mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 06:59:40 -05:00
Move mkosi folder to old image folder location
This commit is contained in:
parent
24f3371cf6
commit
35e2267cf9
50
.github/workflows/build-os-image.yml
vendored
50
.github/workflows/build-os-image.yml
vendored
@ -116,7 +116,7 @@ jobs:
|
||||
run: |
|
||||
ln -s pki_testing pki
|
||||
echo "${DB_KEY}" > pki/db.key
|
||||
working-directory: ${{ github.workspace }}/image/mkosi
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
env:
|
||||
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }}
|
||||
|
||||
@ -126,7 +126,7 @@ jobs:
|
||||
echo "::group::Build"
|
||||
sudo make "${CSP}"
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image/mkosi
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
env:
|
||||
BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
|
||||
DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
|
||||
@ -143,14 +143,14 @@ jobs:
|
||||
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT
|
||||
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT
|
||||
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT
|
||||
working-directory: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36
|
||||
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload raw OS image as artifact
|
||||
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
|
||||
with:
|
||||
name: image-${{ matrix.csp }}
|
||||
path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw
|
||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
|
||||
@ -159,13 +159,13 @@ jobs:
|
||||
with:
|
||||
name: parts-${{ matrix.csp }}
|
||||
path: |
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
|
||||
@ -174,8 +174,8 @@ jobs:
|
||||
with:
|
||||
name: manifest-${{ matrix.csp }}
|
||||
path: |
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog
|
||||
${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog
|
||||
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
|
||||
@ -198,7 +198,7 @@ jobs:
|
||||
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||||
with:
|
||||
name: image-${{ matrix.csp }}
|
||||
path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36
|
||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
|
||||
|
||||
- name: Install tools
|
||||
shell: bash
|
||||
@ -223,7 +223,7 @@ jobs:
|
||||
- name: Prepare PKI for image upload
|
||||
shell: bash
|
||||
run: ln -s pki_testing pki
|
||||
working-directory: ${{ github.workspace }}/image/mkosi
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
|
||||
- name: Determine version
|
||||
id: version
|
||||
@ -244,19 +244,19 @@ jobs:
|
||||
semver=${{ steps.version.outputs.semanticVersion }}
|
||||
imageVersion=${{ inputs.imageVersion }}
|
||||
pseudover=${{ steps.version.outputs.pseudoVersion }}
|
||||
echo "PKI=${{ github.workspace }}/image/mkosi/pki" >> $GITHUB_ENV
|
||||
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
|
||||
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
|
||||
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
|
||||
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
|
||||
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
|
||||
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
|
||||
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
|
||||
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
|
||||
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
|
||||
echo "AZURE_SKU=constellation" >> $GITHUB_ENV
|
||||
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
|
||||
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
|
||||
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
|
||||
# TODO: set default security type to "ConfidentialVM" once replication is possible
|
||||
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
|
||||
if [ -z "${AZURE_SECURITY_TYPE}" ]; then
|
||||
@ -291,7 +291,7 @@ jobs:
|
||||
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
|
||||
else
|
||||
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
|
||||
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/mkosi/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
|
||||
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
|
||||
fi
|
||||
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
|
||||
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
|
||||
@ -303,7 +303,7 @@ jobs:
|
||||
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||||
