Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-11-14 17:40:43 -05:00
Code Issues Projects Releases Packages Wiki Activity

image: remove old mkosi config

Browse source
This commit is contained in:
Malte Poll 2023-09-11 15:50:55 +02:00 committed by Malte Poll
parent 0979a483b4
commit fc1045a4f7
85 changed files with 0 additions and 2033 deletions
Download patch file Download diff file Expand all files Collapse all files

0
image/.csp/aws
View file

8
image/.gitignore vendored
View file

@ -1,8 +0,0 @@
mkosi.cache
mkosi.extra
pki
image.*
!image.go
mkosi.output.*
pki_*/*.key
pki_*/*.vmgs

113
image/Makefile
View file

@ -1,113 +0,0 @@
SHELL = /bin/bash
SRC_PATH = $(CURDIR)
BASE_PATH ?= $(SRC_PATH)
BOOTSTRAPPER_BINARY ?= $(BASE_PATH)/../build/bootstrapper
DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
UPGRADE_AGENT_BINARY ?= $(BASE_PATH)/../build/upgrade-agent
DEBUGD_BINARY ?= $(BASE_PATH)/../build/debugd
MEASUREMENT_READER_BINARY ?= $(BASE_PATH)/../build/measurement-reader
PKI ?= $(BASE_PATH)/pki
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
EXTRA_SEARCH_PATHS ?=
IMAGE_VERSION ?= v0.0.0
DEBUG ?= false
AUTOLOGIN ?= false
AUTOLOGIN_ARGS := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
KERNEL_DEBUG_CMDLNE := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
SEARCH_PATHS_PARAM := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
export INSTALL_DEBUGD ?= $(DEBUG)
export CONSOLE_MOTD = $(AUTOLOGIN)
-include $(CURDIR)/config.mk
csps := aws azure gcp openstack qemu
variants := aws_aws-sev-snp aws_aws-nitro-tpm azure_azure-sev-snp gcp_gcp-sev-es gcp_gcp-sev-snp openstack_qemu-vtpm qemu_qemu-vtpm
certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
SYSTEMD_FIXED_RPMS := systemd-251.11-2.fc37.x86_64.rpm systemd-libs-251.11-2.fc37.x86_64.rpm systemd-networkd-251.11-2.fc37.x86_64.rpm systemd-pam-251.11-2.fc37.x86_64.rpm systemd-resolved-251.11-2.fc37.x86_64.rpm systemd-udev-251.11-2.fc37.x86_64.rpm
KERNEL_RPMS := kernel-6.1.46-100.constellation.fc38.x86_64.rpm kernel-core-6.1.46-100.constellation.fc38.x86_64.rpm kernel-modules-6.1.46-100.constellation.fc38.x86_64.rpm kernel-modules-core-6.1.46-100.constellation.fc38.x86_64.rpm
PREBUILD_RPMS_SYSTEMD := $(addprefix prebuilt/rpms/systemd/,$(SYSTEMD_FIXED_RPMS))
PREBUILD_RPMS_KERNEL := $(addprefix prebuilt/rpms/kernel/,$(KERNEL_RPMS))
.PHONY: all clean inject-bins $(csps) $(variants)
.NOTPARALLEL: mkosi.output.%/fedora~38/image.raw clean-%
all: $(csps)
aws: aws_aws-sev-snp aws_aws-nitro-tpm
azure: azure_azure-sev-snp
gcp: gcp_gcp-sev-es gcp_gcp-sev-snp
openstack: openstack_qemu-vtpm
qemu: qemu_qemu-vtpm
$(variants): %: mkosi.output.%/fedora~38/image.raw
prebuilt/rpms/systemd/%.rpm:
@echo "Downloading $*"
@mkdir -p $(@D)
@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/systemd/251.11/2.fc37/x86_64/$*.rpm
prebuilt/rpms/kernel/%.rpm:
@echo "Downloading $*"
@mkdir -p $(@D)
@curl -fsSL -o $@ https://cdn.confidential.cloud/constellation/kernel/6.1.46-100.constellation/$*.rpm
mkosi.output.%/fedora~38/image.raw: inject-bins inject-certs
rm -rf .csp/
mkdir -p .csp/
$(eval csp := $(firstword $(subst _, ,$*)))
$(eval attestation_variant := $(lastword $(subst _, ,$*)))
touch .csp/$(csp)
mkosi \
--image-version=$(IMAGE_VERSION) \
$(AUTOLOGIN_ARGS) \
--environment=INSTALL_DEBUGD \
--environment=CONSOLE_MOTD \
--kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
--kernel-command-line="constel.attestation-variant=$(attestation_variant)" \
--kernel-command-line="constel.csp=$(csp)" \
--output-dir=mkosi.output.$* \
$(SEARCH_PATHS_PARAM) \
build
secure-boot/signed-shim.sh $@
@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
fi
rm -rf .csp/
@echo "Image is ready: $@"
inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILD_RPMS_KERNEL)
mkdir -p $(MKOSI_EXTRA)/usr/bin
mkdir -p $(MKOSI_EXTRA)/usr/sbin
cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent
cp $(DISK_MAPPER_BINARY) $(MKOSI_EXTRA)/usr/sbin/disk-mapper
cp $(MEASUREMENT_READER_BINARY) $(MKOSI_EXTRA)/usr/sbin/measurement-reader
if [ "$(DEBUG)" = "true" ]; then \
cp $(DEBUGD_BINARY) $(MKOSI_EXTRA)/usr/bin/debugd; \
rm -f $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
rm -f $(MKOSI_EXTRA)/usr/bin/upgrade-agent; \
else \
cp $(BOOTSTRAPPER_BINARY) $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
rm -f $(MKOSI_EXTRA)/usr/bin/debugd; \
fi
inject-certs: $(certs)
# for auto enrollment using systemd-boot (not working yet)
mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"
clean-cache:
rm -rf mkosi.cache/*
clean-%:
rm -rf .csp/
mkdir -p .csp/
touch .csp/$*
mkosi clean
rm -rf .csp/
clean:
rm -rf mkosi.output.*
rm -rf prebuilt/rpms
rm -rf $(MKOSI_EXTRA)
mkdir -p $(MKOSI_EXTRA)

0
image/mkosi.cache/.gitkeep
View file

3
image/mkosi.conf.d/aws.conf
View file

@ -1,3 +0,0 @@
[Content]
Packages=
ec2-utils

3
image/mkosi.conf.d/azure.conf
View file

@ -1,3 +0,0 @@
[Content]
Packages=
WALinuxAgent-udev

10
image/mkosi.conf.d/containers.conf
View file

@ -1,10 +0,0 @@
[Content]
Packages=
containerd,
containernetworking-plugins,
iptables-nft,
ethtool,
socat,
iproute-tc,
conntrack-tools,
podman

3
image/mkosi.conf.d/gcp.conf
View file

@ -1,3 +0,0 @@
[Content]
Packages=
nvme-cli

5
image/mkosi.conf.d/mkosi.aws.conf
View file

@ -1,5 +0,0 @@
[Match]
PathExists=../.csp/aws
[Output]
KernelCommandLine=mitigations=auto idle=poll

5
image/mkosi.conf.d/mkosi.azure.conf
View file

@ -1,5 +0,0 @@
[Match]
PathExists=../.csp/azure
[Output]
KernelCommandLine=mitigations=auto,nosmt

32
image/mkosi.conf.d/mkosi.conf
View file

@ -1,32 +0,0 @@
[Distribution]
Distribution=fedora
Release=38
[Output]
Format=disk
ManifestFormat=json,changelog
Bootable=yes
KernelCommandLine=preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 console=ttyS0
SplitArtifacts=yes
# Enable Secure Boot with own PKI
SecureBoot=yes
SecureBootKey=pki/db.key
SecureBootCertificate=pki/db.crt
# TODO(malt3): Wait for systemd 252 to bring systemd-measure
# Measure=yes
ImageId=constellation
Output=image.raw
[Content]
Packages=prebuilt/rpms/kernel/kernel-6.1.46-100.constellation.fc38.x86_64.rpm
prebuilt/rpms/kernel/kernel-core-6.1.46-100.constellation.fc38.x86_64.rpm
prebuilt/rpms/kernel/kernel-modules-6.1.46-100.constellation.fc38.x86_64.rpm
prebuilt/rpms/kernel/kernel-modules-core-6.1.46-100.constellation.fc38.x86_64.rpm
prebuilt/rpms/systemd/systemd-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-libs-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-networkd-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-pam-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-resolved-251.11-2.fc37.x86_64.rpm
prebuilt/rpms/systemd/systemd-udev-251.11-2.fc37.x86_64.rpm
dracut
util-linux

