mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
CI: Add secure boot prod keys (#462)
* Add production secure boot keys * Refactor OS build and upload settings
This commit is contained in:
parent
5ffdbc9bd6
commit
ed58fcccd3
242
.github/actions/os_build_variables/action.yml
vendored
Normal file
242
.github/actions/os_build_variables/action.yml
vendored
Normal file
@ -0,0 +1,242 @@
|
||||
name: Determine OS image upload variables
|
||||
description: "Determine parameters used for image upload to various CSPs."
|
||||
inputs:
|
||||
csp:
|
||||
description: "Cloud Service Provider"
|
||||
required: true
|
||||
uploadVariant:
|
||||
description: "Upload variant"
|
||||
required: true
|
||||
basePath:
|
||||
description: "Base path to the image build directory"
|
||||
required: true
|
||||
imageVersion:
|
||||
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
||||
required: false
|
||||
imageType:
|
||||
description: "Type of image to build"
|
||||
required: true
|
||||
debug:
|
||||
description: "Build debug image"
|
||||
required: false
|
||||
default: "false"
|
||||
outputs:
|
||||
awsRegion:
|
||||
description: "Primary AWS region"
|
||||
value: ${{ steps.aws.outputs.region }}
|
||||
awsReplicationRegions:
|
||||
description: "AWS regions to replicate the image to"
|
||||
value: ${{ steps.aws.outputs.replicationRegions }}
|
||||
awsBucket:
|
||||
description: "AWS S3 bucket to upload the image to"
|
||||
value: ${{ steps.aws.outputs.bucket }}
|
||||
awsEfivarsPath:
|
||||
description: "AWS efivars path"
|
||||
value: ${{ steps.aws.outputs.efivarsPath }}
|
||||
awsImagePath:
|
||||
description: "AWS image path"
|
||||
value: ${{ steps.aws.outputs.imagePath }}
|
||||
awsAmiOutput:
|
||||
description: "AWS ami output path"
|
||||
value: ${{ steps.aws.outputs.amiOutput }}
|
||||
awsImageFilename:
|
||||
description: "AWS raw image filename"
|
||||
value: ${{ steps.aws.outputs.imageFilename }}
|
||||
awsImageName:
|
||||
description: "AWS image name"
|
||||
value: ${{ steps.aws.outputs.imageName }}
|
||||
azureResourceGroupName:
|
||||
description: "Azure resource group name"
|
||||
value: ${{ steps.azure.outputs.resourceGroupName }}
|
||||
azureRegion:
|
||||
description: "Primary Azure region"
|
||||
value: ${{ steps.azure.outputs.region }}
|
||||
azureReplicationRegions:
|
||||
description: "Azure regions to replicate the image to"
|
||||
value: ${{ steps.azure.outputs.replicationRegions }}
|
||||
azureVmgsRegion:
|
||||
description: "Azure VMGS region (AWS S3 bucket region where VMGS blob is stored)"
|
||||
value: ${{ steps.azure.outputs.vmgsRegion }}
|
||||
azureSku:
|
||||
description: "Azure SIG SKU"
|
||||
value: ${{ steps.azure.outputs.sku }}
|
||||
azurePublisher:
|
||||
description: "Azure SIG publisher"
|
||||
value: ${{ steps.azure.outputs.publisher }}
|
||||
azureRawImagePath:
|
||||
description: "Azure raw image path"
|
||||
value: ${{ steps.azure.outputs.rawImagePath }}
|
||||
azureImagePath:
|
||||
description: "Azure image path"
|
||||
value: ${{ steps.azure.outputs.imagePath }}
|
||||
azureSecurityType:
|
||||
description: "Azure security type"
|
||||
value: ${{ steps.azure.outputs.securityType }}
|
||||
azureDiskName:
|
||||
description: "Azure disk name"
|
||||
value: ${{ steps.azure.outputs.diskName }}
|
||||
azureImageDefinition:
|
||||
description: "Azure image definition"
|
||||
value: ${{ steps.azure.outputs.imageDefinition }}
|
||||
azureImageVersion:
|
||||
description: "Azure image version"
|
||||
value: ${{ steps.azure.outputs.imageVersion }}
|
||||
azureGalleryName:
|
||||
description: "Azure gallery name"
|
||||
value: ${{ steps.azure.outputs.galleryName }}
|
||||
azureVmgsPath:
|
||||
description: "Azure VMGS path"
|
||||
value: ${{ steps.azure.outputs.vmgsPath }}
|
||||
gcpProject:
|
||||
description: "GCP project"
|
||||
value: ${{ steps.gcp.outputs.project }}
|
||||
gcpBucket:
|
||||
description: "GCP bucket"
|
||||
value: ${{ steps.gcp.outputs.bucket }}
|
||||
gcpRegion:
|
||||
description: "GCP region"
|
||||
value: ${{ steps.gcp.outputs.region }}
|
||||
gcpRawImagePath:
|
||||
description: "GCP raw image path"
|
||||
value: ${{ steps.gcp.outputs.rawImagePath }}
|
||||
gcpImagePath:
|
||||
description: "GCP image path"
|
||||
value: ${{ steps.gcp.outputs.imagePath }}
|
||||
gcpImageName:
|
||||
description: "GCP image name"
|
||||
value: ${{ steps.gcp.outputs.imageName }}
|
||||
gcpImageFilename:
|
||||
description: "GCP image filename"
|
||||
value: ${{ steps.gcp.outputs.imageFilename }}
|
||||
gcpImageFamily:
|
||||
description: "GCP image family"
|
||||
value: ${{ steps.gcp.outputs.imageFamily }}
|
||||
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Determine version
|
||||
id: version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Configure AWS input variables
|
||||
id: aws
|
||||
if: ${{ inputs.csp == 'aws' }}
|
||||
shell: bash
|
||||
env:
|
||||
basePath: ${{ inputs.basePath }}
|
||||
imageVersion: ${{ inputs.imageVersion }}
|
||||
imageType: ${{ inputs.imageType }}
|
||||
timestamp: ${{ steps.version.outputs.timestamp }}
|
||||
semver: ${{ steps.version.outputs.semanticVersion }}
|
||||
branchName: ${{ steps.version.outputs.branchName }}
|
||||
run: |
|
||||
echo "region=eu-central-1" >> $GITHUB_OUTPUT
|
||||
echo "replicationRegions=us-east-2 ap-south-1" >> $GITHUB_OUTPUT
|
||||
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
|
||||
echo "efivarsPath=${basePath}/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_OUTPUT
|
||||
echo "imagePath=${basePath}/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_OUTPUT
|
||||
echo "amiOutput=${basePath}/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_OUTPUT
|
||||
echo "imageFilename=image-$(date +%s).raw" >> $GITHUB_OUTPUT
|
||||
if [ "${imageType}" = release ]
|
||||
then
|
||||
echo "imageName=constellation-${imageVersion}" >> $GITHUB_OUTPUT
|
||||
elif [ "${imageType}" = debug ]
|
||||
then
|
||||
echo "imageName=constellation-debug-${semver}-${timestamp}" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "imageName=constellation-${branchName}-${timestamp}" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
|
||||
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
|
||||
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
|
||||
- name: Configure Azure input variables
|
||||
id: azure
|
||||
if: ${{ inputs.csp == 'azure' }}
|
||||
shell: bash
|
||||
env:
|
||||
basePath: ${{ inputs.basePath }}
|
||||
imageVersion: ${{ inputs.imageVersion }}
|
||||
imageType: ${{ inputs.imageType }}
|
||||
timestamp: ${{ steps.version.outputs.timestamp }}
|
||||
semver: ${{ steps.version.outputs.semanticVersion }}
|
||||
pseudover: ${{ steps.version.outputs.pseudoVersion }}
|
||||
branchName: ${{ steps.version.outputs.branchName }}
|
||||
run: |
|
||||
echo "resourceGroupName=constellation-images" >> $GITHUB_OUTPUT
|
||||
echo "region=northeurope" >> $GITHUB_OUTPUT
|
||||
echo "vmgsRegion=eu-central-1" >> $GITHUB_OUTPUT
|
||||
echo "replicationRegions=northeurope eastus westeurope westus" >> $GITHUB_OUTPUT
|
||||
echo "sku=constellation" >> $GITHUB_OUTPUT
|
||||
echo "publisher=edgelesssys" >> $GITHUB_OUTPUT
|
||||
echo "rawImagePath=${basePath}/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_OUTPUT
|
||||
echo "imagePath=${basePath}/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_OUTPUT
|
||||
# TODO: set default security type to "ConfidentialVM" once replication is possible
|
||||
securityType=${{ inputs.uploadVariant }}
|
||||
if [ -z "${securityType}" ]; then
|
||||
securityType=ConfidentialVMSupported
|
||||
fi
|
||||
echo "securityType=${securityType}" >> $GITHUB_OUTPUT
|
||||
echo "diskName=constellation-${pseudover//./-}-${securityType,,}" >> $GITHUB_OUTPUT
|
||||
if [ "${imageType}" = release ]
|
||||
then
|
||||
echo "imageDefinition=constellation" >> $GITHUB_OUTPUT
|
||||
echo "imageOffer=constellation" >> $GITHUB_OUTPUT
|
||||
echo "imageVersion=${imageVersion:1}" >> $GITHUB_OUTPUT
|
||||
galleryName=Constellation
|
||||
elif [ "${imageType}" = debug ]
|
||||
then
|
||||
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
|
||||
echo "imageDefinition=${semver}" >> $GITHUB_OUTPUT
|
||||
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
|
||||
galleryName=Constellation_Debug
|
||||
else
|
||||
echo "imageDefinition=${branchName}" >> $GITHUB_OUTPUT
|
||||
echo "imageOffer=${branchName}" >> $GITHUB_OUTPUT
|
||||
echo "imageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_OUTPUT
|
||||
galleryName=Constellation_Testing
|
||||
fi
|
||||
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
|
||||
if [ "${securityType}" == "ConfidentialVMSupported" ]; then
|
||||
echo "galleryName=${galleryName}_CVM" >> $GITHUB_OUTPUT
|
||||
echo "vmgsPath=" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "galleryName=${galleryName}" >> $GITHUB_OUTPUT
|
||||
echo "vmgsPath=${basePath}/pki/${securityType}.vmgs" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
