tpm2vm #8

Manually merged
public merged 6 commits from tpm2vm into main 2024-10-02 20:20:19 +00:00
2 changed files with 49 additions and 42 deletions
Showing only changes of commit 1f2abbaee9 - Show all commits

View File

@ -1,4 +1,3 @@
## Build
FROM stagex/busybox:sx2024.08.1@sha256:8cb9360041cd17e8df33c5cbc6c223875045c0c249254367ed7e0eb445720757 AS busybox FROM stagex/busybox:sx2024.08.1@sha256:8cb9360041cd17e8df33c5cbc6c223875045c0c249254367ed7e0eb445720757 AS busybox
FROM stagex/musl:sx2024.08.1@sha256:f888fcf45fabaaae3d0268bcec902ceb94edba7bf8d09ef6966ebb20e00b7127 AS musl FROM stagex/musl:sx2024.08.1@sha256:f888fcf45fabaaae3d0268bcec902ceb94edba7bf8d09ef6966ebb20e00b7127 AS musl
FROM stagex/xorriso:sx2024.08.1@sha256:9ab45852aee077b68ea101173025be6e1cdbde93692efa4ee198e1960f02ab52 AS xorriso FROM stagex/xorriso:sx2024.08.1@sha256:9ab45852aee077b68ea101173025be6e1cdbde93692efa4ee198e1960f02ab52 AS xorriso
@ -7,25 +6,6 @@ FROM stagex/cpio:sx2024.08.1@sha256:25afad810fbb9b1d02762030c3e43e07259a79627dbe
FROM stagex/xz:sx2024.08.1@sha256:f6ca72fc9096ef5f694b6b7f9b7ad323a571d9447eb5cc790042f72e69b9aad8 AS xz FROM stagex/xz:sx2024.08.1@sha256:f6ca72fc9096ef5f694b6b7f9b7ad323a571d9447eb5cc790042f72e69b9aad8 AS xz
FROM stagex/grub:sx2024.08.1@sha256:5f382615881470e0cf9c670bead785507545a2b829b391247313f516c63355e3 AS grub FROM stagex/grub:sx2024.08.1@sha256:5f382615881470e0cf9c670bead785507545a2b829b391247313f516c63355e3 AS grub
FROM stagex/mtools:sx2024.08.1@sha256:b6202dc29906ea8d7594bce604cb676f5335cc51e75e3f12b5f619e8fc27cc28 AS mtools FROM stagex/mtools:sx2024.08.1@sha256:b6202dc29906ea8d7594bce604cb676f5335cc51e75e3f12b5f619e8fc27cc28 AS mtools
## Development
FROM stagex/gcc AS gcc
FROM stagex/glib AS glib
FROM stagex/alsa-lib AS alsa-lib
FROM stagex/lzo AS lzo
FROM stagex/dtc AS dtc
FROM stagex/zlib AS zlib
FROM stagex/numactl AS numactl
FROM stagex/libaio AS libaio
FROM stagex/libseccomp AS libseccomp
FROM stagex/libzstd AS libzstd
FROM stagex/libffi AS libffi
FROM stagex/libslirp AS libslirp
FROM stagex/seabios AS seabios
FROM stagex/ipxe AS ipxe
FROM stagex/qemu AS qemu
## Target
FROM stagex/linux-airgap:sx2024.08.1@sha256:a4fac3ca7795e171a4d1b3b634fdae1790d4f8d076f3c1ac8a38f3ece72e1ec5 AS linux-airgap FROM stagex/linux-airgap:sx2024.08.1@sha256:a4fac3ca7795e171a4d1b3b634fdae1790d4f8d076f3c1ac8a38f3ece72e1ec5 AS linux-airgap
FROM stagex/eudev:sx2024.08.1@sha256:66020d28246af1d1e5f8fe3b5bca3da3cbfbd1f89cc1c616b7f8d13f61419026 AS eudev FROM stagex/eudev:sx2024.08.1@sha256:66020d28246af1d1e5f8fe3b5bca3da3cbfbd1f89cc1c616b7f8d13f61419026 AS eudev
FROM stagex/ccid:sx2024.08.1@sha256:0f50ff4441d8b20ff73babab652fc0a563bce46385100240de4ae587012c9505 AS ccid FROM stagex/ccid:sx2024.08.1@sha256:0f50ff4441d8b20ff73babab652fc0a563bce46385100240de4ae587012c9505 AS ccid
@ -53,6 +33,24 @@ FROM stagex/flashtools:sx2024.08.1@sha256:e2ac807475e66201ad50eee09bf9625ad0e97d
FROM stagex/libqrencode:sx2024.08.1@sha256:1927d17aaf1ad6a9910380714f0dd12c72c69f9ee1b19668bf4cc5f89cbc2b2d AS libqrencode FROM stagex/libqrencode:sx2024.08.1@sha256:1927d17aaf1ad6a9910380714f0dd12c72c69f9ee1b19668bf4cc5f89cbc2b2d AS libqrencode
FROM stagex/util-linux:sx2024.08.1@sha256:41525597d1f5648dc2318da7779e3c5194b4e6d24cb07f2f616ac539bb094d04 AS util-linux FROM stagex/util-linux:sx2024.08.1@sha256:41525597d1f5648dc2318da7779e3c5194b4e6d24cb07f2f616ac539bb094d04 AS util-linux
FROM stagex/opensc:sx2024.08.1@sha256:8da704d0078d445d3af0338764b9f3a87ba4841744c396c8eddef15466366553 AS opensc FROM stagex/opensc:sx2024.08.1@sha256:8da704d0078d445d3af0338764b9f3a87ba4841744c396c8eddef15466366553 AS opensc
FROM stagex/gcc AS gcc
FROM stagex/glib AS glib
FROM stagex/alsa-lib AS alsa-lib
FROM stagex/lzo AS lzo
FROM stagex/dtc AS dtc
FROM stagex/zlib AS zlib
FROM stagex/numactl AS numactl
FROM stagex/libaio AS libaio
FROM stagex/libseccomp AS libseccomp
FROM stagex/libzstd AS libzstd
FROM stagex/libffi AS libffi
FROM stagex/libslirp AS libslirp
FROM stagex/seabios AS seabios
FROM stagex/ipxe AS ipxe
FROM stagex/qemu AS qemu
FROM stagex/libtpms AS libtpms
FROM stagex/swtpm AS swtpm
FROM stagex/curl AS curl
FROM scratch AS base FROM scratch AS base
ARG VERSION development ARG VERSION development
@ -67,6 +65,7 @@ COPY --from=cpio . /
COPY --from=mtools . / COPY --from=mtools . /
COPY --from=xz . / COPY --from=xz . /
COPY --from=grub . / COPY --from=grub . /
COPY --from=util-linux . /
FROM base as dev FROM base as dev
COPY --from=gcc . / COPY --from=gcc . /
@ -84,6 +83,12 @@ COPY --from=libslirp . /
COPY --from=seabios . / COPY --from=seabios . /
COPY --from=ipxe . / COPY --from=ipxe . /
COPY --from=qemu . / COPY --from=qemu . /
COPY --from=swtpm . /
COPY --from=openssl . /
COPY --from=curl . /
COPY --from=libtpms . /
COPY --from=tpm2-tss . /
COPY --from=tpm2-tools . /
FROM base AS build FROM base AS build
@ -107,6 +112,7 @@ COPY --from=jq . initramfs
COPY --from=yq . initramfs COPY --from=yq . initramfs
COPY --from=bc . initramfs COPY --from=bc . initramfs
COPY --from=flashtools . initramfs COPY --from=flashtools . initramfs
COPY --from=curl . initramfs
COPY --from=tpm2-tools . initramfs COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs COPY --from=openssl . initramfs
@ -190,8 +196,6 @@ COPY --from=syslinux \
## Build Hybrid EFI/BIOS ISO ## Build Hybrid EFI/BIOS ISO
FROM build AS install FROM build AS install
ENV SOURCE_DATE_EPOCH=1 ENV SOURCE_DATE_EPOCH=1
# --set_all_file_dates='1'
# --modification-date='1970010100000000' \
RUN <<-EOF RUN <<-EOF
set -eux set -eux
find iso -exec touch -hcd "@0" "{}" + find iso -exec touch -hcd "@0" "{}" +
@ -214,13 +218,8 @@ RUN <<-EOF
-isohybrid-gpt-basdat \ -isohybrid-gpt-basdat \
-follow-links \ -follow-links \
iso/ iso/
EOF
# Need sfdisk from util-linux # Increase ISO size by 512 MB to create space for the third partition
COPY --from=util-linux . .
RUN <<-EOF
set -eux
# Increase the size of the ISO by 512 MB to create space for the third partition
dd if=/dev/zero bs=1M count=512 >> airgap.iso dd if=/dev/zero bs=1M count=512 >> airgap.iso
# Append a new partition that uses the additional space # Append a new partition that uses the additional space
@ -230,8 +229,8 @@ RUN <<-EOF
sfdisk --part-type airgap.iso 3 b sfdisk --part-type airgap.iso 3 b
# Calculate the byte offset of the third partition # Calculate the byte offset of the third partition
# This is done by finding the end of the first partition using fdisk, adding 1 sector, # This is done by finding the end of the first partition using fdisk,
# and multiplying by 512 (since each sector is 512 bytes). # adding 1 sector, and multiplying by 512 (since each sector is 512 bytes).
OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}') OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}')
# Format the third partition as FAT32 and label it 'USER' # Format the third partition as FAT32 and label it 'USER'

