name: Build and Upload OS image on: workflow_dispatch: inputs: imageVersion: description: "Semantic version including patch e.g. v.. (only used for releases)" required: false debug: description: "Build debug image" type: boolean default: false required: false jobs: build-dependencies: name: "Build binaries for embedding in the OS" runs-on: ubuntu-22.04 permissions: contents: read packages: read outputs: bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }} disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }} steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Build bootstrapper if: ${{ inputs.debug == false }} uses: ./.github/actions/build_bootstrapper with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build debugd if: ${{ inputs.debug == true }} uses: ./.github/actions/build_debugd with: outputPath: ${{ github.workspace }}/build/bootstrapper - name: Build disk-mapper uses: ./.github/actions/build_disk_mapper with: outputPath: ${{ github.workspace }}/build/disk-mapper - name: Upload dependencies uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: dependencies path: | ${{ github.workspace }}/build/bootstrapper ${{ github.workspace }}/build/disk-mapper - name: Collect hashes id: collect-hashes run: | echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/build make-os-image: name: "Build OS using mkosi" needs: build-dependencies runs-on: ubuntu-22.04 # TODO: flatten outputs once possible # https://github.com/community/community/discussions/17245 outputs: image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }} image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }} image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }} image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }} image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }} image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }} image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }} image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }} image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }} image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }} image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }} image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }} image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }} image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }} image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }} image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }} image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }} image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }} image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }} image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }} image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }} image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }} image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }} image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }} image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }} image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }} image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }} image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }} image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }} image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }} image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }} image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }} strategy: matrix: csp: [aws, azure, gcp, qemu] steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Download build dependencies uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: name: dependencies path: ${{ github.workspace }}/build - name: Mark bootstrapper and disk-mapper as executable run: | chmod +x ${{ github.workspace }}/build/bootstrapper chmod +x ${{ github.workspace }}/build/disk-mapper - name: Setup mkosi uses: ./.github/actions/setup_mkosi with: version: 058046019e7ed2e8e93af87b8c14a808dcc6bbc3 - name: Prepare PKI for secure boot signing shell: bash run: | ln -s pki_testing pki echo "${DB_KEY}" > pki/db.key working-directory: ${{ github.workspace }}/image env: DB_KEY: ${{ secrets.SECURE_BOOT_TESTING_DB_KEY }} - name: Build shell: bash run: | echo "::group::Build" sudo make "${CSP}" echo "::endgroup::" working-directory: ${{ github.workspace }}/image env: BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper CSP: ${{ matrix.csp }} - name: Collect hashes id: collect-hashes run: | echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 continue-on-error: true - name: Upload raw OS image as artifact uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw if: always() continue-on-error: true - name: Upload individual OS parts as artifacts uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: parts-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.cmdline ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.efi ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.initrd ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.raw ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.roothash ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.root.verity ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.vmlinuz if: always() continue-on-error: true - name: Upload manifest as artifact uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: manifest-${{ matrix.csp }} path: | ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.changelog ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36/image.raw.manifest if: always() continue-on-error: true upload-os-image: name: "Upload OS image to CSP" needs: make-os-image runs-on: ubuntu-22.04 permissions: id-token: write contents: read strategy: matrix: csp: [aws, azure, gcp] upload-variant: [""] include: - csp: azure upload-variant: TrustedLaunch steps: - name: Checkout uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Download OS image artifact uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: name: image-${{ matrix.csp }} path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36 - name: Install tools shell: bash run: | echo "::group::Install tools" sudo apt-get update sudo apt-get install -y \ pigz \ qemu-utils \ python3-crc32c echo "::endgroup::" - name: Login to AWS uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0 if: ${{ matrix.csp == 'aws' || matrix.csp == 'azure' }} with: role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline aws-region: eu-central-1 - name: Login to Azure uses: ./.github/actions/azure_login with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} - name: Login to GCP uses: ./.github/actions/gcp_login if: ${{ matrix.csp == 'gcp' }} with: gcp_service_account_json: ${{ secrets.GCP_IMAGE_UPLOAD_SERVICE_ACCOUNT }} - name: Prepare PKI for image upload shell: bash run: ln -s pki_testing pki