# image family and image name may include lowercase alphanumeric characters and dashes.
|
||||
# Must not end or begin with a dash
|
||||
- name: Configure GCP input variables
|
||||
id: gcp
|
||||
if: ${{ inputs.csp == 'gcp' }}
|
||||
shell: bash
|
||||
env:
|
||||
basePath: ${{ inputs.basePath }}
|
||||
imageVersion: ${{ inputs.imageVersion }}
|
||||
imageType: ${{ inputs.imageType }}
|
||||
timestamp: ${{ steps.version.outputs.timestamp }}
|
||||
semver: ${{ steps.version.outputs.semanticVersion }}
|
||||
branchName: ${{ steps.version.outputs.branchName }}
|
||||
run: |
|
||||
echo "project=constellation-images" >> $GITHUB_OUTPUT
|
||||
echo "bucket=constellation-images" >> $GITHUB_OUTPUT
|
||||
echo "region=europe-west3" >> $GITHUB_OUTPUT
|
||||
echo "rawImagePath=${basePath}/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_OUTPUT
|
||||
echo "imagePath=${basePath}/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_OUTPUT
|
||||
if [ "${imageType}" = release ]
|
||||
then
|
||||
echo "imageName=constellation-${imageVersion//./-}" >> $GITHUB_OUTPUT
|
||||
echo "imageFilename=constellation-${imageVersion//./-}.tar.gz" >> $GITHUB_OUTPUT
|
||||
echo "imageFamily=constellation" >> $GITHUB_OUTPUT
|
||||
elif [ "${imageType}" = debug ]
|
||||
then
|
||||
echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT
|
||||
echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT
|
||||
echo "imageFamily=constellation-debug-${semver//./-}" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "imageName=constellation-${timestamp}" >> $GITHUB_OUTPUT
|
||||
echo "imageFilename=constellation-${timestamp}.tar.gz" >> $GITHUB_OUTPUT
|
||||
echo "imageFamily=constellation-${branchName}" >> $GITHUB_OUTPUT
|
||||
fi
|
197
.github/workflows/build-os-image.yml
vendored
197
.github/workflows/build-os-image.yml
vendored
@ -57,9 +57,49 @@ jobs:
|
||||
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT
|
||||
working-directory: ${{ github.workspace }}/build
|
||||
|
||||
build-settings:
|
||||
name: "Determine build settings"
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
imageType: ${{ steps.image-type.outputs.imageType }}
|
||||
pkiSet: ${{ steps.pki-set.outputs.pkiSet }}
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0
|
||||
|
||||
- name: Determine version
|
||||
id: version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
- name: Determine type of image build
|
||||
shell: bash
|
||||
id: image-type
|
||||
run: |
|
||||
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == 'false') }}" = true ]
|
||||
then
|
||||
echo "imageType=release" >> $GITHUB_OUTPUT
|
||||
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == 'true') }}" = true ]
|
||||
then
|
||||
echo "imageType=debug" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "imageType=branch" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Determine PKI set
|
||||
id: pki-set
|
||||
shell: bash
|
||||
run: |
|
||||
if [ "${{ steps.image-type.outputs.image-type }}" = "release" ]
|
||||
then
|
||||
echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
make-os-image:
|
||||
name: "Build OS using mkosi"
|
||||
needs: build-dependencies
|
||||
needs: [build-settings, build-dependencies]
|
||||
runs-on: ubuntu-22.04
|
||||
# TODO: flatten outputs once possible
|
||||
# https://github.com/community/community/discussions/17245
|
||||
@ -121,13 +161,15 @@ jobs:
|
||||
version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3
|
||||
|
||||
- name: Prepare PKI for secure boot signing
|
||||
id: prepare-pki
|
||||
shell: bash
|
||||
run: |
|
||||
ln -s pki_testing pki
|
||||
echo "${DB_KEY}" > pki/db.key
|
||||
echo "${DB_KEY}" > ${PKI_SET}/db.key
|
||||
ln -s ${PKI_SET} pki
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
env:
|
||||
DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }}
|
||||
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
|
||||
DB_KEY: ${{ (needs.build-settings.outputs.imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }}
|
||||
|
||||
- name: Build
|
||||
shell: bash
|
||||
@ -190,7 +232,7 @@ jobs:
|
||||
|
||||
upload-os-image:
|
||||
name: "Upload OS image to CSP"
|
||||
needs: make-os-image
|
||||
needs: [build-settings, make-os-image]
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
id-token: write
|
||||
@ -213,6 +255,17 @@ jobs:
|
||||
name: image-${{ matrix.csp }}
|
||||
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
|
||||
|
||||
- name: Configure input variables
|
||||
id: vars
|
||||
uses: ./.github/actions/os_build_variables
|
||||
