Refactor to use distrust/toolchain project.

This commit is contained in:
Lance Vick 2023-01-30 15:17:54 -08:00
parent 14f89c22d3
commit 4b61b1633d
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
22 changed files with 55 additions and 475 deletions

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
build/
cache/
out/
release/develop
.*

3
.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "src/toolchain"]
path = src/toolchain
url = git@codeberg.org:distrust/toolchain.git

277
Makefile
View File

@ -1,195 +1,66 @@
NAME := airgap
IMAGE := local/$(NAME):latest
ARCH := x86_64
TARGET := $(ARCH)
USER := $(shell id -u):$(shell id -g)
CPUS := $(shell docker run -it debian nproc)
GIT_REF := $(shell git log -1 --format=%H config)
GIT_AUTHOR := $(shell git log -1 --format=%an config)
GIT_KEY := $(shell git log -1 --format=%GP config)
GIT_EPOCH := $(shell git log -1 --format=%at config)
GIT_DATETIME := \
$(shell git log -1 --format=%cd --date=format:'%Y-%m-%d %H:%M:%S' config)
ifeq ($(strip $(shell git status --porcelain 2>/dev/null)),)
GIT_STATE=clean
else
GIT_STATE=dirty
endif
VERSION := $(shell TZ=UTC0 git show --quiet --date='format-local:%Y%m%dT%H%M%SZ' --format="%cd")
RELEASE_DIR := release/$(VERSION)
CONFIG_DIR := config
BR2_EXTERNAL := $(CONFIG_DIR)/buildroot
HEADS_EXTERNAL := $(CONFIG_DIR)/heads
CACHE_DIR := build
SRC_DIR := src
OUT_DIR := out
docker = docker
executables = $(docker) git patch
include $(PWD)/src/toolchain/Makefile
include $(PWD)/config/config.env
## Use env vars from existing release if present
ifneq (,$(wildcard $(RELEASE_DIR)/release.env))
include $(RELEASE_DIR)/release.env
export
endif
.DEFAULT_GOAL := out/manifest.txt
## Primary Targets
.PHONY: fetch
fetch: $(CACHE_DIR)/toolchain.tar
mkdir -p build release
$(call toolchain,$(USER),"fetch")
.DEFAULT_GOAL := $(OUT_DIR)/airgap.iso
.PHONY: clean
clean: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"clean")
clean: toolchain
rm -f $(OUT_DIR) $(CACHE_DIR)/buildroot-ccache || :
$(call toolchain,$(USER)," \
cd $(CACHE_DIR)/buildroot; \
make clean; \
")
.PHONY: mrproper
mrproper:
docker image rm -f $(IMAGE)
rm -rf $(CACHE_DIR) $(OUT_DIR)
## Release Targets
.PHONY: release
release: | \
$(OUT_DIR)/release.env \
$(OUT_DIR)/airgap.iso \
$(OUT_DIR)/manifest.txt
mkdir -p $(RELEASE_DIR)
cp out/release.env $(RELEASE_DIR)/release.env
cp out/airgap.iso $(RELEASE_DIR)/airgap.iso
cp out/manifest.txt $(RELEASE_DIR)/manifest.txt
.PHONY: attest
attest:
rm -rf $(CACHE_DIR) $(OUT_DIR)
$(MAKE) $(OUT_DIR)/manifest.txt
diff -q $(OUT_DIR)/manifest.txt release/$(VERSION)/manifest.txt;
.PHONY: sign
sign:
set -e; \
git config --get user.signingkey 2>&1 >/dev/null || { \
echo "Error: git user.signingkey is not defined"; \
exit 1; \
}; \
fingerprint=$$(\
git config --get user.signingkey \
| sed 's/.*\([A-Z0-9]\{16\}\).*/\1/g' \
); \
gpg --armor \
--detach-sig \
--output $(RELEASE_DIR)/manifest.$${fingerprint}.asc \
