env
├── reproducible-build
├── measure.sh
├── Dockerfile
├── build.sh
└── measurements.Dockerfile
├── config_files
├── Makefile
├── tdx-base
│ ├── README.md
│ ├── setup
│ └── patches
│ │ └── patch-local.conf
├── tdx-bob
│ ├── README.md
│ ├── setup
│ └── patches
│ │ └── patch-local.conf
└── tdx-buildernet
│ ├── README.md
│ ├── setup
│ └── patches
│ └── patch-local.conf
├── tdx-base.xml
├── LICENSE
├── tdx-bob.xml
├── tdx-buildernet.xml
├── Makefile
└── README.md
/env_files/bob_yocto_build_config.env:
--------------------------------------------------------------------------------
# SSH public key that is authorized for searcher access on the BOB image.
# Left empty in the repository on purpose: it must be filled in before
# `make image-bob` (see config_files/tdx-bob/README.md). Passed into the
# builder container via `docker run --env-file`.
SEARCHER_SSH_KEY=

--------------------------------------------------------------------------------
/env_files/tdx-base_yocto_build_config.env:
--------------------------------------------------------------------------------
# Build settings for the tdx-base profile, passed to the builder container via
# `docker run --env-file` (see config_files/tdx-base/README.md).
# Debug features are on for this base profile; the buildernet profile sets 0.
DEBUG_TWEAKS_ENABLED=1
# Disk encryption key storage location; intentionally unset for the base profile
# (the buildernet profile uses "file").
# DISK_ENCRYPTION_KEY_STORAGE=

--------------------------------------------------------------------------------
/reproducible-build/measure.sh:
--------------------------------------------------------------------------------
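#!/bin/bash
# Entry point of the yocto-measurements container: computes the expected boot
# measurements for every .vhd image found in /artifacts and writes them next to
# the images as measurement-<image>.json.
#
# Mounts (see the top-level Makefile): /build holds the checked-out Yocto tree,
# /artifacts holds the images produced by the builder container.
set -eo pipefail

# The helper scripts behind measured-boot expect the Yocto build environment.
source /build/srcs/poky/oe-init-build-env

for image in /artifacts/*.vhd; do
    # An unmatched glob is passed through literally; skip it instead of handing
    # a non-existent path to measured-boot.
    [[ -e "$image" ]] || continue

    # Image name with every extension removed (everything from the first dot).
    base=$(basename -- "$image")
    image_name=${base%%.*}
    output_file="measurement-${image_name}.json"

    /app/measured-boot "$image" "/artifacts/${output_file}"
done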
--------------------------------------------------------------------------------
/reproducible-build/Dockerfile:
--------------------------------------------------------------------------------
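# syntax=docker/dockerfile:1
# Builder container for the Yocto images. The base image is pinned by digest so
# the toolchain that produces the image is itself fixed.
FROM docker.io/crops/poky@sha256:f51ae3279f98768514273061336421e686e13d0a42fdb056c0b88c9afeec8c56 AS builder

# Root is required to install packages below. NOTE(review): the crops/poky
# entrypoint is believed to switch to an unprivileged user before running CMD,
# which is why no USER is set afterwards — confirm for this digest.
USER root
# `repo` is used by build.sh to fetch the layer manifest. update and install in
# one layer, and drop the apt lists so they are not baked into the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends repo \
    && rm -rf /var/lib/apt/lists/*

# COPY (not ADD) for a plain local file; --chmod replaces the extra chmod layer.
COPY --chmod=0755 build.sh /usr/bin/build

# Manifest file name (e.g. tdx-buildernet.xml) and git ref of this repository.
# Both are passed by the top-level Makefile via --build-arg and consumed by
# build.sh through the environment.
ARG MANIFEST
ARG REVISION=main
ENV MANIFEST_FILE=${MANIFEST} \
    REVISION=${REVISION}

# Exec form: no intermediate /bin/sh, so the script receives container signals.
CMD ["/usr/bin/build"]
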
--------------------------------------------------------------------------------
/reproducible-build/build.sh:
--------------------------------------------------------------------------------
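#!/bin/bash
# Entry point of the yocto-builder container (see Dockerfile): fetches the layer
# manifest with `repo`, runs the profile's setup and bitbake, and copies the
# resulting images into /artifacts.
#
# Inputs (environment, set by the Dockerfile):
#   REVISION       git ref of the yocto-manifests repository
#   MANIFEST_FILE  manifest name, e.g. tdx-bob.xml
# Mounts: /build (sources and bitbake output), /artifacts (image output).
set -eo pipefail

# Fail early with a clear message instead of letting `repo init` choke on an
# empty -m / -b argument.
: "${MANIFEST_FILE:?MANIFEST_FILE must be set (docker build --build-arg MANIFEST=...)}"
: "${REVISION:?REVISION must be set}"

# Pre-seed github.com's host key so git-over-ssh never prompts.
# NOTE(review): this is trust-on-first-use — whatever key the network returns at
# build time is accepted; pinning the known host key would remove that step.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keyscan github.com >> ~/.ssh/known_hosts

# repo/git need an identity for the local commits they create; placeholders suffice.
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git config --global color.ui true

cd /build

repo init -u https://github.com/flashbots/yocto-manifests.git -b "${REVISION}" -m "${MANIFEST_FILE}"
repo sync

# The profile setup is sourced, not executed, because it sources
# oe-init-build-env and the build below needs that environment. It is
# best-effort: on an existing tree it fails on already-added layers/patches.
source setup || true

# Keep going on failure so partial bitbake output is still copied out for
# inspection, but remember the status instead of discarding it.
build_status=0
make build || build_status=$?

cp --dereference /build/srcs/poky/build/tmp/deploy/images/tdx/* /artifacts/.

# Propagate the build result so callers (the Makefile) do not mistake stale or
# partial artifacts for a successful build.
exit "${build_status}"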
--------------------------------------------------------------------------------
/config_files/Makefile:
--------------------------------------------------------------------------------
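# Profile-level Makefile, run from the checked-out tree (srcs/ next to it).
# build.sh sources the profile's `setup` script, which sources
# oe-init-build-env, before invoking `make build`.
.PHONY: build gen-measurements

# Build the Azure TDX image with bitbake.
build:
	cd srcs/poky/ && bitbake cvm-image-azure

# Run every precalculate_pcr* script shipped by meta-confidential-compute against
# the built image; each writes measurements/<name>_output.json, where <name> is
# the script name without the "precalculate_" prefix and ".sh" suffix.
# $(CURDIR) is make's own working directory, so no extra `pwd` shell is needed.
gen-measurements:
	mkdir -p measurements
	CURRENT_DIR=$(CURDIR) && \
	IMAGE_DIR="$$CURRENT_DIR/srcs/poky/build/tmp/deploy/images/tdx" && \
	cd srcs/poky/meta-confidential-compute/scripts/measured-boot && \
	for script in precalculate_pcr*; do \
		output_file="$$CURRENT_DIR/measurements/$$(basename "$$script" .sh | sed 's/precalculate_//')_output.json"; \
		./"$$script" "$$IMAGE_DIR/cvm-image-azure-tdx.rootfs.wic.vhd" "$$output_file" >/dev/null; \
	done
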
--------------------------------------------------------------------------------
/env_files/buildernet_yocto_build_config.env:
--------------------------------------------------------------------------------
# Build settings for the tdx-buildernet profile, passed to the builder container
# via `docker run --env-file` (see config_files/tdx-buildernet/README.md).
# Debug features off for this profile.
DEBUG_TWEAKS_ENABLED=0
# Ship the rclone tool in the image.
INCLUDE_RCLONE=1
# Builder initialization config endpoint (https).
INIT_CONFIG_URL=https://hub-atls.builder.flashbots.net
# Disk encryption key storage location.
DISK_ENCRYPTION_KEY_STORAGE=file
# SSH public key granted access to the image. NOTE(review): `docker run --env-file`
# does not strip quotation marks, so the surrounding double quotes become part of
# the value — confirm the consuming recipe expects them.
SSH_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0pOBvkodollnRqGkt4A1Kw75wWy4vOvH1ftDiE7S4XRI/NckSsyfNJUfjBsSElDqeKF0lNRFtSSyXKjSofT+ESfuOsTQgm+HqZUx8yjog06kBI6n9wsWQ2iVcWGe1tOroKiNUhMJzUtLgmiz2t9aTvj1xdLAwexwRR2g0nMHYMI3UAi05bF0Qzj2YMCLG9QRgoLsHjquhvFgyxOXeo7Ht8G1C0YEqy9+TuH+/x3JqzJj+rmGHWnLX17T/GI08QYEojTtcu8oUd/c9ojSuVhZ0XRmmslZj4GH9NnN2JqC4TdE7AdTGcH4n7tZKtYkvUhSdJxMh+asEg65PJu/+R8wN+6Bdozvj44qxiTN3iAYUg5r9kah3oIEfgYSeOvKge8WCkqqk0+9c8bgCkgRtdTcJKy61Z3tOYhJjh9lUURIVBNsIUz6lKpt2TmRJXVL8ZeP36Iur0SLGMbjOb50DPWZ/bRO35UG0IPfzousSQHiX4wqk/UXdGPe2bDc5QN8d5jE= buildernet@flashbots.net"
# Logical unit number of the attached disk.
TARGET_LUN=10

--------------------------------------------------------------------------------
/reproducible-build/measurements.Dockerfile:
--------------------------------------------------------------------------------
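# syntax=docker/dockerfile:1
# Stage 1: build the measured-boot tool that computes the expected boot
# measurements for the produced disk images.
FROM golang:1.22 AS builder
# Version string embedded into the binary (main.version).
ARG VERSION
# Git ref (tag or commit) of measured-boot to build. Empty keeps the clone's
# default branch, as before; pin it so the measurement tool itself is reproducible.
ARG MEASURED_BOOT_REF=
WORKDIR /build
RUN git clone https://github.com/flashbots/measured-boot.git /build \
    && if [ -n "${MEASURED_BOOT_REF}" ]; then git checkout --detach "${MEASURED_BOOT_REF}"; fi
# -trimpath keeps build paths out of the binary; the cache mount lives on the
# build host only and never enters the image.
RUN --mount=type=cache,target=/root/.cache/go-build \
    CGO_ENABLED=0 GOOS=linux \
    go build \
        -trimpath \
        -ldflags "-s -X main.version=${VERSION}" \
        -v \
        -o measured-boot \
        measured-boot.go

# Stage 2: runtime image with the host tools measure.sh / measured-boot need.
FROM ubuntu:22.04
WORKDIR /app

# update and install in one layer; drop the apt lists so they do not bloat the
# image. Recommended packages are kept on purpose (unchanged from before).
RUN apt-get update \
    && apt-get install -y \
        libssl-dev \
        mtools \
        parted \
        python3 \
        python3-pip \
    && rm -rf /var/lib/apt/lists/*
# NOTE(review): signify is unpinned, so this layer is not reproducible; pin a
# version once the required one is known.
RUN pip install --no-cache-dir signify

COPY --from=builder /build/measured-boot /app/measured-boot
# COPY (not ADD) for a plain local file; --chmod replaces the extra chmod layer.
COPY --chmod=0755 ./measure.sh /app/measure

# No USER is set, so the container runs as root. NOTE(review): consider a
# dedicated user once measure.sh is confirmed to work unprivileged.
CMD ["/app/measure"]
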
--------------------------------------------------------------------------------
/tdx-base.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2024 Flashbots
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/config_files/tdx-base/README.md:
--------------------------------------------------------------------------------
1 | # TDX Base Profile
2 |
3 | This is the minimal TEE-enabled profile that serves as a foundation for other specialized images. It provides basic AMD SEV-SNP/TDX support with essential security features.
4 |
5 | ## Features
6 | - Basic AMD SEV-SNP/TDX support
7 | - TPM2 integration
8 | - Minimal system footprint
9 |
10 | ## Included Layers
11 | - meta-confidential-compute: Core confidential computing support
12 | - meta-openembedded: Basic system utilities and libraries
13 | - poky: Base Yocto distribution
14 |
15 | ## Build Configuration
16 | - Image Type: `cvm-image-azure`
17 | - Package Format: IPK
18 | - Supported Machine: tdx
19 | - Distribution: cvm
20 |
21 | ## Environment Variables
22 | The following environment variables can be set to customize the build:
23 | - `DEBUG_TWEAKS_ENABLED`: Enable debug features (default: 1)
24 | - `DISK_ENCRYPTION_KEY_STORAGE`: Configure disk encryption key storage location (optional)
25 | - `TARGET_LUN`: The logical unit number of the attached disk (optional, default: 10)
26 |
27 | ## Usage
28 | ```bash
29 | make image-base
30 | ```
31 |
32 | For measurement generation:
33 | ```bash
34 | make measurements-base
35 | ```
36 |
37 | Build artifacts will be available in `reproducible-build/artifacts-base/`.
38 |
--------------------------------------------------------------------------------
/config_files/tdx-bob/README.md:
--------------------------------------------------------------------------------
1 | # TDX BOB (Builder/Searcher) Profile
2 |
3 | This profile creates a specialized image for running searcher nodes in confidential compute environments. It includes podman support and searcher-specific configurations.
4 |
5 | ## Features
6 | - AMD SEV-SNP/TDX support
7 | - Secure container runtime isolation via podman
8 | - SSH key-based authentication
9 | - TPM2 measurements and attestation
10 |
11 | ## Included Layers
12 | - meta-confidential-compute: Core confidential computing support
13 | - meta-openembedded: System utilities and libraries
14 | - meta-secure-core: Security features
15 | - meta-virtualization: Container support
16 | - meta-custom-podman: Customized podman configuration
17 | - meta-searcher: Searcher-specific features
18 | - poky: Base Yocto distribution
19 |
20 | ## Build Configuration
21 | - Image Type: `cvm-image-azure`
22 | - Package Format: IPK
23 | - Supported Machine: tdx
24 | - Distribution: cvm
25 |
26 | ## Required Configuration
27 | Before building, you must set the following in env_files/bob_yocto_build_config.env:
28 | - `SEARCHER_SSH_KEY`: SSH public key for searcher access (required)
29 |
30 | ## Usage
31 | ```bash
32 | # First set SEARCHER_SSH_KEY in env_files/bob_yocto_build_config.env
33 | make image-bob
34 | ```
35 |
36 | For measurement generation:
37 | ```bash
38 | make measurements-bob
39 | ```
40 |
41 | Build artifacts will be available in `reproducible-build/artifacts-bob/`.
42 |
43 | ## Notes
44 | - Ensure SSH key is properly configured before building
45 | - The image is optimized for searcher workloads
46 | - Includes container management capabilities
47 |
--------------------------------------------------------------------------------
/config_files/tdx-base/setup:
--------------------------------------------------------------------------------
#!/bin/bash

# An optional leading -v/--verbose flag switches progress messages on.
verbose=0
case "$1" in
    -v|--verbose)
        verbose=1
        # Drop the flag so the remaining positional parameters are untouched.
        shift
        ;;
esac

# Print a progress message, but only when verbose mode was requested.
verbose_output() {
    if (( verbose == 1 )); then
        echo "$1"
    fi
}
17 |
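# Set CURRENT_PATH to the current working directory
CURRENT_PATH=$(pwd)
verbose_output "Set CURRENT_PATH to $CURRENT_PATH"

# Switch to the oe-init-build-env directory (quoted: paths may contain spaces)
pushd "$CURRENT_PATH/srcs/poky/"
verbose_output "Switched to $(pwd)"

# Source the oe-init-build-env script. It sets up the build environment in the
# calling shell, which is why build.sh sources this script instead of running it.
source oe-init-build-env
verbose_output "Sourced the oe-init-build-env script"

# Add the meta-confidential-compute layer to bblayers.conf
bitbake-layers add-layer ../meta-confidential-compute
verbose_output "Added the meta-confidential-compute layer to bblayers.conf"

# Return to the original directory
popd
verbose_output "Returned to $(pwd)"

# Apply patches: patches/patch-<name> is applied to srcs/poky/build/conf/<name>
for patch in "$CURRENT_PATH"/srcs/yocto-manifests/config_files/tdx-base/patches/patch-*; do
    # An unmatched glob is passed through literally; skip it rather than calling patch on it
    [[ -e "$patch" ]] || continue

    # Extract the filename from the patch file and remove the "patch-" prefix
    filename=$(basename -- "$patch" | sed 's/^patch-//')
    verbose_output "Processing patch file $patch"

    # -N (--forward) skips hunks that look already applied, so re-running on an
    # existing tree does not re-apply them (patch then exits non-zero for the skipped ones)
    patch -N "$CURRENT_PATH/srcs/poky/build/conf/$filename" -i "$patch"
    verbose_output "Applied patch to $CURRENT_PATH/srcs/poky/build/conf/$filename"
done
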
--------------------------------------------------------------------------------
/config_files/tdx-buildernet/README.md:
--------------------------------------------------------------------------------
1 | # TDX BuilderNet Profile
2 |
3 | This profile creates an image to run as part of [BuilderNet](https://buildernet.org/). Includes Lighthouse, Reth, and rbuilder.
4 |
5 | ## Features
6 | - AMD SEV-SNP/TDX support
7 | - Rust/Clang toolchain support
8 | - EVM integration
9 | - Observability tools
10 | - Secure container runtime isolation via podman
11 | - Builder/validator configuration
12 |
13 | ## Included Layers
14 | - meta-confidential-compute: Core confidential computing support
15 | - meta-openembedded: System utilities and libraries
16 | - meta-secure-core: Security features
17 | - meta-virtualization: Container support
18 | - meta-clang: LLVM/Clang compiler support
19 | - meta-evm: Ethereum Virtual Machine support
20 | - meta-rust-bin: Rust toolchain
21 | - meta-observability: Monitoring tools
22 | - meta-custom-podman: Container runtime
23 | - poky: Base Yocto distribution
24 |
25 | ## Build Configuration
26 | - Image Type: `cvm-image-azure`
27 | - Package Format: IPK
28 | - Supported Machine: tdx
29 | - Distribution: cvm
30 |
31 | ## Environment Variables
32 | The following environment variables can be set in env_files/buildernet_yocto_build_config.env:
33 | - `DEBUG_TWEAKS_ENABLED`: Enable debug features (default: 1)
34 | - `INCLUDE_RCLONE`: Include rclone tool (default: 1)
35 | - `INIT_CONFIG_URL`: Builder initialization config URL
36 | - `DISK_ENCRYPTION_KEY_STORAGE`: Configure disk encryption key storage location (optional)
37 | - `SSH_PUBKEY`: SSH public key for access (optional)
38 | - `TARGET_LUN`: The logical unit number of the attached disk (optional, default: 10)
39 |
40 | ## Usage
41 | ```bash
42 | make image-buildernet
43 | ```
44 |
45 | For measurement generation:
46 | ```bash
47 | make measurements-buildernet
48 | ```
49 |
50 | Build artifacts will be available in `reproducible-build/artifacts-buildernet/`.
51 |
52 | ## Notes
53 | - Includes full development toolchain
54 | - Enhanced monitoring capabilities
55 | - Container support for service isolation
56 |
--------------------------------------------------------------------------------
/tdx-bob.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/tdx-buildernet.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/config_files/tdx-bob/setup:
--------------------------------------------------------------------------------
#!/bin/bash

# An optional leading -v/--verbose flag switches progress messages on.
verbose=0
case "$1" in
    -v|--verbose)
        verbose=1
        # Drop the flag so the remaining positional parameters are untouched.
        shift
        ;;
esac

# Print a progress message, but only when verbose mode was requested.
verbose_output() {
    if (( verbose == 1 )); then
        echo "$1"
    fi
}
17 |
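# Set CURRENT_PATH to the current working directory
CURRENT_PATH=$(pwd)
verbose_output "Set CURRENT_PATH to $CURRENT_PATH"

# Switch to the oe-init-build-env directory (quoted: paths may contain spaces)
pushd "$CURRENT_PATH/srcs/poky/"
verbose_output "Switched to $(pwd)"

# Source the oe-init-build-env script. It sets up the build environment in the
# calling shell, which is why build.sh sources this script instead of running it.
source oe-init-build-env
verbose_output "Sourced the oe-init-build-env script"

# Add the necessary layers to bblayers.conf
bitbake-layers add-layer ../meta-openembedded/meta-oe
bitbake-layers add-layer ../meta-openembedded/meta-python
bitbake-layers add-layer ../meta-openembedded/meta-networking
bitbake-layers add-layer ../meta-openembedded/meta-filesystems
verbose_output "Added the meta-openembedded layers to bblayers.conf"

bitbake-layers add-layer ../meta-virtualization
verbose_output "Added the meta-virtualization layer to bblayers.conf"

bitbake-layers add-layer ../meta-secure-core/meta-tpm2
verbose_output "Added the meta-tpm2 layer to bblayers.conf"

bitbake-layers add-layer ../meta-confidential-compute
verbose_output "Added the meta-confidential-compute layer to bblayers.conf"

bitbake-layers add-layer ../meta-custom-podman
verbose_output "Added the meta-custom-podman layer to bblayers.conf"

bitbake-layers add-layer ../meta-searcher
verbose_output "Added the meta-searcher layer to bblayers.conf"

bitbake-layers add-layer ../meta-rust-bin
verbose_output "Added the meta-rust-bin layer to bblayers.conf"

bitbake-layers add-layer ../meta-clang
verbose_output "Added the meta-clang layer to bblayers.conf"

# Return to the original directory
popd
verbose_output "Returned to $(pwd)"

# Apply patches: patches/patch-<name> is applied to srcs/poky/build/conf/<name>
for patch in "$CURRENT_PATH"/srcs/yocto-manifests/config_files/tdx-bob/patches/patch-*; do
    # An unmatched glob is passed through literally; skip it rather than calling patch on it
    [[ -e "$patch" ]] || continue

    # Extract the filename from the patch file and remove the "patch-" prefix
    filename=$(basename -- "$patch" | sed 's/^patch-//')
    verbose_output "Processing patch file $patch"

    # -N (--forward) skips hunks that look already applied, so re-running on an
    # existing tree does not re-apply them (patch then exits non-zero for the skipped ones)
    patch -N "$CURRENT_PATH/srcs/poky/build/conf/$filename" -i "$patch"
    verbose_output "Applied patch to $CURRENT_PATH/srcs/poky/build/conf/$filename"
done
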
--------------------------------------------------------------------------------
/config_files/tdx-buildernet/setup:
--------------------------------------------------------------------------------
#!/bin/bash

# An optional leading -v/--verbose flag switches progress messages on.
verbose=0
case "$1" in
    -v|--verbose)
        verbose=1
        # Drop the flag so the remaining positional parameters are untouched.
        shift
        ;;
esac

# Print a progress message, but only when verbose mode was requested.
verbose_output() {
    if (( verbose == 1 )); then
        echo "$1"
    fi
}
17 |
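# Set CURRENT_PATH to the current working directory
CURRENT_PATH=$(pwd)
verbose_output "Set CURRENT_PATH to $CURRENT_PATH"

# Switch to the oe-init-build-env directory (quoted: paths may contain spaces)
pushd "$CURRENT_PATH/srcs/poky/"
verbose_output "Switched to $(pwd)"

# Source the oe-init-build-env script. It sets up the build environment in the
# calling shell, which is why build.sh sources this script instead of running it.
source oe-init-build-env
verbose_output "Sourced the oe-init-build-env script"

# Add the necessary layers to bblayers.conf
bitbake-layers add-layer ../meta-openembedded/meta-oe
bitbake-layers add-layer ../meta-openembedded/meta-python
bitbake-layers add-layer ../meta-openembedded/meta-networking
bitbake-layers add-layer ../meta-openembedded/meta-filesystems
verbose_output "Added the meta-openembedded layers to bblayers.conf"

bitbake-layers add-layer ../meta-virtualization
verbose_output "Added the meta-virtualization layer to bblayers.conf"

bitbake-layers add-layer ../meta-secure-core/meta-tpm2
verbose_output "Added the meta-tpm2 layer to bblayers.conf"

bitbake-layers add-layer ../meta-confidential-compute
verbose_output "Added the meta-confidential-compute layer to bblayers.conf"

bitbake-layers add-layer ../meta-evm
verbose_output "Added the meta-evm layer to bblayers.conf"

bitbake-layers add-layer ../meta-rust-bin
verbose_output "Added the meta-rust-bin layer to bblayers.conf"

bitbake-layers add-layer ../meta-clang
verbose_output "Added the meta-clang layer to bblayers.conf"

bitbake-layers add-layer ../meta-observability
verbose_output "Added the meta-observability layer to bblayers.conf"

bitbake-layers add-layer ../meta-custom-podman
verbose_output "Added the meta-custom-podman layer to bblayers.conf"

# Return to the original directory
popd
verbose_output "Returned to $(pwd)"

# Apply patches: patches/patch-<name> is applied to srcs/poky/build/conf/<name>
for patch in "$CURRENT_PATH"/srcs/yocto-manifests/config_files/tdx-buildernet/patches/patch-*; do
    # An unmatched glob is passed through literally; skip it rather than calling patch on it
    [[ -e "$patch" ]] || continue

    # Extract the filename from the patch file and remove the "patch-" prefix
    filename=$(basename -- "$patch" | sed 's/^patch-//')
    verbose_output "Processing patch file $patch"

    # -N (--forward) skips hunks that look already applied, so re-running on an
    # existing tree does not re-apply them (patch then exits non-zero for the skipped ones)
    patch -N "$CURRENT_PATH/srcs/poky/build/conf/$filename" -i "$patch"
    verbose_output "Applied patch to $CURRENT_PATH/srcs/poky/build/conf/$filename"
done
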
--------------------------------------------------------------------------------
/config_files/tdx-base/patches/patch-local.conf:
--------------------------------------------------------------------------------
1 | --- conf/local.conf 2024-06-03 15:49:59.294281280 +0000
2 | +++ /home/ubuntu/poky/build/conf/local.conf 2024-06-03 10:16:24.809382127 +0000
3 | @@ -36,7 +36,7 @@
4 | #MACHINE ?= "genericx86-64"
5 | #
6 | # This sets the default machine to be qemux86-64 if no other machine is selected:
7 | -MACHINE ??= "qemux86-64"
8 | +#MACHINE ??= "qemux86-64"
9 |
10 | # These are some of the more commonly used values. Looking at the files in the
11 | # meta/conf/machine directory, or the conf/machine directory of any additional layers
12 | @@ -91,7 +91,7 @@
13 | # Ultimately when creating custom policy, people will likely end up subclassing
14 | # these defaults.
15 | #
16 | -DISTRO ?= "poky"
17 | +#DISTRO ?= "poky"
18 | # As an example of a subclass there is a "bleeding" edge policy configuration
19 | # where many versions are set to the absolute latest code from the upstream
20 | # source control systems. This is just mentioned here as an example, its not
21 | @@ -110,7 +110,7 @@
22 | # - 'package_rpm' for rpm style packages
23 | # E.g.: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk"
24 | # OE-Core defaults to ipkg, whilst Poky defaults to rpm:
25 | -# PACKAGE_CLASSES ?= "package_rpm"
26 | +PACKAGE_CLASSES ?= "package_ipk"
27 |
28 | #
29 | # SDK target architecture
30 | @@ -238,8 +238,8 @@
31 | # (CDN) kindly provided by JSDelivr, uncomment one of the SSTATE_MIRRORS lines, not both.
32 | # Using the CDN rather than the yoctoproject.org address is suggested/preferred.
33 | #
34 | -#BB_HASHSERVE_UPSTREAM = 'wss://hashserv.yoctoproject.org/ws'
35 | -#SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
36 | +BB_HASHSERVE_UPSTREAM = 'wss://hashserv.yoctoproject.org/ws'
37 | +SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
38 | #
39 | ###SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
40 |
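Review bot: The enabled SSTATE_MIRRORS line points at a plain http:// URL, and since shared-state objects stand in for locally built task output, the image this repository calls reproducible — and the measurements derived from it — then depends on whatever that mirror serves over an unauthenticated channel. That trust dependency is worth either removing or stating: use an https:// mirror URL if the CDN offers one, or leave `SSTATE_MIRRORS` commented out for release builds with a comment such as `# sstate mirror disabled for attested builds: output must not depend on mirror content`. The same hunk is present in tdx-bob/patches/patch-local.conf and tdx-buildernet/patches/patch-local.conf.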
41 | @@ -249,7 +249,7 @@
42 | #
43 | # By default native qemu will build with a builtin VNC server where graphical output can be
44 | # seen. The line below enables the SDL UI frontend too.
45 | -PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
46 | +# PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
47 | # By default libsdl2-native will be built, if you want to use your host's libSDL instead of
48 | # the minimal libsdl built by libsdl2-native then uncomment the ASSUME_PROVIDED line below.
49 | #ASSUME_PROVIDED += "libsdl2-native"
50 | @@ -269,8 +269,8 @@
51 | #
52 | # A shared hash equivalent server can be set with ":" format
53 | #
54 | -#BB_HASHSERVE = "auto"
55 | -#BB_SIGNATURE_HANDLER = "OEEquivHash"
56 | +BB_HASHSERVE = "auto"
57 | +BB_SIGNATURE_HANDLER = "OEEquivHash"
58 |
59 | #
60 | # Memory Resident Bitbake
61 | @@ -286,3 +286,9 @@
62 | # track the version of this file when it was generated. This can safely be ignored if
63 | # this doesn't mean anything to you.
64 | CONF_VERSION = "2"
65 | +MACHINE_FEATURES_NATIVE:append = " efi"
66 | +MACHINE_FEATURES:append = " efi"
67 | +EXTRA_IMAGEDEPENDS += "ovmf"
68 | +
69 | +MACHINE ?= "tdx"
70 | +DISTRO ?= "cvm"
71 |
--------------------------------------------------------------------------------
/config_files/tdx-bob/patches/patch-local.conf:
--------------------------------------------------------------------------------
1 | --- conf/local.conf 2024-06-03 15:49:59.294281280 +0000
2 | +++ /home/ubuntu/poky/build/conf/local.conf 2024-06-03 10:16:24.809382127 +0000
3 | @@ -36,7 +36,7 @@
4 | #MACHINE ?= "genericx86-64"
5 | #
6 | # This sets the default machine to be qemux86-64 if no other machine is selected:
7 | -MACHINE ??= "qemux86-64"
8 | +#MACHINE ??= "qemux86-64"
9 |
10 | # These are some of the more commonly used values. Looking at the files in the
11 | # meta/conf/machine directory, or the conf/machine directory of any additional layers
12 | @@ -91,7 +91,7 @@
13 | # Ultimately when creating custom policy, people will likely end up subclassing
14 | # these defaults.
15 | #
16 | -DISTRO ?= "poky"
17 | +#DISTRO ?= "poky"
18 | # As an example of a subclass there is a "bleeding" edge policy configuration
19 | # where many versions are set to the absolute latest code from the upstream
20 | # source control systems. This is just mentioned here as an example, its not
21 | @@ -110,7 +110,7 @@
22 | # - 'package_rpm' for rpm style packages
23 | # E.g.: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk"
24 | # OE-Core defaults to ipkg, whilst Poky defaults to rpm:
25 | -# PACKAGE_CLASSES ?= "package_rpm"
26 | +PACKAGE_CLASSES ?= "package_ipk"
27 |
28 | #
29 | # SDK target architecture
30 | @@ -238,8 +238,8 @@
31 | # (CDN) kindly provided by JSDelivr, uncomment one of the SSTATE_MIRRORS lines, not both.
32 | # Using the CDN rather than the yoctoproject.org address is suggested/preferred.
33 | #
34 | -#BB_HASHSERVE_UPSTREAM = 'wss://hashserv.yoctoproject.org/ws'
35 | -#SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
36 | +BB_HASHSERVE_UPSTREAM = 'wss://hashserv.yoctoproject.org/ws'
37 | +SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
38 | #
39 | ###SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
40 |
41 | @@ -249,7 +249,7 @@
42 | #
43 | # By default native qemu will build with a builtin VNC server where graphical output can be
44 | # seen. The line below enables the SDL UI frontend too.
45 | -PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
46 | +# PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
47 | # By default libsdl2-native will be built, if you want to use your host's libSDL instead of
48 | # the minimal libsdl built by libsdl2-native then uncomment the ASSUME_PROVIDED line below.
49 | #ASSUME_PROVIDED += "libsdl2-native"
50 | @@ -269,8 +269,8 @@
51 | #
52 | # A shared hash equivalent server can be set with ":" format
53 | #
54 | -#BB_HASHSERVE = "auto"
55 | -#BB_SIGNATURE_HANDLER = "OEEquivHash"
56 | +BB_HASHSERVE = "auto"
57 | +BB_SIGNATURE_HANDLER = "OEEquivHash"
58 |
59 | #
60 | # Memory Resident Bitbake
61 | @@ -286,3 +286,10 @@
62 | # track the version of this file when it was generated. This can safely be ignored if
63 | # this doesn't mean anything to you.
64 | CONF_VERSION = "2"
65 | +MACHINE_FEATURES_NATIVE:append = " efi"
66 | +MACHINE_FEATURES:append = " efi"
67 | +EXTRA_IMAGEDEPENDS += "ovmf"
68 | +
69 | +MACHINE ?= "tdx"
70 | +DISTRO ?= "cvm"
71 | +DISTRO_FEATURES:append = " podman searcher"
72 |
--------------------------------------------------------------------------------
/config_files/tdx-buildernet/patches/patch-local.conf:
--------------------------------------------------------------------------------
1 | --- conf/local.conf 2024-06-03 15:49:59.294281280 +0000
2 | +++ /home/ubuntu/poky/build/conf/local.conf 2024-06-03 10:16:24.809382127 +0000
3 | @@ -36,7 +36,7 @@
4 | #MACHINE ?= "genericx86-64"
5 | #
6 | # This sets the default machine to be qemux86-64 if no other machine is selected:
7 | -MACHINE ??= "qemux86-64"
8 | +#MACHINE ??= "qemux86-64"
9 |
10 | # These are some of the more commonly used values. Looking at the files in the
11 | # meta/conf/machine directory, or the conf/machine directory of any additional layers
12 | @@ -91,7 +91,7 @@
13 | # Ultimately when creating custom policy, people will likely end up subclassing
14 | # these defaults.
15 | #
16 | -DISTRO ?= "poky"
17 | +#DISTRO ?= "poky"
18 | # As an example of a subclass there is a "bleeding" edge policy configuration
19 | # where many versions are set to the absolute latest code from the upstream
20 | # source control systems. This is just mentioned here as an example, its not
21 | @@ -110,7 +110,7 @@
22 | # - 'package_rpm' for rpm style packages
23 | # E.g.: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk"
24 | # OE-Core defaults to ipkg, whilst Poky defaults to rpm:
25 | -# PACKAGE_CLASSES ?= "package_rpm"
26 | +PACKAGE_CLASSES ?= "package_ipk"
27 |
28 | #
29 | # SDK target architecture
30 | @@ -238,8 +238,8 @@
31 | # (CDN) kindly provided by JSDelivr, uncomment one of the SSTATE_MIRRORS lines, not both.
32 | # Using the CDN rather than the yoctoproject.org address is suggested/preferred.
33 | #
34 | -#BB_HASHSERVE_UPSTREAM = 'wss://hashserv.yoctoproject.org/ws'
35 | -#SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
36 | +BB_HASHSERVE_UPSTREAM = 'wss://hashserv.yoctoproject.org/ws'
37 | +SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
38 | #
39 | ###SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
40 |
41 | @@ -249,7 +249,7 @@
42 | #
43 | # By default native qemu will build with a builtin VNC server where graphical output can be
44 | # seen. The line below enables the SDL UI frontend too.
45 | -PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
46 | +# PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
47 | # By default libsdl2-native will be built, if you want to use your host's libSDL instead of
48 | # the minimal libsdl built by libsdl2-native then uncomment the ASSUME_PROVIDED line below.
49 | #ASSUME_PROVIDED += "libsdl2-native"
50 | @@ -269,8 +269,8 @@
51 | #
52 | # A shared hash equivalent server can be set with ":" format
53 | #
54 | -#BB_HASHSERVE = "auto"
55 | -#BB_SIGNATURE_HANDLER = "OEEquivHash"
56 | +BB_HASHSERVE = "auto"
57 | +BB_SIGNATURE_HANDLER = "OEEquivHash"
58 |
59 | #
60 | # Memory Resident Bitbake
61 | @@ -286,3 +286,10 @@
62 | # track the version of this file when it was generated. This can safely be ignored if
63 | # this doesn't mean anything to you.
64 | CONF_VERSION = "2"
65 | +MACHINE_FEATURES_NATIVE:append = " efi"
66 | +MACHINE_FEATURES:append = " efi"
67 | +EXTRA_IMAGEDEPENDS += "ovmf"
68 | +
69 | +MACHINE ?= "tdx"
70 | +DISTRO ?= "cvm"
71 | +DISTRO_FEATURES:append = " evm observability podman"
72 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Container runtime used for every build and measurement step; overridable
# from the command line or environment.
DOCKER?=docker

# Base directories
BASE_BUILD_DIR := $(CURDIR)/build
REPRODUCIBLE_BUILD_DIR := $(CURDIR)/reproducible-build
# Git ref of this repository handed to the builder image (repo init -b).
# Defaults to the current commit so a build is tied to an exact manifest revision.
REVISION?=$(shell git rev-parse HEAD)

7 |
.PHONY: help
# Help text is taken from the `##` comment that follows each target line
# (the `### ...` comments on the image/measurements targets match as well).
help: ## Display this help.
	@awk 'BEGIN {FS = ":.*##"; printf "Usage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

11 |
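.PHONY: image-buildernet
# Builds the builder image (manifest name and this repository's revision are
# baked in as build args), then runs it with the profile's env file. The source
# tree and the image output are bind-mounted so they outlive the container.
# The trailing chmod is presumably undoing permission changes made for the
# container run — verify before removing it.
image-buildernet: prepare-dirs ### Build BuilderNet image, by default outputs to reproducible-build/artifacts-buildernet
	$(DOCKER) build -t yocto-builder:buildernet --build-arg MANIFEST=tdx-buildernet.xml --build-arg REVISION=$(REVISION) $(REPRODUCIBLE_BUILD_DIR)
	$(DOCKER) run --rm --env-file env_files/buildernet_yocto_build_config.env \
		-v $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet:/artifacts \
		-v $(BASE_BUILD_DIR)/buildernet:/build \
		yocto-builder:buildernet
	chmod 0755 $(BASE_BUILD_DIR)/buildernet $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet
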
20 |
21 | .PHONY: measurements-buildernet
22 | measurements-buildernet: measurements-image image-buildernet ### Generates measurements for BuilderNet image. The measurements can be found in reproducible-build/artifacts-buildernet/measurement-.json.
23 | chmod 0777 $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet
24 | $(DOCKER) run --rm \
25 | -v $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet:/artifacts \
26 | -v $(BASE_BUILD_DIR)/buildernet:/build \
27 | yocto-measurements:latest
28 | chmod 0755 $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet
29 |
30 | .PHONY: image-bob
31 | image-bob: measurements-image prepare-dirs check-ssh-key ### Build bob image, by default outputs to reproducile-build/artifacts-bob. Make sure you update the ssh pubkey in env_files/bob_yocto_build_config.env
32 | $(DOCKER) build -t yocto-builder:bob --build-arg MANIFEST=tdx-bob.xml --build-arg REVISION=$(REVISION) $(REPRODUCIBLE_BUILD_DIR)
33 | $(DOCKER) run --rm --env-file env_files/bob_yocto_build_config.env \
34 | -v $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob:/artifacts \
35 | -v $(BASE_BUILD_DIR)/bob:/build \
36 | yocto-builder:bob
37 | chmod 0755 $(BASE_BUILD_DIR)/bob $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob
38 |
39 | .PHONY: measurements-bob
40 | measurements-bob: measurements-image image-bob ### Generates measurements for bob image. The measurements can be found in reproducible-build/artifacts-bob/measurement-.json.
41 | chmod 0777 $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob
42 | $(DOCKER) run --rm \
43 | -v $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob:/artifacts \
44 | -v $(BASE_BUILD_DIR)/bob:/build \
45 | yocto-measurements:latest
46 | chmod 0755 $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob
47 |
48 | .PHONY: image-base
49 | image-base: measurements-image prepare-dirs ### Build a TDX general purpose base image, by default outputs to reproducile-build/artifacts-base
50 | $(DOCKER) build -t yocto-builder:base --build-arg MANIFEST=tdx-base.xml --build-arg REVISION=$(REVISION) $(REPRODUCIBLE_BUILD_DIR)
51 | $(DOCKER) run --rm --env-file env_files/tdx-base_yocto_build_config.env \
52 | -v $(REPRODUCIBLE_BUILD_DIR)/artifacts-base:/artifacts \
53 | -v $(BASE_BUILD_DIR)/base:/build \
54 | yocto-builder:base
55 | chmod 0755 $(BASE_BUILD_DIR)/base $(REPRODUCIBLE_BUILD_DIR)/artifacts-base
56 |
57 | .PHONY: measurements-base
58 | measurements-base: measurements-image image-base ### Generates measurements for base image. The measurements can be found in reproducible-build/artifacts-base/measurement-.json.
59 | chmod 0777 $(REPRODUCIBLE_BUILD_DIR)/artifacts-base
60 | $(DOCKER) run --rm \
61 | -v $(REPRODUCIBLE_BUILD_DIR)/artifacts-base:/artifacts \
62 | -v $(BASE_BUILD_DIR)/base:/build \
63 | yocto-measurements:latest
64 | chmod 0755 $(REPRODUCIBLE_BUILD_DIR)/artifacts-base
65 |
66 | .PHONY: measurements-image
67 | measurements-image: ### Internal target preparing measurements image
68 | $(DOCKER) build -t yocto-measurements:latest -f reproducible-build/measurements.Dockerfile $(REPRODUCIBLE_BUILD_DIR)
69 |
70 | .PHONY: prepare-dirs
71 | prepare-dirs: ### Internal target preparing artifact directories
72 | mkdir -p $(BASE_BUILD_DIR)/buildernet $(BASE_BUILD_DIR)/bob $(BASE_BUILD_DIR)/base
73 | mkdir -p $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob $(REPRODUCIBLE_BUILD_DIR)/artifacts-base
74 | chmod 0777 $(BASE_BUILD_DIR)/buildernet $(BASE_BUILD_DIR)/bob $(BASE_BUILD_DIR)/base \
75 | $(REPRODUCIBLE_BUILD_DIR)/artifacts-buildernet $(REPRODUCIBLE_BUILD_DIR)/artifacts-bob $(REPRODUCIBLE_BUILD_DIR)/artifacts-base
76 |
77 | .PHONY: check-ssh-key
78 | check-ssh-key: ### Internal target checking a pubkey for bob image is provided
79 | @if grep -q "^SEARCHER_SSH_KEY=$$" env_files/bob_yocto_build_config.env; then \
80 | echo "Error: SEARCHER_SSH_KEY is not set in env_files/bob_yocto_build_config.env"; \
81 | exit 1; \
82 | fi
83 |
84 | .PHONY: clean
85 | clean: ### Remove build cache and artifacts
86 | rm -rf $(BASE_BUILD_DIR) $(REPRODUCIBLE_BUILD_DIR)/artifacts-*
87 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # yocto-manifests
2 | This repository provides Repo manifests to setup the Yocto build system for reproducible TEE builds.
3 |
4 | [The Yocto Project](https://docs.yoctoproject.org/singleindex.html#) allows the creation of custom linux distributions for
5 | embedded systems, including AMD based systems. It is a collection of git
6 | repositories known as *layers* each of which provides *recipes* to build
7 | software packages as well as configuration information.
8 |
9 | [Repo](https://gerrit.googlesource.com/git-repo/+/HEAD/README.md) is a tool that enables the management of many git repositories given a
10 | single *manifest* file. Tell repo to fetch a manifest from this repository and
11 | it will fetch the git repositories specified in the manifest and, by doing so,
12 | setup a Yocto Project build environment for you!
13 |
14 | ## Build Environment Requirements
15 |
16 | ### System Requirements
17 | - **Operating System**: Ubuntu 22.04 LTS (recommended for stability and reproducibility)
18 | - **Storage**: Minimum 300GB free disk space
19 | - Required for build artifacts and output images
20 | - SSD storage recommended for optimal performance
21 | - **Processor**: Minimum 16 CPU cores
22 | - Builds are heavily parallelized
23 | - More cores will significantly reduce build time
24 | - **Memory**: Minimum 16GB RAM (32GB recommended)
25 |
26 | ### Recommended Setup
27 | - Dedicated build server for consistent and uninterrupted builds
28 | - Fast internet connection for downloading source packages
29 | - Regular system maintenance to ensure sufficient free space
30 |
31 | ### Notes
32 | - Clean builds typically take 2-4 hours depending on hardware
33 | - Incremental builds are significantly faster
34 | - Consider using build containers for consistent environments across teams
35 |
36 | ## Manifest Files
37 |
38 | This repository contains several manifest files:
39 | * **tdx-base.xml** - Minimal confidential computing image configuration (uses [tdx-base_yocto_build_config.env](env_files/tdx-base_yocto_build_config.env))
40 | * **tdx-bob.xml** - Searcher node image configuration (uses [bob_yocto_build_config.env](env_files/bob_yocto_build_config.env))
41 | * **tdx-buildernet.xml** - BuilderNet node image configuration (uses [buildernet_yocto_build_config.env](env_files/buildernet_yocto_build_config.env))
42 |
43 | ## Build Profiles
44 |
45 | This repository supports multiple build profiles, each tailored for specific use cases and defined by its corresponding manifest file:
46 |
47 | * **tdx-base**: Minimal confidential computing image.
48 | See [tdx-base/README.md](config_files/tdx-base/README.md) for details.
49 |
50 | * **tdx-bob**: Specialized image for running searcher nodes with podman support and searcher-specific configurations.
51 | See [tdx-bob/README.md](config_files/tdx-bob/README.md) for details.
52 |
53 | * **tdx-buildernet**: Comprehensive environment to run as part of [BuilderNet](https://buildernet.org/). Includes Lighthouse, Reth, and rbuilder.
54 | See [tdx-buildernet/README.md](config_files/tdx-buildernet/README.md) for details.
55 |
56 | Each profile's configuration and setup scripts are maintained in the `config_files/` directory. See the profile-specific READMEs for detailed information about features, requirements, and build configurations.
57 |
58 | ## Reproducing image measurements
59 |
60 | **Make sure you are checked out on the correct commit (in this repo).**
61 |
62 | Building images and generating their reproducible build measurements is as simple as installing Docker and running `make measurements-<profile>`. For a list of available targets, run `make help`.
63 | Make sure you have plenty of disk space available (200 GB), and that your session will not time out, as a fresh build can take over an hour on slow hardware.
64 |
65 | Built images as well as measurements will be available in `./reproducible-build/artifacts-<profile>`.
66 |
67 | ## Preparing your host for non-docker builds
68 |
69 | **If you only want to build images, see the "Reproducing image measurements" section above. This section is only required if you want to build images directly on your physical host and is aimed at image developers.**
70 |
71 | 1. See the [Preparing Build Host](https://docs.yoctoproject.org/singleindex.html#preparing-the-build-host)
72 | documentation to install essential host packages on your build host. The
73 | following command installs the host packages based on an Ubuntu distribution.
74 | ```
75 | $ sudo apt install gawk wget git diffstat unzip texinfo gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1-mesa libsdl1.2-dev xterm python3-subunit mesa-common-dev zstd liblz4-tool chrpath diffstat lz4 mtools
76 | $ sudo locale-gen en_US.UTF-8
77 | ```
78 |
79 | 2. Install Repo tool.
80 |
81 | If on Debian/Ubuntu, then run:
82 | ```
83 | sudo apt-get install repo
84 | ```
85 |
86 | Otherwise, follow these steps:
87 | * Download the Repo script, and verify it against the signature published by the Repo project before installing it.
88 | ```
89 | $ curl https://storage.googleapis.com/git-repo-downloads/repo > repo
90 | ```
91 |
92 | * Make it executable.
93 | ```
94 | $ chmod a+x repo
95 | ```
96 |
97 | * Move it on to your system path.
98 | ```
99 | $ sudo mv repo /usr/local/bin/
100 | ```
101 |
102 | If it is correctly installed, you should see a Usage message when invoked
103 | with the help flag.
104 | ```
105 | $ repo --help
106 | ```
107 | 3. Initialize a Repo client.
108 |
109 | * Create an empty directory to hold your working files.
110 | ```
111 | $ mkdir -p yocto/tdx
112 | $ cd yocto/tdx
113 | ```
114 |
115 | * Clone the Yocto meta-layer sources using the Yocto manifest as shown below.
116 | ```
117 | $ repo init -u https://github.com/flashbots/yocto-manifests.git -b main -m <manifest>.xml
118 | # Replace <manifest> with tdx-base.xml, tdx-bob.xml, or tdx-buildernet.xml depending on your needs
119 | ```
120 | A successful initialization will end with a message stating that Repo is
121 | initialized in your working directory. Your directory should now contain a
122 | .repo directory where repo control files such as the manifest are stored but
123 | you should not need to touch this directory.
124 |
125 | To learn more about repo, look at https://source.android.com/setup/develop/repo
126 |
127 | 4. Fetch all the repositories.
128 | ```
129 | $ repo sync
130 | ```
131 |
132 | 5. Start a branch for development starting from the revision specified in
133 | the manifest. This is an optional step.
134 | ```
135 | $ repo start --all
136 | ```
137 |
138 | 6. Setup the Yocto OE Init scripts by sourcing `setup` script.
139 | ```
140 | $ source setup
141 | ```
142 | > **Note:** if you are building on Ubuntu 24.04, the Yocto bitbake build will fail due to an AppArmor profile update that tightened the default restrictions.
143 | >
144 | > Here is a workaround to fix the build issue [link](https://lists.yoctoproject.org/g/docs/topic/yocto_workaround_for/106220010)
145 |
146 | 7. Build the image by using the provided `Makefile`.
147 |
148 | Your host is now ready to build images.
149 |
150 | > **Note:** Make sure you export the env vars that enable or disable the Yocto build-time configuration you want. \
151 | > Please inspect the [env_files](./env_files/) and export the desired ones as environment variables before triggering the build. \
152 | > e.g. `export DEBUG_TWEAKS_ENABLED=1`. This builds the image in debug mode and enables root SSH access for dev/debug purposes.
153 |
154 | ```
155 | $ make build
156 | ```
157 |
158 | 8. Generate the measurement values after building the image. They will be located in the measurements directory.
159 | ```
160 | $ make gen-measurements
161 | ```
162 | > **Note:** to generate the measurements, you need to make sure that you have `python3`, `libssl-dev` and the `signify` module installed.
163 | >
164 | >$ sudo apt-get install python3 libssl-dev
165 | >
166 | >$ ln -s /usr/bin/python3 /usr/bin/python
167 | >
168 | >$ pip install signify
169 |
170 | ## Staying Up to Date
171 |
172 | To pick up the latest changes for all source repositories, run:
173 | ```
174 | $ repo sync
175 | ```
176 | ## Docker build env
177 | There is also [poky-container](https://github.com/crops/poky-container/) as an alternative docker build environment to build your yocto projects with it.
178 |
179 | ## Alternative Build with Docker
180 | 1. Clone this repo
181 | ```
182 | $ git clone https://github.com/flashbots/yocto-manifests.git
183 | ```
184 | 2. Adjust the Yocto build configuration in [env_files](https://github.com/flashbots/yocto-manifests/tree/main/env_files) for the target image you want to build.
185 | 3. Build the desired image with `make`; the current options are:
186 | - image-base: builds a basic tdx-image and outputs the image artifacts in */reproducible-build/artifacts-base* (see [tdx-base profile](config_files/tdx-base/README.md))
187 | - image-bob: builds the image for the BOB project with the embedded searcher SSH key and podman support, and outputs the image artifacts in */reproducible-build/artifacts-bob* (see [tdx-bob profile](config_files/tdx-bob/README.md))
188 | - image-buildernet: builds the BuilderNet image with rbuilder/reth/lighthouse and outputs the image artifacts to */reproducible-build/artifacts-buildernet* (see [tdx-buildernet profile](config_files/tdx-buildernet/README.md))
189 | ```
190 | $ make image-<profile>
191 | ```
192 |
--------------------------------------------------------------------------------