From fc1045a4f7e0bfc0e017c880c3da00d02355b2bc Mon Sep 17 00:00:00 2001 
From: Malte Poll Date: Mon, 11 Sep 2023 15:50:55 +0200 Subject: [PATCH] image: remove old mkosi config --- image/.csp/aws | 0 image/.gitignore | 8 - image/Makefile | 113 -------- image/mkosi.cache/.gitkeep | 0 image/mkosi.conf.d/aws.conf | 3 - image/mkosi.conf.d/azure.conf | 3 - image/mkosi.conf.d/containers.conf | 10 - image/mkosi.conf.d/gcp.conf | 3 - image/mkosi.conf.d/mkosi.aws.conf | 5 - image/mkosi.conf.d/mkosi.azure.conf | 5 - image/mkosi.conf.d/mkosi.conf | 32 --- image/mkosi.conf.d/mkosi.gcp.conf | 5 - image/mkosi.conf.d/mkosi.openstack.conf | 9 - image/mkosi.conf.d/mkosi.qemu.conf | 9 - image/mkosi.conf.d/network.conf | 8 - image/mkosi.conf.d/secure-boot-tpm.conf | 7 - image/mkosi.conf.d/selinux.conf | 8 - image/mkosi.conf.d/tools.conf | 8 - image/mkosi.finalize | 9 - image/mkosi.postinst | 36 --- image/mkosi.prepare | 33 --- image/mkosi.repart/00-esp.conf | 6 - image/mkosi.repart/10-root.conf | 7 - image/mkosi.repart/20-root-verity.conf | 6 - image/mkosi.reposdir/amzn2-core.repo | 39 --- image/mkosi.skeleton/etc/crictl.yaml | 1 - .../etc/dracut.conf.d/90-networkd.conf | 5 - .../mkosi.skeleton/etc/dracut.conf.d/aws.conf | 2 - .../etc/dracut.conf.d/azure.conf | 3 - .../mkosi.skeleton/etc/dracut.conf.d/gce.conf | 2 - image/mkosi.skeleton/etc/fstab | 5 - .../etc/profile.d/constellation.sh | 11 - .../usr/etc/containerd/config.toml | 216 --------------- .../usr/etc/containers/containers.conf | 2 - .../usr/etc/containers/registries.conf | 1 - .../azure-provisioning.service | 13 - .../38azure-provision/azure-provisioning.sh | 64 ----- .../38azure-provision/module-setup.sh | 34 --- .../aws-nvme-disk.service | 15 -- .../39constellation-mount/aws-nvme-disk.sh | 28 -- .../configure-constel-csp.service | 1 - .../39constellation-mount/module-setup.sh | 94 ------- .../prepare-state-disk.service | 18 -- .../prepare-state-disk.sh | 33 --- .../sysusers-dracut.conf | 3 - .../lib/environment.d/99-constellation.conf | 2 - .../usr/lib/issue.d/01_constellation.issue | 1 - 
.../usr/lib/modules-load.d/k8s.conf | 2 - .../usr/lib/sysctl.d/10-cilium.conf | 3 - .../usr/lib/sysctl.d/10-k8s.conf | 9 - .../usr/lib/systemd/network/20-wired.network | 5 - .../usr/lib/systemd/network/21-azure.network | 6 - .../systemd/resolved.conf.d/fallback_dns.conf | 2 - .../system-preset/30-constellation.preset | 11 - .../system/configure-constel-csp.service | 11 - .../system/constellation-bootstrapper.service | 16 -- .../constellation-upgrade-agent.service | 14 - .../system/containerd.service.d/local.conf | 3 - .../system/export_constellation_debug.service | 10 - .../usr/lib/systemd/system/kubelet.service | 21 -- .../lib/systemd/system/measurements.service | 12 - .../timesyncd.conf.d/constellation.conf | 1 - .../usr/lib/sysusers.d/constellation.conf | 2 - .../usr/lib/tmpfiles.d/constellation.conf | 10 - .../usr/lib/udev/google_nvme_id | 248 ------------------ .../udev/rules.d/64-gce-disk-removal.rules | 17 -- .../lib/udev/rules.d/65-gce-disk-naming.rules | 37 --- .../udev/rules.d/98-override-systemd.rules | 4 - .../usr/libexec/constellation-pcrs | 14 - image/secure-boot/aws/create_uefivars.sh | 12 - image/secure-boot/azure/delete.sh | 76 ------ image/secure-boot/azure/extract_vmgs.sh | 68 ----- image/secure-boot/azure/launch.sh | 104 -------- image/secure-boot/generate_nvram_vars.sh | 95 ------- image/secure-boot/genkeys.sh | 66 ----- image/secure-boot/signed-shim.sh | 48 ---- image/secure-boot/templates/dev_KEK.conf | 20 -- image/secure-boot/templates/dev_PK.conf | 20 -- image/secure-boot/templates/dev_db.conf | 20 -- image/secure-boot/templates/prod_KEK.conf | 20 -- image/secure-boot/templates/prod_PK.conf | 20 -- image/secure-boot/templates/prod_db.conf | 20 -- image/secure-boot/templates/testing_KEK.conf | 20 -- image/secure-boot/templates/testing_PK.conf | 20 -- image/secure-boot/templates/testing_db.conf | 20 -- 85 files changed, 2033 deletions(-) delete mode 100644 image/.csp/aws delete mode 100644 image/.gitignore delete mode 100644 image/Makefile 
delete mode 100644 image/mkosi.cache/.gitkeep delete mode 100644 image/mkosi.conf.d/aws.conf delete mode 100644 image/mkosi.conf.d/azure.conf delete mode 100644 image/mkosi.conf.d/containers.conf delete mode 100644 image/mkosi.conf.d/gcp.conf delete mode 100644 image/mkosi.conf.d/mkosi.aws.conf delete mode 100644 image/mkosi.conf.d/mkosi.azure.conf delete mode 100644 image/mkosi.conf.d/mkosi.conf delete mode 100644 image/mkosi.conf.d/mkosi.gcp.conf delete mode 100644 image/mkosi.conf.d/mkosi.openstack.conf delete mode 100644 image/mkosi.conf.d/mkosi.qemu.conf delete mode 100644 image/mkosi.conf.d/network.conf delete mode 100644 image/mkosi.conf.d/secure-boot-tpm.conf delete mode 100644 image/mkosi.conf.d/selinux.conf delete mode 100644 image/mkosi.conf.d/tools.conf delete mode 100755 image/mkosi.finalize delete mode 100755 image/mkosi.postinst delete mode 100755 image/mkosi.prepare delete mode 100644 image/mkosi.repart/00-esp.conf delete mode 100644 image/mkosi.repart/10-root.conf delete mode 100644 image/mkosi.repart/20-root-verity.conf delete mode 100644 image/mkosi.reposdir/amzn2-core.repo delete mode 100644 image/mkosi.skeleton/etc/crictl.yaml delete mode 100644 image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf delete mode 100644 image/mkosi.skeleton/etc/dracut.conf.d/aws.conf delete mode 100644 image/mkosi.skeleton/etc/dracut.conf.d/azure.conf delete mode 100644 image/mkosi.skeleton/etc/dracut.conf.d/gce.conf delete mode 100644 image/mkosi.skeleton/etc/fstab delete mode 100755 image/mkosi.skeleton/etc/profile.d/constellation.sh delete mode 100644 image/mkosi.skeleton/usr/etc/containerd/config.toml delete mode 100644 image/mkosi.skeleton/usr/etc/containers/containers.conf delete mode 100644 image/mkosi.skeleton/usr/etc/containers/registries.conf delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.service delete mode 100755 
image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.sh delete mode 100755 image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/module-setup.sh delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.service delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.sh delete mode 120000 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh delete mode 100644 image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/sysusers-dracut.conf delete mode 100644 image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf delete mode 100644 image/mkosi.skeleton/usr/lib/issue.d/01_constellation.issue delete mode 100644 image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf delete mode 100644 image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf delete mode 100644 image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/constellation-upgrade-agent.service delete mode 100644 
image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/export_constellation_debug.service delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/system/measurements.service delete mode 100644 image/mkosi.skeleton/usr/lib/systemd/timesyncd.conf.d/constellation.conf delete mode 100644 image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf delete mode 100644 image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf delete mode 100755 image/mkosi.skeleton/usr/lib/udev/google_nvme_id delete mode 100755 image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules delete mode 100755 image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules delete mode 100644 image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules delete mode 100755 image/mkosi.skeleton/usr/libexec/constellation-pcrs delete mode 100755 image/secure-boot/aws/create_uefivars.sh delete mode 100755 image/secure-boot/azure/delete.sh delete mode 100755 image/secure-boot/azure/extract_vmgs.sh delete mode 100755 image/secure-boot/azure/launch.sh delete mode 100755 image/secure-boot/generate_nvram_vars.sh delete mode 100755 image/secure-boot/genkeys.sh delete mode 100755 image/secure-boot/signed-shim.sh delete mode 100644 image/secure-boot/templates/dev_KEK.conf delete mode 100644 image/secure-boot/templates/dev_PK.conf delete mode 100644 image/secure-boot/templates/dev_db.conf delete mode 100644 image/secure-boot/templates/prod_KEK.conf delete mode 100644 image/secure-boot/templates/prod_PK.conf delete mode 100644 image/secure-boot/templates/prod_db.conf delete mode 100644 image/secure-boot/templates/testing_KEK.conf delete mode 100644 image/secure-boot/templates/testing_PK.conf delete mode 100644 image/secure-boot/templates/testing_db.conf 
diff --git a/image/.csp/aws b/image/.csp/aws
deleted file mode 100644
index e69de29bb..000000000
diff --git a/image/.gitignore b/image/.gitignore
deleted file mode 100644
index 512f820fe..000000000
--- a/image/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-mkosi.cache
-mkosi.extra
-pki
-image.*
-!image.go
-mkosi.output.*
-pki_*/*.key
-pki_*/*.vmgs
diff --git a/image/Makefile b/image/Makefile
deleted file mode 100644
index cb03a3481..000000000
--- a/image/Makefile
+++ /dev/null
@@ -1,113 +0,0 @@
-SHELL = /bin/bash
-SRC_PATH = $(CURDIR)
-BASE_PATH ?= $(SRC_PATH)
-BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper
-DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
-UPGRADE_AGENT_BINARY ?= $(BASE_PATH)/../build/upgrade-agent
-DEBUGD_BINARY ?= $(BASE_PATH)/../build/debugd
-MEASUREMENT_READER_BINARY ?= $(BASE_PATH)/../build/measurement-reader
-PKI ?= $(BASE_PATH)/pki
-MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
-EXTRA_SEARCH_PATHS ?=
-IMAGE_VERSION ?= v0.0.0
-DEBUG ?= false
-AUTOLOGIN ?= false
-AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
-KERNEL_DEBUG_CMDLNE := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
-SEARCH_PATHS_PARAM := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
-export INSTALL_DEBUGD ?= $(DEBUG)
-export CONSOLE_MOTD = $(AUTOLOGIN)
--include $(CURDIR)/config.mk
-csps := aws azure gcp openstack qemu
-variants := aws_aws-sev-snp aws_aws-nitro-tpm azure_azure-sev-snp gcp_gcp-sev-es gcp_gcp-sev-snp openstack_qemu-vtpm qemu_qemu-vtpm
-certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
-
-SYSTEMD_FIXED_RPMS := systemd-251.11-2.fc37.x86_64.rpm systemd-libs-251.11-2.fc37.x86_64.rpm systemd-networkd-251.11-2.fc37.x86_64.rpm systemd-pam-251.11-2.fc37.x86_64.rpm systemd-resolved-251.11-2.fc37.x86_64.rpm systemd-udev-251.11-2.fc37.x86_64.rpm
-KERNEL_RPMS := kernel-6.1.46-100.constellation.fc38.x86_64.rpm kernel-core-6.1.46-100.constellation.fc38.x86_64.rpm kernel-modules-6.1.46-100.constellation.fc38.x86_64.rpm kernel-modules-core-6.1.46-100.constellation.fc38.x86_64.rpm
-PREBUILD_RPMS_SYSTEMD := $(addprefix prebuilt/rpms/systemd/,$(SYSTEMD_FIXED_RPMS))
-PREBUILD_RPMS_KERNEL := $(addprefix prebuilt/rpms/kernel/,$(KERNEL_RPMS))
-
-.PHONY: all clean inject-bins $(csps) $(variants)
-
-.NOTPARALLEL: mkosi.output.%/fedora~38/image.raw clean-%
-
-all: $(csps)
-
-aws: aws_aws-sev-snp aws_aws-nitro-tpm
-azure: azure_azure-sev-snp
-gcp: gcp_gcp-sev-es gcp_gcp-sev-snp
-openstack: openstack_qemu-vtpm
-qemu: qemu_qemu-vtpm
-
-$(variants): %: mkosi.output.%/fedora~38/image.raw
-
-prebuilt/rpms/systemd/%.rpm:
- @echo "Downloading $*"
- @mkdir -p $(@D)
- @curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/systemd/251.11/2.fc37/x86_64/$*.rpm
-
-prebuilt/rpms/kernel/%.rpm:
- @echo "Downloading $*"
- @mkdir -p $(@D)
- @curl -fsSL -o $@ https://cdn.confidential.cloud/constellation/kernel/6.1.46-100.constellation/$*.rpm
-
-mkosi.output.%/fedora~38/image.raw: inject-bins inject-certs
- rm -rf .csp/
- mkdir -p .csp/
- $(eval csp := $(firstword $(subst _, ,$*)))
- $(eval attestation_variant := $(lastword $(subst _, ,$*)))
- touch .csp/$(csp)
- mkosi \
- --image-version=$(IMAGE_VERSION) \
- $(AUTOLOGIN_ARGS) \
- --environment=INSTALL_DEBUGD \
- --environment=CONSOLE_MOTD \
- --kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
- --kernel-command-line="constel.attestation-variant=$(attestation_variant)" \
- --kernel-command-line="constel.csp=$(csp)" \
- --output-dir=mkosi.output.$* \
- $(SEARCH_PATHS_PARAM) \
- build
- secure-boot/signed-shim.sh $@
- @if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
- chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
- fi
- rm -rf .csp/
- @echo "Image is ready: $@"
-
-inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILD_RPMS_KERNEL)
- mkdir -p $(MKOSI_EXTRA)/usr/bin
- mkdir -p $(MKOSI_EXTRA)/usr/sbin
- cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent
- cp $(DISK_MAPPER_BINARY) $(MKOSI_EXTRA)/usr/sbin/disk-mapper
- cp $(MEASUREMENT_READER_BINARY) $(MKOSI_EXTRA)/usr/sbin/measurement-reader
- if [ "$(DEBUG)" = "true" ]; then \
- cp $(DEBUGD_BINARY) $(MKOSI_EXTRA)/usr/bin/debugd; \
- rm -f $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
- rm -f $(MKOSI_EXTRA)/usr/bin/upgrade-agent; \
- else \
- cp $(BOOTSTRAPPER_BINARY) $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
- rm -f $(MKOSI_EXTRA)/usr/bin/debugd; \
- fi
-
-inject-certs: $(certs)
- # for auto enrollment using systemd-boot (not working yet)
- mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
- cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
- cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
-
-clean-cache:
- rm -rf mkosi.cache/*
-
-clean-%:
- rm -rf .csp/
- mkdir -p .csp/
- touch .csp/$*
- mkosi clean
- rm -rf .csp/
-
-clean:
- rm -rf mkosi.output.*
- rm -rf prebuilt/rpms
- rm -rf $(MKOSI_EXTRA)
- mkdir -p $(MKOSI_EXTRA)
diff --git a/image/mkosi.cache/.gitkeep b/image/mkosi.cache/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/image/mkosi.conf.d/aws.conf b/image/mkosi.conf.d/aws.conf
deleted file mode 100644
index 75846a74c..000000000
--- a/image/mkosi.conf.d/aws.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Content]
-Packages=
- ec2-utils
diff --git a/image/mkosi.conf.d/azure.conf b/image/mkosi.conf.d/azure.conf
deleted file mode 100644
index bc4b707b4..000000000
--- a/image/mkosi.conf.d/azure.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Content]
-Packages=
- WALinuxAgent-udev
diff --git a/image/mkosi.conf.d/containers.conf b/image/mkosi.conf.d/containers.conf
deleted file mode 100644
index 5acc0c2d8..000000000
--- a/image/mkosi.conf.d/containers.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Content]
-Packages=
- containerd,
- containernetworking-plugins,
- iptables-nft,
- ethtool,
- socat,
- iproute-tc,
- conntrack-tools,
- podman
diff --git a/image/mkosi.conf.d/gcp.conf b/image/mkosi.conf.d/gcp.conf
deleted file mode 100644
index 0c72df1b9..000000000
--- a/image/mkosi.conf.d/gcp.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Content]
-Packages=
- nvme-cli
diff --git a/image/mkosi.conf.d/mkosi.aws.conf b/image/mkosi.conf.d/mkosi.aws.conf
deleted file mode 100644
index 5862d9cf5..000000000
--- a/image/mkosi.conf.d/mkosi.aws.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-PathExists=../.csp/aws
-
-[Output]
-KernelCommandLine=mitigations=auto idle=poll
diff --git a/image/mkosi.conf.d/mkosi.azure.conf b/image/mkosi.conf.d/mkosi.azure.conf
deleted file mode 100644
index 61bb8b1b6..000000000
--- a/image/mkosi.conf.d/mkosi.azure.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-PathExists=../.csp/azure
-
-[Output]
-KernelCommandLine=mitigations=auto,nosmt
diff --git a/image/mkosi.conf.d/mkosi.conf b/image/mkosi.conf.d/mkosi.conf
deleted file mode 100644
index 37dca24d4..000000000
--- a/image/mkosi.conf.d/mkosi.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-[Distribution]
-Distribution=fedora
-Release=38
-
-[Output]
-Format=disk
-ManifestFormat=json,changelog
-Bootable=yes
-KernelCommandLine=preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0
-SplitArtifacts=yes
-# Enable Secure Boot with own PKI
-SecureBoot=yes
-SecureBootKey=pki/db.key
-SecureBootCertificate=pki/db.crt
-# TODO(malt3): Wait for systemd 252 to bring systemd-measure
-# Measure=yes
-ImageId=constellation
-Output=image.raw
-
-[Content]
-Packages=prebuilt/rpms/kernel/kernel-6.1.46-100.constellation.fc38.x86_64.rpm
- prebuilt/rpms/kernel/kernel-core-6.1.46-100.constellation.fc38.x86_64.rpm
- prebuilt/rpms/kernel/kernel-modules-6.1.46-100.constellation.fc38.x86_64.rpm
- prebuilt/rpms/kernel/kernel-modules-core-6.1.46-100.constellation.fc38.x86_64.rpm
- prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm
- prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm
- prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm
- prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm
- prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm
- prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm
- dracut
- util-linux
diff --git a/image/mkosi.conf.d/mkosi.gcp.conf b/image/mkosi.conf.d/mkosi.gcp.conf
deleted file mode 100644
index 392813c02..000000000
--- a/image/mkosi.conf.d/mkosi.gcp.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-PathExists=../.csp/gcp
-
-[Output]
-KernelCommandLine=mitigations=auto,nosmt
diff --git a/image/mkosi.conf.d/mkosi.openstack.conf b/image/mkosi.conf.d/mkosi.openstack.conf
deleted file mode 100644
index a761879ec..000000000
--- a/image/mkosi.conf.d/mkosi.openstack.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[Match]
-PathExists=../.csp/openstack
-
-[Output]
-KernelCommandLine=mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0 mitigations=auto,nosmt
-
-[Content]
-Autologin=yes
-Environment=CONSOLE_MOTD=true
diff --git a/image/mkosi.conf.d/mkosi.qemu.conf b/image/mkosi.conf.d/mkosi.qemu.conf
deleted file mode 100644
index 02e64fd19..000000000
--- a/image/mkosi.conf.d/mkosi.qemu.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-[Match]
-PathExists=../.csp/qemu
-
-[Content]
-Autologin=yes
-Environment=CONSOLE_MOTD=true
-
-[Output]
-KernelCommandLine=mitigations=auto,nosmt
diff --git a/image/mkosi.conf.d/network.conf b/image/mkosi.conf.d/network.conf
deleted file mode 100644
index ee7dad6ee..000000000
--- a/image/mkosi.conf.d/network.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Content]
-Packages=
- iproute,
- dbus-broker,
- systemd-networkd,
- systemd-resolved,
- dracut-network,
- dhclient, # prevent NetworkManager from being pulled in by dracut-network
diff --git a/image/mkosi.conf.d/secure-boot-tpm.conf b/image/mkosi.conf.d/secure-boot-tpm.conf
deleted file mode 100644
index b72e0c47c..000000000
--- a/image/mkosi.conf.d/secure-boot-tpm.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Content]
-# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
-Packages=
- e2fsprogs,
- sbsigntools,
- efitools,
- mokutil,
diff --git a/image/mkosi.conf.d/selinux.conf b/image/mkosi.conf.d/selinux.conf
deleted file mode 100644
index b55576282..000000000
--- a/image/mkosi.conf.d/selinux.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Output]
-# set selinux to permissive
-KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
-
-[Content]
-# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
-Packages=selinux-policy,
- selinux-policy-targeted,
diff --git a/image/mkosi.conf.d/tools.conf b/image/mkosi.conf.d/tools.conf
deleted file mode 100644
index c3f7f1e32..000000000
--- a/image/mkosi.conf.d/tools.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Content]
-Packages=
- passwd,
- nano,
- nano-default-editor,
- vim,
- curl,
- wget
diff --git a/image/mkosi.finalize b/image/mkosi.finalize
deleted file mode 100755
index 77b1066d4..000000000
--- a/image/mkosi.finalize
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-set -euxo pipefail
-
-# cleanup dracut generation files (disk-mapper) to save space
-rm -rf "${BUILDROOT}/usr/lib/dracut/modules.d/39constellation-mount/"
diff --git a/image/mkosi.postinst b/image/mkosi.postinst
deleted file mode 100755
index 89054f43c..000000000
--- a/image/mkosi.postinst
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-set -euxo pipefail
-
-# This will work in sd-boot 251 to auto-enroll secure boot keys.
-# https://www.freedesktop.org/software/systemd/man/systemd-boot.html
-# > CHANGES WITH 252 in spe:
-# > [...]
-# > * sd-boot can automatically enroll SecureBoot keys from files found on
-# > the ESP. This enrollment can be either automatic ('force' mode) or
-# > controlled by the user ('manual' mode).
-# > [...]
-#
-# echo "secure-boot-enroll force" >> /boot/loader/loader.conf
-
-# create mountpoints in /etc
-mkdir -p /etc/{cni,kubernetes}
-
-# move issue files away from /etc
-# to allow /run/issue and /run/issue.d to take precedence
-mv /etc/issue.d /usr/lib/issue.d || true
-rm -f /etc/issue
-rm -f /etc/issue.net
-
-# add motd for constellation console access
-if [[ ${CONSOLE_MOTD:-false} == "true" ]]; then
- cat << EOF > /usr/lib/motd.d/10-constellation-console-access.motd
-~ Welcome to Constellation! ~
-Usually, on release versions of Constellation running in the cloud, you are not able to login through the serial console.
-This shell access is specifically granted for debug images and MiniConstellation to allow users to research the environment Constellation runs in.
-Have fun! Feel free to report any issues to GitHub or security@edgeless.systems (for security vulnerabilities only).
-EOF
-fi
-
-# update /etc/os-release
-echo "IMAGE_ID=\"${IMAGE_ID}\"" >> /etc/os-release
-echo "IMAGE_VERSION=\"${IMAGE_VERSION}\"" >> /etc/os-release
diff --git a/image/mkosi.prepare b/image/mkosi.prepare
deleted file mode 100755
index ace1ac65b..000000000
--- a/image/mkosi.prepare
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -euxo pipefail
-
-# set selinux to permissive
-sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
-
-# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
-sed -i 's/WantedBy=multi-user.target/WantedBy=basic.target/' /usr/lib/systemd/system/systemd-resolved.service
-
-# write + enable debugd.service if INSTALL_DEBUGD is set
-if [[ ${INSTALL_DEBUGD:-false} == "true" ]]; then
- cat << EOF > /usr/lib/systemd/system/debugd.service
-[Unit]
-Description=Constellation Debug Daemon
-Wants=network-online.target
-After=network-online.target configure-constel-csp.service
-
-[Service]
-Type=simple
-RemainAfterExit=yes
-Restart=on-failure
-EnvironmentFile=/run/constellation.env
-Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
-ExecStart=/usr/bin/debugd
-
-[Install]
-WantedBy=multi-user.target
-EOF
- echo "enable debugd.service" > /usr/lib/systemd/system-preset/31-constellation-debug.preset
- systemctl enable debugd.service
- # ensure constellation-bootstrapper.service uses downloaded binaries on reboots
- sed -i 's#ExecStart=.*#ExecStart=/run/state/bin/bootstrapper#' /usr/lib/systemd/system/constellation-bootstrapper.service
-fi
diff --git a/image/mkosi.repart/00-esp.conf b/image/mkosi.repart/00-esp.conf
deleted file mode 100644
index 126d27fb0..000000000
--- a/image/mkosi.repart/00-esp.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[Partition]
-Type=esp
-Format=vfat
-CopyFiles=/boot:/
-SizeMinBytes=256M
-SizeMaxBytes=512M
diff --git a/image/mkosi.repart/10-root.conf b/image/mkosi.repart/10-root.conf
deleted file mode 100644
index 10ac90529..000000000
--- a/image/mkosi.repart/10-root.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Partition]
-Type=root
-Format=squashfs
-Verity=data
-VerityMatchKey=root
-CopyFiles=/
-Minimize=guess
diff --git a/image/mkosi.repart/20-root-verity.conf b/image/mkosi.repart/20-root-verity.conf
deleted file mode 100644
index 352c50d55..000000000
--- a/image/mkosi.repart/20-root-verity.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[Partition]
-Type=root-verity
-Verity=hash
-VerityMatchKey=root
-SizeMinBytes=64M
-SizeMaxBytes=64M
diff --git a/image/mkosi.reposdir/amzn2-core.repo b/image/mkosi.reposdir/amzn2-core.repo
deleted file mode 100644
index 32b6472b4..000000000
--- a/image/mkosi.reposdir/amzn2-core.repo
+++ /dev/null
@@ -1,39 +0,0 @@
-[amzn2-core]
-name=Amazon Linux 2 core repository
-#mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/$basearch/mirror.list
-mirrorlist=https://amazonlinux-2-repos-us-east-2.s3.dualstack.us-east-2.amazonaws.com/2/core/latest/x86_64/mirror.list
-priority=10
-gpgcheck=1
-#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
-gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
-enabled=1
-metadata_expire=300
-mirrorlist_expire=300
-report_instanceid=yes
-includepkgs=ec2-utils
-
-# [amzn2-core-source]
-# name=Amazon Linux 2 core repository - source packages
-# mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/SRPMS/mirror.list
-# priority=10
-# gpgcheck=1
-# #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
-# gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
-# enabled=0
-# metadata_expire=300
-# mirrorlist_expire=300
-# report_instanceid=yes
-# includepkgs=ec2-utils
-
-# [amzn2-core-debuginfo]
-# name=Amazon Linux 2 core repository - debuginfo packages
-# mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/debuginfo/$basearch/mirror.list
-# priority=10
-# gpgcheck=1
-# #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
-# gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
-# enabled=0
-# metadata_expire=300
-# mirrorlist_expire=300
-# report_instanceid=yes
-# includepkgs=ec2-utils
diff --git a/image/mkosi.skeleton/etc/crictl.yaml b/image/mkosi.skeleton/etc/crictl.yaml
deleted file mode 100644
index 3e588cd39..000000000
--- a/image/mkosi.skeleton/etc/crictl.yaml
+++ /dev/null
@@ -1 +0,0 @@
-runtime-endpoint: "unix:///run/containerd/containerd.sock"
diff --git a/image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf b/image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
deleted file mode 100644
index 6e8da82e7..000000000
--- a/image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# enable networking in initrd (initramfs) with dracut and systemd-networkd
-install_items+=" /usr/lib/systemd/network/20-wired.network "
-install_items+=" /usr/lib/systemd/network/21-azure.network "
-# see https://github.com/dracutdevs/dracut/tree/master/modules.d for a list of modules
-add_dracutmodules+=" systemd-networkd systemd-resolved "
diff --git a/image/mkosi.skeleton/etc/dracut.conf.d/aws.conf b/image/mkosi.skeleton/etc/dracut.conf.d/aws.conf
deleted file mode 100644
index 38c3741af..000000000
--- a/image/mkosi.skeleton/etc/dracut.conf.d/aws.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# add Amazon ena driver to the list of drivers to be loaded
-force_drivers+=" ena "
diff --git a/image/mkosi.skeleton/etc/dracut.conf.d/azure.conf b/image/mkosi.skeleton/etc/dracut.conf.d/azure.conf
deleted file mode 100644
index 41eb5d0ab..000000000
--- a/image/mkosi.skeleton/etc/dracut.conf.d/azure.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# add hyperv drivers to initramfs
-# (important for early networking)
-force_drivers+=" hv_netvsc hv_sock hv_storvsc hv_vmbus "
diff --git a/image/mkosi.skeleton/etc/dracut.conf.d/gce.conf b/image/mkosi.skeleton/etc/dracut.conf.d/gce.conf
deleted file mode 100644
index cae7ce6d5..000000000
--- a/image/mkosi.skeleton/etc/dracut.conf.d/gce.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# Include NVMe driver in initrd to boot on NVMe devices.
-force_drivers+=" nvme "
diff --git a/image/mkosi.skeleton/etc/fstab b/image/mkosi.skeleton/etc/fstab
deleted file mode 100644
index e22f0b247..000000000
--- a/image/mkosi.skeleton/etc/fstab
+++ /dev/null
@@ -1,5 +0,0 @@
-/dev/mapper/state /run/state ext4 defaults,x-systemd.makefs,x-mount.mkdir 0 0
-/run/state/var /var none defaults,bind,x-mount.mkdir 0 0
-/run/state/kubernetes /etc/kubernetes none defaults,bind,x-mount.mkdir 0 0
-/run/state/etccni /etc/cni/ none defaults,bind,x-mount.mkdir 0 0
-/run/state/opt /opt none defaults,bind,x-mount.mkdir 0 0
diff --git a/image/mkosi.skeleton/etc/profile.d/constellation.sh b/image/mkosi.skeleton/etc/profile.d/constellation.sh
deleted file mode 100755
index d52d2361d..000000000
--- a/image/mkosi.skeleton/etc/profile.d/constellation.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# Note: This script is sourced.
