airgap/Containerfile

FROM stagex/alsa-lib:sx2024.09.0@sha256:a41b481187f76c1e9ed4e237977f4892c1507a3b8f8f6736ff3fdd5144bd2afb AS alsa-lib
FROM stagex/bash:sx2024.09.0@sha256:cb58f55d268fbe7ef629cda86e3a8af893066e4af7f26ef54748b6ad47bdaa66 AS bash
FROM stagex/bc:sx2024.09.0@sha256:039cc5ac357a17d6374445fe4eed1dac15cc72f615bd9657c17e2c3904d42b62 AS bc
FROM stagex/busybox:sx2024.09.0@sha256:d34bfa56566aa72d605d6cbdc154de8330cf426cfea1bc4ba8013abcac594395 AS busybox
FROM stagex/ccid:sx2024.09.0@sha256:3225dc4a6a1af5f828854157a6b16eb09a0b0f7ebe9d9ee34030afe3966afad1 AS ccid
FROM stagex/cpio:sx2024.09.0@sha256:abccb58edb5f1f31b3b9c8b61cffa10cd56de3307e337335927b8df4d9112d24 AS cpio
FROM stagex/curl:sx2024.09.0@sha256:8e5705a77a76c92d058e016184dabd0c4fa2f6117021cc5ff55df35f654cb158 AS curl
FROM stagex/dtc:sx2024.09.0@sha256:57f8aaa94059c43081b32fccb473ebd2c0cf16878dcf0e24e0e56c910467e93a AS dtc
FROM stagex/eudev:sx2024.09.0@sha256:7da7aed7ea7eb73bda86e206e765bdc8e6367c2c2ae535ccd68c7c1b0a936611 AS eudev
FROM stagex/flashtools:sx2024.09.0@sha256:4e61cc6f0af9aa6116bb93f048c20d00026d75c27dc52b7e8604f0e340c55b80 AS flashtools
FROM stagex/gcc:sx2024.09.0@sha256:439bf36289ef036a934129d69dd6b4c196427e4f8e28bc1a3de5b9aab6e062f0 AS gcc
FROM stagex/glib:sx2024.09.0@sha256:d280c18f8b52ce21a26924b0cb1bfb69ea6508b57db73efe22401572e71dbe84 AS glib
FROM stagex/gpg:sx2024.09.0@sha256:f63555b39740db63b34c06894a4a9d5e125d04f5d51e799909d06c490e8ecd42 AS gpg
FROM stagex/grub:sx2024.09.0@sha256:a14c60f152c759185e5702e910053cb5c0d9eee11f43d8d5d40a84123aece9fd AS grub
FROM stagex/ipxe:sx2024.09.0@sha256:5791d9b42c7e9099a0180c4fe6cc4b8e9afc9e6b9ec392099c65c53b71db7908 AS ipxe
FROM stagex/jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
FROM stagex/jq:sx2024.09.0@sha256:3e8b44aa54481bdd46406e9d3a63862f4216f81530a1898b3c144e1c38847a82 AS jq
FROM stagex/keyfork:sx2024.09.0@sha256:2288c1d769a0c3c535835019ad4919cc45b094492b5aa959a0eaf1e883a96214 AS keyfork
FROM stagex/libaio:sx2024.09.0@sha256:c8d6dd6f3e6fbda73ac0620b2bc4b4cfe6fa504bf7a17eee3bb56e286c394b8b AS libaio
FROM stagex/libassuan:sx2024.09.0@sha256:1f31e888ab3f02634009d1a38acca9f25deb827432eb91392e21fd75128a44aa AS libassuan
FROM stagex/libffi:sx2024.09.0@sha256:ab647ebf8464e00cde623f86f716e7f50ce82c30eafde813b7977d917ff7143a AS libffi
FROM stagex/libgcrypt:sx2024.09.0@sha256:49c84a586969ff625b3304dcf8905a98db0da36fb8704e3d7a0771d271509b68 AS libgcrypt
FROM stagex/libgpg-error:sx2024.09.0@sha256:11c17c1ac41f36c85e538bd34a0095a9f17e116f61c38d560350c02a6929e55a AS libgpg-error
FROM stagex/libksba:sx2024.09.0@sha256:2913b382fdb76f02f9d78ee162066e04953ba782b8f722145111617a842f40a3 AS libksba
FROM stagex/libqrencode:sx2024.09.0@sha256:8c0f523bdf8d315e7b67cadd584e23d22a316dd1973232d49603e127717e4d1a AS libqrencode
FROM stagex/libseccomp:sx2024.09.0@sha256:f48d783989da9d509cc6b4c12ec34e14074ffc1ab7a4f2d1e322c417d967e12f AS libseccomp
FROM stagex/libslirp:sx2024.09.0@sha256:9dfb87e4a0adba80b862ce6b96112d96f509ffbca25bb71c60ba5bb5693b481d AS libslirp
