From 403acf75aa7c6d48132ef6778c7e18bc1b0fc456 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Mon, 15 Jan 2024 18:04:29 +0100
Subject: [PATCH] image: add mainline kernel and azure tdx image target

---
 bazel/mkosi/mkosi_image.bzl | 3 +
 bazel/toolchains/linux_kernel.bzl | 53 ++++++++++--
 image/base/BUILD.bazel | 133 ++++++++++++++++++------------
 image/system/BUILD.bazel | 8 +-
 image/system/variants.bzl | 16 ++++
 5 files changed, 148 insertions(+), 65 deletions(-)

diff --git a/bazel/mkosi/mkosi_image.bzl b/bazel/mkosi/mkosi_image.bzl
index c917c09ad..585ebeed7 100644
--- a/bazel/mkosi/mkosi_image.bzl
+++ b/bazel/mkosi/mkosi_image.bzl
@@ -16,6 +16,8 @@ def _mkosi_image_impl(ctx):
 args.add("--distribution", ctx.attr.distribution)
 if ctx.attr.architecture:
 args.add("--architecture", ctx.attr.architecture)
+ if ctx.attr.output:
+ args.add("--output", ctx.attr.output)
 args.add_all(ctx.attr.packages, before_each = "--package")
 for package_file in ctx.files.package_files:
 args.add("--package", config_rel(package_file.path))
@@ -122,6 +124,7 @@ mkosi_image = rule(
 doc = "main mkosi.conf file",
 ),
 "out_dir": attr.string(),
+ "output": attr.string(),
 "outs": attr.output_list(),
 "package_files": attr.label_list(allow_files = True),
 "package_manager_trees": attr.label_list(allow_files = True),
diff --git a/bazel/toolchains/linux_kernel.bzl b/bazel/toolchains/linux_kernel.bzl
index 0c0e95a3b..cd537f36c 100644
--- a/bazel/toolchains/linux_kernel.bzl
+++ b/bazel/toolchains/linux_kernel.bzl
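Review bot: The new `"output": attr.string(),` in the `mkosi_image` rule's attrs is undocumented, while the neighbouring `mkosi_conf` attr carries a `doc`; since the implementation hunk above only forwards it when non-empty (`if ctx.attr.output:`), the unset case silently falls back to mkosi's own default name, which callers should be told. Suggest `"output": attr.string(doc = "Base name passed to mkosi as --output; when empty, mkosi's default output name is used. The files listed in outs are expected to share this prefix (see image/base)."),`. The `rule(` call that encloses this attr dict starts and ends outside the hunk.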
@@ -3,39 +3,76 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
 def kernel_rpms():
+ """kernel rpms"""
+
+ # LTS kernel
 http_file(
- name = "kernel",
+ name = "kernel_lts",
 urls = [
 "https://cdn.confidential.cloud/constellation/cas/sha256/4430d2f8076081291d505ccb91bc84e3a763e113348e23775cc01df5a574d684",
 "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-6.1.68-100.constellation.fc38.x86_64.rpm",
 ],
- downloaded_file_path = "kernel.rpm",
+ downloaded_file_path = "kernel-lts.rpm",
 sha256 = "4430d2f8076081291d505ccb91bc84e3a763e113348e23775cc01df5a574d684",
 )
 http_file(
- name = "kernel_core",
+ name = "kernel_core_lts",
 urls = [
 "https://cdn.confidential.cloud/constellation/cas/sha256/e3f9a42c4c86d56cae98053d3fc099368cbcf6dfa8ed48848e24e2c82ae3b7cc",
 "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-core-6.1.68-100.constellation.fc38.x86_64.rpm",
 ],
- downloaded_file_path = "kernel-core.rpm",
+ downloaded_file_path = "kernel-core-lts.rpm",
 sha256 = "e3f9a42c4c86d56cae98053d3fc099368cbcf6dfa8ed48848e24e2c82ae3b7cc",
 )
 http_file(
- name = "kernel_modules",
+ name = "kernel_modules_lts",
 urls = [
 "https://cdn.confidential.cloud/constellation/cas/sha256/072fc8e1b1bb37e1cc40038f60e21a7be374d801f48589146660ffe7028f6b39",
 "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-modules-6.1.68-100.constellation.fc38.x86_64.rpm",
 ],
- downloaded_file_path = "kernel-modules.rpm",
+ downloaded_file_path = "kernel-modules-lts.rpm",
 sha256 = "072fc8e1b1bb37e1cc40038f60e21a7be374d801f48589146660ffe7028f6b39",
 )
 http_file(
- name = "kernel_modules_core",
+ name = "kernel_modules_core_lts",
 urls = [
 "https://cdn.confidential.cloud/constellation/cas/sha256/97d1e099b874d53b87fad2515c450b33d56770236211bf6a83a52e9e28361be1",
 "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-modules-core-6.1.68-100.constellation.fc38.x86_64.rpm",
 ],
- downloaded_file_path = "kernel-modules-core.rpm",
+ downloaded_file_path = "kernel-modules-core-lts.rpm",
 sha256 = "97d1e099b874d53b87fad2515c450b33d56770236211bf6a83a52e9e28361be1",
 )
+
+ # mainline kernel
+ http_file(
+ name = "kernel_mainline",
+ urls = [
+ "https://cdn.confidential.cloud/constellation/cas/sha256/b42a4ee6c486832adbff101447a0f92b61905e43acabffc40e573ebf87799889",
+ ],
+ downloaded_file_path = "kernel-mainline.rpm",
+ sha256 = "b42a4ee6c486832adbff101447a0f92b61905e43acabffc40e573ebf87799889",
+ )
+ http_file(
+ name = "kernel_core_mainline",
+ urls = [
+ "https://cdn.confidential.cloud/constellation/cas/sha256/88f34a4add6d1c8d9c7cff499843d0d565aa798b1bf365c7b4a0e0c48adab2b4",
+ ],
+ downloaded_file_path = "kernel-core-mainline.rpm",
+ sha256 = "88f34a4add6d1c8d9c7cff499843d0d565aa798b1bf365c7b4a0e0c48adab2b4",
+ )
+ http_file(
+ name = "kernel_modules_mainline",
+ urls = [
+ "https://cdn.confidential.cloud/constellation/cas/sha256/4ba6599de2934315fb659b512659e5d96b2812f877e0c2d41625d899d8d440ad",
+ ],
+ downloaded_file_path = "kernel-modules-mainline.rpm",
+ sha256 = "4ba6599de2934315fb659b512659e5d96b2812f877e0c2d41625d899d8d440ad",
+ )
+ http_file(
+ name = "kernel_modules_core_mainline",
+ urls = [
+ "https://cdn.confidential.cloud/constellation/cas/sha256/3d01a6e11fb4110b6c7f2f63c113c7b7c7ea8f5a78d77c4ca355b3039bbcb282",
+ ],
+ downloaded_file_path = "kernel-modules-core-mainline.rpm",
+ sha256 = "3d01a6e11fb4110b6c7f2f63c113c7b7c7ea8f5a78d77c4ca355b3039bbcb282",
+ )
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 1d02317b2..7dc5215e0 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
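Review bot: The four mainline `http_file` entries pin a sha256 but record no version anywhere — neither a versioned CDN path like the LTS entries' second URL (`.../kernel/6.1.68-100.constellation/...`) nor a comment — so nothing in the repository says which kernel release `b42a4ee6…` and its siblings are, which makes auditing the kernel shipped in the azure-tdx image and deciding when to bump it unnecessarily hard. Add the release next to the marker comment, e.g. `# mainline kernel <KERNEL_VERSION_PLACEHOLDER>` (placeholder, to be filled from the build), or add the versioned path as a second URL as the LTS entries do, which also gives the content-addressed URL a fallback. The new docstring `"""kernel rpms"""` could also state what the function provides, e.g. `"""Kernel RPMs for the two kernel variants (lts, mainline) consumed by //image/base."""`.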
@@ -4,14 +4,26 @@ load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 copy_to_directory(
- name = "rpms",
+ name = "rpms_lts",
 srcs = [
- "@kernel//file",
- "@kernel_core//file",
- "@kernel_modules//file",
- "@kernel_modules_core//file",
+ "@kernel_core_lts//file",
+ "@kernel_lts//file",
+ "@kernel_modules_core_lts//file",
+ "@kernel_modules_lts//file",
 ],
- include_external_repositories = ["kernel*"],
+ include_external_repositories = ["kernel*lts"],
+ replace_prefixes = {"file": ""},
+)
+
+copy_to_directory(
+ name = "rpms_mainline",
+ srcs = [
+ "@kernel_core_mainline//file",
+ "@kernel_mainline//file",
+ "@kernel_modules_core_mainline//file",
+ "@kernel_modules_mainline//file",
+ ],
+ include_external_repositories = ["kernel*mainline"],
 replace_prefixes = {"file": ""},
 )
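Review bot: The two `copy_to_directory` targets differ only in the variant suffix, so the `srcs` lists and the `include_external_repositories` glob are maintained twice and can drift apart when a third kernel variant is added; the same `for kernel_variant in ["lts", "mainline"]` comprehension this commit introduces for `mkosi_image` below would generate both from one definition. The rewrite below is equivalent to the two new targets.
```starlark
[
    copy_to_directory(
        name = "rpms_" + kernel_variant,
        srcs = [
            "@kernel_" + kernel_variant + "//file",
            "@kernel_core_" + kernel_variant + "//file",
            "@kernel_modules_" + kernel_variant + "//file",
            "@kernel_modules_core_" + kernel_variant + "//file",
        ],
        include_external_repositories = ["kernel*" + kernel_variant],
        replace_prefixes = {"file": ""},
    )
    for kernel_variant in [
        "lts",
        "mainline",
    ]
]
```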
@@ -23,64 +35,75 @@ copy_to_directory(
 allow_symlink = True,
 )
 for name in [
- "kernel",
- "kernel_core",
- "kernel_modules",
- "kernel_modules_core",
+ "kernel_lts",
+ "kernel_core_lts",
+ "kernel_modules_lts",
+ "kernel_modules_core_lts",
+ "kernel_mainline",
+ "kernel_core_mainline",
+ "kernel_modules_mainline",
+ "kernel_modules_core_mainline",
 ]
 ]
-mkosi_image(
- name = "base",
- srcs = [
- "mkosi.postinst",
- "mkosi.prepare",
- ] + glob([
- "mkosi.skeleton/**",
- ]),
- outs = [
- "image",
- "image.tar",
- "image-.rpm.lock",
- "image-packagemanifest",
- "image-rpmdb.sqlite",
- "image-rpmdb.sqlite-shm",
- "image-rpmdb.sqlite-wal",
- ],
- extra_trees = [
- "//image:sysroot_tar",
- "//image:cryptsetup_closure",
- ],
- local_mirror = ["@mkosi_rpms//:repo"],
- mkosi_conf = "mkosi.conf",
- package_files = [
- ":kernel",
- ":kernel_core",
- ":kernel_modules",
- ":kernel_modules_core",
- ],
- tags = [
- "manual",
- "no-cache",
- ],
- visibility = ["//visibility:public"],
-)
+[
+ mkosi_image(
+ name = "base_" + kernel_variant,
+ srcs = [
+ "mkosi.postinst",
+ "mkosi.prepare",
+ ] + glob([
+ "mkosi.skeleton/**",
+ ]),
+ outs = [
+ kernel_variant,
+ kernel_variant + ".tar",
+ kernel_variant + "-.rpm.lock",
+ kernel_variant + "-packagemanifest",
+ kernel_variant + "-rpmdb.sqlite",
+ kernel_variant + "-rpmdb.sqlite-shm",
+ kernel_variant + "-rpmdb.sqlite-wal",
+ ],
+ extra_trees = [
+ "//image:sysroot_tar",
+ "//image:cryptsetup_closure",
+ ],
+ local_mirror = ["@mkosi_rpms//:repo"],
+ mkosi_conf = "mkosi.conf",
+ output = kernel_variant,
+ package_files = [
+ ":kernel_" + kernel_variant,
+ ":kernel_core_" + kernel_variant,
+ ":kernel_modules_" + kernel_variant,
+ ":kernel_modules_core_" + kernel_variant,
+ ],
+ tags = [
+ "manual",
+ "no-cache",
+ ],
+ visibility = ["//visibility:public"],
+ )
+ for kernel_variant in [
+ "lts",
+ "mainline",
+ ]
+]
 pkg_tar(
 name = "rpmdb",
 srcs = [
- "image-.rpm.lock",
- "image-packagemanifest",
- "image-rpmdb.sqlite",
- "image-rpmdb.sqlite-shm",
- "image-rpmdb.sqlite-wal",
+ "lts-.rpm.lock",
+ "lts-packagemanifest",
+ "lts-rpmdb.sqlite",
+ "lts-rpmdb.sqlite-shm",
+ "lts-rpmdb.sqlite-wal",
 ],
 remap_paths = {
- "/image-.rpm.lock": "/var/lib/rpm/.rpm.lock",
- "/image-packagemanifest": "/usr/share/constellation/packagemanifest",
- "/image-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
- "/image-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
- "/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
+ "/lts-.rpm.lock": "/var/lib/rpm/.rpm.lock",
+ "/lts-packagemanifest": "/usr/share/constellation/packagemanifest",
+ "/lts-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
+ "/lts-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
+ "/lts-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
 },
 tags = ["manual"],
 visibility = ["//visibility:public"],
diff --git a/image/system/BUILD.bazel b/image/system/BUILD.bazel
index 49a9d42d1..b08ae0bd8 100644
--- a/image/system/BUILD.bazel
+++ b/image/system/BUILD.bazel
@@ -1,6 +1,6 @@
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 load("//bazel/osimage:upload_os_images.bzl", "upload_os_images")
-load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation_packages", "images_for_csp", "images_for_csp_and_stream", "images_for_stream", "kernel_command_line", "kernel_command_line_dict")
+load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "base_image", "constellation_packages", "images_for_csp", "images_for_csp_and_stream", "images_for_stream", "kernel_command_line", "kernel_command_line_dict")
 [
 mkosi_image(
@@ -16,7 +16,11 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
 stream,
 ),
 base_trees = [
- "//image/base:image.tar",
+ base_image(
+ variant["csp"],
+ variant["attestation_variant"],
+ stream,
+ ),
 ],
 extra_trees = constellation_packages(stream),
 initrds = [
diff --git a/image/system/variants.bzl b/image/system/variants.bzl
index 9f96ba7a8..5465d4f45 100644
--- a/image/system/variants.bzl
+++ b/image/system/variants.bzl
@@ -13,6 +13,10 @@ VARIANTS = [
 "attestation_variant": "azure-sev-snp",
 "csp": "azure",
 },
+ {
+ "attestation_variant": "azure-tdx",
+ "csp": "azure",
+ },
 {
 "attestation_variant": "gcp-sev-es",
 "csp": "gcp",
@@ -105,6 +109,12 @@ attestation_variant_settings = {
 "constel.attestation-variant": "azure-sev-snp",
 },
 },
+ "azure-tdx": {
+ "base_image": "//image/base:mainline",
+ "kernel_command_line_dict": {
+ "constel.attestation-variant": "azure-tdx",
+ },
+ },
 "gcp-sev-es": {
 "kernel_command_line_dict": {
 "constel.attestation-variant": "gcp-sev-es",
@@ -201,6 +211,12 @@ def kernel_command_line_dict(csp, attestation_variant, stream):
 commandline_dict = commandline_dict | settings.get("kernel_command_line_dict", {})
 return commandline_dict
+def base_image(csp, attestation_variant, stream):
+ for settings in from_settings(csp, attestation_variant, stream):
+ if "base_image" in settings:
+ return settings["base_image"]
+ return "//image/base:lts"
+
 def append_cmdline(current, append):
 """Append a string to an existing commandline, separating them with a space.
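Review bot: `"base_image"` is a new settings key in `attestation_variant_settings` whose resolution rule is not documented where it is set: the `base_image()` added further down returns the value from the first settings group yielded by `from_settings(...)` that carries the key, whereas `kernel_command_line_dict` merges groups with `|` so that later groups override earlier ones, so the two keys resolve with opposite precedence should a CSP- or stream-level group ever also set `base_image`. Add a comment above the key, e.g. `# Base image this variant is built on; the first settings group that sets it wins, default is //image/base:lts (see base_image()).`, and give `base_image()` a docstring stating the same, since `append_cmdline` next to it has one and it has none. The enclosing `attestation_variant_settings = {` dict starts and ends outside the hunk.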