with:
|
||||
csp: ${{ matrix.csp }}
|
||||
uploadVariant: ${{ matrix.upload-variant }}
|
||||
basePath: ${{ github.workspace }}/image
|
||||
imageVersion: ${{ inputs.imageVersion }}
|
||||
imageType: ${{ needs.build-settings.outputs.imageType }}
|
||||
debug: ${{ inputs.debug }}
|
||||
|
||||
- name: Install tools
|
||||
shell: bash
|
||||
run: |
|
||||
@ -243,102 +296,25 @@ jobs:
|
||||
gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }}
|
||||
|
||||
- name: Prepare PKI for image upload
|
||||
shell: bash
|
||||
run: ln -s pki_testing pki
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
|
||||
- name: Determine version
|
||||
id: version
|
||||
uses: ./.github/actions/pseudo_version
|
||||
|
||||
# Make sure to set valid names for AWS, Azure and GCP
|
||||
# Azure
|
||||
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
|
||||
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
|
||||
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
|
||||
#
|
||||
# GCP
|
||||
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
|
||||
- name: Configure input variables
|
||||
id: prepare-pki
|
||||
shell: bash
|
||||
run: |
|
||||
timestamp=${{ steps.version.outputs.timestamp }}
|
||||
semver=${{ steps.version.outputs.semanticVersion }}
|
||||
imageVersion=${{ inputs.imageVersion }}
|
||||
pseudover=${{ steps.version.outputs.pseudoVersion }}
|
||||
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
|
||||
echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV
|
||||
echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV
|
||||
echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV
|
||||
echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV
|
||||
echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV
|
||||
echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV
|
||||
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
|
||||
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
|
||||
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
|
||||
echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV
|
||||
echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV
|
||||
echo "AZURE_REGION=northeurope" >> $GITHUB_ENV
|
||||
echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV
|
||||
echo "AZURE_SKU=constellation" >> $GITHUB_ENV
|
||||
echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV
|
||||
echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV
|
||||
echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV
|
||||
# TODO: set default security type to "ConfidentialVM" once replication is possible
|
||||
AZURE_SECURITY_TYPE=${{ matrix.upload-variant }}
|
||||
if [ -z "${AZURE_SECURITY_TYPE}" ]; then
|
||||
AZURE_SECURITY_TYPE=ConfidentialVMSupported
|
||||
fi
|
||||
echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV
|
||||
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
|
||||
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
|
||||
then
|
||||
echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV
|
||||
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
|
||||
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
|
||||
AZURE_IMAGE_DEFINITION=constellation
|
||||
echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV
|
||||
AZURE_GALLERY_NAME=Constellation
|
||||
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
|
||||
then
|
||||
echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
|
||||
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
||||
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
|
||||
AZURE_IMAGE_DEFINITION=${semver}
|
||||
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
|
||||
AZURE_GALLERY_NAME=Constellation_Debug
|
||||
else
|
||||
echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
|
||||
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
|
||||
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
|
||||
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
|
||||
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
|
||||
AZURE_GALLERY_NAME=Constellation_Testing
|
||||
fi
|
||||
# TODO: enable VMGS upload for ConfidentialVM images once replication is possible
|
||||
if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then
|
||||
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV
|
||||
echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV
|
||||
else
|
||||
echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV
|
||||
echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV
|
||||
fi
|
||||
echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
|
||||
echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV
|
||||
echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV
|
||||
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
|
||||
ln -s ${{ needs.build-settings.outputs.pkiSet }} pki
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
|
||||
- name: Download VMGS blob
|
||||
run: |
|
||||
aws s3 cp \
|
||||
--region ${AWS_REGION} \
|
||||
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||||
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
|
||||
--region ${AZURE_VMGS_REGION} \
|
||||
s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
|
||||
${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
|
||||
--no-progress
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
|
||||
env:
|
||||
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
|
||||
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
|
||||
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
|
||||
|
||||
- name: Upload AWS image
|
||||
shell: bash
|
||||
@ -350,6 +326,16 @@ jobs:
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'aws' }}
|
||||
env:
|
||||
PKI: ${{ github.workspace }}/image/pki
|
||||
AWS_AMI_OUTPUT: ${{ steps.vars.outputs.awsAmiOutput }}
|
||||
AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }}
|
||||
AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }}
|
||||
AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }}
|
||||
AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }}
|
||||
AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }}
|
||||
AWS_REGION: ${{ steps.vars.outputs.awsRegion }}
|
||||
AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }}
|
||||
|
||||
- name: Upload GCP image
|
||||
shell: bash
|
||||
@ -361,6 +347,16 @@ jobs:
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'gcp' }}
|
||||
env:
|
||||
PKI: ${{ github.workspace }}/image/pki
|
||||
GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }}
|
||||
GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }}
|
||||
GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }}
|
||||
GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }}
|
||||
GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }}
|
||||
GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }}
|
||||
GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }}
|
||||
GCP_REGION: ${{ steps.vars.outputs.gcpRegion }}
|
||||
|
||||
- name: Upload Azure image
|
||||
shell: bash
|
||||
@ -372,6 +368,23 @@ jobs:
|
||||
echo "::endgroup::"
|
||||
working-directory: ${{ github.workspace }}/image
|
||||
if: ${{ matrix.csp == 'azure' }}
|
||||
env:
|
||||
PKI: ${{ github.workspace }}/image/pki
|
||||
AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }}
|
||||
AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }}
|
||||
AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }}
|
||||
AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }}
|
||||
AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }}
|
||||
AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }}
|
||||
AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }}
|
||||
AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }}
|
||||
AZURE_REGION: ${{ steps.vars.outputs.azureRegion }}
|
||||
AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }}
|
||||
AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }}
|
||||
AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }}
|
||||
AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }}
|
||||
AZURE_SKU: ${{ steps.vars.outputs.azureSku }}
|
||||
AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }}
|
||||
|
||||
calculate-pcrs:
|
||||
name: "Calculate PCRs"
|
||||
|
@ -19,8 +19,7 @@ RUN echo "cgroup_controllers = []" >> /etc/libvirt/qemu.conf && \
|
||||
|
||||
# Copy nvram templates
|
||||
COPY ./cli/internal/libvirt/nvram/constellation_vars.testing.fd /usr/share/OVMF/constellation_vars.testing.fd
|
||||
# TODO: Uncomment this line when we have a production template
|
||||
# COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
|
||||
COPY ./cli/internal/libvirt/nvram/constellation_vars.production.fd /usr/share/OVMF/constellation_vars.production.fd
|
||||
|
||||
COPY --chmod=755 ./cli/internal/libvirt/start.sh /start.sh
|
||||
|
||||
|
BIN
cli/internal/libvirt/nvram/constellation_vars.production.fd
Normal file
BIN
cli/internal/libvirt/nvram/constellation_vars.production.fd
Normal file
Binary file not shown.
