Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

CI: Add secure boot prod keys (#462)

Browse Source 
* Add production secure boot keys
* Refactor OS build and upload settings
This commit is contained in:
Malte Poll 2022-11-04 16:48:52 +01:00 committed by GitHub
parent 5ffdbc9bd6
commit ed58fcccd3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 424 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

242
.github/actions/os_build_variables/action.yml vendored Normal file
View File

@ -0,0 +1,242 @@
name: Determine OS image upload variables
description: "Determine parameters used for image upload to various CSPs."
inputs:
csp:
description: "Cloud Service Provider"
required: true
uploadVariant:
description: "Upload variant"
required: true
basePath:
description: "Base path to the image build directory"
required: true
imageVersion:
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required: false
imageType:
description: "Type of image to build"
required: true
debug:
description: "Build debug image"
required: false
default: "false"
outputs:
awsRegion:
description: "Primary AWS region"
value: ${{ steps.aws.outputs.region }}
awsReplicationRegions:
description: "AWS regions to replicate the image to"
value: ${{ steps.aws.outputs.replicationRegions }}
awsBucket:
description: "AWS S3 bucket to upload the image to"
value: ${{ steps.aws.outputs.bucket }}
awsEfivarsPath:
description: "AWS efivars path"
value: ${{ steps.aws.outputs.efivarsPath }}
awsImagePath:
description: "AWS image path"
value: ${{ steps.aws.outputs.imagePath }}
awsAmiOutput:
description: "AWS ami output path"
value: ${{ steps.aws.outputs.amiOutput }}
awsImageFilename:
description: "AWS raw image filename"
value: ${{ steps.aws.outputs.imageFilename }}
awsImageName:
description: "AWS image name"
value: ${{ steps.aws.outputs.imageName }}
azureResourceGroupName:
description: "Azure resource group name"
value: ${{ steps.azure.outputs.resourceGroupName }}
azureRegion:
description: "Primary Azure region"
value: ${{ steps.azure.outputs.region }}
azureReplicationRegions:
description: "Azure regions to replicate the image to"
value: ${{ steps.azure.outputs.replicationRegions }}
azureVmgsRegion:
description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)"
value: ${{ steps.azure.outputs.vmgsRegion }}
azureSku:
description: "Azure SIG SKU"
value: ${{ steps.azure.outputs.sku }}
azurePublisher:
description: "Azure SIG publisher"
value: ${{ steps.azure.outputs.publisher }}
azureRawImagePath:
description: "Azure raw image path"
value: ${{ steps.azure.outputs.rawImagePath }}
azureImagePath:
description: "Azure image path"
value: ${{ steps.azure.outputs.imagePath }}
azureSecurityType:
description: "Azure security type"
value: ${{ steps.azure.outputs.securityType }}
azureDiskName:
description: "Azure disk name"
value: ${{ steps.azure.outputs.diskName }}
azureImageDefinition:
description: "Azure image definition"
value: ${{ steps.azure.outputs.imageDefinition }}
azureImageVersion:
description: "Azure image version"
value: ${{ steps.azure.outputs.imageVersion }}
azureGalleryName:
description: "Azure gallery name"
value: ${{ steps.azure.outputs.galleryName }}
azureVmgsPath:
description: "Azure VMGS path"
value: ${{ steps.azure.outputs.vmgsPath }}
gcpProject:
description: "GCP project"
value: ${{ steps.gcp.outputs.project }}
gcpBucket:
description: "GCP bucket"
value: ${{ steps.gcp.outputs.bucket }}
gcpRegion:
description: "GCP region"
value: ${{ steps.gcp.outputs.region }}
gcpRawImagePath:
description: "GCP raw image path"
value: ${{ steps.gcp.outputs.rawImagePath }}
gcpImagePath:
description: "GCP image path"
value: ${{ steps.gcp.outputs.imagePath }}
gcpImageName:
description: "GCP image name"
value: ${{ steps.gcp.outputs.imageName }}
gcpImageFilename:
description: "GCP image filename"
value: ${{ steps.gcp.outputs.imageFilename }}
gcpImageFamily:
description: "GCP image family"
value: ${{ steps.gcp.outputs.imageFamily }}
runs:
using: "composite"
steps:
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Configure AWS input variables
id: aws
if: ${{ inputs.csp == 'aws' }}
shell: bash
env:
basePath: ${{ inputs.basePath }}
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ inputs.imageType }}
timestamp: ${{ steps.version.outputs.timestamp }}
semver: ${{ steps.version.outputs.semanticVersion }}
