mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-25 23:06:08 -05:00
232 lines
6.3 KiB
Python
232 lines
6.3 KiB
Python
""" Constellation OS image configuration / variants """
|
|
|
|
VARIANTS = [
|
|
{
|
|
"attestation_variant": "aws-sev-snp",
|
|
"csp": "aws",
|
|
},
|
|
{
|
|
"attestation_variant": "aws-nitro-tpm",
|
|
"csp": "aws",
|
|
},
|
|
{
|
|
"attestation_variant": "azure-sev-snp",
|
|
"csp": "azure",
|
|
},
|
|
{
|
|
"attestation_variant": "azure-tdx",
|
|
"csp": "azure",
|
|
},
|
|
{
|
|
"attestation_variant": "gcp-sev-es",
|
|
"csp": "gcp",
|
|
},
|
|
{
|
|
"attestation_variant": "gcp-sev-snp",
|
|
"csp": "gcp",
|
|
},
|
|
{
|
|
"attestation_variant": "qemu-vtpm",
|
|
"csp": "openstack",
|
|
},
|
|
{
|
|
"attestation_variant": "qemu-vtpm",
|
|
"csp": "qemu",
|
|
},
|
|
]
|
|
|
|
STREAMS = [
|
|
"stable",
|
|
"nightly",
|
|
"console",
|
|
"debug",
|
|
]
|
|
|
|
CSPS = [
|
|
"aws",
|
|
"azure",
|
|
"gcp",
|
|
"openstack",
|
|
"qemu",
|
|
]
|
|
|
|
base_cmdline = "selinux=1 enforcing=0 audit=0 console=tty1 console=ttyS0"
|
|
|
|
csp_settings = {
|
|
"aws": {
|
|
"kernel_command_line_dict": {
|
|
"console": "ttyS0",
|
|
"constel.csp": "aws",
|
|
"mitigations": "auto,nosmt",
|
|
},
|
|
},
|
|
"azure": {
|
|
"kernel_command_line_dict": {
|
|
"constel.csp": "azure",
|
|
"mitigations": "auto,nosmt",
|
|
},
|
|
},
|
|
"gcp": {
|
|
"kernel_command_line_dict": {
|
|
"constel.csp": "gcp",
|
|
"mitigations": "auto,nosmt",
|
|
},
|
|
},
|
|
"openstack": {
|
|
"kernel_command_line_dict": {
|
|
"constel.csp": "openstack",
|
|
"kvm_amd.sev": "1",
|
|
"mem_encrypt": "on",
|
|
"mitigations": "auto,nosmt",
|
|
"module_blacklist": "qemu_fw_cfg",
|
|
},
|
|
},
|
|
"qemu": {
|
|
"kernel_command_line": "constel.console", # All qemu images have console enabled independent of stream
|
|
"kernel_command_line_dict": {
|
|
"constel.csp": "qemu",
|
|
"mitigations": "auto,nosmt",
|
|
},
|
|
},
|
|
}
|
|
|
|
attestation_variant_settings = {
|
|
"aws-nitro-tpm": {
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "aws-nitro-tpm",
|
|
},
|
|
},
|
|
"aws-sev-snp": {
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "aws-sev-snp",
|
|
},
|
|
},
|
|
"azure-sev-snp": {
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "azure-sev-snp",
|
|
},
|
|
},
|
|
"azure-tdx": {
|
|
"base_image": "//image/base:mainline",
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "azure-tdx",
|
|
},
|
|
},
|
|
"gcp-sev-es": {
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "gcp-sev-es",
|
|
},
|
|
},
|
|
"gcp-sev-snp": {
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "gcp-sev-snp",
|
|
},
|
|
},
|
|
"qemu-vtpm": {
|
|
"kernel_command_line_dict": {
|
|
"constel.attestation-variant": "qemu-vtpm",
|
|
},
|
|
},
|
|
}
|
|
|
|
stream_settings = {
|
|
"console": {
|
|
"kernel_command_line": "constel.console",
|
|
},
|
|
"debug": {
|
|
"kernel_command_line": "constel.debug",
|
|
},
|
|
"nightly": {},
|
|
"stable": {},
|
|
}
|
|
|
|
def from_settings(csp, attestation_variant, stream, strict = True, default = None):
|
|
"""Generates a list of settings dictionaries for the given csp, attestation_variant and stream.
