Merge branch 'main' of github.com:flashbots/flashbots-images into kernel-and-docker

alexhulbert · alexhulbert · commit 47eaa591f598 · 2025-07-23T15:59:13.000-04:00
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
diff --git a/README.md b/README.md
@@ -0,0 +1,108 @@
+# Flashbots Images 📦⚡📦
+
+**Reproducible hardened Linux images for confidential computing and safe MEV**
+
+Flashboxes is a toolkit for building minimal, hardened Linux images designed for confidential computing environments and MEV (Maximum Extractable Value) applications. Built on mkosi and Nix, it provides reproducible, security-focused Linux distributions with strong network isolation, attestation capabilities, and blockchain infrastructure support.
+
+It contains our [bottom-of-block searcher sandbox](https://collective.flashbots.net/t/searching-in-tdx/3902) infrastructure and will soon contain our [BuilderNet](https://buildernet.org/blog/introducing-buildernet) infrastructure as well, along with any future TDX projects we implement.
+
+For more information about this repository, see [the Flashbots collective post](https://collective.flashbots.net/t/beyond-yocto-exploring-mkosi-for-tdx-images/4739).
+
+## 🌟 Features
+
+- **Reproducible Builds**: Deterministic image generation using Nix and frozen Debian snapshots
+- **Confidential Computing**: Built-in support for Intel TDX and remote attestation
+- **Minimal Attack Surface**: Uses very few packages (20Mb base)
+- **Flexible Deployment**: Support for Bare Metal TDX, QEMU, Azure, and GCP
+
+## 🚀 Quick Start
+
+### Prerequisites
+
+0. Make sure you're running systemd v250 or greater, or wait for [Docker support](https://github.com/flashbots/flashboxes/pull/11)
+
+1. **Install Nix** (single user mode is sufficient):
+   ```bash
+   sh <(curl -L https://nixos.org/nix/install) --no-daemon
+   ```
+
+2. **Enable Nix experimental features** in `~/.config/nix/nix.conf`:
+   ```
+   experimental-features = nix-command flakes
+   ```
+
+3. **Install Debian archive keyring** (temporary requirement):
+   ```bash
+   # On Ubuntu/Debian
+   sudo apt install debian-archive-keyring
+   # On other systems, download via package manager or use Docker approach below
+   ```
+
+### Building Images
+
+1. **Enter the development environment**:
+   ```bash
+   nix develop -c $SHELL
+   ```
+
+2. **Build a specific image**:
+   ```bash
+   # Build the BOB (searcher sandbox) image
+   mkosi --force -I bob.conf
+   
+   # Build the Buildernet image  
+   mkosi --force -I buildernet.conf
+   
+   # Build with development tools
+   mkosi --force -I bob.conf --profile=devtools
+   
+   # Build with Azure compatibility
+   mkosi --force -I bob.conf --profile=azure
+
+   # Build with both
+   mkosi --force -I bob.conf --profile=azure,devtools
+   ```
+
+### Running Images
+
+**Create persistent storage** (for stateful applications):
+   ```bash
+   qemu-img create -f qcow2 persistent.qcow2 2048G
+   ```
+
+**Run QEMU**:
+  ```bash
+  sudo qemu-system-x86_64 \
+    -enable-kvm \
+    -machine type=q35,smm=on \
+    -m 16384M \
+    -nographic \
+    -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd \
+    -drive file=/usr/share/edk2/x64/OVMF_VARS.4m.fd,if=pflash,format=raw \
+    -kernel build/tdx-debian.efi \
+    -netdev user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::8080-:8080 \
+    -device virtio-net-pci,netdev=net0 \
+    -device virtio-scsi-pci,id=scsi0 \
+    -drive file=persistent.qcow2,format=qcow2,if=none,id=disk0 \
+    -device scsi-hd,drive=disk0,bus=scsi0.0,channel=0,scsi-id=0,lun=10
+  ```
+
+**With TDX confidential computing** (requires TDX-enabled hardware/hypervisor):
+  ```bash
+  sudo qemu-system-x86_64 \
+    -accel kvm \
+    -machine type=q35,kernel_irqchip=split,confidential-guest-support=tdx0 \
+    -object tdx-guest,id=tdx0 \
+    -cpu host,-kvm-steal-time,-kvmclock \
+    -m 16384M \
+    -nographic \
+    -kernel build/tdx-debian.efi \
+    # ... rest of options same as above
+  ```
+
+> Depending on your Linux distro, these commands may require changing the supplied OVMF paths or installing your distro's OVMF package.
+
+## 📖 Documentation
+
+- [Development Guide](DEVELOPMENT.md) - Comprehensive guide for creating new modules and extending existing ones
+- [BOB Module Guide](bob/readme.md) - Detailed documentation for the MEV searcher environment
diff --git a/base/base.conf b/base/base.conf
@@ -4,6 +4,9 @@ Release=trixie
 
 [Build]
 PackageCacheDirectory=mkosi.cache
+Environment=KERNEL_IMAGE KERNEL_VERSION
+WithNetwork=true
+Incremental=true
 