-
-export TERM=linux
-export PATH=/run/state/bin:${PATH}
-export KUBECONFIG=/etc/kubernetes/admin.conf
-alias k=kubectl
diff --git a/image/mkosi.skeleton/usr/etc/containerd/config.toml b/image/mkosi.skeleton/usr/etc/containerd/config.toml
deleted file mode 100644
index b1a2e073b..000000000
--- a/image/mkosi.skeleton/usr/etc/containerd/config.toml
+++ /dev/null
@@ -1,216 +0,0 @@
-disabled_plugins = []
-imports = []
-oom_score = 0
-plugin_dir = ""
-required_plugins = []
-root = "/var/lib/containerd"
-state = "/run/containerd"
-version = 2
-
-[cgroup]
- path = ""
-
-[debug]
- address = ""
- format = ""
- gid = 0
- level = ""
- uid = 0
-
-[grpc]
- address = "/run/containerd/containerd.sock"
- gid = 0
- max_recv_message_size = 16777216
- max_send_message_size = 16777216
- tcp_address = ""
- tcp_tls_cert = ""
- tcp_tls_key = ""
- uid = 0
-
-[metrics]
- address = ""
- grpc_histogram = false
-
-[plugins]
-
- [plugins."io.containerd.gc.v1.scheduler"]
- deletion_threshold = 0
- mutation_threshold = 100
- pause_threshold = 0.02
- schedule_delay = "0s"
- startup_delay = "100ms"
-
- [plugins."io.containerd.grpc.v1.cri"]
- disable_apparmor = false
- disable_cgroup = false
- disable_hugetlb_controller = true
- disable_proc_mount = false
- disable_tcp_service = true
- enable_selinux = false
- enable_tls_streaming = false
- ignore_image_defined_volumes = false
- max_concurrent_downloads = 3
- max_container_log_line_size = 16384
- netns_mounts_under_state_dir = false
- restrict_oom_score_adj = false
- sandbox_image = "registry.k8s.io/pause:3.9@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097"
- selinux_category_range = 1024
- stats_collect_period = 10
- stream_idle_timeout = "4h0m0s"
- stream_server_address = "127.0.0.1"
- stream_server_port = "0"
- systemd_cgroup = false
- tolerate_missing_hugetlb_controller = true
- unset_seccomp_profile = ""
-
- [plugins."io.containerd.grpc.v1.cri".cni]
- bin_dir = "/opt/cni/bin"
- conf_dir = "/etc/cni/net.d"
- conf_template = ""
- max_conf_num = 1
-
- [plugins."io.containerd.grpc.v1.cri".containerd]
- default_runtime_name = "runc"
- disable_snapshot_annotations = true
- discard_unpacked_layers = false
- no_pivot = false
- snapshotter = "overlayfs"
-
- [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
- base_runtime_spec = ""
- container_annotations = []
- pod_annotations = []
- privileged_without_host_devices = false
- runtime_engine = ""
- runtime_root = ""
- runtime_type = ""
-
- [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
-
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
-
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
- base_runtime_spec = ""
- container_annotations = []
- pod_annotations = []
- privileged_without_host_devices = false
- runtime_engine = ""
- runtime_root = ""
- runtime_type = "io.containerd.runc.v2"
-
- [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
- BinaryName = ""
- CriuImagePath = ""
- CriuPath = ""
- CriuWorkPath = ""
- IoGid = 0
- IoUid = 0
- NoNewKeyring = false
- NoPivotRoot = false
- Root = ""
- ShimCgroup = ""
- SystemdCgroup = true
-
- [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
- base_runtime_spec = ""
- container_annotations = []
- pod_annotations = []
- privileged_without_host_devices = false
- runtime_engine = ""
- runtime_root = ""
- runtime_type = ""
-
- [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
-
- [plugins."io.containerd.grpc.v1.cri".image_decryption]
- key_model = "node"
-
- [plugins."io.containerd.grpc.v1.cri".registry]
- config_path = ""
-
- [plugins."io.containerd.grpc.v1.cri".registry.auths]
-
- [plugins."io.containerd.grpc.v1.cri".registry.configs]
-
- [plugins."io.containerd.grpc.v1.cri".registry.headers]
-
- [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
-
- [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
- tls_cert_file = ""
- tls_key_file = ""
-
- [plugins."io.containerd.internal.v1.opt"]
- path = "/opt/containerd"
-
- [plugins."io.containerd.internal.v1.restart"]
- interval = "10s"
-
- [plugins."io.containerd.metadata.v1.bolt"]
- content_sharing_policy = "shared"
-
- [plugins."io.containerd.monitor.v1.cgroups"]
- no_prometheus = false
-
- [plugins."io.containerd.runtime.v1.linux"]
- no_shim = false
- runtime = "runc"
- runtime_root = ""
- shim = "containerd-shim"
- shim_debug = false
-
- [plugins."io.containerd.runtime.v2.task"]
- platforms = ["linux/amd64"]
-
- [plugins."io.containerd.service.v1.diff-service"]
- default = ["walking"]
-
- [plugins."io.containerd.snapshotter.v1.aufs"]
- root_path = ""
-
- [plugins."io.containerd.snapshotter.v1.btrfs"]
- root_path = ""
-
- [plugins."io.containerd.snapshotter.v1.devmapper"]
- async_remove = false
- base_image_size = ""
- pool_name = ""
- root_path = ""
-
- [plugins."io.containerd.snapshotter.v1.native"]
- root_path = ""
-
- [plugins."io.containerd.snapshotter.v1.overlayfs"]
- root_path = ""
-
- [plugins."io.containerd.snapshotter.v1.zfs"]
- root_path = ""
-
-[proxy_plugins]
-
-[stream_processors]
-
- [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
- accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
- args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
- env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
- path = "ctd-decoder"
- returns = "application/vnd.oci.image.layer.v1.tar"
-
- [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
- accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
- args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
- env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
- path = "ctd-decoder"
- returns = "application/vnd.oci.image.layer.v1.tar+gzip"
-
-[timeouts]
- "io.containerd.timeout.shim.cleanup" = "5s"
- "io.containerd.timeout.shim.load" = "5s"
- "io.containerd.timeout.shim.shutdown" = "3s"
- "io.containerd.timeout.task.state" = "2s"
-
-[ttrpc]
- address = ""
- gid = 0
- uid = 0
diff --git a/image/mkosi.skeleton/usr/etc/containers/containers.conf b/image/mkosi.skeleton/usr/etc/containers/containers.conf
deleted file mode 100644
index 7222d72c2..000000000
--- a/image/mkosi.skeleton/usr/etc/containers/containers.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[network]
- network_config_dir = "/run/containers/networks"
diff --git a/image/mkosi.skeleton/usr/etc/containers/registries.conf b/image/mkosi.skeleton/usr/etc/containers/registries.conf
deleted file mode 100644
index d44d892da..000000000
--- a/image/mkosi.skeleton/usr/etc/containers/registries.conf
+++ /dev/null
@@ -1 +0,0 @@
-unqualified-search-registries = ["docker.io"]
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.service
deleted file mode 100644
index 7feaadc8f..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Azure Provisioning
-After=network-online.target
-Wants=network-online.target
-ConditionKernelCommandLine=constel.csp=azure
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/bin/azure-provisioning
-RemainAfterExit=yes
-StandardOutput=tty
-StandardInput=tty
-StandardError=tty
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.sh
deleted file mode 100755
index c2f2ad0c6..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.sh
+++ /dev/null
@@ -1,64 +0,0 @@ -#!/usr/bin/env bash -# source https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent - -set -euo pipefail -shopt -s inherit_errexit - -attempts=1 -until [[ ${attempts} -gt 5 ]]; do - echo "obtaining goal state - attempt ${attempts}" - goalstate=$(curl --fail -v -X 'GET' -H "x-ms-agent-name: azure-vm-register" \ - -H "Content-Type: text/xml;charset=utf-8" \ - -H "x-ms-version: 2012-11-30" \ - "http://168.63.129.16/machine/?comp=goalstate") - if [[ $? -eq 0 ]]; then - echo "successfully retrieved goal state" - retrieved_goal_state=true - break - fi - sleep 5 - attempts=$((attempts + 1)) -done - -if [[ ${retrieved_goal_state} != "true" ]]; then - echo "failed to obtain goal state - cannot register this VM" - exit 1 -fi - -container_id=$(grep ContainerId <<< "${goalstate}" | sed 's/\s*<\/*ContainerId>//g' | sed 's/\r$//') -instance_id=$(grep InstanceId <<< "${goalstate}" | sed 's/\s*<\/*InstanceId>//g' | sed 's/\r$//') - -ready_doc=$( - cat << EOF - - - 1 - - ${container_id} - - - ${instance_id} - - Ready - - - - - -EOF -) - -attempts=1 -until [[ ${attempts} -gt 5 ]]; do - echo "registering with Azure - attempt ${attempts}" - curl --fail -v -X 'POST' -H "x-ms-agent-name: azure-vm-register" \ - -H "Content-Type: text/xml;charset=utf-8" \ - -H "x-ms-version: 2012-11-30" \ - -d "${ready_doc}" \ - "http://168.63.129.16/machine?comp=health" - if [[ $? -eq 0 ]]; then - echo "successfully register with Azure" - break - fi - sleep 5 # sleep to prevent throttling from wire server -done diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/module-setup.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/module-setup.sh deleted file mode 100755 index 98d0f3c58..000000000 --- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/module-setup.sh +++ /dev/null 
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# Note: This script is sourced.
-
-depends() {
- echo systemd
-}
-
-install_and_enable_unit() {
- unit="$1"
- shift
- target="$1"
- shift
- inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
- mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
- ln_r "${systemdsystemunitdir}/${unit}" \
- "${systemdsystemconfdir}/${target}.wants/${unit}"
-}
-
-install() {
- inst_multiple \
- bash \
- curl \
- grep \
- sed
-
- inst_script "${moddir}/azure-provisioning.sh" \
- "/usr/local/bin/azure-provisioning"
- install_and_enable_unit "azure-provisioning.service" \
- "basic.target"
-}
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.service
deleted file mode 100644
index fbbbf36c2..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Force symlink creation for AWS nvme disks
-Before=prepare-state-disk.service
-After=network-online.target
-Wants=network-online.target
-ConditionKernelCommandLine=constel.csp=aws
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash /usr/sbin/aws-nvme-disk
-RemainAfterExit=yes
-StandardOutput=tty
-StandardInput=tty
-StandardError=tty
-TimeoutSec=infinity
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.sh
deleted file mode 100644
index 25f5d5319..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-set -euo pipefail
-shopt -s extglob nullglob inherit_errexit
-
-AWS_STATE_DISK_DEVICENAME="sdb"
-AWS_STATE_DISK_SYMLINK="/dev/${AWS_STATE_DISK_DEVICENAME}"
-
-# hack: aws nvme udev rules are never executed. Create symlinks for the nvme devices manually.
-while [[ ! -L ${AWS_STATE_DISK_SYMLINK} ]]; do
- for nvmedisk in /dev/nvme*n1; do
- linkname=$(nvme amzn id-ctrl -b "${nvmedisk}" | tail -c +3073 | head -c 32 | tr -d ' ') || true
- if [[ -n ${linkname} ]] && [[ ${linkname} == "${AWS_STATE_DISK_DEVICENAME}" ]]; then
- ln -s "${nvmedisk}" "${AWS_STATE_DISK_SYMLINK}"
- fi
- done
- if [[ -L ${AWS_STATE_DISK_SYMLINK} ]]; then
- break
- fi
- echo "Waiting for state disk to appear.."
- sleep 2
-done
-
-echo "AWS state disk found"
-echo "${AWS_STATE_DISK_SYMLINK}" → "$(readlink -f "${AWS_STATE_DISK_SYMLINK}")"
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
deleted file mode 120000
index 47ba0ea98..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
+++ /dev/null
@@ -1 +0,0 @@
-../../../systemd/system/configure-constel-csp.service
\ No newline at end of file
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
deleted file mode 100644
index 9534b1929..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# Note: This script is sourced.
