presently flashtestations demand that the builder runs under `root` (b/c while in the case of TPM or TDX via device we could still give the necessary permissions to a non-root user, in the case of `configfs`-based access that is simply not possible).
however, running such a complex service as `op-rbuilder/op-reth`, exposed to the internet and under a `root` account, is just plain asking for trouble. we mustn't do that.
instead we should extract the TDX quote producer into a separate sidecar service that would be simple and minimal, that would listen on the hardcoded `127.0.0.1` loopback (only the port number should be configurable), and which `op-rbuilder` would query via http to get the quote.
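
A std-only sketch of the sidecar proposed above, added here as an illustration and not code from op-rbuilder or flashtestations. The `/quote/<hex>` route, the default port 8080 and the `sidecar-<pid>` entry name are assumptions; the quote is read through the Linux configfs-tsm `inblob`/`outblob` files.

```rust
use std::io::{self, BufRead, BufReader, Write};
use std::net::{Ipv4Addr, SocketAddr, TcpListener, TcpStream};
use std::{env, fs, path::Path, process};
// Linux configfs-tsm report directory; creating entries here needs root.
const TSM_REPORT_DIR: &str = "/sys/kernel/config/tsm/report";

/// Bind address is fixed to loopback; only the port is configurable.
fn bind_addr(port: u16) -> SocketAddr {
    SocketAddr::from((Ipv4Addr::LOCALHOST, port))
}

/// Accept only `GET /quote/<128 hex chars>` (hypothetical route), i.e. 64 bytes of report data.
fn parse_report_data(request_line: &str) -> Option<[u8; 64]> {
    let mut parts = request_line.split_whitespace();
    if parts.next()? != "GET" { return None; }
    let hex = parts.next()?.strip_prefix("/quote/")?;
    if hex.len() != 128 || !hex.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
    let mut out = [0u8; 64];
    for (i, byte) in out.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&hex[2 * i..2 * i + 2], 16).ok()?;
    }
    Some(out)
}

/// Create a report entry, write the report data, read the quote back, remove the entry.
fn fetch_quote(root: &Path, report_data: &[u8; 64]) -> io::Result<Vec<u8>> {
    let entry = root.join(format!("sidecar-{}", process::id()));
    fs::create_dir(&entry)?;
    let quote = fs::write(entry.join("inblob"), report_data).and_then(|_| fs::read(entry.join("outblob")));
    let _ = fs::remove_dir(&entry);
    quote
}
/// Serve one request: the request line is the only client input that is interpreted.
fn handle(mut stream: TcpStream) -> io::Result<()> {
    let (mut reader, mut line, mut hdr) = (BufReader::new(stream.try_clone()?), String::new(), String::new());
    reader.read_line(&mut line)?;
    while reader.read_line(&mut hdr)? > 2 { hdr.clear(); } // drain headers up to the blank line
    let (status, body) = match parse_report_data(&line).map(|rd| fetch_quote(Path::new(TSM_REPORT_DIR), &rd)) {
        Some(Ok(quote)) => ("200 OK", quote),
        Some(Err(_)) => ("500 Internal Server Error", Vec::new()),
        None => ("400 Bad Request", Vec::new()),
    };
    write!(stream, "HTTP/1.1 {}\r\nContent-Length: {}\r\nConnection: close\r\n\r\n", status, body.len())?;
    stream.write_all(&body)
}

fn main() -> io::Result<()> {
    let port = env::args().nth(1).and_then(|p| p.parse::<u16>().ok()).unwrap_or(8080);
    for stream in TcpListener::bind(bind_addr(port))?.incoming() { let _ = stream.and_then(handle); }
    Ok(())
}
```

Requests are served one at a time, so concurrent requests never share the single configfs entry name.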