Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-11 15:39:33 -05:00
Code Issues Packages Projects Releases Wiki Activity

Move mkosi folder to old image folder location

Browse Source
This commit is contained in:
Malte Poll 2022-10-21 10:11:53 +02:00 committed by Malte Poll
parent 24f3371cf6
commit 35e2267cf9
91 changed files with 27 additions and 214 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
.github/workflows/build-os-image.yml vendored
View File

@ -116,7 +116,7 @@ jobs:
run: | run: |
ln -s pki_testing pki ln -s pki_testing pki
echo "${DB_KEY}" > pki/db.key echo "${DB_KEY}" > pki/db.key
working-directory: ${{ github.workspace }}/image/mkosi working-directory: ${{ github.workspace }}/image
env: env:
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }} DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }}
@ -126,7 +126,7 @@ jobs:
echo "::group::Build" echo "::group::Build"
sudo make "${CSP}" sudo make "${CSP}"
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image/mkosi working-directory: ${{ github.workspace }}/image
env: env:
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
@ -143,14 +143,14 @@ jobs:
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT
working-directory: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36 working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
continue-on-error: true continue-on-error: true
- name: Upload raw OS image as artifact - name: Upload raw OS image as artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
with: with:
name: image-${{ matrix.csp }} name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw
if: always() if: always()
continue-on-error: true continue-on-error: true
@ -159,13 +159,13 @@ jobs:
with: with:
name: parts-${{ matrix.csp }} name: parts-${{ matrix.csp }}
path: | path: |
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz
if: always() if: always()
continue-on-error: true continue-on-error: true
@ -174,8 +174,8 @@ jobs:
with: with:
name: manifest-${{ matrix.csp }} name: manifest-${{ matrix.csp }}
path: | path: |
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest
if: always() if: always()
continue-on-error: true continue-on-error: true
@ -198,7 +198,7 @@ jobs:
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with: with:
name: image-${{ matrix.csp }} name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36 path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
- name: Install tools - name: Install tools
shell: bash shell: bash
@ -223,7 +223,7 @@ jobs:
- name: Prepare PKI for image upload - name: Prepare PKI for image upload
shell: bash shell: bash
run: ln -s pki_testing pki run: ln -s pki_testing pki
working-directory: ${{ github.workspace }}/image/mkosi working-directory: ${{ github.workspace }}/image
- name: Determine version - name: Determine version
id: version id: version
@ -244,19 +244,19 @@ jobs:
semver=${{ steps.version.outputs.semanticVersion }} semver=${{ steps.version.outputs.semanticVersion }}
imageVersion=${{ inputs.imageVersion }} imageVersion=${{ inputs.imageVersion }}
pseudover=${{ steps.version.outputs.pseudoVersion }} pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "PKI=${{ github.workspace }}/image/mkosi/pki" >> $GITHUB_ENV echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
echo "AZURE_SKU=constellation" >> $GITHUB_ENV echo "AZURE_SKU=constellation" >> $GITHUB_ENV
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
# TODO: set default security type to "ConfidentialVM" once replication is possible # TODO: set default security type to "ConfidentialVM" once replication is possible
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }} AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
if [ -z "${AZURE_SECURITY_TYPE}" ]; then if [ -z "${AZURE_SECURITY_TYPE}" ]; then
@ -291,7 +291,7 @@ jobs:
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
else else
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/mkosi/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
fi fi
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
@ -303,7 +303,7 @@ jobs:
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
--no-progress --no-progress
working-directory: ${{ github.workspace }}/image/mkosi working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' }} if: ${{ matrix.csp == 'azure' }}
- name: Upload GCP image - name: Upload GCP image
@ -314,7 +314,7 @@ jobs:
upload/upload_gcp.sh upload/upload_gcp.sh
echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image/mkosi working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'gcp' }} if: ${{ matrix.csp == 'gcp' }}
- name: Upload Azure image - name: Upload Azure image
@ -325,7 +325,7 @@ jobs:
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image/mkosi working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' }} if: ${{ matrix.csp == 'azure' }}
calculate-pcrs: calculate-pcrs:
@ -361,7 +361,7 @@ jobs:
cp pcr-stable.json ${{ github.workspace }}/ cp pcr-stable.json ${{ github.workspace }}/
jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image/mkosi/measured-boot working-directory: ${{ github.workspace }}/image/measured-boot
- name: Upload expected PCRs as artifact - name: Upload expected PCRs as artifact
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8

