Otto Bittner
75ce11af14
cli: disable smt via cpu_options ( #2291 )
...
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
2023-09-01 11:26:21 +02:00
Malte Poll
78fa921746
image: use longterm release of the Linux kernel ( #2228 )
2023-08-16 10:42:48 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction ( #2142 )
2023-08-01 16:48:13 +02:00
Malte Poll
6098ff3612
image: synchronize time via ntp ( #2118 )
2023-07-19 14:11:24 +02:00
Daniel Weiße
d03f8c7d78
image: use AWS linux kernel for AWS images to fix deadlock ( #2115 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-18 15:08:34 +02:00
Malte Poll
bae9dc9a36
image: always copy amazon ena driver into initrd ( #2112 )
2023-07-18 11:23:30 +02:00
Malte Poll
264b2df902
deps: upgrade to Fedora 38 ( #1909 )
...
* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
2023-06-15 16:50:35 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi ( #1876 )
...
* rename to attestationconfigapi + put client and fetcher inside pkg
* rename api/version to versionsapi and put fetcher + client inside pkg
* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
e1d3afe8d4
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api ( #1839 )
2023-06-02 11:20:01 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg ( #1851 )
...
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup ( #1837 )
...
* chore: add TODO responsibilities
* chore: remove not needed TODOs
* chore: remove outdated migrations
* chore: remove resolved goleak exception
* chore: remove not needed cosign env
* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Otto Bittner
0c13f3ed8d
image: add aws_aws-sev-snp variant
...
This needs no changes to the existing AWS image.
The images have worked without modification so far.
2023-06-01 11:25:31 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API ( #1808 )
2023-05-25 17:43:44 +01:00
Malte Poll
217a744606
image: add go code to upload image info and measurements
2023-05-25 15:01:15 +02:00
Malte Poll
b8751f35f9
image: add intermediate "image" verb to upload tool
2023-05-25 15:01:15 +02:00
Malte Poll
d0e53cbb59
cli: image info (v2)
2023-05-25 15:01:15 +02:00
Malte Poll
2ebc0cf2c8
image: set attestation variant explicitly
2023-05-25 15:01:15 +02:00
3u13r
6e574fd52c
ci: fix os image archive path ( #1809 )
2023-05-22 14:05:34 +02:00
Malte Poll
a2d701f421
image: remove upload scripts
2023-05-05 12:06:44 +02:00
Malte Poll
ee91d8b1cc
image: implement idempotent upload of os images
2023-05-05 12:06:44 +02:00
Malte Poll
cb6cc8df22
image: fix pcr 12 calculation ( #1706 )
...
Kernel cmdline embedded in UKIs had no null terminator before. With newer versions of mkosi, it is already null-terminated so we shouldn't null terminate it twice.
2023-05-02 12:01:30 +02:00
Paul Meyer
7ab23c28b8
Revert "misc: replace sha256sum with shasum -a 256 ( #1681 )"
...
This reverts commit ec1d5e9fb5
.
While the change enabled shasum calculation on mac, it broke it
on some Linux distros.
2023-05-02 11:07:05 +02:00
Malte Poll
ec1d5e9fb5
misc: replace sha256sum with shasum -a 256 ( #1681 )
2023-04-26 13:40:18 +02:00
Malte Poll
84dd25600f
image: upgrade mkosi to support repart ( #1684 )
2023-04-25 18:22:40 +02:00
Malte Poll
69de06dd1f
image: OpenStack vTPM ( #1616 )
...
* cli: allow vpc traffic between nodes on OpenStack
* image: enable vTPM on OpenStack
* cli: add create tests for OpenStack
2023-04-05 16:49:03 +02:00
Malte Poll
3e73530b4f
image: use dummy attestation for OpenStack
2023-03-21 10:51:09 +01:00
Nils Hanke
1a35eab765
image: update Azure and GCP to kernel 6.1.18 ( #1406 )
2023-03-13 17:48:31 +01:00
Malte Poll
d34f4d4457
image: increase esp size ( #1393 )
2023-03-10 11:08:40 +01:00
Daniel Weiße
8c87bba755
Add measurement reader ( #1381 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-09 11:22:58 +01:00
Malte Poll
ac94e01642
image: downgrade systemd to 251.11-2 ( #1369 )
2023-03-08 10:45:53 +01:00
Malte Poll
0ba2c1c2bd
image: add systemd-boot as explicit dependency ( #1351 )
2023-03-07 10:19:28 +01:00
Malte Poll
e02183b9d9
Merge pull request from GHSA-6w5f-5wgr-qjg5
2023-03-07 09:26:36 +01:00
Malte Poll
1624af0cc7
image: pin aws uefivars version and install new deps ( #1345 )
2023-03-06 13:29:15 +01:00
Malte Poll
96b4b74a7a
image: set attestation variant on kernel cmdline ( #1323 )
2023-03-02 12:20:10 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create
on OpenStack ( #1283 )
...