branchName: ${{ steps.version.outputs.branchName }}
run: |
echo "region=eu-central-1" >> $GITHUB_OUTPUT
echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_OUTPUT
echo "imagePath=${basePath}/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_OUTPUT
echo "amiOutput=${basePath}/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_OUTPUT
echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT
if [ "${imageType}" = release ]
then
echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT
elif [ "${imageType}" = debug ]
then
echo "imageName=constellation-debug-${semver}-${timestamp}" >> $GITHUB_OUTPUT
else
echo "imageName=constellation-${branchName}-${timestamp}" >> $GITHUB_OUTPUT
fi
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
- name: Configure Azure input variables
id: azure
if: ${{ inputs.csp == 'azure' }}
shell: bash
env:
basePath: ${{ inputs.basePath }}
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ inputs.imageType }}
timestamp: ${{ steps.version.outputs.timestamp }}
semver: ${{ steps.version.outputs.semanticVersion }}
pseudover: ${{ steps.version.outputs.pseudoVersion }}
branchName: ${{ steps.version.outputs.branchName }}
run: |
echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT
echo "region=northeurope" >> $GITHUB_OUTPUT
echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT
echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT
echo "sku=constellation" >> $GITHUB_OUTPUT
echo "publisher=edgelesssys" >> $GITHUB_OUTPUT
echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_OUTPUT
echo "imagePath=${basePath}/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_OUTPUT
# TODO: set default security type to "ConfidentialVM" once replication is possible
securityType=${{ inputs.uploadVariant }}
if [ -z "${securityType}" ]; then
securityType=ConfidentialVMSupported
fi
echo "securityType=${securityType}" >> $GITHUB_OUTPUT
echo "diskName=constellation-${pseudover//./-}-${securityType,,}" >> $GITHUB_OUTPUT
if [ "${imageType}" = release ]
then
echo "imageDefinition=constellation" >> $GITHUB_OUTPUT
echo "imageOffer=constellation" >> $GITHUB_OUTPUT
echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT
galleryName=Constellation
elif [ "${imageType}" = debug ]
then
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
galleryName=Constellation_Debug
else
echo "imageDefinition=${branchName}" >> $GITHUB_OUTPUT
echo "imageOffer=${branchName}" >> $GITHUB_OUTPUT
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
galleryName=Constellation_Testing
fi
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
if [ "${securityType}" == "ConfidentialVMSupported" ]; then
echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT
echo "vmgsPath=" >> $GITHUB_OUTPUT
else
echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT
echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT
fi
# image family and image name may include lowercase alphanumeric characters and dashes.
# Must not end or begin with a dash
- name: Configure GCP input variables
id: gcp
if: ${{ inputs.csp == 'gcp' }}
shell: bash
env:
basePath: ${{ inputs.basePath }}
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ inputs.imageType }}
timestamp: ${{ steps.version.outputs.timestamp }}
semver: ${{ steps.version.outputs.semanticVersion }}
branchName: ${{ steps.version.outputs.branchName }}
run: |
echo "project=constellation-images" >> $GITHUB_OUTPUT
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
echo "region=europe-west3" >> $GITHUB_OUTPUT
echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_OUTPUT
echo "imagePath=${basePath}/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_OUTPUT
if [ "${imageType}" = release ]
then
echo "imageName=constellation-${imageVersion//./-}" >> $GITHUB_OUTPUT
echo "imageFilename=constellation-${imageVersion//./-}.tar.gz" >> $GITHUB_OUTPUT
echo "imageFamily=constellation" >> $GITHUB_OUTPUT
elif [ "${imageType}" = debug ]
then
echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT
echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT
echo "imageFamily=constellation-debug-${semver//./-}" >> $GITHUB_OUTPUT
else
echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT
echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT
echo "imageFamily=constellation-${branchName}" >> $GITHUB_OUTPUT
fi

