podvm-mkosi: reproducible builds

Disabling the newer systemd-measure services as they are not needed and use a lot of PCRs. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
confidential-containers · Nov 30, 2023 · bd3332d · bd3332d
1 parent e194515
commit bd3332d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/podvm-mkosi/mkosi.postinst b/podvm-mkosi/mkosi.postinst
@@ -12,3 +12,12 @@ mv "${BUILDROOT}/etc/issue.d" "${BUILDROOT}/usr/lib/issue.d" || true
   echo "IMAGE_VERSION=\"${IMAGE_VERSION-v0.0.0}\""
   echo "VARIANT_ID=\"${VARIANT_ID}\""
 } >> "${BUILDROOT}/etc/os-release"
+
+# mask unwanted sytemd units that measure a bunch of stuff into the vTPM
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrmachine.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrfs-root.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrfs@.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase@.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase-initrd.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase-sysinit.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase.service"
diff --git a/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora.conf b/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora.conf
@@ -27,3 +27,9 @@ Packages=
 
 RemoveFiles=/etc/issue
 RemoveFiles=/etc/issue.net
+
+# Remove for reproducible builds
+RemoveFiles=/var/log
+RemoveFiles=/var/cache
+RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
+            /usr/lib/sysimage/libdnf5/transaction_history.sqlite*