FROM stagex/libtpms:sx2024.09.0@sha256:d909a55137d0bf4a76331c2bf0358ee192d6c93ad77a5099af09ce1bcca2a6cd AS libtpms
FROM stagex/libusb:sx2024.09.0@sha256:6c0dcf2b9519b1a41066ad71d3b597e9dae84fb73e5d031a3bdd2eb40f78ef94 AS libusb
FROM stagex/libzstd:sx2024.09.0@sha256:a055f8cd6e11b0b8836b2e5e1d755f672edbd344a4f4b5aba94919a6511be4c3 AS libzstd
FROM stagex/linux-airgap:sx2024.09.0@sha256:efb98b59ab37a7e33db423eda7a49bb7273b087838fda8098ce6736a0860fc73 AS linux-airgap
FROM stagex/lzo:sx2024.09.0@sha256:09c60840e3e3e5835ec027c21283febc9f8cf53ab887576fbe9c38dbdbdfd571 AS lzo
FROM stagex/mtools:sx2024.09.0@sha256:c83f7aebce9076903dbf1082aac981d3c0950d9e8952a900e5e072e2a811cda7 AS mtools
FROM stagex/musl:sx2024.09.0@sha256:ad351b875f26294562d21740a3ee51c23609f15e6f9f0310e0994179c4231e1d AS musl
FROM stagex/npth:sx2024.09.0@sha256:21d50ec1421fe75af4bea240d76022ddb8c114fd2805bfeb06fb938e5a58fc0d AS npth
FROM stagex/numactl:sx2024.09.0@sha256:39e667b966a443f42e1c7a8c944203945bd1808ce759df1706bb3b93b0b674c2 AS numactl
FROM stagex/openpgp-card-tools:sx2024.09.0@sha256:56d4696d111b309e536f1b70980db7098cd7823005432e4130432cb2f625cf9f AS openpgp-card-tools
FROM stagex/opensc:sx2024.09.0@sha256:5117a9d39d3b77655b29bf661d9e04eea2001a5b033b2fd6b4297048330ff6e7 AS opensc
FROM stagex/openssl:sx2024.09.0@sha256:2c1a9d8fcc6f52cb11a206f380b17d74c1079f04cbb08071a4176648b4df52c1 AS openssl
FROM stagex/pcsc-lite:sx2024.09.0@sha256:4fe37671197ac768637e95f7395ae1a18412b3f42359d0c0aa9f4e7f684aef4e AS pcsc-lite
FROM stagex/pcsc-tools:sx2024.09.0@sha256:05046ca5d41a09163eda26785563fd98f0cb1179030c3f4ee3243997a907bb96 AS pcsc-tools
# FROM stagex/qemu:sx2024.09.0@sha256:c9b099bc7d810a581e0e0f68061dd525d7efdb5334d119b4253249a459bd907e AS qemu
FROM stagex/seabios:sx2024.09.0@sha256:f4e535fb1bfc2c7ae1756cdaa2404b1572f6ad195ceabba90d87ed0599fd97d7 AS seabios
FROM stagex/sops:sx2024.09.0@sha256:c742fb1f0c5a4f9d9bc9afc37ba686b247d2b17d55d179409d33736b43c9aaa5 AS sops
FROM stagex/swtpm:sx2024.09.0@sha256:c47fb2c4d8690936b4adef832a3f354231bb5a04206bf2fb565218034ce27792 AS swtpm
FROM stagex/syslinux:sx2024.09.0@sha256:a41388558d7f6d9a29847ee2ff5507ab3100bfe9032ef3b99a3d783ad60ed390 AS syslinux
FROM stagex/tpm2-tools:sx2024.09.0@sha256:c2fc693ec68a9d097151e5b3dd5b923f0dcc35fd4e0624b91ade3bf21367162c AS tpm2-tools
FROM stagex/tpm2-tss:sx2024.09.0@sha256:a8bf8c0973e1b5ba62ce5034a6230684ebe5a142da275d09e81fa2f2f9c87411 AS tpm2-tss
FROM stagex/util-linux:sx2024.09.0@sha256:7e3f3c1e748f5c216503e69b9f8f2e9f8084ec675fb29b23f3a6f0ed3b20c54a AS util-linux
FROM stagex/xorriso:sx2024.09.0@sha256:2205a8f53d4fc569880c311061daa085f40c62b2fd94d556e72bd31b4df9e63a AS xorriso
FROM stagex/xz:sx2024.09.0@sha256:b57c5e6144117bc0124855e9538e60c302cc7bf53fafb53e2eef3434015366f1 AS xz
FROM stagex/yq:sx2024.09.0@sha256:bd6882f0f3ea664e9de6cf732cef2fa2781fc2852f5e6502a6aea1e63eb9708b AS yq
FROM stagex/zlib:sx2024.09.0@sha256:96b4100550760026065dac57148d99e20a03d17e5ee20d6b32cbacd61125dbb6 AS zlib

