Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-22 21:31:14 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update coreos-assembler patch to latest changes

Browse Source
This commit is contained in:
Malte Poll 2022-08-18 15:43:52 +02:00 committed by Malte Poll
parent 7575f7688a
commit 3c6350a332
2 changed files with 66 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
3rdparty/coreos-assembler/Makefile vendored
View File

@ -2,7 +2,7 @@ CONTAINER_RUNTIME ?= docker
IMAGENAME ?= localhost/coreos-assembler IMAGENAME ?= localhost/coreos-assembler
IMAGETAG ?= latest IMAGETAG ?= latest
UPSTREAM ?= https://github.com/coreos/coreos-assembler UPSTREAM ?= https://github.com/coreos/coreos-assembler
COMMIT ?= b8f61207c7a4ce345a1f136823dac6c628086273 COMMIT ?= 2dd33ddc36e6b9e1cc01ee0740f29020d203ceb2
SRC_PATH = $(CURDIR) SRC_PATH = $(CURDIR)
BASE_PATH ?= $(SRC_PATH) BASE_PATH ?= $(SRC_PATH)
BUILDDIR ?= $(BASE_PATH)/build BUILDDIR ?= $(BASE_PATH)/build
@ -19,7 +19,7 @@ clone:
cd $(CLONEDIR) && git checkout $(COMMIT) cd $(CLONEDIR) && git checkout $(COMMIT)
patch: patch:
cd $(CLONEDIR) && patch -p1 < $(BASE_PATH)/verity.patch cd $(CLONEDIR) && patch --verbose -p1 < $(BASE_PATH)/verity.patch
containerimage: containerimage:
cd $(CLONEDIR) && $(CONTAINER_RUNTIME) build -t $(IMAGENAME):$(IMAGETAG) -f Dockerfile . cd $(CLONEDIR) && $(CONTAINER_RUNTIME) build -t $(IMAGENAME):$(IMAGETAG) -f Dockerfile .

93
3rdparty/coreos-assembler/verity.patch vendored
View File

@ -2,7 +2,7 @@ diff --git a/Dockerfile b/Dockerfile
index 80c008a2d..329171970 100644 index 80c008a2d..329171970 100644
--- a/Dockerfile --- a/Dockerfile
+++ b/Dockerfile +++ b/Dockerfile
@@ -35,3 +35,12 @@ RUN chmod g=u /etc/passwd @@ -38,3 +38,12 @@ RUN chmod g=u /etc/passwd
# run as `builder` user # run as `builder` user
USER builder USER builder
ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"] ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"]
@ -20,7 +20,7 @@ diff --git a/mantle/platform/qemu.go b/mantle/platform/qemu.go
index d4d5eafa7..20f156315 100644 index d4d5eafa7..20f156315 100644
--- a/mantle/platform/qemu.go --- a/mantle/platform/qemu.go
+++ b/mantle/platform/qemu.go +++ b/mantle/platform/qemu.go
@@ -447,7 +447,7 @@ type QemuBuilder struct { @@ -449,7 +449,7 @@ type QemuBuilder struct {
func NewQemuBuilder() *QemuBuilder { func NewQemuBuilder() *QemuBuilder {
ret := QemuBuilder{ ret := QemuBuilder{
Firmware: "bios", Firmware: "bios",
@ -33,7 +33,7 @@ diff --git a/src/cosalib/qemuvariants.py b/src/cosalib/qemuvariants.py
index 8d57803b1..cdad6aeba 100644 index 8d57803b1..cdad6aeba 100644
--- a/src/cosalib/qemuvariants.py --- a/src/cosalib/qemuvariants.py
+++ b/src/cosalib/qemuvariants.py +++ b/src/cosalib/qemuvariants.py
@@ -80,7 +80,7 @@ VARIANTS = { @@ -81,7 +81,7 @@ VARIANTS = {
"image_suffix": "tar.gz", "image_suffix": "tar.gz",
"gzip": True, "gzip": True,
"convert_options": { "convert_options": {
@ -46,80 +46,97 @@ diff --git a/src/create_disk.sh b/src/create_disk.sh
index 61d52cd96..fa3fe1655 100755 index 61d52cd96..fa3fe1655 100755
--- a/src/create_disk.sh --- a/src/create_disk.sh
+++ b/src/create_disk.sh +++ b/src/create_disk.sh
@@ -120,6 +120,7 @@ set -x @@ -188,6 +188,7 @@ set -x
# and we only get three of those. https://github.com/coreos/fedora-coreos-tracker/issues/855 SDPART=1
BOOTPN=3 BOOTPN=3
ROOTPN=4 ROOTPN=4
+VERITYHASHPN=5 +VERITYHASHPN=5