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||||
--no-progress
|
||||
working-directory: ${{ github.workspace }}/image/mkosi
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'azure' }}
|
||||
|
||||
- name: Upload GCP image
|
||||
@ -314,7 +314,7 @@ jobs:
|
||||
upload/upload_gcp.sh
|
||||
echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image/mkosi
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'gcp' }}
|
||||
|
||||
- name: Upload Azure image
|
||||
@ -325,7 +325,7 @@ jobs:
|
||||
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
|
||||
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image/mkosi
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'azure' }}
|
||||
|
||||
calculate-pcrs:
|
||||
@ -361,7 +361,7 @@ jobs:
|
||||
cp pcr-stable.json ${{ github.workspace }}/
|
||||
jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image/mkosi/measured-boot
|
||||
working-directory: ${{ github.workspace }}/image/measured-boot
|
||||
|
||||
- name: Upload expected PCRs as artifact
|
||||
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
|
||||
|
0
mkosi/.gitignore → image/.gitignore
vendored
0
mkosi/.gitignore → image/.gitignore
vendored
@ -1,8 +1,8 @@
|
||||
SHELL = /bin/bash
|
||||
SRC_PATH = $(CURDIR)
|
||||
BASE_PATH ?= $(SRC_PATH)
|
||||
BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../../build/bootstrapper
|
||||
DISK_MAPPER_BINARY ?= $(BASE_PATH)/../../build/disk-mapper
|
||||
BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper
|
||||
DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
|
||||
PKI ?= $(BASE_PATH)/pki
|
||||
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
|
||||
-include $(CURDIR)/config.mk
|
0
mkosi/.gitattributes
vendored
0
mkosi/.gitattributes
vendored
187
mkosi/README.md
187
mkosi/README.md
@ -1,187 +0,0 @@
|
||||
## Setup
|
||||
|
||||
- Install mkosi (from git):
|
||||
|
||||
```sh
|
||||
cd /tmp/
|
||||
git clone https://github.com/systemd/mkosi
|
||||
cd mkosi
|
||||
tools/generate-zipapp.sh
|
||||
cp builddir/mkosi /usr/local/bin/
|
||||
```
|
||||
|
||||
- Install tools:
|
||||
|
||||
<details>
|
||||
<summary>Ubuntu / Debian</summary>
|
||||
|
||||
```sh
|
||||
sudo apt-get update
|
||||
sudo apt-get install --assume-yes --no-install-recommends \
|
||||
dnf \
|
||||
systemd-container \
|
||||
qemu-system-x86 \
|
||||
qemu-utils \
|
||||
ovmf \
|
||||
e2fsprogs \
|
||||
squashfs-tools \
|
||||
efitools \
|
||||
sbsigntool \
|
||||
coreutils \
|
||||
curl \
|
||||
jq \
|
||||
util-linux \
|
||||
virt-manager
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>Fedora</summary>
|
||||
|
||||
```sh
|
||||
sudo dnf install -y \
|
||||
edk2-ovmf \
|
||||
systemd-container \
|
||||
qemu \
|
||||
e2fsprogs \
|
||||
squashfs-tools \
|
||||
efitools \
|
||||
sbsigntools \
|
||||
coreutils \
|
||||
curl \
|
||||
jq \
|
||||
util-linux \
|
||||
virt-manager
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
- Prepare secure boot PKI (see `secure-boot/genkeys.sh`)
|
||||
|
||||
## Build
|
||||
|
||||
```sh
|
||||
# OPTIONAL: to create a debug image, export the following line
|
||||
# export BOOTSTRAPPER_BINARY=$(realpath ${PWD}/../../build/debugd)
|
||||
# OPTIONAL: specify path to secure boot PKI
|
||||
# export PKI=/path/to/pki/folder
|
||||
sudo make -j $(nproc)
|
||||
```
|
||||
|
||||
Raw images will be placed in `mkosi.output.<CSP>/fedora~36/image.raw`.
|
||||
|
||||
## Prepare Secure Boot
|
||||
|
||||
The generated images are partially signed by Microsoft ([shim loader](https://github.com/rhboot/shim)), and partially signed by Edgeless Systems (systemd-boot and unified kernel images consisting of the linux kernel, initramfs and kernel commandline).
|
||||
|
||||
For QEMU and Azure, you can pre-generate the NVRAM variables for secure boot. This is not necessary for GCP, as you can specify secure boot parameters via the GCP API on image creation.
|
||||
|
||||
<details>
|
||||
<summary>libvirt / QEMU / KVM</summary>
|
||||
|
||||
```sh
|
||||
secure-boot/generate_nvram_vars.sh mkosi.output.qemu/fedora~36/image.raw
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary><a id="azure-secure-boot">Azure</a></summary>
|
||||
|
||||
These steps only have to performed once for a fresh set of secure boot certificates.
|
||||
VMGS blobs for testing and release images already exist.
|
||||
|
||||
First, create a disk without embedded MOK EFI variables.