View File

@ -49,18 +49,26 @@ shell: out/dev-shell.digest
.PHONY: vm .PHONY: vm
vm: out/dev-shell.digest out/airgap.iso out/sdcard.img vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
docker run -it -v ./out:/out $(shell cat $<) \ docker run -it -v ./out:/out $(shell cat $<) sh -c "\
qemu-system-x86_64 \ swtpm socket \
-m 4G \ --tpmstate dir=. \
-machine pc \ --ctrl type=unixio,path=vtpm-sock \
-usb \ --tpm2 & \
-device sdhci-pci \ qemu-system-x86_64 \
-device sd-card,drive=external \ -m 4G \
-drive id=external,if=none,format=raw,file=out/sdcard.img \ -machine pc \
-device usb-storage,drive=usbdrive \ -chardev socket,id=chrtpm,path=vtpm-sock \
-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \ -tpmdev emulator,id=tpm0,chardev=chrtpm \
-boot order=c \ -device tpm-tis,tpmdev=tpm0 \
-nographic -usb \
-device sdhci-pci \
-device sd-card,drive=external \
-drive id=external,if=none,format=raw,file=out/sdcard.img \
-device usb-storage,drive=usbdrive \
-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
-boot order=c \
-nographic; \
"
## Signing, Verification, and Release Targets ## Signing, Verification, and Release Targets