From 705404bf712cc829ab5938ed5cdae307249aa2f8 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Wed, 15 May 2024 15:15:12 +0200
Subject: [PATCH] image: update upload docs
---
image/README.md | 103 +++++-------------------------------------------
1 file changed, 9 insertions(+), 94 deletions(-)
diff --git a/image/README.md b/image/README.md
index bc19f579c..24666a5c6 100644
--- a/image/README.md
+++ b/image/README.md
@@ -16,113 +16,28 @@ bazel query //image/system/...
You can either build a group of images (all images for a cloud provider, a stream, ...) or a single image by selecting a target.
```sh
-bazel build //image/system:openstack_qemu-vtpm_debug
+bazel build //image/system:azure_azure-sev-snp_stable
```
The location of the destination folder can be queried like this:
```sh
-bazel cquery --output=files //image/system:openstack_qemu-vtpm_debug
+bazel cquery --output=files //image/system:azure_azure-sev-snp_stable
```
-## Upload to CSP
+## Build and Upload
-Warning! Never set `--version` to a value that is already used for a release image.
-
-
-AWS
-
-- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
-- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
-- Choose secure boot PKI public keys (one of `pki_dev`, `pki_test`, `pki_prod`)
- - `pki_dev` can be used for local image builds
- - `pki_test` is used by the CI for non-release images
- - `pki_prod` is used for release images
+Similarly, you can also build and upload images to the respective CSP within a single step with the `upload_*` targets.
```sh
-# Warning! Never set `--version` to a value that is already used for a release image.
-# Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- image aws --verbose --raw-image path/to/constellation.raw --attestation-variant "" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
+bazel run //image/system:upload_aws_aws-sev-snp_console -- --ref deps-image-fedora-40 --upload-measurements
```
-
+The `--ref` should be the branch you're building images on. It should **not contain slashes**. Slashes should be replaced with dashes to
+not break the filesystem structure of the image storages.
-
-GCP
-
-- Install `gcloud` and `gsutil` (see [here](https://cloud.google.com/sdk/docs/install))
-- Login to GCP (see [here](https://cloud.google.com/sdk/docs/authorizing))
-- Choose secure boot PKI public keys (one of `pki_dev`, `pki_test`, `pki_prod`)
- - `pki_dev` can be used for local image builds
- - `pki_test` is used by the CI for non-release images
- - `pki_prod` is used for release images
-
-```sh
-export GCP_RAW_IMAGE_PATH=$(realpath path/to/constellation.raw)
-export GCP_IMAGE_PATH=path/to/image.tar.gz
-upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
-# Warning! Never set `--version` to a value that is already used for a release image.
-# Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- image gcp --verbose --raw-image "${GCP_IMAGE_PATH}" --attestation-variant "sev-es" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
-```
-
-
-
-
-Azure
-
-Note:
-
-> For testing purposes, it is a lot simpler to disable Secure Boot for the uploaded image!
-> Disabling Secure Boot allows you to skip the VMGS creation steps above.
-
-- Install `az` and `azcopy` (see [here](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli))
-- Login to Azure (see [here](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli))
-- Optional (if Secure Boot should be enabled) [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot)
-
-```sh
-export AZURE_RAW_IMAGE_PATH=path/to/constellation.raw
-export AZURE_IMAGE_PATH=path/to/image.vhd
-upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
-# Warning! Never set `--version` to a value that is already used for a release image.
-# Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- image azure --verbose --raw-image "${AZURE_IMAGE_PATH}" --attestation-variant "cvm" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
-```
-
-
-
-
-OpenStack
-
-Note:
-
-> OpenStack is not one a global cloud provider, but rather a software that can be installed on-premises.
-> This means we do not upload the image to a cloud provider, but to our CDN.
-
-- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
-- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
-
-```sh
-# Warning! Never set `--version` to a value that is already used for a release image.
-# Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- image openstack --verbose --raw-image path/to/constellation.raw --attestation-variant "sev" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
-```
-
-
-
-
-QEMU
-
-- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
-- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
-
-```sh
-# Warning! Never set `--version` to a value that is already used for a release image.
-# Instead, use a `ref` that corresponds to your branch name.
-bazel run //image/upload -- image qemu --verbose --raw-image path/to/constellation.raw --attestation-variant "default" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
-```
-
-
+Optionally, the `--upload-measurements` option can be used to specify that measurements for the image should be uploaded, and `--fake-sign` specifies
+that a debugging signing key should be used to sign the measurements, which is done for debug images.
## Kernel