5
image/mkosi.conf.d/mkosi.gcp.conf
View file

@ -1,5 +0,0 @@
[Match]
PathExists=../.csp/gcp
[Output]
KernelCommandLine=mitigations=auto,nosmt

9
image/mkosi.conf.d/mkosi.openstack.conf
View file

@ -1,9 +0,0 @@
[Match]
PathExists=../.csp/openstack
[Output]
KernelCommandLine=mem_encrypt=on kvm_amd.sev=1 module_blacklist=qemu_fw_cfg console=tty0 console=ttyS0 mitigations=auto,nosmt
[Content]
Autologin=yes
Environment=CONSOLE_MOTD=true

9
image/mkosi.conf.d/mkosi.qemu.conf
View file

@ -1,9 +0,0 @@
[Match]
PathExists=../.csp/qemu
[Content]
Autologin=yes
Environment=CONSOLE_MOTD=true
[Output]
KernelCommandLine=mitigations=auto,nosmt

8
image/mkosi.conf.d/network.conf
View file

@ -1,8 +0,0 @@
[Content]
Packages=
iproute,
dbus-broker,
systemd-networkd,
systemd-resolved,
dracut-network,
dhclient, # prevent NetworkManager from being pulled in by dracut-network

7
image/mkosi.conf.d/secure-boot-tpm.conf
View file

@ -1,7 +0,0 @@
[Content]
# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
Packages=
e2fsprogs,
sbsigntools,
efitools,
mokutil,

8
image/mkosi.conf.d/selinux.conf
View file

@ -1,8 +0,0 @@
[Output]
# set selinux to permissive
KernelCommandLine=!selinux=0 selinux=1 enforcing=0 audit=0
[Content]
# Secure Boot / EFI related packages for manual enrollment / verification of Secure Boot
Packages=selinux-policy,
selinux-policy-targeted,

8
image/mkosi.conf.d/tools.conf
View file

@ -1,8 +0,0 @@
[Content]
Packages=
passwd,
nano,
nano-default-editor,
vim,
curl,
wget

9
image/mkosi.finalize
View file

@ -1,9 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
set -euxo pipefail
# cleanup dracut generation files (disk-mapper) to save space
rm -rf "${BUILDROOT}/usr/lib/dracut/modules.d/39constellation-mount/"

36
image/mkosi.postinst
View file

@ -1,36 +0,0 @@
#!/usr/bin/env bash
set -euxo pipefail
# This will work in sd-boot 251 to auto-enroll secure boot keys.
# https://www.freedesktop.org/software/systemd/man/systemd-boot.html
# > CHANGES WITH 252 in spe:
# > [...]
# > * sd-boot can automatically enroll SecureBoot keys from files found on
# > the ESP. This enrollment can be either automatic ('force' mode) or
# > controlled by the user ('manual' mode).
# > [...]
#
# echo "secure-boot-enroll force" >> /boot/loader/loader.conf
# create mountpoints in /etc
mkdir -p /etc/{cni,kubernetes}
# move issue files away from /etc
# to allow /run/issue and /run/issue.d to take precedence
mv /etc/issue.d /usr/lib/issue.d || true
rm -f /etc/issue
rm -f /etc/issue.net
# add motd for constellation console access
if [[ ${CONSOLE_MOTD:-false} == "true" ]]; then
cat << EOF > /usr/lib/motd.d/10-constellation-console-access.motd
~ Welcome to Constellation! ~
Usually, on release versions of Constellation running in the cloud, you are not able to login through the serial console.
This shell access is specifically granted for debug images and MiniConstellation to allow users to research the environment Constellation runs in.
Have fun! Feel free to report any issues to GitHub or security@edgeless.systems (for security vulnerabilities only).
EOF
fi
# update /etc/os-release
echo "IMAGE_ID=\"${IMAGE_ID}\"" >> /etc/os-release
echo "IMAGE_VERSION=\"${IMAGE_VERSION}\"" >> /etc/os-release

33
image/mkosi.prepare
View file

@ -1,33 +0,0 @@
#!/usr/bin/env bash
set -euxo pipefail
# set selinux to permissive
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
sed -i 's/WantedBy=multi-user.target/WantedBy=basic.target/' /usr/lib/systemd/system/systemd-resolved.service
# write + enable debugd.service if INSTALL_DEBUGD is set
if [[ ${INSTALL_DEBUGD:-false} == "true" ]]; then
cat << EOF > /usr/lib/systemd/system/debugd.service
[Unit]
Description=Constellation Debug Daemon
Wants=network-online.target
After=network-online.target configure-constel-csp.service
[Service]
Type=simple
RemainAfterExit=yes
Restart=on-failure
EnvironmentFile=/run/constellation.env
Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
ExecStart=/usr/bin/debugd
[Install]
WantedBy=multi-user.target
EOF
echo "enable debugd.service" > /usr/lib/systemd/system-preset/31-constellation-debug.preset
systemctl enable debugd.service
# ensure constellation-bootstrapper.service uses downloaded binaries on reboots
sed -i 's#ExecStart=.*#ExecStart=/run/state/bin/bootstrapper#' /usr/lib/systemd/system/constellation-bootstrapper.service
fi

6
image/mkosi.repart/00-esp.conf
View file

@ -1,6 +0,0 @@
[Partition]
Type=esp
Format=vfat
CopyFiles=/boot:/
SizeMinBytes=256M
SizeMaxBytes=512M

7
image/mkosi.repart/10-root.conf
View file

@ -1,7 +0,0 @@
[Partition]
Type=root
Format=squashfs
Verity=data
VerityMatchKey=root
CopyFiles=/
Minimize=guess

6
image/mkosi.repart/20-root-verity.conf
View file

@ -1,6 +0,0 @@
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
SizeMinBytes=64M
SizeMaxBytes=64M

39
image/mkosi.reposdir/amzn2-core.repo
View file

@ -1,39 +0,0 @@
[amzn2-core]
name=Amazon Linux 2 core repository
#mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/$basearch/mirror.list
mirrorlist=https://amazonlinux-2-repos-us-east-2.s3.dualstack.us-east-2.amazonaws.com/2/core/latest/x86_64/mirror.list
priority=10
gpgcheck=1
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
enabled=1
metadata_expire=300
mirrorlist_expire=300
report_instanceid=yes
includepkgs=ec2-utils
# [amzn2-core-source]
# name=Amazon Linux 2 core repository - source packages
# mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/SRPMS/mirror.list
# priority=10
# gpgcheck=1
# #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
# gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
# enabled=0
# metadata_expire=300
# mirrorlist_expire=300
# report_instanceid=yes
# includepkgs=ec2-utils
# [amzn2-core-debuginfo]
# name=Amazon Linux 2 core repository - debuginfo packages
# mirrorlist=$awsproto://$amazonlinux.$awsregion.$awsdomain/$releasever/$product/$target/debuginfo/$basearch/mirror.list
# priority=10
# gpgcheck=1
# #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
# gpgkey=https://cdn.amazonlinux.com/_assets/11CF1F95C87F5B1A.asc
# enabled=0
# metadata_expire=300
# mirrorlist_expire=300
# report_instanceid=yes
# includepkgs=ec2-utils

1
image/mkosi.skeleton/etc/crictl.yaml
View file

@ -1 +0,0 @@
runtime-endpoint: "unix:///run/containerd/containerd.sock"

5
image/mkosi.skeleton/etc/dracut.conf.d/90-networkd.conf
View file

@ -1,5 +0,0 @@
# enable networking in initrd (initramfs) with dracut and systemd-networkd
install_items+=" /usr/lib/systemd/network/20-wired.network "
install_items+=" /usr/lib/systemd/network/21-azure.network "
# see https://github.com/dracutdevs/dracut/tree/master/modules.d for a list of modules
add_dracutmodules+=" systemd-networkd systemd-resolved "

