airgap/Makefile

NAME := airgap
IMAGE := local/$(NAME):latest
TARGET := x86_64
DEVICES := librem13v4 librem15v4
GIT_REF := $(shell git log -1 --format=%H config)
GIT_AUTHOR := $(shell git log -1 --format=%an config)
GIT_KEY := $(shell git log -1 --format=%GP config)
GIT_EPOCH := $(shell git log -1 --format=%at config)
GIT_DATETIME := \
	$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)
VERSION := "develop"
RELEASE_DIR := release/$(VERSION)
ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),)
	GIT_STATE=clean
else
	GIT_STATE=dirty
endif
OUT_DIR := build/buildroot/output/images
docker = docker
executables = $(docker)

.DEFAULT_GOAL := all

## Primary Targets

.PHONY: all
all: image fetch build hash

.PHONY: build
build: build-os build-fw

.PHONY: image
image:
	$(docker) build \
		--tag $(IMAGE) \
		--file $(PWD)/config/container/Dockerfile \
		$(IMAGE_OPTIONS) \
		$(PWD)

.PHONY: fetch
fetch:
	mkdir -p build release
	$(contain) fetch

.PHONY: clean
clean:
	$(contain) clean

.PHONY: mrproper
mrproper:
	docker image rm -f $(IMAGE)
	rm -rf build

.PHONY: build-os
build-os:
	$(contain) build-os
	mkdir -p $(RELEASE_DIR)
	cp $(OUT_DIR)/rootfs.iso9660 $(RELEASE_DIR)/airgap_$(TARGET).iso

.PHONY: build-fw
build-fw:
	$(contain) build-fw
	mkdir -p $(RELEASE_DIR)
	for device in $(DEVICES); do \
		cp \
			build/heads/build/$${device}/coreboot.rom \
			$(RELEASE_DIR)/$${device}.rom ; \
	done

## Release Targets

.PHONY: audit
audit:
	mkdir -p build/audit
	$(contain) audit

.PHONY: hash
hash:
	if [ ! -f release/$(VERSION)/hashes.txt ]; then \
		openssl sha256 -r release/$(VERSION)/*.rom \
			> release/$(VERSION)/hashes.txt; \
		openssl sha256 -r release/$(VERSION)/*.iso \
			>> release/$(VERSION)/hashes.txt; \
	fi

.PHONY: verify
verify:
	mkdir -p build/audit/$(VERSION)
	openssl sha256 -r $(RELEASE_DIR)/*.rom \
		> build/audit/$(VERSION)/release_hashes.txt
	openssl sha256 -r $(RELEASE_DIR)/*.iso \
		>> build/audit/$(VERSION)/release_hashes.txt
	diff -q build/audit/$(VERSION)/release_hashes.txt $(RELEASE_DIR)/hashes.txt;

.PHONY: sign
sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso
	set -e; \
	for file in $^; do \
		gpg --armor --detach-sig "$${file}"; \
		fingerprint=$$(\
			gpg --list-packets $${file}.asc \
				| grep "issuer key ID" \
				| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
		); \
		mv $${file}.asc $${file}.$${fingerprint}.asc; \
	done


## Development Targets

.PHONY: shell
shell:
	$(docker) inspect "$(NAME)" \
	&& $(docker) exec --interactive --user=root --tty "$(NAME)" shell \
	|| $(contain) shell