-
-depends() {
- # systemd-network-management expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
- echo dracut-systemd systemd-network-management systemd-veritysetup systemd-udevd
- return 0
-}
-
-install_and_enable_unit() {
- unit="$1"
- shift
- target="$1"
- shift
- inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
- mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
- ln_r "${systemdsystemunitdir}/${unit}" \
- "${systemdsystemconfdir}/${target}.wants/${unit}"
-}
-
-install_path() {
- local dir="$1"
- shift
- mkdir -p "${initdir}/${dir}"
-}
-
-install() {
- inst_multiple \
- bash
- inst_script "/usr/sbin/disk-mapper" \
- "/usr/sbin/disk-mapper"
-
- inst_script "${moddir}/prepare-state-disk.sh" \
- "/usr/sbin/prepare-state-disk"
- install_and_enable_unit "prepare-state-disk.service" \
- "basic.target"
- install_and_enable_unit "configure-constel-csp.service" \
- "basic.target"
-
- # aws nvme disks
- inst_multiple \
- tail \
- tr \
- head
-
- # azure scsi disks
- inst_multiple \
- cut \
- readlink
-
- # gcp nvme disks
- inst_multiple \
- date \
- xxd \
- grep \
- sed \
- ln \
- command \
- readlink
-
- inst_script "/usr/sbin/nvme" \
- "/usr/sbin/nvme"
- inst_script "/usr/lib/udev/google_nvme_id" \
- "/usr/lib/udev/google_nvme_id"
- inst_rules "64-gce-disk-removal.rules" "65-gce-disk-naming.rules"
-
- inst_script "${moddir}/aws-nvme-disk.sh" \
- "/usr/sbin/aws-nvme-disk"
- install_and_enable_unit "aws-nvme-disk.service" \
- "basic.target"
-
- # TLS / CA store in initramfs
- install_path /etc/pki/tls/certs/
- inst_simple /etc/pki/tls/certs/ca-bundle.crt \
- /etc/pki/tls/certs/ca-bundle.crt
-
- # backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
- inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf"
- # force systemd-networkd in initrd
- install_and_enable_unit "systemd-networkd.service" \
- "basic.target"
- # shellcheck disable=SC2154
- inst_multiple -o \
- "${tmpfilesdir}"/systemd-network.conf \
- "${systemdnetwork}"/80-6rd-tunnel.network \
- "${systemdnetwork}"/80-container-vb.network \
- "${systemdsystemunitdir}"/systemd-networkd-wait-online@.service
- inst_simple /usr/lib/systemd/resolved.conf.d/fallback_dns.conf \
- /usr/lib/systemd/resolved.conf.d/fallback_dns.conf
-}
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
deleted file mode 100644
index 7e8374eb4..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=Prepare encrypted state disk
-Before=initrd-fs.target
-After=network-online.target nss-lookup.target configure-constel-csp.service
-Wants=network-online.target
-Requires=initrd-root-fs.target
-FailureAction=reboot-immediate
-After=export_constellation_debug.service
-
-[Service]
-Type=oneshot
-EnvironmentFile=/run/constellation.env
-ExecStart=/bin/bash /usr/sbin/prepare-state-disk $CONSTELLATION_DEBUG_FLAGS
-RemainAfterExit=yes
-StandardOutput=tty
-StandardInput=tty
-StandardError=tty
-TimeoutSec=infinity
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
deleted file mode 100644
index 5e57773cf..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-# parsing of the command line arguments. check if argv[1] is --debug
-verbosity=0
-if [[ $# -gt 0 ]]; then
- if [[ $1 == "--debug" ]]; then
- verbosity=-1
- echo "[Constellation] Debug mode enabled"
- else
- echo "[Constellation] Unknown argument: $1"
- exit 1
- fi
-else
- echo "[Constellation] Debug mode disabled"
-fi
-
-# Prepare the encrypted volume by either initializing it with a random key or by aquiring the key from another bootstrapper.
-# Store encryption key (random or recovered key) in /run/cryptsetup-keys.d/state.key
-disk-mapper \
- -csp "${CONSTEL_CSP}" \
- -v "${verbosity}"
-
-if [[ $? -ne 0 ]]; then
- echo "Failed to prepare state disk"
- sleep 2 # give the serial console time to print the error message
- exit $? # exit with the same error code as disk-mapper
-fi
diff --git a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/sysusers-dracut.conf b/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/sysusers-dracut.conf
deleted file mode 100644
index 4e3630d4a..000000000
--- a/image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/sysusers-dracut.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
-[Unit]
-ConditionNeedsUpdate=
diff --git a/image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf b/image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
deleted file mode 100644
index 0ac42f7dc..000000000
--- a/image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-PATH=/run/state/bin:$PATH
-KUBECONFIG=/etc/kubernetes/admin.conf
diff --git a/image/mkosi.skeleton/usr/lib/issue.d/01_constellation.issue b/image/mkosi.skeleton/usr/lib/issue.d/01_constellation.issue
deleted file mode 100644
index 02629a748..000000000
--- a/image/mkosi.skeleton/usr/lib/issue.d/01_constellation.issue
+++ /dev/null
@@ -1 +0,0 @@
-\S{IMAGE_ID} \S{IMAGE_VERSION}
diff --git a/image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf b/image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
deleted file mode 100644
index 43dd5433b..000000000
--- a/image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-overlay
-br_netfilter
diff --git a/image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf b/image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
deleted file mode 100644
index 715ce12a2..000000000
--- a/image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# See https://github.com/cilium/cilium/issues/10645
-net.ipv4.conf.lxc*.rp_filter = 0
-net.ipv4.conf.cilium_*.rp_filter = 0
diff --git a/image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf b/image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
deleted file mode 100644
index 0a4dc6e62..000000000
--- a/image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-net.bridge.bridge-nf-call-ip6tables = 1
-net.bridge.bridge-nf-call-iptables = 1
-net.ipv4.ip_forward = 1
-fs.inotify.max_user_instances = 8192
-fs.inotify.max_user_watches = 524288
-# kubernetes hardening (protectKernelDefaults=true)
-vm.overcommit_memory = 1
-kernel.panic = 10
-kernel.panic_on_oops = 1
diff --git a/image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network b/image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
deleted file mode 100644
index aec1849a8..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
+++ /dev/null
@@ -1,5 +0,0 @@
-[Match]
-Name=en*
-
-[Network]
-DHCP=yes
diff --git a/image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network b/image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
deleted file mode 100644
index e1fe7785d..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
+++ /dev/null
@@ -1,6 +0,0 @@
-# Used as a fallback rule for Azure NICs as they are not named with "en*"
-[Match]
-Driver=hv_netvsc
-
-[Network]
-DHCP=yes
diff --git a/image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf b/image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
deleted file mode 100644
index 1b9e32a50..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Resolve]
-FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset b/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
deleted file mode 100644
index 19fe3188e..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
+++ /dev/null
@@ -1,11 +0,0 @@
-enable configure-constel-csp.service
-enable constellation-upgrade-agent.service
-enable constellation-bootstrapper.service
-enable containerd.service
-enable kubelet.service
-enable systemd-networkd.service
-enable systemd-networkd.socket
-enable systemd-resolved.service
-enable measurements.service
-enable export_constellation_debug.service
-enable systemd-timesyncd
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service b/image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
deleted file mode 100644
index 6c2917579..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Configures constellation cloud service provider environment variable
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash -c "CSP=$(< /proc/cmdline tr ' ' '\n' | grep constel.csp | sed 's/constel.csp=//'); echo CONSTEL_CSP=$CSP >> /run/constellation.env"
-ExecStart=/bin/bash -c "ATTESTATION=$(< /proc/cmdline tr ' ' '\n' | grep constel.attestation-variant | sed 's/constel.attestation-variant=//'); echo CONSTEL_ATTESTATION_VARIANT=$ATTESTATION >> /run/constellation.env"
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service b/image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
deleted file mode 100644
index 76ef974ce..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Constellation Bootstrapper
-Wants=network-online.target
-After=network-online.target configure-constel-csp.service
-After=export_constellation_debug.service
-
-[Service]
-Type=simple
-RemainAfterExit=yes
-Restart=on-failure
-EnvironmentFile=/run/constellation.env
-Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
-ExecStart=/usr/bin/bootstrapper $CONSTELLATION_DEBUG_FLAGS
-
-[Install]
-WantedBy=multi-user.target
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/constellation-upgrade-agent.service b/image/mkosi.skeleton/usr/lib/systemd/system/constellation-upgrade-agent.service
deleted file mode 100644
index c3fefdcc5..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/constellation-upgrade-agent.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Constellation Upgrade Agent
-After=export_constellation_debug.service
-
-[Service]
-Type=simple
-RemainAfterExit=yes
-Restart=on-failure
-EnvironmentFile=/run/constellation.env
-Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
-ExecStart=/usr/bin/upgrade-agent $CONSTELLATION_DEBUG_FLAGS
-
-[Install]
-WantedBy=multi-user.target
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf b/image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
deleted file mode 100644
index e1c02c704..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/containerd --config /usr/etc/containerd/config.toml
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/export_constellation_debug.service b/image/mkosi.skeleton/usr/lib/systemd/system/export_constellation_debug.service
deleted file mode 100644
index 6858dab9b..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/export_constellation_debug.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Export Constellation Debug Level to Environment
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash -c "tr ' ' '\n' < /proc/cmdline | grep -q 'constellation.debug' && echo CONSTELLATION_DEBUG_FLAGS=--debug >> /run/constellation.env"
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service b/image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service
deleted file mode 100644
index bfe1b8b85..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service
+++ /dev/null
@@ -1,21 +0,0 @@
-[Unit]
-Description=kubelet: The Kubernetes Node Agent
-Documentation=https://kubernetes.io/docs/home/
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
-Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
-# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
-EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
-# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
-# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
-EnvironmentFile=-/etc/default/kubelet
-ExecStart=/run/state/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
-Restart=always
-StartLimitInterval=0
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
diff --git a/image/mkosi.skeleton/usr/lib/systemd/system/measurements.service b/image/mkosi.skeleton/usr/lib/systemd/system/measurements.service
deleted file mode 100644
index e99020e3a..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/system/measurements.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Print image measurements on startup
-Before=constellation-bootstrapper.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-EnvironmentFile=/run/constellation.env
-ExecStart=/usr/libexec/constellation-pcrs
-
-[Install]
-WantedBy=multi-user.target
diff --git a/image/mkosi.skeleton/usr/lib/systemd/timesyncd.conf.d/constellation.conf b/image/mkosi.skeleton/usr/lib/systemd/timesyncd.conf.d/constellation.conf
deleted file mode 100644
index 0a3e99909..000000000
--- a/image/mkosi.skeleton/usr/lib/systemd/timesyncd.conf.d/constellation.conf
+++ /dev/null
@@ -1 +0,0 @@ -FallbackNTP=time.google.com time.cloudflare.com time.windows.com time.apple.com time.nist.gov europe.pool.ntp.org 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org 3.rhel.pool.ntp.org diff --git a/image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf b/image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf deleted file mode 100644 index 98de75087..000000000 --- a/image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf +++ /dev/null @@ -1,2 +0,0 @@ -#Type Name ID GECOS Home directory Shell -u etcd 998:997 "etcd user" /var/lib/etcd diff --git a/image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf b/image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf deleted file mode 100644 index 41024bb0b..000000000 --- a/image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf +++ /dev/null @@ -1,10 +0,0 @@ -#Type Path Mode User Group Age Argument -d /var/lib/etcd 0700 998 997 - - -d /var/log/kubernetes/audit/ 0700 0 0 - - -d /run/state/bin 0755 0 0 - - -C /run/issue.d - - - - /usr/lib/issue.d/ -C /run/issue - - - - /usr/lib/issue -C /run/motd.d - - - - /usr/lib/motd.d/ -C /run/motd - - - - /usr/lib/motd -# merge all CNI binaries in writable folder until containerd can use multiple CNI bins: https://github.com/containerd/containerd/issues/6600 -C /opt/cni/bin - - - - /usr/libexec/cni/ diff --git a/image/mkosi.skeleton/usr/lib/udev/google_nvme_id b/image/mkosi.skeleton/usr/lib/udev/google_nvme_id deleted file mode 100755 index 85ca3dd77..000000000 --- a/image/mkosi.skeleton/usr/lib/udev/google_nvme_id +++ /dev/null 
@@ -1,248 +0,0 @@
-#!/bin/bash
-# Copyright 2020 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Used to generate symlinks for PD-NVMe devices using the disk names reported by
-# the metadata server
-
-# Locations of the script's dependencies
-readonly nvme_cli_bin=/usr/sbin/nvme
-
-# Bash regex to parse device paths and controller identification
-readonly NAMESPACE_NUMBER_REGEX="/dev/nvme[[:digit:]]+n([[:digit:]]+).*"
-readonly PARTITION_NUMBER_REGEX="/dev/nvme[[:digit:]]+n[[:digit:]]+p([[:digit:]]+)"
-
-# Globals used to generate the symlinks for a PD-NVMe disk. These are populated
-# by the identify_pd_disk function and exported for consumption by udev rules.