$(RELEASE_DIR)/manifest.txt
.PHONY: verify
verify: | $(RELEASE_DIR)/manifest.txt
set -e; \
for file in $(RELEASE_DIR)/manifest.*.asc; do \
echo "\nVerifying: $${file}\n"; \
gpg --verify $${file} $(RELEASE_DIR)/manifest.txt; \
done;
.PHONY: audit
audit: $(CACHE_DIR)/toolchain.tar
mkdir -p $(CACHE_DIR)/audit
$(call toolchain,$(USER),"audit")
$(RELEASE_DIR):
mkdir -p $(RELEASE_DIR)
$(RELEASE_DIR)/release.env: \
$(RELEASE_DIR) \
$(OUT_DIR)/release.env
cp $(OUT_DIR)/release.env $(RELEASE_DIR)/release.env
$(RELEASE_DIR)/airgap.iso: \
$(RELEASE_DIR) \
$(OUT_DIR)/airgap.iso
cp $(OUT_DIR)/airgap.iso $(RELEASE_DIR)/airgap.iso
$(RELEASE_DIR)/manifest.txt: \
$(RELEASE_DIR) \
$(OUT_DIR)/manifest.txt
cp $(OUT_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt
## Development Targets
.PHONY: menuconfig
menuconfig: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"menuconfig")
menuconfig: toolchain
$(call toolchain,$(USER)," \
cd $(CACHE_DIR)/buildroot; \
make "airgap_$(TARGET)_defconfig"; \
make menuconfig; \
")
cp $(CACHE_DIR)/buildroot/.config \
"config/buildroot/configs/airgap_$(TARGET)_defconfig"
.PHONY: linux-menuconfig
linux-menuconfig: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"linux-menuconfig")
linux-menuconfig: toolchain
$(call toolchain,$(USER),"\
cd $(CACHE_DIR)/buildroot; \
make linux-menuconfig; \
make linux-update-defconfig; \
")
.PHONY: vm
vm: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"vm")
vm: toolchain
$(call toolchain,$(USER)," \
qemu-system-i386 \
-M pc \
-nographic \
-cdrom "${HOME}/release/${TARGET}/airgap.iso"; \
")
# Launch a shell inside the toolchain container
.PHONY: toolchain-shell
toolchain-shell: $(CACHE_DIR)/toolchain.tar
$(call toolchain,$(USER),"bash --norc")
.PHONY: release
release: | \
$(OUT_DIR)/airgap.iso \
$(OUT_DIR)/manifest.txt
mkdir -p $(RELEASE_DIR)
cp $(OUT_DIR)/release.env $(RELEASE_DIR)/release.env
cp $(OUT_DIR)/airgap.iso $(RELEASE_DIR)/airgap.iso
cp $(OUT_DIR)/manifest.txt $(RELEASE_DIR)/manifest.txt
# Pin all packages in toolchain container to latest versions
.PHONY: toolchain-update
toolchain-update:
docker run \
--rm \
--env LOCAL_USER=$(USER) \
--platform=linux/$(ARCH) \
--volume $(PWD)/$(CONFIG_DIR):/config \
--volume $(PWD)/$(SRC_DIR)/toolchain/scripts:/usr/local/bin \
--env ARCH=$(ARCH) \
--interactive \
--tty \
debian@sha256:$(DEBIAN_HASH) \
bash -c /usr/local/bin/packages-update
## Real targets
$(CACHE_DIR)/toolchain.tar:
mkdir -p $(CACHE_DIR)
DOCKER_BUILDKIT=1 \
docker build \
--tag $(IMAGE) \
--build-arg DEBIAN_HASH=$(DEBIAN_HASH) \
--build-arg CONFIG_DIR=$(CONFIG_DIR) \
--build-arg SCRIPTS_DIR=$(SRC_DIR)/toolchain/scripts \
--platform=linux/$(ARCH) \
-f $(SRC_DIR)/toolchain/Dockerfile \
.
docker save "$(IMAGE)" -o "$@"
$(CACHE_DIR)/buildroot: $(CACHE_DIR)/toolchain.tar
$(CACHE_DIR)/buildroot: toolchain
$(call git_clone,buildroot,$(BUILDROOT_REPO),$(BUILDROOT_REF))
$(CACHE_DIR)/heads: $(CACHE_DIR)/toolchain.tar