.PHONY: menuconfig
menuconfig:
	$(contain) menuconfig

.PHONY: linux-menuconfig
linux-menuconfig:
	$(contain) linux-menuconfig

.PHONY: vm
vm:
	$(contain) vm

.PHONY: update-packages
update-packages:
	docker rm -f "$(NAME)-update-packages" || :
	docker run \
		--rm \
		--detach \
		--name "$(NAME)-update-packages" \
		--user $(userid):$(groupid) \
		--env GIT_EPOCH="$(GIT_EPOCH)" \
		--volume $(PWD)/config/container/packages.list:/etc/apt/packages-old.list \
		--volume $(PWD)/config/container/apt.conf:/etc/apt/apt.conf \
		--volume $(PWD)/scripts:/usr/local/bin \
		debian tail -f /dev/null
	docker exec -it --user=root "$(NAME)-update-packages" update-packages
	docker cp \
		"$(NAME)-update-packages:/etc/apt/packages.list" \
		"$(PWD)/config/container/packages.list"
	docker cp \
		"$(NAME)-update-packages:/etc/apt/sources.list" \
		"$(PWD)/config/container/sources.list"
	docker cp \
		"$(NAME)-update-packages:/etc/apt/package-hashes.txt" \
		"$(PWD)/config/container/package-hashes.txt"
	docker rm -f "$(NAME)-update-packages"

## Make Helpers

check_executables := $(foreach exec,$(executables),\$(if \
	$(shell which $(exec)),some string,$(error "No $(exec) in PATH")))

userid = $(shell id -u)
groupid = $(shell id -g)
contain := \
	$(docker) run \
		--rm \
		--tty \
		--interactive \
		--name "$(NAME)" \
		--hostname "$(NAME)" \
		--env TARGET="$(TARGET)" \
		--env DEVICES="$(DEVICES)" \
		--env GIT_DATETIME="$(GIT_DATETIME)" \
		--env GIT_EPOCH="$(GIT_EPOCH)" \
		--env GIT_REF="$(GIT_REF)" \
		--env GIT_AUTHOR="$(GIT_AUTHOR)" \
		--env GIT_KEY="$(GIT_KEY)" \
		--env GIT_STATE="$(GIT_STATE)" \
		--env UID="$(shell id -u)" \
		--env GID="$(shell id -g)" \
		--volume $(PWD)/build:/home/build/build \
		--volume $(PWD)/config:/home/build/config \
		--volume $(PWD)/release:/home/build/release \
		--volume $(PWD)/scripts:/home/build/scripts \
		$(IMAGE)
rename to airgap 2020-06-15 18:04:50 +00:00			`NAME := airgap`
			`IMAGE := local/$(NAME):latest`
add release verification and signing 2020-07-19 08:31:10 +00:00			`TARGET := x86_64`
			`DEVICES := librem13v4 librem15v4`
embed build details into build as splash screen 2020-07-17 02:15:03 +00:00			`GIT_REF := $(shell git log -1 --format=%H config)`
			`GIT_AUTHOR := $(shell git log -1 --format=%an config)`
			`GIT_KEY := $(shell git log -1 --format=%GP config)`
			`GIT_EPOCH := $(shell git log -1 --format=%at config)`
add release verification and signing 2020-07-19 08:31:10 +00:00			`GIT_DATETIME := \`
			`$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)`
			`VERSION := "develop"`
			`RELEASE_DIR := release/$(VERSION)`
embed build details into build as splash screen 2020-07-17 02:15:03 +00:00			`ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),)`
			`GIT_STATE=clean`
			`else`
			`GIT_STATE=dirty`
			`endif`
Deterministic iso support (on supported filesystems) 2020-07-11 23:08:30 +00:00			`OUT_DIR := build/buildroot/output/images`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`docker = docker`
			`executables = $(docker)`

			`.DEFAULT_GOAL := all`

			`## Primary Targets`

			`.PHONY: all`
add release verification and signing 2020-07-19 08:31:10 +00:00			`all: image fetch build hash`

			`.PHONY: build`
			`build: build-os build-fw`

working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`.PHONY: image`
			`image:`
revert docker buildkit which seems to be buggy in docker < 19 2020-10-10 07:56:44 +00:00			`$(docker) build \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`--tag $(IMAGE) \`
			`--file $(PWD)/config/container/Dockerfile \`
			`$(IMAGE_OPTIONS) \`
			`$(PWD)`