2
image/mkosi.skeleton/etc/dracut.conf.d/aws.conf
View file

@ -1,2 +0,0 @@
# add Amazon ena driver to the list of drivers to be loaded
force_drivers+=" ena "

3
image/mkosi.skeleton/etc/dracut.conf.d/azure.conf
View file

@ -1,3 +0,0 @@
# add hyperv drivers to initramfs
# (important for early networking)
force_drivers+=" hv_netvsc hv_sock hv_storvsc hv_vmbus "

2
image/mkosi.skeleton/etc/dracut.conf.d/gce.conf
View file

@ -1,2 +0,0 @@
# Include NVMe driver in initrd to boot on NVMe devices.
force_drivers+=" nvme "

5
image/mkosi.skeleton/etc/fstab
View file

@ -1,5 +0,0 @@
/dev/mapper/state /run/state ext4 defaults,x-systemd.makefs,x-mount.mkdir 0 0
/run/state/var /var none defaults,bind,x-mount.mkdir 0 0
/run/state/kubernetes /etc/kubernetes none defaults,bind,x-mount.mkdir 0 0
/run/state/etccni /etc/cni/ none defaults,bind,x-mount.mkdir 0 0
/run/state/opt /opt none defaults,bind,x-mount.mkdir 0 0

11
image/mkosi.skeleton/etc/profile.d/constellation.sh
View file

@ -1,11 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# Note: This script is sourced.
export TERM=linux
export PATH=/run/state/bin:${PATH}
export KUBECONFIG=/etc/kubernetes/admin.conf
alias k=kubectl

216
image/mkosi.skeleton/usr/etc/containerd/config.toml
View file

@ -1,216 +0,0 @@
disabled_plugins = []
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/var/lib/containerd"
state = "/run/containerd"
version = 2
[cgroup]
path = ""
[debug]
address = ""
format = ""
gid = 0
level = ""
uid = 0
[grpc]
address = "/run/containerd/containerd.sock"
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
tcp_address = ""
tcp_tls_cert = ""
tcp_tls_key = ""
uid = 0
[metrics]
address = ""
grpc_histogram = false
[plugins]
[plugins."io.containerd.gc.v1.scheduler"]
deletion_threshold = 0
mutation_threshold = 100
pause_threshold = 0.02
schedule_delay = "0s"
startup_delay = "100ms"
[plugins."io.containerd.grpc.v1.cri"]
disable_apparmor = false
disable_cgroup = false
disable_hugetlb_controller = true
disable_proc_mount = false
disable_tcp_service = true
enable_selinux = false
enable_tls_streaming = false
ignore_image_defined_volumes = false
max_concurrent_downloads = 3
max_container_log_line_size = 16384
netns_mounts_under_state_dir = false
restrict_oom_score_adj = false
sandbox_image = "registry.k8s.io/pause:3.9@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097"
selinux_category_range = 1024
stats_collect_period = 10
stream_idle_timeout = "4h0m0s"
stream_server_address = "127.0.0.1"
stream_server_port = "0"
systemd_cgroup = false
tolerate_missing_hugetlb_controller = true
unset_seccomp_profile = ""
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = ""
max_conf_num = 1
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
disable_snapshot_annotations = true
discard_unpacked_layers = false
no_pivot = false
snapshotter = "overlayfs"
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
base_runtime_spec = ""
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_root = ""
runtime_type = ""
[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
base_runtime_spec = ""
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_root = ""
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
BinaryName = ""
CriuImagePath = ""
CriuPath = ""
CriuWorkPath = ""
IoGid = 0
IoUid = 0
NoNewKeyring = false
NoPivotRoot = false
Root = ""
ShimCgroup = ""
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
base_runtime_spec = ""
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_root = ""
runtime_type = ""
[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
[plugins."io.containerd.grpc.v1.cri".image_decryption]
key_model = "node"
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""
[plugins."io.containerd.internal.v1.opt"]
path = "/opt/containerd"
[plugins."io.containerd.internal.v1.restart"]
interval = "10s"
[plugins."io.containerd.metadata.v1.bolt"]
content_sharing_policy = "shared"
[plugins."io.containerd.monitor.v1.cgroups"]
no_prometheus = false
[plugins."io.containerd.runtime.v1.linux"]
no_shim = false
runtime = "runc"
runtime_root = ""
shim = "containerd-shim"
shim_debug = false
[plugins."io.containerd.runtime.v2.task"]
platforms = ["linux/amd64"]
[plugins."io.containerd.service.v1.diff-service"]
default = ["walking"]
[plugins."io.containerd.snapshotter.v1.aufs"]
root_path = ""
[plugins."io.containerd.snapshotter.v1.btrfs"]
root_path = ""
[plugins."io.containerd.snapshotter.v1.devmapper"]
async_remove = false
base_image_size = ""
pool_name = ""
root_path = ""
[plugins."io.containerd.snapshotter.v1.native"]
root_path = ""
[plugins."io.containerd.snapshotter.v1.overlayfs"]
root_path = ""
[plugins."io.containerd.snapshotter.v1.zfs"]
root_path = ""
[proxy_plugins]
[stream_processors]
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar"
[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar+gzip"
[timeouts]
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"
[ttrpc]
address = ""
gid = 0
uid = 0

2
image/mkosi.skeleton/usr/etc/containers/containers.conf
View file

@ -1,2 +0,0 @@
[network]
network_config_dir = "/run/containers/networks"

1
image/mkosi.skeleton/usr/etc/containers/registries.conf
View file

@ -1 +0,0 @@
unqualified-search-registries = ["docker.io"]

13
image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.service
View file

@ -1,13 +0,0 @@
[Unit]
Description=Azure Provisioning
After=network-online.target
Wants=network-online.target
ConditionKernelCommandLine=constel.csp=azure
[Service]
Type=oneshot
ExecStart=/usr/local/bin/azure-provisioning
RemainAfterExit=yes
StandardOutput=tty
StandardInput=tty
StandardError=tty

64
image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/azure-provisioning.sh
View file

@ -1,64 +0,0 @@
#!/usr/bin/env bash
# source https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent
set -euo pipefail
shopt -s inherit_errexit
attempts=1
until [[ ${attempts} -gt 5 ]]; do
echo "obtaining goal state - attempt ${attempts}"
goalstate=$(curl --fail -v -X 'GET' -H "x-ms-agent-name: azure-vm-register" \
-H "Content-Type: text/xml;charset=utf-8" \
-H "x-ms-version: 2012-11-30" \
"http://168.63.129.16/machine/?comp=goalstate")
if [[ $? -eq 0 ]]; then
echo "successfully retrieved goal state"
retrieved_goal_state=true
break
fi
sleep 5
attempts=$((attempts + 1))
done
if [[ ${retrieved_goal_state} != "true" ]]; then
echo "failed to obtain goal state - cannot register this VM"
exit 1
fi
container_id=$(grep ContainerId <<< "${goalstate}" | sed 's/\s*<\/*ContainerId>//g' | sed 's/\r$//')
instance_id=$(grep InstanceId <<< "${goalstate}" | sed 's/\s*<\/*InstanceId>//g' | sed 's/\r$//')
ready_doc=$(
cat << EOF
<?xml version="1.0" encoding="utf-8"?>
<Health xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GoalStateIncarnation>1</GoalStateIncarnation>
<Container>
<ContainerId>${container_id}</ContainerId>
<RoleInstanceList>
<Role>
<InstanceId>${instance_id}</InstanceId>
<Health>
<State>Ready</State>
</Health>
</Role>
</RoleInstanceList>
</Container>
</Health>
EOF
)
attempts=1
until [[ ${attempts} -gt 5 ]]; do
echo "registering with Azure - attempt ${attempts}"
curl --fail -v -X 'POST' -H "x-ms-agent-name: azure-vm-register" \
-H "Content-Type: text/xml;charset=utf-8" \
-H "x-ms-version: 2012-11-30" \
-d "${ready_doc}" \
"http://168.63.129.16/machine?comp=health"
if [[ $? -eq 0 ]]; then
echo "successfully register with Azure"
break
fi
sleep 5 # sleep to prevent throttling from wire server
done

