@blenessy
blenessy / cargo_release_no_panic.md
Created September 24, 2023 19:42
cargo release-no-panic

Introduction

Rust toolchain for building really small static binaries, without excluding the whole std lib. The default target (x86_64-unknown-linux-musl) gives you a ~50 KiB statically linked "Hello World" binary.

Usage

  1. Include both config.toml and rust-toolchain.toml in your project.
  2. Build with cargo release-no-panic when you want a release build without the standard Rust panic handler.
@blenessy
blenessy / tiny_static_rust_app.md
Created September 17, 2023 11:34
Tiny Static Rust Application

There are lots of confusing blogs from 2018 - 2019 on how to build no_std Rust apps for embedded systems. However, there are very few that target amd64 Linux (POSIX) systems where you want to keep most of the Rust goodies - including stdlib - and just throw away the stuff you can live without (like the native panic handler).

Before I begin, the following blogs are great and had almost what I need. The only thing missing (on this gist) is static linking with MUSL libc:

  1. A very small Rust binary indeed
  2. Minimizing Rust Binary Size
@blenessy
blenessy / oci2krun.md
Last active December 30, 2022 14:43
Generate a LUKS2 encrypted disk image for running with libkrun-sev.so

Introduction

The oci2krun.sh script solves the same problem as the oci2cw project in a less complex way. It can convert a valid OCI (Docker, Podman) image to a LUKS2-encrypted disk image, which you can then launch in an AMD SEV-ES/SNP-enabled TEE.

The script in question assumes that you are running it on Linux as the root user. Running as root is very uncomfortable for most (for good reason), so please do your own review (< 100 LoC) to convince yourself that it is not doing anything malicious:

@blenessy
blenessy / jammy-amd-sev-snp.md
Created December 4, 2022 11:40
Building the 5.19 kernel with AMD SEV-SNP patches on/for Ubuntu 22.04 and later

Getting AMD SEV-SNP to work on Ubuntu 22.04

If you opened the champagne after the [AMD SEV-SNP Finally Being Merged In Linux 5.19][1] article like I did, you started celebrating too early it seems. You are likely missing essential patches from AMD's [sev-snp-iommu-avic_5.19-rc6_v4][2] branch.

This gist will properly enable AMD SEV-SNP support on 22.04 and later (works with 22.10 as well).

Before we begin - this is what success looks like on my Dell R6515 (with AMD EPYC 7313P). If this is NOT what you are getting then you should keep reading:

@blenessy
blenessy / Makefile.docker
Last active June 1, 2023 14:16
Generic make wrapper
# SPDX-License-Identifier: Unlicense
# TODO: change the image name
DOCKER_IMAGE_NAME := buildroot-builder
# TODO: change the Dockerfile contents
define DOCKERFILE
FROM debian:11-slim
RUN apt-get update \
@blenessy
blenessy / keybase.md
Created March 17, 2018 11:05
keybase.md

Keybase proof

I hereby claim:

  • I am blenessy on github.
  • I am zalan (https://keybase.io/zalan) on keybase.
  • I have a public key whose fingerprint is 2D3E 97B3 7435 CA9A B159 714F DA8E 9229 3C83 1D30

To claim this, I am signing this object: