mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-07 05:38:03 -05:00
1a141c3972
For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format. For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact. We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).
731 lines
29 KiB
YAML
731 lines
29 KiB
YAML
name: Build and Upload OS image
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
|
required: false
|
|
isRelease:
|
|
description: 'Is this a release? (sets "ref" to special value "-")'
|
|
type: boolean
|
|
required: false
|
|
default: false
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images, 'console' for images with serial console access and 'debug' for debug builds)"
|
|
type: choice
|
|
required: true
|
|
options:
|
|
- "debug"
|
|
- "console"
|
|
- "nightly"
|
|
- "stable"
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
workflow_call:
|
|
inputs:
|
|
imageVersion:
|
|
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
|
|
required: false
|
|
type: string
|
|
isRelease:
|
|
description: 'Is this a release? (sets "ref" to special value "-")'
|
|
type: boolean
|
|
required: false
|
|
default: false
|
|
stream:
|
|
description: "Image stream / type. (Use 'stable' for releases, 'nightly' for regular non-release images and 'debug' for debug builds)"
|
|
type: string
|
|
required: true
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
|
|
jobs:
|
|
build-settings:
|
|
name: "Determine build settings"
|
|
runs-on: ubuntu-22.04
|
|
outputs:
|
|
ref: ${{ steps.ref.outputs.ref }}
|
|
stream: ${{ steps.stream.outputs.stream }}
|
|
imageType: ${{ steps.image-type.outputs.imageType }}
|
|
imageVersion: ${{ steps.image-version.outputs.imageVersion }}
|
|
imageName: ${{ steps.image-version.outputs.imageName }}
|
|
imageNameShort: ${{ steps.image-version.outputs.imageNameShort }}
|
|
imageApiBasePath: ${{ steps.image-version.outputs.imageApiBasePath }}
|
|
cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Determine version
|
|
id: version
|
|
uses: ./.github/actions/pseudo_version
|
|
|
|
- name: Determine ref
|
|
id: ref
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" = "true" ]]; then
|
|
echo "ref=-" | tee -a "$GITHUB_OUTPUT"
|
|
else
|
|
echo "ref=${{ steps.version.outputs.branchName }}" | tee -a "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Determine and validate stream
|
|
id: stream
|
|
run: |
|
|
if [[ "${{ inputs.isRelease }}" == "true" ]] && [[ "${{ inputs.stream }}" == "nightly" ]]; then
|
|
echo "Nightly builds are not allowed for releases"
|
|
exit 1
|
|
fi
|
|
if [[ "${{ inputs.isRelease }}" != "true" ]] && [[ "${{ inputs.stream }}" == "stable" ]]; then
|
|
echo "Stable builds are only allowed for releases"
|
|
exit 1
|
|
fi
|
|
|
|
echo "stream=${{ inputs.stream }}" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Determine type of image build
|
|
shell: bash
|
|
id: image-type
|
|
run: |
|
|
case "${{ steps.stream.outputs.stream }}" in
|
|
"debug")
|
|
echo "imageType=debug" | tee -a "$GITHUB_OUTPUT"
|
|
;;
|
|
"console")
|
|
echo "imageType=console" | tee -a "$GITHUB_OUTPUT"
|
|
;;
|
|
*)
|
|
echo "imageType=default" | tee -a "$GITHUB_OUTPUT"
|
|
;;
|
|
esac
|
|
|
|
- name: Determine image version
|
|
id: image-version
|
|
shell: bash
|
|
env:
|
|
REF: ${{ steps.ref.outputs.ref }}
|
|
STREAM: ${{ steps.stream.outputs.stream }}
|
|
IMAGE_VERSION: ${{ inputs.imageVersion || steps.version.outputs.version }}
|
|
run: |
|
|
{
|
|
echo "imageVersion=${IMAGE_VERSION}"
|
|
echo "imageName=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}"
|
|
echo "imageApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/image"
|
|
echo "cliApiBasePath=constellation/v1/ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}/cli"
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
|
|
if [[ "${REF}" = "-" ]] && [[ "${STREAM}" = "stable" ]]; then
|
|
echo "imageNameShort=${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
|
|
elif [[ "${REF}" = "-" ]]; then
|
|
echo "imageNameShort=stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
|
|
else
|
|
echo "imageNameShort=ref/${REF}/stream/${STREAM}/${IMAGE_VERSION}" | tee -a "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
make-os-image:
|
|
name: "Build OS using mkosi"
|
|
needs: [build-settings]
|
|
runs-on: ubuntu-latest-8-cores
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- csp: aws
|
|
attestation_variant: aws-nitro-tpm
|
|
- csp: aws
|
|
attestation_variant: aws-sev-snp
|
|
- csp: azure
|
|
attestation_variant: azure-sev-snp
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-es
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-snp
|
|
- csp: qemu
|
|
attestation_variant: qemu-vtpm
|
|
- csp: openstack
|
|
attestation_variant: qemu-vtpm
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Build
|
|
id: build
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
env:
|
|
TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
|
|
run: |
|
|
echo "::group::Build"
|
|
bazel build "${TARGET}"
|
|
{
|
|
echo "image-dir=$(bazel cquery --output=files "$TARGET")"
|
|
echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
|
|
} | tee -a "$GITHUB_OUTPUT"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload raw OS image as artifact
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: ${{ steps.build.outputs.image-dir }}/constellation.raw
|
|
|
|
- name: Upload individual OS parts as artifacts
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: parts-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: |
|
|
${{ steps.build.outputs.image-dir }}/constellation.efi
|
|
${{ steps.build.outputs.image-dir }}/constellation.initrd
|
|
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
|
|
|
|
- name: Upload sbom info as artifact
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
|
with:
|
|
name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: ${{ steps.build.outputs.rpmdb }}
|
|
|
|
upload-os-image:
|
|
name: "Upload OS image to CSP"
|
|
needs: [build-settings, make-os-image]
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- csp: aws
|
|
attestation_variant: aws-nitro-tpm
|
|
- csp: aws
|
|
attestation_variant: aws-sev-snp
|
|
- csp: azure
|
|
attestation_variant: azure-sev-snp
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-es
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-snp
|
|
- csp: qemu
|
|
attestation_variant: qemu-vtpm
|
|
- csp: openstack
|
|
attestation_variant: qemu-vtpm
|
|
env:
|
|
RAW_IMAGE_PATH: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/constellation.raw
|
|
JSON_OUTPUT: mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38/image-upload.json
|
|
AZURE_IMAGE_PATH: mkosi.output.azure_${{ matrix.attestation_variant }}/fedora~38/image.vhd
|
|
GCP_IMAGE_PATH: mkosi.output.gcp_${{ matrix.attestation_variant }}/fedora~38/image.tar.gz
|
|
SHORTNAME: ${{ needs.build-settings.outputs.imageNameShort }}
|
|
ATTESTATION_VARIANT: ${{ matrix.attestation_variant }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Download OS image artifact
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
path: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}_${{ matrix.attestation_variant }}/fedora~38
|
|
|
|
- name: Install tools
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Install tools"
|
|
sudo apt-get update
|
|
sudo apt-get install -y \
|
|
pigz \
|
|
qemu-utils \
|
|
python3-pip
|
|
echo "::endgroup::"
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Login to Azure
|
|
if: matrix.csp == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
|
|
|
|
- name: Login to GCP
|
|
if: matrix.csp == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: "constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
|
|
|
|
- name: Upload AWS image
|
|
if: matrix.csp == 'aws'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload AWS image"
|
|
bazel run //image/upload -- image aws \
|
|
--verbose \
|
|
--raw-image "${RAW_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded AWS image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload GCP image
|
|
if: matrix.csp == 'gcp'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload GCP image"
|
|
upload/pack.sh gcp "${RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
|
|
bazel run //image/upload -- image gcp \
|
|
--verbose \
|
|
--raw-image "${GCP_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded GCP image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload Azure image
|
|
if: matrix.csp == 'azure'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload Azure image"
|
|
upload/pack.sh azure "${RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
|
|
bazel run //image/upload -- image azure \
|
|
--verbose \
|
|
