airgap/Containerfile

FROM stagex/busybox AS busybox
FROM stagex/musl AS musl
FROM stagex/xorriso AS xorriso
FROM stagex/syslinux AS syslinux
FROM stagex/cpio AS cpio
FROM stagex/linux-airgap AS linux
FROM stagex/mtools AS mtools
FROM stagex/xz AS xz
FROM stagex/eudev AS eudev
FROM stagex/ccid AS ccid
FROM stagex/libusb AS libusb
FROM stagex/keyfork AS keyfork
FROM stagex/openpgp-card-tools AS openpgp-card-tools
FROM stagex/gpg AS gpg
FROM stagex/bash AS bash
FROM stagex/grub:local AS grub
FROM stagex/npth AS npth
FROM stagex/libksba AS libksba
FROM stagex/libgpg-error AS libgpg-error
FROM stagex/libassuan AS libassuan
FROM stagex/libgcrypt AS libgcrypt
FROM stagex/jq AS jq
FROM stagex/yq AS yq
FROM stagex/bc AS bc
FROM stagex/git AS git
FROM stagex/zlib AS zlib
FROM stagex/tpm2-tools AS tpm2-tools
FROM stagex/tpm2-tss AS tpm2-tss
FROM stagex/openssl AS openssl
FROM stagex/sops AS sops
FROM stagex/pcsc-lite AS pcsc-lite
FROM stagex/pcsc-tools AS pcsc-tools
FROM stagex/flashtools AS flashtools
FROM stagex/libqrencode AS libqrencode
FROM stagex/util-linux AS util-linux
FROM stagex/opensc AS opensc

FROM scratch AS base
ARG VERSION development
ARG GIT_TIMESTAMP null
ARG GIT_AUTHOR null
ARG GIT_REF null
ARG GIT_KEY null
COPY --from=busybox . /
COPY --from=musl . /
COPY --from=xorriso . /
COPY --from=cpio . /
COPY --from=mtools . /
COPY --from=xz . /
COPY --from=grub . /

FROM base AS build

## Kernel
COPY --from=linux /bzImage iso/boot/vmlinuz

## Initramfs
COPY --from=busybox . initramfs
COPY --from=eudev . initramfs
COPY --from=musl . initramfs
COPY --from=zlib . initramfs
COPY --from=npth . initramfs
COPY --from=libksba . initramfs
COPY --from=libgpg-error . initramfs
COPY --from=libassuan . initramfs
COPY --from=libgcrypt . initramfs
COPY --from=keyfork . initramfs
COPY --from=bash . initramfs
COPY --from=gpg . initramfs
COPY --from=jq . initramfs
COPY --from=yq . initramfs
COPY --from=bc . initramfs
COPY --from=git . initramfs
COPY --from=flashtools . initramfs
COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs
COPY --from=libusb . initramfs
COPY --from=ccid . initramfs
COPY --from=pcsc-lite . initramfs
COPY --from=pcsc-tools . initramfs
COPY --from=openpgp-card-tools . initramfs
COPY --from=libqrencode . initramfs
COPY --from=opensc . initramfs
COPY --from=util-linux . initramfs
COPY --from=sops . initramfs
COPY rootfs/ initramfs
COPY <<-EOF initramfs/etc/environment
    export VERSION="$VERSION"
    export GIT_TIMESTAMP="$GIT_TIMESTAMP"
    export GIT_AUTHOR="$GIT_AUTHOR"
    export GIT_REF="$GIT_REF"
    export GIT_KEY="$GIT_KEY"
EOF
RUN <<-EOF
	cd initramfs
	find . -print0 \
	| cpio --null --create --verbose --format=newc \
	| gzip --best > ../iso/boot/initramfs
EOF

## Grub (EFI Boot)
COPY config/grub.cfg iso/boot/grub/grub.cfg
COPY config/grub_early.cfg grub_early.cfg
RUN <<-EOF
    set -eux
    mkdir -p efi/boot
    grub-mkimage \
        --config="grub_early.cfg" \
        --prefix="/boot/grub" \
        --output="efi/boot/bootx64.efi" \
        --format="x86_64-efi" \
        --compression="xz" \
        all_video \
        disk \
        part_gpt \
        part_msdos \
        linux \
        normal \
        configfile \
        search \
        search_label \
        efi_gop \
        fat \
        iso9660 \
        gzio \
        serial \
        terminal
    mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
    mcopy -i iso/boot/grub/efi.img -s efi ::
    touch -md "@0" iso/boot/grub/efi.img
EOF

## Syslinux (BIOS Boot)
COPY config/syslinux.cfg iso/boot/syslinux/
COPY --from=syslinux \
    /usr/share/syslinux/isohdpfx.bin \
    /usr/share/syslinux/isolinux.bin \
    /usr/share/syslinux/ldlinux.c32 \
    /usr/share/syslinux/libutil.c32 \
    /usr/share/syslinux/libcom32.c32 \
    /usr/share/syslinux/mboot.c32 \
    iso/boot/syslinux/

## Build Hybrid EFI/BIOS ISO
FROM build AS install
RUN xorrisofs \
    -output airgap.iso \
    -full-iso9660-filenames \
    -joliet \
    -rational-rock \
    -sysid LINUX \
    -volid "airgap" \
    -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
    -eltorito-boot boot/syslinux/isolinux.bin \
    -eltorito-catalog boot/syslinux/boot.cat \
    -no-emul-boot \
    -boot-load-size 4 \
    -boot-info-table \
    -eltorito-alt-boot \
    -e boot/grub/efi.img \
    -no-emul-boot \
    -isohybrid-gpt-basdat \
    -follow-links \
   iso/

## Minimal Autorun SD card image
COPY sdcard sdcard
RUN <<-EOF
    set -eux
    dd if=/dev/zero of=sdcard.img bs=1M count=32
    mformat -v external -i sdcard.img ::
    mcopy -i sdcard.img -s sdcard/* ::
EOF

FROM scratch AS package
COPY --from=install /iso /iso
COPY --from=install /initramfs /initramfs
COPY --from=install /sdcard.img /
COPY --from=install /airgap.iso /