diff --git a/.github/actions/build_debugd/action.yml b/.github/actions/build_debugd/action.yml
deleted file mode 100644
index 31492aad8..000000000
--- a/.github/actions/build_debugd/action.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Build debugd
-description: Build the Constellation debugd binary
-
-inputs:
- outputPath:
- description: "Output path of the binary"
- default: "./build/debugd"
- required: true
-
-# Linux runner only (homedir trick does not work on macOS, required for private runner)
-runs:
- using: "composite"
- steps:
- - name: Build debugd
- shell: bash
- env:
- OUTPUT_PATH: ${{ inputs.outputPath }}
- run: |
- echo "::group::Build debugd"
- mkdir -p "$(dirname "${OUTPUT_PATH}")"
- label=//debugd/cmd/debugd:debugd_linux_amd64
- bazel build "${label}"
- repository_root=$(git rev-parse --show-toplevel)
- out_rel=$(bazel cquery --output=files "${label}")
- out_loc="$(realpath "${repository_root}/${out_rel}")"
- cp "${out_loc}" "${OUTPUT_PATH}"
- chmod +w "${OUTPUT_PATH}"
- echo "::endgroup::"
diff --git a/.github/actions/build_disk_mapper/action.yml b/.github/actions/build_disk_mapper/action.yml
deleted file mode 100644
index 12c51a38a..000000000
--- a/.github/actions/build_disk_mapper/action.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Build disk-mapper
-description: Build the Constellation disk-mapper binary
-
-inputs:
- outputPath:
- description: "Output path of the binary"
- default: "./build/disk-mapper"
- required: true
-
-# Linux runner only (Docker required)
-runs:
- using: "composite"
- steps:
- - name: Build the disk-mapper
- shell: bash
- env:
- OUTPUT_PATH: ${{ inputs.outputPath }}
- run: |
- echo "::group::Build the disk-mapper"
- mkdir -p "$(dirname "${OUTPUT_PATH}")"
- label="//disk-mapper/cmd:disk-mapper_linux_amd64"
- bazel build "${label}"
- repository_root=$(git rev-parse --show-toplevel)
- out_rel=$(bazel cquery --output=files "${label}")
- out_loc="$(realpath "${repository_root}/${out_rel}")"
- cp "${out_loc}" "${OUTPUT_PATH}"
- chmod +w "${OUTPUT_PATH}"
- echo "::endgroup::"
diff --git a/.github/actions/build_measurement_reader/action.yml b/.github/actions/build_measurement_reader/action.yml
deleted file mode 100644
index bec75e762..000000000
--- a/.github/actions/build_measurement_reader/action.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Build measurement-reader
-description: Build the Constellation measurement-reader binary
-
-inputs:
- outputPath:
- description: "Output path of the binary"
- default: "./build/measurement-reader"
- required: true
-
-# Linux runner only (Docker required)
-runs:
- using: "composite"
- steps:
- - name: Build the measurement-reader
- shell: bash
- env:
- OUTPUT_PATH: ${{ inputs.outputPath }}
- run: |
- echo "::group::Build the measurement-reader"
- mkdir -p "$(dirname "${OUTPUT_PATH}")"
- label="//measurement-reader/cmd:measurement-reader_linux_amd64"
- bazel build "${label}"
- repository_root=$(git rev-parse --show-toplevel)
- out_rel=$(bazel cquery --output=files "${label}")
- out_loc="$(realpath "${repository_root}/${out_rel}")"
- cp "${out_loc}" "${OUTPUT_PATH}"
- chmod +w "${OUTPUT_PATH}"
- echo "::endgroup::"
diff --git a/.github/actions/setup_mkosi/action.yaml b/.github/actions/setup_mkosi/action.yaml
deleted file mode 100644
index cb6ee1b7e..000000000
--- a/.github/actions/setup_mkosi/action.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-name: Setup mkosi
-description: Install mkosi and all its dependencies
-inputs:
- version:
- description: "Version (commit hash) of mkosi to install."
- required: true
- systemdVersion:
- description: "Version (commit hash) of systemd to install."
- required: true
-runs:
- using: composite
- steps:
- - name: Dependencies
- shell: bash
- run: |
- echo "::group::Dependencies"
- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
- sudo apt-get update
- sudo apt-get install --assume-yes --no-install-recommends \
- bubblewrap \
- dnf \
- e2fsprogs \
- libfdisk-dev \
- mtools \
- ovmf \
- python3-pefile \
- python3-pyelftools \
- python3-setuptools \
- qemu-system-x86 \
- squashfs-tools \
- systemd-container
- echo "::endgroup::"
-
- - name: Checkout systemd
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- with:
- repository: systemd/systemd
- path: ${{ github.action_path }}/systemd
- ref: ${{ inputs.systemdVersion }}
-
- - name: Update systemd tools
- shell: bash
- working-directory: ${{ github.action_path }}
- run: |
- echo "::group::Update systemd tools"
- sudo apt-get build-dep systemd
- meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
-
- BINARIES=(
- bootctl
- systemctl
- systemd-analyze
- systemd-dissect
- systemd-nspawn
- systemd-repart
- ukify
- )
-
- ninja -C systemd/build ${BINARIES[@]}
- for BINARY in "${BINARIES[@]}"; do
- sudo ln -svf $PWD/systemd/build/$BINARY /usr/bin/$BINARY
- done
- echo "::endgroup::"
-
- - name: Install
- shell: bash
- run: sudo python3 -m pip install git+https://github.com/systemd/mkosi.git@${{ inputs.version }}
diff --git a/.github/workflows/build-os-image-requirements.txt b/.github/workflows/build-os-image-requirements.txt
deleted file mode 100644
index f18c8e42e..000000000
--- a/.github/workflows/build-os-image-requirements.txt
+++ /dev/null
@@ -1,24 +0,0 @@
-lief==0.13.1 \
- --hash=sha256:018b542f09fe2305e1585a3e63a7e5132927b835062b456e5c8c571db7784d1e \
- --hash=sha256:0283a4c749afe58be8e21cdd9be79c657c51ca9b8346f75f4b97349b1f022851 \
- --hash=sha256:04c87039d1e68ebc467f83136179626403547dd1ce851541345f8ca0b1fe6c5b \
- --hash=sha256:16753bd72b1e3932d94d088a93b64e08c1f6c8bce1b064b47fe66ed73d9562b2 \
- --hash=sha256:23617d96d162081f8bf315d9b0494845891f8d0f04ad60991b83367ee9e261aa \
- --hash=sha256:3cfbc6c50f9e3a8015cd5ee88dfe83f423562c025439143bbd5c086a3f9fe599 \
- --hash=sha256:57bdb0471760c4ff520f5e5d005e503cc7ea3ebe22df307bb579a1a561b8c4e9 \
- --hash=sha256:661abaa48bc032b9a7529e0b73d2ced3e4a1f13381592f6b9e940750b07a5ac2 \
- --hash=sha256:8439805a389cc67b6d4ea7d757a3211f22298edce53c5b064fdf8bf05fabba54 \
- --hash=sha256:95a4b6d1f8dba9360aecf7542e54ce5eb02c0e88f2d827b5445594d5d51109f5 \
- --hash=sha256:965fadb1301d1a81f16067e4fa743d2be3f6aa71391a83b752ff811ec74b0766 \
- --hash=sha256:a0472636ab15b9afecf8b5d55966912af8cb4de2f05b98fc05c87d51880d0208 \
- --hash=sha256:a18fee5cf69adf9d5ee977778ccd46c39c450960f806231b26b69011f81bc712 \
- --hash=sha256:a3c900f49c3d3135c728faeb386d13310bb3511eb2d4e1c9b109b48ae2658361 \
- --hash=sha256:aa7f45c5125be80a513624d3a5f6bd50751c2edc6de5357fde218580111c8535 \
- --hash=sha256:b1f295dbb57094443926ac6051bee9a1945d92344f470da1cb506060eb2f91ac \
- --hash=sha256:b53317d78f8b7528e3f2f358b3f9334a1a84fae88c5aec1a3b7717ed31bfb066 \
- --hash=sha256:bb8b285a6c670df590c36fc0c19b9d2e32b99f17e57afa29bb3052f1d55aa50f \
- --hash=sha256:be871116faa698b6d9da76b0caec2ec5b7e7b8781cfb3a4ac0c4e348fb37ab49 \
- --hash=sha256:bfbf8885a3643ea9aaf663d039f50ca58b228886c3fe412725b22851aeda3b77 \
- --hash=sha256:c6839df875e912edd3fc553ab5d1b916527adee9c57ba85c69314a93f7ba2e15 \
- --hash=sha256:ccfba33c02f21d4ede26ab85eb6539a00e74e236569c13dcbab2e157b73673c4 \
- --hash=sha256:e414d6c23f26053f4824d080885ab1b75482122796cba7d09cbf157900646289
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 63330454e..6c50ffeae 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -45,84 +45,6 @@ on: required: false jobs: - build-dependencies: - name: "Build binaries for embedding in the OS" - runs-on: ubuntu-22.04 - permissions: - contents: read - packages: read - outputs: - bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} - disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} - upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }} - measurement-reader-sha256: ${{ steps.collect-hashes.outputs.measurement-reader-sha256 }} - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ inputs.ref || github.head_ref }} - - - name: Setup Go environment - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: "1.20.8" - cache: true - - - name: Setup bazel - uses: ./.github/actions/setup_bazel - with: - useCache: "false" - - - name: Build bootstrapper - if: inputs.stream != 'debug' - uses: ./.github/actions/build_bootstrapper - with: - outputPath: ${{ github.workspace }}/build/bootstrapper - - - name: Build debugd - if: inputs.stream == 'debug' - uses: ./.github/actions/build_debugd - with: - outputPath: ${{ github.workspace }}/build/debugd - - - name: Build disk-mapper - uses: ./.github/actions/build_disk_mapper - with: - outputPath: ${{ github.workspace }}/build/disk-mapper - - - name: Build upgrade-agent - uses: ./.github/actions/build_upgrade_agent - with: - outputPath: ${{ github.workspace }}/build/upgrade-agent - - - name: Build measurement-reader - uses: ./.github/actions/build_measurement_reader - with: - outputPath: ${{ github.workspace }}/build/measurement-reader - - - name: Upload dependencies - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - env: - MAIN_BINARY: ${{ inputs.stream == 'debug' && 'debugd' || 'bootstrapper' }} - with: - name: dependencies - path: | - ${{ github.workspace }}/build/${{ env.MAIN_BINARY }} - ${{ 
github.workspace }}/build/disk-mapper - ${{ github.workspace }}/build/upgrade-agent - ${{ github.workspace }}/build/measurement-reader - - - name: Collect hashes - id: collect-hashes - working-directory: ${{ github.workspace }}/build - run: | - { - echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" - echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" - echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)" - echo "measurement-reader-sha256=$(sha256sum measurement-reader | head -c 64)" - } | tee -a "$GITHUB_OUTPUT" - build-settings: name: "Determine build settings" runs-on: ubuntu-22.04 @@ -130,7 +52,6 @@ jobs: ref: ${{ steps.ref.outputs.ref }} stream: ${{ steps.stream.outputs.stream }} imageType: ${{ steps.image-type.outputs.imageType }} - pkiSet: ${{ steps.pki-set.outputs.pkiSet }} imageVersion: ${{ steps.image-version.outputs.imageVersion }} imageName: ${{ steps.image-version.outputs.imageName }} imageNameShort: ${{ steps.image-version.outputs.imageNameShort }} @@ -185,16 +106,6 @@ jobs: ;; esac - - name: Determine PKI set - id: pki-set - shell: bash - run: | - if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ steps.stream.outputs.stream }}" == "stable" ]]; then - echo "pkiSet=pki_prod" | tee -a "$GITHUB_OUTPUT" - else - echo "pkiSet=pki_testing" | tee -a "$GITHUB_OUTPUT" - fi - - name: Determine image version id: image-version shell: bash 
@@ -220,43 +131,10 @@ jobs: make-os-image: name: "Build OS using mkosi" - needs: [build-settings, build-dependencies] + needs: [build-settings] runs-on: ubuntu-22.04 # TODO(malt3): flatten outputs once possible # https://github.com/community/community/discussions/17245 - outputs: - image-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-aws-nitro-tpm-sha256 }} - image-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-azure-sev-snp-sha256 }} - image-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-gcp-sev-es-sha256 }} - image-raw-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-qemu-vtpm-sha256 }} - image-efi-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-aws-nitro-tpm-sha256 }} - image-efi-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-azure-sev-snp-sha256 }} - image-efi-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-gcp-sev-es-sha256 }} - image-efi-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-qemu-vtpm-sha256 }} - image-initrd-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-aws-nitro-tpm-sha256 }} - image-initrd-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-azure-sev-snp-sha256 }} - image-initrd-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-gcp-sev-es-sha256 }} - image-initrd-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-qemu-vtpm-sha256 }} - image-root-raw-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-aws-nitro-tpm-sha256 }} - image-root-raw-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-azure-sev-snp-sha256 }} - image-root-raw-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-gcp-sev-es-sha256 }} - image-root-raw-qemu-qemu-vtpm-sha256: ${{ 
steps.collect-hashes.outputs.image-root-raw-qemu-qemu-vtpm-sha256 }} - image-root-verity-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-aws-nitro-tpm-sha256 }} - image-root-verity-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-azure-sev-snp-sha256 }} - image-root-verity-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-gcp-sev-es-sha256 }} - image-root-verity-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-qemu-vtpm-sha256 }} - image-vmlinuz-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-aws-nitro-tpm-sha256 }} - image-vmlinuz-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-azure-sev-snp-sha256 }} - image-vmlinuz-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-gcp-sev-es-sha256 }} - image-vmlinuz-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-qemu-vtpm-sha256 }} - image-raw-changelog-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-aws-nitro-tpm-sha256 }} - image-raw-changelog-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-azure-sev-snp-sha256 }} - image-raw-changelog-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-gcp-sev-es-sha256 }} - image-raw-changelog-qemu-qemu-vtpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-qemu-vtpm-sha256 }} - image-raw-manifest-aws-aws-nitro-tpm-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-aws-nitro-tpm-sha256 }} - image-raw-manifest-azure-azure-sev-snp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-azure-sev-snp-sha256 }} - image-raw-manifest-gcp-gcp-sev-es-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-gcp-sev-es-sha256 }} - image-raw-manifest-qemu-qemu-vtpm-sha256: ${{ 
steps.collect-hashes.outputs.image-raw-manifest-qemu-qemu-vtpm-sha256 }} strategy: fail-fast: false matrix: 
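Review bot: The `# TODO(malt3): flatten outputs once possible` comment and the discussion link kept as context above `strategy:` refer to the per-artifact `outputs:` map that this hunk deletes, so the TODO is now stale and a reader of the new file finds it attached to nothing. Either drop both comment lines or reword them to name what still needs flattening, e.g. `# TODO(malt3): expose per-matrix image hashes as job outputs once matrix outputs can be flattened`, if that is still the intent. The make-os-image job continues past the end of the hunk.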
@@ -281,97 +159,36 @@ jobs: with: ref: ${{ inputs.ref || github.head_ref }} - - name: Download build dependencies - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: dependencies - path: ${{ github.workspace }}/build - - - name: Mark bootstrapper, debugd, disk-mapper, measurement-reader, and upgrade-agent as executable - run: | - chmod +x ${{ github.workspace }}/build/bootstrapper || true - chmod +x ${{ github.workspace }}/build/debugd || true - chmod +x ${{ github.workspace }}/build/disk-mapper - chmod +x ${{ github.workspace }}/build/upgrade-agent - chmod +x ${{ github.workspace }}/build/measurement-reader - - - name: Setup mkosi - uses: ./.github/actions/setup_mkosi - with: - version: d8b32fbf3077b612db0024276e73cec3c2c87577 - systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677 - - - name: Prepare PKI for secure boot signing - id: prepare-pki - shell: bash - working-directory: ${{ github.workspace }}/image - env: - PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} - DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} - run: | - echo "${DB_KEY}" > "${PKI_SET}/db.key" - chmod 600 "${PKI_SET}/db.key" - ln -s "${PKI_SET}" pki + - uses: cachix/install-nix-action@v22 - name: Build + id: build shell: bash working-directory: ${{ github.workspace }}/image env: - BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper - DEBUGD_BINARY: ${{ github.workspace }}/build/bootstrapper - DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper - UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent - MEASUREMENT_READER_BINARY: ${{ github.workspace }}/build/measurement-reader - DEBUG: ${{ (needs.build-settings.outputs.stream == 'debug') && 'true' || 'false' }} - AUTOLOGIN: ${{ (needs.build-settings.outputs.stream == 'console' || needs.build-settings.outputs.stream == 'debug' ) && 'true' || 'false' }} - 
IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }} - CSP: ${{ matrix.csp }} - ATTESTATION_VARIANT: ${{ matrix.attestation_variant }} + TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }} run: | echo "::group::Build" - sudo make IMAGE_VERSION="${IMAGE_VERSION}" DEBUG="${DEBUG}" AUTOLOGIN="${AUTOLOGIN}" "${CSP}_${ATTESTATION_VARIANT}" - echo "::endgroup::" - - - name: Collect hashes - id: collect-hashes - working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38 - run: | + bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}" { - echo "image-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.raw | head -c 64)" - echo "image-efi-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.efi | head -c 64)" - echo "image-initrd-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.esp.raw | head -c 64)" - echo "image-root-raw-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)" - echo "image-root-verity-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)" - echo "image-vmlinuz-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" - echo "image-raw-changelog-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.changelog | head -c 64)" - echo "image-raw-manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }}-sha256=$(sha256sum image.manifest | head -c 64)" + echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")" } | tee -a "$GITHUB_OUTPUT" + echo "::endgroup::" - name: Upload raw OS image as artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: 
image-${{ matrix.csp }}-${{ matrix.attestation_variant }} - path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw + path: ${{ steps.build.outputs.image-dir }}/constellation.raw - name: Upload individual OS parts as artifacts uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }} path: | - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.cmdline - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.efi - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.esp.raw - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64.raw - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.root-x86-64-verity.raw - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.vmlinuz - - - name: Upload manifest as artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: manifest-${{ matrix.csp }}-${{ matrix.attestation_variant }} - path: | - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.changelog - ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.manifest + ${{ steps.build.outputs.image-dir }}/constellation.efi + ${{ steps.build.outputs.image-dir }}/constellation.initrd + ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz upload-os-image: name: "Upload OS image to CSP" 
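Review bot: `- uses: cachix/install-nix-action@v22` is the only action in this workflow referenced by a mutable tag; every other `uses:` in the file is pinned to a full commit SHA with a `# vX.Y.Z` comment. A tag can be moved to different code, and this action installs the Nix toolchain that then builds the OS image, so it should be pinned the same way, `- uses: cachix/install-nix-action@<full commit sha of the v22 release> # v22`. Separately, this hunk removes the `Prepare PKI for secure boot signing` step and the `DB_KEY` choice between the release and testing secrets without anything in the new `Build` step taking their place, so signing presumably now happens inside the Bazel target; a one-line comment above `Build` stating where the signing key now comes from and how release versus testing keys are selected would save the next reader from having to check. The job's `steps:` list continues past the end of the hunk.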
@@ -399,7 +216,7 @@ jobs: - csp: openstack attestation_variant: qemu-vtpm env: - RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image.raw + RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz @@ -446,13 +263,6 @@ jobs: with: service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com" - - name: Prepare PKI for image upload - id: prepare-pki - shell: bash - working-directory: ${{ github.workspace }}/image - run: | - ln -s ${{ needs.build-settings.outputs.pkiSet }} pki - - name: Upload AWS image if: matrix.csp == 'aws' shell: bash @@ -575,7 +385,6 @@ jobs: - name: Install dependencies run: | echo "::group::Install dependencies" - python -m pip install --user --require-hashes -r .github/workflows/build-os-image-requirements.txt sudo apt-get update sudo apt-get install -y systemd-container # for systemd-dissect echo "::endgroup::" 
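Review bot: The renamed `RAW_IMAGE_PATH` keeps the `mkosi.output.<csp>_<variant>/fedora~38/` staging prefix, as do `JSON_OUTPUT`, `AZURE_IMAGE_PATH` and `GCP_IMAGE_PATH`, although the image is now produced by the Bazel/Nix target rather than by mkosi, so the directory name is now a misnomer. If the artifact-download step outside this hunk still targets that path, add a comment above the `env:` block such as `# staging directory name kept for the upload scripts; the image is no longer built by mkosi` or rename the prefix consistently in both places. The upload-os-image job begins before this hunk.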
@@ -584,13 +393,7 @@ jobs: working-directory: ${{ github.workspace }}/image/measured-boot run: | echo "::group::Calculate expected PCRs" - { - ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json - ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json - ./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json ${{ matrix.csp }} - } >> "$GITHUB_STEP_SUMMARY" - cp pcr-stable.json ${{ github.workspace }}/ - jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json + bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY" echo "::endgroup::" - name: Add static PCRs @@ -614,7 +417,7 @@ jobs: .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | - .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; 
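Review bot: The new `bazel run --run_under="sudo -E" //image/measured-boot/cmd ...` line runs the PCR calculator as root with the runner's entire environment forwarded, and nothing says why root is needed; the removed scripts were not invoked with sudo at this level (they may have escalated internally). If root is required to mount or dissect `constellation.raw` (systemd-container is installed just above for `systemd-dissect`), say so in a comment, e.g. `# root is needed to mount the raw image; -E keeps the bazel/runner environment`, and consider narrowing `-E` to the variables bazel actually needs instead of forwarding every secret-bearing variable the job holds. The output file is then root-owned and the following `yq -i` steps rewrite it in place as the runner user; confirm that succeeds rather than relying on it implicitly. The `Add static PCRs` step continues past the end of the hunk.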
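Review bot: `.measurements.14.expected` is changed to the all-zero digest, meaning PCR 14 is now expected to remain at its reset value and never be extended during boot, but the hunk gives no reason, and because `warnOnly = true` a mismatch would only warn, so drift here would go unnoticed in CI. Add a comment above the `yq` call stating the assumption, e.g. `# PCR 14 is expected untouched by the new boot chain (reset value); kept warnOnly until verified on real hardware`, naming what PCR 14 carries in this image (presumably the shim/MOK state, to be confirmed). The same value is set in the other case arms, which lie outside this hunk.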
@@ -634,7 +437,7 @@ jobs: .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | - .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; @@ -656,7 +459,7 @@ jobs: .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | .measurements.14.warnOnly = true | - .measurements.14.expected = "d7c4cc7ff7933022f013e03bdee875b91720b5b86cf1753cad830f95e791926f" | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; @@ -669,6 +472,8 @@ jobs: .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | + .measurements.14.warnOnly = true | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; @@ -681,6 +486,8 @@ jobs: .measurements.11.warnOnly = false | .measurements.12.warnOnly = false | .measurements.13.warnOnly = false | + .measurements.14.warnOnly = true | + .measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" | .measurements.15.warnOnly = false' \ -I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" ;; 
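Review bot: The PCR 14 pair (`.measurements.14.warnOnly = true |` and `.measurements.14.expected = "000…0" |`) added here is now byte-identical across all five case arms of this step, as is most of the surrounding `yq` expression. Factor the shared assertions into one `yq` invocation run once before or after the `case`, leaving only the CSP-specific lines in the arms, so the next PCR policy change is a one-line edit instead of five that can silently diverge. The `case` statement begins before these hunks.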
@@ -797,127 +604,6 @@ jobs: --signature measurements.json.sig echo "::endgroup::" - generate-sbom: - name: "Generate SBOM" - needs: [build-settings, build-dependencies, make-os-image] - permissions: - id-token: write - contents: read - runs-on: ubuntu-22.04 - steps: - - name: Login to AWS - uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 - with: - role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline - aws-region: eu-central-1 - - - name: Install squashfs tools - run: | - echo "::group::Install squashfs tools" - sudo apt-get update - sudo apt-get install -y squashfs-tools - echo "::endgroup::" - - - name: Download rootfs - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - # downloading / using only the QEMU rootfs is fine - # since the images only differ in the ESP partition - name: parts-qemu-qemu-vtpm - - - name: Download manifest - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - # downloading / using only the QEMU manifest is fine - # since the images only differ in the ESP partition - name: manifest-qemu-qemu-vtpm - - - name: Unpack squashfs - run: | - echo "::group::Unpack squashfs" - unsquashfs -user-xattrs -d image.root.tree image.root-x86-64.raw - echo "::endgroup::" - - - name: Create SBOM in SPDX fromat - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - with: - path: image.root.tree - artifact-name: sbom.spdx.json - output-file: sbom.spdx.json - format: spdx-json - - - name: Create SBOM in CycloneDX fromat - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - with: - path: image.root.tree - artifact-name: sbom.cyclonedx.json - output-file: sbom.cyclonedx.json - format: cyclonedx-json - - - name: Create SBOM in Syft fromat - uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - with: - path: image.root.tree - 
artifact-name: sbom.syft.json - output-file: sbom.syft.json - format: syft-json - - - name: Combine hashes - run: | - cat > SHA256SUMS <> "$GITHUB_STEP_SUMMARY" - - - name: Upload SBOMs to S3 - shell: bash - run: | - sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json' - manifests='image.manifest image.changelog' - hashes='SHA256SUMS' - for file in ${sboms} ${manifests} ${hashes}; do - aws s3 cp \ - "${file}" \ - "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \ - --no-progress - done - upload-artifacts: name: "Upload image lookup table and CLI compatibility info" runs-on: ubuntu-22.04