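# Build inputs.
# Every dependency stage is referenced by tag AND sha256 digest. The digest is
# what the builder resolves, so the tag is informational and a re-tagged image
# cannot silently change the inputs. When bumping a dependency, update both.
FROM alsa-lib:sx2024.09.0@sha256:a41b481187f76c1e9ed4e237977f4892c1507a3b8f8f6736ff3fdd5144bd2afb AS alsa-lib
FROM bash:sx2024.09.0@sha256:cb58f55d268fbe7ef629cda86e3a8af893066e4af7f26ef54748b6ad47bdaa66 AS bash
FROM bc:sx2024.09.0@sha256:039cc5ac357a17d6374445fe4eed1dac15cc72f615bd9657c17e2c3904d42b62 AS bc
FROM busybox:sx2024.09.0@sha256:d34bfa56566aa72d605d6cbdc154de8330cf426cfea1bc4ba8013abcac594395 AS busybox
FROM ccid:sx2024.09.0@sha256:3225dc4a6a1af5f828854157a6b16eb09a0b0f7ebe9d9ee34030afe3966afad1 AS ccid
FROM cpio:sx2024.09.0@sha256:abccb58edb5f1f31b3b9c8b61cffa10cd56de3307e337335927b8df4d9112d24 AS cpio
FROM curl:sx2024.09.0@sha256:8e5705a77a76c92d058e016184dabd0c4fa2f6117021cc5ff55df35f654cb158 AS curl
FROM dtc:sx2024.09.0@sha256:57f8aaa94059c43081b32fccb473ebd2c0cf16878dcf0e24e0e56c910467e93a AS dtc
FROM eudev:sx2024.09.0@sha256:7da7aed7ea7eb73bda86e206e765bdc8e6367c2c2ae535ccd68c7c1b0a936611 AS eudev
FROM flashtools:sx2024.09.0@sha256:4e61cc6f0af9aa6116bb93f048c20d00026d75c27dc52b7e8604f0e340c55b80 AS flashtools
FROM gcc:sx2024.09.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc
FROM glib:sx2024.09.0@sha256:d280c18f8b52ce21a26924b0cb1bfb69ea6508b57db73efe22401572e71dbe84 AS glib
FROM gpg:sx2024.09.0@sha256:f63555b39740db63b34c06894a4a9d5e125d04f5d51e799909d06c490e8ecd42 AS gpg
FROM grub:sx2024.09.0@sha256:a14c60f152c759185e5702e910053cb5c0d9eee11f43d8d5d40a84123aece9fd AS grub
FROM ipxe:sx2024.09.0@sha256:5791d9b42c7e9099a0180c4fe6cc4b8e9afc9e6b9ec392099c65c53b71db7908 AS ipxe
FROM jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
FROM keyfork:sx2024.09.0@sha256:2288c1d769a0c3c535835019ad4919cc45b094492b5aa959a0eaf1e883a96214 AS keyfork
FROM libaio:sx2024.09.0@sha256:c8d6dd6f3e6fbda73ac0620b2bc4b4cfe6fa504bf7a17eee3bb56e286c394b8b AS libaio
FROM libassuan:sx2024.09.0@sha256:1f31e888ab3f02634009d1a38acca9f25deb827432eb91392e21fd75128a44aa AS libassuan
FROM libffi:sx2024.09.0@sha256:ab647ebf8464e00cde623f86f716e7f50ce82c30eafde813b7977d917ff7143a AS libffi
FROM libgcrypt:sx2024.09.0@sha256:49c84a586969ff625b3304dcf8905a98db0da36fb8704e3d7a0771d271509b68 AS libgcrypt
FROM libgpg-error:sx2024.09.0@sha256:11c17c1ac41f36c85e538bd34a0095a9f17e116f61c38d560350c02a6929e55a AS libgpg-error
FROM libksba:sx2024.09.0@sha256:2913b382fdb76f02f9d78ee162066e04953ba782b8f722145111617a842f40a3 AS libksba
FROM libqrencode:sx2024.09.0@sha256:8c0f523bdf8d315e7b67cadd584e23d22a316dd1973232d49603e127717e4d1a AS libqrencode
FROM libseccomp:sx2024.09.0@sha256:f48d783989da9d509cc6b4c12ec34e14074ffc1ab7a4f2d1e322c417d967e12f AS libseccomp
FROM libslirp:sx2024.09.0@sha256:9dfb87e4a0adba80b862ce6b96112d96f509ffbca25bb71c60ba5bb5693b481d AS libslirp
FROM libtpms:sx2024.09.0@sha256:d909a55137d0bf4a76331c2bf0358ee192d6c93ad77a5099af09ce1bcca2a6cd AS libtpms
FROM libusb:sx2024.09.0@sha256:6c0dcf2b9519b1a41066ad71d3b597e9dae84fb73e5d031a3bdd2eb40f78ef94 AS libusb
FROM libzstd:sx2024.09.0@sha256:a055f8cd6e11b0b8836b2e5e1d755f672edbd344a4f4b5aba94919a6511be4c3 AS libzstd
FROM linux-airgap:sx2024.09.0@sha256:efb98b59ab37a7e33db423eda7a49bb7273b087838fda8098ce6736a0860fc73 AS linux-airgap
FROM lzo:sx2024.09.0@sha256:09c60840e3e3e5835ec027c21283febc9f8cf53ab887576fbe9c38dbdbdfd571 AS lzo
FROM mtools:sx2024.09.0@sha256:c83f7aebce9076903dbf1082aac981d3c0950d9e8952a900e5e072e2a811cda7 AS mtools
FROM musl:sx2024.09.0@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl
FROM npth:sx2024.09.0@sha256:21d50ec1421fe75af4bea240d76022ddb8c114fd2805bfeb06fb938e5a58fc0d AS npth
FROM numactl:sx2024.09.0@sha256:39e667b966a443f42e1c7a8c944203945bd1808ce759df1706bb3b93b0b674c2 AS numactl
FROM openpgp-card-tools:sx2024.09.0@sha256:56d4696d111b309e536f1b70980db7098cd7823005432e4130432cb2f625cf9f AS openpgp-card-tools
FROM opensc:sx2024.09.0@sha256:5117a9d39d3b77655b29bf661d9e04eea2001a5b033b2fd6b4297048330ff6e7 AS opensc
FROM openssl:sx2024.09.0@sha256:2c1a9d8fcc6f52cb11a206f380b17d74c1079f04cbb08071a4176648b4df52c1 AS openssl
FROM pcsc-lite:sx2024.09.0@sha256:4fe37671197ac768637e95f7395ae1a18412b3f42359d0c0aa9f4e7f684aef4e AS pcsc-lite
FROM pcsc-tools:sx2024.09.0@sha256:05046ca5d41a09163eda26785563fd98f0cb1179030c3f4ee3243997a907bb96 AS pcsc-tools
FROM qemu:sx2024.09.0@sha256:c9b099bc7d810a581e0e0f68061dd525d7efdb5334d119b4253249a459bd907e AS qemu
FROM seabios:sx2024.09.0@sha256:f4e535fb1bfc2c7ae1756cdaa2404b1572f6ad195ceabba90d87ed0599fd97d7 AS seabios
FROM sops:sx2024.09.0@sha256:c742fb1f0c5a4f9d9bc9afc37ba686b247d2b17d55d179409d33736b43c9aaa5 AS sops
FROM swtpm:sx2024.09.0@sha256:c47fb2c4d8690936b4adef832a3f354231bb5a04206bf2fb565218034ce27792 AS swtpm
FROM syslinux:sx2024.09.0@sha256:a41388558d7f6d9a29847ee2ff5507ab3100bfe9032ef3b99a3d783ad60ed390 AS syslinux
FROM tpm2-tools:sx2024.09.0@sha256:c2fc693ec68a9d097151e5b3dd5b923f0dcc35fd4e0624b91ade3bf21367162c AS tpm2-tools
FROM tpm2-tss:sx2024.09.0@sha256:a8bf8c0973e1b5ba62ce5034a6230684ebe5a142da275d09e81fa2f2f9c87411 AS tpm2-tss
FROM util-linux:sx2024.09.0@sha256:7e3f3c1e748f5c216503e69b9f8f2e9f8084ec675fb29b23f3a6f0ed3b20c54a AS util-linux
FROM xorriso:sx2024.09.0@sha256:2205a8f53d4fc569880c311061daa085f40c62b2fd94d556e72bd31b4df9e63a AS xorriso
FROM xz:sx2024.09.0@sha256:b57c5e6144117bc0124855e9538e60c302cc7bf53fafb53e2eef3434015366f1 AS xz
FROM yq:sx2024.09.0@sha256:bd6882f0f3ea664e9de6cf732cef2fa2781fc2852f5e6502a6aea1e63eb9708b AS yq
FROM zlib:sx2024.09.0@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib

# Stage `base`: minimal toolchain used to assemble the images
# (shell utilities, cpio, mtools, grub, xorriso, util-linux).
FROM scratch AS base

# Build metadata recorded in the image's /etc/environment.
# Defaults must be written NAME=value: space-separated words after ARG are each
# declared as a separate argument and no default is applied.
# The values are substituted verbatim into /etc/environment by the COPY heredoc
# in the `build` stage (its delimiter is unquoted). That file consists of
# `export` lines and is presumably sourced by a shell, so build-arg values
# should stay simple tokens without quotes or shell metacharacters.
# NOTE(review): these ARGs are consumed in `build`, which derives from `base`;
# confirm the builder in use carries stage-local ARGs into child stages.
ARG VERSION=development
ARG GIT_TIMESTAMP=null
ARG GIT_AUTHOR=null
ARG GIT_REF=null
ARG GIT_PUBKEY=null

COPY --from=busybox . /
COPY --from=musl . /
COPY --from=xorriso . /
COPY --from=cpio . /
COPY --from=mtools . /
COPY --from=xz . /
COPY --from=grub . /
COPY --from=util-linux . /

# Stage `dev`: `base` plus compiler, emulator (qemu/seabios/ipxe), software TPM
# and TPM tooling. Neither the `install` nor the `package` stage derives from
# or copies out of this stage.
FROM base AS dev
COPY --from=gcc . /
COPY --from=glib . /
COPY --from=alsa-lib . /
COPY --from=lzo . /
COPY --from=dtc . /
COPY --from=zlib . /
COPY --from=numactl . /
COPY --from=libaio . /
COPY --from=libseccomp . /
COPY --from=libffi . /
COPY --from=libzstd . /
COPY --from=libslirp . /
COPY --from=seabios . /
COPY --from=ipxe . /
COPY --from=qemu . /
COPY --from=swtpm . /
COPY --from=openssl . /
COPY --from=curl . /
COPY --from=libtpms . /
COPY --from=tpm2-tss . /
COPY --from=tpm2-tools . /

# Stage `build`: lays out the ISO tree (kernel, initramfs, boot loaders).
FROM base AS build

## Kernel
COPY --from=linux-airgap /bzImage iso/boot/vmlinuz

## Initramfs
# Everything copied into initramfs/ ends up in the booted system; this list is
# the runtime software inventory of the image.
COPY --from=busybox . initramfs
COPY --from=eudev . initramfs
COPY --from=musl . initramfs
COPY --from=zlib . initramfs
COPY --from=npth . initramfs
COPY --from=libksba . initramfs
COPY --from=libgpg-error . initramfs
COPY --from=libassuan . initramfs
COPY --from=libgcrypt . initramfs
COPY --from=keyfork . initramfs
COPY --from=bash . initramfs
COPY --from=gpg . initramfs
COPY --from=jq . initramfs
COPY --from=yq . initramfs
COPY --from=bc . initramfs
COPY --from=flashtools . initramfs
COPY --from=curl . initramfs
COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs
COPY --from=libusb . initramfs
COPY --from=ccid . initramfs
COPY --from=pcsc-lite . initramfs
COPY --from=pcsc-tools . initramfs
COPY --from=openpgp-card-tools . initramfs
COPY --from=libqrencode . initramfs
COPY --from=opensc . initramfs
COPY --from=util-linux . initramfs
COPY --from=sops . initramfs
COPY rootfs/ initramfs
COPY <<-EOF initramfs/etc/environment
export VERSION="$VERSION"
export GIT_TIMESTAMP="$GIT_TIMESTAMP"
export GIT_AUTHOR="$GIT_AUTHOR"
export GIT_REF="$GIT_REF"
export GIT_PUBKEY="$GIT_PUBKEY"
EOF

# Pack the initramfs: timestamps are reset to the epoch and the file list is
# sorted before it is handed to cpio, so the archive does not depend on build
# time or directory iteration order.
RUN <<-EOF
set -eux
cd initramfs
find . -exec touch -hcd "@0" "{}" +
find . -print0 \
| sort -z \
| cpio \
    --null \
    --create \
    --verbose \
    --reproducible \
    --format=newc \
| gzip --best \
> ../iso/boot/initramfs
EOF

## Grub (EFI Boot)
COPY config/grub.cfg iso/boot/grub/grub.cfg
COPY config/grub_early.cfg grub_early.cfg
# Build a standalone EFI image with an explicit module list, then place it in a
# FAT image (efi.img) with normalised timestamps.
RUN <<-EOF
set -eux
mkdir -p efi/boot
grub-mkimage \
    --config="grub_early.cfg" \
    --prefix="/boot/grub" \
    --output="efi/boot/bootx64.efi" \
    --format="x86_64-efi" \
    --compression="xz" \
    all_video \
    disk \
    part_gpt \
    part_msdos \
    linux \
    normal \
    configfile \
    search \
    search_label \
    efi_gop \
    fat \
    iso9660 \
    gzio \
    serial \
    terminal
find efi -exec touch -hcd "@0" "{}" +
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
mcopy -i iso/boot/grub/efi.img -ms efi ::
touch -md "@0" iso/boot/grub/efi.img
EOF

## Syslinux (BIOS Boot)
COPY config/syslinux.cfg iso/boot/syslinux/
COPY --from=syslinux \
    /usr/share/syslinux/isohdpfx.bin \
    /usr/share/syslinux/isolinux.bin \
    /usr/share/syslinux/ldlinux.c32 \
    /usr/share/syslinux/libutil.c32 \
    /usr/share/syslinux/libcom32.c32 \
    /usr/share/syslinux/mboot.c32 \
    iso/boot/syslinux/

## Build Hybrid EFI/BIOS ISO
FROM build AS install
# SOURCE_DATE_EPOCH is exported for tools that read it; file mtimes are
# normalised separately with touch inside the script.
ENV SOURCE_DATE_EPOCH=1
RUN <<-EOF
set -eux
find iso -exec touch -hcd "@0" "{}" +
xorrisofs \
    -output airgap.iso \
    -full-iso9660-filenames \
    -joliet \
    -rational-rock \
    -sysid LINUX \
    -volid "airgap" \
    -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
    -eltorito-boot boot/syslinux/isolinux.bin \
    -eltorito-catalog boot/syslinux/boot.cat \
    -no-emul-boot \
    -boot-load-size 4 \
    -boot-info-table \
    -eltorito-alt-boot \
    -e boot/grub/efi.img \
    -no-emul-boot \
    -isohybrid-gpt-basdat \
    -follow-links \
    iso/

# Increase ISO size by 512 MB to create space for the third partition
dd if=/dev/zero bs=1M count=512 >> airgap.iso

# Append a new partition that uses the additional space
echo ", +" | sfdisk --append airgap.iso

# Set the newly added third partition to FAT32
sfdisk --part-type airgap.iso 3 b

# Calculate the byte offset of the third partition
# This is done by finding the end of the first partition using fdisk,
# adding 1 sector, and multiplying by 512 (since each sector is 512 bytes).
OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}')

# Format the third partition as FAT32 and label it 'USER'
mformat -v USER -i airgap.iso@@$OFFSET ::
EOF

## Minimal Autorun SD card image
COPY sdcard sdcard
RUN <<-EOF
set -eux
dd if=/dev/zero of=sdcard.img bs=1M count=32
mformat -v external -i sdcard.img ::
mcopy -i sdcard.img -s sdcard/* ::
EOF

# Stage `package`: final artifact set, containing only the two images.
FROM scratch AS package
COPY --from=install /sdcard.img /
COPY --from=install /airgap.iso /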