34
image/mkosi.skeleton/usr/lib/dracut/modules.d/38azure-provision/module-setup.sh
View file

@ -1,34 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# Note: This script is sourced.
depends() {
echo systemd
}
install_and_enable_unit() {
unit="$1"
shift
target="$1"
shift
inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
ln_r "${systemdsystemunitdir}/${unit}" \
"${systemdsystemconfdir}/${target}.wants/${unit}"
}
install() {
inst_multiple \
bash \
curl \
grep \
sed
inst_script "${moddir}/azure-provisioning.sh" \
"/usr/local/bin/azure-provisioning"
install_and_enable_unit "azure-provisioning.service" \
"basic.target"
}

15
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.service
View file

@ -1,15 +0,0 @@
[Unit]
Description=Force symlink creation for AWS nvme disks
Before=prepare-state-disk.service
After=network-online.target
Wants=network-online.target
ConditionKernelCommandLine=constel.csp=aws
[Service]
Type=oneshot
ExecStart=/bin/bash /usr/sbin/aws-nvme-disk
RemainAfterExit=yes
StandardOutput=tty
StandardInput=tty
StandardError=tty
TimeoutSec=infinity

28
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/aws-nvme-disk.sh
View file

@ -1,28 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
set -euo pipefail
shopt -s extglob nullglob inherit_errexit
AWS_STATE_DISK_DEVICENAME="sdb"
AWS_STATE_DISK_SYMLINK="/dev/${AWS_STATE_DISK_DEVICENAME}"
# hack: aws nvme udev rules are never executed. Create symlinks for the nvme devices manually.
while [[ ! -L ${AWS_STATE_DISK_SYMLINK} ]]; do
for nvmedisk in /dev/nvme*n1; do
linkname=$(nvme amzn id-ctrl -b "${nvmedisk}" | tail -c +3073 | head -c 32 | tr -d ' ') || true
if [[ -n ${linkname} ]] && [[ ${linkname} == "${AWS_STATE_DISK_DEVICENAME}" ]]; then
ln -s "${nvmedisk}" "${AWS_STATE_DISK_SYMLINK}"
fi
done
if [[ -L ${AWS_STATE_DISK_SYMLINK} ]]; then
break
fi
echo "Waiting for state disk to appear.."
sleep 2
done
echo "AWS state disk found"
echo "${AWS_STATE_DISK_SYMLINK}""$(readlink -f "${AWS_STATE_DISK_SYMLINK}")"

1
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/configure-constel-csp.service
View file

@ -1 +0,0 @@
../../../systemd/system/configure-constel-csp.service

94
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/module-setup.sh
View file

@ -1,94 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# Note: This script is sourced.
depends() {
# systemd-network-management expands to: systemd systemd-hostnamed systemd-networkd systemd-resolved systemd-timedated systemd-timesyncd
echo dracut-systemd systemd-network-management systemd-veritysetup systemd-udevd
return 0
}
install_and_enable_unit() {
unit="$1"
shift
target="$1"
shift
inst_simple "${moddir:?}/${unit}" "${systemdsystemunitdir:?}/${unit}"
mkdir -p "${initdir:?}${systemdsystemconfdir:?}/${target}.wants"
ln_r "${systemdsystemunitdir}/${unit}" \
"${systemdsystemconfdir}/${target}.wants/${unit}"
}
install_path() {
local dir="$1"
shift
mkdir -p "${initdir}/${dir}"
}
install() {
inst_multiple \
bash
inst_script "/usr/sbin/disk-mapper" \
"/usr/sbin/disk-mapper"
inst_script "${moddir}/prepare-state-disk.sh" \
"/usr/sbin/prepare-state-disk"
install_and_enable_unit "prepare-state-disk.service" \
"basic.target"
install_and_enable_unit "configure-constel-csp.service" \
"basic.target"
# aws nvme disks
inst_multiple \
tail \
tr \
head
# azure scsi disks
inst_multiple \
cut \
readlink
# gcp nvme disks
inst_multiple \
date \
xxd \
grep \
sed \
ln \
command \
readlink
inst_script "/usr/sbin/nvme" \
"/usr/sbin/nvme"
inst_script "/usr/lib/udev/google_nvme_id" \
"/usr/lib/udev/google_nvme_id"
inst_rules "64-gce-disk-removal.rules" "65-gce-disk-naming.rules"
inst_script "${moddir}/aws-nvme-disk.sh" \
"/usr/sbin/aws-nvme-disk"
install_and_enable_unit "aws-nvme-disk.service" \
"basic.target"
# TLS / CA store in initramfs
install_path /etc/pki/tls/certs/
inst_simple /etc/pki/tls/certs/ca-bundle.crt \
/etc/pki/tls/certs/ca-bundle.crt
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
inst_simple "${moddir}/sysusers-dracut.conf" "${systemdsystemunitdir}/systemd-sysusers.service.d/sysusers-dracut.conf"
# force systemd-networkd in initrd
install_and_enable_unit "systemd-networkd.service" \
"basic.target"
# shellcheck disable=SC2154
inst_multiple -o \
"${tmpfilesdir}"/systemd-network.conf \
"${systemdnetwork}"/80-6rd-tunnel.network \
"${systemdnetwork}"/80-container-vb.network \
"${systemdsystemunitdir}"/systemd-networkd-wait-online@.service
inst_simple /usr/lib/systemd/resolved.conf.d/fallback_dns.conf \
/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
}

18
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.service
View file

@ -1,18 +0,0 @@
[Unit]
Description=Prepare encrypted state disk
Before=initrd-fs.target
After=network-online.target nss-lookup.target configure-constel-csp.service
Wants=network-online.target
Requires=initrd-root-fs.target
FailureAction=reboot-immediate
After=export_constellation_debug.service
[Service]
Type=oneshot
EnvironmentFile=/run/constellation.env
ExecStart=/bin/bash /usr/sbin/prepare-state-disk $CONSTELLATION_DEBUG_FLAGS
RemainAfterExit=yes
StandardOutput=tty
StandardInput=tty
StandardError=tty
TimeoutSec=infinity

33
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/prepare-state-disk.sh
View file

@ -1,33 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
set -euo pipefail
shopt -s inherit_errexit
# parsing of the command line arguments. check if argv[1] is --debug
verbosity=0
if [[ $# -gt 0 ]]; then
if [[ $1 == "--debug" ]]; then
verbosity=-1
echo "[Constellation] Debug mode enabled"
else
echo "[Constellation] Unknown argument: $1"
exit 1
fi
else
echo "[Constellation] Debug mode disabled"
fi
# Prepare the encrypted volume by either initializing it with a random key or by aquiring the key from another bootstrapper.
# Store encryption key (random or recovered key) in /run/cryptsetup-keys.d/state.key
disk-mapper \
-csp "${CONSTEL_CSP}" \
-v "${verbosity}"
if [[ $? -ne 0 ]]; then
echo "Failed to prepare state disk"
sleep 2 # give the serial console time to print the error message
exit $? # exit with the same error code as disk-mapper
fi

3
image/mkosi.skeleton/usr/lib/dracut/modules.d/39constellation-mount/sysusers-dracut.conf
View file

@ -1,3 +0,0 @@
# backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
[Unit]
ConditionNeedsUpdate=

2
image/mkosi.skeleton/usr/lib/environment.d/99-constellation.conf
View file

@ -1,2 +0,0 @@
PATH=/run/state/bin:$PATH
KUBECONFIG=/etc/kubernetes/admin.conf

1
image/mkosi.skeleton/usr/lib/issue.d/01_constellation.issue
View file

@ -1 +0,0 @@
\S{IMAGE_ID} \S{IMAGE_VERSION}

2
image/mkosi.skeleton/usr/lib/modules-load.d/k8s.conf
View file

@ -1,2 +0,0 @@
overlay
br_netfilter

3
image/mkosi.skeleton/usr/lib/sysctl.d/10-cilium.conf
View file

@ -1,3 +0,0 @@
# See https://github.com/cilium/cilium/issues/10645
net.ipv4.conf.lxc*.rp_filter = 0
net.ipv4.conf.cilium_*.rp_filter = 0