FROM stagex/git as git
FROM stagex/ca-certificates as ca-certificates
FROM stagex/cmake as cmake
FROM stagex/make as make
FROM stagex/glibc as glibc
FROM stagex/gcc as gcc
FROM stagex/binutils as binutils
FROM stagex/gawk as gawk
FROM stagex/autoconf as autoconf
FROM stagex/automake as automake

## qemu
FROM stagex/busybox AS busybox
FROM stagex/bash AS bash
FROM stagex/gzip AS gzip
FROM stagex/gcc AS gcc
FROM stagex/binutils AS binutils 
FROM stagex/python AS python 
FROM stagex/py-packaging AS py-packaging
FROM stagex/py-urllib3 AS py-urllib3
FROM stagex/make AS make
FROM stagex/bison AS bison
FROM stagex/meson AS meson
FROM stagex/samurai AS samurai
FROM stagex/libtool AS libtool
FROM stagex/openssl AS opensll
FROM stagex/git AS git
FROM stagex/zlib AS zlib
FROM stagex/libffi AS libffi
FROM stagex/libzstd AS libzstd
FROM stagex/ncurses AS ncurses
FROM stagex/curl AS curl
FROM stagex/flex AS flex
FROM stagex/perl AS perl
FROM stagex/pcre2 AS pcre2
FROM stagex/autoconf AS autoconf
FROM stagex/automake AS automake
FROM stagex/pkgconf AS pkgconf
FROM stagex/gettext AS gettext
FROM stagex/m4 AS m4
FROM stagex/argp-standalone AS argp-standalone
FROM stagex/musl AS musl
FROM stagex/musl-fts AS musl-fts
FROM stagex/musl-obstack AS musl-obstack
FROM stagex/linux-headers AS linux-headers
FROM stagex/py-docutils AS py-docutils
FROM stagex/py-pygments AS py-pygments
FROM stagex/py-babel AS py-babel
FROM stagex/py-sphinx AS py-sphinx
FROM stagex/py-sphinx_rtd_theme AS py-sphinx_rtd_theme
FROM stagex/py-sphinxcontrib-applehelp AS py-sphinxcontrib-applehelp
FROM stagex/py-sphinxcontrib-devhelp AS py-sphinxcontrib-devhelp
FROM stagex/py-sphinxcontrib-htmlhelp AS py-sphinxcontrib-htmlhelp
FROM stagex/py-sphinxcontrib-qthelp AS py-sphinxcontrib-qthelp
FROM stagex/py-sphinxcontrib-serializinghtml AS py-sphinxcontrib-serializinghtml
FROM stagex/py-sphinxcontrib-jquery AS py-sphinxcontrib-jquery
FROM stagex/py-jinja2 AS py-jinja2
FROM stagex/py-markupsafe AS py-markupsafe
FROM stagex/py-snowballstemmer AS py-snowballstemmer
FROM stagex/py-imagesize AS py-imagesize
FROM stagex/py-requests AS py-requests
FROM stagex/py-idna AS py-idna
FROM stagex/py-certifi AS py-certifi
FROM stagex/py-alabaster AS py-alabaster
FROM stagex/libaio AS libaio
FROM stagex/libseccomp AS libseccomp
FROM stagex/libcap-ng AS libcap-ng
FROM stagex/libslirp AS libslirp
FROM stagex/alsa-lib AS alsa-lib
FROM stagex/openssh AS openssh
FROM stagex/glib AS glib
FROM stagex/lzo AS lzo
FROM stagex/dtc AS dtc
FROM stagex/numactl AS numactl