$(call git_clone,heads,$(HEADS_REPO),$(HEADS_REF))
$(OUT_DIR):
mkdir -p $(OUT_DIR)
$(OUT_DIR)/release.env: $(OUT_DIR)
echo 'VERSION=$(VERSION)' > $(OUT_DIR)/release.env
echo 'GIT_REF=$(GIT_REF)' >> $(OUT_DIR)/release.env
echo 'GIT_AUTHOR=$(GIT_AUTHOR)' >> $(OUT_DIR)/release.env
echo 'GIT_KEY=$(GIT_KEY)' >> $(OUT_DIR)/release.env
echo 'GIT_DATETIME=$(GIT_DATETIME)' >> $(OUT_DIR)/release.env
$(OUT_DIR)/airgap.iso: \
toolchain \
$(CACHE_DIR)/buildroot \
$(OUT_DIR)/release.env
$(call apply_patches,buildroot,$(BR2_EXTERNAL)/patches)
$(call apply_patches,$(CACHE_DIR)/buildroot,$(BR2_EXTERNAL)/patches)
$(call toolchain,$(USER)," \
cd buildroot; \
cd $(CACHE_DIR)/buildroot; \
make "airgap_$(TARGET)_defconfig"; \
unset FAKETIME; \
make source; \
@ -198,73 +69,3 @@ $(OUT_DIR)/airgap.iso: \
mkdir -p $(OUT_DIR)
cp $(CACHE_DIR)/buildroot/output/images/rootfs.iso9660 \
$(OUT_DIR)/airgap.iso
$(OUT_DIR)/manifest.txt: \
$(OUT_DIR)/airgap.iso \
$(OUT_DIR)/release.env
cd $(OUT_DIR); \
openssl sha256 -r release.env > manifest.txt; \
openssl sha256 -r airgap.iso >> manifest.txt;
## Make Helpers
check_executables := $(foreach exec,$(executables),\$(if \
$(shell which $(exec)),some string,$(error "No $(exec) in PATH")))
define git_clone
[ -d $(CACHE_DIR)/$(1) ] || git clone $(2) $(CACHE_DIR)/$(1)
git -C $(CACHE_DIR)/$(1) checkout $(3)
git -C $(CACHE_DIR)/$(1) rev-parse --verify HEAD | grep -q $(3) || { \
echo 'Error: Git ref/branch collision.'; exit 1; \
};
endef
define apply_patches
[ -d $(2) ] && $(call toolchain,$(USER)," \
cd $(1); \
git restore .; \
find /$(2) -type f -iname '*.patch' -print0 \
| xargs -t -0 -n 1 patch -p1 --no-backup-if-mismatch -i ; \
")
endef
define toolchain
docker load -i $(CACHE_DIR)/toolchain.tar
docker run \
--rm \
--tty \
--interactive \
--user=$(1) \
--platform=linux/$(ARCH) \
--volume $(PWD)/config:/config \
--volume $(PWD)/$(KEY_DIR):/keys \
--volume $(PWD)/$(SRC_DIR):/src \
--volume $(PWD)/$(CACHE_DIR):/home/build \
--volume $(PWD)/scripts:/usr/local/bin \
--cpus $(CPUS) \
--workdir /home/build \
--env HOME=/home/build \
--env PS1="$(NAME)-toolchain" \
--env GNUPGHOME=/cache/.gnupg \
--env ARCH=$(ARCH) \
--env TARGET="$(ARCH)" \
--env GIT_REF="$(GIT_REF)" \
--env GIT_AUTHOR="$(GIT_AUTHOR)" \
--env GIT_KEY="$(GIT_KEY)" \
--env GIT_DATETIME="$(GIT_DATETIME)" \
--env GIT_EPOCH="$(GIT_EPOCH)" \
--env KBUILD_BUILD_USER=$(KBUILD_BUILD_USER) \
--env KBUILD_BUILD_HOST=$(KBUILD_BUILD_HOST) \
--env KBUILD_BUILD_VERSION=$(KBUILD_BUILD_VERSION) \
--env KBUILD_BUILD_TIMESTAMP=$(KBUILD_BUILD_TIMESTAMP) \
--env KCONFIG_NOTIMESTAMP=$(KCONFIG_NOTIMESTAMP) \
--env SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
--env FAKETIME_FMT=$(FAKETIME_FMT) \
--env FAKETIME=$(FAKETIME) \
--env BR2_EXTERNAL="/$(BR2_EXTERNAL)" \
--env HEADS_EXTERNAL="/$(HEADS_EXTERNAL)" \
--env UID="$(shell id -u)" \
--env GID="$(shell id -g)" \
$(IMAGE) \
bash -c $(2)
endef

