name: Build and Upload OS image on: workflow_dispatch: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false debug: description: "Build debug image" type: boolean default: false required: false jobs: build-dependencies: name: "Build binaries for embedding in the OS" runs-on: ubuntu-22.04 permissions: contents: read packages: read outputs: bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Build bootstrapper if: ${{ inputs.debug == false }} uses: ./.github/actions/build_bootstrapper with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build debugd if: ${{ inputs.debug == true }} uses: ./.github/actions/build_debugd with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build disk-mapper uses: ./.github/actions/build_disk_mapper with: outputPath: ${{ github.workspace }}/build/disk-mapper - name: Upload dependencies uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: dependencies path: | ${{ github.workspace }}/build/bootstrapper ${{ github.workspace }}/build/disk-mapper - name: Collect hashes id: collect-hashes run: | echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/build build-settings: name: "Determine build settings" runs-on: ubuntu-22.04 outputs: imageType: ${{ steps.image-type.outputs.imageType }} pkiSet: ${{ steps.pki-set.outputs.pkiSet }} steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Determine version id: version uses: ./.github/actions/pseudo_version - name: Determine type of image build shell: bash id: image-type run: | if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ] then echo "imageType=release" >> $GITHUB_OUTPUT elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ] then echo "imageType=debug" >> $GITHUB_OUTPUT else echo "imageType=branch" >> $GITHUB_OUTPUT fi - name: Determine PKI set id: pki-set shell: bash run: | if [ "${{ steps.image-type.outputs.imageType }}" = "release" ] then echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT else echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT fi make-os-image: name: "Build OS using mkosi" needs: [build-settings, build-dependencies] runs-on: ubuntu-22.04 # TODO: flatten outputs once possible # https://github.com/community/community/discussions/17245 outputs: image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }} image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }} image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }} image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }} image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }} image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }} image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }} image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }} image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }} image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }} image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }} image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }} image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }} image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }} image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }} image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }} image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }} image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }} image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }} image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }} image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }} image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }} image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }} image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }} image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }} image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }} image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }} image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }} image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }} image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }} image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }} image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }} strategy: fail-fast: false matrix: csp: [aws, azure, gcp, qemu] steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Download build dependencies uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: name: dependencies path: ${{ github.workspace }}/build - name: Mark bootstrapper and disk-mapper as executable run: | chmod +x ${{ github.workspace }}/build/bootstrapper chmod +x ${{ github.workspace }}/build/disk-mapper - name: Setup mkosi uses: ./.github/actions/setup_mkosi with: version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3 - name: Prepare PKI for secure boot signing id: prepare-pki shell: bash run: | echo "${DB_KEY}" > ${PKI_SET}/db.key ln -s ${PKI_SET} pki working-directory: ${{ github.workspace }}/image env: PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} DB_KEY: ${{ (needs.build-settings.outputs.imageType == 'release' && secrets.SECURE_BOOT_RELEASE_DB_KEY) || secrets.SECURE_BOOT_TESTING_DB_KEY }} - name: Build shell: bash run: | echo "::group::Build" sudo make "${CSP}" echo "::endgroup::" working-directory: ${{ github.workspace }}/image env: BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper CSP: ${{ matrix.csp }} - name: Collect hashes id: collect-hashes run: | echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 continue-on-error: true - name: Upload raw OS image as artifact uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw if: always() continue-on-error: true - name: Upload individual OS parts as artifacts uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: parts-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz if: always() continue-on-error: true - name: Upload manifest as artifact uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: manifest-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest if: always() continue-on-error: true upload-os-image: name: "Upload OS image to CSP" needs: [build-settings, make-os-image] runs-on: ubuntu-22.04 permissions: id-token: write contents: read strategy: fail-fast: false matrix: csp: [aws, azure, gcp] upload-variant: [""] include: - csp: azure upload-variant: TrustedLaunch steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Download OS image artifact uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 - name: Configure input variables id: vars uses: ./.github/actions/os_build_variables with: csp: ${{ matrix.csp }} uploadVariant: ${{ matrix.upload-variant }} basePath: ${{ github.workspace }}/image imageVersion: ${{ inputs.imageVersion }} imageType: ${{ needs.build-settings.outputs.imageType }} debug: ${{ inputs.debug }} - name: Install tools shell: bash run: | echo "::group::Install tools" sudo apt-get update sudo apt-get install -y \ pigz \ qemu-utils \ python3-crc32c echo "::endgroup::" - name: Login to AWS uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 if: ${{ matrix.csp == 'aws' || matrix.csp == 'azure' }} with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Login to Azure uses: ./.github/actions/azure_login with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} - name: Login to GCP uses: ./.github/actions/gcp_login if: ${{ matrix.csp == 'gcp' }} with: gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} - name: Prepare PKI for image upload id: prepare-pki shell: bash run: | ln -s ${{ needs.build-settings.outputs.pkiSet }} pki working-directory: ${{ github.workspace }}/image - name: Download VMGS blob run: | aws s3 cp \ --region ${AZURE_VMGS_REGION} \ s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \ ${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \ --no-progress working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }} env: PKI_SET: ${{ needs.build-settings.outputs.pkiSet }} AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} - name: Upload AWS image shell: bash run: | echo "::group::Upload AWS image" secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}" upload/upload_aws.sh "${AWS_AMI_OUTPUT}" echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'aws' }} env: PKI: ${{ github.workspace }}/image/pki AWS_AMI_OUTPUT: ${{ steps.vars.outputs.awsAmiOutput }} AWS_BUCKET: ${{ steps.vars.outputs.awsBucket }} AWS_EFIVARS_PATH: ${{ steps.vars.outputs.awsEfivarsPath }} AWS_IMAGE_FILENAME: ${{ steps.vars.outputs.awsImageFilename }} AWS_IMAGE_NAME: ${{ steps.vars.outputs.awsImageName }} AWS_IMAGE_PATH: ${{ steps.vars.outputs.awsImagePath }} AWS_REGION: ${{ steps.vars.outputs.awsRegion }} AWS_REPLICATION_REGIONS: ${{ steps.vars.outputs.awsReplicationRegions }} - name: Upload GCP image shell: bash run: | echo "::group::Upload GCP image" upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" upload/upload_gcp.sh echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'gcp' }} env: PKI: ${{ github.workspace }}/image/pki GCP_BUCKET: ${{ steps.vars.outputs.gcpBucket }} GCP_IMAGE_FAMILY: ${{ steps.vars.outputs.gcpImageFamily }} GCP_IMAGE_FILENAME: ${{ steps.vars.outputs.gcpImageFilename }} GCP_IMAGE_NAME: ${{ steps.vars.outputs.gcpImageName }} GCP_IMAGE_PATH: ${{ steps.vars.outputs.gcpImagePath }} GCP_PROJECT: ${{ steps.vars.outputs.gcpProject }} GCP_RAW_IMAGE_PATH: ${{ steps.vars.outputs.gcpRawImagePath }} GCP_REGION: ${{ steps.vars.outputs.gcpRegion }} - name: Upload Azure image shell: bash run: | echo "::group::Upload Azure image" upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' }} env: PKI: ${{ github.workspace }}/image/pki AZURE_DISK_NAME: ${{ steps.vars.outputs.azureDiskName }} AZURE_GALLERY_NAME: ${{ steps.vars.outputs.azureGalleryName }} AZURE_IMAGE_DEFINITION: ${{ steps.vars.outputs.azureImageDefinition }} AZURE_IMAGE_OFFER: ${{ steps.vars.outputs.azureImageOffer }} AZURE_IMAGE_PATH: ${{ steps.vars.outputs.azureImagePath }} AZURE_IMAGE_VERSION: ${{ steps.vars.outputs.azureImageVersion }} AZURE_PUBLISHER: ${{ steps.vars.outputs.azurePublisher }} AZURE_RAW_IMAGE_PATH: ${{ steps.vars.outputs.azureRawImagePath }} AZURE_REGION: ${{ steps.vars.outputs.azureRegion }} AZURE_REPLICATION_REGIONS: ${{ steps.vars.outputs.azureReplicationRegions }} AZURE_VMGS_REGION: ${{ steps.vars.outputs.azureVmgsRegion }} AZURE_RESOURCE_GROUP_NAME: ${{ steps.vars.outputs.azureResourceGroupName }} AZURE_SECURITY_TYPE: ${{ steps.vars.outputs.azureSecurityType }} AZURE_SKU: ${{ steps.vars.outputs.azureSku }} AZURE_VMGS_PATH: ${{ steps.vars.outputs.azureVmgsPath }} calculate-pcrs: name: "Calculate PCRs" needs: [make-os-image] runs-on: ubuntu-22.04 strategy: fail-fast: false matrix: csp: [aws, azure, gcp, qemu] steps: - name: Checkout repository uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Download OS image artifact uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: name: image-${{ matrix.csp }} - name: Install dependencies run: | echo "::group::Install dependencies" python -m pip install --user lief==0.12.2 sudo apt-get update sudo apt-get install -y systemd-container # for systemd-dissect echo "::endgroup::" - name: Calculate expected PCRs run: | echo "::group::Calculate expected PCRs" ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY ./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }} >> $GITHUB_STEP_SUMMARY ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY cp pcr-stable.json ${{ github.workspace }}/ jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json echo "::endgroup::" working-directory: ${{ github.workspace }}/image/measured-boot - name: Upload expected PCRs as artifact uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: pcrs path: pcrs-${{ matrix.csp }}.json generate-sbom: name: "Generate SBOM" needs: [build-dependencies, make-os-image] runs-on: ubuntu-22.04 steps: - name: Install squashfs tools run: | echo "::group::Install squashfs tools" sudo apt-get update sudo apt-get install -y squashfs-tools echo "::endgroup::" - name: Download rootfs uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: # downloading / using only the QEMU rootfs is fine # since the images only differ in the ESP partition name: parts-qemu - name: Unpack squashfs run: | echo "::group::Unpack squashfs" unsquashfs -user-xattrs -d image.root.tree image.root.raw echo "::endgroup::" - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 with: path: image.root.tree artifact-name: sbom.spdx.json format: spdx-json - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 with: path: image.root.tree artifact-name: sbom.cyclonedx.json format: cyclonedx-json - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # tag=v0.13.1 with: path: image.root.tree artifact-name: sbom.syft.json format: syft-json - name: Combine hashes run: | cat > SHA256SUMS <> $GITHUB_STEP_SUMMARY