@ -106,6 +106,7 @@ export AZURE_SECURITY_TYPE=ConfidentialVM # or TrustedLaunch
|
||||
export AZURE_RESOURCE_GROUP_NAME= # e.g. "constellation-images"
|
||||
|
||||
export AZURE_REGION=northeurope
|
||||
export AZURE_REPLICATION_REGIONS=
|
||||
export AZURE_DISK_NAME=constellation-$(date +%s)
|
||||
export AZURE_SNAPSHOT_NAME=${AZURE_DISK_NAME}
|
||||
export AZURE_RAW_IMAGE_PATH=${PWD}/mkosi.output.azure/fedora~36/image.raw
|
||||
|
BIN
image/pki_prod/KEK.auth
Normal file
BIN
image/pki_prod/KEK.auth
Normal file
Binary file not shown.
BIN
image/pki_prod/KEK.cer
Normal file
BIN
image/pki_prod/KEK.cer
Normal file
Binary file not shown.
23
image/pki_prod/KEK.crt
Normal file
23
image/pki_prod/KEK.crt
Normal file
@ -0,0 +1,23 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDzzCCAregAwIBAgIUPRz+bwbU52YaVAdEOfTJsDS8uaMwDQYJKoZIhvcNAQEL
|
||||
BQAwgYAxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVu
|
||||
MQ8wDQYDVQQHDAZCb2NodW0xHjAcBgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21i
|
||||
SDEiMCAGA1UEAwwZQ29uc3RlbGxhdGlvbiBLRUsgQ0EgMjAyMjAeFw0yMjExMDMx
|
||||
MDQ0NDRaFw0yMjEyMDMxMDQ0NDRaMIGAMQswCQYDVQQGEwJERTEcMBoGA1UECAwT
|
||||
Tm9yZHJoZWluIFdlc3RmYWxlbjEPMA0GA1UEBwwGQm9jaHVtMR4wHAYDVQQKDBVF
|
||||
ZGdlbGVzcyBTeXN0ZW1zIEdtYkgxIjAgBgNVBAMMGUNvbnN0ZWxsYXRpb24gS0VL
|
||||
IENBIDIwMjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCH7pE0Tj7w
|
||||
MbkyiP//SnoMsO576EflVzaAuuhtdk/VPRvWFLbYfQF+Y9nMb1tsaf1pkMsYvO9G
|
||||
nww0P+5kBEkqnNg3wEnHOmJvJvqXGeo5kZ6LOkBo2cF9jWYxAQzpBq/DSbFxxuoC
|
||||
0S2SJ+x1VW2rQSBDm39WIN96j3OOfWlGh9jM2Y//zajSMiLCn2l2BbxC68SxCdy+
|
||||
DZKy8EhDnrXaR/c3wx4OmuyUAYjGy4AZoyKz6yW1tPFzB+YxSQg12oHqVeU16Fh5
|
||||
Lh/sYRzf0XOLOCqmiA8Sdt47Mbg3FUMxqiXE72GslSfO866va1sc/XPWtthO/8DH
|
||||
wURcg5VjuL57AgMBAAGjPzA9MB0GA1UdDgQWBBSvkI06eyur45yPKWNppXgKDY39
|
||||
BjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
|
||||
AQEAR+kGJkPdQahdPYo4ysyHLmiN6LlTwUsfEvvvree4rIM3yMBLdp5cSTtj/R29
|
||||
QMhJvdqFxTRpq7if1qfeXgs4VKuJhFa5MKDE2v2aNGn2fdH11+eQN8g2D2LI/VS8
|
||||
bVaEXY2iDbN0wE190stW7zMYZymyE7k2ApSvk4dgIiTD5ekFGZQMASeRokih1N1C
|
||||
0BswAn/cQiD+V8H+f69nYlykH+054RbM3BR4GNyimMtYm+2YTT3Dqp0gXZ4VGIV5
|
||||
XNv9qKJv5rVCuhl0RtRQu1+MRbvVHtGtbHUzBtUSYqdOlq7jMvPCx0GjbNx4L0RU
|
||||
LSqg6IEUEjiayK1RQtsD/dVXZQ==
|
||||
-----END CERTIFICATE-----
|
BIN
image/pki_prod/KEK.esl
Normal file
BIN
image/pki_prod/KEK.esl
Normal file
Binary file not shown.
