## Every input is a StageX image pinned by tag *and* digest, so the build pulls
## exactly the reviewed artifacts; bump the sx tag and the digest together.
## (A `# syntax=docker/dockerfile:1` directive would add an unpinned frontend
## image pull to this otherwise fully pinned build; if one is ever added, pin
## it by digest as well.)

## Host-side tooling: overlaid into the `base` stage to assemble the ISO
FROM stagex/busybox:sx2024.08.1@sha256:8cb9360041cd17e8df33c5cbc6c223875045c0c249254367ed7e0eb445720757 AS busybox
FROM stagex/musl:sx2024.08.1@sha256:f888fcf45fabaaae3d0268bcec902ceb94edba7bf8d09ef6966ebb20e00b7127 AS musl
FROM stagex/xorriso:sx2024.08.1@sha256:9ab45852aee077b68ea101173025be6e1cdbde93692efa4ee198e1960f02ab52 AS xorriso
FROM stagex/cpio:sx2024.08.1@sha256:25afad810fbb9b1d02762030c3e43e07259a79627dbea9b66ef7f797f8377a2a AS cpio
FROM stagex/mtools:sx2024.08.1@sha256:b6202dc29906ea8d7594bce604cb676f5335cc51e75e3f12b5f619e8fc27cc28 AS mtools
FROM stagex/xz:sx2024.08.1@sha256:f6ca72fc9096ef5f694b6b7f9b7ad323a571d9447eb5cc790042f72e69b9aad8 AS xz
FROM stagex/grub:sx2024.08.1@sha256:5f382615881470e0cf9c670bead785507545a2b829b391247313f516c63355e3 AS grub
FROM stagex/syslinux:sx2024.08.1@sha256:909dcabcf13bd39b0138309f6efdeb780e01c00bf17cb1e7ee851e8b8be74d2b AS syslinux
FROM stagex/util-linux:sx2024.08.1@sha256:41525597d1f5648dc2318da7779e3c5194b4e6d24cb07f2f616ac539bb094d04 AS util-linux

## Kernel
FROM stagex/linux-airgap:sx2024.08.1@sha256:a4fac3ca7795e171a4d1b3b634fdae1790d4f8d076f3c1ac8a38f3ece72e1ec5 AS linux-airgap

## Initramfs userland: shell, device management and general utilities
FROM stagex/bash:sx2024.08.1@sha256:395e85b2f017c3fd30810d12eea5d59b015f6f5387f79bdec808ca01408cfe86 AS bash
FROM stagex/eudev:sx2024.08.1@sha256:66020d28246af1d1e5f8fe3b5bca3da3cbfbd1f89cc1c616b7f8d13f61419026 AS eudev
FROM stagex/zlib:sx2024.08.1@sha256:d0d6eef463a410191e086448c710441109ae72693cb074fe2b795ee033aa6c9d AS zlib
FROM stagex/jq:sx2024.08.1@sha256:0297a099ae95eed13d48bce2d4d624544857680095b6201e9919e1d5da45a6cd AS jq
FROM stagex/yq:sx2024.08.1@sha256:10e80bd7cec3c6e0a7fd36c65bac13600368bff993ad42b03e3b787d2125e5f0 AS yq
FROM stagex/bc:sx2024.08.1@sha256:1ecf6029ceed91dd62b08c64e49f00518edcf6c10ac4ab2fe7e8f71943607eef AS bc
FROM stagex/flashtools:sx2024.08.1@sha256:e2ac807475e66201ad50eee09bf9625ad0e97dc136818ff11775cb13a54d764b AS flashtools
FROM stagex/libqrencode:sx2024.08.1@sha256:1927d17aaf1ad6a9910380714f0dd12c72c69f9ee1b19668bf4cc5f89cbc2b2d AS libqrencode
FROM stagex/sops:sx2024.08.1@sha256:7d8d51e41c7cab21b8ae75f557961f20405f727a21107d669080e3804d09665c AS sops

## Initramfs userland: GnuPG stack and key tooling
FROM stagex/npth:sx2024.08.1@sha256:7899c399f2924c5ba0dfbce9ce6f8391e27ecd0564f0341fb85f83ba293e1ebe AS npth
FROM stagex/libgpg-error:sx2024.08.1@sha256:e7e4797f38ba1a09ba700c91e2a5c99230f04f31e7961101a72d4e95f653f284 AS libgpg-error
FROM stagex/libassuan:sx2024.08.1@sha256:1267bb842bcb6e8bff56e2b72599357605a5e141f76629f7e96187ae85a07197 AS libassuan
FROM stagex/libksba:sx2024.08.1@sha256:a5aac434ffd8fca96c435756fac9e300b3d06e04a15c707d09e5e8a16c0bcd89 AS libksba
FROM stagex/libgcrypt:sx2024.08.1@sha256:ea1906215d18688d96fc5329301af649834fe96c5eadda74c9d485623efb1f90 AS libgcrypt
FROM stagex/gpg:sx2024.08.1@sha256:b5b0726171f66da437dbd24d2398cd324b96f00115770767b4f72df2547c5323 AS gpg
FROM stagex/keyfork:sx2024.08.1@sha256:bd6167d2a4a6c3b1c3f9c0accbb1fe0d5854f64997bd1d9d8d822cdf628f8baf AS keyfork

## Initramfs userland: smartcard / OpenPGP card stack
FROM stagex/libusb:sx2024.08.1@sha256:c67807377fb18d2a874d975b43e37056eb4067a5be74ebf8c1f5e5ec65ae5650 AS libusb
FROM stagex/ccid:sx2024.08.1@sha256:0f50ff4441d8b20ff73babab652fc0a563bce46385100240de4ae587012c9505 AS ccid
FROM stagex/pcsc-lite:sx2024.08.1@sha256:fd9b0600f7f73f87d9d678b8b8a7119e0f9b9314c9959bd0d180c31736cb97d6 AS pcsc-lite
FROM stagex/pcsc-tools:sx2024.08.1@sha256:d83997bda2b9500c8a4567df827a90d65efa842f9a2bb361b6f394589cf167d5 AS pcsc-tools
FROM stagex/openpgp-card-tools:sx2024.08.1@sha256:088dbc336e34f16f7a8e323f114918468a7e4b13b190c43593ca7b0dffea54b4 AS openpgp-card-tools
FROM stagex/opensc:sx2024.08.1@sha256:8da704d0078d445d3af0338764b9f3a87ba4841744c396c8eddef15466366553 AS opensc

## Initramfs userland: TPM 2.0 stack and its TLS/crypto dependency
FROM stagex/openssl:sx2024.08.1@sha256:9bd55ed05263a538e6a23c0262edc356c998a24674f3b8ad008a4b117a4cdf3b AS openssl
FROM stagex/tpm2-tss:sx2024.08.1@sha256:5e362f43a5e0c49f774605a0e3e1b7523dc6bc775f537c206a3aaa8b8b733c93 AS tpm2-tss
FROM stagex/tpm2-tools:sx2024.08.1@sha256:1693d4ef7e0b7df3e9bd60088588d94b7f5bf755fde0c1be695f3c2f00ec2897 AS tpm2-tools
|
|
|
|
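FROM scratch AS base

## Build metadata, exported into the initramfs' /etc/environment by the `build`
## stage. All of these are public values (GIT_PUBKEY is the signer's *public*
## key); never pass secrets through --build-arg, they are recorded in the image
## history.
##
## The `=` form is required for the defaults to take effect: `ARG VERSION
## development` does NOT make "development" the default — the second word is
## parsed as the name of a separate, empty arg (or rejected outright by older
## builders), so VERSION was empty unless supplied on the command line.
##
## ARGs are scoped to the stage that declares them; a stage built `FROM base`
## must redeclare any of these it expands.
ARG VERSION=development
ARG GIT_TIMESTAMP=null
ARG GIT_AUTHOR=null
ARG GIT_REF=null
ARG GIT_PUBKEY=null

## Host-side tooling for the ISO build, overlaid onto an empty root. Order
## matters: a later COPY overwrites same-named paths from an earlier one.
COPY --from=busybox . /
COPY --from=musl . /
COPY --from=xorriso . /
COPY --from=cpio . /
COPY --from=mtools . /
COPY --from=xz . /
COPY --from=grub . /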
|
|
|
|
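FROM base AS build

## Kernel
COPY --from=linux-airgap /bzImage iso/boot/vmlinuz

## Initramfs
## The userland is assembled by overlaying each stage's root onto ./initramfs.
## Order matters: a later COPY overwrites same-named paths from an earlier one,
## so rootfs/ (the project's own init scripts and config) goes on last.
COPY --from=busybox . initramfs
COPY --from=eudev . initramfs
COPY --from=musl . initramfs
COPY --from=zlib . initramfs
COPY --from=npth . initramfs
COPY --from=libksba . initramfs
COPY --from=libgpg-error . initramfs
COPY --from=libassuan . initramfs
COPY --from=libgcrypt . initramfs
COPY --from=keyfork . initramfs
COPY --from=bash . initramfs
COPY --from=gpg . initramfs
COPY --from=jq . initramfs
COPY --from=yq . initramfs
COPY --from=bc . initramfs
COPY --from=flashtools . initramfs
COPY --from=tpm2-tools . initramfs
COPY --from=tpm2-tss . initramfs
COPY --from=openssl . initramfs
COPY --from=libusb . initramfs
COPY --from=ccid . initramfs
COPY --from=pcsc-lite . initramfs
COPY --from=pcsc-tools . initramfs
COPY --from=openpgp-card-tools . initramfs
COPY --from=libqrencode . initramfs
COPY --from=opensc . initramfs
COPY --from=util-linux . initramfs
COPY --from=sops . initramfs
COPY rootfs/ initramfs

## Build metadata baked into the image so the running system can report what it
## was built from. ARG declarations are per-stage and are not inherited through
## `FROM base`, so they are declared here (late, to keep the layers above
## cacheable) for the unquoted heredoc below to expand. Defaults use the `=`
## form; `ARG NAME default` would declare a second arg instead of a default.
## All values are public; do not route secrets through build args.
ARG VERSION=development
ARG GIT_TIMESTAMP=null
ARG GIT_AUTHOR=null
ARG GIT_REF=null
ARG GIT_PUBKEY=null
COPY <<-EOF initramfs/etc/environment
export VERSION="$VERSION"
export GIT_TIMESTAMP="$GIT_TIMESTAMP"
export GIT_AUTHOR="$GIT_AUTHOR"
export GIT_REF="$GIT_REF"
export GIT_PUBKEY="$GIT_PUBKEY"
EOF

## Pack the initramfs reproducibly: zero every mtime, hand cpio a sorted
## NUL-separated file list, and use cpio's --reproducible mode.
RUN <<-EOF
set -eux
# Without pipefail a failing cpio is masked by gzip's exit status, `set -e`
# stays satisfied and the build ships a truncated initramfs. Busybox ash
# supports this option; if it ever did not, the build fails here, loudly.
set -o pipefail
cd initramfs
find . -exec touch -hcd "@0" "{}" +
find . -print0 \
    | sort -z \
    | cpio \
        --null \
        --create \
        --verbose \
        --reproducible \
        --format=newc \
    | gzip --best \
    > ../iso/boot/initramfs
EOF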
|
|
|
|
## Grub (EFI Boot)
## bootx64.efi is a self-contained GRUB image: the modules listed below are
## embedded, grub_early.cfg is embedded as the early config, and the prefix
## points GRUB at /boot/grub on the ISO for grub.cfg. Nothing here signs the
## binary, so firmware enforcing UEFI Secure Boot will not run it as-is.
COPY config/grub.cfg iso/boot/grub/grub.cfg
COPY config/grub_early.cfg grub_early.cfg
RUN <<-EOF
set -eux
GRUB_MODULES="all_video disk part_gpt part_msdos linux normal configfile search search_label efi_gop fat iso9660 gzio serial terminal"
mkdir -p efi/boot
grub-mkimage \
    --config="grub_early.cfg" \
    --prefix="/boot/grub" \
    --output="efi/boot/bootx64.efi" \
    --format="x86_64-efi" \
    --compression="xz" \
    $GRUB_MODULES
# Zero the mtimes, then pack the EFI system partition as a 1440 KiB FAT image
# with a fixed serial number (-N 0); SOURCE_DATE_EPOCH is not set in this
# stage, so reproducibility is enforced by hand here.
find efi -exec touch -hcd "@0" "{}" +
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
mcopy -i iso/boot/grub/efi.img -ms efi ::
touch -md "@0" iso/boot/grub/efi.img
EOF
|
|
|
|
## Syslinux (BIOS Boot)
COPY config/syslinux.cfg iso/boot/syslinux/
## isohdpfx.bin is the MBR stub xorrisofs embeds for the isohybrid layout and
## isolinux.bin is the El Torito boot image (both referenced by the ISO build).
COPY --from=syslinux \
    /usr/share/syslinux/isohdpfx.bin \
    /usr/share/syslinux/isolinux.bin \
    iso/boot/syslinux/
## COM32 modules made available to syslinux.cfg at boot time.
COPY --from=syslinux \
    /usr/share/syslinux/ldlinux.c32 \
    /usr/share/syslinux/libcom32.c32 \
    /usr/share/syslinux/libutil.c32 \
    /usr/share/syslinux/mboot.c32 \
    iso/boot/syslinux/
|
|
|
|
## Build Hybrid EFI/BIOS ISO
FROM build AS install
## Reproducibility: xorriso honours SOURCE_DATE_EPOCH for the volume dates, and
## every path under iso/ is additionally touched to epoch 0 before packing.
ENV SOURCE_DATE_EPOCH=1
# Commented-out date options kept for reference; SOURCE_DATE_EPOCH is used instead.
# --set_all_file_dates='1'
# --modification-date='1970010100000000' \
RUN <<-EOF
set -eux
# Zero every mtime under iso/ so file dates in the ISO do not depend on the build host.
find iso -exec touch -hcd "@0" "{}" +
# One ISO, two boot paths: isolinux via El Torito plus the isohybrid MBR for BIOS,
# and efi.img as the alternate El Torito entry (with a GPT entry) for UEFI.
# Option order matters: -no-emul-boot / -boot-load-size / -boot-info-table apply
# to the El Torito entry declared just before them, and -eltorito-alt-boot starts
# the next entry. -follow-links resolves symlinks inside iso/ into real files.
xorrisofs \
-output airgap.iso \
-full-iso9660-filenames \
-joliet \
-rational-rock \
-sysid LINUX \
-volid "airgap" \
-isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
-eltorito-boot boot/syslinux/isolinux.bin \
-eltorito-catalog boot/syslinux/boot.cat \
-no-emul-boot \
-boot-load-size 4 \
-boot-info-table \
-eltorito-alt-boot \
-e boot/grub/efi.img \
-no-emul-boot \
-isohybrid-gpt-basdat \
-follow-links \
iso/
EOF
|
|
|
|
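## Writable USER partition appended to the hybrid ISO
## sfdisk/fdisk come from util-linux, which is not part of `base`. WORKDIR is
## never set, so the stage root `/` is where the tools land.
COPY --from=util-linux . /
RUN <<-EOF
set -eux
# Busybox ash supports pipefail; it is needed so a failing sfdisk or fdisk in
# the pipelines below aborts the build instead of being masked by echo/awk.
set -o pipefail
# Grow the image by 512 MiB to make room for a third partition
dd if=/dev/zero bs=1M count=512 >> airgap.iso
# Append a partition spanning the new space, then mark it FAT32 (type 0x0b)
echo ", +" | sfdisk --append airgap.iso
sfdisk --part-type airgap.iso 3 b
# Byte offset of the new partition: one sector past the end of partition 1,
# times a 512-byte sector. The awk field assumes `fdisk -l` prints partition 1
# with its boot flag '*' in column 2 so that column 4 is the End sector —
# re-check this if the util-linux version (and its column layout) changes.
OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}')
# Refuse to continue on an empty, non-numeric or zero offset. `set -u` does not
# catch an empty substitution, and mformat at offset 0 would overwrite the MBR
# and El Torito boot records instead of formatting the new partition.
test "$OFFSET" -gt 0 || exit 1
# Format the third partition as FAT and label it 'USER'
mformat -v USER -i airgap.iso@@$OFFSET ::
EOF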
|
|
|
|
## Minimal Autorun SD card image
## A 32 MiB FAT image labelled "external" holding the contents of ./sdcard.
## This stage runs with SOURCE_DATE_EPOCH set, which mtools honours — presumably
## why, unlike efi.img, no explicit touch/-N is applied here (verify if the image
## ever fails to reproduce). What the airgap system does with the card at boot
## is defined by rootfs/, not by this build step.
COPY sdcard sdcard
RUN <<-EOF
set -eux
SDCARD_IMG=sdcard.img
dd if=/dev/zero of="$SDCARD_IMG" bs=1M count=32
mformat -v external -i "$SDCARD_IMG" ::
mcopy -i "$SDCARD_IMG" -s sdcard/* ::
EOF
|
|
|
|
## Final artifacts only — the bootable hybrid ISO and the SD card image — on an
## empty root so nothing from the build stages leaks into the published image.
FROM scratch AS package
COPY --from=install /airgap.iso /sdcard.img /
|