--raw-image "${AZURE_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded Azure image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload OpenStack image
|
|
if: matrix.csp == 'openstack'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload OpenStack image"
|
|
bazel run //image/upload -- image openstack \
|
|
--verbose \
|
|
--raw-image "${RAW_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded OpenStack image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload QEMU image
|
|
if: matrix.csp == 'qemu'
|
|
shell: bash
|
|
working-directory: ${{ github.workspace }}/image
|
|
run: |
|
|
echo "::group::Upload QEMU image"
|
|
bazel run //image/upload -- image qemu \
|
|
--verbose \
|
|
--raw-image "${RAW_IMAGE_PATH}" \
|
|
--attestation-variant "${ATTESTATION_VARIANT}" \
|
|
--version "${SHORTNAME}" \
|
|
--out "${JSON_OUTPUT}"
|
|
echo -e "Uploaded QEMU image: \n\n\`\`\`\n$(jq < "${JSON_OUTPUT}")\n\`\`\`\n" >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload image lookup table as artifact
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: lookup-table
|
|
path: ${{ github.workspace }}/image/mkosi.output.*/*/image-upload*.json
|
|
|
|
calculate-pcrs:
|
|
name: "Calculate PCRs"
|
|
needs: [build-settings, make-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- csp: aws
|
|
attestation_variant: aws-nitro-tpm
|
|
- csp: aws
|
|
attestation_variant: aws-sev-snp
|
|
- csp: azure
|
|
attestation_variant: azure-sev-snp
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-es
|
|
- csp: gcp
|
|
attestation_variant: gcp-sev-snp
|
|
- csp: qemu
|
|
attestation_variant: qemu-vtpm
|
|
- csp: openstack
|
|
attestation_variant: qemu-vtpm
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Download OS image artifact
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: image-${{ matrix.csp }}-${{ matrix.attestation_variant }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
echo "::group::Install dependencies"
|
|
sudo apt-get update
|
|
sudo apt-get install -y systemd-container # for systemd-dissect
|
|
echo "::endgroup::"
|
|
|
|
- name: Calculate expected PCRs
|
|
working-directory: ${{ github.workspace }}/image/measured-boot
|
|
run: |
|
|
echo "::group::Calculate expected PCRs"
|
|
bazel run --run_under="sudo -E" //image/measured-boot/cmd ${{ github.workspace }}/constellation.raw ${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json >> "$GITHUB_STEP_SUMMARY"
|
|
echo "::endgroup::"
|
|
|
|
- name: Add static PCRs
|
|
run: |
|
|
case ${{ matrix.csp }} in
|
|
aws)
|
|
yq e '.csp = "AWS" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.0.warnOnly = true |
|
|
.measurements.0.expected = "737f767a12f54e70eecbc8684011323ae2fe2dd9f90785577969d7a2013e8c12" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.6.warnOnly = true |
|
|
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
azure)
|
|
yq e '.csp = "Azure" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.1.warnOnly = true |
|
|
.measurements.1.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
gcp)
|
|
yq e '.csp = "GCP" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.1.warnOnly = true |
|
|
.measurements.1.expected = "745f2fb4235e4647aa0ad5ace781cd929eb68c28870e7dd5d1a1535854325e56" |
|
|
.measurements.2.warnOnly = true |
|
|
.measurements.2.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.3.warnOnly = true |
|
|
.measurements.3.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.6.warnOnly = true |
|
|
.measurements.6.expected = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969" |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
openstack)
|
|
yq e '.csp = "OpenStack" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
qemu)
|
|
yq e '.csp = "QEMU" |
|
|
.attestationVariant = "${{ matrix.attestation_variant }}" |
|
|
.measurements.4.warnOnly = false |
|
|
.measurements.8.warnOnly = false |
|
|
.measurements.9.warnOnly = false |
|
|
.measurements.11.warnOnly = false |
|
|
.measurements.12.warnOnly = false |
|
|
.measurements.13.warnOnly = false |
|
|
.measurements.14.warnOnly = true |
|
|
.measurements.14.expected = "0000000000000000000000000000000000000000000000000000000000000000" |
|
|
.measurements.15.warnOnly = false' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
;;
|
|
*)
|
|
echo "Unknown CSP: ${{ matrix.csp }}"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
