Skip to content

Commit

Permalink
Merge branch 'master' into alpine-initrd
Browse files Browse the repository at this point in the history
  • Loading branch information
Itxaka authored May 30, 2023
2 parents e1f0ac8 + 4e555cd commit 06226fc
Show file tree
Hide file tree
Showing 8 changed files with 326 additions and 21 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -263,7 +263,7 @@ jobs:
latest-release:
runs-on: ubuntu-latest
steps:
- uses: robinraju/release-downloader@v1.7
- uses: robinraju/release-downloader@v1.8
with:
# A flag to set the download target as latest release
# The default value is 'false'
Expand Down
43 changes: 38 additions & 5 deletions .github/workflows/release-arm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
# end of optional handling for multi line json
echo "::set-output name=matrix::{\"include\": $content }"
docker:
runs-on: ubuntu-latest
runs-on: ${{ matrix.worker }}
needs:
- get-matrix
permissions:
Expand All @@ -35,9 +35,38 @@ jobs:
matrix: ${{fromJson(needs.get-matrix.outputs.matrix)}}
steps:
- name: Release space from worker
if: ${{ matrix.worker != 'self-hosted' }}
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
df -h
echo
sudo apt-get remove -y '^llvm-.*|^libllvm.*' || true
sudo apt-get remove --auto-remove android-sdk-platform-tools || true
sudo apt-get purge --auto-remove android-sdk-platform-tools || true
sudo rm -rf /usr/local/lib/android
sudo apt-get remove -y '^dotnet-.*|^aspnetcore-.*' || true
sudo rm -rf /usr/share/dotnet
sudo apt-get remove -y '^mono-.*' || true
sudo apt-get remove -y '^ghc-.*' || true
sudo apt-get remove -y '.*jdk.*|.*jre.*' || true
sudo apt-get remove -y 'php.*' || true
sudo apt-get remove -y hhvm powershell firefox monodoc-manual msbuild || true
sudo apt-get remove -y '^google-.*' || true
sudo apt-get remove -y azure-cli || true
sudo apt-get remove -y '^mongo.*-.*|^postgresql-.*|^mysql-.*|^mssql-.*' || true
sudo apt-get remove -y '^gfortran-.*' || true
sudo apt-get autoremove -y
sudo apt-get clean
echo
echo "Listing top largest packages"
pkgs=$(dpkg-query -Wf '${Installed-Size}\t${Package}\t${Status}\n' | awk '$NF == "installed"{print $1 "\t" $2}' | sort -nr)
head -n 30 <<< "${pkgs}"
echo
sudo rm -rfv build || true
df -h
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
Expand All @@ -47,6 +76,11 @@ jobs:
platforms: all
- name: Install Cosign
uses: sigstore/cosign-installer@main
- name: Install earthly
uses: Luet-lab/luet-install-action@v1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
Expand All @@ -56,7 +90,7 @@ jobs:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Build 🔧
- name: Standard Build 🔧
if: ${{ matrix.worker != 'self-hosted' }}
env:
FLAVOR: ${{ matrix.flavor }}
Expand Down Expand Up @@ -84,7 +118,6 @@ jobs:
EOF
export TAG=${GITHUB_REF##*/}
docker run --privileged -v $HOME/.earthly/config.yml:/etc/.earthly/config.yml -v /var/run/docker.sock:/var/run/docker.sock --rm --env EARTHLY_BUILD_ARGS -t -v "$(pwd)":/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.7.5 --allow-privileged +all-arm --IMAGE_NAME=kairos-$FLAVOR-$TAG.img --IMAGE=quay.io/kairos/core-$FLAVOR:$TAG --MODEL=$MODEL --FLAVOR=$FLAVOR
- name: Push 🔧
env:
FLAVOR: ${{ matrix.flavor }}
Expand Down
21 changes: 21 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,27 @@ jobs:
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
build-uki:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: |
git fetch --prune --unshallow
- name: Install earthly
uses: Luet-lab/luet-install-action@v1
with:
repository: quay.io/kairos/packages
packages: utils/earthly
- name: Build uki image 🔧
run: |
# Do fedora as its the smaller uki possible
earthly +uki --FLAVOR=fedora
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
build/efi
# build-vm-images:
# needs: build
# runs-on: macos-12
Expand Down
141 changes: 132 additions & 9 deletions Earthfile
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,7 @@ base-image:
ARG MODEL
ARG FLAVOR
ARG VARIANT
ARG BUILD_INITRD="true"
IF [ "$BASE_IMAGE" = "" ]
# Source the flavor-provided docker file
FROM DOCKERFILE --build-arg MODEL=$MODEL -f images/Dockerfile.$FLAVOR .
Expand Down Expand Up @@ -331,16 +332,17 @@ base-image:
RUN find /usr/lib/modules -type f -name "*.ko" -execdir zstd --rm -9 {} \+
END


IF [ "$FLAVOR" = "debian" ]
RUN rm -rf /boot/initrd.img-*
END
IF [ "$BUILD_INITRD" = "true" ]
IF [ "$FLAVOR" = "debian" ]
RUN rm -rf /boot/initrd.img-*
END


IF [ -e "/usr/bin/dracut" ]
# Regenerate initrd if necessary
RUN --no-cache kernel=$(ls /lib/modules | head -n1) && depmod -a "${kernel}"
RUN --no-cache kernel=$(ls /lib/modules | head -n1) && dracut -f "/boot/initrd-${kernel}" "${kernel}" && ln -sf "initrd-${kernel}" /boot/initrd
IF [ -e "/usr/bin/dracut" ]
# Regenerate initrd if necessary
RUN --no-cache kernel=$(ls /lib/modules | head -n1) && depmod -a "${kernel}"
RUN --no-cache kernel=$(ls /lib/modules | head -n1) && dracut -f "/boot/initrd-${kernel}" "${kernel}" && ln -sf "initrd-${kernel}" /boot/initrd
END
END

# Set /boot/vmlinuz pointing to our kernel so kairos-agent can use it
Expand Down Expand Up @@ -377,10 +379,12 @@ base-image:
END
END


RUN rm -rf /tmp/*

image:
FROM +base-image
ARG BUILD_INITRD="true"
FROM +base-image --BUILD_INITRD=$BUILD_INITRD
ARG FLAVOR
ARG VARIANT
ARG MODEL
Expand All @@ -406,6 +410,125 @@ image-rootfs:
FROM +image
SAVE ARTIFACT --keep-own /. rootfs

uki-artifacts:
FROM +image --BUILD_INITRD=false
RUN /usr/bin/immucore version
RUN ln -s /usr/bin/immucore /init
RUN find . \( -path ./sys -prune -o -path ./run -prune -o -path ./dev -prune -o -path ./tmp -prune -o -path ./proc -prune \) -o -print | cpio -R root:root -H newc -o | gzip -2 > /tmp/initramfs.cpio.gz
RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline
RUN basename $(ls /boot/vmlinuz-* |grep -v rescue | head -n1)| sed --expression "s/vmlinuz-//g" > /tmp/Uname
SAVE ARTIFACT /boot/vmlinuz Kernel
SAVE ARTIFACT /etc/os-release Osrelease
SAVE ARTIFACT /tmp/Cmdline Cmdline
SAVE ARTIFACT /tmp/Uname Uname
SAVE ARTIFACT /tmp/initramfs.cpio.gz Initrd

# Base image for uki operations so we only run the install once
uki-tools-image:
FROM fedora:38
# objcopy from binutils and systemd-stub from systemd
RUN dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl

uki:
FROM +uki-tools-image
WORKDIR build
COPY +uki-artifacts/Kernel Kernel
COPY +uki-artifacts/Initrd Initrd
COPY +uki-artifacts/Osrelease Osrelease
COPY +uki-artifacts/Uname Uname
COPY +uki-artifacts/Cmdline Cmdline
ARG KVERSION=$(cat Uname)
RUN objcopy /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
--add-section .osrel=Osrelease --set-section-flags .osrel=data,readonly \
--add-section .cmdline=Cmdline --set-section-flags .cmdline=data,readonly \
--add-section .initrd=Initrd --set-section-flags .initrd=data,readonly \
--add-section .uname=Uname --set-section-flags .uname=data,readonly \
--add-section .linux=Kernel --set-section-flags .linux=code,readonly \
$ISO_NAME.unsigned.efi \
--change-section-vma .osrel=0x17000 \
--change-section-vma .cmdline=0x18000 \
--change-section-vma .initrd=0x19000 \
--change-section-vma .uname=0x5a0ed000 \
--change-section-vma .linux=0x5a0ee000
SAVE ARTIFACT Uname Uname
SAVE ARTIFACT $ISO_NAME.unsigned.efi uki.efi AS LOCAL build/$ISO_NAME.unsigned-$KVERSION.efi


uki-signed:
FROM +uki-tools-image
# Platform key
RUN openssl req -new -x509 -subj "/CN=Kairos PK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout PK.key -out PK.crt
# CER keys are for FW install
RUN openssl x509 -in PK.crt -out PK.cer -outform DER
# Key exchange
RUN openssl req -new -x509 -subj "/CN=Kairos KEK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout KEK.key -out KEK.crt
# CER keys are for FW install
RUN openssl x509 -in KEK.crt -out KEK.cer -outform DER
# Signature DB
RUN openssl req -new -x509 -subj "/CN=Kairos DB/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout DB.key -out DB.crt
# CER keys are for FW install
RUN openssl x509 -in DB.crt -out DB.cer -outform DER
COPY +uki/uki.efi uki.efi
COPY +uki/Uname Uname
ARG KVERSION=$(cat Uname)

