The Super Protocol confidential virtual machine image.

To be able to use mount, losetup, etc. inside a chroot during the Docker build, you need a builder that allows the `security.insecure` entitlement (build steps then run with elevated privileges, so keep this builder dedicated to this build):

```sh
docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure'
docker buildx build -t sp-vm --allow security.insecure src --output type=local,dest=./out
```

Optional build arguments can be passed with `docker --build-arg`:

- SP_VM_IMAGE_VERSION - build tag
- S3_BUCKET - only used for vm.json; default: local

Example:

```sh
docker buildx build -t sp-vm --allow security.insecure src --output type=local,dest=./out --build-arg SP_VM_IMAGE_VERSION=build-0 --build-arg S3_BUCKET=test
```

The build artifacts will be located in the $(pwd)/out directory.

The start_superprotocol.sh script will require changes in the future, but for now you can test the VM using the following steps.
First create the state disk and the provider config image. The contents of the profconf/ directory are copied into a 1 MiB ext4 image labelled provider_config, which is attached through a loop device for the copy:

```sh
qemu-img create -f qcow2 state.qcow2 500G
dd if=/dev/zero of=provider.img bs=1M count=1
mkfs.ext4 -O ^has_journal,^huge_file,^meta_bg,^ext_attr -L provider_config provider.img
DEVICE="$(losetup --find --show --partscan provider.img)"
mount "$DEVICE" /mnt
cp -r profconf/* /mnt/
rm -rf /mnt/lost+found
umount /mnt
losetup -d "$DEVICE"
```

Then start the VM with the built image, the state disk and the provider image attached as virtio drives:

```sh
/usr/bin/qemu-system-x86_64 \
  -enable-kvm \
  -smp cores=10 \
  -m 30G \
  -cpu host,-kvm-steal-time,pmu=off \
  -machine q35,kernel_irqchip=split \
  -device virtio-net-pci,netdev=nic_id0,mac=52:54:00:12:34:56 \
  -netdev user,id=nic_id0 \
  -nographic \
  -vga none \
  -nodefaults \
  -serial stdio \
  -device vhost-vsock-pci,guest-cid=4 \
  -fw_cfg name=opt/ovmf/X-PciMmio64,string=262144 \
  -drive file=sp_build-228.img,if=virtio,format=raw \
  -drive file=state.qcow2,if=virtio,format=qcow2 \
  -drive file=provider.img,if=virtio,format=raw
```

Some parts of the code, including kernel configs, were taken from or inspired by Kata Containers, which is distributed under the Apache-2.0 license.
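The provider-image steps above are chained with `;`, so a failing mount or copy leaves the loop device attached and /mnt mounted. The script below is an added example (not code from the Super Protocol repository) that wraps those same steps with cleanup on failure and adds a preflight check of the three disks the QEMU command line expects; the function names, the qcow2 magic check and the use of a temporary mount point instead of /mnt are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the Super Protocol repository: the README's
# provider.img steps with guaranteed unmount/detach, plus a disk preflight.
set -eu

# Build provider.img from a directory of provider config files (root is
# needed for losetup/mount).  Usage: make_provider_image profconf provider.img
make_provider_image() {
    src="$1"; img="$2"
    mnt="$(mktemp -d)"          # temporary mount point instead of /mnt
    dev=""
    cleanup() {
        umount "$mnt" 2>/dev/null || true              # no-op if not mounted
        if [ -n "$dev" ]; then losetup -d "$dev"; dev=""; fi
        if [ -d "$mnt" ]; then rmdir "$mnt"; fi
    }
    trap cleanup EXIT                                  # also runs on error
    dd if=/dev/zero of="$img" bs=1M count=1
    mkfs.ext4 -O ^has_journal,^huge_file,^meta_bg,^ext_attr -L provider_config "$img"
    dev="$(losetup --find --show --partscan "$img")"
    mount "$dev" "$mnt"
    cp -r "$src"/. "$mnt"/                             # includes dotfiles
    rm -rf "$mnt/lost+found"
    cleanup                                            # success path
    trap - EXIT
}

# Check the three disks on the README's QEMU line: both raw images must be
# readable and the state disk must start with the qcow2 magic ("QFI" then
# byte 0xfb).  Returns 1 and prints the reason on the first problem found.
# Usage: check_vm_disks sp_build-228.img state.qcow2 provider.img
check_vm_disks() {
    rootfs="$1"; state="$2"; provider="$3"
    for f in "$rootfs" "$provider"; do
        if [ ! -r "$f" ]; then echo "missing raw image: $f" >&2; return 1; fi
    done
    if [ ! -r "$state" ]; then echo "missing state disk: $state" >&2; return 1; fi
    magic="$(head -c 4 "$state" | od -An -tx1 | tr -d ' \n')"
    if [ "$magic" != "514649fb" ]; then echo "$state is not qcow2" >&2; return 1; fi
    return 0
}
```

Run `check_vm_disks` right before the qemu-system-x86_64 invocation so a missing or mistyped image name fails early instead of producing a VM that boots without its provider config.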