FROM scratch AS base
ARG VERSION development
ARG GIT_TIMESTAMP null
ARG GIT_AUTHOR null
ARG GIT_REF null
ARG GIT_PUBKEY null
COPY --from=busybox . /
COPY --from=musl . /
COPY --from=xorriso . /
COPY --from=cpio . /
COPY --from=mtools . /
COPY --from=xz . /
COPY --from=grub . /

FROM base as dev
COPY --from=gcc . /
COPY --from=glib . /
COPY --from=alsa-lib . /
COPY --from=lzo . /
COPY --from=dtc . /
COPY --from=zlib . /
COPY --from=numactl . /
COPY --from=libaio . /
COPY --from=libseccomp . /
COPY --from=libffi . /
COPY --from=libzstd . /
COPY --from=libslirp . /
COPY --from=seabios . /
COPY --from=ipxe . /
# COPY --from=qemu . /
COPY --from=swtpm . /
COPY --from=openssl . /
COPY --from=curl . /
COPY --from=libtpms . /
COPY --from=tpm2-tss . /
COPY --from=tpm2-tools . /

## Deps for qemu-canokey
COPY --from=git . /
COPY --from=zlib . /
COPY --from=curl . /
COPY --from=ca-certificates . /
COPY --from=openssl . /
COPY --from=cmake . /
COPY --from=glibc . /
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=busybox . /
COPY --from=make . / 
COPY --from=gawk . /
COPY --from=autoconf . /
COPY --from=automake . /
COPY --from=busybox . /
COPY --from=bash . /

## Build canokey-qemu
RUN git clone https://github.com/canokeys/canokey-qemu
RUN mkdir canokey-qemu/build
WORKDIR canokey-qemu/build
RUN git submodule update --init --recursive
RUN cmake .. && make && make install

