image: remove old mkosi config
parent
0979a483b4
commit
fc1045a4f7
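--- a/image/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-mkosi.cache
-mkosi.extra
-pki
-image.*
-!image.go
-mkosi.output.*
-pki_*/*.key
-pki_*/*.vmgs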
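--- a/image/Makefile
+++ /dev/null
@@ -1,113 +0,0 @@
-SHELL = /bin/bash
-SRC_PATH = $(CURDIR)
-BASE_PATH ?= $(SRC_PATH)
-BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper
-DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
-UPGRADE_AGENT_BINARY ?= $(BASE_PATH)/../build/upgrade-agent
-DEBUGD_BINARY ?= $(BASE_PATH)/../build/debugd
-MEASUREMENT_READER_BINARY ?= $(BASE_PATH)/../build/measurement-reader
-PKI ?= $(BASE_PATH)/pki
-MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
-EXTRA_SEARCH_PATHS ?=
-IMAGE_VERSION ?= v0.0.0
-DEBUG ?= false
-AUTOLOGIN ?= false
-AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
-KERNEL_DEBUG_CMDLNE := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
-SEARCH_PATHS_PARAM := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
-export INSTALL_DEBUGD ?= $(DEBUG)
-export CONSOLE_MOTD = $(AUTOLOGIN)
--include $(CURDIR)/config.mk
-csps := aws azure gcp openstack qemu
-variants := aws_aws-sev-snp aws_aws-nitro-tpm azure_azure-sev-snp gcp_gcp-sev-es gcp_gcp-sev-snp openstack_qemu-vtpm qemu_qemu-vtpm
-certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
-
-SYSTEMD_FIXED_RPMS := systemd-251.11-2.fc37.x86_64.rpm systemd-libs-251.11-2.fc37.x86_64.rpm systemd-networkd-251.11-2.fc37.x86_64.rpm systemd-pam-251.11-2.fc37.x86_64.rpm systemd-resolved-251.11-2.fc37.x86_64.rpm systemd-udev-251.11-2.fc37.x86_64.rpm
-KERNEL_RPMS := kernel-6.1.46-100.constellation.fc38.x86_64.rpm kernel-core-6.1.46-100.constellation.fc38.x86_64.rpm kernel-modules-6.1.46-100.constellation.fc38.x86_64.rpm kernel-modules-core-6.1.46-100.constellation.fc38.x86_64.rpm
-PREBUILD_RPMS_SYSTEMD := $(addprefix prebuilt/rpms/systemd/,$(SYSTEMD_FIXED_RPMS))
-PREBUILD_RPMS_KERNEL := $(addprefix prebuilt/rpms/kernel/,$(KERNEL_RPMS))
-
-.PHONY: all clean inject-bins $(csps) $(variants)
-
-.NOTPARALLEL: mkosi.output.%/fedora~38/image.raw clean-%
-
-all: $(csps)
-
-aws: aws_aws-sev-snp aws_aws-nitro-tpm
-azure: azure_azure-sev-snp
-gcp: gcp_gcp-sev-es gcp_gcp-sev-snp
-openstack: openstack_qemu-vtpm
-qemu: qemu_qemu-vtpm
-
-$(variants): %: mkosi.output.%/fedora~38/image.raw
-
-prebuilt/rpms/systemd/%.rpm:
-@echo "Downloading $*"
-@mkdir -p $(@D)
-@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/systemd/251.11/2.fc37/x86_64/$*.rpm
-
-prebuilt/rpms/kernel/%.rpm:
-@echo "Downloading $*"
-@mkdir -p $(@D)
-@curl -fsSL -o $@ https://cdn.confidential.cloud/constellation/kernel/6.1.46-100.constellation/$*.rpm
-
-mkosi.output.%/fedora~38/image.raw: inject-bins inject-certs
-rm -rf .csp/
-mkdir -p .csp/
-$(eval csp := $(firstword $(subst _, ,$*)))
-$(eval attestation_variant := $(lastword $(subst _, ,$*)))
-touch .csp/$(csp)
-mkosi \
---image-version=$(IMAGE_VERSION) \
-$(AUTOLOGIN_ARGS) \
---environment=INSTALL_DEBUGD \
---environment=CONSOLE_MOTD \
---kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
---kernel-command-line="constel.attestation-variant=$(attestation_variant)" \
---kernel-command-line="constel.csp=$(csp)" \
---output-dir=mkosi.output.$* \
-$(SEARCH_PATHS_PARAM) \
-build
-secure-boot/signed-shim.sh $@
-@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
-chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
-fi
-rm -rf .csp/
-@echo "Image is ready: $@"
-
-inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILD_RPMS_KERNEL)
-mkdir -p $(MKOSI_EXTRA)/usr/bin
-mkdir -p $(MKOSI_EXTRA)/usr/sbin
-cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent
-cp $(DISK_MAPPER_BINARY) $(MKOSI_EXTRA)/usr/sbin/disk-mapper
-cp $(MEASUREMENT_READER_BINARY) $(MKOSI_EXTRA)/usr/sbin/measurement-reader
-if [ "$(DEBUG)" = "true" ]; then \
-cp $(DEBUGD_BINARY) $(MKOSI_EXTRA)/usr/bin/debugd; \
-rm -f $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
-rm -f $(MKOSI_EXTRA)/usr/bin/upgrade-agent; \
-else \
-cp $(BOOTSTRAPPER_BINARY) $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
-rm -f $(MKOSI_EXTRA)/usr/bin/debugd; \
-fi
-
-inject-certs: $(certs)
-# for auto enrollment using systemd-boot (not working yet)
-mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-
-clean-cache:
-rm -rf mkosi.cache/*
-
-clean-%:
-rm -rf .csp/
-mkdir -p .csp/
-touch .csp/$*
-mkosi clean
-rm -rf .csp/
-
-clean:
-rm -rf mkosi.output.*
-rm -rf prebuilt/rpms
-rm -rf $(MKOSI_EXTRA)
-mkdir -p $(MKOSI_EXTRA)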
@ -1,3 +0,0 @@
|
||||
[Content]
|
||||
Packages=
|
||||
ec2-utils
|
@ -1,3 +0,0 @@
|
||||
[Content]
|
||||
Packages=
|
||||
WALinuxAgent-udev
|
@ -1,10 +0,0 @@
|
||||
[Content]
|
||||
Packages=
|
||||
containerd,
|
||||
containernetworking-plugins,
|
||||
iptables-nft,
|
||||
ethtool,
|
||||
socat,
|
||||
iproute-tc,
|
||||
conntrack-tools,
|
||||
podman
|
@ -1,3 +0,0 @@
|
||||
[Content]
|
||||
Packages=
|
||||
nvme-cli
|
@ -1,5 +0,0 @@
|
||||
[Match]
|
||||
PathExists=../.csp/aws
|
||||
|
||||
[Output]
|
||||
KernelCommandLine=mitigations=auto idle=poll
|
@ -1,5 +0,0 @@
|
||||
[Match]
|
||||
PathExists=../.csp/azure
|
||||
|
||||
[Output]
|
||||
KernelCommandLine=mitigations=auto,nosmt
|
@ -1,32 +0,0 @@
|
||||
[Distribution]
|
||||
Distribution=fedora
|
||||
Release=38
|
||||
|
||||
[Output]
|
||||
Format=disk
|
||||
ManifestFormat=json,changelog
|
||||
Bootable=yes
|
||||
KernelCommandLine=preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0
|
||||
SplitArtifacts=yes
|
||||
# Enable Secure Boot with own PKI
|
||||
SecureBoot=yes
|
||||
SecureBootKey=pki/db.key
|
||||
SecureBootCertificate=pki/db.crt
|
||||
# TODO(malt3): Wait for systemd 252 to bring systemd-measure
|
||||
# Measure=yes
|
||||
ImageId=constellation
|
||||
Output=image.raw
|
||||
|
||||
[Content]
|
||||
Packages=prebuilt/rpms/kernel/kernel-6.1.46-100.constellation.fc38.x86_64.rpm
|
||||
prebuilt/rpms/kernel/kernel-core-6.1.46-100.constellation.fc38.x86_64.rpm
|
||||
prebuilt/rpms/kernel/kernel-modules-6.1.46-100.constellation.fc38.x86_64.rpm
|
||||
prebuilt/rpms/kernel/kernel-modules-core-6.1.46-100.constellation.fc38.x86_64.rpm
|
||||
prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm
|
||||
prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm
|
||||
prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm
|
||||
prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm
|
||||
prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm
|
||||
prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm
|
||||
dracut
|
||||
util-linux
|
@ -1,5 +0,0 @@
|
||||
[Match]
|
||||
PathExists=../.csp/gcp
|
||||
|
||||
[Output]
|
||||
KernelCommandLine=mitigations=auto,nosmt
|
@ -1,9 +0,0 @@
|
||||
[Match]
|
||||
PathExists=../.csp/openstack
|
||||
|
||||
[Output]
|
||||
KernelCommandLine=mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0 mitigations=auto,nosmt
|
||||
|
||||
[Content]
|
||||
Autologin=yes
|
||||
Environment=CONSOLE_MOTD=true
|
@ -1,9 +0,0 @@
|
||||
[Match]
|
||||
PathExists=../.csp/qemu
|
||||
|
||||
[Content]
|
||||
Autologin=yes
|
||||
Environment=CONSOLE_MOTD=true
|
||||
|
||||
[Output]
|
||||
KernelCommandLine=mitigations=auto,nosmt
|
@ -1,8 +0,0 @@
|
||||
[Content]
|
||||
Packages=
|
||||
iproute,
|
||||
dbus-broker,
|
||||
systemd-networkd,
|
||||
systemd-resolved,
|
||||
dracut-network,
|
||||
dhclient, # prevent NetworkManager from being pulled in by dracut-network
|
@ -1,7 +0,0 @@
|
||||
[Content]
|
||||
# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
|
||||
Packages=
|
||||
e2fsprogs,
|
||||
sbsigntools,
|
||||
efitools,
|
||||
mokutil,
|
@ -1,8 +0,0 @@
|
||||
[Output]
|
||||
# set selinux to permissive
|
||||
KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
|
||||
|
||||
[Content]
|
||||
# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
|
||||
Packages=selinux-policy,
|
||||
selinux-policy-targeted,
|
@ -1,8 +0,0 @@
|
||||
[Content]
|
||||
Packages=
|
||||
passwd,
|
||||
nano,
|
||||
nano-default-editor,
|
||||
vim,
|
||||
curl,
|
||||
wget
|
@ -1,9 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
set -euxo pipefail
|
||||
|
||||
# cleanup dracut generation files (disk-mapper) to save space
|
||||
rm -rf "${BUILDROOT}/usr/lib/dracut/modules.d/39constellation-mount/"
|
@ -1,36 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euxo pipefail
|
||||
|
||||
# This will work in sd-boot 251 to auto-enroll secure boot keys.
|
||||
# https://www.freedesktop.org/software/systemd/man/systemd-boot.html
|
||||
# > CHANGES WITH 252 in spe:
|
||||
# > [...]
|
||||
# > * sd-boot can automatically enroll SecureBoot keys from files found on
|
||||
# > the ESP. This enrollment can be either automatic ('force' mode) or
|
||||
# > controlled by the user ('manual' mode).
|
||||
# > [...]
|
||||
#
|
||||
# echo "secure-boot-enroll force" >> /boot/loader/loader.conf
|
||||
|
||||
# create mountpoints in /etc
|
||||
mkdir -p /etc/{cni,kubernetes}
|
||||
|
||||
# move issue files away from /etc
|
||||
# to allow /run/issue and /run/issue.d to take precedence
|
||||
mv /etc/issue.d /usr/lib/issue.d || true
|
||||
rm -f /etc/issue
|
||||
rm -f /etc/issue.net
|
||||
|
||||
# add motd for constellation console access
|
||||
if [[ ${CONSOLE_MOTD:-false} == "true" ]]; then
|
||||
cat << EOF > /usr/lib/motd.d/10-constellation-console-access.motd
|
||||
~ Welcome to Constellation! ~
|
||||
Usually, on release versions of Constellation running in the cloud, you are not able to login through the serial console.
|
||||
This shell access is specifically granted for debug images and MiniConstellation to allow users to research the environment Constellation runs in.
|
||||
Have fun! Feel free to report any issues to GitHub or security@edgeless.systems (for security vulnerabilities only).
|
||||
EOF
|
||||
fi
|
||||
|
||||
# update /etc/os-release
|
||||
echo "IMAGE_ID=\"${IMAGE_ID}\"" >> /etc/os-release
|
||||
echo "IMAGE_VERSION=\"${IMAGE_VERSION}\"" >> /etc/os-release
|
@ -1,33 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euxo pipefail
|
||||
|
||||
# set selinux to permissive
|
||||
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
|
||||
|
||||
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
|
||||
sed -i 's/WantedBy=multi-user.target/WantedBy=basic.target/' /usr/lib/systemd/system/systemd-resolved.service
|
||||
|
||||
# write + enable debugd.service if INSTALL_DEBUGD is set
|
||||
if [[ ${INSTALL_DEBUGD:-false} == "true" ]]; then
|
||||
cat << EOF > /usr/lib/systemd/system/debugd.service
|
||||
[Unit]
|
||||
Description=Constellation Debug Daemon
|
||||
Wants=network-online.target
|
||||
After=network-online.target configure-constel-csp.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
RemainAfterExit=yes
|
||||
Restart=on-failure
|
||||
EnvironmentFile=/run/constellation.env
|
||||
Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
|
||||
ExecStart=/usr/bin/debugd
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
echo "enable debugd.service" > /usr/lib/systemd/system-preset/31-constellation-debug.preset
|
||||
systemctl enable debugd.service
|
||||
# ensure constellation-bootstrapper.service uses downloaded binaries on reboots
|
||||
sed -i 's#ExecStart=.*#ExecStart=/run/state/bin/bootstrapper#' /usr/lib/systemd/system/constellation-bootstrapper.service
|
||||
fi
|
@ -1,6 +0,0 @@
|
||||
[Partition]
|
||||
Type=esp
|
||||
Format=vfat
|
||||
CopyFiles=/boot:/
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=512M
|
@ -1,7 +0,0 @@
|
||||
[Partition]
|
||||
Type=root
|
||||
Format=squashfs
|
||||
Verity=data
|
||||
VerityMatchKey=root
|
||||
CopyFiles=/
|
||||
Minimize=guess
|
@ -1,6 +0,0 @@
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
Verity=hash
|
||||
VerityMatchKey=root
|
||||
SizeMinBytes=64M
|
||||
SizeMaxBytes=64M
|
@ -1,39 +0,0 @@
|
||||
[amzn2-core]
|
||||
name=Amazon Linux 2 core repository
|
||||
#mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/$basearch/mirror.list
|
||||
mirrorlist=https://amazonlinux-2-repos-us-east-2.s3.dualstack.us-east-2.amazonaws.com/2/core/latest/x86_64/mirror.list
|
||||
priority=10
|
||||
gpgcheck=1
|
||||
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
|
||||
gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
|
||||
enabled=1
|
||||
metadata_expire=300
|
||||
mirrorlist_expire=300
|
||||
report_instanceid=yes
|
||||
includepkgs=ec2-utils
|
||||
|
||||
# [amzn2-core-source]
|
||||
# name=Amazon Linux 2 core repository - source packages
|
||||
# mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/SRPMS/mirror.list
|
||||
# priority=10
|
||||
# gpgcheck=1
|
||||
# #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
|
||||
# gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
|
||||
# enabled=0
|
||||
# metadata_expire=300
|
||||
# mirrorlist_expire=300
|
||||
# report_instanceid=yes
|
||||
# includepkgs=ec2-utils
|
||||
|
||||
# [amzn2-core-debuginfo]
|
||||
# name=Amazon Linux 2 core repository - debuginfo packages
|
||||
# mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/debuginfo/$basearch/mirror.list
|
||||
# priority=10
|
||||
# gpgcheck=1
|
||||
# #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
|
||||
# gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
|
||||
# enabled=0
|
||||
# metadata_expire=300
|
||||
# mirrorlist_expire=300
|
||||
# report_instanceid=yes
|
||||
# includepkgs=ec2-utils
|
@ -1 +0,0 @@
|
||||
runtime-endpoint: "unix:///run/containerd/containerd.sock"
|
@ -1,5 +0,0 @@
|
||||
# enable networking in initrd (initramfs) with dracut and systemd-networkd
|
||||
install_items+=" /usr/lib/systemd/network/20-wired.network "
|
||||
install_items+=" /usr/lib/systemd/network/21-azure.network "
|
||||
# see https://github.com/dracutdevs/dracut/tree/master/modules.d for a list of modules
|
||||
add_dracutmodules+=" systemd-networkd systemd-resolved "
|
@ -1,2 +0,0 @@
|
||||
# add Amazon ena driver to the list of drivers to be loaded
|
||||
force_drivers+=" ena "
|
@ -1,3 +0,0 @@
|
||||
# add hyperv drivers to initramfs
|
||||
# (important for early networking)
|
||||
force_drivers+=" hv_netvsc hv_sock hv_storvsc hv_vmbus "
|
@ -1,2 +0,0 @@
|
||||
# Include NVMe driver in initrd to boot on NVMe devices.
|
||||
force_drivers+=" nvme "
|
@ -1,5 +0,0 @@
|
||||
/dev/mapper/state /run/state ext4 defaults,x-systemd.makefs,x-mount.mkdir 0 0
|
||||
/run/state/var /var none defaults,bind,x-mount.mkdir 0 0
|
||||
/run/state/kubernetes /etc/kubernetes none defaults,bind,x-mount.mkdir 0 0
|
||||
/run/state/etccni /etc/cni/ none defaults,bind,x-mount.mkdir 0 0
|
||||
/run/state/opt /opt none defaults,bind,x-mount.mkdir 0 0
|
@ -1,11 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
# Note: This script is sourced.
|
||||
|
||||
export TERM=linux
|
||||
export PATH=/run/state/bin:${PATH}
|
||||
export KUBECONFIG=/etc/kubernetes/admin.conf
|
||||
alias k=kubectl
|
@ -1,216 +0,0 @@
|
||||
disabled_plugins = []
|
||||
imports = []
|
||||
oom_score = 0
|
||||
plugin_dir = ""
|
||||
required_plugins = []
|
||||
root = "/var/lib/containerd"
|
||||
state = "/run/containerd"
|
||||
version = 2
|
||||
|
||||
[cgroup]
|
||||
path = ""
|
||||
|
||||
[debug]
|
||||
address = ""
|
||||
format = ""
|
||||
gid = 0
|
||||
level = ""
|
||||
uid = 0
|
||||
|
||||
[grpc]
|
||||
address = "/run/containerd/containerd.sock"
|
||||
gid = 0
|
||||
max_recv_message_size = 16777216
|
||||
max_send_message_size = 16777216
|
||||
tcp_address = ""
|
||||
tcp_tls_cert = ""
|
||||
tcp_tls_key = ""
|
||||
uid = 0
|
||||
|
||||
[metrics]
|
||||
address = ""
|
||||
grpc_histogram = false
|
||||
|
||||
[plugins]
|
||||
|
||||
[plugins."io.containerd.gc.v1.scheduler"]
|
||||
deletion_threshold = 0
|
||||
mutation_threshold = 100
|
||||
pause_threshold = 0.02
|
||||
schedule_delay = "0s"
|
||||
startup_delay = "100ms"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri"]
|
||||
disable_apparmor = false
|
||||
disable_cgroup = false
|
||||
disable_hugetlb_controller = true
|
||||
disable_proc_mount = false
|
||||
disable_tcp_service = true
|
||||
enable_selinux = false
|
||||
enable_tls_streaming = false
|
||||
ignore_image_defined_volumes = false
|
||||
max_concurrent_downloads = 3
|
||||
max_container_log_line_size = 16384
|
||||
netns_mounts_under_state_dir = false
|
||||
restrict_oom_score_adj = false
|
||||
sandbox_image = "registry.k8s.io/pause:3.9@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097"
|
||||
selinux_category_range = 1024
|
||||
stats_collect_period = 10
|
||||
stream_idle_timeout = "4h0m0s"
|
||||
stream_server_address = "127.0.0.1"
|
||||
stream_server_port = "0"
|
||||
systemd_cgroup = false
|
||||
tolerate_missing_hugetlb_controller = true
|
||||
unset_seccomp_profile = ""
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".cni]
|
||||
bin_dir = "/opt/cni/bin"
|
||||
conf_dir = "/etc/cni/net.d"
|
||||
conf_template = ""
|
||||
max_conf_num = 1
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd]
|
||||
default_runtime_name = "runc"
|
||||
disable_snapshot_annotations = true
|
||||
discard_unpacked_layers = false
|
||||
no_pivot = false
|
||||
snapshotter = "overlayfs"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
|
||||
base_runtime_spec = ""
|
||||
container_annotations = []
|
||||
pod_annotations = []
|
||||
privileged_without_host_devices = false
|
||||
runtime_engine = ""
|
||||
runtime_root = ""
|
||||
runtime_type = ""
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
|
||||
base_runtime_spec = ""
|
||||
container_annotations = []
|
||||
pod_annotations = []
|
||||
privileged_without_host_devices = false
|
||||
runtime_engine = ""
|
||||
runtime_root = ""
|
||||
runtime_type = "io.containerd.runc.v2"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
|
||||
BinaryName = ""
|
||||
CriuImagePath = ""
|
||||
CriuPath = ""
|
||||
CriuWorkPath = ""
|
||||
IoGid = 0
|
||||
IoUid = 0
|
||||
NoNewKeyring = false
|
||||
NoPivotRoot = false
|
||||
Root = ""
|
||||
ShimCgroup = ""
|
||||
SystemdCgroup = true
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
|
||||
base_runtime_spec = ""
|
||||
container_annotations = []
|
||||
pod_annotations = []
|
||||
privileged_without_host_devices = false
|
||||
runtime_engine = ""
|
||||
runtime_root = ""
|
||||
runtime_type = ""
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".image_decryption]
|
||||
key_model = "node"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry]
|
||||
config_path = ""
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.auths]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.headers]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
|
||||
tls_cert_file = ""
|
||||
tls_key_file = ""
|
||||
|
||||
[plugins."io.containerd.internal.v1.opt"]
|
||||
path = "/opt/containerd"
|
||||
|
||||
[plugins."io.containerd.internal.v1.restart"]
|
||||
interval = "10s"
|
||||
|
||||
[plugins."io.containerd.metadata.v1.bolt"]
|
||||
content_sharing_policy = "shared"
|
||||
|
||||
[plugins."io.containerd.monitor.v1.cgroups"]
|
||||
no_prometheus = false
|
||||
|
||||
[plugins."io.containerd.runtime.v1.linux"]
|
||||
no_shim = false
|
||||
runtime = "runc"
|
||||
runtime_root = ""
|
||||
shim = "containerd-shim"
|
||||
shim_debug = false
|
||||
|
||||
[plugins."io.containerd.runtime.v2.task"]
|
||||
platforms = ["linux/amd64"]
|
||||
|
||||
[plugins."io.containerd.service.v1.diff-service"]
|
||||
default = ["walking"]
|
||||
|
||||
[plugins."io.containerd.snapshotter.v1.aufs"]
|
||||
root_path = ""
|
||||
|
||||
[plugins."io.containerd.snapshotter.v1.btrfs"]
|
||||
root_path = ""
|
||||
|
||||
[plugins."io.containerd.snapshotter.v1.devmapper"]
|
||||
async_remove = false
|
||||
base_image_size = ""
|
||||
pool_name = ""
|
||||
root_path = ""
|
||||
|
||||
[plugins."io.containerd.snapshotter.v1.native"]
|
||||
root_path = ""
|
||||
|
||||
[plugins."io.containerd.snapshotter.v1.overlayfs"]
|
||||
root_path = ""
|
||||
|
||||
[plugins."io.containerd.snapshotter.v1.zfs"]
|
||||
root_path = ""
|
||||
|
||||
[proxy_plugins]
|
||||
|
||||
[stream_processors]
|
||||
|
||||
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
|
||||
accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
|
||||
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
|
||||
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
|
||||
path = "ctd-decoder"
|
||||
returns = "application/vnd.oci.image.layer.v1.tar"
|
||||
|
||||
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
|
||||
accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
|
||||
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
|
||||
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
|
||||
path = "ctd-decoder"
|
||||
returns = "application/vnd.oci.image.layer.v1.tar+gzip"
|
||||
|
||||
[timeouts]
|
||||
"io.containerd.timeout.shim.cleanup" = "5s"
|
||||
"io.containerd.timeout.shim.load" = "5s"
|
||||
"io.containerd.timeout.shim.shutdown" = "3s"
|
||||
"io.containerd.timeout.task.state" = "2s"
|
||||
|
||||
[ttrpc]
|
||||
address = ""
|
||||
gid = 0
|
||||
uid = 0
|
@ -1,2 +0,0 @@
|
||||
[network]
|
||||
network_config_dir = "/run/containers/networks"
|
@ -1 +0,0 @@
|
||||
unqualified-search-registries = ["docker.io"]
|
@ -1,13 +0,0 @@
|
||||
[Unit]
|
||||
Description=Azure Provisioning
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
ConditionKernelCommandLine=constel.csp=azure
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/azure-provisioning
|
||||
RemainAfterExit=yes
|
||||
StandardOutput=tty
|
||||
StandardInput=tty
|
||||
StandardError=tty
|
@ -1,64 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# source https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
attempts=1
|
||||
until [[ ${attempts} -gt 5 ]]; do
|
||||
echo "obtaining goal state - attempt ${attempts}"
|
||||
goalstate=$(curl --fail -v -X 'GET' -H "x-ms-agent-name: azure-vm-register" \
|
||||
-H "Content-Type: text/xml;charset=utf-8" \
|
||||
-H "x-ms-version: 2012-11-30" \
|
||||
"http://168.63.129.16/machine/?comp=goalstate")
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "successfully retrieved goal state"
|
||||
retrieved_goal_state=true
|
||||
break
|
||||
fi
|
||||
sleep 5
|
||||
attempts=$((attempts + 1))
|
||||
done
|
||||
|
||||
if [[ ${retrieved_goal_state} != "true" ]]; then
|
||||
echo "failed to obtain goal state - cannot register this VM"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
container_id=$(grep ContainerId <<< "${goalstate}" | sed 's/\s*<\/*ContainerId>//g' | sed 's/\r$//')
|
||||
instance_id=$(grep InstanceId <<< "${goalstate}" | sed 's/\s*<\/*InstanceId>//g' | sed 's/\r$//')
|
||||
|
||||
ready_doc=$(
|
||||
cat << EOF
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Health xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
|
||||
<GoalStateIncarnation>1</GoalStateIncarnation>
|
||||
<Container>
|
||||
<ContainerId>${container_id}</ContainerId>
|
||||
<RoleInstanceList>
|
||||
<Role>
|
||||
<InstanceId>${instance_id}</InstanceId>
|
||||
<Health>
|
||||
<State>Ready</State>
|
||||
</Health>
|
||||
</Role>
|
||||
</RoleInstanceList>
|
||||
</Container>
|
||||
</Health>
|
||||
EOF
|
||||
)
|
||||
|
||||
attempts=1
|
||||
until [[ ${attempts} -gt 5 ]]; do
|
||||
echo "registering with Azure - attempt ${attempts}"
|
||||
curl --fail -v -X 'POST' -H "x-ms-agent-name: azure-vm-register" \
|
||||
-H "Content-Type: text/xml;charset=utf-8" \
|
||||
-H "x-ms-version: 2012-11-30" \
|
||||
-d "${ready_doc}" \
|
||||
"http://168.63.129.16/machine?comp=health"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "successfully register with Azure"
|
||||
break
|
||||
fi
|
||||
sleep 5 # sleep to prevent throttling from wire server
|
||||
done
|
@ -1,34 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
# Note: This script is sourced.
|
||||
|
||||
depends() {
|
||||
echo systemd
|
||||
}
|
||||
|
||||
install_and_enable_unit() {
|
||||
unit="$1"
|
||||
shift
|
||||
target="$1"
|
||||
shift
|
||||
inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
|
||||
mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
|
||||
ln_r "${systemdsystemunitdir}/${unit}" \
|
||||
"${systemdsystemconfdir}/${target}.wants/${unit}"
|
||||
}
|
||||
|
||||
install() {
|
||||
inst_multiple \
|
||||
bash \
|
||||
curl \
|
||||
grep \
|
||||
sed
|
||||
|
||||
inst_script "${moddir}/azure-provisioning.sh" \
|
||||
"/usr/local/bin/azure-provisioning"
|
||||
install_and_enable_unit "azure-provisioning.service" \
|
||||
"basic.target"
|
||||
}
|
@ -1,15 +0,0 @@
|
||||
[Unit]
|
||||
Description=Force symlink creation for AWS nvme disks
|
||||
Before=prepare-state-disk.service
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
ConditionKernelCommandLine=constel.csp=aws
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/bash /usr/sbin/aws-nvme-disk
|
||||
RemainAfterExit=yes
|
||||
StandardOutput=tty
|
||||
StandardInput=tty
|
||||
StandardError=tty
|
||||
TimeoutSec=infinity
|
@ -1,28 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s extglob nullglob inherit_errexit
|
||||
|
||||
AWS_STATE_DISK_DEVICENAME="sdb"
|
||||
AWS_STATE_DISK_SYMLINK="/dev/${AWS_STATE_DISK_DEVICENAME}"
|
||||
|
||||
# hack: aws nvme udev rules are never executed. Create symlinks for the nvme devices manually.
|
||||
while [[ ! -L ${AWS_STATE_DISK_SYMLINK} ]]; do
|
||||
for nvmedisk in /dev/nvme*n1; do
|
||||
linkname=$(nvme amzn id-ctrl -b "${nvmedisk}" | tail -c +3073 | head -c 32 | tr -d ' ') || true
|
||||
if [[ -n ${linkname} ]] && [[ ${linkname} == "${AWS_STATE_DISK_DEVICENAME}" ]]; then
|
||||
ln -s "${nvmedisk}" "${AWS_STATE_DISK_SYMLINK}"
|
||||
fi
|
||||
done
|
||||
if [[ -L ${AWS_STATE_DISK_SYMLINK} ]]; then
|
||||
break
|
||||
fi
|
||||
echo "Waiting for state disk to appear.."
|
||||
sleep 2
|
||||
done
|
||||
|
||||
echo "AWS state disk found"
|
||||
echo "${AWS_STATE_DISK_SYMLINK}" → "$(readlink -f "${AWS_STATE_DISK_SYMLINK}")"
|
@ -1 +0,0 @@
|
||||
../../../systemd/system/configure-constel-csp.service
|
@ -1,94 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
# Note: This script is sourced.
|
||||
|
||||
depends() {
|
||||
# systemd-network-management expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
|
||||
echo dracut-systemd systemd-network-management systemd-veritysetup systemd-udevd
|
||||
return 0
|
||||
}
|
||||
|
||||
install_and_enable_unit() {
|
||||
unit="$1"
|
||||
shift
|
||||
target="$1"
|
||||
shift
|
||||
inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
|
||||
mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
|
||||
ln_r "${systemdsystemunitdir}/${unit}" \
|
||||
"${systemdsystemconfdir}/${target}.wants/${unit}"
|
||||
}
|
||||
|
||||
install_path() {
|
||||
local dir="$1"
|
||||
shift
|
||||
mkdir -p "${initdir}/${dir}"
|
||||
}
|
||||
|
||||
install() {
|
||||
inst_multiple \
|
||||
bash
|
||||
inst_script "/usr/sbin/disk-mapper" \
|
||||
"/usr/sbin/disk-mapper"
|
||||
|
||||
inst_script "${moddir}/prepare-state-disk.sh" \
|
||||
"/usr/sbin/prepare-state-disk"
|
||||
install_and_enable_unit "prepare-state-disk.service" \
|
||||
"basic.target"
|
||||
install_and_enable_unit "configure-constel-csp.service" \
|
||||
"basic.target"
|
||||
|
||||
# aws nvme disks
|
||||
inst_multiple \
|
||||
tail \
|
||||
tr \
|
||||
head
|
||||
|
||||
# azure scsi disks
|
||||
inst_multiple \
|
||||
cut \
|
||||
readlink
|
||||
|
||||
# gcp nvme disks
|
||||
inst_multiple \
|
||||
date \
|
||||
xxd \
|
||||
grep \
|
||||
sed \
|
||||
ln \
|
||||
command \
|
||||
readlink
|
||||
|
||||
inst_script "/usr/sbin/nvme" \
|
||||
"/usr/sbin/nvme"
|
||||
inst_script "/usr/lib/udev/google_nvme_id" \
|
||||
"/usr/lib/udev/google_nvme_id"
|
||||
inst_rules "64-gce-disk-removal.rules" "65-gce-disk-naming.rules"
|
||||
|
||||
inst_script "${moddir}/aws-nvme-disk.sh" \
|
||||
"/usr/sbin/aws-nvme-disk"
|
||||
install_and_enable_unit "aws-nvme-disk.service" \
|
||||
"basic.target"
|
||||
|
||||
# TLS / CA store in initramfs
|
||||
install_path /etc/pki/tls/certs/
|
||||
inst_simple /etc/pki/tls/certs/ca-bundle.crt \
|
||||
/etc/pki/tls/certs/ca-bundle.crt
|
||||
|
||||
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
|
||||
inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf"
|
||||
# force systemd-networkd in initrd
|
||||
install_and_enable_unit "systemd-networkd.service" \
|
||||
"basic.target"
|
||||
# shellcheck disable=SC2154
|
||||
inst_multiple -o \
|
||||
"${tmpfilesdir}"/systemd-network.conf \
|
||||
"${systemdnetwork}"/80-6rd-tunnel.network \
|
||||
"${systemdnetwork}"/80-container-vb.network \
|
||||
"${systemdsystemunitdir}"/systemd-networkd-wait-online@.service
|
||||
inst_simple /usr/lib/systemd/resolved.conf.d/fallback_dns.conf \
|
||||
/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
|
||||
}
|
@ -1,18 +0,0 @@
|
||||
[Unit]
|
||||
Description=Prepare encrypted state disk
|
||||
Before=initrd-fs.target
|
||||
After=network-online.target nss-lookup.target configure-constel-csp.service
|
||||
Wants=network-online.target
|
||||
Requires=initrd-root-fs.target
|
||||
FailureAction=reboot-immediate
|
||||
After=export_constellation_debug.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/run/constellation.env
|
||||
ExecStart=/bin/bash /usr/sbin/prepare-state-disk $CONSTELLATION_DEBUG_FLAGS
|
||||
RemainAfterExit=yes
|
||||
StandardOutput=tty
|
||||
StandardInput=tty
|
||||
StandardError=tty
|
||||
TimeoutSec=infinity
|
@ -1,33 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
# parsing of the command line arguments. check if argv[1] is --debug
|
||||
verbosity=0
|
||||
if [[ $# -gt 0 ]]; then
|
||||
if [[ $1 == "--debug" ]]; then
|
||||
verbosity=-1
|
||||
echo "[Constellation] Debug mode enabled"
|
||||
else
|
||||
echo "[Constellation] Unknown argument: $1"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "[Constellation] Debug mode disabled"
|
||||
fi
|
||||
|
||||
# Prepare the encrypted volume by either initializing it with a random key or by aquiring the key from another bootstrapper.
|
||||
# Store encryption key (random or recovered key) in /run/cryptsetup-keys.d/state.key
|
||||
disk-mapper \
|
||||
-csp "${CONSTEL_CSP}" \
|
||||
-v "${verbosity}"
|
||||
|
||||
if [[ $? -ne 0 ]]; then
|
||||
echo "Failed to prepare state disk"
|
||||
sleep 2 # give the serial console time to print the error message
|
||||
exit $? # exit with the same error code as disk-mapper
|
||||
fi
|
@ -1,3 +0,0 @@
|
||||
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
|
||||
[Unit]
|
||||
ConditionNeedsUpdate=
|
@ -1,2 +0,0 @@
|
||||
PATH=/run/state/bin:$PATH
|
||||
KUBECONFIG=/etc/kubernetes/admin.conf
|
@ -1 +0,0 @@
|
||||
\S{IMAGE_ID} \S{IMAGE_VERSION}
|
@ -1,2 +0,0 @@
|
||||
overlay
|
||||
br_netfilter
|
@ -1,3 +0,0 @@
|
||||
# See https://github.com/cilium/cilium/issues/10645
|
||||
net.ipv4.conf.lxc*.rp_filter = 0
|
||||
net.ipv4.conf.cilium_*.rp_filter = 0
|
@ -1,9 +0,0 @@
|
||||
net.bridge.bridge-nf-call-ip6tables = 1
|
||||
net.bridge.bridge-nf-call-iptables = 1
|
||||
net.ipv4.ip_forward = 1
|
||||
fs.inotify.max_user_instances = 8192
|
||||
fs.inotify.max_user_watches = 524288
|
||||
# kubernetes hardening (protectKernelDefaults=true)
|
||||
vm.overcommit_memory = 1
|
||||
kernel.panic = 10
|
||||
kernel.panic_on_oops = 1
|
@ -1,5 +0,0 @@
|
||||
[Match]
|
||||
Name=en*
|
||||
|
||||
[Network]
|
||||
DHCP=yes
|
@ -1,6 +0,0 @@
|
||||
# Used as a fallback rule for Azure NICs as they are not named with "en*"
|
||||
[Match]
|
||||
Driver=hv_netvsc
|
||||
|
||||
[Network]
|
||||
DHCP=yes
|
@ -1,2 +0,0 @@
|
||||
[Resolve]
|
||||
FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
|
@ -1,11 +0,0 @@
|
||||
enable configure-constel-csp.service
|
||||
enable constellation-upgrade-agent.service
|
||||
enable constellation-bootstrapper.service
|
||||
enable containerd.service
|
||||
enable kubelet.service
|
||||
enable systemd-networkd.service
|
||||
enable systemd-networkd.socket
|
||||
enable systemd-resolved.service
|
||||
enable measurements.service
|
||||
enable export_constellation_debug.service
|
||||
enable systemd-timesyncd
|
@ -1,11 +0,0 @@
|
||||
[Unit]
|
||||
Description=Configures constellation cloud service provider environment variable
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/bash -c "CSP=$(< /proc/cmdline tr ' ' '\n' | grep constel.csp | sed 's/constel.csp=//'); echo CONSTEL_CSP=$CSP >> /run/constellation.env"
|
||||
ExecStart=/bin/bash -c "ATTESTATION=$(< /proc/cmdline tr ' ' '\n' | grep constel.attestation-variant | sed 's/constel.attestation-variant=//'); echo CONSTEL_ATTESTATION_VARIANT=$ATTESTATION >> /run/constellation.env"
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,16 +0,0 @@
|
||||
[Unit]
|
||||
Description=Constellation Bootstrapper
|
||||
Wants=network-online.target
|
||||
After=network-online.target configure-constel-csp.service
|
||||
After=export_constellation_debug.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
RemainAfterExit=yes
|
||||
Restart=on-failure
|
||||
EnvironmentFile=/run/constellation.env
|
||||
Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
|
||||
ExecStart=/usr/bin/bootstrapper $CONSTELLATION_DEBUG_FLAGS
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,14 +0,0 @@
|
||||
[Unit]
|
||||
Description=Constellation Upgrade Agent
|
||||
After=export_constellation_debug.service
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
RemainAfterExit=yes
|
||||
Restart=on-failure
|
||||
EnvironmentFile=/run/constellation.env
|
||||
Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
|
||||
ExecStart=/usr/bin/upgrade-agent $CONSTELLATION_DEBUG_FLAGS
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,3 +0,0 @@
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/containerd --config /usr/etc/containerd/config.toml
|
@ -1,10 +0,0 @@
|
||||
[Unit]
|
||||
Description=Export Constellation Debug Level to Environment
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/bash -c "tr ' ' '\n' < /proc/cmdline | grep -q 'constellation.debug' && echo CONSTELLATION_DEBUG_FLAGS=--debug >> /run/constellation.env"
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,21 +0,0 @@
|
||||
[Unit]
|
||||
Description=kubelet: The Kubernetes Node Agent
|
||||
Documentation=https://kubernetes.io/docs/home/
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
|
||||
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
|
||||
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
|
||||
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
|
||||
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
|
||||
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
|
||||
EnvironmentFile=-/etc/default/kubelet
|
||||
ExecStart=/run/state/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
|
||||
Restart=always
|
||||
StartLimitInterval=0
|
||||
RestartSec=10
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,12 +0,0 @@
|
||||
[Unit]
|
||||
Description=Print image measurements on startup
|
||||
Before=constellation-bootstrapper.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
EnvironmentFile=/run/constellation.env
|
||||
ExecStart=/usr/libexec/constellation-pcrs
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1 +0,0 @@
|
||||
FallbackNTP=time.google.com time.cloudflare.com time.windows.com time.apple.com time.nist.gov europe.pool.ntp.org 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org 3.rhel.pool.ntp.org
|
@ -1,2 +0,0 @@
|
||||
#Type Name ID GECOS Home directory Shell
|
||||
u etcd 998:997 "etcd user" /var/lib/etcd
|
@ -1,10 +0,0 @@
|
||||
#Type Path Mode User Group Age Argument
|
||||
d /var/lib/etcd 0700 998 997 - -
|
||||
d /var/log/kubernetes/audit/ 0700 0 0 - -
|
||||
d /run/state/bin 0755 0 0 - -
|
||||
C /run/issue.d - - - - /usr/lib/issue.d/
|
||||
C /run/issue - - - - /usr/lib/issue
|
||||
C /run/motd.d - - - - /usr/lib/motd.d/
|
||||
C /run/motd - - - - /usr/lib/motd
|
||||
# merge all CNI binaries in writable folder until containerd can use multiple CNI bins: https://github.com/containerd/containerd/issues/6600
|
||||
C /opt/cni/bin - - - - /usr/libexec/cni/
|
@ -1,248 +0,0 @@
|
||||
#!/bin/bash
|
||||
# Copyright 2020 Google Inc. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Used to generate symlinks for PD-NVMe devices using the disk names reported by
|
||||
# the metadata server
|
||||
|
||||
# Locations of the script's dependencies
|
||||
readonly nvme_cli_bin=/usr/sbin/nvme
|
||||
|
||||
# Bash regex to parse device paths and controller identification
|
||||
readonly NAMESPACE_NUMBER_REGEX="/dev/nvme[[:digit:]]+n([[:digit:]]+).*"
|
||||
readonly PARTITION_NUMBER_REGEX="/dev/nvme[[:digit:]]+n[[:digit:]]+p([[:digit:]]+)"
|
||||
|
||||
# Globals used to generate the symlinks for a PD-NVMe disk. These are populated
|
||||
# by the identify_pd_disk function and exported for consumption by udev rules.
|
||||
ID_SERIAL=''
|
||||
ID_SERIAL_SHORT=''
|
||||
|
||||
#######################################
|
||||
# Helper function to log an error message to stderr.
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# String to print as the log message
|
||||
# Outputs:
|
||||
# Writes error to STDERR
|
||||
#######################################
|
||||
function err() {
|
||||
echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')]: $*" >&2
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Retrieves the device name for an NVMe namespace using nvme-cli.
|
||||
# Globals:
|
||||
# Uses nvme_cli_bin
|
||||
# Arguments:
|
||||
# The path to the nvme namespace (/dev/nvme0n?)
|
||||
# Outputs:
|
||||
# The device name parsed from the JSON in the vendor ext of the ns-id command.
|
||||
# Returns:
|
||||
# 0 if the device name for the namespace could be retrieved, 1 otherwise
|
||||
#######################################
|
||||
function get_namespace_device_name() {
|
||||
local nvme_json
|
||||
nvme_json="$("${nvme_cli_bin}" id-ns -b "$1" | xxd -p -seek 384 | xxd -p -r)"
|
||||
if [[ $? -ne 0 ]]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [[ -z ${nvme_json} ]]; then
|
||||
err "NVMe Vendor Extension disk information not present"
|
||||
return 1
|
||||
fi
|
||||
|
||||
local device_name
|
||||
device_name="$(echo "${nvme_json}" | grep device_name | sed -e 's/.*"device_name":[ \t]*"\([a-zA-Z0-9_-]\+\)".*/\1/')"
|
||||
|
||||
# Error if our device name is empty
|
||||
if [[ -z ${device_name} ]]; then
|
||||
err "Empty name"
|
||||
return 1
|
||||
fi
|
||||
|
||||
echo "${device_name}"
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Retrieves the nsid for an NVMe namespace
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# The path to the nvme namespace (/dev/nvme0n*)
|
||||
# Outputs:
|
||||
# The namespace number/id
|
||||
# Returns:
|
||||
# 0 if the namespace id could be retrieved, 1 otherwise
|
||||
#######################################
|
||||
function get_namespace_number() {
|
||||
local dev_path="$1"
|
||||
local namespace_number
|
||||
if [[ ${dev_path} =~ ${NAMESPACE_NUMBER_REGEX} ]]; then
|
||||
namespace_number="${BASH_REMATCH[1]}"
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
|
||||
echo "${namespace_number}"
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Retrieves the partition number for a device path if it exists
|
||||
# Globals:
|
||||
# None
|
||||
# Arguments:
|
||||
# The path to the device partition (/dev/nvme0n*p*)
|
||||
# Outputs:
|
||||
# The value after 'p' in the device path, or an empty string if the path has
|
||||
# no partition.
|
||||
#######################################
|
||||
function get_partition_number() {
|
||||
local dev_path="$1"
|
||||
local partition_number
|
||||
if [[ ${dev_path} =~ ${PARTITION_NUMBER_REGEX} ]]; then
|
||||
partition_number="${BASH_REMATCH[1]}"
|
||||
echo "${partition_number}"
|
||||
else
|
||||
echo ''
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Generates a symlink for a PD-NVMe device using the metadata's disk name.
|
||||
# Primarily used for testing but can be used if the script is directly invoked.
|
||||
# Globals:
|
||||
# Uses ID_SERIAL_SHORT (can be populated by identify_pd_disk)
|
||||
# Arguments:
|
||||
# The device path for the disk
|
||||
#######################################
|
||||
function gen_symlink() {
|
||||
local dev_path="$1"
|
||||
local partition_number
|
||||
partition_number="$(get_partition_number "${dev_path}")"
|
||||
|
||||
if [[ -n ${partition_number} ]]; then
|
||||
ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}"-part"${partition_number}" > /dev/null 2>&1
|
||||
else
|
||||
ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}" > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Populates the ID_* global variables with a disk's device name and namespace
|
||||
# Globals:
|
||||
# Populates ID_SERIAL_SHORT, and ID_SERIAL
|
||||
# Arguments:
|
||||
# The device path for the disk
|
||||
# Returns:
|
||||
# 0 on success and 1 if an error occurrs
|
||||
#######################################
|
||||
function identify_pd_disk() {
|
||||
local dev_path="$1"
|
||||
local dev_name
|
||||
dev_name="$(get_namespace_device_name "${dev_path}")"
|
||||
if [[ $? -ne 0 ]]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
ID_SERIAL_SHORT="${dev_name}"
|
||||
ID_SERIAL="Google_PersistentDisk_${ID_SERIAL_SHORT}"
|
||||
return 0
|
||||
}
|
||||
|
||||
function print_help_message() {
|
||||
echo "Usage: google_nvme_id [-s] [-h] -d device_path"
|
||||
echo " -d <device_path> (Required): Specifies the path to generate a name"
|
||||
echo " for. This needs to be a path to an nvme device or namespace"
|
||||
echo " -s: Create symbolic link for the disk under /dev/disk/by-id."
|
||||
echo " Otherwise, the disk name will be printed to STDOUT"
|
||||
echo " -h: Print this help message"
|
||||
}
|
||||
|
||||
function main() {
|
||||
local opt_gen_symlink='false'
|
||||
local device_path=''
|
||||
|
||||
while getopts :d:sh flag; do
|
||||
case "${flag}" in
|
||||
d) device_path="${OPTARG}" ;;
|
||||
s) opt_gen_symlink='true' ;;
|
||||
h)
|
||||
print_help_message
|
||||
return 0
|
||||
;;
|
||||
:)
|
||||
echo "Invalid option: ${OPTARG} requires an argument" 1>&2
|
||||
return 1
|
||||
;;
|
||||
*) return 1 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ -z ${device_path} ]]; then
|
||||
echo "Device path (-d) argument required. Use -h for full usage." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Ensure the nvme-cli command is installed
|
||||
command -v "${nvme_cli_bin}" > /dev/null 2>&1
|
||||
if [[ $? -ne 0 ]]; then
|
||||
err "The nvme utility (/usr/sbin/nvme) was not found. You may need to run \
|
||||
with sudo or install nvme-cli."
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Ensure the passed device is actually an NVMe device
|
||||
"${nvme_cli_bin}" id-ctrl "${device_path}" &> /dev/null
|
||||
if [[ $? -ne 0 ]]; then
|
||||
err "Passed device was not an NVMe device. (You may need to run this \
|
||||
script as root/with sudo)."
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Detect the type of attached nvme device
|
||||
local controller_id
|
||||
controller_id=$("${nvme_cli_bin}" id-ctrl "${device_path}")
|
||||
if [[ ! ${controller_id} =~ nvme_card-pd ]]; then
|
||||
err "Device is not a PD-NVMe device"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Fill the global variables for the id command for the given disk type
|
||||
# Error messages will be printed closer to error, no need to reprint here
|
||||
identify_pd_disk "${device_path}"
|
||||
ret=$?
|
||||
if [[ ${ret} -ne 0 ]]; then
|
||||
return "${ret}"
|
||||
fi
|
||||
|
||||
# Gen symlinks or print out the globals set by the identify command
|
||||
if [[ ${opt_gen_symlink} == 'true' ]]; then
|
||||
gen_symlink "${device_path}"
|
||||
else
|
||||
# These will be consumed by udev
|
||||
echo "ID_SERIAL_SHORT=${ID_SERIAL_SHORT}"
|
||||
echo "ID_SERIAL=${ID_SERIAL}"
|
||||
fi
|
||||
|
||||
return $?
|
||||
|
||||
}
|
||||
main "$@"
|
@ -1,17 +0,0 @@
|
||||
# Copyright 2016 Google Inc. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
# When a disk is removed, unmount any remaining attached volumes.
|
||||
|
||||
ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*|vd*|nvme*", RUN+="/bin/sh -c '/bin/umount -fl /dev/$name && /usr/bin/logger -p daemon.warn -s WARNING: hot-removed /dev/$name that was still mounted, data may have been corrupted'"
|
@ -1,37 +0,0 @@
|
||||
# Copyright 2016 Google Inc. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
# Name the attached disks as the specified by deviceName.
|
||||
|
||||
ACTION!="add|change", GOTO="gce_disk_naming_end"
|
||||
SUBSYSTEM!="block", GOTO="gce_disk_naming_end"
|
||||
|
||||
# SCSI naming
|
||||
KERNEL=="sd*|vd*", IMPORT{program}="scsi_id --export --whitelisted -d $tempnode"
|
||||
|
||||
# NVME Local SSD naming
|
||||
KERNEL=="nvme*n*", ATTRS{model}=="nvme_card", PROGRAM="/bin/sh -c 'nsid=$$(echo %k|sed -re s/nvme[0-9]+n\([0-9]+\).\*/\\1/); echo $$((nsid-1))'", ENV{ID_SERIAL_SHORT}="local-nvme-ssd-%c"
|
||||
KERNEL=="nvme*", ATTRS{model}=="nvme_card", ENV{ID_SERIAL}="Google_EphemeralDisk_$env{ID_SERIAL_SHORT}"
|
||||
|
||||
# NVME Persistent Disk IO Timeout
|
||||
KERNEL=="nvme*n*", ENV{DEVTYPE}=="disk", ATTRS{model}=="nvme_card-pd", ATTR{queue/io_timeout}="4294967295"
|
||||
|
||||
# NVME Persistent Disk Naming
|
||||
KERNEL=="nvme*n*", ATTRS{model}=="nvme_card-pd", IMPORT{program}="google_nvme_id -d $tempnode"
|
||||
|
||||
# Symlinks
|
||||
KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}"
|
||||
KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}-part%n"
|
||||
|
||||
LABEL="gce_disk_naming_end"
|
@ -1,4 +0,0 @@
|
||||
# prevent systemd udev rules from marking unformatted device mapper device as unready (SYSTEMD_READY=0)
|
||||
# this is the offending rule from systemd: SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
|
||||
SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-encrypted-disk"
|
||||
SUBSYSTEM=="block", ENV{DM_NAME}=="state", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-state"
|
@ -1,14 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
# This script reads the measurements of the system
|
||||
# and prints the message to the serial console
|
||||
|
||||
main() {
|
||||
pcr_state="$(/usr/sbin/measurement-reader)"
|
||||
echo -e "${pcr_state}\n" > /run/issue.d/35_constellation_pcrs.issue
|
||||
}
|
||||
|
||||
main
|
@ -1,12 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
TMPDIR=$(mktemp -d /tmp/uefivars-XXXXXXXXXXXXXX)
|
||||
git clone --branch v1.0.0 https://github.com/awslabs/python-uefivars "${TMPDIR}"
|
||||
cd "${TMPDIR}" && git reset 9679002a4392d8e7831d2dbda3fab41ccc5c6b8c --hard
|
||||
|
||||
"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P "${PKI}"/PK.esl -K "${PKI}"/KEK.esl --db "${PKI}"/db.esl
|
||||
|
||||
rm -rf "${TMPDIR}"
|
@ -1,76 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
|
||||
# shellcheck source=/dev/null
|
||||
. "${CONFIG_FILE}"
|
||||
fi
|
||||
POSITIONAL_ARGS=()
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
-n | --name)
|
||||
AZURE_VM_NAME="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
-*)
|
||||
echo "Unknown option $1"
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||
shift # past argument
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
|
||||
|
||||
AZ_VM_INFO=$(az vm show --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" -o json)
|
||||
NIC=$(echo "${AZ_VM_INFO}" | jq -r '.networkProfile.networkInterfaces[0].id')
|
||||
NIC_INFO=$(az network nic show --ids "${NIC}" -o json)
|
||||
PUBIP=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].publicIpAddress.id')
|
||||
NSG=$(echo "${NIC_INFO}" | jq -r '.networkSecurityGroup.id')
|
||||
SUBNET=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].subnet.id')
|
||||
VNET=${SUBNET//\/subnets\/.*/}
|
||||
DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id')
|
||||
|
||||
delete_vm() {
|
||||
az vm delete -y --name "${AZURE_VM_NAME}" \
|
||||
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
|
||||
}
|
||||
|
||||
delete_vnet() {
|
||||
az network vnet delete --ids "${VNET}" || true
|
||||
}
|
||||
|
||||
delete_subnet() {
|
||||
az network vnet subnet delete --ids "${SUBNET}" || true
|
||||
}
|
||||
|
||||
delete_nsg() {
|
||||
az network nsg delete --ids "${NSG}" || true
|
||||
}
|
||||
|
||||
delete_pubip() {
|
||||
az network public-ip delete --ids "${PUBIP}" || true
|
||||
}
|
||||
|
||||
delete_disk() {
|
||||
az disk delete -y --ids "${DISK}" || true
|
||||
}
|
||||
|
||||
delete_nic() {
|
||||
az network nic delete --ids "${NIC}" || true
|
||||
}
|
||||
|
||||
delete_vm
|
||||
delete_disk
|
||||
delete_nic
|
||||
delete_nsg
|
||||
delete_subnet
|
||||
delete_vnet
|
||||
delete_pubip
|
@ -1,68 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
|
||||
# shellcheck source=/dev/null
|
||||
. "${CONFIG_FILE}"
|
||||
fi
|
||||
AZURE_SUBSCRIPTION=$(az account show --query id -o tsv)
|
||||
POSITIONAL_ARGS=()
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
-n | --name)
|
||||
AZURE_VM_NAME="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
-*)
|
||||
echo "Unknown option $1"
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||
shift # past argument
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
|
||||
|
||||
VM_DISK=$(az vm show -g "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_VM_NAME}" --query "storageProfile.osDisk.managedDisk.id" -o tsv)
|
||||
LOCATION=$(az disk show --ids "${VM_DISK}" --query "location" -o tsv)
|
||||
|
||||
az snapshot create \
|
||||
-g "${AZURE_RESOURCE_GROUP_NAME}" \
|
||||
--source "${VM_DISK}" \
|
||||
--name "${AZURE_SNAPSHOT_NAME}" \
|
||||
-l "${LOCATION}"
|
||||
|
||||
# Azure CLI does not implement getSecureVMGuestStateSAS for snapshots yet
|
||||
# az snapshot grant-access \
|
||||
# --duration-in-seconds 3600 \
|
||||
# --access-level Read \
|
||||
# --name "${AZURE_SNAPSHOT_NAME}" \
|
||||
# -g "${AZURE_RESOURCE_GROUP_NAME}"
|
||||
|
||||
BEGIN=$(az rest \
|
||||
--method post \
|
||||
--url "https://management.azure.com/subscriptions/${AZURE_SUBSCRIPTION}/resourceGroups/${AZURE_RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/snapshots/${AZURE_SNAPSHOT_NAME}/beginGetAccess" \
|
||||
--uri-parameters api-version="2021-12-01" \
|
||||
--body '{"access": "Read", "durationInSeconds": 3600, "getSecureVMGuestStateSAS": true}' \
|
||||
--verbose 2>&1)
|
||||
ASYNC_OPERATION_URI=$(echo "${BEGIN}" | grep Azure-AsyncOperation | cut -d ' ' -f 7 | tr -d "'")
|
||||
sleep 10
|
||||
ACCESS=$(az rest --method get --url "${ASYNC_OPERATION_URI}")
|
||||
VMGS_URL=$(echo "${ACCESS}" | jq -r '.properties.output.securityDataAccessSAS')
|
||||
|
||||
curl -fsSL -o "${AZURE_VMGS_FILENAME}" "${VMGS_URL}"
|
||||
|
||||
az snapshot revoke-access \
|
||||
--name "${AZURE_SNAPSHOT_NAME}" \
|
||||
-g "${AZURE_RESOURCE_GROUP_NAME}"
|
||||
az snapshot delete \
|
||||
--name "${AZURE_SNAPSHOT_NAME}" \
|
||||
-g "${AZURE_RESOURCE_GROUP_NAME}"
|
||||
echo "VMGS saved to ${AZURE_VMGS_FILENAME}"
|
@ -1,104 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
|
||||
# shellcheck source=/dev/null
|
||||
. "${CONFIG_FILE}"
|
||||
fi
|
||||
POSITIONAL_ARGS=()
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
-n | --name)
|
||||
AZURE_VM_NAME="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
-g | --gallery)
|
||||
CREATE_FROM_GALLERY=YES
|
||||
shift # past argument
|
||||
;;
|
||||
-d | --disk)
|
||||
CREATE_FROM_GALLERY=NO
|
||||
shift # past argument
|
||||
;;
|
||||
--secure-boot)
|
||||
AZURE_SECURE_BOOT="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--disk-name)
|
||||
AZURE_DISK_NAME="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
-*)
|
||||
echo "Unknown option $1"
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||
shift # past argument
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
|
||||
|
||||
if [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
|
||||
VMSIZE="Standard_DC2as_v5"
|
||||
elif [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
|
||||
VMSIZE="standard_D2as_v5"
|
||||
else
|
||||
echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
create_vm_from_disk() {
|
||||
AZURE_DISK_REFERENCE=$(az disk show --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_DISK_NAME}" --query id -o tsv)
|
||||
az vm create --name "${AZURE_VM_NAME}" \
|
||||
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
||||
-l "${AZURE_REGION}" \
|
||||
--size "${VMSIZE}" \
|
||||
--public-ip-sku Standard \
|
||||
--os-type Linux \
|
||||
--attach-os-disk "${AZURE_DISK_REFERENCE}" \
|
||||
--security-type "${AZURE_SECURITY_TYPE}" \
|
||||
--os-disk-security-encryption-type VMGuestStateOnly \
|
||||
--enable-vtpm true \
|
||||
--enable-secure-boot "${AZURE_SECURE_BOOT}" \
|
||||
--boot-diagnostics-storage "" \
|
||||
--no-wait
|
||||
}
|
||||
|
||||
create_vm_from_sig() {
|
||||
AZURE_IMAGE_REFERENCE=$(az sig image-version show \
|
||||
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
|
||||
--gallery-image-version "${AZURE_IMAGE_VERSION}" \
|
||||
--gallery-name "${AZURE_GALLERY_NAME}" \
|
||||
-g "${AZURE_RESOURCE_GROUP_NAME}" \
|
||||
--query id -o tsv)
|
||||
az vm create --name "${AZURE_VM_NAME}" \
|
||||
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
|
||||
-l "${AZURE_REGION}" \
|
||||
--size "${VMSIZE}" \
|
||||
--public-ip-sku Standard \
|
||||
--image "${AZURE_IMAGE_REFERENCE}" \
|
||||
--security-type "${AZURE_SECURITY_TYPE}" \
|
||||
--os-disk-security-encryption-type VMGuestStateOnly \
|
||||
--enable-vtpm true \
|
||||
--enable-secure-boot "${AZURE_SECURE_BOOT}" \
|
||||
--boot-diagnostics-storage "" \
|
||||
--no-wait
|
||||
}
|
||||
|
||||
if [[ ${CREATE_FROM_GALLERY} == "YES" ]]; then
|
||||
create_vm_from_sig
|
||||
else
|
||||
create_vm_from_disk
|
||||
fi
|
||||
|
||||
sleep 30
|
||||
az vm boot-diagnostics enable --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}"
|
@ -1,95 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
|
||||
BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
|
||||
|
||||
# Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup
|
||||
if [[ -z ${LIBVIRT_SOCK} ]]; then
|
||||
LIBVIRT_SOCK=qemu:///system
|
||||
fi
|
||||
|
||||
libvirt_nvram_gen() {
|
||||
local image_path="${1}"
|
||||
if test -f "${BASE_DIR}/image.nvram.template"; then
|
||||
echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
|
||||
return
|
||||
fi
|
||||
if ! test -f "${image_path}"; then
|
||||
echo "Image \"${image_path}\" does not exist yet. To generate nvram, create disk image first."
|
||||
return
|
||||
fi
|
||||
|
||||
OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
|
||||
OVMF_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
|
||||
if ! test -f "${OVMF_CODE}"; then
|
||||
OVMF_CODE=/usr/share/OVMF/OVMF_CODE.secboot.fd
|
||||
fi
|
||||
if ! test -f "${OVMF_VARS}"; then
|
||||
OVMF_VARS=/usr/share/OVMF/OVMF_VARS.secboot.fd
|
||||
fi
|
||||
|
||||
echo "Using OVMF_CODE: ${OVMF_CODE}"
|
||||
echo "Using OVMF_VARS: ${OVMF_VARS}"
|
||||
|
||||
# generate nvram file using libvirt
|
||||
virt-install --name constell-nvram-gen \
|
||||
--connect "${LIBVIRT_SOCK}" \
|
||||
--nonetworks \
|
||||
--description 'Constellation' \
|
||||
--ram 1024 \
|
||||
--vcpus 1 \
|
||||
--osinfo detect=on,require=off \
|
||||
--disk "${image_path},format=raw" \
|
||||
--boot "machine=q35,menu=on,loader=${OVMF_CODE},loader.readonly=yes,loader.type=pflash,nvram.template=${OVMF_VARS},nvram=${BASE_DIR}/image.nvram,loader_secure=yes" \
|
||||
--features smm.state=on \
|
||||
--noautoconsole
|
||||
echo -e 'connect using'
|
||||
echo -e ' \u001b[1mvirsh console constell-nvram-gen\u001b[0m'
|
||||
echo -e ''
|
||||
echo -e 'Load db cert with MokManager or enroll full PKI with firmware setup'
|
||||
echo -e ''
|
||||
echo -e ' \u001b[1mMokManager\u001b[0m'
|
||||
echo -e ' For mokmanager, try to boot as usual. You will see this message:'
|
||||
echo -e ' > "Verification failed: (0x1A) Security Violation"'
|
||||
echo -e ' Press OK, then ENTER, then "Enroll key from disk"'
|
||||
echo -e ' Select the following key:'
|
||||
echo -e ' > \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
|
||||
echo -e ' Press Continue, then choose "Yes" to the question "Enroll the key(s)?"'
|
||||
echo -e ' Choose reboot and continue this script.'
|
||||
echo -e ''
|
||||
echo -e ' \u001b[1mFirmware setup\u001b[0m'
|
||||
echo -e ' For firmware setup, press F2.'
|
||||
echo -e ' Go to "Device Manager">"Secure Boot Configuration">"Secure Boot Mode"'
|
||||
echo -e ' Choose "Custom Mode"'
|
||||
echo -e ' Go to "Custom Securee Boot Options"'
|
||||
echo -e ' Go to "PK Options">"Enroll PK", Press "Y" if queried, "Enroll PK using File"'
|
||||
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/PK.cer\u001b[0m'
|
||||
echo -e ' Choose "Commit Changes and Exit"'
|
||||
echo -e ' Go to "KEK Options">"Enroll KEK", Press "Y" if queried, "Enroll KEK using File"'
|
||||
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/KEK.cer\u001b[0m'
|
||||
echo -e ' Choose "Commit Changes and Exit"'
|
||||
echo -e ' Go to "DB Options">"Enroll Signature">"Enroll Signature using File"'
|
||||
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
|
||||
echo -e ' Choose "Commit Changes and Exit"'
|
||||
echo -e ' Repeat the last step for the following certs:'
|
||||
echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicWinProPCA2011_2011-10-19.crt\u001b[0m'
|
||||
echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicCorUEFCA2011_2011-06-27.crt\u001b[0m'
|
||||
echo -e ' Reboot and continue this script.'
|
||||
echo -e ''
|
||||
echo -e 'Press ENTER to continue after you followed one of the guides from above.'
|
||||
read -r
|
||||
sudo cp "${BASE_DIR}/image.nvram" "${BASE_DIR}/image.nvram.template"
|
||||
virsh --connect "${LIBVIRT_SOCK}" destroy --domain constell-nvram-gen
|
||||
virsh --connect "${LIBVIRT_SOCK}" undefine --nvram constell-nvram-gen
|
||||
rm -f "${BASE_DIR}/image.nvram"
|
||||
|
||||
echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
|
||||
}
|
||||
|
||||
libvirt_nvram_gen "$1"
|
@ -1,66 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
# This script generates a PKI for secure boot.
|
||||
# It is based on the example from https://github.com/systemd/systemd/blob/main/man/loader.conf.xml
|
||||
# This is meant to be used for development purposes only.
|
||||
# Release images are signed using a different set of keys.
|
||||
# Set PKI to an empty folder and PKI_SET to "dev".
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
|
||||
templates=${script_dir}/templates
|
||||
base_dir=$(realpath "${script_dir}/..")
|
||||
pki="${PKI:-${base_dir}/pki}"
|
||||
pki_set="${PKI_SET:-dev}"
|
||||
|
||||
gen_pki() {
|
||||
# Only use for non-production images.
|
||||
# Use real PKI for production images instead.
|
||||
mkdir -p "${pki}"
|
||||
count=$(find "${pki}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2> /dev/null | wc -l)
|
||||
if [[ ${count} != 0 ]]; then
|
||||
echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${pki}")"/*.{key,crt,cer,esl,auth})" already exist
|
||||
return
|
||||
fi
|
||||
pushd "${pki}" || exit 1
|
||||
|
||||
uuid=$(systemd-id128 new --uuid)
|
||||
for key in PK KEK db; do
|
||||
openssl req -new -x509 -config "${templates}/${pki_set}_${key}.conf" -keyout "${key}.key" -out "${key}.crt" -nodes
|
||||
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
|
||||
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
|
||||
done
|
||||
|
||||
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
|
||||
curl -fsSL "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
|
||||
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
|
||||
done
|
||||
|
||||
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
|
||||
cat MicWinProPCA2011_2011-10-19.esl >> db.esl
|
||||
|
||||
# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
|
||||
# and third-party boot loaders (including shim). This is highly recommended on real
|
||||
# hardware as not including this may soft-brick your device (see next paragraph).
|
||||
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
|
||||
|
||||
# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
|
||||
# Microsoft keys is used as the official UEFI revocation database is signed with this
|
||||
# key. The revocation database can be updated with [fwupdmgr(1)](https://www.freedesktop.org/software/systemd/man/fwupdmgr.html#).
|
||||
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
|
||||
|
||||
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
|
||||
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
|
||||
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
|
||||
|
||||
popd || exit 1
|
||||
}
|
||||
|
||||
# gen_pki generates a PKI for testing purposes only.
|
||||
# if keys/certs are already present in the pki folder, they are not regenerated.
|
||||
gen_pki
|
@ -1,48 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright (c) Edgeless Systems GmbH
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
# This script is used to add a signed shim to the image.raw file EFI partition after running `mkosi build`.
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
if (($# != 1)); then
|
||||
echo "Usage: $0 <image.raw>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# SOURCE is the URL used to download the signed shim RPM
|
||||
SOURCE=https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm
|
||||
# EXPECTED_SHA512 is the SHA512 checksum of the signed shim RPM
|
||||
EXPECTED_SHA512=971978bddee95a6a134ef05c4d88cf5df41926e631de863b74ef772307f3e106c82c8f6889c18280d47187986abd774d8671c5be4b85b1b0bb3d1858b65d02cf
|
||||
TMPDIR=$(mktemp -d)
|
||||
|
||||
pushd "${TMPDIR}"
|
||||
|
||||
curl -fsSL -o shim.rpm "${SOURCE}"
|
||||
echo "Checking SHA512 checksum of signed shim..."
|
||||
sha512sum -c <<< "${EXPECTED_SHA512} shim.rpm"
|
||||
rpm2cpio shim.rpm | cpio -idmv
|
||||
echo "${TMPDIR}"
|
||||
|
||||
popd
|
||||
|
||||
MOUNTPOINT=$(mktemp -d)
|
||||
sectoroffset=$(sfdisk -J "${1}" | jq -r '.partitiontable.partitions[0].start')
|
||||
byteoffset=$((sectoroffset * 512))
|
||||
mount -o offset="${byteoffset}" "${1}" "${MOUNTPOINT}"
|
||||
|
||||
mkdir -p "${MOUNTPOINT}/EFI/BOOT/"
|
||||
cp "${TMPDIR}/boot/efi/EFI/BOOT/BOOTX64.EFI" "${MOUNTPOINT}/EFI/BOOT/"
|
||||
cp "${TMPDIR}/boot/efi/EFI/fedora/mmx64.efi" "${MOUNTPOINT}/EFI/BOOT/"
|
||||
cp "${MOUNTPOINT}/EFI/systemd/systemd-bootx64.efi" "${MOUNTPOINT}/EFI/BOOT/grubx64.efi"
|
||||
|
||||
# Remove unused kernel and initramfs from EFI to save space
|
||||
# We boot from unified kernel image anyway
|
||||
rm -f "${MOUNTPOINT}"/*/*/{linux,initrd}
|
||||
|
||||
umount "${MOUNTPOINT}"
|
||||
rm -rf "${MOUNTPOINT}"
|
||||
rm -rf "${TMPDIR}"
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Development KEK CA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Development UEFI CA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Development PCA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation KEK CA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation UEFI CA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Production PCA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Testing KEK CA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Testing UEFI CA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|
@ -1,20 +0,0 @@
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
req_extensions = v3_req
|
||||
prompt = no
|
||||
|
||||
dirstring_type = nobmp
|
||||
|
||||
[ req_distinguished_name ]
|
||||
C = DE
|
||||
ST = Nordrhein Westfalen
|
||||
L = Bochum
|
||||
O = Edgeless Systems GmbH
|
||||
CN = Constellation Testing PCA 2022
|
||||
|
||||
[ v3_req ]
|
||||
subjectKeyIdentifier = hash
|
||||
basicConstraints = critical,CA:true
|
||||
keyUsage = digitalSignature,keyCertSign,cRLSign
|