View File

@ -117,7 +117,7 @@ BR2_LUAROCKS_MIRROR="http://rocks.moonscript.org"
BR2_CPAN_MIRROR="http://cpan.metacpan.org"
BR2_JLEVEL=0
BR2_CCACHE=y
BR2_CCACHE_DIR="$(HOME)/build/buildroot-ccache"
BR2_CCACHE_DIR="$(HOME)/cache/buildroot-ccache"
BR2_CCACHE_INITIAL_SETUP=""
BR2_CCACHE_USE_BASEDIR=y
# BR2_ENABLE_DEBUG is not set

View File

@ -3,7 +3,7 @@
# Buildroot 2022.02.8-dirty Configuration
#
BR2_HAVE_DOT_CONFIG=y
BR2_EXTERNAL_Airgap_PATH="/config/buildroot"
BR2_EXTERNAL_Airgap_PATH="/home/build/config/buildroot"
BR2_HOST_GCC_AT_LEAST_4_9=y
BR2_HOST_GCC_AT_LEAST_5=y
BR2_HOST_GCC_AT_LEAST_6=y
@ -129,7 +129,7 @@ BR2_LUAROCKS_MIRROR="http://rocks.moonscript.org"
BR2_CPAN_MIRROR="http://cpan.metacpan.org"
BR2_JLEVEL=0
BR2_CCACHE=y
BR2_CCACHE_DIR="$(HOME)/build/buildroot-ccache"
BR2_CCACHE_DIR="$(HOME)/cache/buildroot-ccache"
BR2_CCACHE_INITIAL_SETUP=""
BR2_CCACHE_USE_BASEDIR=y
# BR2_ENABLE_DEBUG is not set
@ -4500,7 +4500,7 @@ BR2_TARGET_UBOOT_CUSTOM_PATCH_DIR=""
#
#
# Linux distribution for offline cryptography use cases (in /config/buildroot)
# Linux distribution for offline cryptography use cases (in /home/build/config/buildroot)
#
#

View File

@ -1,14 +0,0 @@
export BUILDROOT_REF=ea51485ee9ab44f72f8b1cc019dcb17f276d1def
export HEADS_REF=6e62c83e164231c629d77a45d37569b3bff43d3f
export DEBIAN_HASH=48b28b354484a7f0e683e340fa0e6e4c4bce3dc3aa0146fc2f78f443fde2c55d
export FAKETIME_FMT="%s"
export FAKETIME="1"
export SOURCE_DATE_EPOCH=1
export KBUILD_BUILD_TIMESTAMP="1970-01-01 00:00:00 UTC"
export KCONFIG_NOTIMESTAMP=1
export KBUILD_BUILD_USER=root
export KBUILD_BUILD_HOST=AirgapOS
export KBUILD_BUILD_VERSION=1
export BUILDROOT_REPO=git://git.busybox.net/buildroot
export HEADS_REPO=https://source.puri.sm/coreboot/purism-heads.git