working-directory: ${{ github.workspace }}/image - name: Determine version id: version uses: ./.github/actions/pseudo_version # Make sure to set valid names for AWS, Azure and GCP # Azure # gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character # image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character # image version has to be semantic version in the form .. . uint may not be larger than 2,147,483,647 # # GCP # image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash - name: Configure input variables shell: bash run: | timestamp=${{ steps.version.outputs.timestamp }} semver=${{ steps.version.outputs.semanticVersion }} imageVersion=${{ inputs.imageVersion }} pseudover=${{ steps.version.outputs.pseudoVersion }} echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV echo "GCP_REGION=europe-west3" >> $GITHUB_ENV echo "GCP_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.raw" >> $GITHUB_ENV echo "GCP_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.gcp/fedora~36/image.tar.gz" >> $GITHUB_ENV echo "AZURE_RESOURCE_GROUP_NAME=constellation-images" >> $GITHUB_ENV echo "AZURE_REGION=northeurope" >> $GITHUB_ENV echo "AZURE_REPLICATION_REGIONS=northeurope eastus westeurope westus" >> $GITHUB_ENV echo "AZURE_SKU=constellation" >> $GITHUB_ENV echo "AZURE_PUBLISHER=edgelesssys" >> $GITHUB_ENV echo "AZURE_RAW_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.raw" >> $GITHUB_ENV echo "AZURE_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.azure/fedora~36/image.vhd" >> $GITHUB_ENV # TODO: set default security type to "ConfidentialVM" once replication is possible AZURE_SECURITY_TYPE=${{ matrix.upload-variant }} if [ -z "${AZURE_SECURITY_TYPE}" ]; then AZURE_SECURITY_TYPE=ConfidentialVMSupported fi echo "AZURE_SECURITY_TYPE=${AZURE_SECURITY_TYPE}" >> $GITHUB_ENV echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ] then echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV GCP_IMAGE_NAME=constellation-${imageVersion//./-} echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV AZURE_IMAGE_DEFINITION=constellation echo "AZURE_IMAGE_VERSION=${imageVersion:1}" >> $GITHUB_ENV AZURE_GALLERY_NAME=Constellation elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ] then echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }} echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV AZURE_IMAGE_DEFINITION=${semver} echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV AZURE_GALLERY_NAME=Constellation_Debug else echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }} echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }} echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV AZURE_GALLERY_NAME=Constellation_Testing fi # TODO: enable VMGS upload for ConfidentialVM images once replication is possible if [ "${AZURE_SECURITY_TYPE}" == "ConfidentialVMSupported" ]; then echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}_CVM" >> $GITHUB_ENV echo "AZURE_VMGS_PATH=" >> $GITHUB_ENV else echo "AZURE_GALLERY_NAME=${AZURE_GALLERY_NAME}" >> $GITHUB_ENV echo "AZURE_VMGS_PATH=${{ github.workspace }}/image/pki/${AZURE_SECURITY_TYPE}.vmgs" >> $GITHUB_ENV fi echo "AZURE_IMAGE_DEFINITION=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "AZURE_IMAGE_OFFER=${AZURE_IMAGE_DEFINITION}" >> $GITHUB_ENV echo "GCP_IMAGE_NAME=${GCP_IMAGE_NAME}" >> $GITHUB_ENV echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV - name: Download VMGS blob run: | aws s3 cp \ --region ${AWS_REGION} \ s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ pki_testing/${AZURE_SECURITY_TYPE}.vmgs \ --no-progress working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }} - name: Upload AWS image shell: bash run: | echo "::group::Upload AWS image" secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}" upload/upload_aws.sh "${AWS_AMI_OUTPUT}" echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'aws' }} - name: Upload GCP image shell: bash run: | echo "::group::Upload GCP image" upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}" upload/upload_gcp.sh echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'gcp' }} - name: Upload Azure image shell: bash run: | echo "::group::Upload Azure image" upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}" upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}" echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY echo "::endgroup::" working-directory: ${{ github.workspace }}/image if: ${{ matrix.csp == 'azure' }} calculate-pcrs: name: "Calculate PCRs" needs: [make-os-image] runs-on: ubuntu-22.04 strategy: matrix: csp: [aws, azure, gcp, qemu] steps: - name: Checkout repository uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # tag=v2.5.0 - name: Download OS image artifact uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: name: image-${{ matrix.csp }} - name: Install dependencies run: | echo "::group::Install dependencies" python -m pip install --user lief==0.12.2 sudo apt-get update sudo apt-get install -y systemd-container # for systemd-dissect echo "::endgroup::" - name: Calculate expected PCRs run: | echo "::group::Calculate expected PCRs" ./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY ./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }} >> $GITHUB_STEP_SUMMARY ./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY cp pcr-stable.json ${{ github.workspace }}/ jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json echo "::endgroup::" working-directory: ${{ github.workspace }}/image/measured-boot - name: Upload expected PCRs as artifact uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1 with: name: pcrs path: pcrs-${{ matrix.csp }}.json generate-sbom: name: "Generate SBOM" needs: [build-dependencies, make-os-image] runs-on: ubuntu-22.04 steps: - name: Install squashfs tools run: | echo "::group::Install squashfs tools" sudo apt-get update sudo apt-get install -y squashfs-tools echo "::endgroup::" - name: Download rootfs uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1 with: # downloading / using only the QEMU rootfs is fine # since the images only differ in the ESP partition name: parts-qemu - name: Unpack squashfs run: | echo "::group::Unpack squashfs" unsquashfs -user-xattrs -d image.root.tree image.root.raw echo "::endgroup::" - uses: anchore/sbom-action@b7e8507c6a3c89b7099a0198366d862c8f3ad8f1 # tag=v0.13.0 with: path: image.root.tree artifact-name: sbom.spdx.json format: spdx-json - uses: anchore/sbom-action@b7e8507c6a3c89b7099a0198366d862c8f3ad8f1 # tag=v0.13.0 with: path: image.root.tree artifact-name: sbom.cyclonedx.json format: cyclonedx-json - uses: anchore/sbom-action@b7e8507c6a3c89b7099a0198366d862c8f3ad8f1 # tag=v0.13.0 with: path: image.root.tree artifact-name: sbom.syft.json format: syft-json - name: Combine hashes run: | cat > SHA256SUMS <> $GITHUB_STEP_SUMMARY