0
mkosi/.gitignore → image/.gitignore vendored
View File

4
mkosi/Makefile → image/Makefile
View File

@ -1,8 +1,8 @@
SHELL = /bin/bash SHELL = /bin/bash
SRC_PATH = $(CURDIR) SRC_PATH = $(CURDIR)
BASE_PATH ?= $(SRC_PATH) BASE_PATH ?= $(SRC_PATH)
BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../../build/bootstrapper BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper
DISK_MAPPER_BINARY ?= $(BASE_PATH)/../../build/disk-mapper DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
PKI ?= $(BASE_PATH)/pki PKI ?= $(BASE_PATH)/pki
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
-include $(CURDIR)/config.mk -include $(CURDIR)/config.mk

0
mkosi/measured-boot/extract_authentihash.py → image/measured-boot/extract_authentihash.py
View File

0
mkosi/measured-boot/measure_util.sh → image/measured-boot/measure_util.sh
View File

0
mkosi/measured-boot/pcr-stable.json → image/measured-boot/pcr-stable.json
View File

0
mkosi/measured-boot/precalculate_pcr_4.sh → image/measured-boot/precalculate_pcr_4.sh
View File

0
mkosi/measured-boot/precalculate_pcr_8.sh → image/measured-boot/precalculate_pcr_8.sh
View File

0
mkosi/measured-boot/precalculate_pcr_9.sh → image/measured-boot/precalculate_pcr_9.sh
View File

0
mkosi/mkosi.cache/.gitkeep → image/mkosi.cache/.gitkeep
View File

0
mkosi/mkosi.conf.d/azure.conf → image/mkosi.conf.d/azure.conf
View File

0
mkosi/mkosi.conf.d/containers.conf → image/mkosi.conf.d/containers.conf
View File

0
mkosi/mkosi.conf.d/gcp.conf → image/mkosi.conf.d/gcp.conf
View File

0
mkosi/mkosi.conf.d/mkosi.conf → image/mkosi.conf.d/mkosi.conf
View File

0
mkosi/mkosi.conf.d/network.conf → image/mkosi.conf.d/network.conf
View File

0
mkosi/mkosi.conf.d/secure-boot-tpm.conf → image/mkosi.conf.d/secure-boot-tpm.conf
View File

0
mkosi/mkosi.conf.d/tools.conf → image/mkosi.conf.d/tools.conf
View File

0
mkosi/mkosi.files/mkosi.azure.conf → image/mkosi.files/mkosi.azure.conf
View File

0
mkosi/mkosi.files/mkosi.gcp.conf → image/mkosi.files/mkosi.gcp.conf
View File

0
mkosi/mkosi.files/mkosi.qemu.conf → image/mkosi.files/mkosi.qemu.conf
View File

0
mkosi/mkosi.finalize → image/mkosi.finalize
View File

0
mkosi/mkosi.postinst → image/mkosi.postinst
View File

0
mkosi/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf → image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
View File

0
mkosi/mkosi.skeleton/etc/dracut.conf.d/azure.conf → image/mkosi.skeleton/etc/dracut.conf.d/azure.conf
View File

0
mkosi/mkosi.skeleton/etc/dracut.conf.d/gce.conf → image/mkosi.skeleton/etc/dracut.conf.d/gce.conf
View File

0
mkosi/mkosi.skeleton/etc/fstab → image/mkosi.skeleton/etc/fstab
View File

0
mkosi/mkosi.skeleton/etc/profile.d/constellation.sh → image/mkosi.skeleton/etc/profile.d/constellation.sh
View File

0
mkosi/mkosi.skeleton/usr/etc/containerd/config.toml → image/mkosi.skeleton/usr/etc/containerd/config.toml
View File

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service → image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
View File

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service → image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.service
View File

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh → image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/google-nvme-disk.sh
View File

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh → image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
View File

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service → image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
View File

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh → image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
View File

0
mkosi/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf → image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf → image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf → image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf → image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/network/20-wired.network → image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/network/21-azure.network → image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset → image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service → image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service → image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf → image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service → image/mkosi.skeleton/usr/lib/systemd/system/tpm-pcrs.service
View File

0
mkosi/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf → image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf → image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf
View File

0
mkosi/mkosi.skeleton/usr/lib/udev/google_nvme_id → image/mkosi.skeleton/usr/lib/udev/google_nvme_id
View File

0
mkosi/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules → image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
View File

0
mkosi/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules → image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
View File

0
mkosi/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules → image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
View File

0
mkosi/mkosi.skeleton/usr/libexec/constellation-pcrs → image/mkosi.skeleton/usr/libexec/constellation-pcrs
View File

