Set up buildconfigs for the nvidia system image

Bug: 289334314
Change-Id: If96137473471c8c728dc99f9660fafb64a46e23e

.github/workflows/build.yaml

@@ -25,6 +25,7 @@ jobs:
           - buildconfigs/oak_containers_syslogd.sh
           - buildconfigs/oak_containers_agent.sh
           - buildconfigs/oak_containers_system_image.sh
+          - buildconfigs/oak_containers_nvidia_system_image.sh
           - buildconfigs/oak_echo_enclave_app.sh
           - buildconfigs/oak_echo_raw_enclave_app.sh
           - buildconfigs/oak_functions_enclave_app.sh

.github/workflows/provenance.yaml

@@ -32,6 +32,7 @@ jobs:
           - buildconfigs/oak_containers_syslogd.toml
           - buildconfigs/oak_containers_agent.toml
           - buildconfigs/oak_containers_system_image.toml
+          - buildconfigs/oak_containers_nvidia_system_image.toml
           - buildconfigs/oak_echo_enclave_app.toml
           - buildconfigs/oak_echo_raw_enclave_app.toml
           - buildconfigs/oak_functions_enclave_app.toml

WORKSPACE

@@ -264,7 +264,7 @@ oci_pull(
 
 oci_pull(
     name = "oak_containers_nvidia_sysimage_base",
-    digest = "sha256:fdec1e1dff19a21899c40f5004fc2d9b8e1f047a4605657eea6119e387168611",
+    digest = "sha256:96c88f713b07fcfe1f049f42042bd7b39298dd8533e646f554c8a56064619851",
     image = "europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-nvidia-sysimage-base",
 )
 

buildconfigs/oak_containers_nvidia_system_image.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Build configuration for oak_containers_nvidiasystem_image.
+#
+export PACKAGE_NAME=oak_containers_nvidia_system_image
+
+export BUILD_COMMAND=(
+  nix
+  develop
+  .#systemImageProvenance
+  --command
+  just
+  oak_containers_nvidia_system_image
+)
+
+export SUBJECT_PATHS=(
+  oak_containers_system_image/target/nvidia_image.tar.xz
+)

buildconfigs/oak_containers_nvidia_system_image.toml

@@ -0,0 +1,12 @@
+# This is the static build configuration that we use with the docker-based SLSA3 generator for
+# building the system image that includes nvidia drivers, and its provenance.
+# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
+command = [
+  "nix",
+  "develop",
+  ".#systemImageProvenance",
+  "--command",
+  "just",
+  "oak_containers_nvidia_system_image",
+]
+artifact_path = "./oak_containers_system_image/target/nvidia_image.tar.xz"

justfile

@@ -212,7 +212,7 @@ cc_oak_containers_hello_world_container_bundle_tar:
 oak_containers_hello_world_untrusted_app:
     env cargo build --release --package='oak_containers_hello_world_untrusted_app'
 
-all_oak_containers_binaries: stage0_bin stage1_cpio oak_containers_kernel oak_containers_system_image oak_containers_hello_world_container_bundle_tar cc_oak_containers_hello_world_container_bundle_tar oak_containers_hello_world_untrusted_app
+all_oak_containers_binaries: stage0_bin stage1_cpio oak_containers_kernel oak_containers_system_image oak_containers_nvidia_system_image oak_containers_hello_world_container_bundle_tar cc_oak_containers_hello_world_container_bundle_tar oak_containers_hello_world_untrusted_app
 
 # Oak Functions Containers entry point.
 

kokoro/build_binaries_oak_containers.sh

@@ -31,6 +31,7 @@ readonly generated_binaries=(
     ./oak_containers_syslogd/target/oak_containers_syslogd_patched
     ./oak_containers_agent/target/oak_containers_agent_patched
     ./oak_containers_system_image/target/image.tar.xz
+    ./oak_containers_system_image/target/nvidia_image.tar.xz
     ./oak_containers_hello_world_container/target/oak_container_example_oci_filesystem_bundle.tar
     ./oak_functions_containers_container/target/oak_functions_container_oci_filesystem_bundle.tar
     ./oak_functions_containers_container/target/oak_functions_insecure_container_oci_filesystem_bundle.tar
@@ -42,6 +43,7 @@ readonly binary_names=(
     oak_containers_syslogd
     oak_containers_agent
     oak_containers_system_image
+    oak_containers_nvidia_system_image
     oak_containers_hello_world_container
     oak_functions_container
     oak_functions_insecure_container