Move mkosi folder to old image folder location

image/secure-boot/azure/delete.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
+    . "${CONFIG_FILE}"
+fi
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -n|--name)
+      AZURE_VM_NAME="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+AZ_VM_INFO=$(az vm show --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" -o json)
+NIC=$(echo "${AZ_VM_INFO}" | jq -r '.networkProfile.networkInterfaces[0].id')
+NIC_INFO=$(az network nic show --ids "${NIC}" -o json)
+PUBIP=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].publicIpAddress.id')
+NSG=$(echo "${NIC_INFO}" | jq -r '.networkSecurityGroup.id')
+SUBNET=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].subnet.id')
+VNET=$(echo $SUBNET | sed 's#/subnets/.*##')
+DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id')
+
+
+delete_vm () {
+    az vm delete -y --name "${AZURE_VM_NAME}" \
+        --resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
+}
+
+delete_vnet () {
+    az network vnet delete --ids "${VNET}" || true
+}
+
+delete_subnet () {
+    az network vnet subnet delete --ids "${SUBNET}" || true
+}
+
+delete_nsg () {
+    az network nsg delete --ids "${NSG}" || true
+}
+
+delete_pubip () {
+    az network public-ip delete --ids "${PUBIP}" || true
+}
+
+delete_disk () {
+    az disk delete -y --ids "${DISK}" || true
+}
+
+delete_nic () {
+    az network nic delete --ids "${NIC}" || true
+}
+
+delete_vm
+delete_disk
+delete_nic
+delete_nsg
+delete_subnet
+delete_vnet
+delete_pubip

image/secure-boot/azure/extract_vmgs.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
+    . "${CONFIG_FILE}"
+fi
+AZURE_SUBSCRIPTION=$(az account show --query id -o tsv)
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -n|--name)
+      AZURE_VM_NAME="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+VM_DISK=$(az vm show -g "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_VM_NAME}" --query "storageProfile.osDisk.managedDisk.id" -o tsv)
+LOCATION=$(az disk show --ids "${VM_DISK}" --query "location" -o tsv)
+
+az snapshot create \
+    -g "${AZURE_RESOURCE_GROUP_NAME}" \
+    --source "${VM_DISK}" \
+    --name "${AZURE_SNAPSHOT_NAME}" \
+    -l "${LOCATION}"
+
+# Azure CLI does not implement getSecureVMGuestStateSAS for snapshots yet
+# az snapshot grant-access \
+#     --duration-in-seconds 3600 \
+#     --access-level Read \
+#     --name "${AZURE_SNAPSHOT_NAME}" \
+#     -g "${AZURE_RESOURCE_GROUP_NAME}"
+
+BEGIN=$(az rest \
+    --method post \
+    --url "https://management.azure.com/subscriptions/${AZURE_SUBSCRIPTION}/resourceGroups/${AZURE_RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/snapshots/${AZURE_SNAPSHOT_NAME}/beginGetAccess" \
+    --uri-parameters api-version="2021-12-01" \
+    --body '{"access": "Read", "durationInSeconds": 3600, "getSecureVMGuestStateSAS": true}' \
+    --verbose 2>&1)
+ASYNC_OPERATION_URI=$(echo "${BEGIN}" | grep Azure-AsyncOperation | cut -d ' ' -f 7 | tr -d "'")
+sleep 10
+ACCESS=$(az rest --method get --url "${ASYNC_OPERATION_URI}")
+VMGS_URL=$(echo "${ACCESS}" | jq -r '.properties.output.securityDataAccessSAS')
+
+curl -L -o "${AZURE_VMGS_FILENAME}" "${VMGS_URL}"
+
+az snapshot revoke-access \
+    --name "${AZURE_SNAPSHOT_NAME}" \
+    -g "${AZURE_RESOURCE_GROUP_NAME}"
+az snapshot delete \
+    --name "${AZURE_SNAPSHOT_NAME}" \
+    -g "${AZURE_RESOURCE_GROUP_NAME}"
+echo "VMGS saved to ${AZURE_VMGS_FILENAME}"

image/secure-boot/azure/launch.sh

@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
+    . "${CONFIG_FILE}"
+fi
+POSITIONAL_ARGS=()
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -n|--name)
+      AZURE_VM_NAME="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -g|--gallery)
+      CREATE_FROM_GALLERY=YES
+      shift # past argument
+      ;;
+    -d|--disk)
+      CREATE_FROM_GALLERY=NO
+      shift # past argument
+      ;;
+    --secure-boot)
+      AZURE_SECURE_BOOT="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    --disk-name)
+      AZURE_DISK_NAME="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
+
+if [[ "${AZURE_SECURITY_TYPE}" == "ConfidentialVM" ]]; then
+  VMSIZE="Standard_DC2as_v5"
+elif [[ "${AZURE_SECURITY_TYPE}" == "TrustedLaunch" ]]; then
+  VMSIZE="standard_D2as_v5"
+else
+  echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
+  exit 1
+fi
+
+create_vm_from_disk () {
+    AZURE_DISK_REFERENCE=$(az disk show --resource-group ${AZURE_RESOURCE_GROUP_NAME} --name ${AZURE_DISK_NAME} --query id -o tsv)
+    az vm create --name "${AZURE_VM_NAME}" \
+        --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
+        -l ${AZURE_REGION} \
+        --size "${VMSIZE}" \
+        --public-ip-sku Standard \
+        --os-type Linux \
+        --attach-os-disk "${AZURE_DISK_REFERENCE}" \
+        --security-type "${AZURE_SECURITY_TYPE}" \
+        --os-disk-security-encryption-type VMGuestStateOnly \
+        --enable-vtpm true \
+        --enable-secure-boot "${AZURE_SECURE_BOOT}" \
+        --boot-diagnostics-storage "" \
+        --no-wait
+}
+
+create_vm_from_sig () {
+    AZURE_IMAGE_REFERENCE=$(az sig image-version show \
+        --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
+        --gallery-image-version "${AZURE_IMAGE_VERSION}" \
+        --gallery-name "${AZURE_GALLERY_NAME}" \
+        -g "${AZURE_RESOURCE_GROUP_NAME}" \
+        --query id -o tsv)
+    az vm create --name "${AZURE_VM_NAME}" \
+        --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
+        -l ${AZURE_REGION} \
+        --size "${VMSIZE}" \
+        --public-ip-sku Standard \
+        --image "${AZURE_IMAGE_REFERENCE}" \
+        --security-type "${AZURE_SECURITY_TYPE}" \
+        --os-disk-security-encryption-type VMGuestStateOnly \
+        --enable-vtpm true \
+        --enable-secure-boot "${AZURE_SECURE_BOOT}" \
+        --boot-diagnostics-storage "" \
+        --no-wait
+}
+
+if [ "$CREATE_FROM_GALLERY" = "YES" ]; then
+    create_vm_from_sig
+else
+    create_vm_from_disk
+fi
+
+sleep 30
+az vm boot-diagnostics enable --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}"