# Make the size relative # Make the size relative
if [ "${rootfs_size}" != "0" ]; then if [ "${rootfs_size}" != "0" ]; then
rootfs_size="+${rootfs_size}" rootfs_size="+${rootfs_size}"
@@ -132,7 +133,8 @@ case "$arch" in @@ -201,7 +202,8 @@ case "$arch" in
-n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \ -n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \
-n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 - -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ + -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity + -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
sgdisk -p "$disk" sgdisk -p "$disk"
;; ;;
aarch64) aarch64)
@@ -143,7 +145,8 @@ case "$arch" in @@ -212,7 +214,8 @@ case "$arch" in
-n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \ -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
-n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \ -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 - -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ + -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity + -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
sgdisk -p "$disk" sgdisk -p "$disk"
;; ;;
s390x) s390x)
@@ -154,7 +157,8 @@ case "$arch" in @@ -222,6 +225,7 @@ case "$arch" in
sgdisk -Z $disk \ -n ${SDPART}:0:+200M -c ${SDPART}:se -t ${SDPART}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
-U "${uninitialized_gpt_uuid}" \ -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ - -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
- -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 + -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ + -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity else
# NB: in the bare metal case when targeting ECKD DASD disks, this
# partition table is not what actually gets written to disk in the end:
@@ -231,7 +235,8 @@ case "$arch" in
-U "${uninitialized_gpt_uuid}" \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
fi
sgdisk -p "$disk" sgdisk -p "$disk"
;; ;;
ppc64le) ppc64le)
@@ -166,7 +170,8 @@ case "$arch" in @@ -243,7 +248,8 @@ case "$arch" in
-n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \ -n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \
-n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \ -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \ -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 - -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \ + -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity + -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
sgdisk -p "$disk" sgdisk -p "$disk"
;; ;;
esac esac
@@ -174,6 +179,7 @@ esac @@ -251,10 +257,11 @@ esac
udevtrig udevtrig
zipl_dev="${disk}${SDPART}"
boot_dev="${disk}${BOOTPN}"
root_dev="${disk}${ROOTPN}" root_dev="${disk}${ROOTPN}"
+hash_dev="${disk}${VERITYHASHPN}" +hash_dev="${disk}${VERITYHASHPN}"
bootargs= bootargs=
# If the bootfs_metadata_csum_seed image.yaml knob is set to true then # If the bootfs_metadata_csum_seed image.yaml knob is set to true then
@@ -212,13 +218,13 @@ case "${rootfs_type}" in # we'll enable the metadata_csum_seed filesystem feature. This is
# gated behind an image.yaml knob because support for this feature
@@ -305,17 +315,17 @@ case "${rootfs_type}" in
# And reflinks are *very* useful for the container stack with overlayfs (and in general).
# So basically, we're choosing performance over half-implemented security. # So basically, we're choosing performance over half-implemented security.