7
config/global.env Normal file
View File

@ -0,0 +1,7 @@
DEBIAN_HASH=48b28b354484a7f0e683e340fa0e6e4c4bce3dc3aa0146fc2f78f443fde2c55d
BUILDROOT_REF=ea51485ee9ab44f72f8b1cc019dcb17f276d1def
HEADS_REF=6e62c83e164231c629d77a45d37569b3bff43d3f
BUILDROOT_REPO=git://git.busybox.net/buildroot
HEADS_REPO=https://source.puri.sm/coreboot/purism-heads.git
BR2_EXTERNAL=/home/build/config/buildroot
HEADS_EXTERNAL=/home/build/config/heads

View File

@ -1,11 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
devices=${DEVICES?}
build_dir="${BUILD_DIR?}"
heads_dir="${build_dir}/heads"
for device in ${devices}; do
(cd "${heads_dir}"; make BOARD="$device")
done

View File

@ -1,8 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
unset FAKETIME
buildroot_dir="${HOME}/buildroot"
(cd "${buildroot_dir}"; make )

View File

@ -1,11 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
build_dir="${BUILD_DIR?}"
release_dir="${RELEASE_DIR?}"
[ -d "${build_dir}/buildroot" ] && (cd ${build_dir}/buildroot && make clean)
[ -d "${build_dir}/heads" ] && (cd ${build_dir}/heads && make real.clean)
[ -d "${build_dir}/buildroot-ccache" ] && rm -rf ${build_dir}/buildroot-ccache
[ -d "${release_dir}" ] && rm -rf ${release_dir}/develop

View File

@ -1,12 +0,0 @@
#!/bin/bash
target=${TARGET?}
env_file=/config/config.env
source ${env_file}
export HOME=/home/build
export RELEASE_DIR="${HOME}/release"
mkdir -p ${HOME}
chown -R "${UID}:${GID}" /home/build/

View File

@ -1,38 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
heads_dir="${HOME}/heads"
heads_repo="${HEADS_REPO?}"
heads_ref=${HEADS_REF?}
heads_external=${HEADS_EXTERNAL?}
devices=${DEVICES?}
target=${TARGET?}
unset FAKETIME
[[ -f ~/.gitconfig ]] || \
printf "[color]\nui=auto\n[user]\nemail=build@local\nname=Build User" \
> ~/.gitconfig
[ "$(ls -A "${heads_dir}")" ] \
|| git clone "$heads_repo" "$heads_dir"
(
cd "$heads_dir";
git checkout "$heads_ref";
git reset --hard;
git tag airgap || :
current_ref="$(git rev-parse --verify HEAD)"
[ "$current_ref" == "$heads_ref" ] || {
echo "Error: $heads_ref was not successfully checked out"; exit 1;
}
if [ "$(ls -A "${heads_external}/patches")" ]; then
for patch in "${heads_external}"/patches/*; do
echo "Applying patch: ${patch}";
patch -p1 --no-backup-if-mismatch < "${patch}";
done;
fi
[ -d "${heads_external}/boards" ] && \
rsync -Pav "${heads_external}/boards/" "${heads_dir}/boards/"
[[ "$devices" =~ "librem" ]] \
&& (cd "$heads_dir/blobs/librem_kbl" && ./get_blobs.sh)
)

View File

@ -1,20 +0,0 @@
#!/bin/bash
set -e
uid=${UID?}
gid=${GID?}
user=${USER:-"build"}
export HOME="/home/${user}"
groupadd -g "$gid" "${user}"
useradd \
-g "$gid" \
-u "$uid" \
-md "/home/${user}" \
-s /bin/bash \
"${user}"
mkdir -p "$HOME"
chown -R "$uid:$gid" "$HOME"
cd "$HOME"
setpriv --reuid="$uid" --regid="$gid" --init-groups "$@"

