Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-22 16:00:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

image: upgrade mkosi to support repart (#1684)

Browse Source
This commit is contained in:
Malte Poll 2023-04-25 18:22:40 +02:00 committed by GitHub
parent ded8abeacc
commit 84dd25600f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 192 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
.github/actions/setup_mkosi/action.yaml vendored
View File

@ -4,6 +4,9 @@ inputs:
version: version:
description: "Version (commit hash) of mkosi to install." description: "Version (commit hash) of mkosi to install."
required: true required: true
systemdVersion:
description: "Version (commit hash) of systemd to install."
required: true
runs: runs:
using: composite using: composite
steps: steps:
@ -14,27 +17,49 @@ runs:
echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
sudo apt-get update sudo apt-get update
sudo apt-get install --assume-yes --no-install-recommends \ sudo apt-get install --assume-yes --no-install-recommends \
bubblewrap \
dnf \ dnf \
systemd-container \
qemu-system-x86 \
ovmf \
e2fsprogs \ e2fsprogs \
squashfs-tools libfdisk-dev \
mtools \
ovmf \
python3-pefile \
python3-pyelftools \
python3-setuptools \
qemu-system-x86 \
squashfs-tools \
systemd-container
echo "::endgroup::" echo "::endgroup::"
# Try to eliminate "Failed to dissect image: Connection timed out" errors from nspawn by compiling - name: Checkout systemd
# systemd-nspawn from v251 from source. uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- name: Update systemd-nspawn with:
repository: systemd/systemd
path: ${{ github.action_path }}/systemd
ref: ${{ inputs.systemdVersion }}
- name: Update systemd tools
shell: bash shell: bash
working-directory: ${{ github.action_path }} working-directory: ${{ github.action_path }}
run: | run: |
echo "::group::Update systemd-nspawn" echo "::group::Update systemd tools"
sudo apt-get build-dep systemd sudo apt-get build-dep systemd
git clone https://github.com/systemd/systemd-stable --branch v251.2 --depth=1 meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
meson systemd-stable/build systemd-stable
ninja -C systemd-stable/build systemd-nspawn BINARIES=(
sudo ln -svf $PWD/systemd-stable/build/systemd-nspawn $(which systemd-nspawn) bootctl
systemd-nspawn --version systemctl
systemd-analyze
systemd-dissect
systemd-nspawn
systemd-repart
ukify
)
ninja -C systemd/build ${BINARIES[@]}
for BINARY in "${BINARIES[@]}"; do
sudo ln -svf $PWD/systemd/build/$BINARY /usr/bin/$BINARY
done
echo "::endgroup::" echo "::endgroup::"
- name: Install - name: Install

