From ed58fcccd3b44e012fc7734441b0571cbfd03c3c Mon Sep 17 00:00:00 2001 
From: Malte Poll Date: Fri, 4 Nov 2022 16:48:52 +0100 Subject: [PATCH] CI: Add secure boot prod keys (#462) * Add production secure boot keys * Refactor OS build and upload settings --- .github/actions/os_build_variables/action.yml | 242 ++++++++++++++++++ .github/workflows/build-os-image.yml | 197 +++++++------- cli/internal/libvirt/Dockerfile | 15 +- .../nvram/constellation_vars.production.fd | Bin 0 -> 131072 bytes image/README.md | 1 + image/pki_prod/KEK.auth | Bin 0 -> 4103 bytes image/pki_prod/KEK.cer | Bin 0 -> 979 bytes image/pki_prod/KEK.crt | 23 ++ image/pki_prod/KEK.esl | Bin 0 -> 2583 bytes image/pki_prod/MicCorKEKCA2011_2011-06-24.crt | Bin 0 -> 1516 bytes image/pki_prod/MicCorKEKCA2011_2011-06-24.esl | Bin 0 -> 1560 bytes image/pki_prod/MicCorUEFCA2011_2011-06-27.crt | Bin 0 -> 1556 bytes image/pki_prod/MicCorUEFCA2011_2011-06-27.esl | Bin 0 -> 1600 bytes .../pki_prod/MicWinProPCA2011_2011-10-19.crt | Bin 0 -> 1499 bytes .../pki_prod/MicWinProPCA2011_2011-10-19.esl | Bin 0 -> 1543 bytes image/pki_prod/PK.auth | Bin 0 -> 2545 bytes image/pki_prod/PK.cer | Bin 0 -> 981 bytes image/pki_prod/PK.crt | 23 ++ image/pki_prod/PK.esl | Bin 0 -> 1025 bytes image/pki_prod/db.auth | Bin 0 -> 5699 bytes image/pki_prod/db.cer | Bin 0 -> 995 bytes image/pki_prod/db.crt | 23 ++ image/pki_prod/db.esl | Bin 0 -> 4182 bytes 23 files changed, 424 insertions(+), 100 deletions(-) create mode 100644 .github/actions/os_build_variables/action.yml create mode 100644 cli/internal/libvirt/nvram/constellation_vars.production.fd create mode 100644 image/pki_prod/KEK.auth create mode 100644 image/pki_prod/KEK.cer create mode 100644 image/pki_prod/KEK.crt create mode 100644 image/pki_prod/KEK.esl create mode 100644 image/pki_prod/MicCorKEKCA2011_2011-06-24.crt create mode 100644 image/pki_prod/MicCorKEKCA2011_2011-06-24.esl create mode 100644 image/pki_prod/MicCorUEFCA2011_2011-06-27.crt create mode 100644 image/pki_prod/MicCorUEFCA2011_2011-06-27.esl create mode 100644 
image/pki_prod/MicWinProPCA2011_2011-10-19.crt create mode 100644 image/pki_prod/MicWinProPCA2011_2011-10-19.esl create mode 100644 image/pki_prod/PK.auth create mode 100644 image/pki_prod/PK.cer create mode 100644 image/pki_prod/PK.crt create mode 100644 image/pki_prod/PK.esl create mode 100644 image/pki_prod/db.auth create mode 100644 image/pki_prod/db.cer create mode 100644 image/pki_prod/db.crt create mode 100644 image/pki_prod/db.esl diff --git a/.github/actions/os_build_variables/action.yml b/.github/actions/os_build_variables/action.yml new file mode 100644 index 000000000..09a2b1dac --- /dev/null +++ b/.github/actions/os_build_variables/action.yml 
@@ -0,0 +1,242 @@ +name: Determine OS image upload variables +description: "Determine parameters used for image upload to various CSPs." +inputs: + csp: + description: "Cloud Service Provider" + required: true + uploadVariant: + description: "Upload variant" + required: true + basePath: + description: "Base path to the image build directory" + required: true + imageVersion: + description: "Semantic version including patch e.g. v.. (only used for releases)" + required: false + imageType: + description: "Type of image to build" + required: true + debug: + description: "Build debug image" + required: false + default: "false" +outputs: + awsRegion: + description: "Primary AWS region" + value: ${{ steps.aws.outputs.region }} + awsReplicationRegions: + description: "AWS regions to replicate the image to" + value: ${{ steps.aws.outputs.replicationRegions }} + awsBucket: + description: "AWS S3 bucket to upload the image to" + value: ${{ steps.aws.outputs.bucket }} + awsEfivarsPath: + description: "AWS efivars path" + value: ${{ steps.aws.outputs.efivarsPath }} + awsImagePath: + description: "AWS image path" + value: ${{ steps.aws.outputs.imagePath }} + awsAmiOutput: + description: "AWS ami output path" + value: ${{ steps.aws.outputs.amiOutput }} + awsImageFilename: + description: "AWS raw image filename" + value: ${{ steps.aws.outputs.imageFilename }} + awsImageName: + description: "AWS image name" + value: ${{ steps.aws.outputs.imageName }} + azureResourceGroupName: + description: "Azure resource group name" + value: ${{ steps.azure.outputs.resourceGroupName }} + azureRegion: + description: "Primary Azure region" + value: ${{ steps.azure.outputs.region }} + azureReplicationRegions: + description: "Azure regions to replicate the image to" + value: ${{ steps.azure.outputs.replicationRegions }} + azureVmgsRegion: + description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)" + value: ${{ steps.azure.outputs.vmgsRegion }} + azureSku: + description: "Azure 
SIG SKU" + value: ${{ steps.azure.outputs.sku }} + azurePublisher: + description: "Azure SIG publisher" + value: ${{ steps.azure.outputs.publisher }} + azureRawImagePath: + description: "Azure raw image path" + value: ${{ steps.azure.outputs.rawImagePath }} + azureImagePath: + description: "Azure image path" + value: ${{ steps.azure.outputs.imagePath }} + azureSecurityType: + description: "Azure security type" + value: ${{ steps.azure.outputs.securityType }} + azureDiskName: + description: "Azure disk name" + value: ${{ steps.azure.outputs.diskName }} + azureImageDefinition: + description: "Azure image definition" + value: ${{ steps.azure.outputs.imageDefinition }} + azureImageVersion: + description: "Azure image version" + value: ${{ steps.azure.outputs.imageVersion }} + azureGalleryName: + description: "Azure gallery name" + value: ${{ steps.azure.outputs.galleryName }} + azureVmgsPath: + description: "Azure VMGS path" + value: ${{ steps.azure.outputs.vmgsPath }} + gcpProject: + description: "GCP project" + value: ${{ steps.gcp.outputs.project }} + gcpBucket: + description: "GCP bucket" + value: ${{ steps.gcp.outputs.bucket }} + gcpRegion: + description: "GCP region" + value: ${{ steps.gcp.outputs.region }} + gcpRawImagePath: + description: "GCP raw image path" + value: ${{ steps.gcp.outputs.rawImagePath }} + gcpImagePath: + description: "GCP image path" + value: ${{ steps.gcp.outputs.imagePath }} + gcpImageName: + description: "GCP image name" + value: ${{ steps.gcp.outputs.imageName }} + gcpImageFilename: + description: "GCP image filename" + value: ${{ steps.gcp.outputs.imageFilename }} + gcpImageFamily: + description: "GCP image family" + value: ${{ steps.gcp.outputs.imageFamily }} + +runs: + using: "composite" + steps: + - name: Determine version + id: version + uses: ./.github/actions/pseudo_version + + - name: Configure AWS input variables + id: aws + if: ${{ inputs.csp == 'aws' }} + shell: bash + env: + basePath: ${{ inputs.basePath }} + imageVersion: ${{ 
inputs.imageVersion }} + imageType: ${{ inputs.imageType }} + timestamp: ${{ steps.version.outputs.timestamp }} + semver: ${{ steps.version.outputs.semanticVersion }} + branchName: ${{ steps.version.outputs.branchName }} + run: | + echo "region=eu-central-1" >> $GITHUB_OUTPUT + echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT + echo "bucket=constellation-images" >> $GITHUB_OUTPUT + echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_OUTPUT + echo "imagePath=${basePath}/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_OUTPUT + echo "amiOutput=${basePath}/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_OUTPUT + echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT + if [ "${imageType}" = release ] + then + echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT + elif [ "${imageType}" = debug ] + then + echo "imageName=constellation-debug-${semver}-${timestamp}" >> $GITHUB_OUTPUT + else + echo "imageName=constellation-${branchName}-${timestamp}" >> $GITHUB_OUTPUT + fi + + # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character + # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character + # image version has to be semantic version in the form .. . 
uint may not be larger than 2,147,483,647 + - name: Configure Azure input variables + id: azure + if: ${{ inputs.csp == 'azure' }} + shell: bash + env: + basePath: ${{ inputs.basePath }} + imageVersion: ${{ inputs.imageVersion }} + imageType: ${{ inputs.imageType }} + timestamp: ${{ steps.version.outputs.timestamp }} + semver: ${{ steps.version.outputs.semanticVersion }} + pseudover: ${{ steps.version.outputs.pseudoVersion }} + branchName: ${{ steps.version.outputs.branchName }} + run: | + echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT + echo "region=northeurope" >> $GITHUB_OUTPUT + echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT + echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT + echo "sku=constellation" >> $GITHUB_OUTPUT + echo "publisher=edgelesssys" >> $GITHUB_OUTPUT + echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_OUTPUT + echo "imagePath=${basePath}/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_OUTPUT + # TODO: set default security type to "ConfidentialVM" once replication is possible + securityType=${{ inputs.uploadVariant }} + if [ -z "${securityType}" ]; then + securityType=ConfidentialVMSupported + fi + echo "securityType=${securityType}" >> $GITHUB_OUTPUT + echo "diskName=constellation-${pseudover//./-}-${securityType,,}" >> $GITHUB_OUTPUT + if [ "${imageType}" = release ] + then + echo "imageDefinition=constellation" >> $GITHUB_OUTPUT + echo "imageOffer=constellation" >> $GITHUB_OUTPUT + echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT + galleryName=Constellation + elif [ "${imageType}" = debug ] + then + echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT + echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT + echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT + galleryName=Constellation_Debug + else + echo "imageDefinition=${branchName}" >> $GITHUB_OUTPUT + echo "imageOffer=${branchName}" >> $GITHUB_OUTPUT + echo 
"imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT + galleryName=Constellation_Testing + fi + # TODO: enable VMGS upload for ConfidentialVM images once replication is possible + if [ "${securityType}" == "ConfidentialVMSupported" ]; then + echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT + echo "vmgsPath=" >> $GITHUB_OUTPUT + else + echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT + echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT + fi + + # image family and image name may include lowercase alphanumeric characters and dashes. + # Must not end or begin with a dash + - name: Configure GCP input variables + id: gcp + if: ${{ inputs.csp == 'gcp' }} + shell: bash + env: + basePath: ${{ inputs.basePath }} + imageVersion: ${{ inputs.imageVersion }} + imageType: ${{ inputs.imageType }} + timestamp: ${{ steps.version.outputs.timestamp }} + semver: ${{ steps.version.outputs.semanticVersion }} + branchName: ${{ steps.version.outputs.branchName }} + run: | + echo "project=constellation-images" >> $GITHUB_OUTPUT + echo "bucket=constellation-images" >> $GITHUB_OUTPUT + echo "region=europe-west3" >> $GITHUB_OUTPUT + echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_OUTPUT + echo "imagePath=${basePath}/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_OUTPUT + if [ "${imageType}" = release ] + then + echo "imageName=constellation-${imageVersion//./-}" >> $GITHUB_OUTPUT + echo "imageFilename=constellation-${imageVersion//./-}.tar.gz" >> $GITHUB_OUTPUT + echo "imageFamily=constellation" >> $GITHUB_OUTPUT + elif [ "${imageType}" = debug ] + then + echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT + echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT + echo "imageFamily=constellation-debug-${semver//./-}" >> $GITHUB_OUTPUT + else + echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT + echo "imageFilename=constellation-${timestamp}.tar.gz" >> 
$GITHUB_OUTPUT + echo "imageFamily=constellation-${branchName}" >> $GITHUB_OUTPUT + fi diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml index 404d4ab1b..1f194be28 100644 --- a/.github/workflows/build-os-image.yml +++ b/.github/workflows/build-os-image.yml @@ -57,9 +57,49 @@ jobs: echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/build + build-settings: + name: "Determine build settings" + runs-on: ubuntu-22.04 + outputs: + imageType: ${{ steps.image-type.outputs.imageType }} + pkiSet: ${{ steps.pki-set.outputs.pkiSet }} + + steps: + - name: Checkout + uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 + + - name: Determine version + id: version + uses: ./.github/actions/pseudo_version + + - name: Determine type of image build + shell: bash + id: image-type + run: | + if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == 'false') }}" = true ] + then + echo "imageType=release" >> $GITHUB_OUTPUT + elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == 'true') }}" = true ] + then + echo "imageType=debug" >> $GITHUB_OUTPUT + else + echo "imageType=branch" >> $GITHUB_OUTPUT + fi + + - name: Determine PKI set + id: pki-set + shell: bash + run: | + if [ "${{ steps.image-type.outputs.image-type }}" = "release" ] + then + echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT + else + echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT + fi + make-os-image: name: "Build OS using mkosi" - needs: build-dependencies + needs: [build-settings, build-dependencies] runs-on: ubuntu-22.04 # TODO: flatten outputs once possible # https://github.com/community/community/discussions/17245 
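Review bot: In the Azure step of this new action, the `debug` branch writes `echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT` twice and never sets `imageOffer`, and `imageOffer` is not declared in the action's `outputs:` at all (the list has `azureImageDefinition`, `azureImageVersion`, `azureGalleryName`, … but no `azureImageOffer`), so any consumer reading `steps.vars.outputs.azureImageOffer` gets an empty string. The duplicated line should be `echo "imageOffer=${semver}" >> $GITHUB_OUTPUT`, and an `azureImageOffer` output with `value: ${{ steps.azure.outputs.imageOffer }}` should be added next to `azureImageDefinition`. Separately, `securityType=${{ inputs.uploadVariant }}` interpolates an input straight into the shell script while every other value in the step is passed via `env:`; adding `uploadVariant: ${{ inputs.uploadVariant }}` to `env:` and using `securityType=${uploadVariant}` keeps the input from being parsed as shell if it ever becomes attacker-influenced. The `debug` input is declared but not read by any step, so it can probably be dropped or documented as reserved.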
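Review bot: `Determine PKI set` compares `steps.image-type.outputs.image-type`, but the preceding step writes its result under the key `imageType`, so the comparison is always against an empty string and `pkiSet` is `pki_testing` for every build, including releases. That is a secure-boot signing failure mode: the `Prepare PKI` step later in this patch selects the release DB key by `imageType == 'release'` directly, so a release build would drop the production signing key into `pki_testing/` and pair it with the testing PK/KEK/db certificates. The condition should read `if [ "${{ steps.image-type.outputs.imageType }}" = "release" ]`, or better, pass the value through `env: IMAGE_TYPE: ${{ steps.image-type.outputs.imageType }}` and test `"${IMAGE_TYPE}"` in the script. Deriving both the PKI set and the key choice from that single output would stop the two from diverging again.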
@@ -121,13 +161,15 @@ jobs: version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3 - name: Prepare PKI for secure boot signing + id: prepare-pki shell: bash run: | - ln -s pki_testing pki - echo "${DB_KEY}" > pki/db.key + echo "${DB_KEY}" > ${PKI_SET}/db.key + ln -s ${PKI_SET} pki working-directory: ${{ github.workspace }}/image env: - DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }} + PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} + DB_KEY: ${{ (needs.build-settings.outputs.imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} - name: Build shell: bash @@ -190,7 +232,7 @@ jobs: upload-os-image: name: "Upload OS image to CSP" - needs: make-os-image + needs: [build-settings, make-os-image] runs-on: ubuntu-22.04 permissions: id-token: write @@ -213,6 +255,17 @@ jobs: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 + - name: Configure input variables + id: vars + uses: ./.github/actions/os_build_variables + with: + csp: ${{ matrix.csp }} + uploadVariant: ${{ matrix.upload-variant }} + basePath: ${{ github.workspace }}/image + imageVersion: ${{ inputs.imageVersion }} + imageType: ${{ needs.build-settings.outputs.imageType }} + debug: ${{ inputs.debug }} + - name: Install tools shell: bash run: | 
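Review bot: The new `DB_KEY` expression `(imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY` fails open: if `SECURE_BOOT_RELEASE_DB_KEY` is unset or empty wherever this workflow runs, the `&&` yields an empty string and `||` silently substitutes the testing key, so a release image gets signed with the testing DB key and nothing fails. The step should refuse to continue when a release build does not actually have the release key, which can be checked without exposing the secret to the script by passing a boolean through `env:`. While here, `echo "${DB_KEY}" > ${PKI_SET}/db.key` creates the private key inside the checkout with the default umask and leaves `${PKI_SET}` unquoted; a `umask 077` and quotes cost nothing. The `Build` step that consumes `pki/` is outside this hunk.

```yaml
  run: |
    # fail closed: a release must never fall back to the testing key
    if [ "${IMAGE_TYPE}" = release ] && [ "${RELEASE_KEY_PRESENT}" != true ]; then
      echo "SECURE_BOOT_RELEASE_DB_KEY is not set; refusing to sign a release image" >&2
      exit 1
    fi
    umask 077
    echo "${DB_KEY}" > "${PKI_SET}/db.key"
    ln -s "${PKI_SET}" pki
  # … unchanged: working-directory …
  env:
    PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
    IMAGE_TYPE: ${{ needs.build-settings.outputs.imageType }}
    RELEASE_KEY_PRESENT: ${{ secrets.SECURE_BOOT_RELEASE_DB_KEY != '' }}
    DB_KEY: ${{ (needs.build-settings.outputs.imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
```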
@@ -243,102 +296,25 @@ jobs: gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} - name: Prepare PKI for image upload - shell: bash - run: ln -s pki_testing pki - working-directory: ${{ github.workspace }}/image - - - name: Determine version - id: version - uses: ./.github/actions/pseudo_version - - # Make sure to set valid names for AWS, Azure and GCP - # Azure - # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character - # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character - # image version has to be semantic version in the form .. . uint may not be larger than 2,147,483,647 - # - # GCP - # image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash - - name: Configure input variables + id: prepare-pki shell: bash run: | - timestamp=${{ steps.version.outputs.timestamp }} - semver=${{ steps.version.outputs.semanticVersion }} - imageVersion=${{ inputs.imageVersion }} - pseudover=${{ steps.version.outputs.pseudoVersion }} - echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV - echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV - echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV - echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV - echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV - echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV - echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV - echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV - echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV - echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV - echo "GCP_REGION=europe-west3" >> $GITHUB_ENV - echo "GCP_RAW_IMAGE_PATH=${{ github.workspace 
}}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV - echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV - echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV - echo "AZURE_REGION=northeurope" >> $GITHUB_ENV - echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV - echo "AZURE_SKU=constellation" >> $GITHUB_ENV - echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV - echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV - echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV - # TODO: set default security type to "ConfidentialVM" once replication is possible - AZURE_SECURITY_TYPE=${{ matrix.upload-variant }} - if [ -z "${AZURE_SECURITY_TYPE}" ]; then - AZURE_SECURITY_TYPE=ConfidentialVMSupported - fi - echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV - echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV - if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ] - then - echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV - GCP_IMAGE_NAME=constellation-${imageVersion//./-} - echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV - AZURE_IMAGE_DEFINITION=constellation - echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV - AZURE_GALLERY_NAME=Constellation - elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ] - then - echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV - GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }} - echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV - AZURE_IMAGE_DEFINITION=${semver} - echo 
"AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV - AZURE_GALLERY_NAME=Constellation_Debug - else - echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV - GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }} - echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV - AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }} - echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV - AZURE_GALLERY_NAME=Constellation_Testing - fi - # TODO: enable VMGS upload for ConfidentialVM images once replication is possible - if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then - echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV - echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV - else - echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV - echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV - fi - echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV - echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV - echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV - echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV + ln -s ${{ needs.build-settings.outputs.pkiSet }} pki + working-directory: ${{ github.workspace }}/image - name: Download VMGS blob run: | aws s3 cp \ - --region ${AWS_REGION} \ - s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ - pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ + --region ${AZURE_VMGS_REGION} \ + s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \ + ${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \ --no-progress working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }} + env: + PKI_SET: ${{ needs.build-settings.outputs.pkiSet 
}} + AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} + AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} - name: Upload AWS image shell: bash @@ -350,6 +326,16 @@ jobs: echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'aws' }} + env: + PKI: ${{ github.workspace }}/image/pki + AWS_AMI_OUTPUT: ${{ steps.vars.outputs.awsAmiOutput }} + AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }} + AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }} + AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }} + AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }} + AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }} + AWS_REGION: ${{ steps.vars.outputs.awsRegion }} + AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }} - name: Upload GCP image shell: bash @@ -361,6 +347,16 @@ jobs: echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'gcp' }} + env: + PKI: ${{ github.workspace }}/image/pki + GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }} + GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }} + GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }} + GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }} + GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }} + GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }} + GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }} + GCP_REGION: ${{ steps.vars.outputs.gcpRegion }} - name: Upload Azure image shell: bash 
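Review bot: The unchanged condition on `Download VMGS blob`, `!endsWith(env.AZURE_SECURITY_TYPE, 'Supported')`, now depends on a variable that this patch moves from `$GITHUB_ENV` (set by an earlier step) into the step's own `env:` block. As far as I know a step's own `env:` is not visible to its `if:` expression, in which case `env.AZURE_SECURITY_TYPE` evaluates empty, `endsWith` is false, and the download also runs for `ConfidentialVMSupported` uploads, fetching a `ConfidentialVMSupported.vmgs` object the variables step deliberately gives no `vmgsPath` for. Reading the step output sidesteps the question: `if: ${{ matrix.csp == 'azure' && !endsWith(steps.vars.outputs.azureSecurityType, 'Supported') }}`. Since this blob seeds the secure-boot variable store for production images now that `${PKI_SET}` can be `pki_prod`, it would also be worth pinning the S3 object by version or verifying a known digest after download rather than trusting whatever currently sits at that key.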
@@ -372,6 +368,23 @@ jobs: echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' }} + env: + PKI: ${{ github.workspace }}/image/pki + AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }} + AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }} + AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }} + AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }} + AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }} + AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }} + AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }} + AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }} + AZURE_REGION: ${{ steps.vars.outputs.azureRegion }} + AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }} + AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} + AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }} + AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} + AZURE_SKU: ${{ steps.vars.outputs.azureSku }} + AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }} calculate-pcrs: name: "Calculate PCRs" diff --git a/cli/internal/libvirt/Dockerfile b/cli/internal/libvirt/Dockerfile index 2a0983f08..826cda25e 100644 --- a/cli/internal/libvirt/Dockerfile +++ b/cli/internal/libvirt/Dockerfile @@ -1,12 +1,12 @@ FROM fedora:36@sha256:455fec9590de794fbc21f61dbc7e90bf9918b58492d2a03fa269c09db47b43f6 AS deploy RUN dnf -y update && \ dnf -y install dnf-plugins-core \ - libvirt-daemon-config-network \ - libvirt-daemon-kvm \ - qemu-kvm \ - swtpm \ - swtpm-tools \ - libvirt-client && \ + libvirt-daemon-config-network \ + libvirt-daemon-kvm \ + qemu-kvm \ + swtpm \ + swtpm-tools \ + libvirt-client && \ dnf clean all # Prevent cgroup issues on Fedora and configure libvirt 
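Review bot: `AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}` references an output that the `os_build_variables` action introduced by this patch does not declare — its `outputs:` list has `azureImageDefinition`, `azureImageVersion`, `azureGalleryName` and the rest, but no `azureImageOffer` — and its Azure step only writes `imageOffer` in the release and branch paths, not in the debug one. The upload step will therefore run with an empty offer for every image type, where the old `$GITHUB_ENV` code always exported `AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}`. Add `azureImageOffer:` with `value: ${{ steps.azure.outputs.imageOffer }}` to the action's outputs and set `imageOffer` in the debug branch too. The upload script that consumes these variables is outside the hunk, so I can't tell whether it tolerates an empty value or fails loudly.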
@@ -19,8 +19,7 @@ RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \ # Copy nvram templates COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd -# TODO: Uncomment this line when we have a production template -# COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd +COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh 
diff --git a/cli/internal/libvirt/nvram/constellation_vars.production.fd b/cli/internal/libvirt/nvram/constellation_vars.production.fd new file mode 100644 index 0000000000000000000000000000000000000000..7913e23880761b2f4a16992f8b797e92d3656cae GIT binary patch literal 131072 zcmeI52_RJ4|G@87vkYpik=$%Mu3dZ|HyelihWSvR>aO*k7e@~lRNq|m7NqM4o4B-i=mmNS;AZ`NO0w_uycx$H~H3rn)+^3{!( ze)CqOm?!Mzh5EpIt#Y?>C(NCt_GI6=Dl^KcutLWo?iUAc4YaqFbS%Q@jT+NVz6wt0 zujA9iMJ8dSj1W8+=SOWVBTnJMF z!`+eAv=L13=Eial3F@w7T&i^ANu3dNHTTT1 z&3C!|!s~{P7vKNnApVC=K+b0Ue)scF3^|5ZHMf@DahBcGa%#`t6U~hU9u0jLov$ra zdCgGsj;@F$n^?AifNJq>nAb<Yn#|XG_;^tUIYDw)}OhqC%#RMuT9> zGOffn8cpw-23$*YK5DgpPlfTG7tMb4A%Qhhlr)PYGLr=-&_*muuc!2~k^tH3g3y%{2~3Sbrf`>aBD zFF%Or6rl8x8^eyIykG1-c%sFn9T@|%AB~_*F^`SMD{0|~izf)adfou@BPP zB1@k=zF6LDwZM5oKmDSI@}F9{-(4${$Ps%ud}V^qp-dUGhP>L%?O}TV~a73E^d|9?;&eh$NXKQYN@455F=Gi9(9h96+L=ekazY)8PD3|6=;&%nR=Q zugA2D2#fy8o5$aL(eFy(;k1shA!Mql=;tl89xG&J3LSB=}H~=7Jd^qOL6uTwigyAAOTGBFdJcAl?k+*3>&{wowg{=ks*seKs$A+?ptI zBWYM|-TGk#N`eU{Z6imChP=5Ey5mY<5%<~PXCjGfH=k&|&kXYv3AuLM;GWuyr12uP zb8T-9;!bMj-Kn=PeeowgsaK0^|4NGErf}6*?sm!~B#mreyrVx<@CgYAz~9y;!gJVpLqBq3*umRE5J_UaZsf&c>tN9jhbez~2{B(PP^qlRIg)yfd4{15D zQJy(2t$NM-*x*ek8N!D$q^aB+-=3Gq!)}x{l}d;PEL2M$av<5UX?Ff8yXhKN=~2hF z_SRRNN^$(6uV{)qz=Z;-8xypW3^Gb?Ulw+EW4fZJDhM4{kSsfHYOz*l_b%Oc8te2& z5_yS)qfhq{WOaU--lmVz5-A^=&n7dAMkwa#*0`pwGtJzPJS51n(55$e2DJrt%0sv= zBf*~K`FcFd+u`Y+_U!3yAWwIU?df;}Z3)3KzHW~S9 zsJa3E9!y^ba(0BlXm@ZloHm{|PK~BUXF0g`U3Fp?kBIsuqK-i$JC;+H|17E07(bDm{~Pf??8y}26K zG%i0UGk0{Tb1-*X^)zjYI@PDTtZre|=2DG-$Fa0~2|l%VH4pe3CXJjG<2YR9*j=L? 
z?r&x&ZuNc2yYpPp(1}*+p|uqaibXNftwraC^E0yy*BtjwnxtECAwzo(*8;N!#xVJj zvo+d2=?@TCUnRBw()|9=Xgph&n_?7JUou+eL&%shWJVIO2xb)`b6EeDi6+FTwI@RJ^jt> zev}xu{rZEl3aY%M7B|cs@qQ|q?d0^4lhgjDliM|lYy2w7vW-C(6W?t$Pk9h(v&ZV^ zIJxUBwii~{Z=db#aYbu=;;b9xDTB&z+jb{sj+@~o>Bi|s(FWh;}u524O#$aJ{Y3<0u+cK+T@9^Ike8yBjWB!8ph9Ng7 ziCKdNW~LTB)S+txmK~pY`dAI6^oeA}?voxboOj=|_O!t5cRmemUH|9wRm}~d(SCL( zEM@)FW;SKS+McD{=H-9(HmjsRz4|~F-m0S`%TwP(@C3GyG^M;Y>i*6?8wIQzx~F~o18P- zvEe>hG^>LDadS)3@`K?sR?Ih&O4y#?Un@e%gM0DeHKxuX2aoffDP9tzMiw@4UXuLy z{KxWXn&(Dm+J#EDYTYdqnfbo5Y#-Nht_e@}-SVzs$ZGx_ait|dirc+no!#6~L&l$d zKKjAM8Uw#sm#>yD$&r+bG_=1wcT2=R_dTBKuS#mQM?6&DE)c-eGRQXhT9C>W?jcVv zuOMy77JbQmzc@_AYv$cQpEATreC~$h3fm8Y^ z$H+)E=`JeOPJZl!D;#wYLkLVZ|)8{`D>9aZhx;f4Jy4=&6mCpYr;(q+0ltM|*iA{R9c zo-^d7MdG`CHc@&brKv{>@@7b!D&4(tgRFGo9g&ZVw{GxTv*P@bBbG(n7DD&!wx&Bh z6RP!+zojEGQ0HuU#ZRA84Qd`MA-Qnu-}B@1hu5Bo zy7}zMan;CNTa!VfUwUldy?Ck7w=wVVz3AneRAfz6l^aE-HG0GxSZhNM*tQ^Y!K4g% zvCL<=Hz;`*Zt6IsM_t)q>byp7u)j>amXYw3oi+KXYU+F6AGFF+iD<~=UUYU#VR8MC zDf4TLtc6$EhVM(0+*A;K*<*6z@B?G#uC`d7a5^D!p6<5hF+x?zS3Lu24l)kNM!)C1 z((=&k%I#d0#a2V*>6&LeEqymc=f6~US|IhhU}A)Y?N0jW*6l0b=|w9Jve_1SerD=h ze3P}rPNO9Gv1b)(bk`4_&81zNRK0xGq{-TcjU;_-9?Hw@y%kbN=26OcGc?igBqmfT zwX#}RUD27mXu!@Fmle~~9W))^j$2fsqafrI z)A4!AB~c-^YB836j^R7e46{bjoc4PX<@D7?BRld+RvMX9W?33+netce7!lKV#z;B_ zsxJeziYKOvzWF05y)YlNHAgZNOnr%K+uAwwbsq_oR|*MiU`%(I(ja8I_u`hlH7P-dHMKLd(6eo^qaONXw(hqn*{3n(vojp{r~%9r;h*suI3Nb zj%8~&vuVWak^k7Has6DIM(?T8?bBP(8MaO9F;`Dl{)5NBru7LMY+CP#z^3)ihJEHc zY#QM`|8tv0X7yM5^1z(-(^T2=cinat&bDbi=IVOIZ}<*2txxD+(|Sh)Hm!Fy>@(kC z(}*$b57;ycCvgH!ZJHWe{;pd>KvrVgv>tP@GySG5*t9;ugH7ul5!kfe*|5)ihfPD1 zDSpVNakK8#cYKvoyVf~5gk2Y6O9;tIY`fNDE_SBhv<17?CwQ=Hy(0p<);k;aneVV` z#4Ldy>8o+`{M@*j2D=Vjw;fX%KF8I1%+>XZ-|!vmTA$FtuJw)x>{{<^*k``Ot`YBA zf6T7&{?yo-Cc6$@x1BG9+5NR1b9KGqH+%=X)+cnZYrP`^yVg4!_8AVxhQz!MVvfiU z+BLqP8DAU6u0z)?AtWoY?OKny*qMIQ7VKJ|;K8o-jtJ~p?`+s-IJ9djC_jNS=Gu6d zVg(bulsO(@@;7u!h*@t&7#*93O+j-BZ82lCZ_u%4jlSuld2z;Q=Gt_0Et=lJQGZRL 
z&wJ^!N;E_z8(}t>C7LJK^)8&uza!=c63dzNULRW|y(RjcCR=)x`HRF^UB3T5v@z{( zZ`m(Ei2L+CFOi5z5>s2cucyME=h=1cAcnQe-r2SNqF$eO`lGLtzfmSyS%dY5Vf;un zR8UJWP)qorKQu>@R{}eCq%id9TQ&3SCzEUTxJhoK@JL{?*(!z-fn%;d^@>=>$J#t<1R{Y$R*|tb7U!y4q=Skp!{Jx@4k47>R^JJR~kM>Nt={OF3;f zVsfTjulFHlyP|gOewSe#M_BV3h&yp!CxSqC?i|;NMCnx)w9pPpWMOe)gJCDyT?-$H zL>7?1tc;FV9esCIEJYAYRMb9h)-Ezf&n>}cA^P+zGe>-Ws??l3i-hhN_aJk-HukDJ z9j*HPBsrBSzXzHA`L_RNa}a9tT}s4B-3cAq-)r6fSsnVBwdbVngf6b_q3*vz7ys$H z5$)R4L*3eS`oFYY5kwM20!y7aGkQ*;sZo@T+m)kHCJ#Fw3RK^Y)T?FXR4-njf_k>A zz1pbH{_UHMO-R@&aUZ_mn+1K3J@^UaIQOGhdSLgjex`l`9ZvL$cqX|}tM#l`|C`Sw zLQfXyNA!-{(3&;h*IyIqmF559GuolV+lKqw(_e6ZNrxhfu=vUQLbY=JW7S}Lx ze8oX==C3NyuY4cpSDoc;c z`>$}`cl>^R=)14*J!KNL=j0u&3d)D0PZ~waR8zOYY_n+G#w_hm@68Y!FIMC>7`?j) zMlo|Yq(R=Dac3e1&0xi1F^tfarRal}M($jKo!DoEB#|J59uUnTLTpjuL@uJPL|a?r z%yBfV!t`?vYTXpQ7dPArt+PPf+Z4$Y$Z9_f^K*9cSD~rUaXMP-9Q`v+puJz$`Li?P zradI0Unhbd+V1xt)`nP!?!aKJ7V-7!c*HeCYC<>Yel1!O={{QR{Y?9^ND_>ao$(q* zWdY=crTP`B$xRQ0#RI-tAgSv*c~cB%()eIv)i^#u@##!oS6>e|hBwvD&Ch>6THoE9 zCW0CaCLX{bo2A0S_S)|^$`51MqbWSY3x;21!eV_-srfe zCu_ynuNR=B(}{KR=ybH&swxdvLy1@y39XRSx%=gke!o}Lz7~XC6&;AgR58-hYZ$u{wkB~?R)!n#bWX+QKjB0UL zr3>n55)5y7z1^>v_w5Jx{V^(kbExTVOligQpqK7x^X90YX&X>~ajd&dzy*ndhI7$g z8~?iNxono;6RGwWrDg6g*R<&m^; ztu8AZwOvY8@VayG)8J2MpS`ia6J)6pck$~bUB6iHwTH#xRj(gfsz0syw7|zX+y?P) zqO30ucHZ(xaQULW8Jp#eXKLy-YRrhSS$cB!sr}x5F}PsqCVOp{d5eas_>W9T8hT7P zu2kCo(i!ntuO~krN)fmhXIBlG6T@&zmG#D$B)O>+s6(%TFx5YH!B5l65r2k7oo-IXp<#L9nQ~*Psup!Rv)3%!s$^>wPK(|hcbKDhY{c{x!c6qG z4h!+FkP|;j*eK55EB5U}h_OgM`gHf7zh%7Hz2kv(zJej#7pDPCj{A+oi2r1-b^pi5 zG+q1iX!QK^U~r;WgdVKzfyFNx7yPu!aZ)#;o&QBK&|lKd9pRQAc}>C57?{u#cu(=4 zy*nq^!Fvh>p@&4Uf!KOiz2YE%%HjMTPWudG)|i{KJ_E$4KPxezyZ>D=YVAJbDny+i zM$MW-*4YUqTAb5PD0+Ik`S~9Xg>p2`Ao@BGqyDaT`r(El;#YmeZi(mV-x#CjG$u<7 z!2Y{pvVFJ7_r_0&2?LOT01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f z00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f z00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f 
z00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx0zd!=00AHX1b_e#00KY&2mk>f z00e*l5C8(di-7Vd`>h_Ke;B8iyJ4TwhHOyTqvG0%gsBoi|3i9|ewSQuUmySkfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx z0zd!=00AHX1b_e#00KY&2mk>f00e*l5C8%|00;m9AOHk_01yBIKmZ5;0U!VbfB+Bx U0zd!=00AHX1b_e#__+lB5BxLC?*IS* literal 0 HcmV?d00001 diff --git a/image/README.md b/image/README.md index 27c2df286..c5f998f6e 100644 --- a/image/README.md +++ b/image/README.md @@ -106,6 +106,7 @@ export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images" export AZURE_REGION=northeurope +export AZURE_REPLICATION_REGIONS= export AZURE_DISK_NAME=constellation-$(date +%s) export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME} export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw 
diff --git a/image/pki_prod/KEK.auth b/image/pki_prod/KEK.auth new file mode 100644 index 0000000000000000000000000000000000000000..bb18b516cfdefce0e7853b20af1419813ccc22ab GIT binary patch literal 4103 zcmd6p2UHX37RNIwM4FUP1tDNTV3A1-T~r92MUWO1eAEchKxjcCA`n@s^eiYK9Vv3 zA>1hZEiZruvYCiMkcsF6neduy1RQ|Fg?0#tzbD^H8I)aVn&2ZYOQ_Q?&uqNnw`Txu z=oO)%IBt-W17U;Yz`*tNagyMcjbIZG<{-_-)yJJo@x+qIzJAA@sASKN89=jW9u8fa zi#y!|Ck0AwEa&18)^~LyQ^~%*SSyCFAKAkfYv|!@gxdznY|JBgwh(Ea&^VRq6M z1SAM=WW_3GL2=ZJ%5&L!vHA_}-cFu1HtZV-2FniJ4jePt@|i=9rIY(qHEcZy--j5H zLa0Q?OAn5gRA*s*EkrA8=L~eZ_zSG1L_sTo`7zefrU&qI_Q>#|nf;D#Wugl)hQ1}q zo1~Uli#!u2#^PWmawZ3M4d-3g{{CL~@~O#eMZu~XvAxQ6#m}l&qLo_0vX?u@!4JMT zI0AqHdHX?aa4Yn~w{Av?Acf8wv-K|VGma+&R@M}XXH+qLx~lYH-$VdFU-G!Y>a{hsG}GTUxT~NLONwvy5T78=$Sk&XEWpTm zJ+RFA-T}iXEmja%cQNDbcyEr0x01om-DMtPTfeuc=}johlAM0RHE^fxOfANQRjxUO zvulWS+|;SjPPYm6ej}c7QHOh(eRk6G5&IBYP#$klM9WhVNo*iBJC*BA8J+T zf?Y=((gj%0q|CZm*{qK1K7DV*QU_$k8Zm~UW_HS@c~g&l1g$u4IP=i;(J8a$0b>%lh`%RYX%od8A}e|b=NtlVJg8jEq*MI$aOfw ziq@H@;^I)&V`eGxVXuMBtvfjfWAxY41|(~0qI#^Q)<$sK&<>;?a7u3EdX`iEmc}j0 z^ts!julIRg=JD5wN^h^oN%E#CvN>xl?+*vL?mIf3Sg^TxpEfEk=SXA01gp>_qUwsU zz2Zxsb;Kv~k3-k0gkX@HNQ^NB;>a{vF68<`W4A_r1i`;3L=9 zO-}Qa&j-#JPLfnZYG*wB%?Gt5hJG&o@S0;c_IOp#Kvs+$}X> zBCcdd>w?qOALV)$ua%v&lU(&3x;cDsz42a?p8dHWU2fe8{1(W|5@Iz26|anE#LK%- z3Ie!zV^=x;dypGG=h#VntW$JMJ6gS?D`K~M>`aYSlc}`e`-Rf!TUXDiwKtmjXWAQU zxvXxjKhSPmKk~y}0_DoBtf9gu|Ke7+z7iE?TLWgdj;y8;D9b^8OAn?K)Y?_~oZDBe z>pX13j>YEkUiWJ>3+nH*UDzY$CSQrEQH8V0k|P{tx3^3_M~Sm|0J+3mqnv@qy1f!0 zJa|+WyGCkS3odhWw$GP-p)n@XH7XP!Hkx~(^Kkl$3uf9aC6}`xy*a+;%vxe|u1>uarvP!!ao6TzD|$+Bkl(`JPT5bu>U(&ss?#dnQy!P(7`^ z^pNf&#Off4{73tXaeT7>2dM3NfgkMwOf0wfYxa(8SGT+YmGpL~C{*D5zGgZ+IrKFwZ zJ6mR_-;+-3!H=PNM@%OD6sF4g<~-PQ!8PMYUGQfFM9nvka~G-$C&#rdJqxQyOaE?q zsXB3pbL^K!WYJYn@~P1xheeue;i2I6AI#&i;XP~0V_ECW#uv}Kd)`=`aMt7|*8H+# zbq)1ypjGIKz%SdPV!f*Kx0=meo6J}dX@1buIWW_zJb7_`dkkVO_I1o`i^+SUfFSqT zD#Ik|=oB)Fy|f3(<_8qKC*PgJ>|Ni%sqF4=uwH9^XSCE?;c&_O&HW7RiFC47m%KvO 
z2cILk>}yF2%PN?VHu&6xL)Rt$?gf{mrZUEXFh)f1xMk7Ir9d<#UicFQn1DG{DN~T2 zgHw?MKmtrPVPKThpIb#god7FQ%J)Ay%c!nVJ8>wG-*tJ+ z^)=k>&f6l1fcn~=$iuEYL!@@`JO|X!qqbg3kC7?9ntiMvTxwjpRU3fLQ(Q}bM6eB; zV|HBA+2NIO^7&c<--8tC$!V5!r2H02t{=l~n&J^_d*Pz-NFZdFYGMd+((#}%( z0tcG(9}^CxXz)$`%XU}{mGTCCS@(MOsnt#5uf1)%vck9JM|56ZJ$!b6;wGGUHuQBc zW|B81dT&G+d%UNfI9aL`mK=9N@#q=770Z&)b|uN%&n%z91b$7^ZgMOi+f$Vn*+&-V z+A@9hOnwtH;-GqkGVfiX2-<4w?mCT|(^D^EY&@!s6{8EOZVqo++7gosjeQw0x052`uA#8-eQ8Z!WbG3YC5jB1_a%okmP3 z5`lp^#v0?aXfvk{eN7Jw=J7_;i zrE;bslHUgVbfU$vFKCbI2D zEn{8s%`^GYIhlVmC!Chp^WJSfkBR-e6c$gdIXBD?cpkS(%2)d}UGkOX#ChFT4jDHO z*7l|uGV;7+TYuPdW8tw^Oc!-0slO==&0X!N;5@rNOyPc2e{o-Jrd#`sGdKJHpIvdu zNa@i0%re$JPOpz_uSsU&!7j-sVrF!Ij;+m=I=RU7n zpB*jpxA@w&8-D)}96#t1(>yhK$G&PNW=00a#r6ia2C~5DmgQp+V-Z5!Tlwhn)6-9 z6|uHm7N^d%>t*!5*cp7#TVCk*`?b$^tZ6nsalpH5UW})8@?Y7#4ktYK-fBH+lDT@v z{AWjV01GHwo`FW16yla(jZ3%HgLkStY0NFse^nkpj zV0V0v>+Y*^7uV*L8nay$N?PtWZQWy|&xejXF3!1Aq3;r+tF_=oqll2jtP^Vkoo+M# Iy&9eh02oE+%Ps~Z~k6MYpBZyacFsRf_=g}8~`YyU|`%~iXteFMz|x<1h|bYMGIUZGvu%Y zCoV657tCUZk~~>_L7*Rp6-vQFbiZC4fPx`J03HU400p=R0AS+hX*8!FUr_3(iAzh{4q_{xM@?*%cp4wB zp9qO?zGtb~PrNc14a6|-cX4-f*iv?Cr+UMjT@IGE`FQ}+fqZt*q{-oyxj%Q!htnEU zW@*_;=39dAH%BK2QUL5Ex}w$L(*B!M@E-m2wKL)FAthEMdRD9l>G8o7{)uR|op`Y8 ze#+AAqF$P*LW#k$ltp_XVz?FS=TTzQhhk@ zOs7}Y>={SP*5Y#{pKLYtqeAZo(xN=>ShaP%hQO|G`_(-^+g`o5vZss_z7c&-)xXf` zRQV|Nb;~WQe9myBp^ck9Id>wCsA`(oUbe&f0YZAulXde%SJ?#*~gBm)$oCLjs8`LBZ3HAIuI7 z5^zH)%Ak_Wi6LNISOFp2(10&wC#X5HnLI9^8z>;rxx6qg?-Qvh7ND7|0zsgDH%@X3 zX7d6_+x>U~A<5B?w~r+Vt&v6D%Z45jW2i}w1N9za6{W90`gcTekNpkCbn*L z7n6EOWx2D`sA8e1+Q}0)=byx1%FO!P_G4CS*}5sP)+XHF|qyK;e$q_M^@z zq=fE8!;zdNQPb???d~_Od;QH7>2*)_q>HHceQm@Nm8YwYC5P1%Xgki7OU`~+)-urC z**DQLkQW@~fn&)@=)P6;;KU>aFRV;W6Z~>G_SwX=Q-CU-JG4VbhYHykT&J z-BP{twc)b;WUt}{rCy=svn-ZH*Lrf!N8Zl7>GJfsw?>4+H{mnS_H><#xIM>AZ>|t- zi5H4vM_r00&P8F^DQcfpKm<5Ln__^bi1#52*2_fCxuoS1Q00pUym-w=WYgmDPE5N;vRLRj5H1u39D^npeOP%7w)mVhHQ!8i0ph@fTm#V5`aGt}W7;aZqLgJm%yUudDY^Ve zGwst0&Nt21)<|>BpZuv3J9+LpC2=isRb#wXQyK 
zc??teBh#|kw{m1-b$((GOG9DBc$&wwsdiQtahgGc@98^Powx=mEZzA{xJBV_t3PhH+9G_S@2s$QZA7Tc>?w9s1^%5F zb=S6~%#|3Yvj8HCO^p49wy`y7gTb@?@H?Cg>_6^sbcJP?UNj)`?0kP~!?gS$dMSN1 zA*A|VA1u9~OJsC34>G2sH+vdYjX8(^Ug?X_buCX5YWHVZ>8K^Rg;hPm8Q~9A(s=c! zeJx%Hr}L_`eDapnif>G6zO6p3$2H9vP5W?Mc&3%DRFkhoLY@AjgIEq5XnWm6R1V)q X%hjy@)%Ue`QxhX2!;u$TyY{aQSKFX=_|@~@;Z-h7vFyCJyq=b5 zJ=?(lCinH5`kjxXl8tHv#r^pnb1%0Lo!ocq>w}h!vu5i&|GItRHO_~R4zR3PV<2R91&S9_(-|4 zw_y7cS>HG7p3eCtcIf)S(^p;`(SJJgok}H`B=nQM3VkEpIuxws!gliCC zV&ReFVhCm^Wk_OhW^gp%2I=Hy0U6U~zz^aGGcx{XVKra|QU>xM0c92m1F;4X*R&w# zhjkHx`>*-UQx4^@wo=MkVGsjSAkPwN5Nr^*z<+^nn|DS@Nr9EVesWQcUM?&x>m}#s z>K9~Zf<*NTitQ<3X)E3>+FDvQfnk;IlCr2*mD_ikX9ZRZqL6?=D`>xf9< zxfXsxa&bKCwcE!oWS;ZzHroC=_L9NZ17COSs$gHN{crYdldzUIO{dm5sus-2e)(?# z|Mh9|PoGbb-=xLU>-}FtQ=t0$^_ry@%XYG!sC>&mVbYvK|L*74oX7zgh@9nG?To0`c7HO3KZNRe1+$`~ySEjVd zjf}U~n9k=+;kkT1N2zk{#t(a#7r7;@Ji>lRvFYRAPcJHs687I%vs6jM`_#c3-mh!z z!%a6m^Do`9A%R&bc-_QG*=w^MpcIued0CFhmQ`htXN|pbKm1LTfnT8<$?7l zTK)SK+Rpvce>net(}A}y&z}1doRwt7?Y#4m>fe8?Kd&4SSuOZTxwE%m`x05-H|w6x z`6YJf`oYszUL4VXI`f@MH}jj`Pu;H$d;NA66ymPi>OLvw&NG(I*I$iUUJEd46+Zph zENt^%l~X^X%UETJ!%DMJ{^1Zqoa2ros)!nBF{z zKQp)N?EB)Vs15iX1^#CGb01z;wDCaV2F4d2(WQ#voW$THkpeu zvH(*ggMlnCq-FV7#8^a<{y3jqV7KISy3nQQo1tr}&ur_8H;{yD5Mg5Bk>g?rW+-Jy zVsK_~G~fp5F=%35I%15zN*5^4}^5V*j9fp434MoCG5mA-y*QI1|NEG_FL=jZAdWM_gz^$Uvf zQ%aLdiuHlX0+_~uNf(%Ifr%EFR^x$*!9W*?3{3TaN(~a&IDj5yWo2h%WC<|{G6;b2 z4Vc{yO%O!Pf&{ckHTQU#$Ia_HC1}mN!kO);X#c%*lTFZvy}IY4T5>Pm$lG z#nbEkUqe%%`up{or5DR~vYx1X%Rgb#oJ0Ta=hx-%S6?~kde0GxOV&m$aW=_BW#LN@lv~#Ja{$^}t`RyCf`mD&9u=sttsk6E?{6E-|F-nzKsVyYyU)blkpOAa=*`&n$%=RGRY zp8vO3Z;$1+=g$s5cyd;~<^2?=_nO@k+#IbNrPFWxbdF3t&AaC>!zBMNrPj+=s{9FX zbf|ow>(7;?UX~a1c3Nijdj9Y2tQTAltqm4wl>cqOvdY{n@s?Mnw8@Q(x7V1?=S<L9-QzXoui0Qyv}<~T^@qyWi#Ex`E)v_(e)OgEx2@Av^DX8- zp7^V)a>n6IzU_-;6j-PKI3==<;rfx!2Sfx)vrQIAZ=IR&IcCGra6hw4MlJj20RViQ BVJQFr literal 0 HcmV?d00001 
diff --git a/image/pki_prod/MicCorUEFCA2011_2011-06-27.crt b/image/pki_prod/MicCorUEFCA2011_2011-06-27.crt new file mode 100644 index 0000000000000000000000000000000000000000..9aa6ac6c79b21cf1c23b01b5a747aea6ca15da37 GIT binary patch literal 1556 zcmXqLViPcEV*as!nTe5!i7S!g@(~6QU@_ojd87gG}>Bg0aT9G~N^oLSyHOAfTxvz78VGlrx*5UXc@ zJE@j?Q}KQtu47)Vi3^U3=}x=+ReQm2U(eZ&4HIm3hWvfD=i=NWOC-AL9lK&8n=_1d z_qd;YSGY&fe^yt`e;51Sexprl9_vcCzB}n7=OtP9q-mCHMY%7}hP~hTFNkO^jv05GgVcV&l|i zV`O1$G8biJVFk+>C?mv}Sj1RFejLo+USA&U^;y+i)^DL&HNQeZgMlnCMr8Rw(!y)^ zJ9F-BDwxxA)!#7hs?v-u=_>}3a5F@hSa{^P7=jr}8Il;B85|9`K|1+aSb!Oz&43@o z5oTok&%$cJ45SR?K?2Gw5(Z)oBCcsc&JXJ%1ovO_o2MMgVQr<9wZb3jRSyFfRa;I52$! z6E`qT#{<)hfi4gknCbzQ8YHlB0KUE;q>3&%(?GnJZl9qB1|>ijLOt&-U~UZJ4t)3%5Ajph!hU}{4&C1 znHYD|s@Sznw;Gxq+4{H0eq!GFSt?fgW59%;n?qZiG-MR^Zdw;8a`eEO=~ESDCfw%# zQ$BBM@x+c(d-n$IWDVfGA3kqE;#=OQxvDoE_{AMgoLlU5$anoLAz6-){=LWd?9{gP z)Rs5;lckvHKl?QI|H^}7P`p3e|O3K zJ97OESKmr}(H9ZR*1wn5vqAak@s=BJUmY}VS{vpqq5CmoD*M^8kH{0YRa-%tSY$V?b_=s>rUTrh+NQeajH+!L?x*b*&bVWK9^-r zHq16L-S}%;@Cu#AH%nLxPt4u1>xHyS+7tH>zP_;f&GW@(Y-+oZVK+f}tA1R6Kx^-@ z-lllRgN1MfA-&c}SF>PgInqRZZ2P+zbh(mdgZ#grWnDhht= h@@Z?I^6kMoCf9eVhqf)Q%M>eRpEUdHvOST_5de>mHUa_C*_cCF*o2uvgAIiZ1VJ1Q zVXpAR;*89^^pgBMLjeOmkRZD-dr)dhZhl^hp`3vXNQ6sR)HgG^D8D#Atwg~&zo;O; zD6u3HsKeU85+u(oY=l)_AtWQSC`BP4v8bd{!8freJGG=BCowryAt*n;#6V7**U-?w z%*fox(8$QdG)kP;$PB_Y25}7<8)@QZZ39h+o0YJ;In>q7Q^DC$!N>sUx+X>?${Uaa$b^kPnu@QR+RhlY}osa|FYQSJ-@V<23o{^{k`jU1=H>S zZ@8qVU2WbWDg1KVfog~9hw>WgCx5*Ui<5a)H>K{t2bWEimQQbOO6vCAZ&C0lLq+7I z@e&U6s}Y%Tmuuc0WC`YY?zcg!J((jhKUp;L)h6xA>pY3+UD1Ez*0$I0YD@Poj1W>{ zQBpeB{XV3S;aq@eMA=l1cUc=3Fq@BrUvlzcc6Frh+*=SN#q1 zt}4ywlD=Xf2{%K8iG@dwiy@eylp%@1nZeP38>Ew;g$0-a+6?$X9AQSr|17Kq%s|RO z9wea5B4HrbAmW-9`aiTenC-wN@;RQu|6>Q0P_Mci38I&FmVIZbUZN480Z3# zfvFx)sX+o82QWNXS=kvGSwakg3<6+$1Ew|?s72-F<=8ArEh55(66CZA%;wBZOpFYs z98UiY&Yb&R#?h`(pQU1@KL$+rxjD4ONkc|q@1}KuB1aFbnLbrfX2Na$KjrhL7EkOrwRdmO 
zPSyb4`{DBzB);W+nyY%#fnVI=#JR;@hkV!15|ZTz>EC;N&rWSyPi=XlKUs>I{l-#lMz#-_Fl8Fmwtx9Z3B2ekGc>urj6T=+$g_rc6d zIi*jwWo}h$`^A3o+auqLx7O;E2g|7%nIF#yDw^81;iG9{mgLt>){OyS%ZzmYE$aN~ z)TS;Gy0Ga~)a)MyGeSg`xldEoKcV)-af(z7ll{|ak6WW{?Cf{Dixq`FQdQb`v-&wR zo7Up*aueJRGw@!M?0n2;s-DDLD7x(Z1@#3BBFz(iSWMaRprYW%E}ypcDc>HfV{(0$ WdT86?x=gWB_DQq9F545?9035V8Amh# literal 0 HcmV?d00001 
diff --git a/image/pki_prod/MicWinProPCA2011_2011-10-19.crt b/image/pki_prod/MicWinProPCA2011_2011-10-19.crt new file mode 100644 index 0000000000000000000000000000000000000000..a6d001c219389bbdd9f011ccac1b620defcd44bd GIT binary patch literal 1499 zcmXqLV!dwA#Jqn2GZP~d6IUX8Sr`Kda2W8iacZ@Bw0-AgWaMULFlg*BBvrw&v?L?HD6^ze z!N|bSz(7u%*U-?=z|hjr!o<+TC`z2y$PB_Y1#t};TWI1`Jp&zxQ&ka84bRL=$uBQf z2q?-=DNP3XNFl)45#&rmgC<5L{yk8AUeRmzWhZyaSqGceJiYuzeP_GO zznv$QIrCSzO+1)4&BpQa>BaW3Oj*8fGUZh@V$A;kbr$8C@<4LS`TK{29vzBSf2Uqy z&>gMCnXS|roFJxiAVW5I*Bj5za}#@7GdPP~Vrv(LXy2{;E_&WHHb+J~=G>k+%H8>S zTh(rw2_N>qroL{ck+tI_orlNImcLjP;`cpmjt1Nyo%}2yW7-V(K^$R5#{Vp=2FyUpKprHZ z%pzeR)*y2ATiEIT7mH$&GA`OqnGk*b+$@PB24Nrt@+|%az6Rb4JQujPxn`7<6jrfX!Z2UKJb#l`{j zA}cF9BO{BSfscU~jBmiyW(T#Ryu2Kn6~N4Z&+HQ9ga*v5%uT=m6!}wA7`U|ZP~N8Z zmUeq=g81{a?FEF3|EFLizEK78Zu;`nWUQnsi*c*pB~ z$qyde8m4Y&eEMn4S+OPaZC7lZeaPv;gqHXa+5erdcFDR=$lp-x=Q!VCe*DvgTAKtX z7I!IXd^mTn*fQR3bxgvW`^*9>E_1&8@@-n{w)()1Ge@>ec3(c~3GG&F?i{ z{8lQ-ntpk5c$}uR<%xH?56?bvEsnl$>0H%nG07&khzoIZ8#kw~&oTY9=c&EQBhy7( zrEK3M!e(Bn(7DJe{rW-&EB)G3mq&^vrrU323H zMVl`&2aoQYFqyBzb#mLwjS4gO%{YB@>XO)`YYUP&6!w-1l-JsRcHKFD`ux-34f)0^ NSjq8C z`xh`XF)}f6C9;==fz@&t@Un4gwRyCC=VfH%W@RvF>@egu;ACSCWnmL$3Jo?CHV_1H zIE1;v6N@u4^U_Q5^9%(H_&|c}!t6n*DY^N1DTZv}YxZR)cgk4@o7OzN{6>9eyUf3xCzUz#SGY|) zm^aPF@$%`#_OVP^zHc(+RW)MF{{M9r<(l$9a?APqhlCy-idKK8USZH3t;LzG)ES&0 zrgI=eHh9+?&(Cucds;I%i(O)C7lmlwt^6)}-ZVBxMmy%*o;k|h`FUH_Zkh=n_P?gS zZl{s8<0PGj$Iq6(SQX;;J%*d5J#~w-#EMN1awW^(M5+ApU}j=wWMEv}#OMqR5qkpx zHco9eMi#~HZgsVv;g0+D@4eef``li6aJKAO-R){sz7V-U~bzxVO1xl#~=$>FXyK<>=+YlCfTL zey)B&b|y$vzW@^d#rnXc0ZhKY#0yNb@u1YIYhb2pWUL2NWDv#10rVm(D?1}2i=Tmy zfftN#z|>|3wW7Sd9Gexu%z)4A66Ayi%&p8#zyK8aQ&SkYwDM5iruUY1du)RE^R(>+ zgp2>J$hhFK%*3~A8mrnnL$?WumDm1T=(%QpIq+0t$1U0ZuG^f~rH=b>nWbg*ypg`n zGGT>;_>$Q>A2}GAl^r=4b!`6=mIJTEF0VP9@jhwI-H@CBgNS9XYyM4H?$`I_O-);I z_@N-hVw0%Pi@U;3u-szjeEXyO@wqQ`ed|7as6Ked>wU=&9@`qGZfJb^ zY0X)&CG%}pY@B__>B5AT_z>Cuov(Jux=+a8Q0(V8-(i0I(}h}_1Sb}EDQbK;cdyto 
z-fneF!khcd0xK?azWnlSTI;s@z>YL`$=*d9glrqNGFZ!ZPxMKu-gc1v_^zsU6J|c| zq^g-OPyIRPWqwk3NqCLSKifMy_@jPZJF=OnmC5SW=9_s>G8N75HD3HyD#@CDd2)E1 zrnKdWce)SHK5;FMzHsSW)oL-xCbx(SadR6tr?1a3{j}$)y~-ogMO>w9-z36jUa8Qz z$SVE%LI>mARRSMb@9(P9N#4#jTUqhQ&x)K!5#nrS+7pGC&n&t5Nq5)JDRUj(O1OSJ z*AD+J1K3Ie+^6)8P&I#w%IQmoG_@iL3(v D6(vW! literal 0 HcmV?d00001 diff --git a/image/pki_prod/PK.auth b/image/pki_prod/PK.auth new file mode 100644 index 0000000000000000000000000000000000000000..ce7228c62d0e4b33cf35187453f38bc98aa930d4 GIT binary patch literal 2545 zcmaFH&dtoNqsIUP4_JXLrjLAcFRk~wpYhJKYo$r8d06UlgC^D^OpJ_%{06*ioC$3n zjH%2lOpL4y2Hb3%T5TR}-+39?85cA$Uo~iAzG%?Iv~vM76C)Foh^nCE@6;XBt}6XH z_=Mm2o3usgvKJsDpn4d&fkreo8gd(OvN4CUun9A{xEjhBNP##UJi>nYMJYuYshN2S z;i<(XX^A~@I0^J}^IHpkHZ z*}`03&sd8;yJ+OJxUchNo6beEQ~PF>nOw{ZcQ<)lIw9xXB86|}Ju@9PX*M&z(@yX= z-ak__ApAj($+R5dcooI|*$p+?$MU!vW0;%SKlcern|x7{*!apolJ)JT<^?tiuKP0z z6Z3Y4zTPsy?OXiWc(xY{H0NDQSo_q@%rY$3#HYa{ydlRqVea*)Romw)6bFcJ+V#fG z@r=OI5IJ#!V8M3}r$imR&eR;k(su2IeM0(r@%P>C#j7TB$bFsindeE?!#)NtbuR~v z8;dvF`W!#|t^DZ%ZK16@C2aJgS3cPOt4sHA%YtvG9~=BBHe_OEWMEuuZ(wU63yg4C zJ{B<+ksi<2E^`Gc(pG+oEda> zZNYJmjnAvLuDyBjNd;r+*W4{rE`)gp`MN4!)mXY*A-w-kuH=){7mA;coqErZ>T-@@ z-n$D|+&itO)EexWIp_Q13k$spb=}nT*5^vd`ULE}Fk$_CndkSouIxKjvrE`($_A@v zhSB>w5;#sxd{_sPI8(f|&jQw?o zQ6VN~x|gP29`-fq~IWpjma<csi`p&^dcYj>0>Ic{VW9A16*<~gQMf571GOP+e8UB}5T+V|*V9UFjs2e-({JP7|?@-_Q z_)|HzQ|+oh3nLFKeKKXaSNqo0qA}VZiWpfSCI3@q28N!iz8~M8I_%w1D8Btr^tmac SMLEr?o6(|tv?w2#q8tF!MY4MU literal 0 HcmV?d00001 
diff --git a/image/pki_prod/PK.cer b/image/pki_prod/PK.cer new file mode 100644 index 0000000000000000000000000000000000000000..3ed594eeadc60d89426f0c9db6738039e1ef5051 GIT binary patch literal 981 zcmXqLV!mk5#I$n(GZP~dlZdLI9Q9Fylk9WZ60mkc^MhG zSs4r(8x6S)IN6v(S=fY`TwD!h45UCD4jy5@{GybijMU6Lh49qklC;E})I39epmv}v zI}e*vesV@>uA!WP3`l^BN7OYXJvAq_xL6^$vbZEQw^+eFH_5|L*+3B_&&(s`oSz32 z&&f$F$;{7F2z7PyRB(1wFfuSQGLRGJH8L_ZG%z+aFflPPjskOy;M_ss#wJE3)TDu3v3iz_h%F)=Iso9y=8*ixA?R1 zY%dmQ&byYd_NkqjWmv9>PlHEzLymL8-0M-Rw$E264iMk8>y4Y^8G)rCa^eQTg6|$q zi8^?lsX2zF?b-|bg!J{|@4MZLS54-S`#R+_&y%c&eGFdeUJe>J7H_uoIezwA`O^j3 zLR)uA*yu;Ee6amjm+s+~1>a6THuzI)$i&RZz_{4nz}7$(7~!&fEMhDoJ)W;!<_c7% zO%_VJYPqDXeASAD(+&7R(!z|4|5;cKn1Pf5H%Ne=g$0;q+mM48m^y($%*aqYeWmQB z7luK{Ln`hs?b>xH`&dkg*c9DEQx>S7{!wLNFQu!n@lW&0V6Mg9N+<0mCB6xFa-ZZ{ z>E1UZXK&Ti$)+nSauXRWPgc9 z+PQ$4iIIs(L{(7ocj}I5SCxJpe8TViP1>S#*$V?+HcqWJkGAi;jEvl@3Y9?Cnv+^wtPosTT#}kwtl*xTlz`tve-b^rKfk z*#4_a_i)RCZ>Jv{{3$kMVrFDuTx@S(Yak1Za9KVUF&2>?&(|(<1uD}f3ng8(T+&v) zYQ@6o2K*ptVMfOPEUX61K+1p{B*4$Y0!*`Q$UzKDoxmVwWGJ4#Qufjd!=U3K75A5R z?K+fwET%+kiteE)3)D~lsIst^(pA{_r+H;C*J5v_lXjC5--J84Pjanv@0*dcw`%HS z)0Gvui42w}txi?n<`vq$cUb_xA&c2j1<9E~XV(@S_t^NnYU|pY7oSuxmVV9MGUY;; zcaX2E@>Pwc%N4@=59LZeNqwRC`PixV45=>X80NjZaK*jTdP=Rqo|$vLKfbWgt5DZX zO>cd!gse}%&I=RP&zE_AkL$|5V>P>ky{2ridS)2CzaxR;wB?D?(E7qJl5=J{a({bW z_cZVJ>p*rPO{0Jn`HM}(ChiYEl(@m=$->xQcNi67Vx}u3?!6qZ_*&tB?-oT70CR4C AC;$Ke literal 0 HcmV?d00001 
diff --git a/image/pki_prod/db.auth b/image/pki_prod/db.auth new file mode 100644 index 0000000000000000000000000000000000000000..c2b6d50276e71a4521b124b409a6f927ff567a46 GIT binary patch literal 5699 zcmd6rc|276|HsW@Y-7nT+aQ$n%-Ad0LUu8>EM;snw!sjxk3yDEsK~zLW=W*1S+XWd zLiU72wj#Qf{Epo2?R)S2-S7QA9^dN(z7uK_eD* zB5I2sLIueo!v+8{>a8w zh+avSH9WS4uEoUc?C73DR;&cQ(VnxA53hUUan@*1nR|%!-ir`OsKdx(qP06=n~>DQ z*|4gWjg(bcafIuL-FTtUtkZcIM-=&Vm1|KcIVx7xYJww3?tZ@O*l*0p#HY)4$b%j`pcDT zCp5CEN42*U9`Z4yFQq_YI(ovn@&&8j3RmBKN1}R-)}fXgjaW3BlY3(sD8;{I&ok9e zic=ITieY3vJ9z|Mqrj$tz9rnYYG0Zv+P7YQ+s&G1n>2Lqh2c(fXUlP$$W(`#2SHF6 zgaVSU0w@E#;OpjPfV0C{Zzm-j4iYb!xsiCtflwGgOP{cf02p_tSs;)dI3)lBPoRXs z0Y*3+RBY6bTMTLw++qlY_5wmgV?wRiRykJj(c@?-e8QVr(-u8`=Fh8T^EIWB3SG^5 zXR~Z{jyP=dHmY{%G>%?qmnD?cWDnh(w4+nRmRvkh7t9+XcLZ0=QugY+`9I9lgm4~L>z7l;#@W8{l1xl_IBt$eh??mqN z3H7Jk05oh|9re|s*7jUuW)sDT3Ok&;i6RZlq|5L6to9G(O8J6}!=;C6~ zq;SLg(T+Yv#Y}QAWev-h2Y236+aK`Erd4MZJl`55k?`-3g=m*4|5@M&cd3xk5r1p)@)~r4DI}~*@^2T(>NK-%^v^~un zp5kl7c;I;xqa^JIZCA_c^^X$l%xas=&Fk#s<~Fpg|jI)b)&0G z*lfhtd>G+-w!aRepokwdc(?lKp(j~n|C9sL}>S-SDx_VfRpRR5i?UkV&@uoRFX zJcG8spYv^f!ciC+QZkVGNHC_>WhZdpE0I3f>uwO^=dieeEv6$32Urt=)vgvEoIU4E zm|<}g>ygW5C3p&}m%b-XS+bEr4prO;)-RFM?bM06k#IX0Aj{hZ8= zaeU1PdQ?OMvi7XwS@+N@dx~iN_tsQP#YeSf=`QtleO6qvzFGV(NJJ+0&wPF7Nrs5W z*uCxj+g;0BmSX`X5^=r%xv$F%-VfK%-RPkGVoRwRzjYq_bU!ZhHS&V@o%|cZI;RxW z*W^z|n}t6tZNKYDiUyF)*DO^WPJ8o7_#RA1<7;AwYv!?h(#c}|;n)fvoOU7(Tj>;+ z=4?uJC0_MhGxM=WdPydtm?oiU2Lg>p@DNTUI1cb}9I8;UrmVq>k6lBE0OD6!UB)7b z6Y0hYc4CX4Sj-o!RF!e^o-c-IO9VOQ9)$UIUJVX_dtRK5eia3Ouqj}ejcK>I_MSg! 
z&Z2?*dgfIX5U;Iqa^P`NRvho@ol626Z8bAuX1JUq*FOfmrpY&+S1ZZC&tD!^ASjKJ zF`ieoNsi1CGdB%GN0r9a|K1L$5PNp;7VH5V(?9uJ!7v7mXAW-6CkE(&{ogQX2~B%; zKxc2DrGgCARuy40&saa?(>`8cnr;9Jq6U_uL><&_~P?Qg6!9`9!z6582gT1d4O3lv~PxK-9 z27*l;8rW^>&|pu8RzfSvqGd6=O`ZH+D7PB|5$AvKtN&iAQh>x>s=~jeYC-UHB>Iz3 zfAA_Wzkg={6Uh3!St**C`Sz_eLIZ_BBSA)HwG7^a4PQY-*0-b1k8C}QTUV?oDJYW+ z#syOD%;>7Xx;(hgcjpAnL18rLp#**Ynj<@1)R zsJoW$h^bug+`y7(Z8Xo<+HN5lVzE|oi)Y$VwSk^|6`y~uZGwtIq;Au$5ZA0>~;uC>eY)|BD z-Fd`q`WkKs#SuNLMMmUV9vTgame*pAs9lzr?(Fq{a|>&@WkUy#cDk#90r2;S^Xv7f^IE1Xg2HEY{D1K=7emVqIy2RdgHJ~@?=PaZ2>0q=&SM`_}HeZ3A#OFQ_uOL=^kv6KVRL)y!YusbU4wZ|%w zG$;*FzMyzP&7R&>t0W*ViII^47Xhab)ZkyFq@;pC;D&%cp!+=rpi#$ud4#{e|DQbq zEQY_jx9{(&6-EX(ko8Nj_sPP*R?o^+rDF|8O&C4JRhU>vUyJciPZY@-#HLY-te~}$ z>;s2(6s0uXHk#)S){OEd#*Wbp@9)&7m3MZHU*aByClzyY6lB!CQpL!hZEHEz(KHKh zUSuCAeTZMhl}=#YjRDJ|x4~aiZW>3ao(#`7=W?J+1fy2ugWwcX8#N7MRUiN})<>EUTt?Eyc&Y#Be?p$1~R6Iblu(6qT;a=Fu7-wy+guDu7 zc~oRX=!%&GaVFV@EGSP5*vi&Ko&_2p^p{y_&?%=_EJ^88|6r{>hHsJ-

OvzU)&!1j@U*noCS75O(YzA1a0hk$!L^?D)B;=FP>usNs?m?hKSX(5vo`x`c8^6k zQRXN36aNAnk5%aJF`)Vj1`dGdKVksE1Y+RhcMMPuw0*+>{CC0vB9i|RZ#@Di?RhKa zH*fs`6DTa6;Nyrgw)X)UU|{d#=H%<;ZtviP+C{}44*+?L0tSu2$jW`=!Cok{8v+p# z|47c_z@fdI1^+x}Gfgd>y$=z80|tfE?)sgYG_HEcg68Njgdb7^f^~e!9!9l%IfSl~ z)P$t%(ABihX=j&A8~7le^VvWrLoGb%Xf1a8bwhtk1U z&Jrzm+F)c27t6xE<{;IeY5s$v-Je#??RZ{?ri3=H9j^>jnj5Xe#ThgydcDFQVC|ME zpjH^PB-jlEFSo!=spkzV#G)Oj?THR-R*RM5fx}39mssmqa4 ztiWrSD-y(r@(TZf87yT@8Z?b$uN(1$MrhAL!E3SH&;L8j&~!G@m=3kv*ED39C1gf@ zeIw)~a-=MfbP4AIo7anro$Z_U7DL`^y0TaOZ zdkm7}_}?SPUq0ba`5{NGz5_h&+d7LZW5Qd?9n!*_6%AfxRufg{*1hEsp?JcI#cX}S zQnrYlj(p3uj6511sfI|r%ljTyyT0F+`<-#p&sApU)erKZ8Y|0BvbHyuUQHF?Ng8AP z;-8gDN{)Hd*l1EqX-q$5k(Fb=Oh4x#Jfh0Tq1x4#uiI*HJDr)A8k^YI*-$I4tRv2k z`Qj=-Fv{o(RhRuDkKl+)M5#7cr3?Fs_IAVaH*Ndp<+0~#jjIQk`>C4heW%9x62k|V zIX9$P+1;cko#QKn<~q;6SYB+AA(xr!aZ0|!r&9GkS@T&dub+sza7{u$Uq*b5QFjd= zU47XMM>R+Y_utupE<{#cSwwX|KL@r8tr1oCOM+zl!Em)D=U z`_0}XR0~9XqUzs#WzaubCgE?&CyY_(bT{!yjjDJjXYb1Oq4G$Cv3U_j@@wA3pVgy8 zIn8p(k4|NL1g>FOi?q{(rMpCC)l&A`Kvm|_W-eGCJ*HBx&F*9NN?7pDNYFeCA(p?z zm!$QOf_{kW;tYeFC=TY$R(^op85G9pKz%GFB_*;n@8JsUPeZ4 zRtAH{4nuAOPB!LH7B*of7gs|W11S)PgGbmezbK_BBQ-NmAw0FXBrP!~HP4VAs2wQF z&co)EpPW&eYba+R0}|lk5p_*TPt8d!E>;MxEG|jSEmm;PP4Y0*GSC3YGxI1q=jQ>% zb8-?(GV}8k0*dleN|PZ>XGaAi10y2?IdNViBSS+2V?zTIAcz8Ujo{qD7-{&WkUtt6hD0>M5m;o$3E8FaOKu zttr@2&HuZ;`|@`IYd#f`-Wtd0OEsQUrDZ-APSHATI$tC+Pt|G7r~La7qQ$kE8|Kvb ztYOgVcvtZ;eSUnb@$vtnFV5I#2t+==p0coGhv3xkXH&N9_FKhauMn_o>3pk9rPbWO zC8kc6S|q;tGT)(ZYrYr@&YG3DB;T+ypXc_qSu?AQ=iJHIantaYnls~vOUEvqy!I%O zq21?GH2a$sHf~S2`_7*DZSf&``HGL#YQ_thm>C%u7uy@y8pr~pUzU$Wj78-C`Ppi@ zx3~S3`g`K-_lVmSK|0-M4fsLQ!iAsbAIt*VLmLjSIl3jUxZQx~z>Em{ z$Adx(~=ioIfrc{nhTB91GXo?vPEX-P6*7*(dinR2>kqJLNqgNZn|^ za(i+nXKu~4B(<7ugQApc8|aayl_35UImbg)e_ z%e!%nYqgU2(|z@&$EVj+u;g_r|H?_N1F|L+?@k2 zpP4YPTlW3NKE*Fbc0AS!OIJBH(gx6pclh(*r2%2!cEy%TEYmB`gC&g2IECOuS1hlNA)f z#9K%BZzgB}>ilsyR?&h^1M}hGWEPc9!#gqPf$V_gpB83#B0wYp@=_~^L;?XI5ddBA z@?HvwpTqyBQaMniuMZN6guppa5eUG63c@&0DCA&le}JbViFy~-J~PT{y(4uxeoqB2 
z=ay1xUC3fA?<0LhT;#>wBJUE?c?+T&gx824h%-BST76_!Fm)IgsBv4bK%7cbF|VAV zKlYSh?pa%XBF?T7qLDfo^D?AhyC11zQR3Gwoe($nZSk7%PHx1}A0LJ%`(S&1uz2QZ zwZA+sgGhXG=8R#{BWy8N!MN*43$(hn)B;Tr^%}buSd?13GRNa-_QeK=GZ+)RQ`zZ) z@2E-@Lhqz=j;tz{y1)}|ov)lDt<1|Km(mHbbnHNX-tk?e6Avl1_X!VFEuhnPZ`|$d zA0k6i>}Gt>+ z1D8Ln`fzh%!E+$SSu4E@5aAEwpwLAG5`cp@K!~3ZK_EZ{bH6@fP^;h(Lm{NTD~T31 zb2kLv`ynke7WTUKtnxqk6uU3#e8~xwE#3y^)B0Oe+!C)>wqK+%QvhtsF;A0#?NRbt zEcFAq^3B5OEwY|>I&eO(j3?z0f{)T&Yl6~qgI&-^GE8^1h#B9q&2m;FHY=wDPz565 z`u$bo(g8+bf3=AZvX-Jba15miXdV?08Azr-%5yrfP2>4nocl8`QzL(U+Ry!h6-rX0 zR}5yvCJ4-fP=gTT0--(9SD-qJKdKiW4<}q-*=Xq3jqhL&7 zA&|89E5G{ZN?iwNEtjhDrBn|pEs!3~{G(Ta_5C*kc!X^z9$69dB_6{S_$asIK$#bFy0gdRR}xNR(K@I;F~`&k;{(SgX( zhX$8eR=MgvDLa(4njc!94q4c$c8c)=UDjDAzrjT>Zj?8!R+l3Cv942DfL?BO=o&3| zqZ#jZiHRR9)P9_*prY=pzxcsILNI$!=Hi{ltztv1K5CO{F+jSHhCrCoewQ7RS}hbg zm-_K7vnRqT~fWTkGt;JuXeVMxWVkO z){~B|=wHvcIxP4KAyR@aT1c1I3`WRAk9)6qyBWT0034_Vcv2>SC`v#R1w}wP1`<$y zXG6ZSg&)?!)*qB?I~voK_2!gg-jg`Db1s0)=LO<01Xf-U;sRkq{2>+)v)>!UAM8T` ze2a3*2x&kvQM_;7{dVTB#lHTOUZdR^)d& zIsuIEbrGLrye@zqp%WQK;(0LLo>!# z-$P`TOG}mJ*A1Bx^>?;i^S;qMf@paz$*a6hnewlEpfeN=6)0L04*@_I(@i%F8<)z>3N|v%sZ1#IYxp@?Tf1cgTqFIpz5U2naVE7 z(gLIM^ZBjjJz0CVyUH!@e_k(Vokg!^I+zuh7Hl6a(x_Q^h?%CSKHdEbbNzPX3f~>$ zkKv-_Jb`C(^SS#jCu~g(ww5_iTrFmlq(MPOHypC_-+lQSx}$zqiY{E()_>RWXSd#W z+Zc3emwLp>el&VmE8_jOzwH8SAMCs57w*$WsEP)^B=yd-Wso7fBOcq)3A8PY2jWTWP#-H-niqt%OC{h}uodh(3u zOXTDFc&&gdsC;F`wl^{1L!MG7ea%B+@E=R>&uG`b$v$a1A#M4xJIy!DxB||Ll-3Xo z9o%l++ZP~6oH=(-UqK_%d(_+u6J_gBAD^5wt+;Vc_F8*g))C=U%Ol)p=kdp{9=qM1 zQ|jm6Ul@SFH?c*d_ZZDu))gErxb2ZhC;fo96J6>r>lObk226j$z#8!WM+~4uK@7b9 zgaHh%Z3zR2Z-fOT9r{d4<(ifLyk<8`t1bAY57)l|gVUIByADf% zP+M$iOG*NYjkSQf1`bLlpeGLR5vpM}V+C*6Sdt6dCAD*TuQUta*>A}=OU&9>=lbDk zWADkfQt7k=vov3?WD2n%!@6@as!`D~FD-6ylgWWhVvXwNv+PTgop$mzGVvpvJh_-? 
zdu(;nya-Q{*Z5ZR^j1T^SMTZvVqgP{^9x~L_uAx^X-)THrc1~ z+3_vYn`&a$k3OjJPq%M2j2xn@5$`0GVhs8`soQvQ6W0(fm@$WHjg$ZknI0hF^}I$i z_8yiTlIHVaTUAOzJvYQL%2P}Up`_HEKIIw(>2}id+?j)!3_V{A?fV3SogfStfY@hm z2VsC*8UvKS=JNzj>^f2a&z>nPvJF!)w6i>ai zR>YlZaZ_SuYUZnL&O{^`ZuY{t%|7$gEt3@DobjvTJV;D7LuFo+n}OHOuJT*`(kbiB z1-HHC>azHznzLKQ+gmD+<|xW$4T!vtK9$2flzOYF$+-^cwBoVHsY3F^iqQy_`=%mN zrZ>AwY+CKl<%!8*Tr-JdQUjxTn#mlU7RdjBuj+kYy@`ag< z<__=k*=TIiU@ggT8&Xj^e}DHF9HmjRAfIJ*9kQZdX8*9To|->AN}_D4N3F2X%V5WA o!|d9@n8?@lcHETg`N6X=%gLbD%O&wtNjCa${;RS^uVl~v0NXYfyZ`_I literal 0 HcmV?d00001