Bootstrapping Reproducibility with StageX
The steps involved in going from a 256 byte compiler to a deterministic bit-for-bit reproducible Linux distribution.
The Problem: Is Your Toolchain Secure?
FROM stagex/openssl
COPY --from=stagex/musl . /
ENTRYPOINT ["/usr/bin/openssl"]
CMD ["rand", "-hex", "12"]
docker build -t stagex/openssl -f stagex-openssl.Containerfile .
docker run stagex/openssl
# Output: 2a2a2a2a2a2a2a2a2a2a2a2a
Minimalism and security-first Linux distribution
Approach the development of a secure toolchain by ensuring each component uses exactly what it needs to build, no more and no less.
Distribution | Signatures | Libc | Bootstrapped | Reproducible | Rust deps |
---|---|---|---|---|---|
Stagex | 2+ Human | Musl | Yes | Yes | 4 |
Debian | 1 Human | Glibc | No | Partial | 231 |
Arch | 1 Human | Glibc | No | Partial | 127 |
Fedora | 1 Bot | Glibc | No | No | 167 |
Alpine | None | Musl | No | No | 41 |
A Rust Example
# Target triple is declared once, before the first stage, and re-declared
# in every stage that uses it: ENV and ARG values do not carry across stages.
ARG TARGET=x86_64-unknown-linux-musl

FROM scratch AS fetch
ADD . /app

FROM stagex/pallet-rust AS build
ARG TARGET
COPY --from=fetch . /
COPY --from=stagex/nettle . /
COPY --from=stagex/gmp . /
# cargo must run where Cargo.toml lives; WORKDIR is per stage, so set it here
WORKDIR /app
RUN cargo build --release --target $TARGET

FROM stagex/filesystem AS package
ARG TARGET
COPY --from=build /app/target/$TARGET/release/hello /usr/bin/hello
CMD ["/usr/bin/hello"]
All packages in StageX are:
- Built using hash-locked sources
- Confirmed reproducible by multiple developers
- Signed by multiple release maintainers
Multi-Signed OCI Images
Multiple maintainers can each sign individual images, with the container runtime enforcing multiple signatures by maintainers to ensure no individual maintainer could have tampered with an image.
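The admission decision described above, as an added example that is not StageX's code or any container runtime's implementation. Real runtimes verify asymmetric signatures over the image digest; to run offline this example uses a per-maintainer HMAC as a labelled stand-in for the signature primitive, and the maintainer keyring and digests are constructed. What it shows is the policy itself: the image is admitted only when a threshold of distinct, known maintainers validly signed this exact digest, so one maintainer signing twice, an unknown key, or a signature over a different digest never counts.

```python
"""N-of-M maintainer signature policy for an OCI image digest (added illustration)."""
import hashlib
import hmac

# Constructed keyring: maintainer id -> verification key. In a real deployment
# these are public keys distributed out of band, not shared secrets.
KEYRING = {
    "alice": b"alice-constructed-key",
    "bob": b"bob-constructed-key",
    "carol": b"carol-constructed-key",
}


def sign(key: bytes, image_digest: str) -> str:
    """Stand-in signing primitive (HMAC-SHA256); not a real asymmetric signature."""
    return hmac.new(key, image_digest.encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, image_digest: str, signature: str) -> bool:
    """Constant-time comparison against a freshly computed stand-in signature."""
    return hmac.compare_digest(sign(key, image_digest), signature)


def admit(image_digest: str, signatures: list[tuple[str, str]],
          threshold: int = 2) -> tuple[bool, list[str]]:
    """Admit the image only if `threshold` distinct known maintainers signed this digest.

    signatures: (maintainer_id, signature) pairs as attached to the image.
    Returns (decision, reasons) so a rejection can be logged with its cause.
    """
    reasons: list[str] = []
    valid: set[str] = set()  # a set, so one maintainer signing twice counts once
    for maintainer, sig in signatures:
        key = KEYRING.get(maintainer)
        if key is None:
            reasons.append(f"unknown maintainer {maintainer!r} ignored")
            continue
        if not verify(key, image_digest, sig):
            # Covers both a forged signature and a valid signature over a
            # different digest: the signature is bound to the exact image.
            reasons.append(f"invalid signature from {maintainer!r} for this digest")
            continue
        valid.add(maintainer)
    if len(valid) < threshold:
        reasons.append(f"{len(valid)} valid distinct signer(s), need {threshold}")
        return False, reasons
    return True, reasons


if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32  # constructed image digest
    attached = [(m, sign(KEYRING[m], digest)) for m in ("alice", "bob")]
    print(admit(digest, attached))
```

The `reasons` list is returned rather than printed so the caller (an admission hook or CI gate) can log why an image was refused; the threshold defaults to 2 to match the "2+ Human" signature column in the table above.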
Common toolchain dependencies
StageX comes with developer-loved tooling and languages, such as:
- rust
- go
- python
- curl
- git
If you are interested in additional software being added, feel free to open a PR or let us know what you would like to see added.
Pallets
StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as:
- kubectl
- kustomize
- helm
- keyfork
- nginx
- redis
- postgres
We also ship pallets for building new images, such as the Rust pallet shown in the previous example.
Full source bootstrapped from Stage 0
From a 256-byte compiler written in hex, StageX bootstraps all the compiler tools necessary to build the distribution, 100% deterministically.
- Stage 0: Getting a basic C compiler on x86
- Stage 1: Building GCC for x86
- Stage 2: Upgrading GCC for x86_64
- Stage 3: Building up-to-date toolchains
- Stage X: Shipping the software you know and love
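To make the Stage 0 idea concrete, here is an added example, not StageX code, of a hex0-style "compiler" together with the reproducibility check that the later stages rely on. The input format is modelled on the hex0 tool of the bootstrappable-builds stage0 project (hex digit pairs, `#` or `;` comments to end of line, everything else ignored); this page does not state that StageX's 256-byte seed is exactly that tool, so treat the format as an assumption. The sample source is constructed. The point a reviewer should take away is that the seed is small enough to audit by eye, and that "reproducible" is a checkable property: compile independently more than once and require every output to hash to the pinned digest.

```python
"""Stage 0 in miniature: a hex0-style compiler plus a reproducibility check (added illustration)."""
import hashlib
import re

# Constructed sample "source": x86-64 machine code for a function that
# returns 42 (mov eax, 42 ; ret), written the way stage-0 sources are.
SAMPLE_SOURCE = """\
# return42: mov eax, 0x2a ; ret
B8 2A 00 00 00   # mov eax, 42
C3               ; ret
"""

HEX_DIGITS = "0123456789abcdefABCDEF"


def hex0_compile(source: str) -> bytes:
    """Translate hex0-style text into raw bytes.

    The entire "compiler" is: strip comments, keep hex digits, pair them up.
    Nothing else is interpreted, which is what makes a 256-byte seed auditable.
    """
    out = bytearray()
    pending = None  # high nibble waiting for its low nibble
    for line in source.splitlines():
        # '#' and ';' start a comment that runs to end of line.
        line = re.split(r"[#;]", line, maxsplit=1)[0]
        for ch in line:
            if ch not in HEX_DIGITS:
                continue  # whitespace and any other character is ignored
            if pending is None:
                pending = int(ch, 16)
            else:
                out.append(pending * 16 + int(ch, 16))
                pending = None
    if pending is not None:
        raise ValueError("odd number of hex digits in source")
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproducible(source: str, pinned_digest: str, runs: int = 2) -> bool:
    """Compile `runs` times independently; every output must match the pinned digest.

    A single matching build proves nothing about determinism; a set of digests
    that collapses to exactly the pinned value is what "reproducible" means here.
    """
    digests = {sha256_hex(hex0_compile(source)) for _ in range(runs)}
    return digests == {pinned_digest}


if __name__ == "__main__":
    binary = hex0_compile(SAMPLE_SOURCE)
    print(binary.hex(), sha256_hex(binary))
```

Note that the hex digits inside the comments (`0x2a`, `42`) never reach the output; comment stripping happens before digit collection, which is the one behaviour worth testing first when auditing a seed this small.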
OK, So What?
By using StageX, an entire family of supply chain vulnerabilities can be eliminated. Removing unnecessary software shrinks the attack surface, since software that is not shipped cannot be exploited or replaced, while deterministic builds make tampering detectable: any change to the build output shows up as a digest that no longer matches what other builders produced.
Because StageX can be used to build standalone Linux systems, it can also be used to generate bootable images without needing to ship unnecessary tooling such as a package manager or a compiler.
Solar Winds of Change
According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
- SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
- SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
- Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.
Key Takeaways
- StageX packages the software you're already using, securely.
- By leveraging Docker, we avoid mixing package managers and build contexts.
- Your software, at every point in the bootstrapped toolchain, can be built deterministically.
What's Next?
- Packaging more software and updating existing software faster
- Adding additional container runtimes like Podman and Kaniko
- Adding additional chip architecture support such as ARM and RISC-V
Links
Matrix Chat: #stagex:matrix.org
Git Repo: https://codeberg.org/stagex/stagex
Big thank you to sponsors who have supported the development of this project:
Turnkey, Distrust, Mysten Labs