53
.github/workflows/build-os-image.yml vendored
View File

@ -284,7 +284,8 @@ jobs:
- name: Setup mkosi - name: Setup mkosi
uses: ./.github/actions/setup_mkosi uses: ./.github/actions/setup_mkosi
with: with:
version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3 version: d8b32fbf3077b612db0024276e73cec3c2c87577
systemdVersion: f6e94c5f7ddd796095cf6294857e535dcdbfc677
- name: Prepare PKI for secure boot signing - name: Prepare PKI for secure boot signing
id: prepare-pki id: prepare-pki
@ -295,6 +296,7 @@ jobs:
DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} DB_KEY: ${{ ((needs.build-settings.outputs.pkiSet == 'pki_prod') && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
run: | run: |
echo "${DB_KEY}" > "${PKI_SET}/db.key" echo "${DB_KEY}" > "${PKI_SET}/db.key"
chmod 600 "${PKI_SET}/db.key"
ln -s "${PKI_SET}" pki ln -s "${PKI_SET}" pki
- name: Build - name: Build
@ -322,12 +324,12 @@ jobs:
{ {
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)"
echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)"
echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.esp.raw | head -c 64)"
echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root-x86-64.raw | head -c 64)"
echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root-x86-64-verity.raw | head -c 64)"
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.changelog | head -c 64)"
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.manifest | head -c 64)"
} | tee -a "$GITHUB_OUTPUT" } | tee -a "$GITHUB_OUTPUT"
- name: Upload raw OS image as artifact - name: Upload raw OS image as artifact
@ -343,10 +345,9 @@ jobs:
path: | path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.cmdline
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.efi
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.initrd ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.esp.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.raw ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root-x86-64.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.roothash ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root-x86-64-verity.raw
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.root.verity
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.vmlinuz
- name: Upload manifest as artifact - name: Upload manifest as artifact
@ -354,8 +355,8 @@ jobs:
with: with:
name: manifest-${{ matrix.csp }} name: manifest-${{ matrix.csp }}
path: | path: |
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.changelog ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.changelog
${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.raw.manifest ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~37/image.manifest
upload-os-image: upload-os-image:
name: "Upload OS image to CSP" name: "Upload OS image to CSP"
@ -812,7 +813,7 @@ jobs:
- name: Unpack squashfs - name: Unpack squashfs
run: | run: |
echo "::group::Unpack squashfs" echo "::group::Unpack squashfs"
unsquashfs -user-xattrs -d image.root.tree image.root.raw unsquashfs -user-xattrs -d image.root.tree image.root-x86-64.raw
echo "::endgroup::" echo "::endgroup::"
- name: Create SBOM in SPDX fromat - name: Create SBOM in SPDX fromat
@ -847,35 +848,35 @@ jobs:
${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent ${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader ${{ needs.build-dependencies.outputs.measurement-reader-sha256 }} measurement-reader
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw ${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog ${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest ${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.manifest
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi ${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd ${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw ${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity ${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz ${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw ${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog ${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest ${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.manifest
${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi ${{ needs.make-os-image.outputs.image-efi-azure-sha256 }} azure/image.efi
${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd ${{ needs.make-os-image.outputs.image-initrd-azure-sha256 }} azure/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root.raw ${{ needs.make-os-image.outputs.image-root-raw-azure-sha256 }} azure/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity ${{ needs.make-os-image.outputs.image-root-verity-azure-sha256 }} azure/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz ${{ needs.make-os-image.outputs.image-vmlinuz-azure-sha256 }} azure/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw ${{ needs.make-os-image.outputs.image-raw-gcp-sha256 }} gcp/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.raw.changelog ${{ needs.make-os-image.outputs.image-raw-changelog-gcp-sha256 }} gcp/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.raw.manifest ${{ needs.make-os-image.outputs.image-raw-manifest-gcp-sha256 }} gcp/image.manifest
${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi ${{ needs.make-os-image.outputs.image-efi-gcp-sha256 }} gcp/image.efi
${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd ${{ needs.make-os-image.outputs.image-initrd-gcp-sha256 }} gcp/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root.raw ${{ needs.make-os-image.outputs.image-root-raw-gcp-sha256 }} gcp/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity ${{ needs.make-os-image.outputs.image-root-verity-gcp-sha256 }} gcp/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz ${{ needs.make-os-image.outputs.image-vmlinuz-gcp-sha256 }} gcp/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw ${{ needs.make-os-image.outputs.image-raw-qemu-sha256 }} qemu/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.raw.changelog ${{ needs.make-os-image.outputs.image-raw-changelog-qemu-sha256 }} qemu/image.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.raw.manifest ${{ needs.make-os-image.outputs.image-raw-manifest-qemu-sha256 }} qemu/image.manifest
${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi ${{ needs.make-os-image.outputs.image-efi-qemu-sha256 }} qemu/image.efi
${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd ${{ needs.make-os-image.outputs.image-initrd-qemu-sha256 }} qemu/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root.raw ${{ needs.make-os-image.outputs.image-root-raw-qemu-sha256 }} qemu/image.root-x86-64.raw
${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity ${{ needs.make-os-image.outputs.image-root-verity-qemu-sha256 }} qemu/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz ${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
EOF EOF
@ -886,7 +887,7 @@ jobs:
shell: bash shell: bash
run: | run: |
sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json' sboms='sbom.spdx.json sbom.cyclonedx.json sbom.syft.json'
manifests='image.raw.manifest image.raw.changelog' manifests='image.manifest image.changelog'
hashes='SHA256SUMS' hashes='SHA256SUMS'
for file in ${sboms} ${manifests} ${hashes}; do for file in ${sboms} ${manifests} ${hashes}; do
aws s3 cp \ aws s3 cp \