197
.github/workflows/build-os-image.yml vendored
View File

@ -57,9 +57,49 @@ jobs:
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT
working-directory: ${{ github.workspace }}/build
build-settings:
name: "Determine build settings"
runs-on: ubuntu-22.04
outputs:
imageType: ${{ steps.image-type.outputs.imageType }}
pkiSet: ${{ steps.pki-set.outputs.pkiSet }}
steps:
- name: Checkout
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Determine type of image build
shell: bash
id: image-type
run: |
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == 'false') }}" = true ]
then
echo "imageType=release" >> $GITHUB_OUTPUT
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == 'true') }}" = true ]
then
echo "imageType=debug" >> $GITHUB_OUTPUT
else
echo "imageType=branch" >> $GITHUB_OUTPUT
fi
- name: Determine PKI set
id: pki-set
shell: bash
run: |
if [ "${{ steps.image-type.outputs.image-type }}" = "release" ]
then
echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT
else
echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT
fi
make-os-image:
name: "Build OS using mkosi"
needs: build-dependencies
needs: [build-settings, build-dependencies]
runs-on: ubuntu-22.04
# TODO: flatten outputs once possible
# https://github.com/community/community/discussions/17245
@ -121,13 +161,15 @@ jobs:
version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3
- name: Prepare PKI for secure boot signing
id: prepare-pki
shell: bash
run: |
ln -s pki_testing pki
echo "${DB_KEY}" > pki/db.key
echo "${DB_KEY}" > ${PKI_SET}/db.key
ln -s ${PKI_SET} pki
working-directory: ${{ github.workspace }}/image
env:
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }}
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
DB_KEY: ${{ (needs.build-settings.outputs.imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
- name: Build
shell: bash
@ -190,7 +232,7 @@ jobs:
upload-os-image:
name: "Upload OS image to CSP"
needs: make-os-image
needs: [build-settings, make-os-image]
runs-on: ubuntu-22.04
permissions:
id-token: write
@ -213,6 +255,17 @@ jobs:
name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
- name: Configure input variables
id: vars
uses: ./.github/actions/os_build_variables
with:
csp: ${{ matrix.csp }}
uploadVariant: ${{ matrix.upload-variant }}
basePath: ${{ github.workspace }}/image
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ needs.build-settings.outputs.imageType }}
debug: ${{ inputs.debug }}
- name: Install tools
shell: bash
run: |
@ -243,102 +296,25 @@ jobs:
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
- name: Prepare PKI for image upload
shell: bash
run: ln -s pki_testing pki
working-directory: ${{ github.workspace }}/image
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
# Make sure to set valid names for AWS, Azure and GCP
# Azure
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
#
# GCP
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
- name: Configure input variables
id: prepare-pki
shell: bash
run: |
timestamp=${{ steps.version.outputs.timestamp }}
semver=${{ steps.version.outputs.semanticVersion }}
imageVersion=${{ inputs.imageVersion }}
pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV
echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV
echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV
echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV
echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV
echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV
echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
echo "AZURE_SKU=constellation" >> $GITHUB_ENV
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
# TODO: set default security type to "ConfidentialVM" once replication is possible
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
if [ -z "${AZURE_SECURITY_TYPE}" ]; then
AZURE_SECURITY_TYPE=ConfidentialVMSupported
fi
echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=constellation
echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${semver}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Debug
else
echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Testing
fi
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
else
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
fi
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
working-directory: ${{ github.workspace }}/image
- name: Download VMGS blob
run: |
aws s3 cp \
--region ${AWS_REGION} \
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
--region ${AZURE_VMGS_REGION} \
s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
--no-progress
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
- name: Upload AWS image
shell: bash
@ -350,6 +326,16 @@ jobs:
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'aws' }}
env:
PKI: ${{ github.workspace }}/image/pki
AWS_AMI_OUTPUT: ${{ steps.vars.outputs.awsAmiOutput }}
AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }}
AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }}
AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }}
AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }}
AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }}
AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
- name: Upload GCP image
shell: bash
@ -361,6 +347,16 @@ jobs:
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'gcp' }}
env:
PKI: ${{ github.workspace }}/image/pki
GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }}
GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }}
GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }}
GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }}
GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }}
GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
- name: Upload Azure image
shell: bash
@ -372,6 +368,23 @@ jobs:
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' }}
env:
PKI: ${{ github.workspace }}/image/pki
AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }}
AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }}
AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }}
AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}
AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }}
AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }}
AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }}
AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }}
AZURE_REGION: ${{ steps.vars.outputs.azureRegion }}
AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }}
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }}
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
calculate-pcrs:
name: "Calculate PCRs"

