CI: Add secure boot prod keys (#462)

* Add production secure boot keys
* Refactor OS build and upload settings
This commit is contained in:
Malte Poll 2022-11-04 16:48:52 +01:00 committed by GitHub
parent 5ffdbc9bd6
commit ed58fcccd3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 424 additions and 100 deletions


@ -0,0 +1,242 @@
name: Determine OS image upload variables
description: "Determine parameters used for image upload to various CSPs."
inputs:
csp:
description: "Cloud Service Provider"
required: true
uploadVariant:
description: "Upload variant"
required: true
basePath:
description: "Base path to the image build directory"
required: true
imageVersion:
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required: false
imageType:
description: "Type of image to build"
required: true
debug:
description: "Build debug image"
required: false
default: "false"
outputs:
awsRegion:
description: "Primary AWS region"
value: ${{ steps.aws.outputs.region }}
awsReplicationRegions:
description: "AWS regions to replicate the image to"
value: ${{ steps.aws.outputs.replicationRegions }}
awsBucket:
description: "AWS S3 bucket to upload the image to"
value: ${{ steps.aws.outputs.bucket }}
awsEfivarsPath:
description: "AWS efivars path"
value: ${{ steps.aws.outputs.efivarsPath }}
awsImagePath:
description: "AWS image path"
value: ${{ steps.aws.outputs.imagePath }}
awsAmiOutput:
description: "AWS ami output path"
value: ${{ steps.aws.outputs.amiOutput }}
awsImageFilename:
description: "AWS raw image filename"
value: ${{ steps.aws.outputs.imageFilename }}
awsImageName:
description: "AWS image name"
value: ${{ steps.aws.outputs.imageName }}
azureResourceGroupName:
description: "Azure resource group name"
value: ${{ steps.azure.outputs.resourceGroupName }}
azureRegion:
description: "Primary Azure region"
value: ${{ steps.azure.outputs.region }}
azureReplicationRegions:
description: "Azure regions to replicate the image to"
value: ${{ steps.azure.outputs.replicationRegions }}
azureVmgsRegion:
description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)"
value: ${{ steps.azure.outputs.vmgsRegion }}
azureSku:
description: "Azure SIG SKU"
value: ${{ steps.azure.outputs.sku }}
azurePublisher:
description: "Azure SIG publisher"
value: ${{ steps.azure.outputs.publisher }}
azureRawImagePath:
description: "Azure raw image path"
value: ${{ steps.azure.outputs.rawImagePath }}
azureImagePath:
description: "Azure image path"
value: ${{ steps.azure.outputs.imagePath }}
azureSecurityType:
description: "Azure security type"
value: ${{ steps.azure.outputs.securityType }}
azureDiskName:
description: "Azure disk name"
value: ${{ steps.azure.outputs.diskName }}
azureImageDefinition:
description: "Azure image definition"
value: ${{ steps.azure.outputs.imageDefinition }}
azureImageVersion:
description: "Azure image version"
value: ${{ steps.azure.outputs.imageVersion }}
azureGalleryName:
description: "Azure gallery name"
value: ${{ steps.azure.outputs.galleryName }}
azureVmgsPath:
description: "Azure VMGS path"
value: ${{ steps.azure.outputs.vmgsPath }}
gcpProject:
description: "GCP project"
value: ${{ steps.gcp.outputs.project }}
gcpBucket:
description: "GCP bucket"
value: ${{ steps.gcp.outputs.bucket }}
gcpRegion:
description: "GCP region"
value: ${{ steps.gcp.outputs.region }}
gcpRawImagePath:
description: "GCP raw image path"
value: ${{ steps.gcp.outputs.rawImagePath }}
gcpImagePath:
description: "GCP image path"
value: ${{ steps.gcp.outputs.imagePath }}
gcpImageName:
description: "GCP image name"
value: ${{ steps.gcp.outputs.imageName }}
gcpImageFilename:
description: "GCP image filename"
value: ${{ steps.gcp.outputs.imageFilename }}
gcpImageFamily:
description: "GCP image family"
value: ${{ steps.gcp.outputs.imageFamily }}
runs:
using: "composite"
steps:
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Configure AWS input variables
id: aws
if: ${{ inputs.csp == 'aws' }}
shell: bash
env:
basePath: ${{ inputs.basePath }}
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ inputs.imageType }}
timestamp: ${{ steps.version.outputs.timestamp }}
semver: ${{ steps.version.outputs.semanticVersion }}
branchName: ${{ steps.version.outputs.branchName }}
run: |
echo "region=eu-central-1" >> $GITHUB_OUTPUT
echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_OUTPUT
echo "imagePath=${basePath}/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_OUTPUT
echo "amiOutput=${basePath}/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_OUTPUT
echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT
if [ "${imageType}" = release ]
then
echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT
elif [ "${imageType}" = debug ]
then
echo "imageName=constellation-debug-${semver}-${timestamp}" >> $GITHUB_OUTPUT
else
echo "imageName=constellation-${branchName}-${timestamp}" >> $GITHUB_OUTPUT
fi
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
- name: Configure Azure input variables
id: azure
if: ${{ inputs.csp == 'azure' }}
shell: bash
env:
basePath: ${{ inputs.basePath }}
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ inputs.imageType }}
timestamp: ${{ steps.version.outputs.timestamp }}
semver: ${{ steps.version.outputs.semanticVersion }}
pseudover: ${{ steps.version.outputs.pseudoVersion }}
branchName: ${{ steps.version.outputs.branchName }}
run: |
echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT
echo "region=northeurope" >> $GITHUB_OUTPUT
echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT
echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT
echo "sku=constellation" >> $GITHUB_OUTPUT
echo "publisher=edgelesssys" >> $GITHUB_OUTPUT
echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_OUTPUT
echo "imagePath=${basePath}/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_OUTPUT
# TODO: set default security type to "ConfidentialVM" once replication is possible
securityType=${{ inputs.uploadVariant }}
if [ -z "${securityType}" ]; then
securityType=ConfidentialVMSupported
fi
echo "securityType=${securityType}" >> $GITHUB_OUTPUT
echo "diskName=constellation-${pseudover//./-}-${securityType,,}" >> $GITHUB_OUTPUT
if [ "${imageType}" = release ]
then
echo "imageDefinition=constellation" >> $GITHUB_OUTPUT
echo "imageOffer=constellation" >> $GITHUB_OUTPUT
echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT
galleryName=Constellation
elif [ "${imageType}" = debug ]
then
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
galleryName=Constellation_Debug
else
echo "imageDefinition=${branchName}" >> $GITHUB_OUTPUT
echo "imageOffer=${branchName}" >> $GITHUB_OUTPUT
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
galleryName=Constellation_Testing
fi
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
if [ "${securityType}" == "ConfidentialVMSupported" ]; then
echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT
echo "vmgsPath=" >> $GITHUB_OUTPUT
else
echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT
echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT
fi
# image family and image name may include lowercase alphanumeric characters and dashes.
# Must not end or begin with a dash
- name: Configure GCP input variables
id: gcp
if: ${{ inputs.csp == 'gcp' }}
shell: bash
env:
basePath: ${{ inputs.basePath }}
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ inputs.imageType }}
timestamp: ${{ steps.version.outputs.timestamp }}
semver: ${{ steps.version.outputs.semanticVersion }}
branchName: ${{ steps.version.outputs.branchName }}
run: |
echo "project=constellation-images" >> $GITHUB_OUTPUT
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
echo "region=europe-west3" >> $GITHUB_OUTPUT
echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_OUTPUT
echo "imagePath=${basePath}/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_OUTPUT
if [ "${imageType}" = release ]
then
echo "imageName=constellation-${imageVersion//./-}" >> $GITHUB_OUTPUT
echo "imageFilename=constellation-${imageVersion//./-}.tar.gz" >> $GITHUB_OUTPUT
echo "imageFamily=constellation" >> $GITHUB_OUTPUT
elif [ "${imageType}" = debug ]
then
echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT
echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT
echo "imageFamily=constellation-debug-${semver//./-}" >> $GITHUB_OUTPUT
else
echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT
echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT
echo "imageFamily=constellation-${branchName}" >> $GITHUB_OUTPUT
fi
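Review bot: In the Azure step's debug branch the line `echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT` appears twice; the second one should be `echo "imageOffer=${semver}" >> $GITHUB_OUTPUT` to match the release and branch cases, otherwise `imageOffer` is never written for debug images. Separately, the action's `outputs:` block declares no `azureImageOffer`, although the upload workflow in this same commit reads `steps.vars.outputs.azureImageOffer`; add `azureImageOffer:` with `value: ${{ steps.azure.outputs.imageOffer }}` next to `azureImageDefinition`, or the `AZURE_IMAGE_OFFER` env var arrives empty for every image type. Lastly, `securityType=${{ inputs.uploadVariant }}` interpolates an input straight into the script body while every other input is routed through `env:`; passing it the same way (`uploadVariant: ${{ inputs.uploadVariant }}` under `env:`, then `securityType=${uploadVariant}`) keeps the step consistent and keeps the value out of the shell's parsing path. The `debug` input is declared but not read by any step, so either drop it or document why the caller must pass it.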


@ -57,9 +57,49 @@ jobs:
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT
working-directory: ${{ github.workspace }}/build working-directory: ${{ github.workspace }}/build
build-settings:
name: "Determine build settings"
runs-on: ubuntu-22.04
outputs:
imageType: ${{ steps.image-type.outputs.imageType }}
pkiSet: ${{ steps.pki-set.outputs.pkiSet }}
steps:
- name: Checkout
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Determine type of image build
shell: bash
id: image-type
run: |
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == 'false') }}" = true ]
then
echo "imageType=release" >> $GITHUB_OUTPUT
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == 'true') }}" = true ]
then
echo "imageType=debug" >> $GITHUB_OUTPUT
else
echo "imageType=branch" >> $GITHUB_OUTPUT
fi
- name: Determine PKI set
id: pki-set
shell: bash
run: |
if [ "${{ steps.image-type.outputs.image-type }}" = "release" ]
then
echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT
else
echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT
fi
make-os-image: make-os-image:
name: "Build OS using mkosi" name: "Build OS using mkosi"
needs: build-dependencies needs: [build-settings, build-dependencies]
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
# TODO: flatten outputs once possible # TODO: flatten outputs once possible
# https://github.com/community/community/discussions/17245 # https://github.com/community/community/discussions/17245
@ -121,13 +161,15 @@ jobs:
version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3 version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3
- name: Prepare PKI for secure boot signing - name: Prepare PKI for secure boot signing
id: prepare-pki
shell: bash shell: bash
run: | run: |
ln -s pki_testing pki echo "${DB_KEY}" > ${PKI_SET}/db.key
echo "${DB_KEY}" > pki/db.key ln -s ${PKI_SET} pki
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
env: env:
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }} PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
DB_KEY: ${{ (needs.build-settings.outputs.imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
- name: Build - name: Build
shell: bash shell: bash
@ -190,7 +232,7 @@ jobs:
upload-os-image: upload-os-image:
name: "Upload OS image to CSP" name: "Upload OS image to CSP"
needs: make-os-image needs: [build-settings, make-os-image]
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
id-token: write id-token: write
@ -213,6 +255,17 @@ jobs:
name: image-${{ matrix.csp }} name: image-${{ matrix.csp }}
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
- name: Configure input variables
id: vars
uses: ./.github/actions/os_build_variables
with:
csp: ${{ matrix.csp }}
uploadVariant: ${{ matrix.upload-variant }}
basePath: ${{ github.workspace }}/image
imageVersion: ${{ inputs.imageVersion }}
imageType: ${{ needs.build-settings.outputs.imageType }}
debug: ${{ inputs.debug }}
- name: Install tools - name: Install tools
shell: bash shell: bash
run: | run: |
@ -243,102 +296,25 @@ jobs:
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
- name: Prepare PKI for image upload - name: Prepare PKI for image upload
shell: bash id: prepare-pki
run: ln -s pki_testing pki
working-directory: ${{ github.workspace }}/image
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
# Make sure to set valid names for AWS, Azure and GCP
# Azure
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
#
# GCP
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
- name: Configure input variables
shell: bash shell: bash
run: | run: |
timestamp=${{ steps.version.outputs.timestamp }} ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
semver=${{ steps.version.outputs.semanticVersion }} working-directory: ${{ github.workspace }}/image
imageVersion=${{ inputs.imageVersion }}
pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV
echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV
echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV
echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV
echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV
echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV
echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
echo "AZURE_SKU=constellation" >> $GITHUB_ENV
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
# TODO: set default security type to "ConfidentialVM" once replication is possible
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
if [ -z "${AZURE_SECURITY_TYPE}" ]; then
AZURE_SECURITY_TYPE=ConfidentialVMSupported
fi
echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=constellation
echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${semver}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Debug
else
echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Testing
fi
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
else
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
fi
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
- name: Download VMGS blob - name: Download VMGS blob
run: | run: |
aws s3 cp \ aws s3 cp \
--region ${AWS_REGION} \ --region ${AZURE_VMGS_REGION} \
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ ${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
--no-progress --no-progress
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }} if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
- name: Upload AWS image - name: Upload AWS image
shell: bash shell: bash
@ -350,6 +326,16 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'aws' }} if: ${{ matrix.csp == 'aws' }}
env:
PKI: ${{ github.workspace }}/image/pki
AWS_AMI_OUTPUT: ${{ steps.vars.outputs.awsAmiOutput }}
AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }}
AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }}
AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }}
AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }}
AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }}
AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
- name: Upload GCP image - name: Upload GCP image
shell: bash shell: bash
@ -361,6 +347,16 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'gcp' }} if: ${{ matrix.csp == 'gcp' }}
env:
PKI: ${{ github.workspace }}/image/pki
GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }}
GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }}
GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }}
GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }}
GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }}
GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
- name: Upload Azure image - name: Upload Azure image
shell: bash shell: bash
@ -372,6 +368,23 @@ jobs:
echo "::endgroup::" echo "::endgroup::"
working-directory: ${{ github.workspace }}/image working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' }} if: ${{ matrix.csp == 'azure' }}
env:
PKI: ${{ github.workspace }}/image/pki
AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }}
AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }}
AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }}
AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}
AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }}
AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }}
AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }}
AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }}
AZURE_REGION: ${{ steps.vars.outputs.azureRegion }}
AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }}
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }}
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
calculate-pcrs: calculate-pcrs:
name: "Calculate PCRs" name: "Calculate PCRs"
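Review bot: The `Determine PKI set` step tests `steps.image-type.outputs.image-type`, but the preceding step writes `imageType=...` to `$GITHUB_OUTPUT` (and the job's `outputs:` block reads `steps.image-type.outputs.imageType`), so the comparison is always false and `pkiSet` is `pki_testing` even for release builds; change it to `if [ "${{ steps.image-type.outputs.imageType }}" = "release" ]`. Because `DB_KEY` in the signing step is chosen from `needs.build-settings.outputs.imageType` while the directory comes from `pkiSet`, a release build would currently write the release db key into `pki_testing/db.key` beside the testing certificates, yielding images signed with a key that does not match the enrolled db; deriving both from the same output removes that divergence. The `DB_KEY` expression also falls back to `SECURE_BOOT_TESTING_DB_KEY` whenever the release secret evaluates empty, which would silently sign a release image with the testing key; a guard such as `[ -n "${DB_KEY}" ] || { echo "db key is empty" >&2; exit 1; }` before the write, and failing outright when `imageType` is `release` but the release secret is unset, makes that case visible. The `inputs.debug == 'false'` comparisons assume `inputs.debug` is a string; if the workflow input is declared `type: boolean` (not visible here), the expression should compare against the literal `false` as it did before this change, or no build will ever be classified as `release`.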


@ -19,8 +19,7 @@ RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \
# Copy nvram templates # Copy nvram templates
COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd
# TODO: Uncomment this line when we have a production template COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
# COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh
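Review bot: The un-commented `COPY` requires `cli/internal/libvirt/nvram/constellation_vars.production.fd` to be present in the build context, and the commit's visible file list shows only `image/pki_prod/*` additions plus seven unnamed binary files, so whether the production template is part of this change cannot be confirmed from the page; if it is not, the image build now fails at this line. A one-line comment above the two `COPY` lines stating which PK/KEK/db set each nvram template enrolls (for example `# production template enrolls the image/pki_prod certificates`, if that is the case) would let a reader check that the template and the signing PKI stay in step.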


@ -106,6 +106,7 @@ export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images" export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images"
export AZURE_REGION=northeurope export AZURE_REGION=northeurope
export AZURE_REPLICATION_REGIONS=
export AZURE_DISK_NAME=constellation-$(date +%s) export AZURE_DISK_NAME=constellation-$(date +%s)
export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME} export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw

BIN
image/pki_prod/KEK.auth Normal file

Binary file not shown.

BIN
image/pki_prod/KEK.cer Normal file

Binary file not shown.

23
image/pki_prod/KEK.crt Normal file

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

BIN
image/pki_prod/KEK.esl Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

BIN
image/pki_prod/PK.auth Normal file

Binary file not shown.

BIN
image/pki_prod/PK.cer Normal file

Binary file not shown.

23
image/pki_prod/PK.crt Normal file

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

BIN
image/pki_prod/PK.esl Normal file

Binary file not shown.

BIN
image/pki_prod/db.auth Normal file

Binary file not shown.

BIN
image/pki_prod/db.cer Normal file

Binary file not shown.

23
image/pki_prod/db.crt Normal file

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

BIN
image/pki_prod/db.esl Normal file

Binary file not shown.