26
image/Makefile
View File

@ -8,11 +8,13 @@ DEBUGD_BINARY ?= $(BASE_PATH)/../build/debugd
MEASUREMENT_READER_BINARY ?= $(BASE_PATH)/../build/measurement-reader MEASUREMENT_READER_BINARY ?= $(BASE_PATH)/../build/measurement-reader
PKI ?= $(BASE_PATH)/pki PKI ?= $(BASE_PATH)/pki
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
EXTRA_SEARCH_PATHS ?=
IMAGE_VERSION ?= v0.0.0 IMAGE_VERSION ?= v0.0.0
DEBUG ?= false DEBUG ?= false
AUTOLOGIN ?= false AUTOLOGIN ?= false
AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
KERNEL_DEBUG_CMDLNE := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true KERNEL_DEBUG_CMDLNE := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
SEARCH_PATHS_PARAM := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
export INSTALL_DEBUGD ?= $(DEBUG) export INSTALL_DEBUGD ?= $(DEBUG)
export CONSOLE_MOTD = $(AUTOLOGIN) export CONSOLE_MOTD = $(AUTOLOGIN)
-include $(CURDIR)/config.mk -include $(CURDIR)/config.mk
@ -28,6 +30,8 @@ PREBUILT_RPMS_GCP := $(addprefix prebuilt/rpms/gcp/,$(GCP_FIXED_KERNEL_RPMS))
.PHONY: all clean inject-bins $(csps) .PHONY: all clean inject-bins $(csps)
.NOTPARALLEL: mkosi.output.%/fedora~37/image.raw clean-%
all: $(csps) all: $(csps)
$(csps): %: mkosi.output.%/fedora~37/image.raw $(csps): %: mkosi.output.%/fedora~37/image.raw
@ -50,18 +54,23 @@ prebuilt/rpms/azure/%.rpm:
@mkdir -p $(@D) @mkdir -p $(@D)
@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm @curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/kernel/6.1.18/200.fc37/x86_64/$*.rpm
mkosi.output.%/fedora~37/image.raw: mkosi.files/mkosi.%.conf inject-bins inject-certs mkosi.output.%/fedora~37/image.raw: inject-bins inject-certs
mkosi --config mkosi.files/mkosi.$*.conf \ rm -rf .csp/
mkdir -p .csp/
touch .csp/$*
mkosi \
--image-version=$(IMAGE_VERSION) \ --image-version=$(IMAGE_VERSION) \
$(AUTOLOGIN_ARGS) \ $(AUTOLOGIN_ARGS) \
--environment=INSTALL_DEBUGD \ --environment=INSTALL_DEBUGD \
--environment=CONSOLE_MOTD \ --environment=CONSOLE_MOTD \
--kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \ --kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
$(SEARCH_PATHS_PARAM) \
build build
secure-boot/signed-shim.sh $@ secure-boot/signed-shim.sh $@
@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \ @if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \ chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
fi fi
rm -rf .csp/
@echo "Image is ready: $@" @echo "Image is ready: $@"
inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE) $(PREBUILT_RPMS_GCP) inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILT_RPMS_AZURE) $(PREBUILT_RPMS_GCP)
@ -84,19 +93,16 @@ inject-certs: $(certs)
mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto" mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto" cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto" cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{PK,KEK,db}.esl "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{PK,KEK,db}.auth "$(MKOSI_EXTRA)/boot/loader/keys/auto"
# for manual enrollment using sbkeysync
mkdir -p $(MKOSI_EXTRA)/etc/secureboot/keys/{db,dbx,KEK,PK}
cp $(PKI)/db.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/db/"
cp $(PKI)/KEK.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/KEK/"
cp $(PKI)/PK.auth "$(MKOSI_EXTRA)/etc/secureboot/keys/PK/"
clean-cache: clean-cache:
rm -rf mkosi.cache/* rm -rf mkosi.cache/*
clean-%: clean-%:
mkosi --config mkosi.files/mkosi.$*.conf clean rm -rf .csp/
mkdir -p .csp/
touch .csp/$*
mkosi clean
rm -rf .csp/
clean: clean:
rm -rf mkosi.output.* rm -rf mkosi.output.*

