bob-l2: initial commit

Author: ilyaluk

DEVELOPMENT.md

@@ -27,6 +27,7 @@ flashboxes/
 │   └── debloat*.sh         # System cleanup scripts
 ├── bob-common/             # TEE Searcher common image
 ├── bob-l1/                 # L1 TEE Searcher sandbox image
+├── bob-l2/                 # L2 TEE Searcher sandbox image
 ├── buildernet/             # BuilderNet
 ├── tdx-dummy/              # TDX test environment
 ├── kernel/                 # Kernel configuration

Makefile

@@ -39,11 +39,11 @@ setup: ## Install dependencies (Linux only)
 
 # Build module
 build: check-perms setup ## Build the specified module
-	$(WRAPPER) mkosi --force -I $(IMAGE).conf
+	$(WRAPPER) mkosi --force --include=$(IMAGE).conf
 
 # Build module with devtools profile
 build-dev: check-perms setup ## Build module with development tools
-	$(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf
+	$(WRAPPER) mkosi --force --profile=devtools --include=$(IMAGE).conf
 
 ##@ Utilities
 

bob-common/mkosi.extra/usr/bin/init-firewall.sh

@@ -124,6 +124,18 @@ accept_dst_ip_port() {
                          -m comment --comment "$comment"
 }
 
+accept_src_ip_dst_port() {
+    chain="$1"
+    protocol="$2"
+    ip="$3"
+    port="$4"
+    comment="$5"
+
+    iptables -A "$chain" -p "$protocol" -s "$ip" --dport "$port" \
+                         -m conntrack --ctstate NEW -j ACCEPT \
+                         -m comment --comment "$comment"
+}
+
 drop_dst_ip() {
     chain="$1"
     ip="$2"

bob-l2.conf

@@ -0,0 +1,13 @@
+[Include]
+Include=base/mkosi.conf
+Include=bob-common/mkosi.conf
+Include=bob-l2/mkosi.conf
+
+[Config]
+Profiles=gcp
+
+[Distribution]
+Mirror=https://snapshot.debian.org/archive/debian/20250526T142542Z/
+
+[Build]
+ToolsTreeMirror=https://snapshot.debian.org/archive/debian/20250526T142542Z/

bob-l2/kernel.config

@@ -0,0 +1,45 @@
+CONFIG_NET_VENDOR_GOOGLE=y
+CONFIG_GVE=y
+
+# Enable iptables interface for CONFIG_NF_TABLES
+# Same config as in bob-l1
+CONFIG_IPV6=n
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CT_PROTO_SCTP=y
+CONFIG_NF_CT_PROTO_UDPLITE=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NF_TABLES_BRIDGE=y
+CONFIG_NF_TABLES_ARP=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NETFILTER_XTABLES_COMPAT=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_LIMIT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_REJECT_INET=y
+CONFIG_NFT_COMPAT=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_REDIR=y
+CONFIG_NFT_OBJREF=y
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_RAW=y
+CONFIG_NET_SCHED=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+CONFIG_CRYPTO_USER_API_RNG=y
+CONFIG_CRYPTO_USER_API_AEAD=y

bob-l2/mkosi.conf

@@ -0,0 +1,9 @@
+[Build]
+Environment=KERNEL_CONFIG_SNIPPETS=kernel/snippets/ubuntu.config,bob-l2/kernel.config
+WithNetwork=true
+
+[Content]
+ExtraTrees=bob-l2/mkosi.extra
+PostInstallationScripts=bob-l2/mkosi.postinst
+
+Packages=chrony

bob-l2/mkosi.extra/etc/bob/firewall-config

@@ -0,0 +1,81 @@
+# This script is sourced from firewall script and contains image-specific rules
+# See also: bob-common/mkosi.extra/usr/bin/init-firewall.sh
+
+# Image-specific ports
+SSH_CONTROL_PORT=22
+SSH_DATA_PORT=10022
+SSH_REGISTER_PORT=8080
+CVM_REVERSE_PROXY_PORT=8745
+SEARCHER_INPUT_PORT=27017
+
+# Well-known ports
+DNS_PORT=53
+HTTP_PORT=80
+HTTPS_PORT=443
+NTP_PORT=123
+OP_NODE_P2P_PORT=9222
+OP_GETH_P2P_PORT=30303
+ENGINE_API_PORT=8651
+
+###########################################################################
+# (1) ALWAYS_IN: Inbound rules that are always applied
+###########################################################################
+
+accept_dst_port $CHAIN_ALWAYS_IN tcp $SSH_CONTROL_PORT "SSH control port"
+accept_dst_port $CHAIN_ALWAYS_IN udp $SEARCHER_INPUT_PORT "Searcher input channel"
+
+# We drive op-geth in the searcher container from external op-node
+accept_src_ip_dst_port $CHAIN_ALWAYS_IN tcp "$METADATA_BOB_L2_OP_NODE_CIDR" $ENGINE_API_PORT "Engine API"
+
+# CVM reverse-proxy serves server attestation
+# Also forwards request to ssh pubkey server on localhost:5001,
+#    which serves searcher-container openssh server pubkey
+accept_dst_port $CHAIN_ALWAYS_IN tcp $CVM_REVERSE_PROXY_PORT "CVM reverse-proxy"
+
+###########################################################################
+# (2) ALWAYS_OUT: Outbound rules that are always applied
+###########################################################################
+
+# Note: this is accessible only from host, searcher netns has DROP on those
+# See also init-container.sh
+accept_dst_port $CHAIN_ALWAYS_OUT udp $NTP_PORT "NTP"
+
+accept_dst_ip_port $CHAIN_ALWAYS_OUT tcp "$METADATA_BOB_L2_BACKRUNS_IP" $HTTP_PORT "bundle"
+
+###########################################################################
+# (3) MAINTENANCE_IN: Inbound rules for Maintenance Mode
+###########################################################################
+
+accept_dst_port $CHAIN_MAINTENANCE_IN tcp $SSH_DATA_PORT "SSH data plane"
+accept_dst_port $CHAIN_MAINTENANCE_IN tcp $SSH_REGISTER_PORT "SSH register service"
+
+accept_dst_port $CHAIN_MAINTENANCE_IN tcp $OP_GETH_P2P_PORT "op-geth P2P (TCP)"
+accept_dst_port $CHAIN_MAINTENANCE_IN udp $OP_GETH_P2P_PORT "op-geth P2P (UDP)"
+
+###########################################################################
+# (4) MAINTENANCE_OUT: Outbound rules for Maintenance Mode
+###########################################################################
+
+# Block tx endpoint during maintenance
+drop_dst_ip $CHAIN_MAINTENANCE_OUT "$METADATA_BOB_L2_TX_STREAM_IP" "tx stream (DROP before accept-all rules)"
+
+accept_dst_port $CHAIN_MAINTENANCE_OUT udp $DNS_PORT "DNS (UDP)"
+accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $DNS_PORT "DNS (TCP)"
+
+accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTP_PORT "HTTP"
+accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $HTTPS_PORT "HTTPS"
+
+accept_dst_port $CHAIN_MAINTENANCE_OUT tcp $OP_GETH_P2P_PORT "op-geth P2P (TCP)"
+accept_dst_port $CHAIN_MAINTENANCE_OUT udp $OP_GETH_P2P_PORT "op-geth P2P (UDP)"
+
+###########################################################################
+# (5) PRODUCTION_IN: Inbound rules for Production Mode
+###########################################################################
+
+# None at the moment
+
+###########################################################################
+# (6) PRODUCTION_OUT: Outbound rules for Production Mode
+###########################################################################
+
+accept_dst_ip_port $CHAIN_PRODUCTION_OUT tcp "$METADATA_BOB_L2_TX_STREAM_IP" $HTTP_PORT "tx stream"

bob-l2/mkosi.extra/etc/bob/searcher-container-after-init

@@ -0,0 +1,14 @@
+# This script is sourced from init-container.sh and contains image-specific stuff
+# See also: bob-common/mkosi.extra/usr/bin/init-container.sh
+
+exec_in_container "
+    cat <<EOF >> /etc/hosts
+$METADATA_BOB_L2_TX_STREAM_IP tx-stream.internal
+$METADATA_BOB_L2_BACKRUNS_IP  backruns.internal
+EOF"
+
+# Copy metadata into the container for transparency
+#
+# This might be implemented as bind read-only mount in the future,
+# but customizing container startup per bob-l2 is too complex for now
+cat /etc/metadata.env | exec_in_container "cat > /etc/metadata.env"

bob-l2/mkosi.extra/etc/searcher-container-init-extra

@@ -0,0 +1,7 @@
+# This script is sourced from init-container.sh and contains image-specific stuff
+# See also: bob-common/mkosi.extra/usr/bin/init-container.sh
+
+echo "Injecting static hosts into searcher container..."
+exec_in_container '
+    cat <<EOF >> /etc/hosts
+EOF'

bob-l2/mkosi.extra/etc/tdx-init/disk-glob

@@ -0,0 +1 @@
+/dev/disk/by-path/*nvme-2