RUN sbsign --key DB.key --cert DB.crt --output uki.signed.efi uki.efi


SAVE ARTIFACT /boot/efi/EFI/fedora/mmx64.efi MokManager.efi
SAVE ARTIFACT PK.key PK.key AS LOCAL build/PK.key
SAVE ARTIFACT PK.crt PK.crt AS LOCAL build/PK.crt
SAVE ARTIFACT PK.cer PK.cer AS LOCAL build/PK.cer
SAVE ARTIFACT KEK.key KEK.key AS LOCAL build/KEK.key
SAVE ARTIFACT KEK.crt KEK.crt AS LOCAL build/KEK.crt
SAVE ARTIFACT KEK.cer KEK.cer AS LOCAL build/KEK.cer
SAVE ARTIFACT DB.key DB.key AS LOCAL build/DB.key
SAVE ARTIFACT DB.crt DB.crt AS LOCAL build/DB.crt
SAVE ARTIFACT DB.cer DB.cer AS LOCAL build/DB.cer
SAVE ARTIFACT uki.signed.efi uki.efi AS LOCAL build/$ISO_NAME.signed-$KVERSION.efi

# This target will prepare a disk.img ready with the uki artifact on it for qemu. Just attach it to qemu and mark you vm to boot from that disk
# here we take advantage of the uefi fallback method, which will load an efi binary in /EFI/BOOT/BOOTX64.efi if there is nothing
# else that it can boot from :D Just make sure to have your disk.img set as boot device in qemu.
prepare-uki-disk-image:
FROM +uki-tools-image
ARG SIGNED_EFI=false
IF [ "$SIGNED_EFI" = "true" ]
COPY +uki-signed/uki.efi .
COPY +uki-signed/PK.key .
COPY +uki-signed/PK.crt .
COPY +uki-signed/PK.cer .
COPY +uki-signed/KEK.key .
COPY +uki-signed/KEK.crt .
COPY +uki-signed/KEK.cer .
COPY +uki-signed/DB.key .
COPY +uki-signed/DB.crt .
COPY +uki-signed/DB.cer .
COPY +uki-signed/MokManager.efi .
ELSE
COPY +uki/uki.efi .
END
RUN dd if=/dev/zero of=disk.img bs=1G count=1
RUN mformat -i disk.img -F ::
RUN mmd -i disk.img ::/EFI
RUN mmd -i disk.img ::/EFI/BOOT
RUN mcopy -i disk.img uki.efi ::/EFI/BOOT/BOOTX64.efi
IF [ "$SIGNED_EFI" = "true" ]
RUN mcopy -i disk.img PK.key ::/EFI/BOOT/PK.key
RUN mcopy -i disk.img PK.crt ::/EFI/BOOT/PK.crt
RUN mcopy -i disk.img PK.cer ::/EFI/BOOT/PK.cer
RUN mcopy -i disk.img KEK.key ::/EFI/BOOT/KEK.key
RUN mcopy -i disk.img KEK.crt ::/EFI/BOOT/KEK.crt
RUN mcopy -i disk.img KEK.cer ::/EFI/BOOT/KEK.cer
RUN mcopy -i disk.img DB.key ::/EFI/BOOT/DB.key
RUN mcopy -i disk.img DB.crt ::/EFI/BOOT/DB.crt
RUN mcopy -i disk.img DB.cer ::/EFI/BOOT/DB.cer
RUN mcopy -i disk.img MokManager.efi ::/EFI/BOOT/mmx64.efi
END
RUN mdir -i disk.img ::/EFI/BOOT
SAVE ARTIFACT disk.img AS LOCAL build/disk.img


###
### Artifacts targets (ISO, netboot, ARM)
###
Expand Down
92 changes: 92 additions & 0 deletions UKI-experimental.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
# UKI: Unified Kernel Image


It's basically a kernel, initrd and cmdline for the kernel all lumped up together in an efi binary. Mixing it with something like systemd-stub
means that you can boot from the EFI shell directly into the system.