63
image/README.md
View File

@ -6,10 +6,40 @@
cd /tmp/ cd /tmp/
git clone https://github.com/systemd/mkosi git clone https://github.com/systemd/mkosi
cd mkosi cd mkosi
git checkout d8b32fbf3077b612db0024276e73cec3c2c87577
tools/generate-zipapp.sh tools/generate-zipapp.sh
cp builddir/mkosi /usr/local/bin/ cp builddir/mkosi /usr/local/bin/
``` ```
- Build systemd tooling (from git):
Ubuntu and Fedora ship outdated versions of systemd tools, so you need to build them from source:
```sh
# Ubuntu
echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get build-dep systemd
sudo apt-get install libfdisk-dev
# Fedora
sudo dnf builddep systemd
git clone https://github.com/systemd/systemd --depth=1
meson systemd/build systemd -Drepart=true -Defi=true -Dbootloader=true
BINARIES=(
bootctl
systemctl
systemd-analyze
systemd-dissect
systemd-nspawn
systemd-repart
ukify
)
ninja -C systemd/build ${BINARIES[@]}
SYSTEMD_BIN=$(realpath systemd/build)
echo installed systemd tools to "${SYSTEMD_BIN}"
```
- Install tools: - Install tools:
<details> <details>
@ -18,22 +48,27 @@
```sh ```sh
sudo apt-get update sudo apt-get update
sudo apt-get install --assume-yes --no-install-recommends \ sudo apt-get install --assume-yes --no-install-recommends \
dnf \ bubblewrap \
systemd-container \
qemu-system-x86 \
qemu-utils \
ovmf \
e2fsprogs \
squashfs-tools \
efitools \
sbsigntool \
coreutils \ coreutils \
curl \ curl \
dnf \
e2fsprogs \
efitools \
jq \ jq \
util-linux \ mtools \
virt-manager \ ovmf \
python3-crc32c \ python3-crc32c \
rpm python3-pefile \
python3-pyelftools \
python3-setuptools \
qemu-system-x86 \
qemu-utils \
rpm \
sbsigntool \
squashfs-tools \
systemd-container \
util-linux \
virt-manager
``` ```
</details> </details>
@ -43,6 +78,7 @@
```sh ```sh
sudo dnf install -y \ sudo dnf install -y \
bubblewrap \
edk2-ovmf \ edk2-ovmf \
systemd-container \ systemd-container \
qemu \ qemu \
@ -68,13 +104,14 @@ When building your first image, prepare the secure boot PKI (see `secure-boot/ge
After that, you can build the image with: After that, you can build the image with:
```sh ```sh
# export SYSTEMD_BIN=<path to systemd tools>
# OPTIONAL: to create a debug image, export the following line # OPTIONAL: to create a debug image, export the following line
# export DEBUG=true # export DEBUG=true
# OPTIONAL: to enable the serial console, export the following line # OPTIONAL: to enable the serial console, export the following line
# export AUTOLOGIN=true # export AUTOLOGIN=true
# OPTIONAL: symlink custom path to secure boot PKI to ./pki # OPTIONAL: symlink custom path to secure boot PKI to ./pki
# ln -s /path/to/pki/folder ./pki # ln -s /path/to/pki/folder ./pki
sudo make -j $(nproc) sudo make EXTRA_SEARCH_PATHS="${SYSTEMD_BIN}" -j $(nproc)
``` ```
Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`. Raw images will be placed in `mkosi.output.<CSP>/fedora~37/image.raw`.

