Commit Graph

176 Commits

Author SHA1 Message Date
Otto Bittner
75ce11af14
cli: disable smt via cpu_options (#2291)
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
2023-09-01 11:26:21 +02:00
Malte Poll
78fa921746
image: use longterm release of the Linux kernel (#2228) 2023-08-16 10:42:48 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 16:48:13 +02:00
Malte Poll
6098ff3612
image: synchronize time via ntp (#2118) 2023-07-19 14:11:24 +02:00
Daniel Weiße
d03f8c7d78
image: use AWS linux kernel for AWS images to fix deadlock (#2115)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-18 15:08:34 +02:00
Malte Poll
bae9dc9a36
image: always copy amazon ena driver into initrd (#2112) 2023-07-18 11:23:30 +02:00
Malte Poll
264b2df902
deps: upgrade to Fedora 38 (#1909)
* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
2023-06-15 16:50:35 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)
* rename to attestationconfigapi + put client and fetcher inside pkg

* rename api/version to versionsapi and put fetcher + client inside pkg

* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
e1d3afe8d4
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839) 2023-06-02 11:20:01 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg (#1851)
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup (#1837)
* chore: add TODO responsibilities

* chore: remove not needed TODOs

* chore: remove outdated migrations

* chore: remove resolved goleak exception

* chore: remove not needed cosign env

* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Otto Bittner
0c13f3ed8d image: add aws_aws-sev-snp variant
This needs no changes to the existing AWS image.
The images have worked without modification so far.
2023-06-01 11:25:31 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API (#1808) 2023-05-25 17:43:44 +01:00
Malte Poll
217a744606 image: add go code to upload image info and measurements 2023-05-25 15:01:15 +02:00
Malte Poll
b8751f35f9 image: add intermediate "image" verb to upload tool 2023-05-25 15:01:15 +02:00
Malte Poll
d0e53cbb59 cli: image info (v2) 2023-05-25 15:01:15 +02:00
Malte Poll
2ebc0cf2c8 image: set attestation variant explicitly 2023-05-25 15:01:15 +02:00
3u13r
6e574fd52c
ci: fix os image archive path (#1809) 2023-05-22 14:05:34 +02:00
Malte Poll
a2d701f421 image: remove upload scripts 2023-05-05 12:06:44 +02:00
Malte Poll
ee91d8b1cc image: implement idempotent upload of os images 2023-05-05 12:06:44 +02:00
Malte Poll
cb6cc8df22
image: fix pcr 12 calculation (#1706)
Kernel cmdline embedded in UKIs had no null terminator before. With newer versions of mkosi, it is already null-terminated so we shouldn't null terminate it twice.
2023-05-02 12:01:30 +02:00
Paul Meyer
7ab23c28b8 Revert "misc: replace sha256sum with shasum -a 256 (#1681)"
This reverts commit ec1d5e9fb5.

While the change enabled shasum calculation on mac, it broke it
on some Linux distros.
2023-05-02 11:07:05 +02:00
Malte Poll
ec1d5e9fb5
misc: replace sha256sum with shasum -a 256 (#1681) 2023-04-26 13:40:18 +02:00
Malte Poll
84dd25600f
image: upgrade mkosi to support repart (#1684) 2023-04-25 18:22:40 +02:00
Malte Poll
69de06dd1f
image: OpenStack vTPM (#1616)
* cli: allow vpc traffic between nodes on OpenStack
* image: enable vTPM on OpenStack
* cli: add create tests for OpenStack
2023-04-05 16:49:03 +02:00
Malte Poll
3e73530b4f image: use dummy attestation for OpenStack 2023-03-21 10:51:09 +01:00
Nils Hanke
1a35eab765
image: update Azure and GCP to kernel 6.1.18 (#1406) 2023-03-13 17:48:31 +01:00
Malte Poll
d34f4d4457
image: increase esp size (#1393) 2023-03-10 11:08:40 +01:00
Daniel Weiße
8c87bba755
Add measurement reader (#1381)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-09 11:22:58 +01:00
Malte Poll
ac94e01642
image: downgrade systemd to 251.11-2 (#1369) 2023-03-08 10:45:53 +01:00
Malte Poll
0ba2c1c2bd
image: add systemd-boot as explicit dependency (#1351) 2023-03-07 10:19:28 +01:00
Malte Poll
e02183b9d9
Merge pull request from GHSA-6w5f-5wgr-qjg5 2023-03-07 09:26:36 +01:00
Malte Poll
1624af0cc7
image: pin aws uefivars version and install new deps (#1345) 2023-03-06 13:29:15 +01:00
Malte Poll
96b4b74a7a
image: set attestation variant on kernel cmdline (#1323) 2023-03-02 12:20:10 +01:00
Malte Poll
b79f7d0c8c
cli: add basic support for constellation create on OpenStack (#1283)
* image: support OpenStack image build / upload

* cli: add OpenStack terraform template

* config: add OpenStack as CSP

* versionsapi: add OpenStack as CSP

* cli: add OpenStack as provider for `config generate` and `create`

* disk-mapper: add basic support for boot on OpenStack

* debugd: add placeholder for OpenStack

* image: fix config file sourcing for image upload
2023-02-27 18:19:52 +01:00
Nils Hanke
b013a7ab32 image: update to Linux 6.1.14 for Azure 2023-02-27 17:04:24 +01:00
leongross
efc0cec4e1
image: verbose debugging options (#1159) 2023-02-24 14:25:39 +01:00
Nils Hanke
109177880e
image: upgrade to Linux 6.1.12 for Azure (#1184) 2023-02-15 15:00:05 +01:00
Fabian Kammel
c65b677f58
fix path for qemu/image.raw in S3/CDN (#1106)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2023-01-31 10:44:19 +01:00
Malte Poll
5eb0b88bd7 image: setup debugd as a separate systemd unit 2023-01-25 09:58:56 +01:00
Paul Meyer
a31d79e9cb ci: curl flags
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-20 14:23:32 +01:00
Malte Poll
58cc67c736
image: upgrade azure kernel to 6.1.7 (#1027) 2023-01-19 18:03:56 +01:00
Nils Hanke
912384a87d
image: fix "ignored null byte in input" warning on AWS 2023-01-17 21:25:04 +01:00
Paul Meyer
f90a13ad86 image: fix shell code format
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-01-16 14:49:33 +01:00
Otto Bittner
0b0e0ba46a image: apply shellfmt suggestions 2023-01-16 12:20:54 +01:00
Malte Poll
938f114086
ci: implement "console" stream for OS images (#969)
* image: add AUTOLOGIN environment variable to conditionally enable serial console login
* ci: implement "console" stream for OS images
* debugd: remove serial console login access code
2023-01-16 12:20:01 +01:00
Malte Poll
82462fab17
image: enable serial console access for MiniConstellation to simplify troubleshooting (#964)
- enable serial console access for QEMU / mini Constellation
- print motd if serial console access is enabled
2023-01-13 16:01:45 +01:00
Malte Poll
67be4016f5 ci: generate signed measurements for QEMU 2023-01-12 13:24:07 +01:00
Leonard Cohnen
703f73a761 upgrade-agent: non-interactive mode 2023-01-09 12:16:54 +01:00
Malte Poll
25eaff26ff
Downgrade azure kernel to 5.19.4 (#862) 2023-01-04 17:48:27 +01:00
3u13r
473e16feb2
image: add upgrade-agent (#827) 2022-12-29 17:50:11 +01:00
Paul Meyer
b9a1a9ae5e
image: set runtime-endpoint in crictl config (#821)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-22 12:34:28 +01:00
Paul Meyer
c741ccfb4b kubernetes: use new registry
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-13 16:08:19 +01:00
Paul Meyer
0150fcc22c
ci: fix new shellcheck v0.9.0 findings (#795)
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-13 13:24:03 +01:00
Malte Poll
4a8ebfd921 OS images: use "ref", "stream" and "version"
Switch azure default region to west us
Update find-image script to work with new API spec
Add version for every os image build
generate measurements: Use new API paths
CLI: config fetch measurements: Use image short versions to fetch measurements
CLI: allows shortnames to specify image in config
Image build pipeline: Change paths to contain "ref" and "stream"
2022-12-09 13:37:43 +01:00
Malte Poll
53576d63a0
Downgrade GCP kernel to 5.19.17-300 (#763) 2022-12-09 13:20:00 +01:00
Paul Meyer
1709da0085 image: fix script for PKI generation
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-12-08 18:07:54 +01:00
Paul Meyer
a0a7294546 image: set TERM environmet variable
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Paul Meyer
b93b24e058 debugd: add logcollector
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Paul Meyer
8224d4cd1f image: install podman
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-30 16:26:25 +01:00
Daniel Weiße
ad7baa667a
CSI driver fixes (#668)
* Fix invalid key id for resize operations

