feat: Implement new bazel rules for building SEV recovery GuestOS images #10571

Open

frankdavid wants to merge 5 commits into master from frankdavid/build-sev-recovery-images

Conversation

@frankdavid (Contributor)

Introduces the build infrastructure for SEV recovery GuestOS images. These
images are recovery images whose measured boot components (kernel, initrd, OVMF,
boot args) are taken from a previously released GuestOS version and whose
launch measurements are verified against an NNS-signed
`BlessAlternativeGuestOsVersion` proposal at build time. The signed proposal
is embedded in the boot partition (and later verified at boot time).

## Build usage

```bash
ALTERNATIVE_GUESTOS_BASE_VERSION=<commit> \
ALTERNATIVE_GUESTOS_PROPOSAL_ID=<proposal_id> \
  bazel build //ic-os/guestos/envs/sev-recovery:update-img.tar.zst
```

## Changes

### New crates
- **`rs/ic_os/alternative_guestos`** — Extracts the existing proposal
  verification logic (`read_and_verify_signed_bless_alternative_guest_os_version_proposal`)
  out of `open_rootfs` into a reusable library. The `nns_public_key_override`
  parameter is now always present (previously conditionally compiled), with
  `None` passed in production builds so the hardcoded NNS public key is used.
- **`rs/ic_os/build_tools/alternative_guestos`** — A build tool
  (`alternative_guestos_proposal_tool`) with two subcommands:
  - `download-signed-proposal`: fetches a certified `get_proposal_info`
    response from the NNS governance canister via ic-agent and stores the
    CBOR certificate to disk, verifying it immediately.
  - `validate-measurements`: checks that locally generated launch
    measurements overlap with the measurements blessed in the proposal.

### Bazel build rules (`ic-os/alternative_guestos.bzl`)
- `download_alternative_guestos_proposal` — downloads and verifies a signed
  proposal, driven by the `ALTERNATIVE_GUESTOS_PROPOSAL_ID` env var.
- `prepare_alternative_guestos_base_bootfs_tree_tar` — downloads a released
  GuestOS update image, extracts its boot partition via fuse2fs, and produces
  a tarball of the boot file tree. Driven by `ALTERNATIVE_GUESTOS_BASE_VERSION`.
- `validate_launch_measurements_match` — runs the measurement-overlap check
  against the downloaded proposal.

### Build wiring (`ic-os/defs.bzl`)
- Adds a `build_alternative_guestos_image` flag to `icos_build`. When enabled,
  the boot partition is built from the downloaded base bootfs tree (plus the
  embedded proposal), the boot args are reused from the base release, and the
  launch measurements are validated against the proposal.
- Refactors boot partition file extraction (`extract_boot_partition_files`)
  to extract initrd, vmlinuz, OVMF, and boot args directly from the built boot
  partition image via `debugfs`, so launch measurements reflect the actual
  partition contents.
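The `validate-measurements` subcommand described above is the build-time gate for these images, so it is worth seeing the shape of such a check in full. The following is an added example, not code from this PR or from the ic repository: a stand-alone Rust model of a measurement-overlap check. Assumptions made here and not stated on the page: the measurement type (`Measurement`, a 48-byte SEV-SNP launch digest carried as hex), the report structure (`OverlapReport`), the pass rule (at least one locally generated measurement must appear in the blessed set), and the constructed sample values in `sample_local` / `sample_blessed`.

```rust
// Added example (not the PR's or the ic repo's code): a stand-alone model of a
// launch-measurement overlap check. Names, the pass rule and the sample data
// below are assumptions made for this example.
use std::collections::BTreeSet;

/// An AMD SEV-SNP launch measurement is a SHA-384 digest: 48 bytes.
pub const MEASUREMENT_LEN: usize = 48;

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Measurement([u8; MEASUREMENT_LEN]);

#[derive(Debug, PartialEq, Eq)]
pub enum MeasurementError {
    /// Wrong number of hex characters (expected 2 * MEASUREMENT_LEN).
    BadLength { hex_chars: usize },
    /// A character that is not a hex digit (this also rejects a leading '+',
    /// which `u8::from_str_radix` would otherwise accept).
    BadHex(String),
}

impl Measurement {
    /// Parse a hex-encoded measurement. Case-insensitive; length and alphabet
    /// are checked first so a truncated or padded value is never compared.
    pub fn from_hex(s: &str) -> Result<Self, MeasurementError> {
        let s = s.trim();
        if s.len() != MEASUREMENT_LEN * 2 {
            return Err(MeasurementError::BadLength { hex_chars: s.len() });
        }
        if !s.bytes().all(|b| b.is_ascii_hexdigit()) {
            return Err(MeasurementError::BadHex(s.to_string()));
        }
        let mut bytes = [0u8; MEASUREMENT_LEN];
        for (i, pair) in s.as_bytes().chunks(2).enumerate() {
            // Every byte is an ASCII hex digit, so both conversions are infallible here.
            bytes[i] = u8::from_str_radix(std::str::from_utf8(pair).unwrap(), 16).unwrap();
        }
        Ok(Measurement(bytes))
    }

    pub fn to_hex(&self) -> String {
        self.0.iter().map(|b| format!("{b:02x}")).collect()
    }
}

/// Result of comparing locally generated measurements with the blessed ones.
/// All three sets are reported so a build log can say exactly which image
/// variants will attest and which will not, instead of a bare pass/fail.
#[derive(Debug, PartialEq, Eq)]
pub struct OverlapReport {
    pub matched: BTreeSet<Measurement>,
    pub local_only: BTreeSet<Measurement>,
    pub blessed_only: BTreeSet<Measurement>,
}

impl OverlapReport {
    /// Pass rule assumed for this example: at least one locally generated
    /// measurement must be blessed, otherwise nothing built here could attest.
    pub fn passes(&self) -> bool {
        !self.matched.is_empty()
    }
}

pub fn compare_measurements(local: &[Measurement], blessed: &[Measurement]) -> OverlapReport {
    let local: BTreeSet<Measurement> = local.iter().cloned().collect();
    let blessed: BTreeSet<Measurement> = blessed.iter().cloned().collect();
    OverlapReport {
        matched: local.intersection(&blessed).cloned().collect(),
        local_only: local.difference(&blessed).cloned().collect(),
        blessed_only: blessed.difference(&local).cloned().collect(),
    }
}

/// Parse both hex lists and compare. A malformed entry on either side is an
/// error rather than a silent skip: a corrupt blessed list must fail the build.
pub fn validate(local_hex: &[&str], blessed_hex: &[&str]) -> Result<OverlapReport, MeasurementError> {
    let parse = |xs: &[&str]| -> Result<Vec<Measurement>, MeasurementError> {
        xs.iter().map(|s| Measurement::from_hex(s)).collect()
    };
    Ok(compare_measurements(&parse(local_hex)?, &parse(blessed_hex)?))
}

/// Constructed sample inputs (not real measurements): two local variants, of
/// which only the second is blessed, plus one blessed value not built locally.
pub fn sample_local() -> Vec<String> {
    vec!["aa".repeat(MEASUREMENT_LEN), "bb".repeat(MEASUREMENT_LEN)]
}
pub fn sample_blessed() -> Vec<String> {
    vec!["BB".repeat(MEASUREMENT_LEN), "cc".repeat(MEASUREMENT_LEN)]
}

fn main() {
    let (local, blessed) = (sample_local(), sample_blessed());
    let local: Vec<&str> = local.iter().map(String::as_str).collect();
    let blessed: Vec<&str> = blessed.iter().map(String::as_str).collect();
    match validate(&local, &blessed) {
        Ok(report) => {
            for m in &report.matched { println!("blessed and built locally: {}", m.to_hex()); }
            for m in &report.local_only { println!("built locally but NOT blessed: {}", m.to_hex()); }
            for m in &report.blessed_only { println!("blessed but not built here: {}", m.to_hex()); }
            std::process::exit(if report.passes() { 0 } else { 1 });
        }
        Err(e) => { eprintln!("malformed measurement: {e:?}"); std::process::exit(2); }
    }
}
```

The non-empty-intersection rule mirrors the "overlap" wording in the description; a stricter build could instead require `local_only` to be empty, so that no image variant leaves the build unable to attest. Either way, the comparison is done on parsed bytes, not on hex strings, so case differences (as in the `BB` sample) cannot cause a false mismatch.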

@zeropath-ai (Bot) commented Jun 25, 2026

No security or compliance issues detected. Reviewed everything up to 3656d95.

Security Overview

Detected Code Changes

Change Type   Relevant files
Enhancement   ic-os/open_rootfs/BUILD.bazel: Add dependency on alternative_guestos
              ic-os/open_rootfs/Cargo.toml: Add alternative_guestos as a workspace dependency
Enhancement   ic-os/open_rootfs/BUILD.bazel: Include alternative_guestos in open_rootfs binary deps
Enhancement   ic-os/open_rootfs/src/main.rs: Remove proposal module import (commented/renamed)
Enhancement   ic-os/open_rootfs/src/recovery.rs: Use alternative_guestos::proposal for read_and_verify_signed_bless_alternative_guest_os_version_proposal
Enhancement   ic-os/alternative_guestos/BUILD.bazel: Add new alternative_guestos Rust library
Enhancement   rs/ic_os/alternative_guestos/Cargo.toml: Add crate dependencies for alternative_guestos
Enhancement   rs/ic_os/alternative_guestos/src/lib.rs: Expose proposal module
Enhancement   rs/ic_os/open_rootfs/src/recovery.rs (rename/replace path): Use alternative_guestos proposal module
Enhancement   rs/ic_os/open_rootfs/Cargo.toml: Add alternative_guestos as dependency
Enhancement   rs/ic_os/open_rootfs/BUILD.bazel: Add dependency on alternative_guestos in open_rootfs build
Enhancement   rs/ic_os/alternative_guestos/src/proposal.rs: Add proposal module (renamed from open_rootfs)
Enhancement   rs/ic_os/build_tools/alternative_guestos/src/download.rs: Add downloader to fetch and verify proposal CBOR
Enhancement   rs/ic_os/build_tools/alternative_guestos/src/main.rs: Add CLI for download/validate and coordinates with proposal
Enhancement   rs/ic_os/build_tools/alternative_guestos/src/proposal_build.rs: Add measurement validation logic between local and proposal
Enhancement   rs/ic_os/build_tools/alternative_guestos/BUILD.bazel: Define alternative_guestos build tool binary
Enhancement   rs/ic_os/build_tools/alternative_guestos/src/download.rs: Download and verify alternative guestos proposal
Enhancement   rs/ic_os/defs.bzl: Load alternative_guestos.bzl and expose build_alternative_guestos_image flag
Enhancement   ic-os/bazel/BUILD.bazel: Add stable status vars for alternative_guestos proposals (new outputs)
Enhancement   bazel/workspace_status.sh: Emit stable status vars if ALTERNATIVE_GUESTOS_PROPOSAL_ID/BASE_VERSION set
Enhancement   ic-os/guestos/envs/sev-recovery/BUILD.bazel: New env for sev-recovery using alternative_guestos image variant
Enhancement   Entities for new feature: alternative_guestos components, tools, and recovery support

Copilot AI (Contributor) left a comment

Pull request overview

Introduces build-time support for “alternative GuestOS” (SEV recovery) images whose boot components and blessed launch measurements are pinned to a previously released GuestOS version and verified against an NNS-signed BlessAlternativeGuestOsVersion proposal that gets embedded into the boot partition.

Changes:

  • Adds a reusable Rust library (rs/ic_os/alternative_guestos) plus a build tool (rs/ic_os/build_tools/alternative_guestos) to download/verify proposals and validate launch-measurement overlap.
  • Wires new Bazel/Starlark rules to (a) download the signed proposal and (b) build a recovery image boot partition from a released GuestOS bootfs tree, then validate generated measurements during the build.
  • Refactors SEV measurement inputs to be extracted from the built boot partition image (boot args/initrd/kernel/OVMF) to better reflect real partition contents.

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 4 comments.

File Description
rs/ic_os/open_rootfs/src/recovery.rs Switches proposal verification callsite to the new alternative_guestos library and standardizes the public-key override parameter handling.
rs/ic_os/open_rootfs/src/main.rs Removes the now-redundant local proposal module from the binary crate.
rs/ic_os/open_rootfs/Cargo.toml Adds a path dependency on the new alternative_guestos crate.
rs/ic_os/open_rootfs/BUILD.bazel Adds Bazel dep on //rs/ic_os/alternative_guestos for open_rootfs binaries/tests.
rs/ic_os/config/tool/src/guestos/bootstrap_ic_node.rs Minor import gating cleanup related to GuestOS bootstrap tooling.
rs/ic_os/build_tools/alternative_guestos/src/proposal_build.rs Implements measurement-overlap validation logic with unit tests.
rs/ic_os/build_tools/alternative_guestos/src/main.rs Adds a CLI tool with download-signed-proposal and validate-measurements subcommands.
rs/ic_os/build_tools/alternative_guestos/src/download.rs Implements NNS-governance certified proposal download + immediate verification.
rs/ic_os/build_tools/alternative_guestos/Cargo.toml Defines the new build tool crate and its dependencies.
rs/ic_os/build_tools/alternative_guestos/BUILD.bazel Adds Bazel targets for the new Rust build tool.
rs/ic_os/alternative_guestos/src/proposal.rs Makes the NNS public key override parameter consistently available and verifies certified proposal replies.
rs/ic_os/alternative_guestos/src/lib.rs Exposes the proposal verification module as a library API.
rs/ic_os/alternative_guestos/Cargo.toml Defines the new alternative_guestos library crate and dependencies.
rs/ic_os/alternative_guestos/BUILD.bazel Adds Bazel rust_library target for the new crate.
ic-os/guestos/envs/sev-recovery/BUILD.bazel Adds a new SEV recovery GuestOS Bazel environment target wiring build_alternative_guestos_image = True.
ic-os/defs.bzl Adds alternative-GuestOS build flag and integrates proposal download, base bootfs extraction, and in-rule measurement validation.
ic-os/alternative_guestos.bzl Adds Starlark rule/macro to download proposals and to prepare the released bootfs tree tarball.
Cargo.toml Registers the two new Rust workspace members.
Cargo.lock Locks dependencies for the new crates.
bazel/workspace_status.sh Exposes ALTERNATIVE_GUESTOS_* env vars as stable workspace status vars for Bazel actions.
bazel/BUILD.bazel Adds stable-status file targets for proposal ID and base version.


Comment thread ic-os/defs.bzl Outdated
Comment thread rs/ic_os/open_rootfs/BUILD.bazel Outdated
Comment thread ic-os/guestos/envs/sev-recovery/BUILD.bazel Outdated
Comment thread ic-os/guestos/envs/sev-recovery/BUILD.bazel Outdated
Comment thread ic-os/defs.bzl Outdated
Comment thread ic-os/defs.bzl
@frankdavid frankdavid enabled auto-merge July 2, 2026 13:24
}}
trap cleanup EXIT

curl --fail --silent --show-error --location \

Contributor

we should definitely not be downloading via curl inside a build. Can you turn this into an http_file or similar?

proposal_id="$(cat {proposal_id_file})"

if [[ -z "$proposal_id" ]]; then
echo "//{package}:{name} requires ALTERNATIVE_GUESTOS_PROPOSAL_ID to be set in the environment before invoking Bazel." >&2

Contributor

My instincts say this is probably not the right way to do it. In practice, when will this be built? And can the targets still be built on a clean checkout with e.g. bazel build //...? Otherwise it's probably best to run this as a bazel run

Contributor

nit: lots of new code in this directory, would be good to have a README or a few top-level comments explaining what this is for. Also, what's the difference between rs/ic_os/alternative_guestos and rs/ic_os/build_tools/alternative_guestos?


4 participants