Add patches and Makefile for modified CoreOS assembler

3rdparty/coreos-assembler/.gitignore

@@ -0,0 +1 @@
+build

3rdparty/coreos-assembler/HACKING.md

@@ -0,0 +1,36 @@
+# dm-verity patch for CoreOS assembler
+
+Constellation uses CoreOS as a base for OS images. While the images are mostly unmodified and can be built using the upstream CoreOS assembler, small modifications to the assembler are required to support dm-verity for the root filesystem.
+
+Checkout the CoreOS assembler source code [from the upstream repo](https://github.com/coreos/coreos-assembler) using the commit ID specified in the [Makefile](Makefile)
+
+```shell-session
+mkdir build && cd build
+git clone https://github.com/coreos/coreos-assembler
+git checkout <HASH>
+```
+
+Apply the patch:
+
+```shell-session
+patch -p1 < ../../verity.patch
+```
+
+Now you can make changes to the coreos-assembler and compile it using the included `Dockerfile`:
+
+```shell-session
+docker build -t <TAG> .
+```
+
+Once you are done, create a new patch file (within `3rdparty/coreos-assembler/build/coreos-assembler`):
+```shell-session
+git diff HEAD^ > ../../verity.patch
+```
+
+## Building the CoreOS assembler container image
+
+```shell-session
+make
+```
+
+The resulting container image will be tagged as `localhost/coreos-assembler`.

3rdparty/coreos-assembler/Makefile

@@ -0,0 +1,28 @@
+CONTAINER_RUNTIME ?= docker
+IMAGENAME         ?= localhost/coreos-assembler
+IMAGETAG          ?= latest
+UPSTREAM          ?= https://github.com/coreos/coreos-assembler
+COMMIT            ?= b8f61207c7a4ce345a1f136823dac6c628086273
+SRC_PATH           = $(CURDIR)
+BASE_PATH         ?= $(SRC_PATH)
+BUILDDIR		  ?= $(BASE_PATH)/build
+CLONEDIR	      ?= $(BUILDDIR)/coreos-assembler
+
+
+.PHONY: all clone patch containerimage clean
+
+all: clone patch containerimage
+
+clone:
+	@mkdir -p $(BUILDDIR)
+	git clone $(UPSTREAM) $(CLONEDIR)
+	cd $(CLONEDIR) && git checkout $(COMMIT)
+
+patch:
+	cd $(CLONEDIR) && patch -p1 < $(BASE_PATH)/verity.patch
+
+containerimage:
+	cd $(CLONEDIR) && $(CONTAINER_RUNTIME) build -t $(IMAGENAME):$(IMAGETAG) -f Dockerfile .
+
+clean:
+	rm -rf $(BUILDDIR)

