presentations/stagex/index.md

14 KiB
Raw Permalink Blame History

_class paginate backgroundColor
lead true

bg left:40% 80%

Bootstrapping Reproducibility with StageX

The steps involved in going from a 256 byte compiler to a deterministic bit-for-bit reproducible Linux distribution.


The Problem: Is Your Toolchain Secure?

FROM stagex/openssl
COPY --from=stagex/musl . /
ENTRYPOINT ["/usr/bin/openssl"]
CMD ["rand", "-hex", "12"]

docker build -t stagex/openssl -f stagex-openssl.Containerfile .
docker run stagex/openssl
# Output: 2a2a2a2a2a2a2a2a2a2a2a2a

width: auto


Minimalism and security first Linux distribution

Approach the development of a secure toolchain by ensuring each component uses exactly what it needs to build - no more, no less.


Distribution Signatures Libc Bootstrapped Reproducible Rust deps
Stagex 2+ Human Musl Yes Yes 4
Debian 1 Human Glibc No Partial 231
Arch 1 Human Glibc No Partial 127
Fedora 1 Bot Glibc No No 167
Alpine None Musl No No 41

A Rust Example

FROM scratch AS fetch
ADD . /app
WORKDIR /app

FROM stagex/pallet-rust AS build
COPY --from=fetch . /
COPY --from=stagex/nettle . /
COPY --from=stagex/gmp . /
ENV TARGET=x86_64-unknown-linux-musl
RUN cargo build --release --target $TARGET

FROM stagex/filesystem AS package
COPY --from=build /app/target/$TARGET/release/hello /usr/bin/hello
CMD ["/usr/bin/hello"]

All packages in StageX are:

  • Built using hash-locked sources
  • Confirmed reproducible by multiple developers
  • Signed by multiple release maintainers

bg right:35% 80%


Multi-Signed OCI Images

Multiple maintainers can each sign individual images, with the container runtime enforcing multiple signatures by maintainers to ensure no individual maintainer could have tampered with an image.


Common toolchain dependencies

StageX comes with developer-loved tooling and languages, such as:

  • rust
  • go
  • python
  • curl
  • git

If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.


Pallets

StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as:

  • kubectl, kustomize, helm
  • keyfork
  • nginx
  • redis
  • postgres

We also ship pallets for building new images, such as the Rust pallet shown in the previous example.


Full source bootstrapped from Stage 0

From a 256-byte compiler written in hex, StageX bootstraps all the compiler tools necessary to build the distribution, 100% deterministically.

  • Stage 0: Getting a basic C compiler on x86
  • Stage 1: Building GCC for x86
  • Stage 2: Upgrading GCC for x86_64
  • Stage 3: Building up-to-date toolchains
  • Stage X: Shipping the software you know and love

OK, So What?

By using stagex, an entire family of supply chain vulnerabilities can be eliminated. Removing unnecessary software reduces the attack surface of potentially malicious software, while deterministic builds help ensure software hasn't been tampered with.

Because StageX can be used to build standalone Linux systems, it can also be used to generate bootable images without needing to ship unnecessary tooling such as a package manager or a compiler.


Solar Winds of Change

According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

  • SUNSPOT is StellarParticles malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversarys presence.

Key Takeaways

  • StageX packages the software you're already using, securely.
  • By leveraging Docker, we avoid mixing package managers and build contexts.
  • Your software, at every point in the bootstrapped toolchain, can all be built deterministically.

What's Next?

Packaging more software and updating existing software faster

Adding additional container runtimes like Podman and Kaniko

Adding additional chip architecture support such as ARM and RISC-V


Links

Matrix Chat: #stagex:matrix.org

Git Repo: https://codeberg.org/stagex/stagex

Big thank you to sponsors who have supported the development of this project:

Turnkey, Distrust, Mysten Labs