* image: support OpenStack image build / upload
* cli: add OpenStack terraform template
* config: add OpenStack as CSP
* versionsapi: add OpenStack as CSP
* cli: add OpenStack as provider for `config generate` and `create`
* disk-mapper: add basic support for boot on OpenStack
* debugd: add placeholder for OpenStack
* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Nils Hanke
b013a7ab32
image: update to Linux 6.1.14 for Azure
2023-02-27 17:04:24 +01:00
leongross
efc0cec4e1
image: verbose debugging options ( #1159 )
2023-02-24 14:25:39 +01:00
Nils Hanke
109177880e
image: upgrade to Linux 6.1.12 for Azure ( #1184 )
2023-02-15 15:00:05 +01:00
Fabian Kammel
c65b677f58
fix path for qemu/image.raw in S3/CDN ( #1106 )
...
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-01-31 10:44:19 +01:00
Malte Poll
5eb0b88bd7
image: setup debugd as a separate systemd unit
2023-01-25 09:58:56 +01:00
Paul Meyer
a31d79e9cb
ci: curl flags
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-20 14:23:32 +01:00
Malte Poll
58cc67c736
image: upgrade azure kernel to 6.1.7 ( #1027 )
2023-01-19 18:03:56 +01:00
Nils Hanke
912384a87d
image: fix "ignored null byte in input" warning on AWS
2023-01-17 21:25:04 +01:00
Paul Meyer
f90a13ad86
image: fix shell code format
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-16 14:49:33 +01:00
Otto Bittner
0b0e0ba46a
image: apply shellfmt suggestions
2023-01-16 12:20:54 +01:00
Malte Poll
938f114086
ci: implement "console" stream for OS images ( #969 )
...
* image: add AUTOLOGIN environment variable to conditionally enable serial console login
* ci: implement "console" stream for OS images
* debugd: remove serial console login access code
2023-01-16 12:20:01 +01:00
Malte Poll
82462fab17
image: enable serial console access for MiniConstellation to simplify troubleshooting ( #964 )
...
- enable serial console access for QEMU / mini Constellation
- print motd if serial console access is enabled
2023-01-13 16:01:45 +01:00
Malte Poll
67be4016f5
ci: generate signed measurements for QEMU
2023-01-12 13:24:07 +01:00
Leonard Cohnen
703f73a761
upgrade-agent: non-interactive mode
2023-01-09 12:16:54 +01:00
Malte Poll
25eaff26ff
Downgrade azure kernel to 5.19.4 ( #862 )
2023-01-04 17:48:27 +01:00
3u13r
473e16feb2
image: add upgrade-agent ( #827 )
2022-12-29 17:50:11 +01:00
Paul Meyer
b9a1a9ae5e
image: set runtime-endpoint in crictl config ( #821 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-22 12:34:28 +01:00
Paul Meyer
c741ccfb4b
kubernetes: use new registry
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-13 16:08:19 +01:00
Paul Meyer
0150fcc22c
ci: fix new shellcheck v0.9.0 findings ( #795 )
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-13 13:24:03 +01:00
Malte Poll
4a8ebfd921
OS images: use "ref", "stream" and "version"
...
Switch azure default region to west us
Update find-image script to work with new API spec
Add version for every os image build
generate measurements: Use new API paths
CLI: config fetch measurements: Use image short versions to fetch measurements
CLI: allows shortnames to specify image in config
Image build pipeline: Change paths to contain "ref" and "stream"
2022-12-09 13:37:43 +01:00
Malte Poll
53576d63a0
Downgrade GCP kernel to 5.19.17-300 ( #763 )
2022-12-09 13:20:00 +01:00
Paul Meyer
1709da0085
image: fix script for PKI generation
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-08 18:07:54 +01:00
Paul Meyer
a0a7294546
image: set TERM environmet variable
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Paul Meyer
b93b24e058
debugd: add logcollector
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Paul Meyer
8224d4cd1f
image: install podman
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Daniel Weiße
ad7baa667a
CSI driver fixes ( #668 )
...
