cache/determinism fixes and doc updates

This commit is contained in:
Lance Vick 2024-08-03 15:52:30 -07:00
parent 74bf27bc66
commit 721ffad1f0
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
2 changed files with 17 additions and 3 deletions

View File

@ -9,6 +9,7 @@ export
## Use env vars from latest release when reproducing ## Use env vars from latest release when reproducing
ifdef REPRODUCE ifdef REPRODUCE
include dist/release.env include dist/release.env
NO_CACHE := --no-cache
export export
endif endif
@ -24,12 +25,13 @@ default: \
out/airgap.iso: Containerfile $(shell git ls-files rootfs) out/airgap.iso: Containerfile $(shell git ls-files rootfs)
docker build \ docker build \
--progress=plain \ --progress=plain \
--output type=local,dest=out \ --output type=local,rewrite-timestamp=true,dest=out \
--build-arg VERSION="$(VERSION)" \ --build-arg VERSION="$(VERSION)" \
--build-arg GIT_REF="$(GIT_REF)" \ --build-arg GIT_REF="$(GIT_REF)" \
--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \ --build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
--build-arg GIT_KEY="$(GIT_KEY)" \ --build-arg GIT_KEY="$(GIT_KEY)" \
--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \ --build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
$(NO_CACHE) \
-f Containerfile \ -f Containerfile \
. .

View File

@ -66,6 +66,18 @@ make attest
make sign make sign
``` ```
## Provisioning ##
1. Write airgap.iso to CD-ROM or SD Card
a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
b. `cdrecord out/airgap.iso`
2. Verify media still produces expected hash
```
sha256sum out/airgap.iso
head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
```
## Setup ## ## Setup ##
Assumes target is running Pureboot or Coreboot/heads Assumes target is running Pureboot or Coreboot/heads