mini-constellation: pin swtpm to v0.8.2 (#3756)

* mini-constellation: pin swtpm to v0.8.2 * containers: update libvirtd_base image --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-04-11 18:39:44 -04:00 · 2025-04-11 14:09:37 +02:00 · 2025-04-11 14:09:37 +02:00 · e46726cf13
commit e46726cf13
parent 97a313ae0d
2 changed files with 13 additions and 3 deletions
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@ -16,6 +16,6 @@ def containter_image_deps():
    )
    oci_pull(
        name = "libvirtd_base",
-        digest = "sha256:10bc5281807d06e333f363dd27ccc8159884d706a6d738d6f54a925c483bdce3",
+        digest = "sha256:f23e0f587860c841adde25b1b4f0d99aa4fbce1c92b01b5b46ab5fa35980a135",
        image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
    )
--- a/nix/container/libvirtd_base.nix
+++ b/nix/container/libvirtd_base.nix
@ -62,12 +62,22 @@ let
  '';
  startScript = pkgsLinux.writeShellApplication {
    name = "start.sh";
-    runtimeInputs = with pkgsLinux; [
+    runtimeInputs = let nixpkgs24_11 = import "${pkgs.fetchFromGitHub {
+      # Pinned release which contains swtpm v0.8.2
+      # Newer versions of NixOS package swtpm v0.10.0 with https://github.com/stefanberger/swtpm/pull/896
+      # This release breaks MiniConstellation since either libvirt, or the Terraform libvirt provider
+      # tries to apply the TPM config twice, resulting in an error during the setup phase
+      owner = "NixOS";
+      repo = "nixpkgs";
+      tag = "24.11";
+      hash = "sha256-CqCX4JG7UiHvkrBTpYC3wcEurvbtTADLbo3Ns2CEoL8=";
+    }}"{system = "x86_64-linux";}; in
+    with pkgsLinux; [
      shadow
      coreutils
      libvirt
      qemu
-      swtpm
+      nixpkgs24_11.swtpm
    ];
    text = ''
      set -euo pipefail