-ID_SERIAL=''
-ID_SERIAL_SHORT=''
-
-#######################################
-# Helper function to log an error message to stderr.
-# Globals:
-# None
-# Arguments:
-# String to print as the log message
-# Outputs:
-# Writes error to STDERR
-#######################################
-function err() {
- echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')]: $*" >&2
-}
-
-#######################################
-# Retrieves the device name for an NVMe namespace using nvme-cli.
-# Globals:
-# Uses nvme_cli_bin
-# Arguments:
-# The path to the nvme namespace (/dev/nvme0n?)
-# Outputs:
-# The device name parsed from the JSON in the vendor ext of the ns-id command.
-# Returns:
-# 0 if the device name for the namespace could be retrieved, 1 otherwise
-#######################################
-function get_namespace_device_name() {
- local nvme_json
- nvme_json="$("${nvme_cli_bin}" id-ns -b "$1" | xxd -p -seek 384 | xxd -p -r)"
- if [[ $? -ne 0 ]]; then
- return 1
- fi
-
- if [[ -z ${nvme_json} ]]; then
- err "NVMe Vendor Extension disk information not present"
- return 1
- fi
-
- local device_name
- device_name="$(echo "${nvme_json}" | grep device_name | sed -e 's/.*"device_name":[ \t]*"\([a-zA-Z0-9_-]\+\)".*/\1/')"
-
- # Error if our device name is empty
- if [[ -z ${device_name} ]]; then
- err "Empty name"
- return 1
- fi
-
- echo "${device_name}"
- return 0
-}
-
-#######################################
-# Retrieves the nsid for an NVMe namespace
-# Globals:
-# None
-# Arguments:
-# The path to the nvme namespace (/dev/nvme0n*)
-# Outputs:
-# The namespace number/id
-# Returns:
-# 0 if the namespace id could be retrieved, 1 otherwise
-#######################################
-function get_namespace_number() {
- local dev_path="$1"
- local namespace_number
- if [[ ${dev_path} =~ ${NAMESPACE_NUMBER_REGEX} ]]; then
- namespace_number="${BASH_REMATCH[1]}"
- else
- return 1
- fi
-
- echo "${namespace_number}"
- return 0
-}
-
-#######################################
-# Retrieves the partition number for a device path if it exists
-# Globals:
-# None
-# Arguments:
-# The path to the device partition (/dev/nvme0n*p*)
-# Outputs:
-# The value after 'p' in the device path, or an empty string if the path has
-# no partition.
-#######################################
-function get_partition_number() {
- local dev_path="$1"
- local partition_number
- if [[ ${dev_path} =~ ${PARTITION_NUMBER_REGEX} ]]; then
- partition_number="${BASH_REMATCH[1]}"
- echo "${partition_number}"
- else
- echo ''
- fi
- return 0
-}
-
-#######################################
-# Generates a symlink for a PD-NVMe device using the metadata's disk name.
-# Primarily used for testing but can be used if the script is directly invoked.
-# Globals:
-# Uses ID_SERIAL_SHORT (can be populated by identify_pd_disk)
-# Arguments:
-# The device path for the disk
-#######################################
-function gen_symlink() {
- local dev_path="$1"
- local partition_number
- partition_number="$(get_partition_number "${dev_path}")"
-
- if [[ -n ${partition_number} ]]; then
- ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}"-part"${partition_number}" > /dev/null 2>&1
- else
- ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}" > /dev/null 2>&1
- fi
-
- return 0
-}
-
-#######################################
-# Populates the ID_* global variables with a disk's device name and namespace
-# Globals:
-# Populates ID_SERIAL_SHORT, and ID_SERIAL
-# Arguments:
-# The device path for the disk
-# Returns:
-# 0 on success and 1 if an error occurrs
-#######################################
-function identify_pd_disk() {
- local dev_path="$1"
- local dev_name
- dev_name="$(get_namespace_device_name "${dev_path}")"
- if [[ $? -ne 0 ]]; then
- return 1
- fi
-
- ID_SERIAL_SHORT="${dev_name}"
- ID_SERIAL="Google_PersistentDisk_${ID_SERIAL_SHORT}"
- return 0
-}
-
-function print_help_message() {
- echo "Usage: google_nvme_id [-s] [-h] -d device_path"
- echo " -d (Required): Specifies the path to generate a name"
- echo " for. This needs to be a path to an nvme device or namespace"
- echo " -s: Create symbolic link for the disk under /dev/disk/by-id."
- echo " Otherwise, the disk name will be printed to STDOUT"
- echo " -h: Print this help message"
-}
-
-function main() {
- local opt_gen_symlink='false'
- local device_path=''
-
- while getopts :d:sh flag; do
- case "${flag}" in
- d) device_path="${OPTARG}" ;;
- s) opt_gen_symlink='true' ;;
- h)
- print_help_message
- return 0
- ;;
- :)
- echo "Invalid option: ${OPTARG} requires an argument" 1>&2
- return 1
- ;;
- *) return 1 ;;
- esac
- done
-
- if [[ -z ${device_path} ]]; then
- echo "Device path (-d) argument required. Use -h for full usage." 1>&2
- exit 1
- fi
-
- # Ensure the nvme-cli command is installed
- command -v "${nvme_cli_bin}" > /dev/null 2>&1
- if [[ $? -ne 0 ]]; then
- err "The nvme utility (/usr/sbin/nvme) was not found. You may need to run \
-with sudo or install nvme-cli."
- return 1
- fi
-
- # Ensure the passed device is actually an NVMe device
- "${nvme_cli_bin}" id-ctrl "${device_path}" &> /dev/null
- if [[ $? -ne 0 ]]; then
- err "Passed device was not an NVMe device. (You may need to run this \
-script as root/with sudo)."
- return 1
- fi
-
- # Detect the type of attached nvme device
- local controller_id
- controller_id=$("${nvme_cli_bin}" id-ctrl "${device_path}")
- if [[ ! ${controller_id} =~ nvme_card-pd ]]; then
- err "Device is not a PD-NVMe device"
- return 1
- fi
-
- # Fill the global variables for the id command for the given disk type
- # Error messages will be printed closer to error, no need to reprint here
- identify_pd_disk "${device_path}"
- ret=$?
- if [[ ${ret} -ne 0 ]]; then
- return "${ret}"
- fi
-
- # Gen symlinks or print out the globals set by the identify command
- if [[ ${opt_gen_symlink} == 'true' ]]; then
- gen_symlink "${device_path}"
- else
- # These will be consumed by udev
- echo "ID_SERIAL_SHORT=${ID_SERIAL_SHORT}"
- echo "ID_SERIAL=${ID_SERIAL}"
- fi
-
- return $?
-
-}
-main "$@"
diff --git a/image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
deleted file mode 100755
index dee719afe..000000000
--- a/image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2016 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# When a disk is removed, unmount any remaining attached volumes.
-
-ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*|vd*|nvme*", RUN+="/bin/sh -c '/bin/umount -fl /dev/$name && /usr/bin/logger -p daemon.warn -s WARNING: hot-removed /dev/$name that was still mounted, data may have been corrupted'"
diff --git a/image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
deleted file mode 100755
index 9258b92e1..000000000
--- a/image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2016 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Name the attached disks as the specified by deviceName.