3rdparty/coreos-assembler/verity.patch

@@ -0,0 +1,197 @@
+diff --git a/Dockerfile b/Dockerfile
+index 80c008a2d..329171970 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -35,3 +35,12 @@ RUN chmod g=u /etc/passwd
+ # run as `builder` user
+ USER builder
+ ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"]
++
++# Constellation start
++USER root
++
++RUN dnf -y update && \
++    dnf install -y veritysetup && \
++    dnf clean all
++
++USER builder
++# Constellation end
+diff --git a/mantle/platform/qemu.go b/mantle/platform/qemu.go
+index d4d5eafa7..20f156315 100644
+--- a/mantle/platform/qemu.go
++++ b/mantle/platform/qemu.go
+@@ -447,7 +447,7 @@ type QemuBuilder struct {
+ func NewQemuBuilder() *QemuBuilder {
+ 	ret := QemuBuilder{
+ 		Firmware:  "bios",
+-		Swtpm:     true,
++		Swtpm:     false,
+ 		Pdeathsig: true,
+ 		Argv:      []string{},
+ 	}
+diff --git a/src/cosalib/qemuvariants.py b/src/cosalib/qemuvariants.py
+index 8d57803b1..cdad6aeba 100644
+--- a/src/cosalib/qemuvariants.py
++++ b/src/cosalib/qemuvariants.py
+@@ -80,7 +80,7 @@ VARIANTS = {
+         "image_suffix": "tar.gz",
+         "gzip": True,
+         "convert_options": {
+-            '-o': 'preallocation=off'
++            '-o': 'preallocation=full'
+         },
+         "tar_members": [
+             "disk.raw"
+diff --git a/src/create_disk.sh b/src/create_disk.sh
+index 61d52cd96..fa3fe1655 100755
+--- a/src/create_disk.sh
++++ b/src/create_disk.sh
+@@ -120,6 +120,7 @@ set -x
+ # and we only get three of those. https://github.com/coreos/fedora-coreos-tracker/issues/855
+ BOOTPN=3
+ ROOTPN=4
++VERITYHASHPN=5
+ # Make the size relative
+ if [ "${rootfs_size}" != "0" ]; then
+     rootfs_size="+${rootfs_size}"
+@@ -132,7 +133,8 @@ case "$arch" in
+         -n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \
+         -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
+         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
+-        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
++        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
++        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
+         sgdisk -p "$disk"
+         ;;
+     aarch64)
+@@ -143,7 +145,8 @@ case "$arch" in
+         -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
+         -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
+         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
+-        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
++        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
++        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
+         sgdisk -p "$disk"
+         ;;
+     s390x)
+@@ -154,7 +157,8 @@ case "$arch" in
+         sgdisk -Z $disk \
+         -U "${uninitialized_gpt_uuid}" \
+         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
+-        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
++        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
++        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
+         sgdisk -p "$disk"
+         ;;
+     ppc64le)
+@@ -166,7 +170,8 @@ case "$arch" in
+         -n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \
+         -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
+         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
+-        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
++        -n ${ROOTPN}:0:${rootfs_size} -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
++        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
+         sgdisk -p "$disk"
+         ;;
+ esac
+@@ -174,6 +179,7 @@ esac
+ udevtrig
+
+ root_dev="${disk}${ROOTPN}"
++hash_dev="${disk}${VERITYHASHPN}"
+
+ bootargs=
+ # If the bootfs_metadata_csum_seed image.yaml knob is set to true then
+@@ -212,13 +218,13 @@ case "${rootfs_type}" in
+         # So basically, we're choosing performance over half-implemented security.
+         # Eventually, we'd like both - once XFS gains verity (probably not too hard),
+         # we could unconditionally enable it there.
+-        mkfs.ext4 -b $(getconf PAGE_SIZE) -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
++        mkfs.ext4 -b $(getconf PAGE_SIZE) -O verity -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
+         ;;
+     btrfs)
+-        mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
++        mkfs.btrfs -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
+         ;;
+     xfs|"")
+-        mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args}
++        mkfs.xfs "${root_dev}" -L root_raw -m reflink=1 -m uuid="${rootfs_uuid}" -s "size=4096" ${rootfs_args}
+         ;;
+     *)
+         echo "Unknown rootfs_type: $rootfs_type" 1>&2
+@@ -422,11 +428,11 @@ s390x)
+ esac
+
+ ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}"
+-# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
+-# https://github.com/ostreedev/ostree/issues/1265
+-ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
++# constellation: setting readonly to false interestingly stops ostree from remounting anything as rw
++ostree config --repo $rootfs/ostree/repo set sysroot.readonly false
+
+-touch $rootfs/boot/ignition.firstboot
++# constellation: do not enable ignition on first boot
++# touch $rootfs/boot/ignition.firstboot
+
+ # Finally, add the immutable bit to the physical root; we don't
+ # expect people to be creating anything there.  A use case for
+@@ -439,10 +445,21 @@ chattr +i $rootfs
+
+ fstrim -a -v
+ # Ensure the filesystem journals are flushed
+-for fs in $rootfs/boot $rootfs; do
++mount -o remount,ro $rootfs/boot
++for fs in $rootfs; do
+     mount -o remount,ro $fs
+     xfs_freeze -f $fs
+ done
+ umount -R $rootfs
+
+ rmdir $rootfs
++
++# setup dm-verity and disable audit logs
++veritysetup_out=$(veritysetup format "${root_dev}" "${hash_dev}")
++verity_root_hash=$(echo "${veritysetup_out}" | grep 'Root hash:' | sed --expression='s/Root hash:\s*//g')
++bootfs_mount=/tmp/boot
++rm -rf "${bootfs_mount}"
++mkdir -p "${bootfs_mount}"
++mount "${disk}${BOOTPN}" "${bootfs_mount}"
++sed -i -e "s/^options .*/\0 audit=0 verity.sysroot=${verity_root_hash}/g" "${bootfs_mount}/loader.1/entries/ostree-1-fedora-coreos.conf"
++umount "${bootfs_mount}"
+diff --git a/src/gf-fsck b/src/gf-fsck
+index 2d07eca2a..46c137672 100755
+--- a/src/gf-fsck
++++ b/src/gf-fsck
+@@ -28,7 +28,7 @@ for pt in $partitions; do
+ done
+
+ # And fsck the main rootfs
+-root=$(coreos_gf findfs-label root)
++root=$(coreos_gf findfs-label root_raw)
+ coreos_gf debug sh "fsck.xfs -f -n ${root}"
+
+ coreos_gf_shutdown
+diff --git a/src/libguestfish.sh b/src/libguestfish.sh
+index 82cfcf86e..635fb9eaa 100755
+--- a/src/libguestfish.sh
++++ b/src/libguestfish.sh
+@@ -58,7 +58,7 @@ coreos_gf_run_mount() {
+         shift
+     fi
+     coreos_gf_run "$@"
+-    root=$(coreos_gf findfs-label root)
++    root=$(coreos_gf findfs-label root_raw)
+     coreos_gf ${mntarg} "${root}" /
+     local boot
+     boot=$(coreos_gf findfs-label boot)
+diff --git a/src/vmdeps.txt b/src/vmdeps.txt
+index 6c6045840..ddbece267 100644
+--- a/src/vmdeps.txt
++++ b/src/vmdeps.txt
+@@ -27,3 +27,6 @@ gdisk xfsprogs e2fsprogs dosfstools btrfs-progs
+
+ # needed for basic CA support
+ ca-certificates
++
++# dm-verity
++veritysetup