diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 745951013..e1a3ec4b8 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml @@ -116,7 +116,7 @@ jobs: run: | ln -s pki_testing pki echo "${DB_KEY}" > pki/db.key - working-directory: ${{ github.workspace }}/image/mkosi + working-directory: ${{ github.workspace }}/image env: DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }} @@ -126,7 +126,7 @@ jobs: echo "::group::Build" sudo make "${CSP}" echo "::endgroup::" - working-directory: ${{ github.workspace }}/image/mkosi + working-directory: ${{ github.workspace }}/image env: BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper @@ -143,14 +143,14 @@ jobs: echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT - working-directory: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36 + working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 continue-on-error: true - name: Upload raw OS image as artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 with: name: image-${{ matrix.csp }} - path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw + path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw if: always() continue-on-error: true 
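Review bot: In the @@ -116 hunk, `echo "${DB_KEY}" > pki/db.key` writes the Secure Boot db signing key to disk with the runner's default umask, so the file is presumably readable by every process in the job for its remainder; the commit only relocates `working-directory` and leaves the step otherwise unchanged. Restricting the file at creation is a one-line change, e.g. `(umask 077; echo "${DB_KEY}" > pki/db.key)`, or `install -m 600 /dev/null pki/db.key` before the write. Because `pki` is a symlink to the tracked `pki_testing` directory, the key lands beside the checked-in test certificates, which is worth stating in the step, e.g. `# db.key is materialised inside pki_testing through the pki symlink`. The `run:` block of this step begins before the hunk, so its header is not visible here.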
@@ -159,13 +159,13 @@ jobs: with: name: parts-${{ matrix.csp }} path: | - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz if: always() continue-on-error: true @@ -174,8 +174,8 @@ jobs: with: name: manifest-${{ matrix.csp }} path: | - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog - ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog + ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest if: always() continue-on-error: true 
@@ -198,7 +198,7 @@ jobs: uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: image-${{ matrix.csp }} - path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36 + path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 - name: Install tools shell: bash @@ -223,7 +223,7 @@ jobs: - name: Prepare PKI for image upload shell: bash run: ln -s pki_testing pki - working-directory: ${{ github.workspace }}/image/mkosi + working-directory: ${{ github.workspace }}/image - name: Determine version id: version 
@@ -244,19 +244,19 @@ jobs: semver=${{ steps.version.outputs.semanticVersion }} imageVersion=${{ inputs.imageVersion }} pseudover=${{ steps.version.outputs.pseudoVersion }} - echo "PKI=${{ github.workspace }}/image/mkosi/pki" >> $GITHUB_ENV + echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV echo "GCP_REGION=europe-west3" >> $GITHUB_ENV - echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV - echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV + echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV + echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV echo "AZURE_REGION=northeurope" >> $GITHUB_ENV echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV echo "AZURE_SKU=constellation" >> $GITHUB_ENV echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV - echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV - echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV + echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV + echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV # TODO: set default security type to "ConfidentialVM" once replication is possible AZURE_SECURITY_TYPE=${{ matrix.upload-variant }} if [ -z "${AZURE_SECURITY_TYPE}" ]; then 
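Review bot: In the @@ -244 hunk, `imageVersion=${{ inputs.imageVersion }}` (and the two `steps.version.outputs.*` assignments above it) are substituted by the workflow templater straight into the shell script, so the value is interpreted as shell syntax before bash ever assigns it; the commit touches only the neighbouring path lines and leaves this as is. The usual hardening is to route such values through the step's `env:` map and read them as shell variables, e.g. `IMAGE_VERSION: ${{ inputs.imageVersion }}` under `env:` and `imageVersion="${IMAGE_VERSION}"` in the script, which also keeps the script quoting-safe for versions containing spaces. How much exposure this represents depends on who can dispatch the workflow, which is not visible in this chunk. The enclosing `run:` block starts before the hunk and continues past it.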
@@ -291,7 +291,7 @@ jobs: echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV else echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV - echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/mkosi/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV + echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV fi echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV @@ -303,7 +303,7 @@ jobs: s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ --no-progress - working-directory: ${{ github.workspace }}/image/mkosi + working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' }} - name: Upload GCP image @@ -314,7 +314,7 @@ jobs: upload/upload_gcp.sh echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" - working-directory: ${{ github.workspace }}/image/mkosi + working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'gcp' }} - name: Upload Azure image @@ -325,7 +325,7 @@ jobs: upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" - working-directory: ${{ github.workspace }}/image/mkosi + working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' }} calculate-pcrs: 
@@ -361,7 +361,7 @@ jobs: cp pcr-stable.json ${{ github.workspace }}/ jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json echo "::endgroup::" - working-directory: ${{ github.workspace }}/image/mkosi/measured-boot + working-directory: ${{ github.workspace }}/image/measured-boot - name: Upload expected PCRs as artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 diff --git a/mkosi/.gitignore b/image/.gitignore similarity index 100% rename from mkosi/.gitignore rename to image/.gitignore diff --git a/mkosi/Makefile b/image/Makefile similarity index 92% rename from mkosi/Makefile rename to image/Makefile index 07eb66967..fd1a9f83a 100644 --- a/mkosi/Makefile +++ b/image/Makefile @@ -1,8 +1,8 @@ SHELL = /bin/bash SRC_PATH = $(CURDIR) BASE_PATH ?= $(SRC_PATH) -BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../../build/bootstrapper -DISK_MAPPER_BINARY ?= $(BASE_PATH)/../../build/disk-mapper +BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper +DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper PKI ?= $(BASE_PATH)/pki MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra -include $(CURDIR)/config.mk diff --git a/mkosi/measured-boot/extract_authentihash.py b/image/measured-boot/extract_authentihash.py similarity index 100% rename from mkosi/measured-boot/extract_authentihash.py rename to image/measured-boot/extract_authentihash.py diff --git a/mkosi/measured-boot/measure_util.sh b/image/measured-boot/measure_util.sh similarity index 100% rename from mkosi/measured-boot/measure_util.sh rename to image/measured-boot/measure_util.sh diff --git a/mkosi/measured-boot/pcr-stable.json b/image/measured-boot/pcr-stable.json similarity index 100% rename from mkosi/measured-boot/pcr-stable.json rename to image/measured-boot/pcr-stable.json 
diff --git a/mkosi/measured-boot/precalculate_pcr_4.sh b/image/measured-boot/precalculate_pcr_4.sh similarity index 100% rename from mkosi/measured-boot/precalculate_pcr_4.sh rename to image/measured-boot/precalculate_pcr_4.sh diff --git a/mkosi/measured-boot/precalculate_pcr_8.sh b/image/measured-boot/precalculate_pcr_8.sh similarity index 100% rename from mkosi/measured-boot/precalculate_pcr_8.sh rename to image/measured-boot/precalculate_pcr_8.sh diff --git a/mkosi/measured-boot/precalculate_pcr_9.sh b/image/measured-boot/precalculate_pcr_9.sh similarity index 100% rename from mkosi/measured-boot/precalculate_pcr_9.sh rename to image/measured-boot/precalculate_pcr_9.sh diff --git a/mkosi/mkosi.cache/.gitkeep b/image/mkosi.cache/.gitkeep similarity index 100% rename from mkosi/mkosi.cache/.gitkeep rename to image/mkosi.cache/.gitkeep diff --git a/mkosi/mkosi.conf.d/azure.conf b/image/mkosi.conf.d/azure.conf similarity index 100% rename from mkosi/mkosi.conf.d/azure.conf rename to image/mkosi.conf.d/azure.conf diff --git a/mkosi/mkosi.conf.d/containers.conf b/image/mkosi.conf.d/containers.conf similarity index 100% rename from mkosi/mkosi.conf.d/containers.conf rename to image/mkosi.conf.d/containers.conf diff --git a/mkosi/mkosi.conf.d/gcp.conf b/image/mkosi.conf.d/gcp.conf similarity index 100% rename from mkosi/mkosi.conf.d/gcp.conf rename to image/mkosi.conf.d/gcp.conf diff --git a/mkosi/mkosi.conf.d/mkosi.conf b/image/mkosi.conf.d/mkosi.conf similarity index 100% rename from mkosi/mkosi.conf.d/mkosi.conf rename to image/mkosi.conf.d/mkosi.conf diff --git a/mkosi/mkosi.conf.d/network.conf b/image/mkosi.conf.d/network.conf similarity index 100% rename from mkosi/mkosi.conf.d/network.conf rename to image/mkosi.conf.d/network.conf diff --git a/mkosi/mkosi.conf.d/secure-boot-tpm.conf b/image/mkosi.conf.d/secure-boot-tpm.conf similarity index 100% rename from mkosi/mkosi.conf.d/secure-boot-tpm.conf rename to image/mkosi.conf.d/secure-boot-tpm.conf 
diff --git a/mkosi/mkosi.conf.d/tools.conf b/image/mkosi.conf.d/tools.conf similarity index 100% rename from mkosi/mkosi.conf.d/tools.conf rename to image/mkosi.conf.d/tools.conf diff --git a/mkosi/mkosi.files/mkosi.azure.conf b/image/mkosi.files/mkosi.azure.conf similarity index 100% rename from mkosi/mkosi.files/mkosi.azure.conf rename to image/mkosi.files/mkosi.azure.conf diff --git a/mkosi/mkosi.files/mkosi.gcp.conf b/image/mkosi.files/mkosi.gcp.conf similarity index 100% rename from mkosi/mkosi.files/mkosi.gcp.conf rename to image/mkosi.files/mkosi.gcp.conf diff --git a/mkosi/mkosi.files/mkosi.qemu.conf b/image/mkosi.files/mkosi.qemu.conf similarity index 100% rename from mkosi/mkosi.files/mkosi.qemu.conf rename to image/mkosi.files/mkosi.qemu.conf diff --git a/mkosi/mkosi.finalize b/image/mkosi.finalize similarity index 100% rename from mkosi/mkosi.finalize rename to image/mkosi.finalize diff --git a/mkosi/mkosi.postinst b/image/mkosi.postinst similarity index 100% rename from mkosi/mkosi.postinst rename to image/mkosi.postinst diff --git a/mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf b/image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf similarity index 100% rename from mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf rename to image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf diff --git a/mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf b/image/mkosi.skeleton/etc/dracut.conf.d/azure.conf similarity index 100% rename from mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf rename to image/mkosi.skeleton/etc/dracut.conf.d/azure.conf diff --git a/mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf b/image/mkosi.skeleton/etc/dracut.conf.d/gce.conf similarity index 100% rename from mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf rename to image/mkosi.skeleton/etc/dracut.conf.d/gce.conf 
diff --git a/mkosi/mkosi.skeleton/etc/fstab b/image/mkosi.skeleton/etc/fstab similarity index 100% rename from mkosi/mkosi.skeleton/etc/fstab rename to image/mkosi.skeleton/etc/fstab diff --git a/mkosi/mkosi.skeleton/etc/profile.d/constellation.sh b/image/mkosi.skeleton/etc/profile.d/constellation.sh similarity index 100% rename from mkosi/mkosi.skeleton/etc/profile.d/constellation.sh rename to image/mkosi.skeleton/etc/profile.d/constellation.sh diff --git a/mkosi/mkosi.skeleton/usr/etc/containerd/config.toml b/image/mkosi.skeleton/usr/etc/containerd/config.toml similarity index 100% rename from mkosi/mkosi.skeleton/usr/etc/containerd/config.toml rename to image/mkosi.skeleton/usr/etc/containerd/config.toml diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service rename to image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service rename to image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service 
diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh rename to image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh rename to image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service rename to image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh rename to image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh diff --git a/mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf b/image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf rename to image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf 
diff --git a/mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf b/image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf rename to image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf diff --git a/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf b/image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf rename to image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf diff --git a/mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf b/image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf rename to image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network b/image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network rename to image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network b/image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network rename to image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset rename to image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset 
diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service b/image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service rename to image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service b/image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service rename to image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf b/image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf rename to image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf diff --git a/mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service b/image/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service rename to image/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service diff --git a/mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf b/image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf rename to image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf diff --git a/mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf b/image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf rename to image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf 
diff --git a/mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id b/image/mkosi.skeleton/usr/lib/udev/google_nvme_id similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id rename to image/mkosi.skeleton/usr/lib/udev/google_nvme_id diff --git a/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules rename to image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules diff --git a/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules rename to image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules diff --git a/mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules similarity index 100% rename from mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules rename to image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules diff --git a/mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs b/image/mkosi.skeleton/usr/libexec/constellation-pcrs similarity index 100% rename from mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs rename to image/mkosi.skeleton/usr/libexec/constellation-pcrs diff --git a/mkosi/pki_testing/KEK.auth b/image/pki_testing/KEK.auth similarity index 100% rename from mkosi/pki_testing/KEK.auth rename to image/pki_testing/KEK.auth diff --git a/mkosi/pki_testing/KEK.cer b/image/pki_testing/KEK.cer similarity index 100% rename from mkosi/pki_testing/KEK.cer rename to image/pki_testing/KEK.cer 
diff --git a/mkosi/pki_testing/KEK.crt b/image/pki_testing/KEK.crt similarity index 100% rename from mkosi/pki_testing/KEK.crt rename to image/pki_testing/KEK.crt diff --git a/mkosi/pki_testing/KEK.esl b/image/pki_testing/KEK.esl similarity index 100% rename from mkosi/pki_testing/KEK.esl rename to image/pki_testing/KEK.esl diff --git a/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt b/image/pki_testing/MicCorKEKCA2011_2011-06-24.crt similarity index 100% rename from mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt rename to image/pki_testing/MicCorKEKCA2011_2011-06-24.crt diff --git a/mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl b/image/pki_testing/MicCorKEKCA2011_2011-06-24.esl similarity index 100% rename from mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl rename to image/pki_testing/MicCorKEKCA2011_2011-06-24.esl diff --git a/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt b/image/pki_testing/MicCorUEFCA2011_2011-06-27.crt similarity index 100% rename from mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt rename to image/pki_testing/MicCorUEFCA2011_2011-06-27.crt diff --git a/mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl b/image/pki_testing/MicCorUEFCA2011_2011-06-27.esl similarity index 100% rename from mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl rename to image/pki_testing/MicCorUEFCA2011_2011-06-27.esl diff --git a/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt b/image/pki_testing/MicWinProPCA2011_2011-10-19.crt similarity index 100% rename from mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt rename to image/pki_testing/MicWinProPCA2011_2011-10-19.crt diff --git a/mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl b/image/pki_testing/MicWinProPCA2011_2011-10-19.esl similarity index 100% rename from mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl rename to image/pki_testing/MicWinProPCA2011_2011-10-19.esl 
diff --git a/mkosi/pki_testing/PK.auth b/image/pki_testing/PK.auth similarity index 100% rename from mkosi/pki_testing/PK.auth rename to image/pki_testing/PK.auth diff --git a/mkosi/pki_testing/PK.cer b/image/pki_testing/PK.cer similarity index 100% rename from mkosi/pki_testing/PK.cer rename to image/pki_testing/PK.cer diff --git a/mkosi/pki_testing/PK.crt b/image/pki_testing/PK.crt similarity index 100% rename from mkosi/pki_testing/PK.crt rename to image/pki_testing/PK.crt diff --git a/mkosi/pki_testing/PK.esl b/image/pki_testing/PK.esl similarity index 100% rename from mkosi/pki_testing/PK.esl rename to image/pki_testing/PK.esl diff --git a/mkosi/pki_testing/db.auth b/image/pki_testing/db.auth similarity index 100% rename from mkosi/pki_testing/db.auth rename to image/pki_testing/db.auth diff --git a/mkosi/pki_testing/db.cer b/image/pki_testing/db.cer similarity index 100% rename from mkosi/pki_testing/db.cer rename to image/pki_testing/db.cer diff --git a/mkosi/pki_testing/db.crt b/image/pki_testing/db.crt similarity index 100% rename from mkosi/pki_testing/db.crt rename to image/pki_testing/db.crt diff --git a/mkosi/pki_testing/db.esl b/image/pki_testing/db.esl similarity index 100% rename from mkosi/pki_testing/db.esl rename to image/pki_testing/db.esl diff --git a/mkosi/secure-boot/azure/delete.sh b/image/secure-boot/azure/delete.sh similarity index 100% rename from mkosi/secure-boot/azure/delete.sh rename to image/secure-boot/azure/delete.sh diff --git a/mkosi/secure-boot/azure/extract_vmgs.sh b/image/secure-boot/azure/extract_vmgs.sh similarity index 100% rename from mkosi/secure-boot/azure/extract_vmgs.sh rename to image/secure-boot/azure/extract_vmgs.sh diff --git a/mkosi/secure-boot/azure/launch.sh b/image/secure-boot/azure/launch.sh similarity index 100% rename from mkosi/secure-boot/azure/launch.sh rename to image/secure-boot/azure/launch.sh 
diff --git a/mkosi/secure-boot/generate_nvram_vars.sh b/image/secure-boot/generate_nvram_vars.sh similarity index 100% rename from mkosi/secure-boot/generate_nvram_vars.sh rename to image/secure-boot/generate_nvram_vars.sh diff --git a/mkosi/secure-boot/genkeys.sh b/image/secure-boot/genkeys.sh similarity index 100% rename from mkosi/secure-boot/genkeys.sh rename to image/secure-boot/genkeys.sh diff --git a/mkosi/secure-boot/signed-shim.sh b/image/secure-boot/signed-shim.sh similarity index 100% rename from mkosi/secure-boot/signed-shim.sh rename to image/secure-boot/signed-shim.sh diff --git a/mkosi/secure-boot/templates/dev_KEK.conf b/image/secure-boot/templates/dev_KEK.conf similarity index 100% rename from mkosi/secure-boot/templates/dev_KEK.conf rename to image/secure-boot/templates/dev_KEK.conf diff --git a/mkosi/secure-boot/templates/dev_PK.conf b/image/secure-boot/templates/dev_PK.conf similarity index 100% rename from mkosi/secure-boot/templates/dev_PK.conf rename to image/secure-boot/templates/dev_PK.conf diff --git a/mkosi/secure-boot/templates/dev_db.conf b/image/secure-boot/templates/dev_db.conf similarity index 100% rename from mkosi/secure-boot/templates/dev_db.conf rename to image/secure-boot/templates/dev_db.conf diff --git a/mkosi/secure-boot/templates/prod_KEK.conf b/image/secure-boot/templates/prod_KEK.conf similarity index 100% rename from mkosi/secure-boot/templates/prod_KEK.conf rename to image/secure-boot/templates/prod_KEK.conf diff --git a/mkosi/secure-boot/templates/prod_PK.conf b/image/secure-boot/templates/prod_PK.conf similarity index 100% rename from mkosi/secure-boot/templates/prod_PK.conf rename to image/secure-boot/templates/prod_PK.conf diff --git a/mkosi/secure-boot/templates/prod_db.conf b/image/secure-boot/templates/prod_db.conf similarity index 100% rename from mkosi/secure-boot/templates/prod_db.conf rename to image/secure-boot/templates/prod_db.conf 
diff --git a/mkosi/secure-boot/templates/testing_KEK.conf b/image/secure-boot/templates/testing_KEK.conf similarity index 100% rename from mkosi/secure-boot/templates/testing_KEK.conf rename to image/secure-boot/templates/testing_KEK.conf diff --git a/mkosi/secure-boot/templates/testing_PK.conf b/image/secure-boot/templates/testing_PK.conf similarity index 100% rename from mkosi/secure-boot/templates/testing_PK.conf rename to image/secure-boot/templates/testing_PK.conf diff --git a/mkosi/secure-boot/templates/testing_db.conf b/image/secure-boot/templates/testing_db.conf similarity index 100% rename from mkosi/secure-boot/templates/testing_db.conf rename to image/secure-boot/templates/testing_db.conf diff --git a/mkosi/upload/pack.sh b/image/upload/pack.sh similarity index 100% rename from mkosi/upload/pack.sh rename to image/upload/pack.sh diff --git a/mkosi/upload/upload_azure.sh b/image/upload/upload_azure.sh similarity index 100% rename from mkosi/upload/upload_azure.sh rename to image/upload/upload_azure.sh diff --git a/mkosi/upload/upload_gcp.sh b/image/upload/upload_gcp.sh similarity index 100% rename from mkosi/upload/upload_gcp.sh rename to image/upload/upload_gcp.sh diff --git a/mkosi/.gitattributes b/mkosi/.gitattributes deleted file mode 100644 index e69de29bb..000000000 diff --git a/mkosi/README.md b/mkosi/README.md deleted file mode 100644 index de089ff9a..000000000 --- a/mkosi/README.md +++ /dev/null @@ -1,187 +0,0 @@ -## Setup - -- Install mkosi (from git): - - ```sh - cd /tmp/ - git clone https://github.com/systemd/mkosi - cd mkosi - tools/generate-zipapp.sh - cp builddir/mkosi /usr/local/bin/ - ``` - -- Install tools: - -
- Ubuntu / Debian - - ```sh - sudo apt-get update - sudo apt-get install --assume-yes --no-install-recommends \ - dnf \ - systemd-container \ - qemu-system-x86 \ - qemu-utils \ - ovmf \ - e2fsprogs \ - squashfs-tools \ - efitools \ - sbsigntool \ - coreutils \ - curl \ - jq \ - util-linux \ - virt-manager - ``` - -
- -
- Fedora - - ```sh - sudo dnf install -y \ - edk2-ovmf \ - systemd-container \ - qemu \ - e2fsprogs \ - squashfs-tools \ - efitools \ - sbsigntools \ - coreutils \ - curl \ - jq \ - util-linux \ - virt-manager - ``` - -
- -- Prepare secure boot PKI (see `secure-boot/genkeys.sh`) - -## Build - -```sh -# OPTIONAL: to create a debug image, export the following line -# export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd) -# OPTIONAL: specify path to secure boot PKI -# export PKI=/path/to/pki/folder -sudo make -j $(nproc) -``` - -Raw images will be placed in `mkosi.output./fedora~36/image.raw`. - -## Prepare Secure Boot - -The generated images are partially signed by Microsoft ([shim loader](https://github.com/rhboot/shim)), and partially signed by Edgeless Systems (systemd-boot and unified kernel images consisting of the linux kernel, initramfs and kernel commandline). - -For QEMU and Azure, you can pre-generate the NVRAM variables for secure boot. This is not necessary for GCP, as you can specify secure boot parameters via the GCP API on image creation. - -
-libvirt / QEMU / KVM - -```sh -secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~36/image.raw -``` - -
- -
-Azure - -These steps only have to performed once for a fresh set of secure boot certificates. -VMGS blobs for testing and release images already exist. - -First, create a disk without embedded MOK EFI variables. - -```sh -# set these variables -export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch -export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images" - -export AZURE_REGION=northeurope -export AZURE_DISK_NAME=constellation-$(date +%s) -export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME} -export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw -export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd -export AZURE_VMGS_FILENAME=${AZURE_SECURITY_TYPE}.vmgs -export BLOBS_DIR=${PWD}/blobs -upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" -upload/upload_azure.sh --disk-name "${AZURE_DISK_NAME}-setup-secure-boot" "" -secure-boot/azure/launch.sh -n "${AZURE_DISK_NAME}-setup-secure-boot" -d --secure-boot true --disk-name "${AZURE_DISK_NAME}-setup-secure-boot" -``` - -Ignore the running launch script and connect to the serial console once available. -The console shows the message "Verification failed: (0x1A) Security Violation". You can import the MOK certificate via the UEFI shell: - -Press OK, then ENTER, then "Enroll key from disk". -Select the following key: `/EFI/loader/keys/auto/db.cer`. -Press Continue, then choose "Yes" to the question "Enroll the key(s)?". -Choose reboot. - -Extract the VMGS from the running VM (this includes the MOK EFI variables) and delete the VM: - -```sh -secure-boot/azure/extract_vmgs.sh --name "${AZURE_DISK_NAME}-setup-secure-boot" -secure-boot/azure/delete.sh --name "${AZURE_DISK_NAME}-setup-secure-boot" -``` - -
- -## Upload to CSP - -
-GCP - -- Install `gcloud` and `gsutil` (see [here](https://cloud.google.com/sdk/docs/install)) -- Login to GCP (see [here](https://cloud.google.com/sdk/docs/authorizing)) -- Prepare secure boot PKI (see `secure-boot/genkeys.sh`) - -```sh -# set these variables -export GCP_IMAGE_FAMILY= # e.g. "constellation" -export GCP_IMAGE_NAME= # e.g. "constellation-v1.0.0" -export PKI=${PWD}/pki - -export GCP_PROJECT=constellation-images -export GCP_REGION=europe-west3 -export GCP_BUCKET=constellation-images -export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.raw -export GCP_IMAGE_FILENAME=$(date +%s).tar.gz -export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.tar.gz -upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH} -upload/upload_gcp.sh -``` - -
- -
-Azure - -- Install `az` and `azcopy` (see [here](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)) -- Login to Azure (see [here](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli)) -- Prepare secure boot PKI (see `secure-boot/genkeys.sh`) -- [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot) - -```sh -# set these variables -export AZURE_GALLERY_NAME= # e.g. "Constellation" -export AZURE_IMAGE_DEFINITION= # e.g. "constellation" -export AZURE_IMAGE_VERSION= # e.g. "1.0.0" -export AZURE_VMGS_PATH= # e.g. "path/to/ConfidentialVM.vmgs" -export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch - -export AZURE_RESOURCE_GROUP_NAME=constellation-images -export AZURE_REGION=northeurope -export AZURE_REPLICATION_REGIONS="northeurope eastus westeurope westus" -export AZURE_IMAGE_OFFER=constellation -export AZURE_SKU=constellation -export AZURE_PUBLISHER=edgelesssys -export AZURE_DISK_NAME=constellation-$(date +%s) -export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw -export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd -upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" -upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" -``` - -
diff --git a/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator b/mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator deleted file mode 100755 index e69de29bb..000000000