15
cli/internal/libvirt/Dockerfile
View File

@ -1,12 +1,12 @@
FROM fedora:36@sha256:455fec9590de794fbc21f61dbc7e90bf9918b58492d2a03fa269c09db47b43f6 AS deploy
RUN dnf -y update && \
dnf -y install dnf-plugins-core \
libvirt-daemon-config-network \
libvirt-daemon-kvm \
qemu-kvm \
swtpm \
swtpm-tools \
libvirt-client && \
libvirt-daemon-config-network \
libvirt-daemon-kvm \
qemu-kvm \
swtpm \
swtpm-tools \
libvirt-client && \
dnf clean all
# Prevent cgroup issues on Fedora and configure libvirt
@ -19,8 +19,7 @@ RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \
# Copy nvram templates
COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd
# TODO: Uncomment this line when we have a production template
# COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh

BIN
cli/internal/libvirt/nvram/constellation_vars.production.fd Normal file
View File

Binary file not shown.

1
image/README.md
View File

@ -106,6 +106,7 @@ export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images"
export AZURE_REGION=northeurope
export AZURE_REPLICATION_REGIONS=
export AZURE_DISK_NAME=constellation-$(date +%s)
export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw

BIN
image/pki_prod/KEK.auth Normal file
View File

Binary file not shown.

BIN
image/pki_prod/KEK.cer Normal file
View File

Binary file not shown.

23
image/pki_prod/KEK.crt Normal file
View File

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIUPRz+bwbU52YaVAdEOfTJsDS8uaMwDQYJKoZIhvcNAQEL
BQAwgYAxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVu
MQ8wDQYDVQQHDAZCb2NodW0xHjAcBgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21i
SDEiMCAGA1UEAwwZQ29uc3RlbGxhdGlvbiBLRUsgQ0EgMjAyMjAeFw0yMjExMDMx
MDQ0NDRaFw0yMjEyMDMxMDQ0NDRaMIGAMQswCQYDVQQGEwJERTEcMBoGA1UECAwT
Tm9yZHJoZWluIFdlc3RmYWxlbjEPMA0GA1UEBwwGQm9jaHVtMR4wHAYDVQQKDBVF
ZGdlbGVzcyBTeXN0ZW1zIEdtYkgxIjAgBgNVBAMMGUNvbnN0ZWxsYXRpb24gS0VL
IENBIDIwMjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCH7pE0Tj7w
MbkyiP//SnoMsO576EflVzaAuuhtdk/VPRvWFLbYfQF+Y9nMb1tsaf1pkMsYvO9G
nww0P+5kBEkqnNg3wEnHOmJvJvqXGeo5kZ6LOkBo2cF9jWYxAQzpBq/DSbFxxuoC
0S2SJ+x1VW2rQSBDm39WIN96j3OOfWlGh9jM2Y//zajSMiLCn2l2BbxC68SxCdy+
DZKy8EhDnrXaR/c3wx4OmuyUAYjGy4AZoyKz6yW1tPFzB+YxSQg12oHqVeU16Fh5
Lh/sYRzf0XOLOCqmiA8Sdt47Mbg3FUMxqiXE72GslSfO866va1sc/XPWtthO/8DH
wURcg5VjuL57AgMBAAGjPzA9MB0GA1UdDgQWBBSvkI06eyur45yPKWNppXgKDY39
BjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
AQEAR+kGJkPdQahdPYo4ysyHLmiN6LlTwUsfEvvvree4rIM3yMBLdp5cSTtj/R29
QMhJvdqFxTRpq7if1qfeXgs4VKuJhFa5MKDE2v2aNGn2fdH11+eQN8g2D2LI/VS8
bVaEXY2iDbN0wE190stW7zMYZymyE7k2ApSvk4dgIiTD5ekFGZQMASeRokih1N1C
0BswAn/cQiD+V8H+f69nYlykH+054RbM3BR4GNyimMtYm+2YTT3Dqp0gXZ4VGIV5
XNv9qKJv5rVCuhl0RtRQu1+MRbvVHtGtbHUzBtUSYqdOlq7jMvPCx0GjbNx4L0RU
LSqg6IEUEjiayK1RQtsD/dVXZQ==
-----END CERTIFICATE-----