9
image/mkosi.skeleton/usr/lib/sysctl.d/10-k8s.conf
View file

@ -1,9 +0,0 @@
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
# kubernetes hardening (protectKernelDefaults=true)
vm.overcommit_memory = 1
kernel.panic = 10
kernel.panic_on_oops = 1

5
image/mkosi.skeleton/usr/lib/systemd/network/20-wired.network
View file

@ -1,5 +0,0 @@
[Match]
Name=en*
[Network]
DHCP=yes

6
image/mkosi.skeleton/usr/lib/systemd/network/21-azure.network
View file

@ -1,6 +0,0 @@
# Used as a fallback rule for Azure NICs as they are not named with "en*"
[Match]
Driver=hv_netvsc
[Network]
DHCP=yes

2
image/mkosi.skeleton/usr/lib/systemd/resolved.conf.d/fallback_dns.conf
View file

@ -1,2 +0,0 @@
[Resolve]
FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9

11
image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset
View file

@ -1,11 +0,0 @@
enable configure-constel-csp.service
enable constellation-upgrade-agent.service
enable constellation-bootstrapper.service
enable containerd.service
enable kubelet.service
enable systemd-networkd.service
enable systemd-networkd.socket
enable systemd-resolved.service
enable measurements.service
enable export_constellation_debug.service
enable systemd-timesyncd

11
image/mkosi.skeleton/usr/lib/systemd/system/configure-constel-csp.service
View file

@ -1,11 +0,0 @@
[Unit]
Description=Configures constellation cloud service provider environment variable
[Service]
Type=oneshot
ExecStart=/bin/bash -c "CSP=$(< /proc/cmdline tr ' ' '\n' | grep constel.csp | sed 's/constel.csp=//'); echo CONSTEL_CSP=$CSP >> /run/constellation.env"
ExecStart=/bin/bash -c "ATTESTATION=$(< /proc/cmdline tr ' ' '\n' | grep constel.attestation-variant | sed 's/constel.attestation-variant=//'); echo CONSTEL_ATTESTATION_VARIANT=$ATTESTATION >> /run/constellation.env"
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

16
image/mkosi.skeleton/usr/lib/systemd/system/constellation-bootstrapper.service
View file

@ -1,16 +0,0 @@
[Unit]
Description=Constellation Bootstrapper
Wants=network-online.target
After=network-online.target configure-constel-csp.service
After=export_constellation_debug.service
[Service]
Type=simple
RemainAfterExit=yes
Restart=on-failure
EnvironmentFile=/run/constellation.env
Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
ExecStart=/usr/bin/bootstrapper $CONSTELLATION_DEBUG_FLAGS
[Install]
WantedBy=multi-user.target

14
image/mkosi.skeleton/usr/lib/systemd/system/constellation-upgrade-agent.service
View file

@ -1,14 +0,0 @@
[Unit]
Description=Constellation Upgrade Agent
After=export_constellation_debug.service
[Service]
Type=simple
RemainAfterExit=yes
Restart=on-failure
EnvironmentFile=/run/constellation.env
Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
ExecStart=/usr/bin/upgrade-agent $CONSTELLATION_DEBUG_FLAGS
[Install]
WantedBy=multi-user.target

3
image/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
View file

@ -1,3 +0,0 @@
[Service]
ExecStart=
ExecStart=/usr/bin/containerd --config /usr/etc/containerd/config.toml

10
image/mkosi.skeleton/usr/lib/systemd/system/export_constellation_debug.service
View file

@ -1,10 +0,0 @@
[Unit]
Description=Export Constellation Debug Level to Environment
[Service]
Type=oneshot
ExecStart=/bin/bash -c "tr ' ' '\n' < /proc/cmdline | grep -q 'constellation.debug' && echo CONSTELLATION_DEBUG_FLAGS=--debug >> /run/constellation.env"
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

21
image/mkosi.skeleton/usr/lib/systemd/system/kubelet.service
View file

@ -1,21 +0,0 @@
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=https://kubernetes.io/docs/home/
Wants=network-online.target
After=network-online.target
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/default/kubelet
ExecStart=/run/state/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target

12
image/mkosi.skeleton/usr/lib/systemd/system/measurements.service
View file

@ -1,12 +0,0 @@
[Unit]
Description=Print image measurements on startup
Before=constellation-bootstrapper.service
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/run/constellation.env
ExecStart=/usr/libexec/constellation-pcrs
[Install]
WantedBy=multi-user.target

1
image/mkosi.skeleton/usr/lib/systemd/timesyncd.conf.d/constellation.conf
View file

@ -1 +0,0 @@
FallbackNTP=time.google.com time.cloudflare.com time.windows.com time.apple.com time.nist.gov europe.pool.ntp.org 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org 3.rhel.pool.ntp.org

2
image/mkosi.skeleton/usr/lib/sysusers.d/constellation.conf
View file

@ -1,2 +0,0 @@
#Type Name ID GECOS Home directory Shell
u etcd 998:997 "etcd user" /var/lib/etcd

10
image/mkosi.skeleton/usr/lib/tmpfiles.d/constellation.conf
View file

@ -1,10 +0,0 @@
#Type Path Mode User Group Age Argument
d /var/lib/etcd 0700 998 997 - -
d /var/log/kubernetes/audit/ 0700 0 0 - -
d /run/state/bin 0755 0 0 - -
C /run/issue.d - - - - /usr/lib/issue.d/
C /run/issue - - - - /usr/lib/issue
C /run/motd.d - - - - /usr/lib/motd.d/
C /run/motd - - - - /usr/lib/motd
# merge all CNI binaries in writable folder until containerd can use multiple CNI bins: https://github.com/containerd/containerd/issues/6600
C /opt/cni/bin - - - - /usr/libexec/cni/