|
||||
|
||||
```sh
|
||||
# set these variables
|
||||
export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
|
||||
export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images"
|
||||
|
||||
export AZURE_REGION=northeurope
|
||||
export AZURE_DISK_NAME=constellation-$(date +%s)
|
||||
export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
|
||||
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
|
||||
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd
|
||||
export AZURE_VMGS_FILENAME=${AZURE_SECURITY_TYPE}.vmgs
|
||||
export BLOBS_DIR=${PWD}/blobs
|
||||
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
||||
upload/upload_azure.sh --disk-name "${AZURE_DISK_NAME}-setup-secure-boot" ""
|
||||
secure-boot/azure/launch.sh -n "${AZURE_DISK_NAME}-setup-secure-boot" -d --secure-boot true --disk-name "${AZURE_DISK_NAME}-setup-secure-boot"
|
||||
```
|
||||
|
||||
Ignore the running launch script and connect to the serial console once available.
|
||||
The console shows the message "Verification failed: (0x1A) Security Violation". You can import the MOK certificate via the UEFI shell:
|
||||
|
||||
Press OK, then ENTER, then "Enroll key from disk".
|
||||
Select the following key: `/EFI/loader/keys/auto/db.cer`.
|
||||
Press Continue, then choose "Yes" to the question "Enroll the key(s)?".
|
||||
Choose reboot.
|
||||
|
||||
Extract the VMGS from the running VM (this includes the MOK EFI variables) and delete the VM:
|
||||
|
||||
```sh
|
||||
secure-boot/azure/extract_vmgs.sh --name "${AZURE_DISK_NAME}-setup-secure-boot"
|
||||
secure-boot/azure/delete.sh --name "${AZURE_DISK_NAME}-setup-secure-boot"
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
## Upload to CSP
|
||||
|
||||
<details>
|
||||
<summary>GCP</summary>
|
||||
|
||||
- Install `gcloud` and `gsutil` (see [here](https://cloud.google.com/sdk/docs/install))
|
||||
- Login to GCP (see [here](https://cloud.google.com/sdk/docs/authorizing))
|
||||
- Prepare secure boot PKI (see `secure-boot/genkeys.sh`)
|
||||
|
||||
```sh
|
||||
# set these variables
|
||||
export GCP_IMAGE_FAMILY= # e.g. "constellation"
|
||||
export GCP_IMAGE_NAME= # e.g. "constellation-v1.0.0"
|
||||
export PKI=${PWD}/pki
|
||||
|
||||
export GCP_PROJECT=constellation-images
|
||||
export GCP_REGION=europe-west3
|
||||
export GCP_BUCKET=constellation-images
|
||||
export GCP_RAW_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.raw
|
||||
export GCP_IMAGE_FILENAME=$(date +%s).tar.gz
|
||||
export GCP_IMAGE_PATH=${PWD}/mkosi.output.gcp/fedora~36/image.tar.gz
|
||||
upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
|
||||
upload/upload_gcp.sh
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
<summary>Azure</summary>
|
||||
|
||||
- Install `az` and `azcopy` (see [here](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli))
|
||||
- Login to Azure (see [here](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli))
|
||||
- Prepare secure boot PKI (see `secure-boot/genkeys.sh`)
|
||||
- [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot)
|
||||
|
||||
```sh
|
||||
# set these variables
|
||||
export AZURE_GALLERY_NAME= # e.g. "Constellation"
|
||||
export AZURE_IMAGE_DEFINITION= # e.g. "constellation"
|
||||
export AZURE_IMAGE_VERSION= # e.g. "1.0.0"
|
||||
export AZURE_VMGS_PATH= # e.g. "path/to/ConfidentialVM.vmgs"
|
||||
export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
|
||||
|
||||
export AZURE_RESOURCE_GROUP_NAME=constellation-images
|
||||
export AZURE_REGION=northeurope
|
||||
export AZURE_REPLICATION_REGIONS="northeurope eastus westeurope westus"
|
||||
export AZURE_IMAGE_OFFER=constellation
|
||||
export AZURE_SKU=constellation
|
||||
export AZURE_PUBLISHER=edgelesssys
|
||||
export AZURE_DISK_NAME=constellation-$(date +%s)
|
||||
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
|
||||
export AZURE_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.vhd
|
||||
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
||||
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
|
||||
```
|
||||
|
||||
</details>
|
Loading…
Reference in New Issue
Block a user