image: allow toggling secure boot in image upload
This commit is contained in:
parent
c6ea596eb9
commit
3543fe140e
@ -83,20 +83,24 @@ func runAWS(cmd *cobra.Command, _ []string) error {
|
||||
out = outF
|
||||
}
|
||||
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
uploadReq := &osimage.UploadRequest{
|
||||
Provider: flags.provider,
|
||||
Version: flags.version,
|
||||
AttestationVariant: flags.attestationVariant,
|
||||
SBDatabase: sbDatabase,
|
||||
UEFIVarStore: uefiVarStore,
|
||||
SecureBoot: flags.secureBoot,
|
||||
Size: size,
|
||||
Timestamp: flags.timestamp,
|
||||
Image: file,
|
||||
}
|
||||
|
||||
if flags.secureBoot {
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
uploadReq.SBDatabase = sbDatabase
|
||||
uploadReq.UEFIVarStore = uefiVarStore
|
||||
}
|
||||
|
||||
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
|
||||
}
|
||||
|
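Review bot: The new `if flags.secureBoot { … }` block that loads the keys and copies them into `uploadReq` is pasted verbatim into runAWS here and again into runAzure, runGCP and runNOP, so any later change to how the PKI material is validated or attached has to be made four times. A small helper in the same package, taking the request and the parsed flags, keeps one copy of that logic and lets each run function stay a straight-line `return uploadImage(...)`; this assumes `flags` is (or embeds) `commonFlags`, which is consistent with the fields used but declared outside the hunk. The bare `return err` after loadSecureBootKeys also drops the context of which path was being read; wrapping it in the helper is a natural follow-up if the file already imports fmt. runAWS begins outside the hunk.
```go
	// … unchanged: output file handling and the uploadReq literal (without SBDatabase/UEFIVarStore) …
	if err := addSecureBootKeys(uploadReq, flags); err != nil {
		return err
	}
	return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
}

// addSecureBootKeys loads the secure boot PKI material from flags.pki into req
// when secure boot is requested; otherwise req is left untouched.
func addSecureBootKeys(req *osimage.UploadRequest, flags commonFlags) error {
	if !flags.secureBoot {
		return nil
	}
	sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
	if err != nil {
		return err
	}
	req.SBDatabase = sbDatabase
	req.UEFIVarStore = uefiVarStore
	return nil
}
```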
@ -84,20 +84,24 @@ func runAzure(cmd *cobra.Command, _ []string) error {
|
||||
out = outF
|
||||
}
|
||||
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
uploadReq := &osimage.UploadRequest{
|
||||
Provider: flags.provider,
|
||||
Version: flags.version,
|
||||
AttestationVariant: flags.attestationVariant,
|
||||
SBDatabase: sbDatabase,
|
||||
UEFIVarStore: uefiVarStore,
|
||||
SecureBoot: flags.secureBoot,
|
||||
Size: size,
|
||||
Timestamp: flags.timestamp,
|
||||
Image: file,
|
||||
}
|
||||
|
||||
if flags.secureBoot {
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
uploadReq.SBDatabase = sbDatabase
|
||||
uploadReq.UEFIVarStore = uefiVarStore
|
||||
}
|
||||
|
||||
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
|
||||
}
|
||||
|
@ -23,6 +23,7 @@ type commonFlags struct {
|
||||
pki string
|
||||
provider cloudprovider.Provider
|
||||
attestationVariant string
|
||||
secureBoot bool
|
||||
version versionsapi.Version
|
||||
timestamp time.Time
|
||||
region string
|
||||
@ -49,6 +50,10 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
|
||||
if err != nil {
|
||||
return commonFlags{}, err
|
||||
}
|
||||
secureBoot, err := cmd.Flags().GetBool("secure-boot")
|
||||
if err != nil {
|
||||
return commonFlags{}, err
|
||||
}
|
||||
version, err := cmd.Flags().GetString("version")
|
||||
if err != nil {
|
||||
return commonFlags{}, err
|
||||
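Review bot: The new `secure-boot` value is read but never cross-checked against `pki`, so `--secure-boot` with an empty `--pki` only fails later inside loadSecureBootKeys (or not at all, if that helper tolerates an empty base path), and `--pki` without `--secure-boot` is silently ignored by the run* commands. Once both values are in hand, reject the inconsistent combination with the error constructor the file already imports: `if secureBoot && pki == "" { return commonFlags{}, errors.New("--pki is required when --secure-boot is set") }`. The `pki` local is assigned into the returned struct further down in this function, but whether it is read before or after this hunk is outside the view. Whether `--pki` without `--secure-boot` should be an error or a warning depends on intended usage; either way it deserves a deliberate decision rather than silence. parseCommonFlags begins and ends outside the hunk.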
@ -97,6 +102,7 @@ func parseCommonFlags(cmd *cobra.Command) (commonFlags, error) {
|
||||
rawImage: rawImage,
|
||||
pki: pki,
|
||||
attestationVariant: attestationVariant,
|
||||
secureBoot: secureBoot,
|
||||
version: ver,
|
||||
timestamp: timestmp,
|
||||
region: region,
|
||||
|
@ -84,20 +84,24 @@ func runGCP(cmd *cobra.Command, _ []string) error {
|
||||
out = outF
|
||||
}
|
||||
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
uploadReq := &osimage.UploadRequest{
|
||||
Provider: flags.provider,
|
||||
Version: flags.version,
|
||||
AttestationVariant: flags.attestationVariant,
|
||||
SBDatabase: sbDatabase,
|
||||
UEFIVarStore: uefiVarStore,
|
||||
SecureBoot: flags.secureBoot,
|
||||
Size: size,
|
||||
Timestamp: flags.timestamp,
|
||||
Image: file,
|
||||
}
|
||||
|
||||
if flags.secureBoot {
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
uploadReq.SBDatabase = sbDatabase
|
||||
uploadReq.UEFIVarStore = uefiVarStore
|
||||
}
|
||||
|
||||
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
|
||||
}
|
||||
|
@ -25,6 +25,7 @@ func NewImageCmd() *cobra.Command {
|
||||
cmd.SetOut(os.Stdout)
|
||||
|
||||
cmd.PersistentFlags().String("raw-image", "", "Path to os image in CSP specific format that should be uploaded.")
|
||||
cmd.PersistentFlags().Bool("secure-boot", false, "Enables secure boot support.")
|
||||
cmd.PersistentFlags().String("pki", "", "Base path to the PKI (secure boot signing) files.")
|
||||
cmd.PersistentFlags().String("attestation-variant", "", "Attestation variant of the image being uploaded.")
|
||||
cmd.PersistentFlags().String("version", "", "Shortname of the os image version.")
|
||||
|
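Review bot: The help text `Enables secure boot support.` does not tell the operator that this flag gates whether the PKI material is used at all, nor that `--pki` is needed alongside it. Suggest `"Enable UEFI secure boot for the uploaded image (requires --pki)."` for `secure-boot`, and `"Base path to the PKI (secure boot signing) files; only used together with --secure-boot."` for `pki`, so the two flags document their coupling. NewImageCmd continues outside the hunk.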
@ -67,20 +67,24 @@ func runNOP(cmd *cobra.Command, provider cloudprovider.Provider, _ []string) err
|
||||
out = outF
|
||||
}
|
||||
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
uploadReq := &osimage.UploadRequest{
|
||||
Provider: flags.provider,
|
||||
Version: flags.version,
|
||||
AttestationVariant: flags.attestationVariant,
|
||||
SBDatabase: sbDatabase,
|
||||
UEFIVarStore: uefiVarStore,
|
||||
SecureBoot: flags.secureBoot,
|
||||
Size: size,
|
||||
Timestamp: flags.timestamp,
|
||||
Image: file,
|
||||
}
|
||||
|
||||
if flags.secureBoot {
|
||||
sbDatabase, uefiVarStore, err := loadSecureBootKeys(flags.pki)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
uploadReq.SBDatabase = sbDatabase
|
||||
uploadReq.UEFIVarStore = uefiVarStore
|
||||
}
|
||||
|
||||
return uploadImage(cmd.Context(), archiveC, uploadC, uploadReq, out)
|
||||
}
|
||||
|
@ -110,7 +110,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("importing snapshot: %w", err)
|
||||
}
|
||||
primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.UEFIVarStore)
|
||||
primaryAMIID, err := u.createImageFromSnapshot(ctx, req.Version, imageName, snapshotID, req.SecureBoot, req.UEFIVarStore)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("creating image from snapshot: %w", err)
|
||||
}
|
||||
@ -297,16 +297,21 @@ func (u *Uploader) ensureSnapshotDeleted(ctx context.Context, snapshotName, regi
|
||||
return nil
|
||||
}
|
||||
|
||||
func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, uefiVarStore secureboot.UEFIVarStore) (string, error) {
|
||||
func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versionsapi.Version, imageName, snapshotID string, enableSecureBoot bool, uefiVarStore secureboot.UEFIVarStore) (string, error) {
|
||||
u.log.Debugf("Creating image %s in %s", imageName, u.region)
|
||||
ec2C, err := u.ec2(ctx, u.region)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("creating ec2 client: %w", err)
|
||||
}
|
||||
uefiData, err := uefiVarStore.ToAWS()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("creating uefi data: %w", err)
|
||||
var uefiData *string
|
||||
if enableSecureBoot {
|
||||
awsUEFIData, err := uefiVarStore.ToAWS()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("creating uefi data: %w", err)
|
||||
}
|
||||
uefiData = toPtr(awsUEFIData)
|
||||
}
|
||||
|
||||
createReq, err := ec2C.RegisterImage(ctx, &ec2.RegisterImageInput{
|
||||
Name: &imageName,
|
||||
Architecture: ec2types.ArchitectureValuesX8664,
|
||||
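Review bot: `awsUEFIData, err := uefiVarStore.ToAWS()` inside the new `if enableSecureBoot` block declares a second `err` that shadows the one from the ec2 client call a few lines up; it is checked before the block ends so nothing is lost, but shadow-aware vet configurations will flag it, and `var awsUEFIData string` before the block plus `awsUEFIData, err = uefiVarStore.ToAWS()` avoids the shadow (the string type is inferred from the previous `UefiData: &uefiData` usage, so confirm against ToAWS's signature). The signature now takes a bool and a value that is only meaningful when the bool is true, which deserves a doc comment: `// createImageFromSnapshot registers an AMI from snapshotID in u.region. uefiVarStore is converted and attached as UefiData only when enableSecureBoot is set; otherwise UefiData is left nil.` createImageFromSnapshot continues past the hunk.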
@ -324,7 +329,7 @@ func (u *Uploader) createImageFromSnapshot(ctx context.Context, version versions
|
||||
EnaSupport: toPtr(true),
|
||||
RootDeviceName: toPtr("/dev/xvda"),
|
||||
TpmSupport: ec2types.TpmSupportValuesV20,
|
||||
UefiData: &uefiData,
|
||||
UefiData: uefiData,
|
||||
VirtualizationType: toPtr("hvm"),
|
||||
})
|
||||
if err != nil {
|
||||
|
@ -82,7 +82,7 @@ func (u *Uploader) Upload(ctx context.Context, req *osimage.UploadRequest) ([]ve
|
||||
u.log.Errorf("post-cleaning: deleting blob: %v", err)
|
||||
}
|
||||
}()
|
||||
imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SBDatabase)
|
||||
imageRef, err := u.createImage(ctx, req.Version, imageName, blobName, req.SecureBoot, req.SBDatabase)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("creating image: %w", err)
|
||||
}
|
||||
@ -134,10 +134,18 @@ func (u *Uploader) ensureBlobDeleted(ctx context.Context, blobName string) error
|
||||
return u.bucket.Object(blobName).Delete(ctx)
|
||||
}
|
||||
|
||||
func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, sbDatabase secureboot.Database) (string, error) {
|
||||
func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version, imageName, blobName string, enableSecureBoot bool, sbDatabase secureboot.Database) (string, error) {
|
||||
u.log.Debugf("Creating image %s", imageName)
|
||||
blobURL := u.blobURL(blobName)
|
||||
family := u.imageFamily(version)
|
||||
var initialState *computepb.InitialStateConfig
|
||||
if enableSecureBoot {
|
||||
initialState = &computepb.InitialStateConfig{
|
||||
Pk: pk(&sbDatabase),
|
||||
Keks: keks(&sbDatabase),
|
||||
Dbs: dbs(&sbDatabase),
|
||||
}
|
||||
}
|
||||
req := computepb.InsertImageRequest{
|
||||
ImageResource: &computepb.Image{
|
||||
Name: &imageName,
|
||||
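Review bot: `createImage` gains an `enableSecureBoot` parameter that decides whether `sbDatabase` is used at all, but the function has no doc comment explaining that contract, and a caller passing a populated database with the flag off gets no signal that it was dropped. Suggest `// createImage inserts a GCP image backed by blobName. The shielded-VM initial state (PK, KEKs and DBs from sbDatabase) is attached only when enableSecureBoot is true; otherwise ShieldedInstanceInitialState is left nil and sbDatabase is ignored.` createImage continues past the hunk.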
@ -154,11 +162,7 @@ func (u *Uploader) createImage(ctx context.Context, version versionsapi.Version,
|
||||
{Type: toPtr("VIRTIO_SCSI_MULTIQUEUE")},
|
||||
{Type: toPtr("UEFI_COMPATIBLE")},
|
||||
},
|
||||
ShieldedInstanceInitialState: &computepb.InitialStateConfig{
|
||||
Pk: pk(&sbDatabase),
|
||||
Keks: keks(&sbDatabase),
|
||||
Dbs: dbs(&sbDatabase),
|
||||
},
|
||||
ShieldedInstanceInitialState: initialState,
|
||||
},
|
||||
Project: u.project,
|
||||
}
|
||||
|
@ -21,6 +21,7 @@ type UploadRequest struct {
|
||||
Provider cloudprovider.Provider
|
||||
Version versionsapi.Version
|
||||
AttestationVariant string
|
||||
SecureBoot bool
|
||||
SBDatabase secureboot.Database
|
||||
UEFIVarStore secureboot.UEFIVarStore
|
||||
Size int64
|
||||
|
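Review bot: `SecureBoot` is added as an exported field without a doc comment, and its effect is not local to this struct: the GCP uploader leaves ShieldedInstanceInitialState nil and the AWS uploader omits UefiData when it is false, so `SBDatabase` and `UEFIVarStore` become dead fields in that case. Suggest `// SecureBoot enables UEFI secure boot for the uploaded image. When false, SBDatabase and UEFIVarStore are ignored by the uploaders that support secure boot.` so callers building the request know the dependency. Whether the Azure uploader honours this field cannot be seen in this diff.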