248
image/mkosi.skeleton/usr/lib/udev/google_nvme_id
View file

@ -1,248 +0,0 @@
#!/bin/bash
# Copyright 2020 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Used to generate symlinks for PD-NVMe devices using the disk names reported by
# the metadata server
# Locations of the script's dependencies
readonly nvme_cli_bin=/usr/sbin/nvme
# Bash regex to parse device paths and controller identification
readonly NAMESPACE_NUMBER_REGEX="/dev/nvme[[:digit:]]+n([[:digit:]]+).*"
readonly PARTITION_NUMBER_REGEX="/dev/nvme[[:digit:]]+n[[:digit:]]+p([[:digit:]]+)"
# Globals used to generate the symlinks for a PD-NVMe disk. These are populated
# by the identify_pd_disk function and exported for consumption by udev rules.
ID_SERIAL=''
ID_SERIAL_SHORT=''
#######################################
# Helper function to log an error message to stderr.
# Globals:
# None
# Arguments:
# String to print as the log message
# Outputs:
# Writes error to STDERR
#######################################
function err() {
echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')]: $*" >&2
}
#######################################
# Retrieves the device name for an NVMe namespace using nvme-cli.
# Globals:
# Uses nvme_cli_bin
# Arguments:
# The path to the nvme namespace (/dev/nvme0n?)
# Outputs:
# The device name parsed from the JSON in the vendor ext of the ns-id command.
# Returns:
# 0 if the device name for the namespace could be retrieved, 1 otherwise
#######################################
function get_namespace_device_name() {
local nvme_json
nvme_json="$("${nvme_cli_bin}" id-ns -b "$1" | xxd -p -seek 384 | xxd -p -r)"
if [[ $? -ne 0 ]]; then
return 1
fi
if [[ -z ${nvme_json} ]]; then
err "NVMe Vendor Extension disk information not present"
return 1
fi
local device_name
device_name="$(echo "${nvme_json}" | grep device_name | sed -e 's/.*"device_name":[ \t]*"\([a-zA-Z0-9_-]\+\)".*/\1/')"
# Error if our device name is empty
if [[ -z ${device_name} ]]; then
err "Empty name"
return 1
fi
echo "${device_name}"
return 0
}
#######################################
# Retrieves the nsid for an NVMe namespace
# Globals:
# None
# Arguments:
# The path to the nvme namespace (/dev/nvme0n*)
# Outputs:
# The namespace number/id
# Returns:
# 0 if the namespace id could be retrieved, 1 otherwise
#######################################
function get_namespace_number() {
local dev_path="$1"
local namespace_number
if [[ ${dev_path} =~ ${NAMESPACE_NUMBER_REGEX} ]]; then
namespace_number="${BASH_REMATCH[1]}"
else
return 1
fi
echo "${namespace_number}"
return 0
}
#######################################
# Retrieves the partition number for a device path if it exists
# Globals:
# None
# Arguments:
# The path to the device partition (/dev/nvme0n*p*)
# Outputs:
# The value after 'p' in the device path, or an empty string if the path has
# no partition.
#######################################
function get_partition_number() {
local dev_path="$1"
local partition_number
if [[ ${dev_path} =~ ${PARTITION_NUMBER_REGEX} ]]; then
partition_number="${BASH_REMATCH[1]}"
echo "${partition_number}"
else
echo ''
fi
return 0
}
#######################################
# Generates a symlink for a PD-NVMe device using the metadata's disk name.
# Primarily used for testing but can be used if the script is directly invoked.
# Globals:
# Uses ID_SERIAL_SHORT (can be populated by identify_pd_disk)
# Arguments:
# The device path for the disk
#######################################
function gen_symlink() {
local dev_path="$1"
local partition_number
partition_number="$(get_partition_number "${dev_path}")"
if [[ -n ${partition_number} ]]; then
ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}"-part"${partition_number}" > /dev/null 2>&1
else
ln -s "${dev_path}" /dev/disk/by-id/google-"${ID_SERIAL_SHORT}" > /dev/null 2>&1
fi
return 0
}
#######################################
# Populates the ID_* global variables with a disk's device name and namespace
# Globals:
# Populates ID_SERIAL_SHORT, and ID_SERIAL
# Arguments:
# The device path for the disk
# Returns:
# 0 on success and 1 if an error occurrs
#######################################
function identify_pd_disk() {
local dev_path="$1"
local dev_name
dev_name="$(get_namespace_device_name "${dev_path}")"
if [[ $? -ne 0 ]]; then
return 1
fi
ID_SERIAL_SHORT="${dev_name}"
ID_SERIAL="Google_PersistentDisk_${ID_SERIAL_SHORT}"
return 0
}
function print_help_message() {
echo "Usage: google_nvme_id [-s] [-h] -d device_path"
echo " -d <device_path> (Required): Specifies the path to generate a name"
echo " for. This needs to be a path to an nvme device or namespace"
echo " -s: Create symbolic link for the disk under /dev/disk/by-id."
echo " Otherwise, the disk name will be printed to STDOUT"
echo " -h: Print this help message"
}
function main() {
local opt_gen_symlink='false'
local device_path=''
while getopts :d:sh flag; do
case "${flag}" in
d) device_path="${OPTARG}" ;;
s) opt_gen_symlink='true' ;;
h)
print_help_message
return 0
;;
:)
echo "Invalid option: ${OPTARG} requires an argument" 1>&2
return 1
;;
*) return 1 ;;
esac
done
if [[ -z ${device_path} ]]; then
echo "Device path (-d) argument required. Use -h for full usage." 1>&2
exit 1
fi
# Ensure the nvme-cli command is installed
command -v "${nvme_cli_bin}" > /dev/null 2>&1
if [[ $? -ne 0 ]]; then
err "The nvme utility (/usr/sbin/nvme) was not found. You may need to run \
with sudo or install nvme-cli."
return 1
fi
# Ensure the passed device is actually an NVMe device
"${nvme_cli_bin}" id-ctrl "${device_path}" &> /dev/null
if [[ $? -ne 0 ]]; then
err "Passed device was not an NVMe device. (You may need to run this \
script as root/with sudo)."
return 1
fi
# Detect the type of attached nvme device
local controller_id
controller_id=$("${nvme_cli_bin}" id-ctrl "${device_path}")
if [[ ! ${controller_id} =~ nvme_card-pd ]]; then
err "Device is not a PD-NVMe device"
return 1
fi
# Fill the global variables for the id command for the given disk type
# Error messages will be printed closer to error, no need to reprint here
identify_pd_disk "${device_path}"
ret=$?
if [[ ${ret} -ne 0 ]]; then
return "${ret}"
fi
# Gen symlinks or print out the globals set by the identify command
if [[ ${opt_gen_symlink} == 'true' ]]; then
gen_symlink "${device_path}"
else
# These will be consumed by udev
echo "ID_SERIAL_SHORT=${ID_SERIAL_SHORT}"
echo "ID_SERIAL=${ID_SERIAL}"
fi
return $?
}
main "$@"

17
image/mkosi.skeleton/usr/lib/udev/rules.d/64-gce-disk-removal.rules
View file

@ -1,17 +0,0 @@
# Copyright 2016 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# When a disk is removed, unmount any remaining attached volumes.
ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*|vd*|nvme*", RUN+="/bin/sh -c '/bin/umount -fl /dev/$name && /usr/bin/logger -p daemon.warn -s WARNING: hot-removed /dev/$name that was still mounted, data may have been corrupted'"

37
image/mkosi.skeleton/usr/lib/udev/rules.d/65-gce-disk-naming.rules
View file

@ -1,37 +0,0 @@
# Copyright 2016 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Name the attached disks as the specified by deviceName.
ACTION!="add|change", GOTO="gce_disk_naming_end"
SUBSYSTEM!="block", GOTO="gce_disk_naming_end"
# SCSI naming
KERNEL=="sd*|vd*", IMPORT{program}="scsi_id --export --whitelisted -d $tempnode"
# NVME Local SSD naming
KERNEL=="nvme*n*", ATTRS{model}=="nvme_card", PROGRAM="/bin/sh -c 'nsid=$$(echo %k|sed -re s/nvme[0-9]+n\([0-9]+\).\*/\\1/); echo $$((nsid-1))'", ENV{ID_SERIAL_SHORT}="local-nvme-ssd-%c"
KERNEL=="nvme*", ATTRS{model}=="nvme_card", ENV{ID_SERIAL}="Google_EphemeralDisk_$env{ID_SERIAL_SHORT}"
# NVME Persistent Disk IO Timeout
KERNEL=="nvme*n*", ENV{DEVTYPE}=="disk", ATTRS{model}=="nvme_card-pd", ATTR{queue/io_timeout}="4294967295"
# NVME Persistent Disk Naming
KERNEL=="nvme*n*", ATTRS{model}=="nvme_card-pd", IMPORT{program}="google_nvme_id -d $tempnode"
# Symlinks
KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}"
KERNEL=="sd*|vd*|nvme*", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-id/google-$env{ID_SERIAL_SHORT}-part%n"
LABEL="gce_disk_naming_end"

4
image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
View file

@ -1,4 +0,0 @@
# prevent systemd udev rules from marking unformatted device mapper device as unready (SYSTEMD_READY=0)
# this is the offending rule from systemd: SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-encrypted-disk"
SUBSYSTEM=="block", ENV{DM_NAME}=="state", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-state"

14
image/mkosi.skeleton/usr/libexec/constellation-pcrs
View file

@ -1,14 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# This script reads the measurements of the system
# and prints the message to the serial console
main() {
pcr_state="$(/usr/sbin/measurement-reader)"
echo -e "${pcr_state}\n" > /run/issue.d/35_constellation_pcrs.issue
}
main

12
image/secure-boot/aws/create_uefivars.sh
View file

@ -1,12 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
shopt -s inherit_errexit
TMPDIR=$(mktemp -d /tmp/uefivars-XXXXXXXXXXXXXX)
git clone --branch v1.0.0 https://github.com/awslabs/python-uefivars "${TMPDIR}"
cd "${TMPDIR}" && git reset 9679002a4392d8e7831d2dbda3fab41ccc5c6b8c --hard
"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P "${PKI}"/PK.esl -K "${PKI}"/KEK.esl --db "${PKI}"/db.esl
rm -rf "${TMPDIR}"