# Eventually, we'd like both - once XFS gains verity (probably not too hard), # Eventually, we'd like both - once XFS gains verity (probably not too hard),
# we could unconditionally enable it there. # we could unconditionally enable it there.
- mkfs.ext4 -b $(getconf PAGE_SIZE) -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} # shellcheck disable=SC2086
+ mkfs.ext4 -b $(getconf PAGE_SIZE) -O verity -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} - mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
+ mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
;; ;;
btrfs) btrfs)
# shellcheck disable=SC2086
- mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} - mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
+ mkfs.btrfs -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args} + mkfs.btrfs -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
;; ;;
xfs|"") xfs|"")
# shellcheck disable=SC2086
- mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args} - mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args}
+ mkfs.xfs "${root_dev}" -L root_raw -m reflink=1 -m uuid="${rootfs_uuid}" -s "size=4096" ${rootfs_args} + mkfs.xfs "${root_dev}" -L root_raw -m reflink=1 -m uuid="${rootfs_uuid}" -s "size=4096" ${rootfs_args}
;; ;;
*) *)
echo "Unknown rootfs_type: $rootfs_type" 1>&2 echo "Unknown rootfs_type: $rootfs_type" 1>&2
@@ -422,11 +428,11 @@ s390x) @@ -536,11 +428,10 @@ s390x)
esac esac
ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}" ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}"
@ -128,6 +145,16 @@ index 61d52cd96..fa3fe1655 100755
-ostree config --repo $rootfs/ostree/repo set sysroot.readonly true -ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+# constellation: setting readonly to false interestingly stops ostree from remounting anything as rw +# constellation: setting readonly to false interestingly stops ostree from remounting anything as rw
+ostree config --repo $rootfs/ostree/repo set sysroot.readonly false +ostree config --repo $rootfs/ostree/repo set sysroot.readonly false
# enable support for GRUB password
if [ "${bootloader_backend}" = "none" ]; then
ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
fi
@@ -542,15 +548,16 @@ s390x)
# enable support for GRUB password
if [ "${bootloader_backend}" = "none" ]; then
ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
fi
-touch $rootfs/boot/ignition.firstboot -touch $rootfs/boot/ignition.firstboot
+# constellation: do not enable ignition on first boot +# constellation: do not enable ignition on first boot
@ -135,7 +162,13 @@ index 61d52cd96..fa3fe1655 100755
# Finally, add the immutable bit to the physical root; we don't # Finally, add the immutable bit to the physical root; we don't
# expect people to be creating anything there. A use case for # expect people to be creating anything there. A use case for
@@ -439,10 +445,21 @@ chattr +i $rootfs # OSTree in general is to support installing *inside* the existing
# root of a deployed OS, so OSTree doesn't do this by default, but
# we have no reason not to enable it here. Administrators should
# generally expect that state data is in /etc and /var; if anything
# else is in /sysroot it's probably by accident.
chattr +i $rootfs
@@ -557,10 +564,21 @@ chattr +i $rootfs
fstrim -a -v fstrim -a -v
# Ensure the filesystem journals are flushed # Ensure the filesystem journals are flushed
@ -175,7 +208,7 @@ diff --git a/src/libguestfish.sh b/src/libguestfish.sh
index 82cfcf86e..635fb9eaa 100755 index 82cfcf86e..635fb9eaa 100755
--- a/src/libguestfish.sh --- a/src/libguestfish.sh
+++ b/src/libguestfish.sh +++ b/src/libguestfish.sh
@@ -58,7 +58,7 @@ coreos_gf_run_mount() { @@ -64,7 +64,7 @@ coreos_gf_run_mount() {
shift shift
fi fi
coreos_gf_run "$@" coreos_gf_run "$@"
@ -188,10 +221,12 @@ diff --git a/src/vmdeps.txt b/src/vmdeps.txt
index 6c6045840..ddbece267 100644 index 6c6045840..ddbece267 100644
--- a/src/vmdeps.txt --- a/src/vmdeps.txt
+++ b/src/vmdeps.txt +++ b/src/vmdeps.txt
@@ -27,3 +27,6 @@ gdisk xfsprogs e2fsprogs dosfstools btrfs-progs @@ -27,5 +27,8 @@ gdisk xfsprogs e2fsprogs dosfstools btrfs-progs
# needed for basic CA support # needed for basic CA support
ca-certificates ca-certificates
tar
+ +
+# dm-verity +# dm-verity
+veritysetup +veritysetup