BIN
image/pki_prod/MicCorKEKCA2011_2011-06-24.crt
Normal file
BIN
image/pki_prod/MicCorKEKCA2011_2011-06-24.crt
Normal file
Binary file not shown.
BIN
image/pki_prod/MicCorKEKCA2011_2011-06-24.esl
Normal file
BIN
image/pki_prod/MicCorKEKCA2011_2011-06-24.esl
Normal file
Binary file not shown.
BIN
image/pki_prod/MicCorUEFCA2011_2011-06-27.crt
Normal file
BIN
image/pki_prod/MicCorUEFCA2011_2011-06-27.crt
Normal file
Binary file not shown.
BIN
image/pki_prod/MicCorUEFCA2011_2011-06-27.esl
Normal file
BIN
image/pki_prod/MicCorUEFCA2011_2011-06-27.esl
Normal file
Binary file not shown.
BIN
image/pki_prod/MicWinProPCA2011_2011-10-19.crt
Normal file
BIN
image/pki_prod/MicWinProPCA2011_2011-10-19.crt
Normal file
Binary file not shown.
BIN
image/pki_prod/MicWinProPCA2011_2011-10-19.esl
Normal file
BIN
image/pki_prod/MicWinProPCA2011_2011-10-19.esl
Normal file
Binary file not shown.
BIN
image/pki_prod/PK.auth
Normal file
BIN
image/pki_prod/PK.auth
Normal file
Binary file not shown.
BIN
image/pki_prod/PK.cer
Normal file
BIN
image/pki_prod/PK.cer
Normal file
Binary file not shown.
23
image/pki_prod/PK.crt
Normal file
23
image/pki_prod/PK.crt
Normal file
@ -0,0 +1,23 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID0TCCArmgAwIBAgIUJREZ+2W4ltUi+sHkD0P2Gzh1pugwDQYJKoZIhvcNAQEL
|
||||
BQAwgYExCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVu
|
||||
MQ8wDQYDVQQHDAZCb2NodW0xHjAcBgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21i
|
||||
SDEjMCEGA1UEAwwaQ29uc3RlbGxhdGlvbiBVRUZJIENBIDIwMjIwHhcNMjIxMTAz
|
||||
MTA0NDQzWhcNMjIxMjAzMTA0NDQzWjCBgTELMAkGA1UEBhMCREUxHDAaBgNVBAgM
|
||||
E05vcmRyaGVpbiBXZXN0ZmFsZW4xDzANBgNVBAcMBkJvY2h1bTEeMBwGA1UECgwV
|
||||
RWRnZWxlc3MgU3lzdGVtcyBHbWJIMSMwIQYDVQQDDBpDb25zdGVsbGF0aW9uIFVF
|
||||
RkkgQ0EgMjAyMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbY5r+o
|
||||
2oiCzfOMu0Bb3PqnF7ZBVY+bEwr1zDsX5tEyQqOOiemGLNE2yr6adjTRbldHNON1
|
||||
kGzuoiD2N4yZQLIpgwPuK2BPM7+ZKVBX4Iw0lmwTXyQhj5uAfCvGbguBXAODB/OO
|
||||
ERs09CIYseowGQXtsoOgPCBFv2hxYW65Veu0kEb2X81fBuigKZ7WYK3lPjY5Vm00
|
||||
TIBIV4BsQ2Cd11qqt58gc1AXsrrsRkHMEKVUHhcwUxHu4ZRawdcCg1wEhtboP2Bn
|
||||
rxfvi0dzqpMIHvWU8wzkauGOAEonSkAo2KOzPUzHzfZ35aArErW5GDwvW6ngt/qK
|
||||
LcOEoPbL4zD8czECAwEAAaM/MD0wHQYDVR0OBBYEFIxJ60SdEHlmkxJi1Tmkhneq
|
||||
qKGXMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBCwUA
|
||||
A4IBAQBzl6kd0ugxUsdUeN+lirrCa8ZcdBaULcKUoCfL+Ho4PxotILH8g6lTCqNL
|
||||
Isk+kmHsV0JHkkV5R46YbL16lZM1qXhtYQA5yTrKe9sNEre9plAPMQQ2xSAZmVLN
|
||||
rXDHSLHnerWt2dHkeAF19W20lNBWS1JNRSPVKKWnIFePwm0Z5GXoIfPGyu8AZUTO
|
||||
AJ7u0NRHiTuUfTC8mZz349ChSnEtRiYur20YHUxQudCQr58c594K1L7GfLoTSpSw
|
||||
OuYxW7+IYAjLOch1VX9x9BmcmUEL9ut+5W7b61EHEikyUKhvozUWkb9XwmGwROSh
|
||||
XfrcASBcXJcgYb3TXyHrIMBNtCEU
|
||||
-----END CERTIFICATE-----
|
BIN
image/pki_prod/PK.esl
Normal file
BIN
image/pki_prod/PK.esl
Normal file
Binary file not shown.