View File

@ -1,9 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
target=${TARGET?}
cd /home/build/build/buildroot
make linux-menuconfig
make linux-update-defconfig

View File

@ -1,9 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e; source environment
target=${TARGET?}
cd /home/build/buildroot
make "airgap_${TARGET}_defconfig"
make menuconfig

View File

@ -1,4 +0,0 @@
#!/bin/bash --init-file
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
source environment
clear

View File

@ -1,9 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
source environment
set -e
qemu-system-i386 \
-M pc \
-nographic \
-cdrom "${HOME}/release/${TARGET}/airgap.iso"

1
src/toolchain Submodule

@ -0,0 +1 @@
Subproject commit 5191085576e4f9d043bbc2b0ca091d4bb81efaff

View File

@ -1,18 +0,0 @@
ARG DEBIAN_HASH
FROM debian@sha256:${DEBIAN_HASH}
ENV DEBIAN_FRONTEND=noninteractive \
LANG=C.UTF-8 \
TZ=UTC \
PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ARG CONFIG_DIR
ADD ${CONFIG_DIR} /config
ARG SCRIPTS_DIR
ADD ${SCRIPTS_DIR} /usr/local/bin
RUN packages-install
RUN echo "/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1" \
> /etc/ld.so.preload

View File

@ -1,26 +0,0 @@
#!/usr/bin/env bash
set -e;
ARCH=$(uname -m)
cp /config/toolchain/* /etc/apt/
apt-get update
apt-get install debian-archive-keyring
until apt-get install --download-only --reinstall --allow-downgrades -y $(cat /etc/apt/packages-${ARCH}.list); do
echo "apt install failed. Likely throttled. Retrying in 10 mins...";
sleep 600;
done;
(
cd /var/cache/apt/archives \
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
| sed 's/.\///g' \
| LC_ALL=C sort
) > /etc/apt/package-hashes-${ARCH}-compare.txt
diff /etc/apt/package-hashes-${ARCH}{,-compare}.txt
apt-get install --allow-downgrades -y $(cat /etc/apt/packages-${ARCH}.list)
rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/* /tmp/* /var/tmp/*;

View File

@ -1,43 +0,0 @@
#!/bin/bash
[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
set -e
snapshot_url="http://snapshot.debian.org/archive/debian"
snapshot_date=$(date +"%Y%m%dT000000Z")
cat <<-EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian bookworm main
deb http://security.debian.org/debian-security bookworm-security main
deb http://deb.debian.org/debian bookworm-updates main
deb [check-valid-until=no] ${snapshot_url}/${snapshot_date} bookworm main
deb [check-valid-until=no] ${snapshot_url}-security/${snapshot_date} bookworm-security main
deb [check-valid-until=no] ${snapshot_url}/${snapshot_date} bookworm-updates main
EOF
cp /etc/apt/sources.list /config/toolchain/
ARCH=$(uname -m)
apt-get update
apt-get install -y --download-only --reinstall $( \
dpkg-query \
-W \
-f='${db:Status-Abbrev}\t${binary:Package} - ${binary:Summary}\n' \
| awk -F'\t' '/^ii/ {print $2}' \
| awk '{print $1}' \
)
apt-get install -y --download-only $(cat /config/toolchain/packages-base.list)
( cd /var/cache/apt/archives \
&& find . -type f \( -iname \*.deb \) -exec sha256sum {} \; \
| sed 's/.\///g' \
| LC_ALL=C sort
) > /config/toolchain/package-hashes-${ARCH}.txt
cp /dev/null /config/toolchain/packages-${ARCH}.list
for deb in /var/cache/apt/archives/*.deb; do
package=$(dpkg-deb -f $deb Package);
version=$(dpkg --info ${deb} | grep "^ Version: " | sed 's/^ Version: //g');
echo "${package}=${version}" >> /config/toolchain/packages-${ARCH}.list;
done
chown -R $LOCAL_USER /config/toolchain