-
-ACTION!="add|change", GOTO="gce_disk_naming_end"
-SUBSYSTEM!="block", GOTO="gce_disk_naming_end"
-
-# SCSI naming
-KERNEL=="sd*|vd*", IMPORT{program}="scsi_id --export --whitelisted -d $tempnode"
-
-# NVME Local SSD naming
-KERNEL=="nvme*n*", ATTRS{model}=="nvme_card", PROGRAM="/bin/sh -c 'nsid=$$(echo %k|sed -re s/nvme[0-9]+n\([0-9]+\).\*/\\1/); echo $$((nsid-1))'", ENV{ID_SERIAL_SHORT}="local-nvme-ssd-%c"
-KERNEL=="nvme*", ATTRS{model}=="nvme_card", ENV{ID_SERIAL}="Google_EphemeralDisk_$env{ID_SERIAL_SHORT}"
-
-# NVME Persistent Disk IO Timeout
-KERNEL=="nvme*n*", ENV{DEVTYPE}=="disk", ATTRS{model}=="nvme_card-pd", ATTR{queue/io_timeout}="4294967295"
-
-# NVME Persistent Disk Naming
-KERNEL=="nvme*n*", ATTRS{model}=="nvme_card-pd", IMPORT{program}="google_nvme_id -d $tempnode"
-
-# Symlinks
-KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}"
-KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}-part%n"
-
-LABEL="gce_disk_naming_end"
diff --git a/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
deleted file mode 100644
index 057d84e8d..000000000
--- a/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
+++ /dev/null
@@ -1,4 +0,0 @@
-# prevent systemd udev rules from marking unformatted device mapper device as unready (SYSTEMD_READY=0)
-# this is the offending rule from systemd: SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
-SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-encrypted-disk"
-SUBSYSTEM=="block", ENV{DM_NAME}=="state", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-state"
diff --git a/image/mkosi.skeleton/usr/libexec/constellation-pcrs b/image/mkosi.skeleton/usr/libexec/constellation-pcrs
deleted file mode 100755
index 1d9abc3a7..000000000
--- a/image/mkosi.skeleton/usr/libexec/constellation-pcrs
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# This script reads the measurements of the system
-# and prints the message to the serial console
-
-main() {
- pcr_state="$(/usr/sbin/measurement-reader)"
- echo -e "${pcr_state}\n" > /run/issue.d/35_constellation_pcrs.issue
-}
-
-main
diff --git a/image/secure-boot/aws/create_uefivars.sh b/image/secure-boot/aws/create_uefivars.sh
deleted file mode 100755
index 8e4df51e7..000000000
--- a/image/secure-boot/aws/create_uefivars.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-TMPDIR=$(mktemp -d /tmp/uefivars-XXXXXXXXXXXXXX)
-git clone --branch v1.0.0 https://github.com/awslabs/python-uefivars "${TMPDIR}"
-cd "${TMPDIR}" && git reset 9679002a4392d8e7831d2dbda3fab41ccc5c6b8c --hard
-
-"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P "${PKI}"/PK.esl -K "${PKI}"/KEK.esl --db "${PKI}"/db.esl
-
-rm -rf "${TMPDIR}"
diff --git a/image/secure-boot/azure/delete.sh b/image/secure-boot/azure/delete.sh
deleted file mode 100755
index 788acbdf3..000000000
--- a/image/secure-boot/azure/delete.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
- # shellcheck source=/dev/null
- . "${CONFIG_FILE}"
-fi
-POSITIONAL_ARGS=()
-
-while [[ $# -gt 0 ]]; do
- case $1 in
- -n | --name)
- AZURE_VM_NAME="$2"
- shift # past argument
- shift # past value
- ;;
- -*)
- echo "Unknown option $1"
- exit 1
- ;;
- *)
- POSITIONAL_ARGS+=("$1") # save positional arg
- shift # past argument
- ;;
- esac
-done
-
-set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
-
-AZ_VM_INFO=$(az vm show --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" -o json)
-NIC=$(echo "${AZ_VM_INFO}" | jq -r '.networkProfile.networkInterfaces[0].id')
-NIC_INFO=$(az network nic show --ids "${NIC}" -o json)
-PUBIP=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].publicIpAddress.id')
-NSG=$(echo "${NIC_INFO}" | jq -r '.networkSecurityGroup.id')
-SUBNET=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].subnet.id')
-VNET=${SUBNET//\/subnets\/.*/}
-DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id')
-
-delete_vm() {
- az vm delete -y --name "${AZURE_VM_NAME}" \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
-}
-
-delete_vnet() {
- az network vnet delete --ids "${VNET}" || true
-}
-
-delete_subnet() {
- az network vnet subnet delete --ids "${SUBNET}" || true
-}
-
-delete_nsg() {
- az network nsg delete --ids "${NSG}" || true
-}
-
-delete_pubip() {
- az network public-ip delete --ids "${PUBIP}" || true
-}
-
-delete_disk() {
- az disk delete -y --ids "${DISK}" || true
-}
-
-delete_nic() {
- az network nic delete --ids "${NIC}" || true
-}
-
-delete_vm
-delete_disk
-delete_nic
-delete_nsg
-delete_subnet
-delete_vnet
-delete_pubip
diff --git a/image/secure-boot/azure/extract_vmgs.sh b/image/secure-boot/azure/extract_vmgs.sh
deleted file mode 100755
index d8aa08bd2..000000000
--- a/image/secure-boot/azure/extract_vmgs.sh
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
- # shellcheck source=/dev/null
- . "${CONFIG_FILE}"
-fi
-AZURE_SUBSCRIPTION=$(az account show --query id -o tsv)
-POSITIONAL_ARGS=()
-
-while [[ $# -gt 0 ]]; do
- case $1 in
- -n | --name)
- AZURE_VM_NAME="$2"
- shift # past argument
- shift # past value
- ;;
- -*)
- echo "Unknown option $1"
- exit 1
- ;;
- *)
- POSITIONAL_ARGS+=("$1") # save positional arg
- shift # past argument
- ;;
- esac
-done
-
-set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
-
-VM_DISK=$(az vm show -g "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_VM_NAME}" --query "storageProfile.osDisk.managedDisk.id" -o tsv)
-LOCATION=$(az disk show --ids "${VM_DISK}" --query "location" -o tsv)
-
-az snapshot create \
- -g "${AZURE_RESOURCE_GROUP_NAME}" \
- --source "${VM_DISK}" \
- --name "${AZURE_SNAPSHOT_NAME}" \
- -l "${LOCATION}"
-
-# Azure CLI does not implement getSecureVMGuestStateSAS for snapshots yet
-# az snapshot grant-access \
-# --duration-in-seconds 3600 \
-# --access-level Read \
-# --name "${AZURE_SNAPSHOT_NAME}" \
-# -g "${AZURE_RESOURCE_GROUP_NAME}"
-
-BEGIN=$(az rest \
- --method post \
- --url "https://management.azure.com/subscriptions/${AZURE_SUBSCRIPTION}/resourceGroups/${AZURE_RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/snapshots/${AZURE_SNAPSHOT_NAME}/beginGetAccess" \
- --uri-parameters api-version="2021-12-01" \
- --body '{"access": "Read", "durationInSeconds": 3600, "getSecureVMGuestStateSAS": true}' \
- --verbose 2>&1)
-ASYNC_OPERATION_URI=$(echo "${BEGIN}" | grep Azure-AsyncOperation | cut -d ' ' -f 7 | tr -d "'")
-sleep 10
-ACCESS=$(az rest --method get --url "${ASYNC_OPERATION_URI}")
-VMGS_URL=$(echo "${ACCESS}" | jq -r '.properties.output.securityDataAccessSAS')
-
-curl -fsSL -o "${AZURE_VMGS_FILENAME}" "${VMGS_URL}"
-
-az snapshot revoke-access \
- --name "${AZURE_SNAPSHOT_NAME}" \
- -g "${AZURE_RESOURCE_GROUP_NAME}"
-az snapshot delete \
- --name "${AZURE_SNAPSHOT_NAME}" \
- -g "${AZURE_RESOURCE_GROUP_NAME}"
-echo "VMGS saved to ${AZURE_VMGS_FILENAME}"
diff --git a/image/secure-boot/azure/launch.sh b/image/secure-boot/azure/launch.sh
deleted file mode 100755
index 8c24385b6..000000000
--- a/image/secure-boot/azure/launch.sh
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
- # shellcheck source=/dev/null
- . "${CONFIG_FILE}"
-fi
-POSITIONAL_ARGS=()
-
-while [[ $# -gt 0 ]]; do
- case $1 in
- -n | --name)
- AZURE_VM_NAME="$2"
- shift # past argument
- shift # past value
- ;;
- -g | --gallery)
- CREATE_FROM_GALLERY=YES
- shift # past argument
- ;;
- -d | --disk)
- CREATE_FROM_GALLERY=NO
- shift # past argument
- ;;
- --secure-boot)
- AZURE_SECURE_BOOT="$2"
- shift # past argument
- shift # past value
- ;;
- --disk-name)
- AZURE_DISK_NAME="$2"
- shift # past argument
- shift # past value
- ;;
- -*)
- echo "Unknown option $1"
- exit 1
- ;;
- *)
- POSITIONAL_ARGS+=("$1") # save positional arg
- shift # past argument
- ;;
- esac
-done
-
-set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
-
-if [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
- VMSIZE="Standard_DC2as_v5"
-elif [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
- VMSIZE="standard_D2as_v5"
-else
- echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
- exit 1
-fi
-
-create_vm_from_disk() {
- AZURE_DISK_REFERENCE=$(az disk show --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_DISK_NAME}" --query id -o tsv)
- az vm create --name "${AZURE_VM_NAME}" \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
- -l "${AZURE_REGION}" \
- --size "${VMSIZE}" \
- --public-ip-sku Standard \
- --os-type Linux \
- --attach-os-disk "${AZURE_DISK_REFERENCE}" \
- --security-type "${AZURE_SECURITY_TYPE}" \
- --os-disk-security-encryption-type VMGuestStateOnly \
- --enable-vtpm true \
- --enable-secure-boot "${AZURE_SECURE_BOOT}" \
- --boot-diagnostics-storage "" \
- --no-wait
-}
-
-create_vm_from_sig() {
- AZURE_IMAGE_REFERENCE=$(az sig image-version show \
- --gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
- --gallery-image-version "${AZURE_IMAGE_VERSION}" \
- --gallery-name "${AZURE_GALLERY_NAME}" \
- -g "${AZURE_RESOURCE_GROUP_NAME}" \
- --query id -o tsv)
- az vm create --name "${AZURE_VM_NAME}" \
- --resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
- -l "${AZURE_REGION}" \
- --size "${VMSIZE}" \
- --public-ip-sku Standard \
- --image "${AZURE_IMAGE_REFERENCE}" \
- --security-type "${AZURE_SECURITY_TYPE}" \
- --os-disk-security-encryption-type VMGuestStateOnly \
- --enable-vtpm true \
- --enable-secure-boot "${AZURE_SECURE_BOOT}" \
- --boot-diagnostics-storage "" \
- --no-wait
-}
-
-if [[ ${CREATE_FROM_GALLERY} == "YES" ]]; then
- create_vm_from_sig
-else
- create_vm_from_disk
-fi
-
-sleep 30
-az vm boot-diagnostics enable --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}"
diff --git a/image/secure-boot/generate_nvram_vars.sh b/image/secure-boot/generate_nvram_vars.sh
deleted file mode 100755
index 972d1ddbb..000000000
--- a/image/secure-boot/generate_nvram_vars.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
-BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
-
-# Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup
-if [[ -z ${LIBVIRT_SOCK} ]]; then
- LIBVIRT_SOCK=qemu:///system
-fi
-
-libvirt_nvram_gen() {
- local image_path="${1}"
- if test -f "${BASE_DIR}/image.nvram.template"; then
- echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
- return
- fi
- if ! test -f "${image_path}"; then
- echo "Image \"${image_path}\" does not exist yet. To generate nvram, create disk image first."