4
image/mkosi.files/mkosi.aws.conf → image/mkosi.conf.d/mkosi.aws.conf
View File

@ -1,9 +1,11 @@
[Match]
PathExists=../.csp/aws
[Output] [Output]
KernelCommandLine=constel.csp=aws constel.attestation-variant=aws-nitro-tpm KernelCommandLine=constel.csp=aws constel.attestation-variant=aws-nitro-tpm
OutputDirectory=mkosi.output.aws OutputDirectory=mkosi.output.aws
[Content] [Content]
BasePackages=conditional
Packages=kernel Packages=kernel
kernel-core kernel-core
kernel-modules kernel-modules

4
image/mkosi.files/mkosi.azure.conf → image/mkosi.conf.d/mkosi.azure.conf
View File

@ -1,10 +1,12 @@
[Match]
PathExists=../.csp/azure
[Output] [Output]
KernelCommandLine=constel.csp=azure constel.attestation-variant=azure-sev-snp KernelCommandLine=constel.csp=azure constel.attestation-variant=azure-sev-snp
OutputDirectory=mkosi.output.azure OutputDirectory=mkosi.output.azure
# replace kernel # replace kernel
[Content] [Content]
BasePackages=conditional
Packages=prebuilt/rpms/azure/kernel-6.1.18-200.fc37.x86_64.rpm Packages=prebuilt/rpms/azure/kernel-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/azure/kernel-core-6.1.18-200.fc37.x86_64.rpm prebuilt/rpms/azure/kernel-core-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/azure/kernel-modules-6.1.18-200.fc37.x86_64.rpm prebuilt/rpms/azure/kernel-modules-6.1.18-200.fc37.x86_64.rpm

16
image/mkosi.conf.d/mkosi.conf
View File

@ -3,13 +3,10 @@ Distribution=fedora
Release=37 Release=37
[Output] [Output]
Format=gpt_squashfs Format=disk
ManifestFormat=json,changelog ManifestFormat=json,changelog
Bootable=yes Bootable=yes
KernelCommandLine=mitigations=auto,nosmt preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 KernelCommandLine=mitigations=auto,nosmt preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0
WithUnifiedKernelImages=yes
Verity=yes
CompressFs=zstd
SplitArtifacts=yes SplitArtifacts=yes
# Enable Secure Boot with own PKI # Enable Secure Boot with own PKI
SecureBoot=yes SecureBoot=yes
@ -20,19 +17,12 @@ SecureBootCertificate=pki/db.crt
ImageId=constellation ImageId=constellation
Output=image.raw Output=image.raw
[Partitions]
ESPSize=512M
[Content] [Content]
BasePackages=conditional
Packages=prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm Packages=prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm
util-linux
dracut dracut
util-linux
[Host]
QemuHeadless=yes

4
image/mkosi.files/mkosi.gcp.conf → image/mkosi.conf.d/mkosi.gcp.conf
View File

@ -1,10 +1,12 @@
[Match]
PathExists=../.csp/gcp
[Output] [Output]
KernelCommandLine=constel.csp=gcp constel.attestation-variant=gcp-sev-es KernelCommandLine=constel.csp=gcp constel.attestation-variant=gcp-sev-es
OutputDirectory=mkosi.output.gcp OutputDirectory=mkosi.output.gcp
# replace kernel # replace kernel
[Content] [Content]
BasePackages=conditional
Packages=prebuilt/rpms/gcp/kernel-6.1.18-200.fc37.x86_64.rpm Packages=prebuilt/rpms/gcp/kernel-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/gcp/kernel-core-6.1.18-200.fc37.x86_64.rpm prebuilt/rpms/gcp/kernel-core-6.1.18-200.fc37.x86_64.rpm
prebuilt/rpms/gcp/kernel-modules-6.1.18-200.fc37.x86_64.rpm prebuilt/rpms/gcp/kernel-modules-6.1.18-200.fc37.x86_64.rpm

4
image/mkosi.files/mkosi.openstack.conf → image/mkosi.conf.d/mkosi.openstack.conf
View File