## Deps for qemu
COPY --from=busybox . /
COPY --from=bash . /
COPY --from=gzip . /
COPY --from=gcc . /
COPY --from=binutils . /
COPY --from=python . /
COPY --from=py-packaging . /
COPY --from=py-urllib3 . /
COPY --from=make . /
COPY --from=bison . /
COPY --from=meson . /
COPY --from=samurai . /
COPY --from=libtool . /
COPY --from=openssl . /
COPY --from=git . /
COPY --from=zlib . /
COPY --from=libffi . /
COPY --from=libzstd . /
COPY --from=ncurses . /
COPY --from=curl . /
COPY --from=flex . /
COPY --from=perl . /
COPY --from=pcre2 . /
COPY --from=autoconf . /
COPY --from=automake . /
COPY --from=pkgconf . /
COPY --from=gettext . /
COPY --from=m4 . /
COPY --from=argp-standalone . /
COPY --from=musl . /
COPY --from=musl-fts . /
COPY --from=musl-obstack . /
COPY --from=linux-headers . /
COPY --from=py-docutils . /
COPY --from=py-pygments . /
COPY --from=py-babel . /
COPY --from=py-sphinx . /
COPY --from=py-sphinx_rtd_theme . /
COPY --from=py-sphinxcontrib-applehelp . /
COPY --from=py-sphinxcontrib-devhelp . /
COPY --from=py-sphinxcontrib-htmlhelp . /
COPY --from=py-sphinxcontrib-qthelp . /
COPY --from=py-sphinxcontrib-serializinghtml . /
COPY --from=py-sphinxcontrib-jquery . /
COPY --from=py-jinja2 . /
COPY --from=py-markupsafe . /
COPY --from=py-snowballstemmer . /
COPY --from=py-imagesize . /
COPY --from=py-requests . /
COPY --from=py-idna . /
COPY --from=py-certifi . /
COPY --from=py-alabaster . /
COPY --from=libaio . /
COPY --from=libseccomp . /
COPY --from=libcap-ng . /
COPY --from=libslirp . /
COPY --from=alsa-lib . /
COPY --from=openssh . /
COPY --from=glib . /
COPY --from=lzo . /
COPY --from=dtc . /
COPY --from=numactl . /
ADD https://download.qemu.org/qemu-9.1.0.tar.xz .
RUN tar -xvf qemu-9.1.0.tar.xz
WORKDIR qemu-9.1.0
RUN ls -la .
ENV SOURCE_DATE_EPOCH=1
ENV LDFLAGS=" \
		-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro \
		-Wl,-z,now -Wl,-z,pack-relative-relocs"
ENV CFLAGS=" \
		-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
		-Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \
		-fstack-clash-protection -fcf-protection \
		-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
ENV CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
ENV LTOFLAGS="-flto=auto"
ENV TARGET_LIST="x86_64-softmmu,x86_64-linux-user,i386-softmmu,i386-linux-user"
COPY <<-EOF pc-bios/optionrom/config.mak
		TOPSRC_DIR=/qemu-9.1.0
		CC=gcc
		CCAS=gcc
		AR=ar
		AS=as
		LD=ld
		NM=nm
		OBJCOPY=objcopy
		RANLIB=ranlib
		STRIP=strip
EOF
RUN export PKG_CONFIG_PATH=/pkgconf:$PKG_CONFIG_PATH 
RUN <<-EOF
    set -eux
	# rm -rf pc-bios/*.bz2
	rm -rf \
		pc-bios/*.bin \
		pc-bios/*.rom \
		pc-bios/*.img \
		pc-bios/*.e500 \
		pc-bios/*.dtb \
		pc-bios/*.lid \
		pc-bios/*.ndrv \
		pc-bios/palcode-clipper \
		pc-bios/openbios-*
	make -j "$(nproc)" -C pc-bios/optionrom all
	./configure \
		--target-list="$TARGET_LIST" \
		--prefix=/usr \
		--sysconfdir=/etc \
		--localstatedir=/var \
		--libexecdir=/usr/lib/qemu \
		--docdir=/usr/share/doc/qemu \
		--python=/usr/bin/python \
		--cc=gcc \
		--audio-drv-list=oss,alsa \
		--enable-curses \
        --enable-canokey \
		--enable-modules \
		--enable-tpm \
		--enable-vhost-net \
		--enable-attr \
		--enable-linux-user \
		--enable-slirp \
		--enable-tcg \
		--disable-install-blobs \
		--disable-docs \
		--disable-sdl \
		--disable-gtk \
		--disable-bpf \
		--disable-capstone \
		--disable-glusterfs \
		--disable-debug-info \
		--disable-opengl \
		--disable-bsd-user \
		--disable-werror \
		--disable-libnfs \
		--disable-libssh \
		--disable-snappy \
		--disable-spice \
		--disable-usb-redir \
		--disable-vde \
		--disable-virglrenderer \
		--disable-virtfs \
		--disable-vnc \
		--disable-vnc-jpeg \
		--disable-xen
	make ARFLAGS="rc" -j "$(nproc)"
	make install
	rm -rf /rootfs/var/run
	strip /rootfs/usr/bin/qemu-*
	install -vDm 644 pc-bios/optionrom/*.bin -t /rootfs/usr/share/qemu
	install -vDm 644 pc-bios/optionrom/*.img -t /rootfs/usr/share/qemu
EOF