# TODO (malt3): Calculate PCR from firmware blob.
|
|
# AWS SNP machines have a different expected value for PCR 0.
|
|
if [[ ${{ matrix.attestation_variant }} = "aws-sev-snp" ]]
|
|
then
|
|
yq e '.csp = "AWS" |
|
|
.measurements.0.expected = "7b068c0c3ac29afe264134536b9be26f1d4ccd575b88d3c3ceabf36ac99c0278"' \
|
|
-I 0 -o json -i "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json"
|
|
fi
|
|
|
|
- name: Envelope measurements
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Envelope measurements"
|
|
bazel run //image/upload -- measurements envelope \
|
|
--in "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
|
|
--out "${{ github.workspace }}/pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json" \
|
|
--version "${{ needs.build-settings.outputs.imageNameShort }}" \
|
|
--csp "${{ matrix.csp }}" \
|
|
--attestation-variant "${{ matrix.attestation_variant }}"
|
|
echo "::endgroup::"
|
|
|
|
- name: Upload expected measurements as artifact
|
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
with:
|
|
name: measurements
|
|
path: pcrs-${{ matrix.csp }}-${{ matrix.attestation_variant }}.json
|
|
|
|
upload-pcrs:
|
|
name: "Sign & upload PCRs"
|
|
needs: [build-settings, calculate-pcrs]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Download measurements
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
name: measurements
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
|
|
|
|
- name: Install Rekor
|
|
shell: bash
|
|
run: |
|
|
curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
|
|
sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
|
|
rm rekor-cli-linux-amd64
|
|
|
|
- name: Merge measurements
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Merge measurements"
|
|
bazel run //image/upload -- measurements merge \
|
|
--out measurements.json \
|
|
pcrs-*.json
|
|
echo "::endgroup::"
|
|
|
|
- name: Sign measurements
|
|
if: inputs.stream != 'debug'
|
|
shell: bash
|
|
env:
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.isRelease && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.isRelease && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
|
COSIGN_PASSWORD: ${{ inputs.isRelease && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
|
run: |
|
|
echo "${COSIGN_PUBLIC_KEY}" > cosign.pub
|
|
# Enabling experimental mode also publishes signature to Rekor
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY \
|
|
"${{ github.workspace }}/measurements.json" > "${{ github.workspace }}/measurements.json.sig"
|
|
# Verify - As documentation & check
|
|
# Local Signature (input: artifact, key, signature)
|
|
cosign verify-blob --key cosign.pub \
|
|
--signature "measurements.json.sig" \
|
|
"measurements.json"
|
|
# Transparency Log Signature (input: artifact, key)
|
|
uuid=$(rekor-cli search --artifact "${{ github.workspace }}/measurements.json" | tail -n 1)
|
|
sig=$(rekor-cli get --uuid="${uuid}" --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
|
cosign verify-blob --key cosign.pub --signature <(echo "${sig}") "${{ github.workspace }}/measurements.json"
|
|
|
|
- name: Create stub signature file
|
|
if: inputs.stream == 'debug'
|
|
shell: bash
|
|
run: |
|
|
echo "THOSE MEASUREMENTS BELONG TO A DEBUG IMAGE. THOSE ARE NOT SINGED BY ANY KEY." > "${{ github.workspace }}/measurements.json.sig"
|
|
|
|
- name: Upload measurements
|
|
shell: bash
|
|
run: |
|
|
echo "::group::Upload measurements"
|
|
bazel run //image/upload -- measurements upload \
|
|
--measurements measurements.json \
|
|
--signature measurements.json.sig
|
|
echo "::endgroup::"
|
|
|
|
upload-sbom:
|
|
name: "Upload SBOM"
|
|
needs: [build-settings, make-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Download sbom
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
with:
|
|
# downloading / using only the QEMU manifest is fine
|
|
# since the images only differ in the ESP partition
|
|
name: sbom-qemu-qemu-vtpm
|
|
|
|
- name: Upload SBOMs to S3
|
|
shell: bash
|
|
run: |
|
|
aws s3 cp \
|
|
rpmdb.tar \
|
|
"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
|
|
--no-progress
|
|
|
|
upload-artifacts:
|
|
name: "Upload image lookup table and CLI compatibility info"
|
|
runs-on: ubuntu-22.04
|
|
needs: [build-settings, upload-os-image]
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "false"
|
|
|
|
- name: Download image lookup table
|
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
|
|
with:
|
|
name: lookup-table
|
|
|
|
- name: Login to AWS
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
|
|
aws-region: eu-central-1
|
|
|
|
- name: Upload lookup table to S3
|
|
shell: bash
|
|
run: bazel run //image/upload -- info --verbose mkosi.output.*/*/image-upload*.json
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Create CLI compatibility information artifact
|
|
shell: bash
|
|
run: |
|
|
bazel run //hack/cli-k8s-compatibility -- \
|
|
--ref=${{ needs.build-settings.outputs.ref }} \
|
|
--stream=${{ needs.build-settings.outputs.stream }} \
|
|
--version=${{ needs.build-settings.outputs.imageVersion }} \
|
|
|
|
add-image-version-to-versionsapi:
|
|
needs: [upload-artifacts, upload-pcrs, build-settings]
|
|
name: "Add image version to versionsapi"
|
|
if: needs.build-settings.outputs.ref != '-'
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
with:
|
|
command: add
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
version: ${{ needs.build-settings.outputs.imageVersion }}
|
|
kind: "image"
|
|
add_latest: true
|
|
|
|
add-cli-version-to-versionsapi:
|
|
needs: [upload-artifacts, build-settings, add-image-version-to-versionsapi]
|
|
name: "Add CLI version to versionsapi"
|
|
if: needs.build-settings.outputs.ref != '-'
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/versionsapi.yml
|
|
with:
|
|
command: add
|
|
ref: ${{ needs.build-settings.outputs.ref }}
|
|
stream: ${{ needs.build-settings.outputs.stream }}
|
|
version: ${{ needs.build-settings.outputs.imageVersion }}
|
|
kind: "cli"
|
|
add_latest: true
|