name: Build and Upload OS image on: workflow_dispatch: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false debug: description: "Build debug image" type: boolean default: false required: false jobs: build-dependencies: name: "Build binaries for embedding in the OS" runs-on: ubuntu-22.04 permissions: contents: read packages: read outputs: bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 - name: Build bootstrapper if: ${{ inputs.debug == false }} uses: ./.github/actions/build_bootstrapper with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build debugd if: ${{ inputs.debug == true }} uses: ./.github/actions/build_debugd with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build disk-mapper uses: ./.github/actions/build_disk_mapper with: outputPath: ${{ github.workspace }}/build/disk-mapper - name: Upload dependencies uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 with: name: dependencies path: | ${{ github.workspace }}/build/bootstrapper ${{ github.workspace }}/build/disk-mapper - name: Collect hashes id: collect-hashes run: | echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/build make-os-image: name: "Build OS using mkosi" needs: build-dependencies runs-on: ubuntu-22.04 # TODO: flatten outputs once possible # https://github.com/community/community/discussions/17245 outputs: image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }} image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }} image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }} image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }} image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }} image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }} image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }} image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }} image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }} image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }} image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }} image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }} image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }} image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }} image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }} image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }} image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }} image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }} image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }} image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }} image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }} image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }} image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }} image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }} strategy: matrix: csp: [azure, gcp, qemu] steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 - name: Download build dependencies uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: dependencies path: ${{ github.workspace }}/build - name: Mark bootstrapper and disk-mapper as executable run: | chmod +x ${{ github.workspace }}/build/bootstrapper chmod +x ${{ github.workspace }}/build/disk-mapper - name: Setup mkosi uses: ./.github/actions/setup_mkosi with: version: 1750fc261a071f39c54f8b64ce2424195f750ee0 - name: Prepare PKI for secure boot signing shell: bash run: | ln -s pki_testing pki echo "${DB_KEY}" > pki/db.key working-directory: ${{ github.workspace }}/image/mkosi env: DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }} - name: Build shell: bash run: | echo "::group::Build" sudo make "${CSP}" echo "::endgroup::" working-directory: ${{ github.workspace }}/image/mkosi env: BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper CSP: ${{ matrix.csp }} - name: Collect hashes id: collect-hashes run: | echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36 continue-on-error: true - name: Upload raw OS image as artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw if: always() continue-on-error: true - name: Upload individual OS parts as artifacts uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 with: name: parts-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz if: always() continue-on-error: true - name: Upload manifest as artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 with: name: manifest-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest if: always() continue-on-error: true upload-os-image: name: "Upload OS image to CSP" needs: make-os-image runs-on: ubuntu-22.04 strategy: matrix: csp: [azure, gcp] upload-variant: [""] include: - csp: azure upload-variant: TrustedLaunch steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 - name: Download OS image artifact uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi/mkosi.output.${{ matrix.csp }}/fedora~36 - name: Install tools shell: bash run: | echo "::group::Install tools" sudo apt-get update sudo apt-get install -y pigz qemu-utils echo "::endgroup::" - name: Login to Azure uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 if: ${{ matrix.csp == 'azure' }} with: creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Login to GCP uses: ./.github/actions/gcp_login if: ${{ matrix.csp == 'gcp' }} with: gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} - name: Prepare PKI for image upload shell: bash run: ln -s pki_testing pki working-directory: ${{ github.workspace }}/image/mkosi - name: Determine version id: version uses: ./.github/actions/pseudo_version # Make sure to set valid names for GCP and Azure # Azure # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character # image version has to be semantic version in the form .. . uint may not be larger than 2,147,483,647 # # GCP # image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash - name: Configure input variables shell: bash run: | timestamp=${{ steps.version.outputs.timestamp }} semver=${{ steps.version.outputs.semanticVersion }} imageVersion=${{ inputs.imageVersion }} pseudover=${{ steps.version.outputs.pseudoVersion }} echo "PKI=${{ github.workspace }}/image/mkosi/pki" >> $GITHUB_ENV echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV echo "GCP_REGION=europe-west3" >> $GITHUB_ENV echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV echo "AZURE_REGION=northeurope" >> $GITHUB_ENV echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV echo "AZURE_SKU=constellation" >> $GITHUB_ENV echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV # TODO: set default security type to "ConfidentialVM" once replication is possible AZURE_SECURITY_TYPE=${{ matrix.upload-variant }} if [ -z "${AZURE_SECURITY_TYPE}" ]; then AZURE_SECURITY_TYPE=ConfidentialVMSupported fi echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ] then GCP_IMAGE_NAME=constellation-${imageVersion//./-} echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV AZURE_IMAGE_DEFINITION=constellation echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV AZURE_GALLERY_NAME=Constellation elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ] then GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }} echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV AZURE_IMAGE_DEFINITION=${semver} echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV AZURE_GALLERY_NAME=Constellation_Debug else GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }} echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }} echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV AZURE_GALLERY_NAME=Constellation_Testing fi # TODO: enable VMGS upload for ConfidentialVM images once replication is possible if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV else echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/mkosi/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV fi echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV - name: Download VMGS blob run: aws s3 cp \ s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ --no-progress working-directory: ${{ github.workspace }}/image/mkosi if: ${{ matrix.csp == 'azure' }} - name: Upload GCP image shell: bash run: | echo "::group::Upload GCP image" upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" upload/upload_gcp.sh echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image/mkosi if: ${{ matrix.csp == 'gcp' }} - name: Upload Azure image shell: bash run: | echo "::group::Upload Azure image" upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image/mkosi if: ${{ matrix.csp == 'azure' }} calculate-pcrs: name: "Calculate PCRs" needs: [make-os-image] runs-on: ubuntu-22.04 strategy: matrix: csp: [azure, gcp, qemu] steps: - name: Checkout repository uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - name: Download OS image artifact uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: image-${{ matrix.csp }} - name: Install dependencies run: | echo "::group::Install dependencies" python -m pip install --user lief==0.12.2 sudo apt-get update sudo apt-get install -y systemd-container # for systemd-dissect echo "::endgroup::" - name: Calculate expected PCRs run: | echo "::group::Calculate expected PCRs" ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image/mkosi/measured-boot - name: Upload expected PCRs as artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 with: name: pcrs path: pcrs-${{ matrix.csp }}.json generate-sbom: name: "Generate SBOM" needs: [build-dependencies, make-os-image] runs-on: ubuntu-22.04 steps: - name: Install squashfs tools run: | echo "::group::Install squashfs tools" sudo apt-get update sudo apt-get install -y squashfs-tools echo "::endgroup::" - name: Download rootfs uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: # downloading / using only the QEMU rootfs is fine # since the images only differ in the ESP partition name: parts-qemu - name: Unpack squashfs run: | echo "::group::Unpack squashfs" unsquashfs -user-xattrs -d image.root.tree image.root.raw echo "::endgroup::" - uses: anchore/sbom-action@eda59434a8e5ce9bda93a202dfe50f6a2e637bb6 with: path: image.root.tree artifact-name: sbom.spdx.json format: spdx-json - uses: anchore/sbom-action@eda59434a8e5ce9bda93a202dfe50f6a2e637bb6 with: path: image.root.tree artifact-name: sbom.cyclonedx.json format: cyclonedx-json - uses: anchore/sbom-action@eda59434a8e5ce9bda93a202dfe50f6a2e637bb6 with: path: image.root.tree artifact-name: sbom.syft.json format: syft-json - name: Combine hashes run: | cat > SHA256SUMS <> $GITHUB_STEP_SUMMARY