From 1a141c39728c88d9a5c8b36ab453cf055e3968dc Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:04:41 +0200
Subject: [PATCH] image: add rpm database as build output (#2442)

For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format. For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact. We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).

---
 .github/workflows/build-os-image.yml | 36 ++++++++++++++++++++++++++++
 image/base/BUILD.bazel | 26 ++++++++++++++++++++
 image/base/mkosi.conf | 4 ----
 image/base/mkosi.postinst | 8 +++++++
 image/initrd/mkosi.conf | 2 --
 image/system/BUILD.bazel | 2 +-
 image/system/mkosi.conf | 2 --
 7 files changed, 71 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 8bbdeafe6..38b0105c6 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -172,6 +172,7 @@ jobs:
 bazel build "${TARGET}"
 {
 echo "image-dir=$(bazel cquery --output=files "$TARGET")"
+ echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
 } | tee -a "$GITHUB_OUTPUT"
 echo "::endgroup::"
 
@@ -190,6 +191,12 @@ jobs:
 ${{ steps.build.outputs.image-dir }}/constellation.initrd
 ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
 
+ - name: Upload sbom info as artifact
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
+ path: ${{ steps.build.outputs.rpmdb }}
+
 upload-os-image:
 name: "Upload OS image to CSP"
 needs: [build-settings, make-os-image]
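Review bot: The new `rpmdb=` output line only resolves the output path of `//image/base:rpmdb` with `bazel cquery`; it does not build it, and the `bazel build "${TARGET}"` above it builds that `pkg_tar` only if the selected image target depends on it. From the rest of this patch the system image depends on `//image/base:image.tar`, not on `:rpmdb`, and `:rpmdb` is tagged `manual`, so unless TARGET pulls it in elsewhere the later upload-artifact step will fail on a missing `rpmdb.tar`. Building it explicitly avoids the ambiguity: `bazel build "${TARGET}" //image/base:rpmdb`. The build step starts and ends outside the hunk.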
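Review bot: The artifact name `sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}` is consumed as the hard-coded string `sbom-qemu-qemu-vtpm` by the new upload-sbom job later in this patch, so a change to either matrix key silently breaks that job with a download error rather than a build error. A comment on the `name:` line would make the coupling visible, e.g. `# must stay in sync with the download in the upload-sbom job`. It is also worth stating in a comment that the artifact is a raw rpm database plus package manifest, not an SBOM in a standard format, since the name suggests otherwise.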
@@ -616,6 +623,35 @@ jobs:
 --signature measurements.json.sig
 echo "::endgroup::"
 
+ upload-sbom:
+ name: "Upload SBOM"
+ needs: [build-settings, make-os-image]
+ permissions:
+ id-token: write
+ contents: read
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Login to AWS
+ uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ with:
+ role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
+ aws-region: eu-central-1
+
+ - name: Download sbom
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ # downloading / using only the QEMU manifest is fine
+ # since the images only differ in the ESP partition
+ name: sbom-qemu-qemu-vtpm
+
+ - name: Upload SBOMs to S3
+ shell: bash
+ run: |
+ aws s3 cp \
+ rpmdb.tar \
+ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
+ --no-progress
+
 upload-artifacts:
 name: "Upload image lookup table and CLI compatibility info"
 runs-on: ubuntu-22.04
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 20155ca04..b226f472d 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -1,5 +1,6 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
 load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 
 copy_to_directory(
@@ -40,6 +41,11 @@ mkosi_image(
 outs = [
 "image",
 "image.tar",
+ "image-.rpm.lock",
+ "image-packagemanifest",
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
 ],
 extra_trees = [
 "//image:sysroot_tar",
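Review bot: `${file}` in the S3 destination of the "Upload SBOMs to S3" step is never assigned in that script, so bash expands it to an empty string and the key collapses to the directory prefix; the upload only lands under the intended name because `aws s3 cp` appends the source filename to a trailing slash. Name the object explicitly: `"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/rpmdb.tar"`. As a hardening point, `imageApiBasePath` is interpolated straight into the shell command; passing it via `env:` (`BASE_PATH: ${{ needs.build-settings.outputs.imageApiBasePath }}`) and using `"$BASE_PATH"` keeps workflow expressions out of the script body, which is the recommended pattern even for values produced by an upstream job of the same workflow. The job is also granted `id-token: write` and `contents: read` only, which is the right minimum for the OIDC login it performs.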
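Review bot: `image-rpmdb.sqlite-shm` and `image-rpmdb.sqlite-wal` are SQLite write-ahead-log side files, declared here as build outputs, copied verbatim by the new lines in `image/base/mkosi.postinst` and re-packed by the `pkg_tar` added below. The `-shm` file is a memory-mapped WAL index with no stable on-disk content and the `-wal` holds frames not yet checkpointed into `rpmdb.sqlite`, so the artifact bytes depend on when the last rpm transaction ran, which works against the reproducibility goal stated in the commit message; conversely, if a future rpm or mkosi checkpoints and closes the database cleanly the two files may not exist and the `cp` in mkosi.postinst fails. Checkpointing before the copy (for example `sqlite3 "${BUILDROOT}/var/lib/rpm/rpmdb.sqlite" 'PRAGMA wal_checkpoint(TRUNCATE);'` in mkosi.postinst, if the sqlite3 CLI is available in the build environment) would leave a single self-contained `rpmdb.sqlite` and let these two outputs be dropped. If the side files are kept, a comment here saying why the WAL is exported uncheckpointed would help the next reader.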
@@ -58,3 +64,23 @@ mkosi_image(
 ],
 visibility = ["//visibility:public"],
 )
+
+pkg_tar(
+ name = "rpmdb",
+ srcs = [
+ "image-.rpm.lock",
+ "image-packagemanifest",
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
+ ],
+ remap_paths = {
+ "/image-.rpm.lock": "/var/lib/rpm/.rpm.lock",
+ "/image-packagemanifest": "/usr/share/constellation/packagemanifest",
+ "/image-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
+ "/image-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
+ "/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
+ },
+ tags = ["manual"],
+ visibility = ["//visibility:public"],
+)
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 3f041eac2..8d0049326 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -61,10 +61,6 @@ Packages=passwd
 RemoveFiles=/var/log
 RemoveFiles=/var/cache
 RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
- /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
 /var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
 RemoveFiles=/etc/issue
 RemoveFiles=/etc/issue.net
-CleanPackageMetadata=true
diff --git a/image/base/mkosi.postinst b/image/base/mkosi.postinst
index 99a2ec0bc..9e02d6c32 100755
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
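Review bot: The last `remap_paths` entry maps `/image-rpmdb.sqlite-wal` to `/var/lib/rpm/image-rpmdb.sqlite-wal`, keeping the `image-` prefix that every other entry strips. SQLite only pairs a write-ahead log with its database when the file is named `<db>-wal`, so anyone who unpacks `rpmdb.tar` and opens `rpmdb.sqlite` will not see the frames still sitting in the WAL, and the package set read from the artifact can differ from the manifest packed next to it. Change it to `"/image-rpmdb.sqlite-wal": "/var/lib/rpm/rpmdb.sqlite-wal",`.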
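Review bot: Dropping `CleanPackageMetadata=true` and the `transaction_history.sqlite*` removal from the base image is presumably what lets the new `mkosi.postinst` read `/var/lib/rpm` after installation, but nothing in the file records that, and `image/system/mkosi.conf` (last hunk of this patch) still carries both, which is what actually strips the database from the shipped image. A comment at the spot of the removed lines, such as `# rpm database and dnf history are kept on purpose: mkosi.postinst exports them, image/system/mkosi.conf removes them`, would keep someone from re-adding the option here for consistency with the initrd and system configs.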
@@ -7,3 +7,11 @@ mkdir -p "${BUILDROOT}"/etc/{cni,kubernetes}
 # move issue files away from /etc
 # to allow /run/issue and /run/issue.d to take precedence
 mv "${BUILDROOT}/etc/issue.d" "${BUILDROOT}/usr/lib/issue.d" || true
+
+# generate reproducible package manifest
+mkdir -p "${BUILDROOT}/usr/share/constellation"
+rpm -qa --qf '%{name};%{version};%{license}\n' --dbpath "${BUILDROOT}/var/lib/rpm/" | LC_ALL=C sort | tee "${BUILDROOT}/usr/share/constellation/packagemanifest"
+cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"
+
+# copy rpmdb to outputs
+cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
diff --git a/image/initrd/mkosi.conf b/image/initrd/mkosi.conf
index 173691555..9c32e11ad 100644
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
@@ -36,6 +36,4 @@ RemoveFiles=/var/cache
 RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
 /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
 /var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
 CleanPackageMetadata=true
diff --git a/image/system/BUILD.bazel b/image/system/BUILD.bazel
index a1be95698..ddc7ae621 100644
--- a/image/system/BUILD.bazel
+++ b/image/system/BUILD.bazel
@@ -15,7 +15,7 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
 stream,
 ),
 base_trees = [
- "//image/base",
+ "//image/base:image.tar",
 ],
 extra_trees = constellation_packages(stream),
 initrds = [
diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf
index c45f0cc23..f49c9ebd8 100644
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@@ -19,6 +19,4 @@ RemoveFiles=/var/cache
 RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
 /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
 /var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
 CleanPackageMetadata=true
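Review bot: The manifest format `%{name};%{version};%{license}` drops release, epoch and architecture, so two images built from different package builds of the same upstream version (a security rebuild with only a bumped release, for instance) produce byte-identical manifests, and the file cannot be matched against advisories, which is the supply-chain purpose the commit message gives. Recording the full identity is a one-line change, e.g. `--qf '%{name};%{evr};%{arch};%{license}\n'`, best done now before any consumer depends on the three-column layout. Separately, the exit status of the `rpm … | LC_ALL=C sort | tee …` pipeline is that of `tee`, so a failing `rpm` query leaves an empty manifest and the build goes on unless the script header (outside this hunk) sets `pipefail`; if it does not, `set -o pipefail` before this block, or checking the file is non-empty afterwards, turns that into a build error.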