			`.PHONY: fetch`
			`fetch:`
			`mkdir -p build release`
			`$(contain) fetch`

			`.PHONY: clean`
			`clean:`
			`$(contain) clean`

add release verification and signing 2020-07-19 08:31:10 +00:00			`.PHONY: mrproper`
			`mrproper:`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`docker image rm -f $(IMAGE)`
add release verification and signing 2020-07-19 08:31:10 +00:00			`rm -rf build`

			`.PHONY: build-os`
			`build-os:`
			`$(contain) build-os`
			`mkdir -p $(RELEASE_DIR)`
			`cp $(OUT_DIR)/rootfs.iso9660 $(RELEASE_DIR)/airgap_$(TARGET).iso`

			`.PHONY: build-fw`
			`build-fw:`
			`$(contain) build-fw`
			`mkdir -p $(RELEASE_DIR)`
			`for device in $(DEVICES); do \`
			`cp \`
			`build/heads/build/$${device}/coreboot.rom \`
			`$(RELEASE_DIR)/$${device}.rom ; \`
			`done`

updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`## Release Targets`

			`.PHONY: audit`
			`audit:`
add build container cve reporting 2020-07-25 00:51:05 +00:00			`mkdir -p build/audit`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`$(contain) audit`

add release verification and signing 2020-07-19 08:31:10 +00:00			`.PHONY: hash`
			`hash:`
			`if [ ! -f release/$(VERSION)/hashes.txt ]; then \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r release/$(VERSION)/*.rom \`
add release verification and signing 2020-07-19 08:31:10 +00:00			`> release/$(VERSION)/hashes.txt; \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r release/$(VERSION)/*.iso \`
add release verification and signing 2020-07-19 08:31:10 +00:00			`>> release/$(VERSION)/hashes.txt; \`
			`fi`

updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`.PHONY: verify`
			`verify:`
fix verify hash path 2020-07-25 01:00:07 +00:00			`mkdir -p build/audit/$(VERSION)`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r $(RELEASE_DIR)/*.rom \`
fix verify hash path 2020-07-25 01:00:07 +00:00			`> build/audit/$(VERSION)/release_hashes.txt`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`openssl sha256 -r $(RELEASE_DIR)/*.iso \`
fix verify hash path 2020-07-25 01:00:07 +00:00			`>> build/audit/$(VERSION)/release_hashes.txt`
			`diff -q build/audit/$(VERSION)/release_hashes.txt $(RELEASE_DIR)/hashes.txt;`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00
			`.PHONY: sign`
			`sign: $(RELEASE_DIR)/.rom $(RELEASE_DIR)/.iso`
allow multiple detached signatures named by fingerprint 2020-07-26 00:53:15 +00:00			`set -e; \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`for file in $^; do \`
			`gpg --armor --detach-sig "$${file}"; \`
allow multiple detached signatures named by fingerprint 2020-07-26 00:53:15 +00:00			`fingerprint=$$(\`
			`gpg --list-packets $${file}.asc \`
			`\| grep "issuer key ID" \`
			`\| sed 's/.\([A-Z0-9]\{16\}\)./\1/g' \`
			`); \`
			`mv $${file}.asc $${file}.$${fingerprint}.asc; \`
updated hash format: 1.0.0rc4 2020-07-24 10:07:39 +00:00			`done`

add release verification and signing 2020-07-19 08:31:10 +00:00
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`## Development Targets`

			`.PHONY: shell`
			`shell:`
			`$(docker) inspect "$(NAME)" \`
safer/simpler uid/gid mapping w/ reduced build privs 2020-10-15 23:26:28 +00:00			`&& $(docker) exec --interactive --user=root --tty "$(NAME)" shell \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`\|\| $(contain) shell`


			`.PHONY: menuconfig`
			`menuconfig:`
			`$(contain) menuconfig`

safer/simpler uid/gid mapping w/ reduced build privs 2020-10-15 23:26:28 +00:00			`.PHONY: linux-menuconfig`
working usb, yubikeys, and some kernel hardening 2020-07-15 01:35:16 +00:00			`linux-menuconfig:`
			`$(contain) linux-menuconfig`

working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`.PHONY: vm`
			`vm:`
			`$(contain) vm`

