-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Minimise TCB on during verification by breaking out the verify subcommand #598
Comments
Hi @blenessy, Thanks for the suggestion, I'm pretty happy that you're taking Contrast for a spin and considering contributions! Regarding Trusted Computing BaseI fear that a reduction in binary size does not necessarily imply a reduction in TCB. Even if you compile a small
Now you might ask yourself why the policies obtained by `verify` are not sufficient for verification. This is mostly due to how workload policies in Kata operate (I wrote a paragraph about that [here](https://github.com/edgelesssys/contrast/blob/v0.7.0/dev-docs/coco/policy.md#storage-rules)): given a bunch of yaml it is easy to verify that `generate` produces the same result as retrieved by `verify`, but working backwards from policies to k8s resource definitions is infeasible, if only because of the precalculated dm-verity hashes for the OCI layers. This may change in the future, depending on the image handling strategy decided by upstream CoCo, but we're stuck with it for now.
At the end of the day, the TCB is the transitive closure of all Contrast components and their dependencies. If the goal is to reduce the TCB, we should imho start by reducing dependencies overall. Regarding a Standalone VerifyThat being said, I can imagine situations where a smaller On the other hand, we still want to support the Regarding Binary Size OverallThere are three main contributors as far as I'm aware of (see table below):
These are all used by
```plain
$ gsa ./contrast
+-----------------------------------------------------------------------------+
| contrast |
+---------+----------------------------------------------+--------+-----------+
| PERCENT | NAME | SIZE | TYPE |
+---------+----------------------------------------------+--------+-----------+
| 38.59% | .noptrdata | 23 MB | section |
| 16.30% | k8s.io/api | 9.8 MB | vendor |
| 12.47% | .gopclntab | 7.5 MB | section |
| 10.55% | .rodata | 6.4 MB | section |
| 2.80% | k8s.io/client-go | 1.7 MB | vendor |
| 1.82% | github.com/google/gnostic-models | 1.1 MB | vendor |
| 1.62% | google.golang.org/protobuf | 980 kB | vendor |
| 1.48% | k8s.io/apimachinery | 893 kB | vendor |
| 1.46% | crypto | 879 kB | std |
| 1.27% | net | 764 kB | std |
| 0.98% | google.golang.org/grpc | 589 kB | vendor |
[...]
```
Cheers, Markus |
Thanks for the quick and very insightful response @burgerdev ! As you suspected, I was under the assumption I will definitely start by exploring your concerns more in depth before moving forward with this. |
Hi @burgerdev ! I get it (especially after reading through Life of a Confidential Container): verification is currently (0.7.1) not trivial and the Nevertheless I still predict :) that you will eventually break up the When/if that happens it might be a good idea get inspired by how
In the shorter term I do agree that the overall size minimising the TCB of the AKS flow is important/urgent.
|
contrast v0.7.0 is very big ~60 MB in size with DWARF and symbols removed.
I've tested breaking out the
verify
subcommand from thecontrast
CLI into its own binary (calledverify
). The size ofverify
is 9.7MB.I analysed the contents of this binary with GSA. I attached the html report so you can see for yourselves. Spoiler: bigger code chunk is related to the GRPC protocol.
Do you guys think this is a good idea to do this (breaking out
verify
). Would you accept a PR with separatedverify
binary ?(FWIW. I would put in more effort to further minimise TCB of
verify
after the separation - I'm hoping to bring the size down to 4-5 MB).verify.html.gz
The text was updated successfully, but these errors were encountered: