From 33368859d907ef357073112f108f358872dd7a02 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:41:31 +0000
Subject: [PATCH 1/4] qemu/nemu: remove blacklisted binaries

Remove blacklisted binaries, since they are not needed in kata and may have CVEs.

fixes #311

Signed-off-by: Julio Montes
---
 static-build/nemu/build-static-nemu.sh | 6 ++++
 static-build/qemu.blacklist | 38 ++++++++++++++++++++++++++
 static-build/qemu/build-static-qemu.sh | 6 ++++
 3 files changed, 50 insertions(+)
 create mode 100644 static-build/qemu.blacklist

diff --git a/static-build/nemu/build-static-nemu.sh b/static-build/nemu/build-static-nemu.sh
index 2e07da6ea..f1027c2aa 100755
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 config_dir="${script_dir}/../../scripts/"
 nemu_tar="kata-nemu-static.tar.gz"
+nemu_tmp_tar="kata-nemu-static-tmp.tar.gz"
 Dockerfile="Dockerfile"
 if [ $# -ne 0 ];then
@@ -94,3 +96,7 @@ sudo docker run \
 mv "/tmp/nemu-static/${nemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${nemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${nemu_tmp_tar}"
+mv -f "${nemu_tmp_tar}" "${nemu_tar}"
diff --git a/static-build/qemu.blacklist b/static-build/qemu.blacklist
new file mode 100644
index 000000000..558459676
--- /dev/null
+++ b/static-build/qemu.blacklist
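Review bot: `${qemu_black_list[*]}` on the new `tar --delete` line is unquoted, so every blacklist entry goes through shell pathname expansion against the caller's working directory before tar sees it; a stray local match (say a `*/share/*/keymaps/` tree under the build directory) would replace the pattern with local paths and the intended archive member would quietly survive in the tarball. Because `--wildcards` already makes tar do the matching, the entries should reach it verbatim and as separate arguments: `gzip -d < "${nemu_tar}" | tar --delete --wildcards -f - "${qemu_black_list[@]}" | gzip > "${nemu_tmp_tar}"`. A silently unmatched pattern is the failure mode to worry about here, so a one-line post-check such as `tar -tzf "${nemu_tar}" | grep -q 'qemu-pr-helper' && exit 1` (or whatever error helper lib.sh provides) would make the stripping verifiable. The identical line is added to build-static-qemu.sh in the next file and needs the same treatment.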
@@ -0,0 +1,38 @@
+#
+# List of blacklisted files that are not
+# required in kata and may have CVEs.
+#
+qemu_black_list=(
+*/bin/qemu-pr-helper
+*/bin/virtfs-proxy-helper
+*/libexec/
+*/share/*/applications/
+*/share/*/*.dtb
+*/share/*/efi-e1000e.rom
+*/share/*/efi-e1000.rom
+*/share/*/efi-eepro100.rom
+*/share/*/efi-ne2k_pci.rom
+*/share/*/efi-pcnet.rom
+*/share/*/efi-rtl8139.rom
+*/share/*/efi-vmxnet3.rom
+*/share/*/icons/
+*/share/*/*.img
+*/share/*/keymaps/
+*/share/*/multiboot.bin
+*/share/*/openbios-ppc
+*/share/*/openbios-sparc32
+*/share/*/openbios-sparc64
+*/share/*/palcode-clipper
+*/share/*/ppc_rom.bin
+*/share/*/pvh.bin
+*/share/*/pxe-*
+*/share/*/QEMU,*
+*/share/*/qemu_vga.ndrv
+*/share/*/sgabios.bin
+*/share/*/skiboot.lid
+*/share/*/slof.bin
+*/share/*/spapr-rtas.bin
+*/share/*/trace-events-all
+*/share/*/u-boot*
+*/share/*/vgabios*
+)
diff --git a/static-build/qemu/build-static-qemu.sh b/static-build/qemu/build-static-qemu.sh
index d2986897c..030e142c5 100755
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
@@ -11,9 +11,11 @@ set -o pipefail
 script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${script_dir}/../../scripts/lib.sh"
+source "${script_dir}/../qemu.blacklist"
 packaging_dir="${script_dir}/../.."
 qemu_tar="kata-qemu-static.tar.gz"
+qemu_tmp_tar="kata-qemu-static-tmp.tar.gz"
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
@@ -54,3 +56,7 @@ sudo docker run \
 mv "/tmp/qemu-static/${qemu_tar}" /share/
 sudo chown ${USER}:${USER} "${PWD}/${qemu_tar}"
+
+# Remove blacklisted binaries
+gzip -d < "${qemu_tar}" | tar --delete --wildcards -f - ${qemu_black_list[*]} | gzip > "${qemu_tmp_tar}"
+mv -f "${qemu_tmp_tar}" "${qemu_tar}"

From 7892608589f9abe5960e7b08b3bc4250b5ca4487 Mon Sep 17 00:00:00 2001
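Review bot: Every entry of `qemu_black_list` is an unquoted glob inside an array literal, and bash applies pathname expansion to those words at the moment build-static-qemu.sh and build-static-nemu.sh `source` this file, so if a build is started from a directory in which e.g. `*/share/*/*.img` happens to match, that entry is replaced by local paths and the corresponding archive members are no longer deleted. Quoting each element, `'*/bin/qemu-pr-helper'`, keeps the patterns literal until tar's `--wildcards` matching sees them. The header would also benefit from saying what the file is, since the `.blacklist` suffix hides that it is executed shell: `# Sourced by static-build/*/build-static-*.sh; entries are GNU tar --wildcards patterns and must stay quoted so the shell does not expand them.`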
From: Julio Montes
Date: Wed, 14 Aug 2019 17:48:28 +0000
Subject: [PATCH 2/4] static-build/qemu: use the latest ubuntu long term to build qemu

In theory the latest ubuntu long term may have less CVE than previous versions, so let's use it to build the static QEMU.

Signed-off-by: Julio Montes
---
 static-build/qemu/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/static-build/qemu/Dockerfile b/static-build/qemu/Dockerfile
index 410a17e2c..1bc492590 100644
--- a/static-build/qemu/Dockerfile
+++ b/static-build/qemu/Dockerfile
@@ -1,4 +1,4 @@
-from ubuntu:16.04
+from ubuntu:18.04
 ARG QEMU_REPO
 # commit/tag/branch

From decb9de7df38ba302e82a2571374058f747990ff Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:53:22 +0000
Subject: [PATCH 3/4] static-build: do not use cache to build docker images

Do not use cache to build the docker images that build static qemu and nemu. The latest version of the packages must be installed, since they may include the fixes for theirs CVEs.

Signed-off-by: Julio Montes
---
 static-build/nemu/build-static-nemu.sh | 1 +
 static-build/qemu/build-static-qemu.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/static-build/nemu/build-static-nemu.sh b/static-build/nemu/build-static-nemu.sh
index f1027c2aa..bc1f7957e 100755
--- a/static-build/nemu/build-static-nemu.sh
+++ b/static-build/nemu/build-static-nemu.sh
@@ -76,6 +76,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 sudo docker build \
+ --no-cache \
 --build-arg http_proxy="${http_proxy}" \
 --build-arg https_proxy="${https_proxy}" \
 --build-arg NEMU_REPO="${nemu_repo}" \
diff --git a/static-build/qemu/build-static-qemu.sh b/static-build/qemu/build-static-qemu.sh
index 030e142c5..7e46c837e 100755
--- a/static-build/qemu/build-static-qemu.sh
+++ b/static-build/qemu/build-static-qemu.sh
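Review bot: `--no-cache` forces every layer of the Dockerfile to be rebuilt, but it does not refresh the base image: if an older `ubuntu` image with the same tag is already present on the build host, docker keeps using it, so the build the commit message wants to be current still starts from a stale base layer. Adding `--pull` next to the new flag (`--no-cache \` / `--pull \`) makes docker fetch the current base image on every build, which is the only way the package upgrades inside the image start from a fresh baseline. The same applies to the build-static-qemu.sh hunk that follows. The `sudo docker build` command continues past the end of this hunk.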
@@ -41,6 +41,7 @@ https_proxy="${https_proxy:-}"
 prefix="${prefix:-"/opt/kata"}"
 sudo docker build \
+ --no-cache \
 --build-arg http_proxy="${http_proxy}" \
 --build-arg https_proxy="${https_proxy}" \
 --build-arg QEMU_REPO="${qemu_repo}" \

From c79a01b3f95450eedba3b4354334e1f3d55f3fa8 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 14 Aug 2019 17:57:26 +0000
Subject: [PATCH 4/4] static-build: upgrade the container before building qemu and nemu

Upgrade the container before building qemu and nemu in order to install the latest fixes for the CVEs.

fixes #676

Signed-off-by: Julio Montes
---
 static-build/nemu/Dockerfile | 2 +-
 static-build/qemu/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/static-build/nemu/Dockerfile b/static-build/nemu/Dockerfile
index f8c52f29e..61ea52420 100644
--- a/static-build/nemu/Dockerfile
+++ b/static-build/nemu/Dockerfile
@@ -12,7 +12,7 @@ ARG VIRTIOFSD
 ARG PREFIX
 WORKDIR /root/nemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 autoconf \
 automake \
diff --git a/static-build/qemu/Dockerfile b/static-build/qemu/Dockerfile
index 1bc492590..3d79f853d 100644
--- a/static-build/qemu/Dockerfile
+++ b/static-build/qemu/Dockerfile
@@ -6,7 +6,7 @@ ARG QEMU_VERSION
 ARG PREFIX
 WORKDIR /root/qemu
-RUN apt-get update
+RUN apt-get update && apt-get upgrade -y
 RUN apt-get install -y \
 autoconf \
 automake \
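Review bot: `apt-get upgrade -y` on the new RUN line never installs new packages or removes existing ones, so any security update whose dependencies changed is listed as "kept back" and silently skipped, which defeats the stated purpose of the commit. `RUN apt-get update && apt-get dist-upgrade -y` applies those updates too and is the one-line change, in this nemu Dockerfile and in the qemu Dockerfile below. It is also worth a comment saying why the upgrade matters for a static build, since only the libraries linked into the QEMU/NEMU binary affect the shipped artifact and that presumably is the intent: `# upgrade so the -dev libraries linked into the static binary carry current fixes`. The `apt-get install` package list continues past the end of the hunk.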