 [Output]
 Format=uki
@@ -12,9 +15,6 @@ ImageId=tdx-debian
 OutputDirectory=build
 Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 
-[Host]
-# Incremental=true
-
 [Content]
 SourceDateEpoch=0
 KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
diff --git a/base/debloat-systemd.sh b/base/debloat-systemd.sh
@@ -9,6 +9,7 @@ systemd_svc_whitelist=(
     "sockets.target" 
     "local-fs.target"
     "local-fs-pre.target"
+    "network-online.target"
     "slices.target"
     "systemd-journald.service"
     "systemd-journald.socket"
diff --git a/flake.nix b/flake.nix
@@ -34,7 +34,7 @@
     devShells.${system}.default = pkgs.mkShell {
       nativeBuildInputs = [ pkgs.qemu mkosi ];
       shellHook = ''
-        mkdir -p mkosi.packages mkosi.cache mkosi.builddir
+        mkdir -p mkosi.packages mkosi.cache mkosi.builddir ~/.cache/mkosi
       '';
     };
   };
diff --git a/mkosi.profiles/devtools/mkosi.conf b/mkosi.profiles/devtools/mkosi.conf
@@ -1,6 +1,7 @@
 [Content]
 SkeletonTrees=serial-console.service:/etc/systemd/system/serial-console.service
 Packages=socat
+         openssh-server
          iputils-ping
          dnsutils
          strace
diff --git a/mkosi.profiles/devtools/mkosi.postinst b/mkosi.profiles/devtools/mkosi.postinst
@@ -1,3 +1,15 @@
 #!/bin/sh
+set -euxo pipefail
+
 mkosi-chroot passwd -u root
 echo "root:dqSPjo4p" | mkosi-chroot chpasswd
+
+if [ -f "$BUILDROOT/etc/default/dropbear" ]; then
+    # Remove -s, -w, -g flags from dropbear args
+    sed -i '/^DROPBEAR_EXTRA_ARGS=/s/-[swg] \?//g' "$BUILDROOT/etc/default/dropbear"
+else
+    echo "PermitRootLogin yes" >> "$BUILDROOT/etc/ssh/sshd_config"
+    echo "PasswordAuthentication yes" >> "$BUILDROOT/etc/ssh/sshd_config"
+    mkosi-chroot systemctl enable ssh.service
+    mkosi-chroot systemctl unmask ssh.service ssh.socket
+fi
diff --git a/readme.md b/readme.md
diff --git a/verify/Dockerfile b/verify/Dockerfile
@@ -0,0 +1,28 @@
+FROM debian:trixie
+
+# Update and install all required packages
+RUN apt-get update && apt-get install -y \
+    python3-requests \
+    python3-debian \
+    equivs \
+    mmdebstrap \
+    sbuild \
+    apt-utils \
+    wget \
+    vim \
+    curl \
+    gnupg \
+    devscripts \
+    dpkg-dev \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN echo "root:100000:65536" >> /etc/subuid && \
+    echo "root:100000:65536" >> /etc/subgid
+
+COPY verify.py /usr/local/bin/verify.py
+RUN chmod +x /usr/local/bin/verify.py
+
+WORKDIR /workspace
+
+ENTRYPOINT ["python3", "/usr/local/bin/verify.py"]
diff --git a/verify/verify-lite.py b/verify/verify-lite.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+
+import json
+import csv
+import requests
+from pathlib import Path
+from collections import defaultdict
+
+def fetch_status(arch):
+    """Fetch package reproducibility status from Debian CI."""
+    url = f"https://{arch}.reproduce.debian.net/api/v0/pkgs/list"
+    return {(p['name'], p['architecture']): p for p in requests.get(url).json()}
+
+def main():
+    # Load manifest
+    manifest = next(Path("build").glob("*.manifest"))
+    with open(manifest) as f:
+        packages = [p for p in json.load(f)["packages"] if p["type"] == "deb"]
+    
+    # Fetch status from Debian CI
+    print("Fetching reproducibility status from Debian CI...")
+    amd64_status = fetch_status("amd64")
+    all_status = fetch_status("all")
+    status_data = {**amd64_status, **all_status}
+    
+    # Analyze packages
+    results = []
+    stats = defaultdict(int)
+    
+    for pkg in packages:
+        name, version, arch = pkg["name"], pkg["version"], pkg["architecture"]
+        
+        # Look up status
+        ci_pkg = status_data.get((name, arch))
+        
+        if not ci_pkg:
+            status = "UNKNOWN"
+            ci_version = "N/A"
+        else:
+            status = ci_pkg["status"]
+            ci_version = ci_pkg["version"]
+        
+        version_match = version == ci_version
+        
+        results.append({
+            "name": name,
+            "architecture": arch,
+            "version": version,
+            "ci_version": ci_version,
+            "status": status,
+            "version_match": version_match
+        })
+        
+        stats[status] += 1
+        if not version_match and ci_pkg:
+            stats["VERSION_MISMATCH"] += 1
+    
+    # Write CSV report
+    with open("build/debian-ci-report.csv", 'w', newline='') as f:
+        writer = csv.DictWriter(f, ["name", "architecture", "version", "ci_version", "status", "version_match"])
+        writer.writeheader()
+        writer.writerows(results)
+    
+    # Print summary
+    total = len(results)
+    print(f"\n{'='*50}")
+    print(f"Total packages: {total}")
+    for status, count in sorted(stats.items()):
+        print(f"{status}: {count} ({count/total*100:.1f}%)")
+    
+    print(f"\nReport saved to: build/debian-ci-report.csv")
+
+if __name__ == "__main__":
+    main()
diff --git a/verify/verify.py b/verify/verify.py