|
|
|
|
Args:
|
|
csp: The cloud service provider to use.
|
|
attestation_variant: The attestation variant to use.
|
|
stream: The stream to use.
|
|
strict: If True, fail if any of the given csp, attestation_variant or stream is unknown.
|
|
default: The default value to use if any of the given csp, attestation_variant or stream is unknown.
|
|
|
|
Returns:
|
|
A list of settings dictionaries.
|
|
"""
|
|
if strict:
|
|
if not csp in csp_settings:
|
|
fail("Unknown csp: " + csp)
|
|
if not attestation_variant in attestation_variant_settings:
|
|
fail("Unknown attestation_variant: " + attestation_variant)
|
|
if not stream in stream_settings:
|
|
fail("Unknown stream: " + stream)
|
|
return [
|
|
csp_settings.get(csp, default),
|
|
attestation_variant_settings.get(attestation_variant, default),
|
|
stream_settings.get(stream, default),
|
|
]
|
|
|
|
def constellation_packages(stream):
|
|
base_packages = ["//measurement-reader/cmd:measurement-reader-package"]
|
|
if stream == "debug":
|
|
return ["//debugd/cmd/debugd:debugd-package"] + base_packages
|
|
return [
|
|
"//upgrade-agent/cmd:upgrade-agent-package",
|
|
"//bootstrapper/cmd/bootstrapper:bootstrapper-package",
|
|
] + base_packages
|
|
|
|
def kernel_command_line(csp, attestation_variant, stream):
|
|
cmdline = base_cmdline
|
|
for settings in from_settings(csp, attestation_variant, stream, default = {}):
|
|
cmdline = append_cmdline(cmdline, settings.get("kernel_command_line", ""))
|
|
return cmdline
|
|
|
|
def kernel_command_line_dict(csp, attestation_variant, stream):
|
|
commandline_dict = {}
|
|
for settings in from_settings(csp, attestation_variant, stream, default = {}):
|
|
commandline_dict = commandline_dict | settings.get("kernel_command_line_dict", {})
|
|
return commandline_dict
|
|
|
|
def base_image(csp, attestation_variant, stream):
|
|
for settings in from_settings(csp, attestation_variant, stream):
|
|
if "base_image" in settings:
|
|
return settings["base_image"]
|
|
return "//image/base:lts"
|
|
|
|
def append_cmdline(current, append):
|
|
"""Append a string to an existing commandline, separating them with a space.
|
|
|
|
Args:
|
|
current: The existing commandline. May be empty.
|
|
append: The string to append. May be empty.
|
|
|
|
Returns:
|
|
The combined commandline.
|
|
"""
|
|
if len(current) == 0:
|
|
return append
|
|
if len(append) == 0:
|
|
return current
|
|
return current + " " + append
|
|
|
|
def images_for_stream(stream):
|
|
return [
|
|
variant["csp"] + "_" + variant["attestation_variant"] + "_" + stream
|
|
for variant in VARIANTS
|
|
]
|
|
|
|
def images_for_csp(csp):
|
|
return [
|
|
csp + "_" + variant["attestation_variant"] + "_" + stream
|
|
for variant in VARIANTS
|
|
if variant["csp"] == csp
|
|
for stream in STREAMS
|
|
]
|
|
|
|
def images_for_csp_and_stream(csp, stream):
|
|
return [
|
|
csp + "_" + variant["attestation_variant"] + "_" + stream
|
|
for variant in VARIANTS
|
|
if variant["csp"] == csp
|
|
]
|