FROM base AS build

## Kernel
COPY --from=linux-airgap /bzImage iso/boot/vmlinuz

## Initramfs
COPY --from=busybox . initramfs
COPY --from=eudev . initramfs
COPY --from=musl . initramfs
COPY --from=zlib . initramfs
COPY --from=npth . initramfs
COPY --from=libksba . initramfs
COPY --from=libgpg-error . initramfs
COPY --from=libassuan . initramfs
COPY --from=libgcrypt . initramfs
COPY --from=keyfork . initramfs
COPY --from=bash . initramfs
COPY --from=gpg . initramfs
COPY --from=jq . initramfs
COPY --from=yq . initramfs
COPY --from=bc . initramfs
COPY --from=flashtools . initramfs
COPY --from=curl . initramfs
COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs
COPY --from=libusb . initramfs
COPY --from=ccid . initramfs
COPY --from=pcsc-lite . initramfs
COPY --from=pcsc-tools . initramfs
COPY --from=openpgp-card-tools . initramfs
COPY --from=libqrencode . initramfs
COPY --from=opensc . initramfs
COPY --from=util-linux . initramfs
COPY --from=sops . initramfs
COPY rootfs/ initramfs
COPY <<-EOF initramfs/etc/environment
    export VERSION="$VERSION"
    export GIT_TIMESTAMP="$GIT_TIMESTAMP"
    export GIT_AUTHOR="$GIT_AUTHOR"
    export GIT_REF="$GIT_REF"
    export GIT_PUBKEY="$GIT_PUBKEY"
EOF
RUN <<-EOF
    set -eux
    cd initramfs
    find . -exec touch -hcd "@0" "{}" +
    find . -print0 \
    | sort -z \
    | cpio \
        --null \
        --create \
        --verbose \
        --reproducible \
        --format=newc \
    | gzip --best \
    > ../iso/boot/initramfs
EOF

## Grub (EFI Boot)
COPY config/grub.cfg iso/boot/grub/grub.cfg
COPY config/grub_early.cfg grub_early.cfg
RUN <<-EOF
    set -eux
    mkdir -p efi/boot
    grub-mkimage \
        --config="grub_early.cfg" \
        --prefix="/boot/grub" \
        --output="efi/boot/bootx64.efi" \
        --format="x86_64-efi" \
        --compression="xz" \
        all_video \
        disk \
        part_gpt \
        part_msdos \
        linux \
        normal \
        configfile \
        search \
        search_label \
        efi_gop \
        fat \
        iso9660 \
        gzio \
        serial \
        terminal
    find efi -exec touch -hcd "@0" "{}" +
    mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
    mcopy -i iso/boot/grub/efi.img -ms efi ::
    touch -md "@0" iso/boot/grub/efi.img
EOF

## Syslinux (BIOS Boot)
COPY config/syslinux.cfg iso/boot/syslinux/
COPY --from=syslinux \
    /usr/share/syslinux/isohdpfx.bin \
    /usr/share/syslinux/isolinux.bin \
    /usr/share/syslinux/ldlinux.c32 \
    /usr/share/syslinux/libutil.c32 \
    /usr/share/syslinux/libcom32.c32 \
    /usr/share/syslinux/mboot.c32 \
    iso/boot/syslinux/

## Build Hybrid EFI/BIOS ISO
FROM build AS install
ENV SOURCE_DATE_EPOCH=1
RUN <<-EOF
    set -eux
    dd if=/dev/zero bs=1M count=10 >> user.img
    mformat -v user -i user.img -N 0 ::
    find iso -exec touch -hcd "@0" "{}" +
    xorrisofs \
        -output airgap.iso \
        -full-iso9660-filenames \
        -joliet \
        -rational-rock \
        -sysid LINUX \
        -volid "airgap" \
        -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
        -eltorito-boot boot/syslinux/isolinux.bin \
        -eltorito-catalog boot/syslinux/boot.cat \
        -no-emul-boot \
        -boot-load-size 4 \
        -boot-info-table \
        -eltorito-alt-boot \
        -e boot/grub/efi.img \
        -no-emul-boot \
        -isohybrid-gpt-basdat \
        -follow-links \
        -append_partition 3 0xb user.img \
        iso/
EOF

## Minimal Autorun SD card image
COPY sdcard sdcard
RUN <<-EOF
    set -eux
    dd if=/dev/zero of=sdcard.img bs=1M count=32
    mformat -v external -i sdcard.img ::
    mcopy -i sdcard.img -s sdcard/* ::
EOF

FROM scratch AS package
COPY --from=install /sdcard.img /
COPY --from=install /airgap.iso /