BIN
image/pki_prod/KEK.esl Normal file
View File

Binary file not shown.

BIN
image/pki_prod/MicCorKEKCA2011_2011-06-24.crt Normal file
View File

Binary file not shown.

BIN
image/pki_prod/MicCorKEKCA2011_2011-06-24.esl Normal file
View File

Binary file not shown.

BIN
image/pki_prod/MicCorUEFCA2011_2011-06-27.crt Normal file
View File

Binary file not shown.

BIN
image/pki_prod/MicCorUEFCA2011_2011-06-27.esl Normal file
View File

Binary file not shown.

BIN
image/pki_prod/MicWinProPCA2011_2011-10-19.crt Normal file
View File

Binary file not shown.

BIN
image/pki_prod/MicWinProPCA2011_2011-10-19.esl Normal file
View File

Binary file not shown.

BIN
image/pki_prod/PK.auth Normal file
View File

Binary file not shown.

BIN
image/pki_prod/PK.cer Normal file
View File

Binary file not shown.

23
image/pki_prod/PK.crt Normal file
View File

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIID0TCCArmgAwIBAgIUJREZ+2W4ltUi+sHkD0P2Gzh1pugwDQYJKoZIhvcNAQEL
BQAwgYExCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVu
MQ8wDQYDVQQHDAZCb2NodW0xHjAcBgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21i
SDEjMCEGA1UEAwwaQ29uc3RlbGxhdGlvbiBVRUZJIENBIDIwMjIwHhcNMjIxMTAz
MTA0NDQzWhcNMjIxMjAzMTA0NDQzWjCBgTELMAkGA1UEBhMCREUxHDAaBgNVBAgM
E05vcmRyaGVpbiBXZXN0ZmFsZW4xDzANBgNVBAcMBkJvY2h1bTEeMBwGA1UECgwV
RWRnZWxlc3MgU3lzdGVtcyBHbWJIMSMwIQYDVQQDDBpDb25zdGVsbGF0aW9uIFVF
RkkgQ0EgMjAyMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbY5r+o
2oiCzfOMu0Bb3PqnF7ZBVY+bEwr1zDsX5tEyQqOOiemGLNE2yr6adjTRbldHNON1
kGzuoiD2N4yZQLIpgwPuK2BPM7+ZKVBX4Iw0lmwTXyQhj5uAfCvGbguBXAODB/OO
ERs09CIYseowGQXtsoOgPCBFv2hxYW65Veu0kEb2X81fBuigKZ7WYK3lPjY5Vm00
TIBIV4BsQ2Cd11qqt58gc1AXsrrsRkHMEKVUHhcwUxHu4ZRawdcCg1wEhtboP2Bn
rxfvi0dzqpMIHvWU8wzkauGOAEonSkAo2KOzPUzHzfZ35aArErW5GDwvW6ngt/qK
LcOEoPbL4zD8czECAwEAAaM/MD0wHQYDVR0OBBYEFIxJ60SdEHlmkxJi1Tmkhneq
qKGXMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBCwUA
A4IBAQBzl6kd0ugxUsdUeN+lirrCa8ZcdBaULcKUoCfL+Ho4PxotILH8g6lTCqNL
Isk+kmHsV0JHkkV5R46YbL16lZM1qXhtYQA5yTrKe9sNEre9plAPMQQ2xSAZmVLN
rXDHSLHnerWt2dHkeAF19W20lNBWS1JNRSPVKKWnIFePwm0Z5GXoIfPGyu8AZUTO
AJ7u0NRHiTuUfTC8mZz349ChSnEtRiYur20YHUxQudCQr58c594K1L7GfLoTSpSw
OuYxW7+IYAjLOch1VX9x9BmcmUEL9ut+5W7b61EHEikyUKhvozUWkb9XwmGwROSh
XfrcASBcXJcgYb3TXyHrIMBNtCEU
-----END CERTIFICATE-----