You can add more stuff to it like the os-release info, the kernel version (uname), splash image, Devicetree , etc...

This way you got everything in one nice package and can sign the whole thing for secureboot or calculate the hashes for measured boot.


Usually under secureboot the initrd is not signed (as its generated locally), so once the kernel is run initrd signature is not verified. Nor you can measure it with TPM PCRs

UKI bundles the kernel with initrd and everything else, so you can sign the whole thing AND pre-calculate the hashes for TPM PCRs in advance.


Good writeup: https://0pointer.net/blog/brave-new-trusted-boot-world.html


### So why not a bit more?

So why not store the whole system in the initramfs?

In this branch on the earthfile there is a new target called uki. This will generate an efi with the whole kairos system under the initramfs.
This uses immucore to mount and set up the whole system.

There is an extra target called `prepare-uki-disk-image` which will generate a disk.img with the efi file inside in the proper place, so you
can just attach that image to a qemu vm and boot from there. An extra arg `SIGNED_EFI` will provide the same image but with a signed efi and all the keys needed
to insert hem into the uefo firmware and test secureboot.

The only special thing the target does is use objcopy to add sections to the systemd-stub pointing to the correct data:

```bash
RUN objcopy /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
--add-section .osrel=Osrelease --set-section-flags .osrel=data,readonly \
--add-section .cmdline=Cmdline --set-section-flags .cmdline=data,readonly \
--add-section .initrd=Initrd --set-section-flags .initrd=data,readonly \
--add-section .uname=Uname --set-section-flags .uname=data,readonly \
--add-section .linux=Kernel --set-section-flags .linux=code,readonly \
$ISO_NAME.unsigned.efi \
--change-section-vma .osrel=0x17000 \
--change-section-vma .cmdline=0x18000 \
--change-section-vma .initrd=0x19000 \
--change-section-vma .uname=0x5a0ed000 \
--change-section-vma .linux=0x5a0ee000
```

Where:
* Kernel is the kernel that will be booted.
* Initrd is the initramfs that will be booted by the kernel. Currently, a dump of the docker-rootfs...rootfs
* Uname the output of `uname -r` (Optional content)
* Osrelease is the /etc/os-release file from the kairos rootfs (Optional content)
* Cmdline is the line to be passed to the kernel (Optional content, but needed in our case)


# Running the efi locally with qemu

For ease of use there is a target in the earthly file that will generate a disk.img with the efi inside.
Run `earthly +prepare-disk-image` and you will get a `build/disk.img` ready to be consumed

To run it under qemu use the following arguments:

```bash
qemu-system-x86_64 -bios $EFI_FIRMWARE -accel kvm -cpu host -m $MEMORY -machine pc \
-drive file=disk.img,if=none,index=0,media=disk,format=raw,id=disk1 -device virtio-blk-pci,drive=disk1,bootindex=0 \
-boot menu=on
```

Where `$EFI_FIRMWARE` is the OVMF efi firmware and `$MEMORY` is at least 4000.


Note that you can also build the uki image signed by passing the `--SIGNED_EFI=true` to earthly. That would produce the same
`build/disk.img` but with some extra files inside, like the certificates needed to be added to the firmware and the MokManager util to install those certificates.

With those certs and MokManager is possible to install the generated certs to test booting with SecureBoot enabled.

Note that the `$EFI_FIRMWARE` needs to be set to the OVMF SecureBoot enabled file to test SecureBoot.

For example under Fedora, the normal firmware with no SecureBoot is found at `/usr/share/edk2/ovmf/OVMF_CODE.fd` while
the SecureBoot enabled one is `/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd`

Good links:

- https://man.archlinux.org/man/systemd-stub.7
- https://wiki.osdev.org/UEFI#UEFI_applications_in_detail
- https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md
- https://man.archlinux.org/man/systemd-measure.1.en
- https://manuais.iessanclemente.net/images/a/a6/EFI-ShellCommandManual.pdf
- https://0pointer.net/blog/brave-new-trusted-boot-world.html



2 changes: 1 addition & 1 deletion overlay/files/system/oem/00_rootfs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ stages:
providers: ["aws", "gcp", "openstack", "cdrom"]
path: "/oem"
rootfs:
- if: '[ ! -f "/run/cos/recovery_mode" ]'
- if: '[ ! -f "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/uki_mode" ]'
name: "Layout configuration"
environment_file: /run/cos/cos-layout.env
environment:
Expand Down
Loading

0 comments on commit 06226fc

Please sign in to comment.