@ -1,3 +1,6 @@
[Match]
PathExists=../.csp/openstack
[Output] [Output]
KernelCommandLine=constel.csp=openstack constel.attestation-variant=qemu-vtpm mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0 KernelCommandLine=constel.csp=openstack constel.attestation-variant=qemu-vtpm mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0
OutputDirectory=mkosi.output.openstack OutputDirectory=mkosi.output.openstack
@ -5,7 +8,6 @@ OutputDirectory=mkosi.output.openstack
[Content] [Content]
Autologin=yes Autologin=yes
Environment=CONSOLE_MOTD=true Environment=CONSOLE_MOTD=true
BasePackages=conditional
Packages=kernel Packages=kernel
kernel-core kernel-core
kernel-modules kernel-modules

4
image/mkosi.files/mkosi.qemu.conf → image/mkosi.conf.d/mkosi.qemu.conf
View File

@ -1,3 +1,6 @@
[Match]
PathExists=../.csp/qemu
[Output] [Output]
KernelCommandLine=constel.csp=qemu constel.attestation-variant=qemu-vtpm KernelCommandLine=constel.csp=qemu constel.attestation-variant=qemu-vtpm
OutputDirectory=mkosi.output.qemu OutputDirectory=mkosi.output.qemu
@ -5,7 +8,6 @@ OutputDirectory=mkosi.output.qemu
[Content] [Content]
Autologin=yes Autologin=yes
Environment=CONSOLE_MOTD=true Environment=CONSOLE_MOTD=true
BasePackages=conditional
Packages=kernel Packages=kernel
kernel-core kernel-core
kernel-modules kernel-modules

7
image/mkosi.conf.d/selinux.conf
View File

@ -1,3 +1,8 @@
[Output] [Output]
# set selinux to permissive # set selinux to permissive
KernelCommandLine=!selinux=0 selinux=1 enforcing=0 KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
[Content]
# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
Packages=selinux-policy,
selinux-policy-targeted,

6
image/mkosi.repart/00-esp.conf Normal file
View File

@ -0,0 +1,6 @@
[Partition]
Type=esp
Format=vfat
CopyFiles=/boot:/
SizeMinBytes=256M
SizeMaxBytes=512M

7
image/mkosi.repart/10-root.conf Normal file
View File

@ -0,0 +1,7 @@
[Partition]
Type=root
Format=squashfs
Verity=data
VerityMatchKey=root
CopyFiles=/
Minimize=guess

6
image/mkosi.repart/20-root-verity.conf Normal file
View File

@ -0,0 +1,6 @@
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
SizeMinBytes=64M
SizeMaxBytes=64M

16
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
View File

@ -6,8 +6,9 @@
# Note: This script is sourced. # Note: This script is sourced.
depends() { depends() {
# expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd # systemd-network-management expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
echo systemd-network-management echo dracut-systemd systemd-network-management systemd-veritysetup systemd-udevd
return 0
} }
install_and_enable_unit() { install_and_enable_unit() {
@ -79,4 +80,15 @@ install() {
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12 # backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf" inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf"
# force systemd-networkd in initrd
install_and_enable_unit "systemd-networkd.service" \
"basic.target"
# shellcheck disable=SC2154
inst_multiple -o \
"${tmpfilesdir}"/systemd-network.conf \
"${systemdnetwork}"/80-6rd-tunnel.network \
"${systemdnetwork}"/80-container-vb.network \
"${systemdsystemunitdir}"/systemd-networkd-wait-online@.service
inst_simple /usr/lib/systemd/resolved.conf.d/fallback_dns.conf \
/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
} }

2
image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf Normal file
View File

@ -0,0 +1,2 @@
[Resolve]
FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9

2
image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
View File

@ -4,5 +4,7 @@ enable constellation-bootstrapper.service
enable containerd.service enable containerd.service
enable kubelet.service enable kubelet.service
enable systemd-networkd.service enable systemd-networkd.service
enable systemd-networkd.socket
enable systemd-resolved.service
enable measurements.service enable measurements.service
enable export_constellation_debug.service enable export_constellation_debug.service