76
image/secure-boot/azure/delete.sh
View file

@ -1,76 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
shopt -s inherit_errexit
if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null
. "${CONFIG_FILE}"
fi
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
-n | --name)
AZURE_VM_NAME="$2"
shift # past argument
shift # past value
;;
-*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
AZ_VM_INFO=$(az vm show --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}" -o json)
NIC=$(echo "${AZ_VM_INFO}" | jq -r '.networkProfile.networkInterfaces[0].id')
NIC_INFO=$(az network nic show --ids "${NIC}" -o json)
PUBIP=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].publicIpAddress.id')
NSG=$(echo "${NIC_INFO}" | jq -r '.networkSecurityGroup.id')
SUBNET=$(echo "${NIC_INFO}" | jq -r '.ipConfigurations[0].subnet.id')
VNET=${SUBNET//\/subnets\/.*/}
DISK=$(echo "${AZ_VM_INFO}" | jq -r '.storageProfile.osDisk.managedDisk.id')
delete_vm() {
az vm delete -y --name "${AZURE_VM_NAME}" \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" || true
}
delete_vnet() {
az network vnet delete --ids "${VNET}" || true
}
delete_subnet() {
az network vnet subnet delete --ids "${SUBNET}" || true
}
delete_nsg() {
az network nsg delete --ids "${NSG}" || true
}
delete_pubip() {
az network public-ip delete --ids "${PUBIP}" || true
}
delete_disk() {
az disk delete -y --ids "${DISK}" || true
}
delete_nic() {
az network nic delete --ids "${NIC}" || true
}
delete_vm
delete_disk
delete_nic
delete_nsg
delete_subnet
delete_vnet
delete_pubip

68
image/secure-boot/azure/extract_vmgs.sh
View file

@ -1,68 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
shopt -s inherit_errexit
if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null
. "${CONFIG_FILE}"
fi
AZURE_SUBSCRIPTION=$(az account show --query id -o tsv)
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
-n | --name)
AZURE_VM_NAME="$2"
shift # past argument
shift # past value
;;
-*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
VM_DISK=$(az vm show -g "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_VM_NAME}" --query "storageProfile.osDisk.managedDisk.id" -o tsv)
LOCATION=$(az disk show --ids "${VM_DISK}" --query "location" -o tsv)
az snapshot create \
-g "${AZURE_RESOURCE_GROUP_NAME}" \
--source "${VM_DISK}" \
--name "${AZURE_SNAPSHOT_NAME}" \
-l "${LOCATION}"
# Azure CLI does not implement getSecureVMGuestStateSAS for snapshots yet
# az snapshot grant-access \
# --duration-in-seconds 3600 \
# --access-level Read \
# --name "${AZURE_SNAPSHOT_NAME}" \
# -g "${AZURE_RESOURCE_GROUP_NAME}"
BEGIN=$(az rest \
--method post \
--url "https://management.azure.com/subscriptions/${AZURE_SUBSCRIPTION}/resourceGroups/${AZURE_RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/snapshots/${AZURE_SNAPSHOT_NAME}/beginGetAccess" \
--uri-parameters api-version="2021-12-01" \
--body '{"access": "Read", "durationInSeconds": 3600, "getSecureVMGuestStateSAS": true}' \
--verbose 2>&1)
ASYNC_OPERATION_URI=$(echo "${BEGIN}" | grep Azure-AsyncOperation | cut -d ' ' -f 7 | tr -d "'")
sleep 10
ACCESS=$(az rest --method get --url "${ASYNC_OPERATION_URI}")
VMGS_URL=$(echo "${ACCESS}" | jq -r '.properties.output.securityDataAccessSAS')
curl -fsSL -o "${AZURE_VMGS_FILENAME}" "${VMGS_URL}"
az snapshot revoke-access \
--name "${AZURE_SNAPSHOT_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}"
az snapshot delete \
--name "${AZURE_SNAPSHOT_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}"
echo "VMGS saved to ${AZURE_VMGS_FILENAME}"

104
image/secure-boot/azure/launch.sh
View file

@ -1,104 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
shopt -s inherit_errexit
if [[ -z ${CONFIG_FILE-} ]] && [[ -f ${CONFIG_FILE-} ]]; then
# shellcheck source=/dev/null
. "${CONFIG_FILE}"
fi
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case $1 in
-n | --name)
AZURE_VM_NAME="$2"
shift # past argument
shift # past value
;;
-g | --gallery)
CREATE_FROM_GALLERY=YES
shift # past argument
;;
-d | --disk)
CREATE_FROM_GALLERY=NO
shift # past argument
;;
--secure-boot)
AZURE_SECURE_BOOT="$2"
shift # past argument
shift # past value
;;
--disk-name)
AZURE_DISK_NAME="$2"
shift # past argument
shift # past value
;;
-*)
echo "Unknown option $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift # past argument
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [[ ${AZURE_SECURITY_TYPE} == "ConfidentialVM" ]]; then
VMSIZE="Standard_DC2as_v5"
elif [[ ${AZURE_SECURITY_TYPE} == "TrustedLaunch" ]]; then
VMSIZE="standard_D2as_v5"
else
echo "Unknown security type: ${AZURE_SECURITY_TYPE}"
exit 1
fi
create_vm_from_disk() {
AZURE_DISK_REFERENCE=$(az disk show --resource-group "${AZURE_RESOURCE_GROUP_NAME}" --name "${AZURE_DISK_NAME}" --query id -o tsv)
az vm create --name "${AZURE_VM_NAME}" \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
-l "${AZURE_REGION}" \
--size "${VMSIZE}" \
--public-ip-sku Standard \
--os-type Linux \
--attach-os-disk "${AZURE_DISK_REFERENCE}" \
--security-type "${AZURE_SECURITY_TYPE}" \
--os-disk-security-encryption-type VMGuestStateOnly \
--enable-vtpm true \
--enable-secure-boot "${AZURE_SECURE_BOOT}" \
--boot-diagnostics-storage "" \
--no-wait
}
create_vm_from_sig() {
AZURE_IMAGE_REFERENCE=$(az sig image-version show \
--gallery-image-definition "${AZURE_IMAGE_DEFINITION}" \
--gallery-image-version "${AZURE_IMAGE_VERSION}" \
--gallery-name "${AZURE_GALLERY_NAME}" \
-g "${AZURE_RESOURCE_GROUP_NAME}" \
--query id -o tsv)
az vm create --name "${AZURE_VM_NAME}" \
--resource-group "${AZURE_RESOURCE_GROUP_NAME}" \
-l "${AZURE_REGION}" \
--size "${VMSIZE}" \
--public-ip-sku Standard \
--image "${AZURE_IMAGE_REFERENCE}" \
--security-type "${AZURE_SECURITY_TYPE}" \
--os-disk-security-encryption-type VMGuestStateOnly \
--enable-vtpm true \
--enable-secure-boot "${AZURE_SECURE_BOOT}" \
--boot-diagnostics-storage "" \
--no-wait
}
if [[ ${CREATE_FROM_GALLERY} == "YES" ]]; then
create_vm_from_sig
else
create_vm_from_disk
fi
sleep 30
az vm boot-diagnostics enable --name "${AZURE_VM_NAME}" --resource-group "${AZURE_RESOURCE_GROUP_NAME}"

