edgelessci
60921fcc14
image: update locked rpms ( #2614 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-20 14:19:26 +01:00
edgelessci
285b7bc47d
image: update locked rpms ( #2575 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-12 11:20:48 +01:00
edgelessci
e29d32af7f
image: update locked rpms ( #2555 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-10 19:50:38 +01:00
Malte Poll
4fe51cd5f4
image: use dissect from nix ( #2558 )
2023-11-06 17:50:21 +01:00
3u13r
618da92c7f
image: use all of cilium's sysctl overrides ( #2532 )
2023-10-30 11:19:58 +01:00
edgelessci
b76bd3dfcc
image: update locked rpms ( #2535 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-30 09:31:05 +01:00
edgelessci
9c89b75a53
image: update locked rpms ( #2498 )
2023-10-22 10:10:48 +02:00
Malte Poll
1a141c3972
image: add rpm database as build output ( #2442 )
...
For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format.
For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact.
We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).
2023-10-17 14:04:41 +02:00
Malte Poll
e93de82c0b
image: use systemd-dissect from the host when calculating measurements ( #2473 )
...
* image: use systemd-dissect from the host when calculating measurements
* ci: setup bazel and nix toolchains before merging os image measurements
2023-10-17 13:26:07 +02:00
Malte Poll
bad9edb99b
image: move mkosi settings into their actual sections ( #2471 )
...
mkosi now warns about what settings are defined in what sections.
Soon, the config parsing might fail when settings are in the wrong sections.
2023-10-17 12:44:19 +02:00
edgelessci
d9bd870dbd
image: update locked rpms ( #2463 )
...
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-17 09:42:00 +02:00
Malte Poll
8bc1d80d86
image: install rpms from lockfile
2023-10-17 09:23:56 +02:00
Malte Poll
d22f53d7cc
bazel: always use nix
2023-10-12 14:42:24 +02:00
Malte Poll
f6d9f91877
image: reimplement and adapt measurement generation in Go
2023-09-27 17:58:19 +02:00
Malte Poll
8e706d6de3
image: update README
2023-09-27 17:58:19 +02:00
Malte Poll
3543fe140e
image: allow toggling secure boot in image upload
2023-09-27 17:58:19 +02:00
Malte Poll
c6ea596eb9
image: system layer
2023-09-27 17:58:19 +02:00
Malte Poll
4ef3d10be3
image: initrd layer
2023-09-27 17:58:19 +02:00
Malte Poll
d904766b9c
image: base layer
2023-09-27 17:58:19 +02:00
Malte Poll
fc1045a4f7
image: remove old mkosi config
2023-09-27 17:58:19 +02:00
Malte Poll
825dab0e0b
image: add sysroot files
2023-09-27 17:58:19 +02:00
Paul Meyer
53e48f453f
image: remove unused upload script
...
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-27 15:06:55 +02:00
Otto Bittner
cb934ed087
image: move idle and nosmt to aws-only images ( #2297 )
...
We don't want these options on other CSPs. This is temporary until AWS
fixed some background issues.
We need to set the option we want to set differently on each provider
once per provider as we need to keep some of the options we set with
higher priority.
2023-09-04 14:02:10 +02:00
Malte Poll
ecfb6d9b1f
image: update to Linux 6.1.46 ( #2268 )
2023-09-04 11:41:25 +02:00
Otto Bittner
75ce11af14
cli: disable smt via cpu_options ( #2291 )
...
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
2023-09-01 11:26:21 +02:00
Malte Poll
78fa921746
image: use longterm release of the Linux kernel ( #2228 )
2023-08-16 10:42:48 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction ( #2142 )
2023-08-01 16:48:13 +02:00
Malte Poll
6098ff3612
image: synchronize time via ntp ( #2118 )
2023-07-19 14:11:24 +02:00
Daniel Weiße
d03f8c7d78
image: use AWS linux kernel for AWS images to fix deadlock ( #2115 )
...
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-18 15:08:34 +02:00
Malte Poll
bae9dc9a36
image: always copy amazon ena driver into initrd ( #2112 )
2023-07-18 11:23:30 +02:00
Malte Poll
264b2df902
deps: upgrade to Fedora 38 ( #1909 )
...
* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
2023-06-15 16:50:35 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi ( #1876 )
...
* rename to attestationconfigapi + put client and fetcher inside pkg
* rename api/version to versionsapi and put fetcher + client inside pkg
* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
e1d3afe8d4
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api ( #1839 )
2023-06-02 11:20:01 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg ( #1851 )
...
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test
Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup ( #1837 )
...
* chore: add TODO responsibilities
* chore: remove not needed TODOs
* chore: remove outdated migrations
* chore: remove resolved goleak exception
* chore: remove not needed cosign env
* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Otto Bittner
0c13f3ed8d
image: add aws_aws-sev-snp variant
...
This needs no changes to the existing AWS image.
The images have worked without modification so far.
2023-06-01 11:25:31 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API ( #1808 )
2023-05-25 17:43:44 +01:00
Malte Poll
217a744606
image: add go code to upload image info and measurements
2023-05-25 15:01:15 +02:00
Malte Poll
b8751f35f9
image: add intermediate "image" verb to upload tool
2023-05-25 15:01:15 +02:00
Malte Poll
d0e53cbb59
cli: image info (v2)
2023-05-25 15:01:15 +02:00
Malte Poll
2ebc0cf2c8
image: set attestation variant explicitly
2023-05-25 15:01:15 +02:00
3u13r
6e574fd52c
ci: fix os image archive path ( #1809 )
2023-05-22 14:05:34 +02:00
Malte Poll
a2d701f421
image: remove upload scripts
2023-05-05 12:06:44 +02:00
Malte Poll
ee91d8b1cc
image: implement idempotent upload of os images
2023-05-05 12:06:44 +02:00
Malte Poll
cb6cc8df22
image: fix pcr 12 calculation ( #1706 )
...
Kernel cmdline embedded in UKIs had no null terminator before. With newer versions of mkosi, it is already null-terminated so we shouldn't null terminate it twice.
2023-05-02 12:01:30 +02:00
Paul Meyer
7ab23c28b8
Revert "misc: replace sha256sum with shasum -a 256 ( #1681 )"
...
This reverts commit ec1d5e9fb5
.
While the change enabled shasum calculation on mac, it broke it
on some Linux distros.
2023-05-02 11:07:05 +02:00
Malte Poll
ec1d5e9fb5
misc: replace sha256sum with shasum -a 256 ( #1681 )
2023-04-26 13:40:18 +02:00
Malte Poll
84dd25600f
image: upgrade mkosi to support repart ( #1684 )
2023-04-25 18:22:40 +02:00
Malte Poll
69de06dd1f
image: OpenStack vTPM ( #1616 )
...
* cli: allow vpc traffic between nodes on OpenStack
* image: enable vTPM on OpenStack
* cli: add create tests for OpenStack
2023-04-05 16:49:03 +02:00
Malte Poll
3e73530b4f
image: use dummy attestation for OpenStack
2023-03-21 10:51:09 +01:00