0
mkosi/pki_testing/KEK.auth → image/pki_testing/KEK.auth
View File

0
mkosi/pki_testing/KEK.cer → image/pki_testing/KEK.cer
View File

0
mkosi/pki_testing/KEK.crt → image/pki_testing/KEK.crt
View File

0
mkosi/pki_testing/KEK.esl → image/pki_testing/KEK.esl
View File

0
mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.crt → image/pki_testing/MicCorKEKCA2011_2011-06-24.crt
View File

0
mkosi/pki_testing/MicCorKEKCA2011_2011-06-24.esl → image/pki_testing/MicCorKEKCA2011_2011-06-24.esl
View File

0
mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.crt → image/pki_testing/MicCorUEFCA2011_2011-06-27.crt
View File

0
mkosi/pki_testing/MicCorUEFCA2011_2011-06-27.esl → image/pki_testing/MicCorUEFCA2011_2011-06-27.esl
View File

0
mkosi/pki_testing/MicWinProPCA2011_2011-10-19.crt → image/pki_testing/MicWinProPCA2011_2011-10-19.crt
View File

0
mkosi/pki_testing/MicWinProPCA2011_2011-10-19.esl → image/pki_testing/MicWinProPCA2011_2011-10-19.esl
View File

0
mkosi/pki_testing/PK.auth → image/pki_testing/PK.auth
View File

0
mkosi/pki_testing/PK.cer → image/pki_testing/PK.cer
View File

0
mkosi/pki_testing/PK.crt → image/pki_testing/PK.crt
View File

0
mkosi/pki_testing/PK.esl → image/pki_testing/PK.esl
View File

0
mkosi/pki_testing/db.auth → image/pki_testing/db.auth
View File

0
mkosi/pki_testing/db.cer → image/pki_testing/db.cer
View File

0
mkosi/pki_testing/db.crt → image/pki_testing/db.crt
View File

0
mkosi/pki_testing/db.esl → image/pki_testing/db.esl
View File

0
mkosi/secure-boot/azure/delete.sh → image/secure-boot/azure/delete.sh
View File

0
mkosi/secure-boot/azure/extract_vmgs.sh → image/secure-boot/azure/extract_vmgs.sh
View File

0
mkosi/secure-boot/azure/launch.sh → image/secure-boot/azure/launch.sh
View File

0
mkosi/secure-boot/generate_nvram_vars.sh → image/secure-boot/generate_nvram_vars.sh
View File

0
mkosi/secure-boot/genkeys.sh → image/secure-boot/genkeys.sh
View File

0
mkosi/secure-boot/signed-shim.sh → image/secure-boot/signed-shim.sh
View File

0
mkosi/secure-boot/templates/dev_KEK.conf → image/secure-boot/templates/dev_KEK.conf
View File

0
mkosi/secure-boot/templates/dev_PK.conf → image/secure-boot/templates/dev_PK.conf
View File

0
mkosi/secure-boot/templates/dev_db.conf → image/secure-boot/templates/dev_db.conf
View File

0
mkosi/secure-boot/templates/prod_KEK.conf → image/secure-boot/templates/prod_KEK.conf
View File

0
mkosi/secure-boot/templates/prod_PK.conf → image/secure-boot/templates/prod_PK.conf
View File

0
mkosi/secure-boot/templates/prod_db.conf → image/secure-boot/templates/prod_db.conf
View File

0
mkosi/secure-boot/templates/testing_KEK.conf → image/secure-boot/templates/testing_KEK.conf
View File

0
mkosi/secure-boot/templates/testing_PK.conf → image/secure-boot/templates/testing_PK.conf
View File

0
mkosi/secure-boot/templates/testing_db.conf → image/secure-boot/templates/testing_db.conf
View File