BIN
image/pki_prod/PK.esl Normal file
View File

Binary file not shown.

BIN
image/pki_prod/db.auth Normal file
View File

Binary file not shown.

BIN
image/pki_prod/db.cer Normal file
View File

Binary file not shown.

23
image/pki_prod/db.crt Normal file
View File

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIUabymjDZHxHUDa8BD0zOZ8+EOE3UwDQYJKoZIhvcNAQEL
BQAwgYgxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVu
MQ8wDQYDVQQHDAZCb2NodW0xHjAcBgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21i
SDEqMCgGA1UEAwwhQ29uc3RlbGxhdGlvbiBQcm9kdWN0aW9uIFBDQSAyMDIyMB4X
DTIyMTEwMzEwNDQ0NFoXDTIyMTIwMzEwNDQ0NFowgYgxCzAJBgNVBAYTAkRFMRww
GgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVuMQ8wDQYDVQQHDAZCb2NodW0xHjAc
BgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21iSDEqMCgGA1UEAwwhQ29uc3RlbGxh
dGlvbiBQcm9kdWN0aW9uIFBDQSAyMDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAjnnWY1ghM2nSAsXy5XTCzxelfn2r05XKIoi5Z/950/5vDXxwtHsP
+3+L0/cQOw4kFI18QZelKOR6ZmnjE2QqyzWfFGluJUKs8m/fWBVzfSmwnHxMrAAq
iO548WefX10zx/8V6M0vZ1V1yxSy7MmGbZfM3GyDWwzQqUPpT0aJqJqMMjLhqqo4
od0MogwfPs2TwAGwuKRDB2gQWefXZKGIuBGVV+aUtLtOqgg/IFCmpZ86aSKrC/sY
lZMaohez0w7C9qz0MxGammGkbzF5bwzb1pqZejOc3Gi42THaJkMB8NLG0snW4mEA
h0zyWwfsqDxG5AuOzcj7OPBbp6jxeyYzoQIDAQABoz8wPTAdBgNVHQ4EFgQU/8+b
Jm3btv0a/cjt91jbeFIsi80wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYw
DQYJKoZIhvcNAQELBQADggEBADPVt4BDSvTGCvxdBUWM94RU0BpineYMhXGxo5wl
SVo3QvA2UYdVgMOsxbRuc4cwDMCYWD9jX3EeLHQojZYevw6LwBxYz8cTW/U+7h4E
Ct2LVLJli5ZmUweTjEB6wBI+ykuQUicyvyOHY2kJbXzWYiZ8izByZNawP1sFuGgr
25gGJjArlxRn24Nv3ZpQjV4q6voTVulZQD1iNm7Y1gqrIhflvn91x5d8eARuieGH
4oYEvvYhTp8yxVeY8h+Q5Ve8gubj4rMwjEdDUdPMkJ6LHe+xjiH0xLjjKlVioDuZ
+HvmCaNQ50Gro7cfrn+kIi8gM1DnQFyRg54qVlN/MYasi7s=
-----END CERTIFICATE-----

BIN
image/pki_prod/db.esl Normal file
View File

Binary file not shown.