			`.PHONY: update-packages`
			`update-packages:`
cleaned up, updated, and more reliable package updates 2020-10-08 01:24:58 +00:00			`docker rm -f "$(NAME)-update-packages" \|\| :`
			`docker run \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`--rm \`
			`--detach \`
cleaned up, updated, and more reliable package updates 2020-10-08 01:24:58 +00:00			`--name "$(NAME)-update-packages" \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`--user $(userid):$(groupid) \`
automate snapshot date bump 2020-07-23 11:12:31 +00:00			`--env GIT_EPOCH="$(GIT_EPOCH)" \`
cleaned up, updated, and more reliable package updates 2020-10-08 01:24:58 +00:00			`--volume $(PWD)/config/container/packages.list:/etc/apt/packages-old.list \`
			`--volume $(PWD)/config/container/apt.conf:/etc/apt/apt.conf \`
			`--volume $(PWD)/scripts:/usr/local/bin \`
			`debian tail -f /dev/null`
			`docker exec -it --user=root "$(NAME)-update-packages" update-packages`
			`docker cp \`
			`"$(NAME)-update-packages:/etc/apt/packages.list" \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`"$(PWD)/config/container/packages.list"`
cleaned up, updated, and more reliable package updates 2020-10-08 01:24:58 +00:00			`docker cp \`
			`"$(NAME)-update-packages:/etc/apt/sources.list" \`
automate snapshot date bump 2020-07-23 11:12:31 +00:00			`"$(PWD)/config/container/sources.list"`
overhaul update-packages to be faster, and save sha256 hash manifest of downloaded debs 2020-10-16 00:08:15 +00:00			`docker cp \`
			`"$(NAME)-update-packages:/etc/apt/package-hashes.txt" \`
			`"$(PWD)/config/container/package-hashes.txt"`
cleaned up, updated, and more reliable package updates 2020-10-08 01:24:58 +00:00			`docker rm -f "$(NAME)-update-packages"`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00
			`## Make Helpers`

			`check_executables := $(foreach exec,$(executables),\$(if \`
			`$(shell which $(exec)),some string,$(error "No $(exec) in PATH")))`

			`userid = $(shell id -u)`
			`groupid = $(shell id -g)`
			`contain := \`
			`$(docker) run \`
			`--rm \`
			`--tty \`
			`--interactive \`
			`--name "$(NAME)" \`
			`--hostname "$(NAME)" \`
add release verification and signing 2020-07-19 08:31:10 +00:00			`--env TARGET="$(TARGET)" \`
			`--env DEVICES="$(DEVICES)" \`
Deterministic iso support (on supported filesystems) 2020-07-11 23:08:30 +00:00			`--env GIT_DATETIME="$(GIT_DATETIME)" \`
			`--env GIT_EPOCH="$(GIT_EPOCH)" \`
embed build details into build as splash screen 2020-07-17 02:15:03 +00:00			`--env GIT_REF="$(GIT_REF)" \`
			`--env GIT_AUTHOR="$(GIT_AUTHOR)" \`
			`--env GIT_KEY="$(GIT_KEY)" \`
			`--env GIT_STATE="$(GIT_STATE)" \`
safer/simpler uid/gid mapping w/ reduced build privs 2020-10-15 23:26:28 +00:00			`--env UID="$(shell id -u)" \`
			`--env GID="$(shell id -g)" \`
working qemu target and containerized vm booting 2020-06-15 08:08:20 +00:00			`--volume $(PWD)/build:/home/build/build \`
			`--volume $(PWD)/config:/home/build/config \`
			`--volume $(PWD)/release:/home/build/release \`
			`--volume $(PWD)/scripts:/home/build/scripts \`
			`$(IMAGE)`