95
image/secure-boot/generate_nvram_vars.sh
View file

@ -1,95 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
set -euo pipefail
shopt -s inherit_errexit
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
BASE_DIR=$(realpath "${SCRIPT_DIR}/..")
# Set to qemu+tcp://localhost:16599/system for dockerized libvirt setup
if [[ -z ${LIBVIRT_SOCK} ]]; then
LIBVIRT_SOCK=qemu:///system
fi
libvirt_nvram_gen() {
local image_path="${1}"
if test -f "${BASE_DIR}/image.nvram.template"; then
echo "NVRAM template already generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
return
fi
if ! test -f "${image_path}"; then
echo "Image \"${image_path}\" does not exist yet. To generate nvram, create disk image first."
return
fi
OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
OVMF_VARS=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
if ! test -f "${OVMF_CODE}"; then
OVMF_CODE=/usr/share/OVMF/OVMF_CODE.secboot.fd
fi
if ! test -f "${OVMF_VARS}"; then
OVMF_VARS=/usr/share/OVMF/OVMF_VARS.secboot.fd
fi
echo "Using OVMF_CODE: ${OVMF_CODE}"
echo "Using OVMF_VARS: ${OVMF_VARS}"
# generate nvram file using libvirt
virt-install --name constell-nvram-gen \
--connect "${LIBVIRT_SOCK}" \
--nonetworks \
--description 'Constellation' \
--ram 1024 \
--vcpus 1 \
--osinfo detect=on,require=off \
--disk "${image_path},format=raw" \
--boot "machine=q35,menu=on,loader=${OVMF_CODE},loader.readonly=yes,loader.type=pflash,nvram.template=${OVMF_VARS},nvram=${BASE_DIR}/image.nvram,loader_secure=yes" \
--features smm.state=on \
--noautoconsole
echo -e 'connect using'
echo -e ' \u001b[1mvirsh console constell-nvram-gen\u001b[0m'
echo -e ''
echo -e 'Load db cert with MokManager or enroll full PKI with firmware setup'
echo -e ''
echo -e ' \u001b[1mMokManager\u001b[0m'
echo -e ' For mokmanager, try to boot as usual. You will see this message:'
echo -e ' > "Verification failed: (0x1A) Security Violation"'
echo -e ' Press OK, then ENTER, then "Enroll key from disk"'
echo -e ' Select the following key:'
echo -e ' > \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
echo -e ' Press Continue, then choose "Yes" to the question "Enroll the key(s)?"'
echo -e ' Choose reboot and continue this script.'
echo -e ''
echo -e ' \u001b[1mFirmware setup\u001b[0m'
echo -e ' For firmware setup, press F2.'
echo -e ' Go to "Device Manager">"Secure Boot Configuration">"Secure Boot Mode"'
echo -e ' Choose "Custom Mode"'
echo -e ' Go to "Custom Securee Boot Options"'
echo -e ' Go to "PK Options">"Enroll PK", Press "Y" if queried, "Enroll PK using File"'
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/PK.cer\u001b[0m'
echo -e ' Choose "Commit Changes and Exit"'
echo -e ' Go to "KEK Options">"Enroll KEK", Press "Y" if queried, "Enroll KEK using File"'
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/KEK.cer\u001b[0m'
echo -e ' Choose "Commit Changes and Exit"'
echo -e ' Go to "DB Options">"Enroll Signature">"Enroll Signature using File"'
echo -e ' Select the following cert: \u001b[1m/EFI/loader/keys/auto/db.cer\u001b[0m'
echo -e ' Choose "Commit Changes and Exit"'
echo -e ' Repeat the last step for the following certs:'
echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicWinProPCA2011_2011-10-19.crt\u001b[0m'
echo -e ' > \u001b[1m/EFI/loader/keys/auto/MicCorUEFCA2011_2011-06-27.crt\u001b[0m'
echo -e ' Reboot and continue this script.'
echo -e ''
echo -e 'Press ENTER to continue after you followed one of the guides from above.'
read -r
sudo cp "${BASE_DIR}/image.nvram" "${BASE_DIR}/image.nvram.template"
virsh --connect "${LIBVIRT_SOCK}" destroy --domain constell-nvram-gen
virsh --connect "${LIBVIRT_SOCK}" undefine --nvram constell-nvram-gen
rm -f "${BASE_DIR}/image.nvram"
echo "NVRAM template generated: $(realpath "--relative-to=$(pwd)" "${BASE_DIR}"/image.nvram.template)"
}
libvirt_nvram_gen "$1"

66
image/secure-boot/genkeys.sh
View file

@ -1,66 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# This script generates a PKI for secure boot.
# It is based on the example from https://github.com/systemd/systemd/blob/main/man/loader.conf.xml
# This is meant to be used for development purposes only.
# Release images are signed using a different set of keys.
# Set PKI to an empty folder and PKI_SET to "dev".
set -euo pipefail
shopt -s inherit_errexit
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
templates=${script_dir}/templates
base_dir=$(realpath "${script_dir}/..")
pki="${PKI:-${base_dir}/pki}"
pki_set="${PKI_SET:-dev}"
gen_pki() {
# Only use for non-production images.
# Use real PKI for production images instead.
mkdir -p "${pki}"
count=$(find "${pki}" -maxdepth 1 \( -name '*.key' -o -name '*.crt' -o -name '*.cer' -o -name '*.esl' -o -name '*.auth' \) 2> /dev/null | wc -l)
if [[ ${count} != 0 ]]; then
echo PKI files "$(ls -1 "$(realpath "--relative-to=$(pwd)" "${pki}")"/*.{key,crt,cer,esl,auth})" already exist
return
fi
pushd "${pki}" || exit 1
uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do
openssl req -new -x509 -config "${templates}/${pki_set}_${key}.conf" -keyout "${key}.key" -out "${key}.crt" -nodes
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
done
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
curl -fsSL "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
done
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
cat MicWinProPCA2011_2011-10-19.esl >> db.esl
# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
# and third-party boot loaders (including shim). This is highly recommended on real
# hardware as not including this may soft-brick your device (see next paragraph).
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
# Microsoft keys is used as the official UEFI revocation database is signed with this
# key. The revocation database can be updated with [fwupdmgr(1)](https://www.freedesktop.org/software/systemd/man/fwupdmgr.html#).
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
popd || exit 1
}
# gen_pki generates a PKI for testing purposes only.
# if keys/certs are already present in the pki folder, they are not regenerated.
gen_pki

48
image/secure-boot/signed-shim.sh
View file

@ -1,48 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# This script is used to add a signed shim to the image.raw file EFI partition after running `mkosi build`.
set -euo pipefail
shopt -s inherit_errexit
if (($# != 1)); then
echo "Usage: $0 <image.raw>"
exit 1
fi
# SOURCE is the URL used to download the signed shim RPM
SOURCE=https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm
# EXPECTED_SHA512 is the SHA512 checksum of the signed shim RPM
EXPECTED_SHA512=971978bddee95a6a134ef05c4d88cf5df41926e631de863b74ef772307f3e106c82c8f6889c18280d47187986abd774d8671c5be4b85b1b0bb3d1858b65d02cf
TMPDIR=$(mktemp -d)
pushd "${TMPDIR}"
curl -fsSL -o shim.rpm "${SOURCE}"
echo "Checking SHA512 checksum of signed shim..."
sha512sum -c <<< "${EXPECTED_SHA512} shim.rpm"
rpm2cpio shim.rpm | cpio -idmv
echo "${TMPDIR}"
popd
MOUNTPOINT=$(mktemp -d)
sectoroffset=$(sfdisk -J "${1}" | jq -r '.partitiontable.partitions[0].start')
byteoffset=$((sectoroffset * 512))
mount -o offset="${byteoffset}" "${1}" "${MOUNTPOINT}"
mkdir -p "${MOUNTPOINT}/EFI/BOOT/"
cp "${TMPDIR}/boot/efi/EFI/BOOT/BOOTX64.EFI" "${MOUNTPOINT}/EFI/BOOT/"
cp "${TMPDIR}/boot/efi/EFI/fedora/mmx64.efi" "${MOUNTPOINT}/EFI/BOOT/"
cp "${MOUNTPOINT}/EFI/systemd/systemd-bootx64.efi" "${MOUNTPOINT}/EFI/BOOT/grubx64.efi"
# Remove unused kernel and initramfs from EFI to save space
# We boot from unified kernel image anyway
rm -f "${MOUNTPOINT}"/*/*/{linux,initrd}
umount "${MOUNTPOINT}"
rm -rf "${MOUNTPOINT}"
rm -rf "${TMPDIR}"

20
image/secure-boot/templates/dev_KEK.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Development KEK CA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/dev_PK.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Development UEFI CA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/dev_db.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Development PCA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/prod_KEK.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation KEK CA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/prod_PK.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation UEFI CA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/prod_db.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Production PCA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/testing_KEK.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Testing KEK CA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/testing_PK.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Testing UEFI CA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign

20
image/secure-boot/templates/testing_db.conf
View file

@ -1,20 +0,0 @@
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
dirstring_type = nobmp
[ req_distinguished_name ]
C = DE
ST = Nordrhein Westfalen
L = Bochum
O = Edgeless Systems GmbH
CN = Constellation Testing PCA 2022
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = digitalSignature,keyCertSign,cRLSign