* Fix invalid key id for resize operations
* Add udev rule for unlabeled disks
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-30 08:35:38 +01:00
Malte Poll
29ff6cb786
Move hardcoded all zero PCR[12] to PCR[8]
2022-11-22 11:37:53 +01:00
Malte Poll
efaa0622a8
Include image version in mkosi builds
2022-11-18 10:37:45 +01:00
Malte Poll
74aabe86fa
Move PCR[8] -> PCR[12]
2022-11-18 10:37:45 +01:00
Malte Poll
239b9f6c26
Upgrade images to Fedora 37
2022-11-18 10:37:45 +01:00
Malte Poll
78481b32e8
Move image artifacts "/v1/" => "/constellation/v1" ( #579 )
2022-11-17 16:14:38 +01:00
Paul Meyer
7f5a1dd901
ci: use /usr/bin/env instead of /bin/env
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 12:01:29 +01:00
Paul Meyer
cca02597c8
image: remove bash options from sourced scripts
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 11:28:49 +01:00
Paul Meyer
4847b71faa
image: use bash shebang
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 11:28:49 +01:00
Malte Poll
cdaf1fc476
OS Image Build pipeline: prepare lookup tables and additional artifacts ( #560 )
2022-11-16 15:45:10 +01:00
Malte Poll
74a7a80153
Do not quote azure image upload params ( #549 )
2022-11-14 15:31:50 +01:00
Malte Poll
14f0432624
Undo shell options for dracut module-setup ( #545 )
2022-11-14 14:28:47 +01:00
Paul Meyer
106b738fab
ci: format shellscripts
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-11 15:53:57 +01:00
Paul Meyer
7aa7492474
Fix shellcheck warnings
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-11 13:40:13 +01:00
Malte Poll
e9fecec0bc
Only publish release AMIs
2022-11-09 14:29:58 +01:00
Malte Poll
a96f07dbdd
shellcheck upload_aws.sh
2022-11-09 14:29:58 +01:00
Malte Poll
9e12e004bb
Set SELinux from disabled to permissive ( #474 )
2022-11-09 12:04:58 +01:00
Malte Poll
ac5ad7c378
Clarify Azure Secure Boot / VMGS settings when uploading images ( #488 )
2022-11-09 10:11:23 +01:00
Malte Poll
e07c6ada5c
Backport systemd-resolved fixes for Fedora 36
2022-11-08 00:07:04 +01:00
Malte Poll
2171b9fb31
Install CA certificates in initrd
2022-11-08 00:07:04 +01:00
Malte Poll
0d7e0b44b8
Wait for nss-lookup in initrd
2022-11-08 00:07:04 +01:00
Malte Poll
86001daf7f
Install systemd-resolved in dracut to enable DNS
2022-11-08 00:07:04 +01:00
Malte Poll
ed58fcccd3
CI: Add secure boot prod keys ( #462 )
...
* Add production secure boot keys
* Refactor OS build and upload settings
2022-11-04 16:48:52 +01:00
Malte Poll
4a7024c469
Make AMI public on creation ( #426 )
2022-11-03 15:22:51 +01:00
Malte Poll
c1e3231848
Preinstall kubelet systemd unit in OS images ( #365 )
2022-10-25 16:36:03 +02:00
Otto Bittner
c2814aeddb
AB#2504: Deploy join-service via helm ( #358 )
2022-10-24 12:23:18 +02:00
Malte Poll
d46408d00b
Dracut: use inst_rules to install udev rules ( #359 )
2022-10-24 12:05:55 +02:00
Malte Poll
07f2ed94f8
Manually create AWS state disk symlink ( #355 )
...
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
2022-10-24 11:55:11 +02:00
Malte Poll
26cfbfdd1f
Add AWS nvme udev rules ( #351 )
2022-10-21 14:55:13 +02:00
Malte Poll
f3d78a573f
Disable Azure VM agent and report VM as ready
2022-10-21 11:04:25 +02:00
Malte Poll
b57b25fdaa
Image upload AWS
2022-10-21 11:04:25 +02:00
Malte Poll
35e2267cf9
Move mkosi folder to old image folder location
2022-10-21 11:04:25 +02:00
Malte Poll
24f3371cf6
Remove CoreOS image folder
2022-10-21 11:04:25 +02:00
Malte Poll
26fdfa4bee
Prefill PCR[11], PCR[12], PCR[13], PCR[15]
2022-10-21 11:04:25 +02:00
Malte Poll
835f7702a4
Precalculate expected PCR[9]
2022-10-21 11:04:25 +02:00
Malte Poll
6859c6b00e
Precalculate expected PCR[8]
2022-10-21 11:04:25 +02:00
Malte Poll
1e9608c796
Precalculate expected PCR[4]
2022-10-21 11:04:25 +02:00
Malte Poll
21617dc7db
Add license identifiers to scripts
2022-10-21 11:04:25 +02:00
Malte Poll
34367ea3cc
Create mkosi image build pipeline
2022-10-21 11:04:25 +02:00
katexochen
14017e0f18
Fix typos
2022-09-30 16:50:52 +02:00