From 84dd25600f271a4dfdc5ff177c9c0e757ff4e6d6 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 25 Apr 2023 18:22:40 +0200
Subject: [PATCH] image: upgrade mkosi to support repart (#1684)
---
.github/actions/setup_mkosi/action.yaml | 51 +++++++++++----
.github/workflows/build-os-image.yml | 53 ++++++++--------
image/Makefile | 26 +++++---
image/README.md | 63 +++++++++++++++----
.../mkosi.aws.conf | 4 +-
.../mkosi.azure.conf | 4 +-
image/mkosi.conf.d/mkosi.conf | 16 +----
.../mkosi.gcp.conf | 4 +-
.../mkosi.openstack.conf | 4 +-
.../mkosi.qemu.conf | 4 +-
image/mkosi.conf.d/selinux.conf | 7 ++-
image/mkosi.repart/00-esp.conf | 6 ++
image/mkosi.repart/10-root.conf | 7 +++
image/mkosi.repart/20-root-verity.conf | 6 ++
.../39constellation-mount/module-setup.sh | 16 ++++-
.../systemd/resolved.conf.d/fallback_dns.conf | 2 +
.../system-preset/30-constellation.preset | 2 +
17 files changed, 192 insertions(+), 83 deletions(-)
rename image/{mkosi.files => mkosi.conf.d}/mkosi.aws.conf (85%)
rename image/{mkosi.files => mkosi.conf.d}/mkosi.azure.conf (91%)
rename image/{mkosi.files => mkosi.conf.d}/mkosi.gcp.conf (91%)
rename image/{mkosi.files => mkosi.conf.d}/mkosi.openstack.conf (89%)
rename image/{mkosi.files => mkosi.conf.d}/mkosi.qemu.conf (87%)
create mode 100644 image/mkosi.repart/00-esp.conf
create mode 100644 image/mkosi.repart/10-root.conf
create mode 100644 image/mkosi.repart/20-root-verity.conf
create mode 100644 image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
diff --git a/.github/actions/setup_mkosi/action.yaml b/.github/actions/setup_mkosi/action.yaml
index 2737f6d69..e71ad3f87 100644
--- a/.github/actions/setup_mkosi/action.yaml
+++ b/.github/actions/setup_mkosi/action.yaml
@@ -4,6 +4,9 @@ inputs:
version:
description: "Version (commit hash) of mkosi to install."
required: true
+ systemdVersion:
+ description: "Version (commit hash) of systemd to install."
+ required: true
runs:
using: composite
steps:
@@ -14,27 +17,49 @@ runs:
echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get install --assume-yes --no-install-recommends \
+ bubblewrap \
dnf \
- systemd-container \
- qemu-system-x86 \
- ovmf \
e2fsprogs \
- squashfs-tools
+ libfdisk-dev \
+ mtools \
+ ovmf \
+ python3-pefile \
+ python3-pyelftools \
+ python3-setuptools \
+ qemu-system-x86 \
+ squashfs-tools \
+ systemd-container
echo "::endgroup::"
- # Try to eliminate "Failed to dissect image: Connection timed out" errors from nspawn by compiling
- # systemd-nspawn from v251 from source.
- - name: Update systemd-nspawn
+ - name: Checkout systemd
+ uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+ with:
+ repository: systemd/systemd
+ path: ${{ github.action_path }}/systemd
+ ref: ${{ inputs.systemdVersion }}
+
+ - name: Update systemd tools
shell: bash
working-directory: ${{ github.action_path }}
run: |
- echo "::group::Update systemd-nspawn"
+ echo "::group::Update systemd tools"
sudo apt-get build-dep systemd
- git clone https://github.com/systemd/systemd-stable --branch v251.2 --depth=1
- meson systemd-stable/build systemd-stable
- ninja -C systemd-stable/build systemd-nspawn
- sudo ln -svf $PWD/systemd-stable/build/systemd-nspawn $(which systemd-nspawn)
- systemd-nspawn --version
+ meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
+
+ BINARIES=(
+ bootctl
+ systemctl
+ systemd-analyze
+ systemd-dissect
+ systemd-nspawn
+ systemd-repart
+ ukify
+ )
+
+ ninja -C systemd/build ${BINARIES[@]}
+ for BINARY in "${BINARIES[@]}"; do
+ sudo ln -svf $PWD/systemd/build/$BINARY /usr/bin/$BINARY
+ done
echo "::endgroup::"
- name: Install
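Review bot: The array is expanded unquoted in `ninja -C systemd/build ${BINARIES[@]}` but quoted in the loop two lines below; the two should agree, `ninja -C systemd/build "${BINARIES[@]}"`, and the link command should quote its paths as well, `sudo ln -svf "$PWD/systemd/build/$BINARY" "/usr/bin/$BINARY"`. The removed step carried a comment saying why systemd was built from source, and the new step has none; a line above `- name: Update systemd tools` such as `# the upgraded mkosi needs newer systemd tools (repart, ukify, bootctl) than the runner ships; build the pinned commit and shadow the distro binaries in /usr/bin` would keep that context. Note that the symlinks now also replace the runner's own `systemctl` and `bootctl`, which the old step did not touch; if that is intended it belongs in the same comment. The composite action's step list continues past the hunk.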
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index dc5c608fb..b6f29028c 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -284,7 +284,8 @@ jobs:
- name: Setup mkosi
uses: ./.github/actions/setup_mkosi
with:
- version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3
+ version: d8b32fbf3077b612db0024276e73cec3c2c87577
+ systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677
- name: Prepare PKI for secure boot signing
id: prepare-pki
@@ -295,6 +296,7 @@ jobs:
DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
run: |
echo "${DB_KEY}" > "${PKI_SET}/db.key"
+ chmod 600 "${PKI_SET}/db.key"
ln -s "${PKI_SET}" pki
- name: Build
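Review bot: `chmod 600 "${PKI_SET}/db.key"` runs only after the redirect on the previous line has already created the file with the runner's default umask, so the signing key briefly exists with wider permissions, and it stays that way if the step dies between the two commands. Creating it with the final mode from the start closes that window: `(umask 077; echo "${DB_KEY}" > "${PKI_SET}/db.key")`. The step's `env:` block that supplies DB_KEY starts above the hunk.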
@@ -322,12 +324,12 @@ jobs:
{
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)"
echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)"
- echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)"
- echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)"
- echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)"
+ echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.esp.raw | head -c 64)"
+ echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)"
+ echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)"
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
- echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)"
- echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)"
+ echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.changelog | head -c 64)"
+ echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.manifest | head -c 64)"
} | tee -a "$GITHUB_OUTPUT"
- name: Upload raw OS image as artifact
@@ -343,10 +345,9 @@ jobs:
path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.initrd
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.raw
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity
+ ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.esp.raw
+ ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root-x86-64.raw
+ ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root-x86-64-verity.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz
- name: Upload manifest as artifact
@@ -354,8 +355,8 @@ jobs:
with:
name: manifest-${{ matrix.csp }}
path: |
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog
- ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest
+ ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.changelog
+ ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.manifest
upload-os-image:
name: "Upload OS image to CSP"
@@ -812,7 +813,7 @@ jobs:
- name: Unpack squashfs
run: |
echo "::group::Unpack squashfs"
- unsquashfs -user-xattrs -d image.root.tree image.root.raw
+ unsquashfs -user-xattrs -d image.root.tree image.root-x86-64.raw
echo "::endgroup::"
- name: Create SBOM in SPDX fromat
@@ -847,35 +848,35 @@ jobs:
${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
- ${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
- ${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest
+ ${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.changelog
+ ${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.manifest
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
- ${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw
+ ${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
- ${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
- ${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest
+ ${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.changelog
+ ${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.manifest
${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi
${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd
- ${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root.raw
+ ${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw
- ${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.raw.changelog
- ${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.raw.manifest
+ ${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.changelog
+ ${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.manifest
${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi
${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd
- ${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root.raw
+ ${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw
- ${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.raw.changelog
- ${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.raw.manifest
+ ${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.changelog
+ ${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.manifest
${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi
${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd
- ${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root.raw
+ ${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
EOF
@@ -886,7 +887,7 @@ jobs:
shell: bash
run: |
sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json'
- manifests='image.raw.manifest image.raw.changelog'
+ manifests='image.manifest image.changelog'
hashes='SHA256SUMS'
for file in ${sboms} ${manifests} ${hashes}; do
aws s3 cp \
diff --git a/image/Makefile b/image/Makefile
index ef4754c6d..3b0fad94a 100644
--- a/image/Makefile
+++ b/image/Makefile
@@ -8,11 +8,13 @@ DEBUGD_BINARY ?= $(BASE_PATH)/../build/debugd
MEASUREMENT_READER_BINARY ?= $(BASE_PATH)/../build/measurement-reader
PKI ?= $(BASE_PATH)/pki
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
+EXTRA_SEARCH_PATHS ?=
IMAGE_VERSION ?= v0.0.0
DEBUG ?= false
AUTOLOGIN ?= false
AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
KERNEL_DEBUG_CMDLNE := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
+SEARCH_PATHS_PARAM := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
export INSTALL_DEBUGD ?= $(DEBUG)
export CONSOLE_MOTD = $(AUTOLOGIN)
-include $(CURDIR)/config.mk
@@ -28,6 +30,8 @@ PREBUILT_RPMS_GCP := $(addprefix prebuilt/rpms/gcp/,$(GCP_FIXED_KERNEL_RPMS))
.PHONY: all clean inject-bins $(csps)
+.NOTPARALLEL: mkosi.output.%/fedora~37/image.raw clean-%
+
all: $(csps)
$(csps): %: mkosi.output.%/fedora~37/image.raw
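Review bot: `.NOTPARALLEL: mkosi.output.%/fedora~37/image.raw clean-%` is meant to keep two CSP builds from racing on the shared `.csp/` marker directory that the image.raw and clean-% recipes below create and delete, but what it guarantees depends on the make version: as far as I can tell, releases before 4.4 ignore the prerequisite list and serialize the entire build, while 4.4 reads it as "build these targets' own prerequisites serially", which does not stop two `image.raw` recipes from running side by side under `make -j`. A bare `.NOTPARALLEL:` gives the intended guarantee unambiguously, or the recipes could stop depending on global state. Whichever is chosen, a comment on the line, `# the .csp/ selector is global mutable state; CSP builds must not overlap`, would explain why parallelism is restricted.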
@@ -50,18 +54,23 @@ prebuilt/rpms/azure/%.rpm:
@mkdir -p $(@D)
@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
-mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs
- mkosi --config mkosi.files/mkosi.$*.conf \
+mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
+ rm -rf .csp/
+ mkdir -p .csp/
+ touch .csp/$*
+ mkosi \
--image-version=$(IMAGE_VERSION) \
$(AUTOLOGIN_ARGS) \
--environment=INSTALL_DEBUGD \
--environment=CONSOLE_MOTD \
--kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
+ $(SEARCH_PATHS_PARAM) \
build
secure-boot/signed-shim.sh $@
@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
fi
+ rm -rf .csp/
@echo "Image is ready: $@"
inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE) $(PREBUILT_RPMS_GCP)
@@ -84,19 +93,16 @@ inject-certs: $(certs)
mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
- cp $(PKI)/{PK,KEK,db}.esl "$(MKOSI_EXTRA)/boot/loader/keys/auto"
- cp $(PKI)/{PK,KEK,db}.auth "$(MKOSI_EXTRA)/boot/loader/keys/auto"
- # for manual enrollment using sbkeysync
- mkdir -p $(MKOSI_EXTRA)/etc/secureboot/keys/{db,dbx,KEK,PK}
- cp $(PKI)/db.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/db/"
- cp $(PKI)/KEK.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/KEK/"
- cp $(PKI)/PK.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/PK/"
clean-cache:
rm -rf mkosi.cache/*
clean-%:
- mkosi --config mkosi.files/mkosi.$*.conf clean
+ rm -rf .csp/
+ mkdir -p .csp/
+ touch .csp/$*
+ mkosi clean
+ rm -rf .csp/
clean:
rm -rf mkosi.output.*
diff --git a/image/README.md b/image/README.md
index a38c96078..4bbf42c5e 100644
--- a/image/README.md
+++ b/image/README.md
@@ -6,10 +6,40 @@
cd /tmp/
git clone https://github.com/systemd/mkosi
cd mkosi
+ git checkout d8b32fbf3077b612db0024276e73cec3c2c87577
tools/generate-zipapp.sh
cp builddir/mkosi /usr/local/bin/
```
+- Build systemd tooling (from git):
+
+ Ubuntu and Fedora ship outdated versions of systemd tools, so you need to build them from source:
+
+ ```sh
+ # Ubuntu
+ echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
+ sudo apt-get update
+ sudo apt-get build-dep systemd
+ sudo apt-get install libfdisk-dev
+ # Fedora
+ sudo dnf builddep systemd
+
+ git clone https://github.com/systemd/systemd --depth=1
+ meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
+ BINARIES=(
+ bootctl
+ systemctl
+ systemd-analyze
+ systemd-dissect
+ systemd-nspawn
+ systemd-repart
+ ukify
+ )
+ ninja -C systemd/build ${BINARIES[@]}
+ SYSTEMD_BIN=$(realpath systemd/build)
+ echo installed systemd tools to "${SYSTEMD_BIN}"
+ ```
+
- Install tools:
@@ -18,22 +48,27 @@
```sh
sudo apt-get update
sudo apt-get install --assume-yes --no-install-recommends \
- dnf \
- systemd-container \
- qemu-system-x86 \
- qemu-utils \
- ovmf \
- e2fsprogs \
- squashfs-tools \
- efitools \
- sbsigntool \
+ bubblewrap \
coreutils \
curl \
+ dnf \
+ e2fsprogs \
+ efitools \
jq \
- util-linux \
- virt-manager \
+ mtools \
+ ovmf \
python3-crc32c \
- rpm
+ python3-pefile \
+ python3-pyelftools \
+ python3-setuptools \
+ qemu-system-x86 \
+ qemu-utils \
+ rpm \
+ sbsigntool \
+ squashfs-tools \
+ systemd-container \
+ util-linux \
+ virt-manager
```
@@ -43,6 +78,7 @@
```sh
sudo dnf install -y \
+ bubblewrap \
edk2-ovmf \
systemd-container \
qemu \
@@ -68,13 +104,14 @@ When building your first image, prepare the secure boot PKI (see `secure-boot/ge
After that, you can build the image with:
```sh
+# export SYSTEMD_BIN=
# OPTIONAL: to create a debug image, export the following line
# export DEBUG=true
# OPTIONAL: to enable the serial console, export the following line
# export AUTOLOGIN=true
# OPTIONAL: symlink custom path to secure boot PKI to ./pki
# ln -s /path/to/pki/folder ./pki
-sudo make -j $(nproc)
+sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
```
Raw images will be placed in `mkosi.output./fedora~37/image.raw`.
diff --git a/image/mkosi.files/mkosi.aws.conf b/image/mkosi.conf.d/mkosi.aws.conf
similarity index 85%
rename from image/mkosi.files/mkosi.aws.conf
rename to image/mkosi.conf.d/mkosi.aws.conf
index d833e0044..534ee0d2b 100644
--- a/image/mkosi.files/mkosi.aws.conf
+++ b/image/mkosi.conf.d/mkosi.aws.conf
@@ -1,9 +1,11 @@
+[Match]
+PathExists=../.csp/aws
+
[Output]
KernelCommandLine=constel.csp=aws constel.attestation-variant=aws-nitro-tpm
OutputDirectory=mkosi.output.aws
[Content]
-BasePackages=conditional
Packages=kernel
kernel-core
kernel-modules
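Review bot: With `PathExists=../.csp/aws` this fragment is included only when the Makefile has created the marker, so running `mkosi` by hand in `image/` matches none of the five CSP fragments and silently builds an image without any `constel.csp=` / `constel.attestation-variant=` command line. A comment above `[Match]`, `# selected by the Makefile via the .csp/<csp> marker; mkosi run without it builds a CSP-less image`, documents the coupling; the same applies to the azure, gcp, openstack and qemu fragments. I assume `..` is resolved relative to `mkosi.conf.d/`; worth confirming that mkosi evaluates `PathExists` against the fragment's directory rather than the working directory.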
diff --git a/image/mkosi.files/mkosi.azure.conf b/image/mkosi.conf.d/mkosi.azure.conf
similarity index 91%
rename from image/mkosi.files/mkosi.azure.conf
rename to image/mkosi.conf.d/mkosi.azure.conf
index c4699e94d..4f4c523cb 100644
--- a/image/mkosi.files/mkosi.azure.conf
+++ b/image/mkosi.conf.d/mkosi.azure.conf
@@ -1,10 +1,12 @@
+[Match]
+PathExists=../.csp/azure
+
[Output]
KernelCommandLine=constel.csp=azure constel.attestation-variant=azure-sev-snp
OutputDirectory=mkosi.output.azure
# replace kernel
[Content]
-BasePackages=conditional
Packages=prebuilt/rpms/azure/kernel-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/azure/kernel-core-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/azure/kernel-modules-6.1.18-200.fc37.x86_64.rpm
diff --git a/image/mkosi.conf.d/mkosi.conf b/image/mkosi.conf.d/mkosi.conf
index 7f8f5efc5..1fa05ad33 100644
--- a/image/mkosi.conf.d/mkosi.conf
+++ b/image/mkosi.conf.d/mkosi.conf
@@ -3,13 +3,10 @@ Distribution=fedora
Release=37
[Output]
-Format=gpt_squashfs
+Format=disk
ManifestFormat=json,changelog
Bootable=yes
-KernelCommandLine=mitigations=auto,nosmt preempt=full rd.shell=0 rd.emergency=reboot loglevel=8
-WithUnifiedKernelImages=yes
-Verity=yes
-CompressFs=zstd
+KernelCommandLine=mitigations=auto,nosmt preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0
SplitArtifacts=yes
# Enable Secure Boot with own PKI
SecureBoot=yes
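Review bot: `console=ttyS0` is now on the shared KernelCommandLine next to `loglevel=8`, so every image streams full kernel and early-boot logs to the serial port; where the serial console is readable outside the guest (the hypervisor or the provider's console API) that is a disclosure channel, which matters for a confidential-VM image. openstack's own fragment already sets `console=tty0 console=ttyS0`, so that image ends up with the parameter twice. If serial output is only wanted for debug builds, gate it like the existing `constellation.debug` parameter in the Makefile rather than setting it globally; otherwise record the decision on the line, `# serial console on all images: boot logs are visible to whoever can read the VM's serial port`. Dropping `CompressFs=zstd` leaves the squashfs compression to the new tooling's default, which may change image size — confirm that is intended.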
@@ -20,19 +17,12 @@ SecureBootCertificate=pki/db.crt
ImageId=constellation
Output=image.raw
-[Partitions]
-ESPSize=512M
-
[Content]
-BasePackages=conditional
Packages=prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm
- util-linux
dracut
-
-[Host]
-QemuHeadless=yes
+ util-linux
diff --git a/image/mkosi.files/mkosi.gcp.conf b/image/mkosi.conf.d/mkosi.gcp.conf
similarity index 91%
rename from image/mkosi.files/mkosi.gcp.conf
rename to image/mkosi.conf.d/mkosi.gcp.conf
index 9ff6f4166..d27678e9a 100644
--- a/image/mkosi.files/mkosi.gcp.conf
+++ b/image/mkosi.conf.d/mkosi.gcp.conf
@@ -1,10 +1,12 @@
+[Match]
+PathExists=../.csp/gcp
+
[Output]
KernelCommandLine=constel.csp=gcp constel.attestation-variant=gcp-sev-es
OutputDirectory=mkosi.output.gcp
# replace kernel
[Content]
-BasePackages=conditional
Packages=prebuilt/rpms/gcp/kernel-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/gcp/kernel-core-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/gcp/kernel-modules-6.1.18-200.fc37.x86_64.rpm
diff --git a/image/mkosi.files/mkosi.openstack.conf b/image/mkosi.conf.d/mkosi.openstack.conf
similarity index 89%
rename from image/mkosi.files/mkosi.openstack.conf
rename to image/mkosi.conf.d/mkosi.openstack.conf
index 35ac99754..d7e1fbda9 100644
--- a/image/mkosi.files/mkosi.openstack.conf
+++ b/image/mkosi.conf.d/mkosi.openstack.conf
@@ -1,3 +1,6 @@
+[Match]
+PathExists=../.csp/openstack
+
[Output]
KernelCommandLine=constel.csp=openstack constel.attestation-variant=qemu-vtpm mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0
OutputDirectory=mkosi.output.openstack
@@ -5,7 +8,6 @@ OutputDirectory=mkosi.output.openstack
[Content]
Autologin=yes
Environment=CONSOLE_MOTD=true
-BasePackages=conditional
Packages=kernel
kernel-core
kernel-modules
diff --git a/image/mkosi.files/mkosi.qemu.conf b/image/mkosi.conf.d/mkosi.qemu.conf
similarity index 87%
rename from image/mkosi.files/mkosi.qemu.conf
rename to image/mkosi.conf.d/mkosi.qemu.conf
index b63ab3d5d..529ef75a0 100644
--- a/image/mkosi.files/mkosi.qemu.conf
+++ b/image/mkosi.conf.d/mkosi.qemu.conf
@@ -1,3 +1,6 @@
+[Match]
+PathExists=../.csp/qemu
+
[Output]
KernelCommandLine=constel.csp=qemu constel.attestation-variant=qemu-vtpm
OutputDirectory=mkosi.output.qemu
@@ -5,7 +8,6 @@ OutputDirectory=mkosi.output.qemu
[Content]
Autologin=yes
Environment=CONSOLE_MOTD=true
-BasePackages=conditional
Packages=kernel
kernel-core
kernel-modules
diff --git a/image/mkosi.conf.d/selinux.conf b/image/mkosi.conf.d/selinux.conf
index 2eddf3550..b55576282 100644
--- a/image/mkosi.conf.d/selinux.conf
+++ b/image/mkosi.conf.d/selinux.conf
@@ -1,3 +1,8 @@
[Output]
# set selinux to permissive
-KernelCommandLine=!selinux=0 selinux=1 enforcing=0
+KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
+
+[Content]
+# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
+Packages=selinux-policy,
+ selinux-policy-targeted,
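Review bot: The comment `# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot` does not describe the packages under it; it should read `# SELinux policy so the permissive mode set above has a policy to evaluate against`. `audit=0` disables the kernel audit subsystem at boot, which is the channel that carries SELinux AVC denial records and anything auditd would collect; with SELinux in permissive mode the AVC log is the only signal of what the policy would block, and it is likely lost here. If audit is being turned off for a concrete reason (boot noise, performance), say so in the comment; otherwise keep it enabled. The trailing comma in `selinux-policy-targeted,` looks like a leftover — confirm mkosi tolerates it.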
diff --git a/image/mkosi.repart/00-esp.conf b/image/mkosi.repart/00-esp.conf
new file mode 100644
index 000000000..126d27fb0
--- /dev/null
+++ b/image/mkosi.repart/00-esp.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=esp
+Format=vfat
+CopyFiles=/boot:/
+SizeMinBytes=256M
+SizeMaxBytes=512M
diff --git a/image/mkosi.repart/10-root.conf b/image/mkosi.repart/10-root.conf
new file mode 100644
index 000000000..10ac90529
--- /dev/null
+++ b/image/mkosi.repart/10-root.conf
@@ -0,0 +1,7 @@
+[Partition]
+Type=root
+Format=squashfs
+Verity=data
+VerityMatchKey=root
+CopyFiles=/
+Minimize=guess
diff --git a/image/mkosi.repart/20-root-verity.conf b/image/mkosi.repart/20-root-verity.conf
new file mode 100644
index 000000000..352c50d55
--- /dev/null
+++ b/image/mkosi.repart/20-root-verity.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+SizeMinBytes=64M
+SizeMaxBytes=64M
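Review bot: `SizeMinBytes=64M` together with `SizeMaxBytes=64M` pins the hash partition to exactly 64M with no headroom, so a root filesystem whose verity hash tree outgrows that will presumably fail at partition time rather than degrade; a comment there, `# fixed size keeps the partition layout stable; raise both values if the root fs grows`, would explain the choice. The other two new repart files are equally uncommented: `# ESP: receives the signed UKI copied from /boot` for 00-esp.conf and `# read-only squashfs root; VerityMatchKey pairs it with 20-root-verity.conf` for 10-root.conf. Without those, the pairing through `VerityMatchKey=root` is only discoverable by reading both files.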
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
index 8773a9b5f..9534b1929 100644
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
+++ b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
@@ -6,8 +6,9 @@
# Note: This script is sourced.
depends() {
- # expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
- echo systemd-network-management
+ # systemd-network-management expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
+ echo dracut-systemd systemd-network-management systemd-veritysetup systemd-udevd
+ return 0
}
install_and_enable_unit() {
@@ -79,4 +80,15 @@ install() {
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf"
+ # force systemd-networkd in initrd
+ install_and_enable_unit "systemd-networkd.service" \
+ "basic.target"
+ # shellcheck disable=SC2154
+ inst_multiple -o \
+ "${tmpfilesdir}"/systemd-network.conf \
+ "${systemdnetwork}"/80-6rd-tunnel.network \
+ "${systemdnetwork}"/80-container-vb.network \
+ "${systemdsystemunitdir}"/systemd-networkd-wait-online@.service
+ inst_simple /usr/lib/systemd/resolved.conf.d/fallback_dns.conf \
+ /usr/lib/systemd/resolved.conf.d/fallback_dns.conf
}
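Review bot: `inst_multiple -o` silently skips any of the listed files that do not exist, and the `# shellcheck disable=SC2154` above it signals that `${tmpfilesdir}` and `${systemdnetwork}` come from the dracut environment, so an unset variable or a renamed file on a newer systemd quietly leaves networkd config out of the initrd with no build-time error. If that best-effort behaviour is deliberate, say so: `# -o: these files vary by systemd version; missing ones are skipped on purpose`. The `inst_simple` of `fallback_dns.conf` into the initrd also deserves a line explaining why the initrd needs name resolution before the CSP resolver is known, since that is what makes the hard-coded public resolvers in the new drop-in reachable from early boot. The `install()` function starts above the hunk.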
diff --git a/image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf b/image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
new file mode 100644
index 000000000..1b9e32a50
--- /dev/null
+++ b/image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
@@ -0,0 +1,2 @@
+[Resolve]
+FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
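Review bot: The drop-in hard-codes Cloudflare, Google and Quad9 as `FallbackDNS` with no comment on when they are consulted; resolved uses FallbackDNS only when no DNS server is known from DHCP, static `.network` configuration or resolv.conf, so the line should carry `# used only when no DNS server is learned from the network; plain DNS, this drop-in sets neither DNSSEC= nor DNSOverTLS=`. Queries to these resolvers leave the VM in clear text, so if the initrd genuinely needs them before the CSP-provided resolver arrives, that reason belongs in the comment too (the module-setup.sh hunk installs this file into the initrd).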
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
index d969344af..4008179c8 100644
--- a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
+++ b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
@@ -4,5 +4,7 @@ enable constellation-bootstrapper.service
enable containerd.service
enable kubelet.service
enable systemd-networkd.service
+enable systemd-networkd.socket
+enable systemd-resolved.service
enable measurements.service
enable export_constellation_debug.service