BIN
image/pki_prod/db.auth
Normal file
BIN
image/pki_prod/db.auth
Normal file
Binary file not shown.
BIN
image/pki_prod/db.cer
Normal file
BIN
image/pki_prod/db.cer
Normal file
Binary file not shown.
23
image/pki_prod/db.crt
Normal file
23
image/pki_prod/db.crt
Normal file
@ -0,0 +1,23 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIID3zCCAsegAwIBAgIUabymjDZHxHUDa8BD0zOZ8+EOE3UwDQYJKoZIhvcNAQEL
|
||||
BQAwgYgxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVu
|
||||
MQ8wDQYDVQQHDAZCb2NodW0xHjAcBgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21i
|
||||
SDEqMCgGA1UEAwwhQ29uc3RlbGxhdGlvbiBQcm9kdWN0aW9uIFBDQSAyMDIyMB4X
|
||||
DTIyMTEwMzEwNDQ0NFoXDTIyMTIwMzEwNDQ0NFowgYgxCzAJBgNVBAYTAkRFMRww
|
||||
GgYDVQQIDBNOb3JkcmhlaW4gV2VzdGZhbGVuMQ8wDQYDVQQHDAZCb2NodW0xHjAc
|
||||
BgNVBAoMFUVkZ2VsZXNzIFN5c3RlbXMgR21iSDEqMCgGA1UEAwwhQ29uc3RlbGxh
|
||||
dGlvbiBQcm9kdWN0aW9uIFBDQSAyMDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
||||
MIIBCgKCAQEAjnnWY1ghM2nSAsXy5XTCzxelfn2r05XKIoi5Z/950/5vDXxwtHsP
|
||||
+3+L0/cQOw4kFI18QZelKOR6ZmnjE2QqyzWfFGluJUKs8m/fWBVzfSmwnHxMrAAq
|
||||
iO548WefX10zx/8V6M0vZ1V1yxSy7MmGbZfM3GyDWwzQqUPpT0aJqJqMMjLhqqo4
|
||||
od0MogwfPs2TwAGwuKRDB2gQWefXZKGIuBGVV+aUtLtOqgg/IFCmpZ86aSKrC/sY
|
||||
lZMaohez0w7C9qz0MxGammGkbzF5bwzb1pqZejOc3Gi42THaJkMB8NLG0snW4mEA
|
||||
h0zyWwfsqDxG5AuOzcj7OPBbp6jxeyYzoQIDAQABoz8wPTAdBgNVHQ4EFgQU/8+b
|
||||
Jm3btv0a/cjt91jbeFIsi80wDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYw
|
||||
DQYJKoZIhvcNAQELBQADggEBADPVt4BDSvTGCvxdBUWM94RU0BpineYMhXGxo5wl
|
||||
SVo3QvA2UYdVgMOsxbRuc4cwDMCYWD9jX3EeLHQojZYevw6LwBxYz8cTW/U+7h4E
|
||||
Ct2LVLJli5ZmUweTjEB6wBI+ykuQUicyvyOHY2kJbXzWYiZ8izByZNawP1sFuGgr
|
||||
25gGJjArlxRn24Nv3ZpQjV4q6voTVulZQD1iNm7Y1gqrIhflvn91x5d8eARuieGH
|
||||
4oYEvvYhTp8yxVeY8h+Q5Ve8gubj4rMwjEdDUdPMkJ6LHe+xjiH0xLjjKlVioDuZ
|
||||
+HvmCaNQ50Gro7cfrn+kIi8gM1DnQFyRg54qVlN/MYasi7s=
|
||||
-----END CERTIFICATE-----
|
BIN
image/pki_prod/db.esl
Normal file
BIN
image/pki_prod/db.esl
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user