ci: format shellscripts

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Paul Meyer 2022-11-10 14:17:04 +01:00
parent fd9dfb500d
commit 106b738fab
29 changed files with 923 additions and 888 deletions


@ -2,42 +2,42 @@
# Usage: ./aws-logs.sh <region> # Usage: ./aws-logs.sh <region>
controlAutoscalingGroup=$(\ controlAutoscalingGroup=$(
terraform show -json | \ terraform show -json |
jq -r .'values.root_module.child_modules[] | jq -r .'values.root_module.child_modules[] |
select(.address == "module.instance_group_control_plane") | select(.address == "module.instance_group_control_plane") |
.resources[0].values.name' \ .resources[0].values.name'
) )
workerAutoscalingGroup=$(\ workerAutoscalingGroup=$(
terraform show -json | \ terraform show -json |
jq -r .'values.root_module.child_modules[] | jq -r .'values.root_module.child_modules[] |
select(.address == "module.instance_group_worker_nodes") | select(.address == "module.instance_group_worker_nodes") |
.resources[0].values.name' \ .resources[0].values.name'
) )
controlInstances=$(\ controlInstances=$(
aws autoscaling describe-auto-scaling-groups \ aws autoscaling describe-auto-scaling-groups \
--region "${1}" \ --region "${1}" \
--no-paginate \ --no-paginate \
--output json \ --output json \
--auto-scaling-group-names "${controlAutoscalingGroup}" | \ --auto-scaling-group-names "${controlAutoscalingGroup}" |
jq -r '.AutoScalingGroups[0].Instances[].InstanceId' \ jq -r '.AutoScalingGroups[0].Instances[].InstanceId'
) )
workerInstances=$(\ workerInstances=$(
aws autoscaling describe-auto-scaling-groups \ aws autoscaling describe-auto-scaling-groups \
--region "${1}" \ --region "${1}" \
--no-paginate \ --no-paginate \
--output json \ --output json \
--auto-scaling-group-names "${workerAutoscalingGroup}" | \ --auto-scaling-group-names "${workerAutoscalingGroup}" |
jq -r '.AutoScalingGroups[0].Instances[].InstanceId' \ jq -r '.AutoScalingGroups[0].Instances[].InstanceId'
) )
echo "Fetching logs from control planes: ${controlInstances}" echo "Fetching logs from control planes: ${controlInstances}"
for instance in ${controlInstances}; do for instance in ${controlInstances}; do
printf "Fetching for %s\n" "${instance}" printf "Fetching for %s\n" "${instance}"
aws ec2 get-console-output --region "${1}" --instance-id "${instance}" | \ aws ec2 get-console-output --region "${1}" --instance-id "${instance}" |
jq -r .'Output' | \ jq -r .'Output' |
tail -n +2 > control-plane-"${instance}".log tail -n +2 > control-plane-"${instance}".log
done done
@ -45,7 +45,7 @@ echo "Fetching logs from worker nodes: ${workerInstances}"
for instance in ${workerInstances}; do for instance in ${workerInstances}; do
printf "Fetching for %s\n" "${instance}" printf "Fetching for %s\n" "${instance}"
aws ec2 get-console-output --region "${1}" --instance-id "${instance}" | \ aws ec2 get-console-output --region "${1}" --instance-id "${instance}" |
jq -r .'Output' | \ jq -r .'Output' |
tail -n +2 > worker-"${instance}".log tail -n +2 > worker-"${instance}".log
done done
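Review bot: The region argument `$1` is passed straight into the `aws ... --region "${1}"` calls without any check, and no `set -u` or usage guard is visible in this section (line 1 of the file is outside the hunk), so running the script with no argument sends an empty `--region` to the CLI. A guard directly after the usage comment makes the documented contract enforceable: `: "${1:?usage: $0 <region>}"`. The unquoted `${controlInstances}` and `${workerInstances}` in the two `for` loops are relied upon to word-split the newline-separated jq output; a short comment such as `# unquoted on purpose: split jq output on newlines` would stop a later quoting pass from breaking the loops.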


@ -13,10 +13,21 @@ subscription=$(az account show | jq -r .id)
printf "Checking scalesets %s\n" "${scalesetslist}" printf "Checking scalesets %s\n" "${scalesetslist}"
for scaleset in ${scalesetslist}; do for scaleset in ${scalesetslist}; do
instanceids=$(az vmss list-instances --resource-group "${1}" --name "${scaleset}" -o json | jq -r '.[] | .instanceId') instanceids=$(
az vmss list-instances \
--resource-group "${1}" \
--name "${scaleset}" \
-o json |
jq -r '.[] | .instanceId'
)
printf "Checking instance IDs %s\n" "${instanceids}" printf "Checking instance IDs %s\n" "${instanceids}"
for instanceid in ${instanceids}; do for instanceid in ${instanceids}; do
bloburi=$(az rest --method post --url https://management.azure.com/subscriptions/"${subscription}"/resourceGroups/"${1}"/providers/Microsoft.Compute/virtualMachineScaleSets/"${scaleset}"/virtualmachines/"${instanceid}"/retrieveBootDiagnosticsData?api-version=2022-03-01 | jq '.serialConsoleLogBlobUri' -r) bloburi=$(
az rest \
--method post \
--url https://management.azure.com/subscriptions/"${subscription}"/resourceGroups/"${1}"/providers/Microsoft.Compute/virtualMachineScaleSets/"${scaleset}"/virtualmachines/"${instanceid}"/retrieveBootDiagnosticsData?api-version=2022-03-01 |
jq '.serialConsoleLogBlobUri' -r
)
sleep 4 sleep 4
curl -sL -o "./${scaleset}-${instanceid}.log" "${bloburi}" curl -sL -o "./${scaleset}-${instanceid}.log" "${bloburi}"
realpath "./${scaleset}-${instanceid}.log" realpath "./${scaleset}-${instanceid}.log"
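Review bot: `curl -sL -o "./${scaleset}-${instanceid}.log" "${bloburi}"` has no `--fail`, so if the `retrieveBootDiagnosticsData` call yields no URI (`jq -r` then prints the string `null`) or the blob URL is rejected, curl writes the HTTP error body into the `.log` file and the following `realpath` still reports it as a successful download. Suggest `curl -sSL --fail -o "./${scaleset}-${instanceid}.log" "${bloburi}"` and a check before the sleep: `[[ -n ${bloburi} && ${bloburi} != null ]] || continue`. The fixed `sleep 4` between requesting the diagnostics and fetching the blob presumably waits for the blob to become available; a one-line comment saying so would help. Both enclosing `for` loops continue past the end of the hunk.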


@ -3,9 +3,9 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
controlInstanceGroup=$(terraform show -json | jq -r .'values.root_module.child_modules[] | select(.address == "module.instance_group_control_plane") | .resources[0].values.base_instance_name' ) controlInstanceGroup=$(terraform show -json | jq -r .'values.root_module.child_modules[] | select(.address == "module.instance_group_control_plane") | .resources[0].values.base_instance_name')
workerInstanceGroup=$(terraform show -json | jq -r .'values.root_module.child_modules[] | select(.address == "module.instance_group_worker") | .resources[0].values.base_instance_name') workerInstanceGroup=$(terraform show -json | jq -r .'values.root_module.child_modules[] | select(.address == "module.instance_group_worker") | .resources[0].values.base_instance_name')
zone=$(terraform show -json | jq -r .'values.root_module.child_modules[] | select(.address == "module.instance_group_control_plane") | .resources[0].values.zone' ) zone=$(terraform show -json | jq -r .'values.root_module.child_modules[] | select(.address == "module.instance_group_control_plane") | .resources[0].values.zone')
controlInstanceGroup=${controlInstanceGroup##*/} controlInstanceGroup=${controlInstanceGroup##*/}
workerInstanceGroupShort=${workerInstanceGroup##*/} workerInstanceGroupShort=${workerInstanceGroup##*/}


@ -3,7 +3,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
SCRIPTDIR="$(dirname -- "$(realpath "${BASH_SOURCE[0]}")"; )"; SCRIPTDIR="$(dirname -- "$(realpath "${BASH_SOURCE[0]}")")"
RG=$(jq -r .azureresourcegroup constellation-state.json) RG=$(jq -r .azureresourcegroup constellation-state.json)
SUBNET=$(jq -r .azuresubnet constellation-state.json) SUBNET=$(jq -r .azuresubnet constellation-state.json)
VNET=${SUBNET%"/subnets/nodeNetwork"} VNET=${SUBNET%"/subnets/nodeNetwork"}
@ -21,7 +21,13 @@ az deployment group create \
--parameters "{ \"subnetRef\": { \"value\": \"${SUBNET}\" } }" \ --parameters "{ \"subnetRef\": { \"value\": \"${SUBNET}\" } }" \
--parameters "{ \"adminPublicKey\": { \"value\": \"${PUBKEY}\" } }" --parameters "{ \"adminPublicKey\": { \"value\": \"${PUBKEY}\" } }"
az deployment group wait --created --name "${DEPLOYMENT_NAME}" --resource-group "${RG}" az deployment group wait --created --name "${DEPLOYMENT_NAME}" --resource-group "${RG}"
PUBIP=$(az vm list-ip-addresses --resource-group "${RG}" --name "${VM_NAME}" --query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" --output tsv) PUBIP=$(
az vm list-ip-addresses \
--resource-group "${RG}" \
--name "${VM_NAME}" \
--query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" \
--output tsv
)
echo "Jump host created. Cleanup by deleteing the resource group." echo "Jump host created. Cleanup by deleteing the resource group."
echo "Connect to the jump host with the following command:" echo "Connect to the jump host with the following command:"
echo -e "ssh azureuser@${PUBIP}\n" echo -e "ssh azureuser@${PUBIP}\n"
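Review bot: `echo -e "ssh azureuser@${PUBIP}\n"` depends on the non-portable `-e` flag, and the user-facing message two lines above misspells "deleting" (`deleteing`); neither is touched by the reformat. Suggest `printf 'ssh azureuser@%s\n\n' "${PUBIP}"` and `echo "Jump host created. Cleanup by deleting the resource group."`. The multi-line `PUBIP=$( az vm list-ip-addresses ... --output tsv )` is never checked for an empty result; the JMESPath `[].virtualMachine.network.publicIpAddresses[0].ipAddress` yields nothing when the VM has no public address, so `[[ -n ${PUBIP} ]] || { echo "no public IP found for ${VM_NAME}" >&2; exit 1; }` before the final echo lines would fail loudly instead of printing an unusable ssh command.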


@ -13,23 +13,23 @@ not_allowed() {
go mod download go mod download
go-licenses csv ./... | { go-licenses csv ./... | {
while read -r line; do while read -r line; do
pkg=${line%%,*} pkg=${line%%,*}
lic=${line##*,} lic=${line##*,}
case ${lic} in case ${lic} in
Apache-2.0|BSD-2-Clause|BSD-3-Clause|ISC|MIT) Apache-2.0 | BSD-2-Clause | BSD-3-Clause | ISC | MIT) ;;
;;
\
MPL-2.0) MPL-2.0)
case ${pkg} in case ${pkg} in
github.com/talos-systems/talos/pkg/machinery/config/encoder) github.com/talos-systems/talos/pkg/machinery/config/encoder) ;;
;;
github.com/letsencrypt/boulder) github.com/letsencrypt/boulder) ;;
;;
github.com/hashicorp/*) github.com/hashicorp/*) ;;
;;
*) *)
not_allowed not_allowed
;; ;;
@ -38,8 +38,8 @@ while read -r line; do
AGPL-3.0) AGPL-3.0)
case ${pkg} in case ${pkg} in
github.com/edgelesssys/constellation/v2) github.com/edgelesssys/constellation/v2) ;;
;;
*) *)
not_allowed not_allowed
;; ;;
@ -60,6 +60,6 @@ while read -r line; do
;; ;;
esac esac
done done
exit "${err}" exit "${err}"
} }


@ -3,20 +3,36 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
LATEST_AZURE_RUNS=$(gh run list -R edgelesssys/constellation -w 'e2e Test Azure' --json databaseId -q '.[].databaseId') LATEST_AZURE_RUNS=$(
gh run list \
-R edgelesssys/constellation \
-w 'e2e Test Azure' \
--json databaseId \
-q '.[].databaseId'
)
echo "${LATEST_AZURE_RUNS}" echo "${LATEST_AZURE_RUNS}"
for RUN_ID in ${LATEST_AZURE_RUNS} for RUN_ID in ${LATEST_AZURE_RUNS}; do
do
# Might fail, because no state was written, because e2e pipeline failed early # Might fail, because no state was written, because e2e pipeline failed early
# Or, because state was downloaded by earlier run of this script # Or, because state was downloaded by earlier run of this script
gh run download "${RUN_ID}" -R edgelesssys/constellation -n constellation-state.json -D azure/"${RUN_ID}" || true gh run download "${RUN_ID}" \
-R edgelesssys/constellation \
-n constellation-state.json \
-D azure/"${RUN_ID}" || true
done done
LATEST_GCP_RUNS=$(gh run list -R edgelesssys/constellation -w 'e2e Test GCP' --json databaseId -q '.[].databaseId') LATEST_GCP_RUNS=$(
gh run list \
-R edgelesssys/constellation \
-w 'e2e Test GCP' \
--json databaseId \
-q '.[].databaseId'
)
echo "${LATEST_GCP_RUNS}" echo "${LATEST_GCP_RUNS}"
for RUN_ID in ${LATEST_GCP_RUNS} for RUN_ID in ${LATEST_GCP_RUNS}; do
do
# Might fail, because no state was written, because e2e pipeline failed early # Might fail, because no state was written, because e2e pipeline failed early
# Or, because state was downloaded by earlier run of this script # Or, because state was downloaded by earlier run of this script
gh run download "${RUN_ID}" -R edgelesssys/constellation -n constellation-state.json -D gcp/"${RUN_ID}" || true gh run download "${RUN_ID}" \
-R edgelesssys/constellation \
-n constellation-state.json \
-D gcp/"${RUN_ID}" || true
done done


@ -4,8 +4,7 @@ set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
TO_DELETE=$(grep -lr "\"uid\": \"${1}\"" . || true) TO_DELETE=$(grep -lr "\"uid\": \"${1}\"" . || true)
if [[ -z "${TO_DELETE}" ]] if [[ -z ${TO_DELETE} ]]; then
then
printf "Unable to find '%s'\n" "${1}" printf "Unable to find '%s'\n" "${1}"
else else
printf "Statefile found. You should run:\n\n" printf "Statefile found. You should run:\n\n"


@ -18,20 +18,17 @@ set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
# Required tools # Required tools
if ! command -v az &> /dev/null if ! command -v az &> /dev/null; then
then
echo "az CLI could not be found" echo "az CLI could not be found"
echo "Please instal it from: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli" echo "Please instal it from: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli"
exit exit
fi fi
if ! command -v azcopy &> /dev/null if ! command -v azcopy &> /dev/null; then
then
echo "azcopy could not be found" echo "azcopy could not be found"
echo "Please instal it from: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10" echo "Please instal it from: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10"
exit exit
fi fi
if ! command -v jq &> /dev/null if ! command -v jq &> /dev/null; then
then
echo "jq could not be found" echo "jq could not be found"
echo "Please instal it from: https://github.com/stedolan/jq" echo "Please instal it from: https://github.com/stedolan/jq"
exit exit
@ -47,17 +44,16 @@ AZURE_IMAGE_DEFINITION="${AZURE_IMAGE_DEFINITION:-constellation}"
AZURE_SKU="${AZURE_SKU:-constellation}" AZURE_SKU="${AZURE_SKU:-constellation}"
AZURE_SECURITY_TYPE="${AZURE_SECURITY_TYPE:-TrustedLaunch}" AZURE_SECURITY_TYPE="${AZURE_SECURITY_TYPE:-TrustedLaunch}"
if [[ -z "${AZURE_RESOURCE_GROUP_NAME}" ]]; then if [[ -z ${AZURE_RESOURCE_GROUP_NAME} ]]; then
echo "Please provide a value for AZURE_RESOURCE_GROUP_NAME." echo "Please provide a value for AZURE_RESOURCE_GROUP_NAME."
exit 1 exit 1
fi fi
if [[ -z "${AZURE_IMAGE_VERSION}" ]]; then if [[ -z ${AZURE_IMAGE_VERSION} ]]; then
echo "Please provide a value for AZURE_IMAGE_VERSION of pattern <major>.<minor>.<patch>" echo "Please provide a value for AZURE_IMAGE_VERSION of pattern <major>.<minor>.<patch>"
exit 1 exit 1
fi fi
echo "Using following settings:" echo "Using following settings:"
echo "AZURE_REGION=${AZURE_REGION}" echo "AZURE_REGION=${AZURE_REGION}"
echo "AZURE_RESOURCE_GROUP_NAME=${AZURE_RESOURCE_GROUP_NAME}" echo "AZURE_RESOURCE_GROUP_NAME=${AZURE_RESOURCE_GROUP_NAME}"
@ -74,9 +70,15 @@ echo ""
read -r -p "Continue (y/n)?" choice read -r -p "Continue (y/n)?" choice
case "${choice}" in case "${choice}" in
y|Y ) echo "Starting import...";; y | Y) echo "Starting import..." ;;
n|N ) echo "Abort!"; exit 1;; n | N)
* ) echo "invalid"; exit 1;; echo "Abort!"
exit 1
;;
*)
echo "invalid"
exit 1
;;
esac esac
echo "Preparing to upload '${AZURE_IMAGE_FILE} to Azure." echo "Preparing to upload '${AZURE_IMAGE_FILE} to Azure."
@ -97,20 +99,22 @@ az disk create \
echo "Waiting for disk to be created." echo "Waiting for disk to be created."
az disk wait --created -n "${AZURE_IMAGE_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" az disk wait --created -n "${AZURE_IMAGE_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
echo "Retrieving disk ID." echo "Retrieving disk ID."
AZURE_DISK_ID=$(az disk list \ AZURE_DISK_ID=$(
az disk list \
--query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" \ --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" \
--output json \ --output json |
| jq -r \ jq -r
) )
echo "Disk ID is ${AZURE_DISK_ID}" echo "Disk ID is ${AZURE_DISK_ID}"
echo "Generating SAS URL for authorized upload." echo "Generating SAS URL for authorized upload."
AZURE_SAS_URL=$(az disk grant-access \ AZURE_SAS_URL=$(
az disk grant-access \
-n "${AZURE_IMAGE_NAME}" \ -n "${AZURE_IMAGE_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}" \ -g "${AZURE_RESOURCE_GROUP_NAME}" \
--access-level Write \ --access-level Write \
--duration-in-seconds 86400 \ --duration-in-seconds 86400 |
| jq -r .accessSas \ jq -r .accessSas
) )
echo "Uploading image file to Azure disk." echo "Uploading image file to Azure disk."
azcopy copy "${AZURE_IMAGE_FILE}" "${AZURE_SAS_URL}" --blob-type PageBlob azcopy copy "${AZURE_IMAGE_FILE}" "${AZURE_SAS_URL}" --blob-type PageBlob
@ -143,9 +147,10 @@ az sig image-definition create \
--hyper-v-generation V2 \ --hyper-v-generation V2 \
--features SecurityType="${AZURE_SECURITY_TYPE}" --features SecurityType="${AZURE_SECURITY_TYPE}"
echo "Retrieving temporary image ID." echo "Retrieving temporary image ID."
AZURE_IMAGE_ID=$(az image list \ AZURE_IMAGE_ID=$(
az image list \
--query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" \ --query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" \
--output json | jq -r \ --output json | jq -r
) )
echo "Creating final image version." echo "Creating final image version."
@ -163,13 +168,14 @@ echo "Cleaning up ephemeral resources."
az image delete --ids "${AZURE_IMAGE_ID}" az image delete --ids "${AZURE_IMAGE_ID}"
az disk delete -y --ids "${AZURE_DISK_ID}" az disk delete -y --ids "${AZURE_DISK_ID}"
IMAGE_VERSION=$(az sig image-version show \ IMAGE_VERSION=$(
az sig image-version show \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \ --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
--gallery-name "${AZURE_GALLERY_NAME}" \ --gallery-name "${AZURE_GALLERY_NAME}" \
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \ --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
--gallery-image-version "${AZURE_IMAGE_VERSION}" \ --gallery-image-version "${AZURE_IMAGE_VERSION}" \
-o tsv \ -o tsv \
--query id \ --query id
) )
echo "Image ID is ${IMAGE_VERSION}" echo "Image ID is ${IMAGE_VERSION}"
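Review bot: The three tool checks at the top of this section (`if ! command -v az ...`, `azcopy`, `jq`) end in a bare `exit`, which returns the status of the preceding `echo`, i.e. 0, so a missing dependency terminates the script successfully and any caller treats the import as done; each should be `exit 1`. Less important: `[[ -z ${AZURE_RESOURCE_GROUP_NAME} ]]` runs under the `set -euo pipefail` shown in the hunk context, so unless the variable is defaulted earlier in the file (outside this hunk) an unset value aborts with an unset-variable error instead of the intended message; `${AZURE_RESOURCE_GROUP_NAME-}` makes the check self-contained. The `--query "[?name == '${AZURE_IMAGE_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] ..."` filters build a JMESPath expression from shell variables; that is acceptable for an operator tool reading its own environment, but a comment noting that the query is constructed from `AZURE_*` variables would flag it for anyone who later feeds it less trusted input.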


@ -12,21 +12,24 @@ pcr_extend() {
local CURRENT_PCR="$1" local CURRENT_PCR="$1"
local EXTEND_WITH="$2" local EXTEND_WITH="$2"
local HASH_FUNCTION="$3" local HASH_FUNCTION="$3"
( echo -n "${CURRENT_PCR}" | xxd -r -p ; echo -n "${EXTEND_WITH}" | xxd -r -p; ) | ${HASH_FUNCTION} | cut -d " " -f 1 (
echo -n "${CURRENT_PCR}" | xxd -r -p
echo -n "${EXTEND_WITH}" | xxd -r -p
) | ${HASH_FUNCTION} | cut -d " " -f 1
} }
extract () { extract() {
local image="$1" local image="$1"
local path="$2" local path="$2"
local output="$3" local output="$3"
sudo systemd-dissect --copy-from "${image}" "${path}" "${output}" sudo systemd-dissect --copy-from "${image}" "${path}" "${output}"
} }
mktempdir () { mktempdir() {
mktemp -d mktemp -d
} }
cleanup () { cleanup() {
local dir="$1" local dir="$1"
rm -rf "${dir}" rm -rf "${dir}"
} }
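Review bot: `cleanup()` runs `rm -rf "${dir}"` on its positional argument with no guard, so a caller passing an empty or never-assigned value hands `rm -rf` an empty path, and a value starting with `-` would be parsed as an option; `rm -rf -- "${dir:?}"` aborts on an empty value and stops option parsing. `pcr_extend` hashes the raw bytes of the current PCR value followed by the new digest, which mirrors how a PCR extend is defined; a header comment stating that, plus that `$1`/`$2` are hex strings and `$3` is a hash command name such as `sha256sum`, would help readers of the `measure_*` callers. `${HASH_FUNCTION}` is deliberately unquoted so a value containing arguments splits into words — worth a comment so the next quoting pass does not change it.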


@ -13,14 +13,14 @@ source "$(dirname "$0")/measure_util.sh"
ev_efi_action_sha256=3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba ev_efi_action_sha256=3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba
ev_efi_separator_sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 ev_efi_separator_sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
authentihash () { authentihash() {
local path="$1" local path="$1"
"$(dirname "$0")/extract_authentihash.py" "${path}" "$(dirname "$0")/extract_authentihash.py" "${path}"
} }
write_output () { write_output() {
local out="$1" local out="$1"
cat > "${out}" <<EOF cat > "${out}" << EOF
{ {
"pcr4": "${expected_pcr_4}", "pcr4": "${expected_pcr_4}",
"efistages": [ "efistages": [
@ -63,9 +63,9 @@ expected_pcr_4=$(pcr_extend "${expected_pcr_4}" "${sd_boot_authentihash}" "sha25
expected_pcr_4=$(pcr_extend "${expected_pcr_4}" "${uki_authentihash}" "sha256sum") expected_pcr_4=$(pcr_extend "${expected_pcr_4}" "${uki_authentihash}" "sha256sum")
echo "Authentihashes:" echo "Authentihashes:"
echo "Stage 1 shim: ${shim_authentihash}" echo "Stage 1 - shim: ${shim_authentihash}"
echo "Stage 2 sd-boot: ${sd_boot_authentihash}" echo "Stage 2 - sd-boot: ${sd_boot_authentihash}"
echo "Stage 3 Unified Kernel Image (UKI): ${uki_authentihash}" echo "Stage 3 - Unified Kernel Image (UKI): ${uki_authentihash}"
echo "" echo ""
echo "Expected PCR[4]: ${expected_pcr_4}" echo "Expected PCR[4]: ${expected_pcr_4}"
echo "" echo ""
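Review bot: The `echo "Stage 1 - shim: ..."`, `Stage 2 - sd-boot` and `Stage 3 - Unified Kernel Image (UKI)` lines change the script's output text, which is a behaviour change riding in a commit titled "format shellscripts"; it is harmless but would be easier to find later in its own commit or at least mentioned in the commit message. In `write_output`, the JSON is produced by expanding `${expected_pcr_4}` and the authentihash variables directly into an unquoted heredoc; they are digests produced by `pcr_extend`/`authentihash`, so no escaping is needed, and a comment `# values are hex digests, safe to interpolate into JSON` documents why the heredoc delimiter is unquoted. `write_output`'s body continues past the end of the first hunk.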


@ -13,13 +13,13 @@ set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
source "$(dirname "$0")/measure_util.sh" source "$(dirname "$0")/measure_util.sh"
get_cmdline_from_uki () { get_cmdline_from_uki() {
local uki="$1" local uki="$1"
local output="$2" local output="$2"
objcopy -O binary --only-section=.cmdline "${uki}" "${output}" objcopy -O binary --only-section=.cmdline "${uki}" "${output}"
} }
cmdline_measure () { cmdline_measure() {
local path="$1" local path="$1"
local tmp local tmp
tmp=$(mktemp) tmp=$(mktemp)
@ -30,9 +30,9 @@ cmdline_measure () {
rm "${tmp}" rm "${tmp}"
} }
write_output () { write_output() {
local out="$1" local out="$1"
cat > "${out}" <<EOF cat > "${out}" << EOF
{ {
"pcr8": "${expected_pcr_8}", "pcr8": "${expected_pcr_8}",
"cmdline": "${cmdline}" "cmdline": "${cmdline}"
@ -58,7 +58,7 @@ cleanup "${DIR}"
expected_pcr_8=0000000000000000000000000000000000000000000000000000000000000000 expected_pcr_8=0000000000000000000000000000000000000000000000000000000000000000
expected_pcr_8=$(pcr_extend "${expected_pcr_8}" "${cmdline_hash}" "sha256sum") expected_pcr_8=$(pcr_extend "${expected_pcr_8}" "${cmdline_hash}" "sha256sum")
if [[ "${CSP}" == "azure" ]]; then if [[ ${CSP} == "azure" ]]; then
# Azure displays the boot menu # Azure displays the boot menu
# triggering an extra measurement of the kernel command line. # triggering an extra measurement of the kernel command line.
expected_pcr_8=$(pcr_extend "${expected_pcr_8}" "${cmdline_hash}" "sha256sum") expected_pcr_8=$(pcr_extend "${expected_pcr_8}" "${cmdline_hash}" "sha256sum")


@ -12,21 +12,20 @@ shopt -s inherit_errexit
source "$(dirname "$0")/measure_util.sh" source "$(dirname "$0")/measure_util.sh"
get_initrd_from_uki () { get_initrd_from_uki() {
local uki="$1" local uki="$1"
local output="$2" local output="$2"
objcopy -O binary --only-section=.initrd "${uki}" "${output}" objcopy -O binary --only-section=.initrd "${uki}" "${output}"
} }
initrd_measure () { initrd_measure() {
local path="$1" local path="$1"
sha256sum "${path}" | cut -d " " -f 1 sha256sum "${path}" | cut -d " " -f 1
} }
write_output() {
write_output () {
local out="$1" local out="$1"
cat > "${out}" <<EOF cat > "${out}" << EOF
{ {
"pcr9": "${expected_pcr_9}", "pcr9": "${expected_pcr_9}",
"initrd": "${initrd_hash}" "initrd": "${initrd_hash}"


@ -5,25 +5,22 @@ set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
attempts=1 attempts=1
until [[ "${attempts}" -gt 5 ]] until [[ ${attempts} -gt 5 ]]; do
do
echo "obtaining goal state - attempt ${attempts}" echo "obtaining goal state - attempt ${attempts}"
goalstate=$(curl --fail -v -X 'GET' -H "x-ms-agent-name: azure-vm-register" \ goalstate=$(curl --fail -v -X 'GET' -H "x-ms-agent-name: azure-vm-register" \
-H "Content-Type: text/xml;charset=utf-8" \ -H "Content-Type: text/xml;charset=utf-8" \
-H "x-ms-version: 2012-11-30" \ -H "x-ms-version: 2012-11-30" \
"http://168.63.129.16/machine/?comp=goalstate") "http://168.63.129.16/machine/?comp=goalstate")
if [[ $? -eq 0 ]] if [[ $? -eq 0 ]]; then
then
echo "successfully retrieved goal state" echo "successfully retrieved goal state"
retrieved_goal_state=true retrieved_goal_state=true
break break
fi fi
sleep 5 sleep 5
attempts=$((attempts+1)) attempts=$((attempts + 1))
done done
if [[ "${retrieved_goal_state}" != "true" ]] if [[ ${retrieved_goal_state} != "true" ]]; then
then
echo "failed to obtain goal state - cannot register this VM" echo "failed to obtain goal state - cannot register this VM"
exit 1 exit 1
fi fi
@ -31,7 +28,8 @@ fi
container_id=$(grep ContainerId <<< "${goalstate}" | sed 's/\s*<\/*ContainerId>//g' | sed 's/\r$//') container_id=$(grep ContainerId <<< "${goalstate}" | sed 's/\s*<\/*ContainerId>//g' | sed 's/\r$//')
instance_id=$(grep InstanceId <<< "${goalstate}" | sed 's/\s*<\/*InstanceId>//g' | sed 's/\r$//') instance_id=$(grep InstanceId <<< "${goalstate}" | sed 's/\s*<\/*InstanceId>//g' | sed 's/\r$//')
ready_doc=$(cat << EOF ready_doc=$(
cat << EOF
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Health xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Health xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GoalStateIncarnation>1</GoalStateIncarnation> <GoalStateIncarnation>1</GoalStateIncarnation>
@ -51,16 +49,14 @@ EOF
) )
attempts=1 attempts=1
until [[ "${attempts}" -gt 5 ]] until [[ ${attempts} -gt 5 ]]; do
do
echo "registering with Azure - attempt ${attempts}" echo "registering with Azure - attempt ${attempts}"
curl --fail -v -X 'POST' -H "x-ms-agent-name: azure-vm-register" \ curl --fail -v -X 'POST' -H "x-ms-agent-name: azure-vm-register" \
-H "Content-Type: text/xml;charset=utf-8" \ -H "Content-Type: text/xml;charset=utf-8" \
-H "x-ms-version: 2012-11-30" \ -H "x-ms-version: 2012-11-30" \
-d "${ready_doc}" \ -d "${ready_doc}" \
"http://168.63.129.16/machine?comp=health" "http://168.63.129.16/machine?comp=health"
if [[ $? -eq 0 ]] if [[ $? -eq 0 ]]; then
then
echo "successfully register with Azure" echo "successfully register with Azure"
break break
fi fi
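Review bot: The retry loops never retry under the `set -euo pipefail` shown in this section's context: `goalstate=$(curl --fail ...)` is a plain assignment, so a non-zero curl status aborts the script before `if [[ $? -eq 0 ]]` is evaluated, and the same holds for the bare `curl --fail ... "http://168.63.129.16/machine?comp=health"` in the second loop. Fold the command into the test instead: `if goalstate=$(curl --fail -s -X GET ...); then` and `if curl --fail -s -X POST ...; then`. `retrieved_goal_state` is only assigned on success, so unless it is initialised before the loop (outside this hunk) the `[[ ${retrieved_goal_state} != "true" ]]` check trips `set -u` on the failure path; `retrieved_goal_state=false` before `attempts=1` is needed for that branch to print its message. `curl -v` also writes the full request/response trace to stderr on every attempt, which ends up in the boot log — consider `-sS` unless that trace is wanted.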


@ -11,8 +11,10 @@ depends() {
} }
install_and_enable_unit() { install_and_enable_unit() {
unit="$1"; shift unit="$1"
target="$1"; shift shift
target="$1"
shift
inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}" inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants" mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
ln_r "${systemdsystemunitdir}/${unit}" \ ln_r "${systemdsystemunitdir}/${unit}" \
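Review bot: `install_and_enable_unit()` assigns `unit` and `target` without `local`, so both leak into the global scope of the module-setup file that sources this function; the reformat split the `; shift` lines but kept the globals. `local unit target` as the first line of the function fixes it here and in the second copy of this function in the later section, whose neighbouring `install_path()` already uses `local dir="$1"` — the two copies should match. The `ln_r` call and the rest of the function body continue past the end of the hunk.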


@ -10,16 +10,14 @@ AWS_STATE_DISK_DEVICENAME="sdb"
AWS_STATE_DISK_SYMLINK="/dev/${AWS_STATE_DISK_DEVICENAME}" AWS_STATE_DISK_SYMLINK="/dev/${AWS_STATE_DISK_DEVICENAME}"
# hack: aws nvme udev rules are never executed. Create symlinks for the nvme devices manually. # hack: aws nvme udev rules are never executed. Create symlinks for the nvme devices manually.
while [[ ! -L "${AWS_STATE_DISK_SYMLINK}" ]] while [[ ! -L ${AWS_STATE_DISK_SYMLINK} ]]; do
do for nvmedisk in /dev/nvme*n1; do
for nvmedisk in /dev/nvme*n1
do
linkname=$(nvme amzn id-ctrl -b "${nvmedisk}" | tail -c +3072 | tr -d ' ') || true linkname=$(nvme amzn id-ctrl -b "${nvmedisk}" | tail -c +3072 | tr -d ' ') || true
if [[ -n "${linkname}" ]] && [[ "${linkname}" == "${AWS_STATE_DISK_DEVICENAME}" ]]; then if [[ -n ${linkname} ]] && [[ ${linkname} == "${AWS_STATE_DISK_DEVICENAME}" ]]; then
ln -s "${nvmedisk}" "${AWS_STATE_DISK_SYMLINK}" ln -s "${nvmedisk}" "${AWS_STATE_DISK_SYMLINK}"
fi fi
done done
if [[ -L "${AWS_STATE_DISK_SYMLINK}" ]]; then if [[ -L ${AWS_STATE_DISK_SYMLINK} ]]; then
break break
fi fi
echo "Waiting for state disk to appear.." echo "Waiting for state disk to appear.."


@ -9,8 +9,10 @@ depends() {
} }
install_and_enable_unit() { install_and_enable_unit() {
unit="$1"; shift unit="$1"
target="$1"; shift shift
target="$1"
shift
inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}" inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants" mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
ln_r "${systemdsystemunitdir}/${unit}" \ ln_r "${systemdsystemunitdir}/${unit}" \
@ -18,7 +20,8 @@ install_and_enable_unit() {
} }
install_path() { install_path() {
local dir="$1"; shift local dir="$1"
shift
mkdir -p "${initdir}/${dir}" mkdir -p "${initdir}/${dir}"
} }


@ -59,7 +59,7 @@ function get_namespace_device_name() {
return 1 return 1
fi fi
if [[ -z "${nvme_json}" ]]; then if [[ -z ${nvme_json} ]]; then
err "NVMe Vendor Extension disk information not present" err "NVMe Vendor Extension disk information not present"
return 1 return 1
fi fi
@ -68,7 +68,7 @@ function get_namespace_device_name() {
device_name="$(echo "${nvme_json}" | grep device_name | sed -e 's/.*"device_name":[ \t]*"\([a-zA-Z0-9_-]\+\)".*/\1/')" device_name="$(echo "${nvme_json}" | grep device_name | sed -e 's/.*"device_name":[ \t]*"\([a-zA-Z0-9_-]\+\)".*/\1/')"
# Error if our device name is empty # Error if our device name is empty
if [[ -z "${device_name}" ]]; then if [[ -z ${device_name} ]]; then
err "Empty name" err "Empty name"
return 1 return 1
fi fi
@ -91,7 +91,7 @@ function get_namespace_device_name() {
function get_namespace_number() { function get_namespace_number() {
local dev_path="$1" local dev_path="$1"
local namespace_number local namespace_number
if [[ "${dev_path}" =~ ${NAMESPACE_NUMBER_REGEX} ]]; then if [[ ${dev_path} =~ ${NAMESPACE_NUMBER_REGEX} ]]; then
namespace_number="${BASH_REMATCH[1]}" namespace_number="${BASH_REMATCH[1]}"
else else
return 1 return 1
@ -114,7 +114,7 @@ function get_namespace_number() {
function get_partition_number() { function get_partition_number() {
local dev_path="$1" local dev_path="$1"
local partition_number local partition_number
if [[ "${dev_path}" =~ ${PARTITION_NUMBER_REGEX} ]]; then if [[ ${dev_path} =~ ${PARTITION_NUMBER_REGEX} ]]; then
partition_number="${BASH_REMATCH[1]}" partition_number="${BASH_REMATCH[1]}"
echo "${partition_number}" echo "${partition_number}"
else else
@ -136,7 +136,7 @@ function gen_symlink() {
local partition_number local partition_number
partition_number="$(get_partition_number "${dev_path}")" partition_number="$(get_partition_number "${dev_path}")"
if [[ -n "${partition_number}" ]]; then if [[ -n ${partition_number} ]]; then
ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}"-part"${partition_number}" > /dev/null 2>&1 ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}"-part"${partition_number}" > /dev/null 2>&1
else else
ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}" > /dev/null 2>&1 ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}" > /dev/null 2>&1
@ -182,19 +182,21 @@ function main() {
while getopts :d:sh flag; do while getopts :d:sh flag; do
case "${flag}" in case "${flag}" in
d) device_path="${OPTARG}";; d) device_path="${OPTARG}" ;;
s) opt_gen_symlink='true';; s) opt_gen_symlink='true' ;;
h) print_help_message h)
print_help_message
return 0 return 0
;; ;;
:) echo "Invalid option: ${OPTARG} requires an argument" 1>&2 :)
echo "Invalid option: ${OPTARG} requires an argument" 1>&2
return 1 return 1
;; ;;
*) return 1 *) return 1 ;;
esac esac
done done
if [[ -z "${device_path}" ]]; then if [[ -z ${device_path} ]]; then
echo "Device path (-d) argument required. Use -h for full usage." 1>&2 echo "Device path (-d) argument required. Use -h for full usage." 1>&2
exit 1 exit 1
fi fi
@ -208,7 +210,7 @@ with sudo or install nvme-cli."
fi fi
# Ensure the passed device is actually an NVMe device # Ensure the passed device is actually an NVMe device
"${nvme_cli_bin}" id-ctrl "${device_path}" &>/dev/null "${nvme_cli_bin}" id-ctrl "${device_path}" &> /dev/null
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
err "Passed device was not an NVMe device. (You may need to run this \ err "Passed device was not an NVMe device. (You may need to run this \
script as root/with sudo)." script as root/with sudo)."
@ -218,7 +220,7 @@ script as root/with sudo)."
# Detect the type of attached nvme device # Detect the type of attached nvme device
local controller_id local controller_id
controller_id=$("${nvme_cli_bin}" id-ctrl "${device_path}") controller_id=$("${nvme_cli_bin}" id-ctrl "${device_path}")
if [[ ! "${controller_id}" =~ nvme_card-pd ]] ; then if [[ ! ${controller_id} =~ nvme_card-pd ]]; then
err "Device is not a PD-NVMe device" err "Device is not a PD-NVMe device"
return 1 return 1
fi fi
@ -231,7 +233,7 @@ script as root/with sudo)."
fi fi
# Gen symlinks or print out the globals set by the identify command # Gen symlinks or print out the globals set by the identify command
if [[ "${opt_gen_symlink}" == 'true' ]]; then if [[ ${opt_gen_symlink} == 'true' ]]; then
gen_symlink "${device_path}" gen_symlink "${device_path}"
else else
# These will be consumed by udev # These will be consumed by udev


@ -3,7 +3,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null # shellcheck source=/dev/null
. "${CONFIG_FILE}" . "${CONFIG_FILE}"
fi fi
@ -11,7 +11,7 @@ POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
-n|--name) -n | --name)
AZURE_VM_NAME="$2" AZURE_VM_NAME="$2"
shift # past argument shift # past argument
shift # past value shift # past value
@ -38,33 +38,32 @@ SUBNET=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].subnet.id')
VNET=${SUBNET//\/subnets\/.*/} VNET=${SUBNET//\/subnets\/.*/}
DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id') DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id')
delete_vm() {
delete_vm () {
az vm delete -y --name "${AZURE_VM_NAME}" \ az vm delete -y --name "${AZURE_VM_NAME}" \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true --resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
} }
delete_vnet () { delete_vnet() {
az network vnet delete --ids "${VNET}" || true az network vnet delete --ids "${VNET}" || true
} }
delete_subnet () { delete_subnet() {
az network vnet subnet delete --ids "${SUBNET}" || true az network vnet subnet delete --ids "${SUBNET}" || true
} }
delete_nsg () { delete_nsg() {
az network nsg delete --ids "${NSG}" || true az network nsg delete --ids "${NSG}" || true
} }
delete_pubip () { delete_pubip() {
az network public-ip delete --ids "${PUBIP}" || true az network public-ip delete --ids "${PUBIP}" || true
} }
delete_disk () { delete_disk() {
az disk delete -y --ids "${DISK}" || true az disk delete -y --ids "${DISK}" || true
} }
delete_nic () { delete_nic() {
az network nic delete --ids "${NIC}" || true az network nic delete --ids "${NIC}" || true
} }
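Review bot: The config guard in the first hunk can never be true: `[[ -z ${CONFIG_FILE-} ]]` requires the variable to be empty while `[[ -f ${CONFIG_FILE-} ]]` requires it to name an existing file, so the config is never sourced and the script silently runs without it. The intended test is presumably `if [[ -n ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then`; the identical guard opens five further file sections of this commit (the next two and the three later upload scripts) and needs the same fix. In the third hunk, `VNET=${SUBNET//\/subnets\/.*/}` uses glob syntax, not a regex, so `.*` matches a literal dot and the substitution is a no-op for any subnet whose name does not start with `.`; `VNET=${SUBNET%%/subnets/*}` strips the suffix as intended. The `delete_*` helpers all end in `|| true`, which is fine as deliberate best-effort cleanup but deserves a one-line comment saying so.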


@ -3,7 +3,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null # shellcheck source=/dev/null
. "${CONFIG_FILE}" . "${CONFIG_FILE}"
fi fi
@ -12,7 +12,7 @@ POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
-n|--name) -n | --name)
AZURE_VM_NAME="$2" AZURE_VM_NAME="$2"
shift # past argument shift # past argument
shift # past value shift # past value


@ -3,7 +3,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null # shellcheck source=/dev/null
. "${CONFIG_FILE}" . "${CONFIG_FILE}"
fi fi
@ -11,16 +11,16 @@ POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
-n|--name) -n | --name)
AZURE_VM_NAME="$2" AZURE_VM_NAME="$2"
shift # past argument shift # past argument
shift # past value shift # past value
;; ;;
-g|--gallery) -g | --gallery)
CREATE_FROM_GALLERY=YES CREATE_FROM_GALLERY=YES
shift # past argument shift # past argument
;; ;;
-d|--disk) -d | --disk)
CREATE_FROM_GALLERY=NO CREATE_FROM_GALLERY=NO
shift # past argument shift # past argument
;; ;;
@ -47,16 +47,16 @@ done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVM" ]]; then if [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
VMSIZE="Standard_DC2as_v5" VMSIZE="Standard_DC2as_v5"
elif [[ "${AZURE_SECURITY_TYPE}" == "TrustedLaunch" ]]; then elif [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
VMSIZE="standard_D2as_v5" VMSIZE="standard_D2as_v5"
else else
echo "Unknown security type: ${AZURE_SECURITY_TYPE}" echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
exit 1 exit 1
fi fi
create_vm_from_disk () { create_vm_from_disk() {
AZURE_DISK_REFERENCE=$(az disk show --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_DISK_NAME}" --query id -o tsv) AZURE_DISK_REFERENCE=$(az disk show --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_DISK_NAME}" --query id -o tsv)
az vm create --name "${AZURE_VM_NAME}" \ az vm create --name "${AZURE_VM_NAME}" \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \ --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
@ -73,7 +73,7 @@ create_vm_from_disk () {
--no-wait --no-wait
} }
create_vm_from_sig () { create_vm_from_sig() {
AZURE_IMAGE_REFERENCE=$(az sig image-version show \ AZURE_IMAGE_REFERENCE=$(az sig image-version show \
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \ --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
--gallery-image-version "${AZURE_IMAGE_VERSION}" \ --gallery-image-version "${AZURE_IMAGE_VERSION}" \
@ -94,7 +94,7 @@ create_vm_from_sig () {
--no-wait --no-wait
} }
if [[ "${CREATE_FROM_GALLERY}" = "YES" ]]; then if [[ ${CREATE_FROM_GALLERY} == "YES" ]]; then
create_vm_from_sig create_vm_from_sig
else else
create_vm_from_disk create_vm_from_disk
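Review bot: The unknown-security-type diagnostic in the third hunk is written to stdout before `exit 1`; as an error message it belongs on stderr so callers capturing output do not pick it up: `echo "Unknown security type: ${AZURE_SECURITY_TYPE}" >&2`. `CREATE_FROM_GALLERY` is tested in the last hunk but, within the visible code, only assigned by the `-g`/`-d` arms, so under `set -u` a run without either flag aborts with an unbound-variable error rather than a usage message unless a default is set outside the hunks; `CREATE_FROM_GALLERY=${CREATE_FROM_GALLERY-NO}` before the option loop would make the fallback explicit.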


@ -6,15 +6,15 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
BASE_DIR=$(realpath "${SCRIPT_DIR}/..") BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
# Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup # Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup
if [[ -z "${LIBVIRT_SOCK}" ]]; then if [[ -z ${LIBVIRT_SOCK} ]]; then
LIBVIRT_SOCK=qemu:///system LIBVIRT_SOCK=qemu:///system
fi fi
libvirt_nvram_gen () { libvirt_nvram_gen() {
local image_path="${1}" local image_path="${1}"
if test -f "${BASE_DIR}/image.nvram.template"; then if test -f "${BASE_DIR}/image.nvram.template"; then
echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)" echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
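Review bot: `[[ -z ${LIBVIRT_SOCK} ]]` aborts under `set -u` with an unbound-variable error when `LIBVIRT_SOCK` is not exported, so the documented fallback to `qemu:///system` is only reached when the variable is set to an empty string. Use `${LIBVIRT_SOCK-}` in the test, or replace the whole block with `LIBVIRT_SOCK=${LIBVIRT_SOCK:-qemu:///system}`. `libvirt_nvram_gen` continues past the end of the hunk.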


@ -12,22 +12,21 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
TEMPLATES=${SCRIPT_DIR}/templates TEMPLATES=${SCRIPT_DIR}/templates
BASE_DIR=$(realpath "${SCRIPT_DIR}/..") BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
if [[ -z "${PKI}" ]]; then if [[ -z ${PKI} ]]; then
PKI=${BASE_DIR}/pki PKI=${BASE_DIR}/pki
fi fi
if [[ -z "${PKI_SET}" ]]; then if [[ -z ${PKI_SET} ]]; then
PKI_SET=dev PKI_SET=dev
fi fi
gen_pki () { gen_pki() {
# Only use for non-production images. # Only use for non-production images.
# Use real PKI for production images instead. # Use real PKI for production images instead.
count=$(find "${PKI}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2>/dev/null | wc -l) count=$(find "${PKI}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2> /dev/null | wc -l)
if [[ "${count}" != 0 ]] if [[ ${count} != 0 ]]; then
then
echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${PKI}")"/*.{key,crt,cer,esl,auth})" already exist echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${PKI}")"/*.{key,crt,cer,esl,auth})" already exist
return return
fi fi
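Review bot: `[[ -z ${PKI} ]]` and `[[ -z ${PKI_SET} ]]` abort under `set -u` when the variables are unset, so the defaults `${BASE_DIR}/pki` and `dev` are only applied when the variables are exported empty; write them as `PKI=${PKI:-${BASE_DIR}/pki}` and `PKI_SET=${PKI_SET:-dev}`. Inside `gen_pki`, `count` is assigned without `local` and therefore leaks into the global scope; `local count` on the line before keeps it function-scoped. `gen_pki` continues past the end of the hunk.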


@ -8,8 +8,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if (( $# != 1 )) if (($# != 1)); then
then
echo "Usage: $0 <image.raw>" echo "Usage: $0 <image.raw>"
exit 1 exit 1
fi fi
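Review bot: The usage message printed before `exit 1` goes to stdout, where a caller capturing the script's output would receive it as data; usage errors belong on stderr: `echo "Usage: $0 <image.raw>" >&2`.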


@ -8,14 +8,13 @@ shopt -s inherit_errexit
# Show progress on pipes if `pv` is installed # Show progress on pipes if `pv` is installed
# Otherwise use plain cat # Otherwise use plain cat
if ! command -v pv &> /dev/null if ! command -v pv &> /dev/null; then
then
PV="cat" PV="cat"
else else
PV="pv" PV="pv"
fi fi
pack () { pack() {
local cloudprovider=$1 local cloudprovider=$1
local unpacked_image=$2 local unpacked_image=$2
local packed_image=$3 local packed_image=$3


@ -6,7 +6,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null # shellcheck source=/dev/null
. "${CONFIG_FILE}" . "${CONFIG_FILE}"
fi fi
@ -88,7 +88,7 @@ tag_ami_with_backing_snapshot() {
make_ami_public() { make_ami_public() {
local ami_id=$1 local ami_id=$1
local region=$2 local region=$2
if [ "${AWS_PUBLISH-}" != "true" ]; then if [[ ${AWS_PUBLISH-} != "true" ]]; then
return return
fi fi
aws ec2 modify-image-attribute \ aws ec2 modify-image-attribute \
@ -117,7 +117,8 @@ create_ami_from_raw_disk() {
echo "Deleting raw disk image from S3" echo "Deleting raw disk image from S3"
aws s3 rm "s3://${AWS_BUCKET}/${AWS_IMAGE_FILENAME}" aws s3 rm "s3://${AWS_BUCKET}/${AWS_IMAGE_FILENAME}"
rm "${CONTAINERS_JSON}" rm "${CONTAINERS_JSON}"
REGISTER_OUT=$(aws ec2 register-image \ REGISTER_OUT=$(
aws ec2 register-image \
--region "${AWS_REGION}" \ --region "${AWS_REGION}" \
--name "${AWS_IMAGE_NAME}" \ --name "${AWS_IMAGE_NAME}" \
--boot-mode uefi \ --boot-mode uefi \
@ -126,10 +127,10 @@ create_ami_from_raw_disk() {
--block-device-mappings "DeviceName=/dev/xvda,Ebs={SnapshotId=${AWS_SNAPSHOT}}" \ --block-device-mappings "DeviceName=/dev/xvda,Ebs={SnapshotId=${AWS_SNAPSHOT}}" \
--ena-support \ --ena-support \
--tpm-support v2.0 \ --tpm-support v2.0 \
--uefi-data "$(cat "${AWS_EFIVARS_PATH}")" \ --uefi-data "$(cat "${AWS_EFIVARS_PATH}")"
) )
IMAGE_ID=$(echo "${REGISTER_OUT}" | jq -r '.ImageId') IMAGE_ID=$(echo "${REGISTER_OUT}" | jq -r '.ImageId')
AMI_FOR_REGION=( ["${AWS_REGION}"]="${IMAGE_ID}") AMI_FOR_REGION=(["${AWS_REGION}"]="${IMAGE_ID}")
tag_ami_with_backing_snapshot "${IMAGE_ID}" "${AWS_REGION}" tag_ami_with_backing_snapshot "${IMAGE_ID}" "${AWS_REGION}"
make_ami_public "${IMAGE_ID}" "${AWS_REGION}" make_ami_public "${IMAGE_ID}" "${AWS_REGION}"
echo "Imported initial AMI as ${IMAGE_ID} in ${AWS_REGION}" echo "Imported initial AMI as ${IMAGE_ID} in ${AWS_REGION}"
@ -149,8 +150,6 @@ replicate_ami() {
echo "Replicated AMI as ${replicated_image_id} in ${target_region}" echo "Replicated AMI as ${replicated_image_id} in ${target_region}"
} }
create_ami_from_raw_disk create_ami_from_raw_disk
# replicate in parallel # replicate in parallel
for region in ${AWS_REPLICATION_REGIONS}; do for region in ${AWS_REPLICATION_REGIONS}; do
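Review bot: `AMI_FOR_REGION=(["${AWS_REGION}"]="${IMAGE_ID}")` in the third hunk only behaves as a region-to-AMI map if `AMI_FOR_REGION` was declared with `declare -A` earlier in the file, outside the hunk; without that declaration bash treats the region string as an arithmetic index and a later lookup by region would not find the AMI. If the declaration is absent, add `declare -A AMI_FOR_REGION` at global scope, and consider writing the assignment as `AMI_FOR_REGION["${AWS_REGION}"]="${IMAGE_ID}"` so the function adds an entry instead of resetting the whole array. `create_ami_from_raw_disk` starts before the second hunk.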


@ -6,18 +6,17 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null # shellcheck source=/dev/null
. "${CONFIG_FILE}" . "${CONFIG_FILE}"
fi fi
CREATE_SIG_VERSION=NO CREATE_SIG_VERSION=NO
POSITIONAL_ARGS=() POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
-g|--gallery) -g | --gallery)
CREATE_SIG_VERSION=YES CREATE_SIG_VERSION=YES
shift # past argument shift # past argument
;; ;;
@ -39,12 +38,12 @@ done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVM" ]]; then if [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
AZURE_DISK_SECURITY_TYPE=ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey AZURE_DISK_SECURITY_TYPE=ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey
AZURE_SIG_VERSION_ENCRYPTION_TYPE=EncryptedVMGuestStateOnlyWithPmk AZURE_SIG_VERSION_ENCRYPTION_TYPE=EncryptedVMGuestStateOnlyWithPmk
elif [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]]; then elif [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVMSupported" ]]; then
AZURE_DISK_SECURITY_TYPE="" AZURE_DISK_SECURITY_TYPE=""
elif [[ "${AZURE_SECURITY_TYPE}" == "TrustedLaunch" ]]; then elif [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
AZURE_DISK_SECURITY_TYPE=TrustedLaunch AZURE_DISK_SECURITY_TYPE=TrustedLaunch
else else
echo "Unknown security type: ${AZURE_SECURITY_TYPE}" echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
@ -52,7 +51,7 @@ else
fi fi
AZURE_CVM_ENCRYPTION_ARGS="" AZURE_CVM_ENCRYPTION_ARGS=""
if [[ -n "${AZURE_SIG_VERSION_ENCRYPTION_TYPE-}" ]]; then if [[ -n ${AZURE_SIG_VERSION_ENCRYPTION_TYPE-} ]]; then
AZURE_CVM_ENCRYPTION_ARGS=" --target-region-cvm-encryption " AZURE_CVM_ENCRYPTION_ARGS=" --target-region-cvm-encryption "
for _ in ${AZURE_REPLICATION_REGIONS}; do for _ in ${AZURE_REPLICATION_REGIONS}; do
AZURE_CVM_ENCRYPTION_ARGS=" ${AZURE_CVM_ENCRYPTION_ARGS} ${AZURE_SIG_VERSION_ENCRYPTION_TYPE}, " AZURE_CVM_ENCRYPTION_ARGS=" ${AZURE_CVM_ENCRYPTION_ARGS} ${AZURE_SIG_VERSION_ENCRYPTION_TYPE}, "
@ -61,17 +60,17 @@ fi
echo "Replicating image in ${AZURE_REPLICATION_REGIONS}" echo "Replicating image in ${AZURE_REPLICATION_REGIONS}"
AZURE_VMGS_PATH=$1 AZURE_VMGS_PATH=$1
if [[ -z "${AZURE_VMGS_PATH}" ]] && [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVM" ]]; then if [[ -z ${AZURE_VMGS_PATH} ]] && [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
echo "No VMGS path provided - using default ConfidentialVM VMGS" echo "No VMGS path provided - using default ConfidentialVM VMGS"
AZURE_VMGS_PATH="${BLOBS_DIR}/cvm-vmgs.vhd" AZURE_VMGS_PATH="${BLOBS_DIR}/cvm-vmgs.vhd"
elif [[ -z "${AZURE_VMGS_PATH}" ]] && [[ "${AZURE_SECURITY_TYPE}" == "TrustedLaunch" ]]; then elif [[ -z ${AZURE_VMGS_PATH} ]] && [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
echo "No VMGS path provided - using default TrsutedLaunch VMGS" echo "No VMGS path provided - using default TrsutedLaunch VMGS"
AZURE_VMGS_PATH="${BLOBS_DIR}/trusted-launch-vmgs.vhd" AZURE_VMGS_PATH="${BLOBS_DIR}/trusted-launch-vmgs.vhd"
fi fi
SIZE=$(wc -c "${AZURE_IMAGE_PATH}" | cut -d " " -f1) SIZE=$(wc -c "${AZURE_IMAGE_PATH}" | cut -d " " -f1)
create_disk_with_vmgs () { create_disk_with_vmgs() {
az disk create \ az disk create \
-n "${AZURE_DISK_NAME}" \ -n "${AZURE_DISK_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}" \ -g "${AZURE_RESOURCE_GROUP_NAME}" \
@ -90,7 +89,7 @@ create_disk_with_vmgs () {
azcopy copy "${AZURE_IMAGE_PATH}" \ azcopy copy "${AZURE_IMAGE_PATH}" \
"$(echo "${DISK_SAS}" | jq -r .accessSas)" \ "$(echo "${DISK_SAS}" | jq -r .accessSas)" \
--blob-type PageBlob --blob-type PageBlob
if [[ -z "${AZURE_VMGS_PATH}" ]]; then if [[ -z ${AZURE_VMGS_PATH} ]]; then
echo "No VMGS path provided - skipping VMGS upload" echo "No VMGS path provided - skipping VMGS upload"
else else
azcopy copy "${AZURE_VMGS_PATH}" \ azcopy copy "${AZURE_VMGS_PATH}" \
@ -100,7 +99,7 @@ create_disk_with_vmgs () {
az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
} }
create_disk_without_vmgs () { create_disk_without_vmgs() {
az disk create \ az disk create \
-n "${AZURE_DISK_NAME}" \ -n "${AZURE_DISK_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}" \ -g "${AZURE_RESOURCE_GROUP_NAME}" \
@ -120,20 +119,20 @@ create_disk_without_vmgs () {
az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" az disk revoke-access -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
} }
create_disk () { create_disk() {
if [[ -z "${AZURE_VMGS_PATH}" ]]; then if [[ -z ${AZURE_VMGS_PATH} ]]; then
create_disk_without_vmgs create_disk_without_vmgs
else else
create_disk_with_vmgs create_disk_with_vmgs
fi fi
} }
delete_disk () { delete_disk() {
az disk delete -y -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" az disk delete -y -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
} }
create_image () { create_image() {
if [[ -n "${AZURE_VMGS_PATH}" ]]; then if [[ -n ${AZURE_VMGS_PATH} ]]; then
return return
fi fi
az image create \ az image create \
@ -145,15 +144,15 @@ create_image () {
--source "$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)" --source "$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
} }
delete_image () { delete_image() {
if [[ -n "${AZURE_VMGS_PATH}" ]]; then if [[ -n ${AZURE_VMGS_PATH} ]]; then
return return
fi fi
az image delete -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}" az image delete -n "${AZURE_DISK_NAME}" -g "${AZURE_RESOURCE_GROUP_NAME}"
} }
create_sig_version () { create_sig_version() {
if [[ -n "${AZURE_VMGS_PATH}" ]]; then if [[ -n ${AZURE_VMGS_PATH} ]]; then
local DISK local DISK
DISK="$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)" DISK="$(az disk list --query "[?name == '${AZURE_DISK_NAME}' && resourceGroup == '${AZURE_RESOURCE_GROUP_NAME^^}'] | [0].id" --output tsv)"
local SOURCE="--os-snapshot ${DISK}" local SOURCE="--os-snapshot ${DISK}"
@ -190,7 +189,7 @@ create_sig_version () {
create_disk create_disk
if [[ "${CREATE_SIG_VERSION}" = "YES" ]]; then if [[ ${CREATE_SIG_VERSION} == "YES" ]]; then
create_image create_image
create_sig_version create_sig_version
delete_image delete_image
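Review bot: `AZURE_VMGS_PATH=$1` in the fourth hunk aborts under `set -u` with an unbound-variable error when the script is invoked without an argument, yet the `-z` checks on the following lines show the path is meant to be optional; `AZURE_VMGS_PATH=${1-}` lets those defaults actually apply. The message two lines below misspells the security type as `TrsutedLaunch`; the string is user-facing and should read `TrustedLaunch`. In `create_sig_version`, `local SOURCE="--os-snapshot ${DISK}"` builds an option and its argument as one string, which only works if it is later expanded unquoted; an array (`local -a SOURCE=(--os-snapshot "${DISK}")`) avoids depending on word-splitting. `create_sig_version` continues past the end of its hunk.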


@ -6,7 +6,7 @@
set -euo pipefail set -euo pipefail
shopt -s inherit_errexit shopt -s inherit_errexit
if [[ -z "${CONFIG_FILE-}" ]] && [[ -f "${CONFIG_FILE-}" ]]; then if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null # shellcheck source=/dev/null
. "${CONFIG_FILE}" . "${CONFIG_FILE}"
fi fi