0
mkosi/upload/pack.sh → image/upload/pack.sh
View File

0
mkosi/upload/upload_azure.sh → image/upload/upload_azure.sh
View File

0
mkosi/upload/upload_gcp.sh → image/upload/upload_gcp.sh
View File

0
mkosi/.gitattributes vendored
View File

187
mkosi/README.md
View File

@ -1,187 +0,0 @@
## Setup
- Install mkosi (from git):
```sh
cd /tmp/
git clone https://github.com/systemd/mkosi
cd mkosi
tools/generate-zipapp.sh
cp builddir/mkosi /usr/local/bin/
```
- Install tools:
<details>
<summary>Ubuntu / Debian</summary>
```sh
sudo apt-get update
sudo apt-get install --assume-yes --no-install-recommends \
dnf \
systemd-container \
qemu-system-x86 \
qemu-utils \
ovmf \
e2fsprogs \
squashfs-tools \
efitools \
sbsigntool \
coreutils \
curl \
jq \
util-linux \
virt-manager
```
</details>
<details>
<summary>Fedora</summary>
```sh
sudo dnf install -y \
edk2-ovmf \
systemd-container \
qemu \
e2fsprogs \
squashfs-tools \
efitools \
sbsigntools \
coreutils \
curl \
jq \
util-linux \
virt-manager
```
</details>
- Prepare secure boot PKI (see `secure-boot/genkeys.sh`)
## Build
```sh
# OPTIONAL: to create a debug image, export the following line
# export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd)
# OPTIONAL: specify path to secure boot PKI
# export PKI=/path/to/pki/folder
sudo make -j $(nproc)
```
Raw images will be placed in `mkosi.output.<CSP>/fedora~36/image.raw`.
## Prepare Secure Boot
The generated images are partially signed by Microsoft ([shim loader](https://github.com/rhboot/shim)), and partially signed by Edgeless Systems (systemd-boot and unified kernel images consisting of the linux kernel, initramfs and kernel commandline).
For QEMU and Azure, you can pre-generate the NVRAM variables for secure boot. This is not necessary for GCP, as you can specify secure boot parameters via the GCP API on image creation.
<details>
<summary>libvirt / QEMU / KVM</summary>
```sh
secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~36/image.raw
```
</details>
<details>
<summary><a id="azure-secure-boot">Azure</a></summary>
These steps only have to performed once for a fresh set of secure boot certificates.
VMGS blobs for testing and release images already exist.
First, create a disk without embedded MOK EFI variables.
```sh
# set these variables
export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images"
export AZURE_REGION=northeurope
export AZURE_DISK_NAME=constellation-$(date +%s)
export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd
export AZURE_VMGS_FILENAME=${AZURE_SECURITY_TYPE}.vmgs
export BLOBS_DIR=${PWD}/blobs
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh --disk-name "${AZURE_DISK_NAME}-setup-secure-boot" ""
secure-boot/azure/launch.sh -n "${AZURE_DISK_NAME}-setup-secure-boot" -d --secure-boot true --disk-name "${AZURE_DISK_NAME}-setup-secure-boot"
```
Ignore the running launch script and connect to the serial console once available.
The console shows the message "Verification failed: (0x1A) Security Violation". You can import the MOK certificate via the UEFI shell:
Press OK, then ENTER, then "Enroll key from disk".
Select the following key: `/EFI/loader/keys/auto/db.cer`.
Press Continue, then choose "Yes" to the question "Enroll the key(s)?".
Choose reboot.
Extract the VMGS from the running VM (this includes the MOK EFI variables) and delete the VM:
```sh
secure-boot/azure/extract_vmgs.sh --name "${AZURE_DISK_NAME}-setup-secure-boot"
secure-boot/azure/delete.sh --name "${AZURE_DISK_NAME}-setup-secure-boot"
```
</details>
## Upload to CSP
<details>
<summary>GCP</summary>
- Install `gcloud` and `gsutil` (see [here](https://cloud.google.com/sdk/docs/install))
- Login to GCP (see [here](https://cloud.google.com/sdk/docs/authorizing))
- Prepare secure boot PKI (see `secure-boot/genkeys.sh`)
```sh
# set these variables
export GCP_IMAGE_FAMILY= # e.g. "constellation"
export GCP_IMAGE_NAME= # e.g. "constellation-v1.0.0"
export PKI=${PWD}/pki
export GCP_PROJECT=constellation-images
export GCP_REGION=europe-west3
export GCP_BUCKET=constellation-images
export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.raw
export GCP_IMAGE_FILENAME=$(date +%s).tar.gz
export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.tar.gz
upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
upload/upload_gcp.sh
```
</details>
<details>
<summary>Azure</summary>
- Install `az` and `azcopy` (see [here](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli))
- Login to Azure (see [here](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli))
- Prepare secure boot PKI (see `secure-boot/genkeys.sh`)
- [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot)
```sh
# set these variables
export AZURE_GALLERY_NAME= # e.g. "Constellation"
export AZURE_IMAGE_DEFINITION= # e.g. "constellation"
export AZURE_IMAGE_VERSION= # e.g. "1.0.0"
export AZURE_VMGS_PATH= # e.g. "path/to/ConfidentialVM.vmgs"
export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
export AZURE_RESOURCE_GROUP_NAME=constellation-images
export AZURE_REGION=northeurope
export AZURE_REPLICATION_REGIONS="northeurope eastus westeurope westus"
export AZURE_IMAGE_OFFER=constellation
export AZURE_SKU=constellation
export AZURE_PUBLISHER=edgelesssys
export AZURE_DISK_NAME=constellation-$(date +%s)
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
```
</details>

0
mkosi/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/constellation-state-disk-generator
View File