* Add udev rule for unlabeled disks

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-11-30 08:35:38 +01:00
Malte Poll
29ff6cb786 Move hardcoded all zero PCR[12] to PCR[8] 2022-11-22 11:37:53 +01:00
Malte Poll
efaa0622a8 Include image version in mkosi builds 2022-11-18 10:37:45 +01:00
Malte Poll
74aabe86fa Move PCR[8] -> PCR[12] 2022-11-18 10:37:45 +01:00
Malte Poll
239b9f6c26 Upgrade images to Fedora 37 2022-11-18 10:37:45 +01:00
Malte Poll
78481b32e8
Move image artifacts "/v1/" => "/constellation/v1" (#579) 2022-11-17 16:14:38 +01:00
Paul Meyer
7f5a1dd901 ci: use /usr/bin/env instead of /bin/env
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 12:01:29 +01:00
Paul Meyer
cca02597c8 image: remove bash options from sourced scripts
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 11:28:49 +01:00
Paul Meyer
4847b71faa image: use bash shebang
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-17 11:28:49 +01:00
Malte Poll
cdaf1fc476
OS Image Build pipeline: prepare lookup tables and additional artifacts (#560) 2022-11-16 15:45:10 +01:00
Malte Poll
74a7a80153
Do not quote azure image upload params (#549) 2022-11-14 15:31:50 +01:00
Malte Poll
14f0432624
Undo shell options for dracut module-setup (#545) 2022-11-14 14:28:47 +01:00
Paul Meyer
106b738fab ci: format shellscripts
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-11 15:53:57 +01:00
Paul Meyer
7aa7492474 Fix shellcheck warnings
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2022-11-11 13:40:13 +01:00
Malte Poll
e9fecec0bc Only publish release AMIs 2022-11-09 14:29:58 +01:00
Malte Poll
a96f07dbdd shellcheck upload_aws.sh 2022-11-09 14:29:58 +01:00
Malte Poll
9e12e004bb
Set SELinux from disabled to permissive (#474) 2022-11-09 12:04:58 +01:00
Malte Poll
ac5ad7c378
Clarify Azure Secure Boot / VMGS settings when uploading images (#488) 2022-11-09 10:11:23 +01:00
Malte Poll
e07c6ada5c Backport systemd-resolved fixes for Fedora 36 2022-11-08 00:07:04 +01:00
Malte Poll
2171b9fb31 Install CA certificates in initrd 2022-11-08 00:07:04 +01:00
Malte Poll
0d7e0b44b8 Wait for nss-lookup in initrd 2022-11-08 00:07:04 +01:00
Malte Poll
86001daf7f Install systemd-resolved in dracut to enable DNS 2022-11-08 00:07:04 +01:00
Malte Poll
ed58fcccd3
CI: Add secure boot prod keys (#462)
* Add production secure boot keys
* Refactor OS build and upload settings
2022-11-04 16:48:52 +01:00
Malte Poll
4a7024c469
Make AMI public on creation (#426) 2022-11-03 15:22:51 +01:00
Malte Poll
c1e3231848
Preinstall kubelet systemd unit in OS images (#365) 2022-10-25 16:36:03 +02:00
Otto Bittner
c2814aeddb
AB#2504: Deploy join-service via helm (#358) 2022-10-24 12:23:18 +02:00
Malte Poll
d46408d00b
Dracut: use inst_rules to install udev rules (#359) 2022-10-24 12:05:55 +02:00
Malte Poll
07f2ed94f8
Manually create AWS state disk symlink (#355)
Co-authored-by: Nils Hanke <Nirusu@users.noreply.github.com>
2022-10-24 11:55:11 +02:00
Malte Poll
26cfbfdd1f
Add AWS nvme udev rules (#351) 2022-10-21 14:55:13 +02:00
Malte Poll
f3d78a573f Disable Azure VM agent and report VM as ready 2022-10-21 11:04:25 +02:00
Malte Poll
b57b25fdaa Image upload AWS 2022-10-21 11:04:25 +02:00
Malte Poll
35e2267cf9 Move mkosi folder to old image folder location 2022-10-21 11:04:25 +02:00
Malte Poll
24f3371cf6 Remove CoreOS image folder 2022-10-21 11:04:25 +02:00
Malte Poll
26fdfa4bee Prefill PCR[11], PCR[12], PCR[13], PCR[15] 2022-10-21 11:04:25 +02:00
Malte Poll
835f7702a4 Precalculate expected PCR[9] 2022-10-21 11:04:25 +02:00
Malte Poll
6859c6b00e Precalculate expected PCR[8] 2022-10-21 11:04:25 +02:00
Malte Poll
1e9608c796 Precalculate expected PCR[4] 2022-10-21 11:04:25 +02:00
Malte Poll
21617dc7db Add license identifiers to scripts 2022-10-21 11:04:25 +02:00
Malte Poll
34367ea3cc Create mkosi image build pipeline 2022-10-21 11:04:25 +02:00
katexochen
14017e0f18 Fix typos 2022-09-30 16:50:52 +02:00