- return
- fi
-
- OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
- OVMF_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
- if ! test -f "${OVMF_CODE}"; then
- OVMF_CODE=/usr/share/OVMF/OVMF_CODE.secboot.fd
- fi
- if ! test -f "${OVMF_VARS}"; then
- OVMF_VARS=/usr/share/OVMF/OVMF_VARS.secboot.fd
- fi
-
- echo "Using OVMF_CODE: ${OVMF_CODE}"
- echo "Using OVMF_VARS: ${OVMF_VARS}"
-
- # generate nvram file using libvirt
- virt-install --name constell-nvram-gen \
- --connect "${LIBVIRT_SOCK}" \
- --nonetworks \
- --description 'Constellation' \
- --ram 1024 \
- --vcpus 1 \
- --osinfo detect=on,require=off \
- --disk "${image_path},format=raw" \
- --boot "machine=q35,menu=on,loader=${OVMF_CODE},loader.readonly=yes,loader.type=pflash,nvram.template=${OVMF_VARS},nvram=${BASE_DIR}/image.nvram,loader_secure=yes" \
- --features smm.state=on \
- --noautoconsole
- echo -e 'connect using'
- echo -e ' \u001b[1mvirsh console constell-nvram-gen\u001b[0m'
- echo -e ''
- echo -e 'Load db cert with MokManager or enroll full PKI with firmware setup'
- echo -e ''
- echo -e ' \u001b[1mMokManager\u001b[0m'
- echo -e ' For mokmanager, try to boot as usual. You will see this message:'
- echo -e ' > "Verification failed: (0x1A) Security Violation"'
- echo -e ' Press OK, then ENTER, then "Enroll key from disk"'
- echo -e ' Select the following key:'
- echo -e ' > \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
- echo -e ' Press Continue, then choose "Yes" to the question "Enroll the key(s)?"'
- echo -e ' Choose reboot and continue this script.'
- echo -e ''
- echo -e ' \u001b[1mFirmware setup\u001b[0m'
- echo -e ' For firmware setup, press F2.'
- echo -e ' Go to "Device Manager">"Secure Boot Configuration">"Secure Boot Mode"'
- echo -e ' Choose "Custom Mode"'
- echo -e ' Go to "Custom Securee Boot Options"'
- echo -e ' Go to "PK Options">"Enroll PK", Press "Y" if queried, "Enroll PK using File"'
- echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/PK.cer\u001b[0m'
- echo -e ' Choose "Commit Changes and Exit"'
- echo -e ' Go to "KEK Options">"Enroll KEK", Press "Y" if queried, "Enroll KEK using File"'
- echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/KEK.cer\u001b[0m'
- echo -e ' Choose "Commit Changes and Exit"'
- echo -e ' Go to "DB Options">"Enroll Signature">"Enroll Signature using File"'
- echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
- echo -e ' Choose "Commit Changes and Exit"'
- echo -e ' Repeat the last step for the following certs:'
- echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicWinProPCA2011_2011-10-19.crt\u001b[0m'
- echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicCorUEFCA2011_2011-06-27.crt\u001b[0m'
- echo -e ' Reboot and continue this script.'
- echo -e ''
- echo -e 'Press ENTER to continue after you followed one of the guides from above.'
- read -r
- sudo cp "${BASE_DIR}/image.nvram" "${BASE_DIR}/image.nvram.template"
- virsh --connect "${LIBVIRT_SOCK}" destroy --domain constell-nvram-gen
- virsh --connect "${LIBVIRT_SOCK}" undefine --nvram constell-nvram-gen
- rm -f "${BASE_DIR}/image.nvram"
-
- echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
-}
-
-libvirt_nvram_gen "$1"
diff --git a/image/secure-boot/genkeys.sh b/image/secure-boot/genkeys.sh
deleted file mode 100755
index f3ba2b385..000000000
--- a/image/secure-boot/genkeys.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# This script generates a PKI for secure boot.
-# It is based on the example from https://github.com/systemd/systemd/blob/main/man/loader.conf.xml
-# This is meant to be used for development purposes only.
-# Release images are signed using a different set of keys.
-# Set PKI to an empty folder and PKI_SET to "dev".
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
-templates=${script_dir}/templates
-base_dir=$(realpath "${script_dir}/..")
-pki="${PKI:-${base_dir}/pki}"
-pki_set="${PKI_SET:-dev}"
-
-gen_pki() {
- # Only use for non-production images.
- # Use real PKI for production images instead.
- mkdir -p "${pki}"
- count=$(find "${pki}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2> /dev/null | wc -l)
- if [[ ${count} != 0 ]]; then
- echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${pki}")"/*.{key,crt,cer,esl,auth})" already exist
- return
- fi
- pushd "${pki}" || exit 1
-
- uuid=$(systemd-id128 new --uuid)
- for key in PK KEK db; do
- openssl req -new -x509 -config "${templates}/${pki_set}_${key}.conf" -keyout "${key}.key" -out "${key}.crt" -nodes
- openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
- cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
- done
-
- for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
- curl -fsSL "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
- sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
- done
-
- # Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
- cat MicWinProPCA2011_2011-10-19.esl >> db.esl
-
- # Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
- # and third-party boot loaders (including shim). This is highly recommended on real
- # hardware as not including this may soft-brick your device (see next paragraph).
- cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
-
- # Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
- # Microsoft keys is used as the official UEFI revocation database is signed with this
- # key. The revocation database can be updated with [fwupdmgr(1)](https://www.freedesktop.org/software/systemd/man/fwupdmgr.html#).
- cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
-
- sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
- sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
- sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
- popd || exit 1
-}
-
-# gen_pki generates a PKI for testing purposes only.
-# if keys/certs are already present in the pki folder, they are not regenerated.
-gen_pki
diff --git a/image/secure-boot/signed-shim.sh b/image/secure-boot/signed-shim.sh
deleted file mode 100755
index 623430c38..000000000
--- a/image/secure-boot/signed-shim.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) Edgeless Systems GmbH
-#
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# This script is used to add a signed shim to the image.raw file EFI partition after running `mkosi build`.
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-if (($# != 1)); then
- echo "Usage: $0 "
- exit 1
-fi
-
-# SOURCE is the URL used to download the signed shim RPM
-SOURCE=https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm
-# EXPECTED_SHA512 is the SHA512 checksum of the signed shim RPM
-EXPECTED_SHA512=971978bddee95a6a134ef05c4d88cf5df41926e631de863b74ef772307f3e106c82c8f6889c18280d47187986abd774d8671c5be4b85b1b0bb3d1858b65d02cf
-TMPDIR=$(mktemp -d)
-
-pushd "${TMPDIR}"
-
-curl -fsSL -o shim.rpm "${SOURCE}"
-echo "Checking SHA512 checksum of signed shim..."
-sha512sum -c <<< "${EXPECTED_SHA512} shim.rpm"
-rpm2cpio shim.rpm | cpio -idmv
-echo "${TMPDIR}"
-
-popd
-
-MOUNTPOINT=$(mktemp -d)
-sectoroffset=$(sfdisk -J "${1}" | jq -r '.partitiontable.partitions[0].start')
-byteoffset=$((sectoroffset * 512))
-mount -o offset="${byteoffset}" "${1}" "${MOUNTPOINT}"
-
-mkdir -p "${MOUNTPOINT}/EFI/BOOT/"
-cp "${TMPDIR}/boot/efi/EFI/BOOT/BOOTX64.EFI" "${MOUNTPOINT}/EFI/BOOT/"
-cp "${TMPDIR}/boot/efi/EFI/fedora/mmx64.efi" "${MOUNTPOINT}/EFI/BOOT/"
-cp "${MOUNTPOINT}/EFI/systemd/systemd-bootx64.efi" "${MOUNTPOINT}/EFI/BOOT/grubx64.efi"
-
-# Remove unused kernel and initramfs from EFI to save space
-# We boot from unified kernel image anyway
-rm -f "${MOUNTPOINT}"/*/*/{linux,initrd}
-
-umount "${MOUNTPOINT}"
-rm -rf "${MOUNTPOINT}"
-rm -rf "${TMPDIR}"
diff --git a/image/secure-boot/templates/dev_KEK.conf b/image/secure-boot/templates/dev_KEK.conf
deleted file mode 100644
index 4ec425d77..000000000
--- a/image/secure-boot/templates/dev_KEK.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Development KEK CA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/dev_PK.conf b/image/secure-boot/templates/dev_PK.conf
deleted file mode 100644
index be5d0699d..000000000
--- a/image/secure-boot/templates/dev_PK.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Development UEFI CA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/dev_db.conf b/image/secure-boot/templates/dev_db.conf
deleted file mode 100644
index 6f2b6fdfb..000000000
--- a/image/secure-boot/templates/dev_db.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Development PCA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/prod_KEK.conf b/image/secure-boot/templates/prod_KEK.conf
deleted file mode 100644
index a9e7d3f77..000000000
--- a/image/secure-boot/templates/prod_KEK.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation KEK CA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/prod_PK.conf b/image/secure-boot/templates/prod_PK.conf
deleted file mode 100644
index 755bf14e4..000000000
--- a/image/secure-boot/templates/prod_PK.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation UEFI CA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/prod_db.conf b/image/secure-boot/templates/prod_db.conf
deleted file mode 100644
index 99fa7ec48..000000000
--- a/image/secure-boot/templates/prod_db.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Production PCA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/testing_KEK.conf b/image/secure-boot/templates/testing_KEK.conf
deleted file mode 100644
index 94efac5ee..000000000
--- a/image/secure-boot/templates/testing_KEK.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Testing KEK CA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/testing_PK.conf b/image/secure-boot/templates/testing_PK.conf
deleted file mode 100644
index dd6e60469..000000000
--- a/image/secure-boot/templates/testing_PK.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Testing UEFI CA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign
diff --git a/image/secure-boot/templates/testing_db.conf b/image/secure-boot/templates/testing_db.conf
deleted file mode 100644
index a9bf43a09..000000000
--- a/image/secure-boot/templates/testing_db.conf
+++ /dev/null
@@ -1,20 +0,0 @@
- [ req ]
- default_bits = 2048
- distinguished_name = req_distinguished_name
- x509_extensions = v3_req
- req_extensions = v3_req
- prompt = no
-
- dirstring_type = nobmp
-
- [ req_distinguished_name ]
- C = DE
- ST = Nordrhein Westfalen
- L = Bochum
- O = Edgeless Systems GmbH
- CN = Constellation Testing PCA 2022
-
- [ v3_req ]
- subjectKeyIdentifier = hash
- basicConstraints = critical,CA:true
- keyUsage = digitalSignature,keyCertSign,cRLSign