-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
podvm-mkosi: dm-verity, reproducible builds & measurements #1606
podvm-mkosi: dm-verity, reproducible builds & measurements #1606
Commits on Nov 30, 2023
-
podvm-mkosi: use squashFS and dm-verity for rootFS
This is a big step in our remote attestation story. With introducing a dm-verity protected root file system, the content of our root FS is measured, including binaries and configuration that is part of the image. The root FS is now read-only. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for b4bd0d8 - Browse repository at this point
Copy the full SHA b4bd0d8View commit details -
forwarder: change paths to /run
As the root file system is now read-only, files that need to be written must reside in /run. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for c41413e - Browse repository at this point
Copy the full SHA c41413eView commit details -
process-user-data: change paths to /run
As the root file system is now read-only, files that need to be written must reside in /run. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 9452ec4 - Browse repository at this point
Copy the full SHA 9452ec4View commit details -
podvm-mkosi: sshd on read-only FS
sshd generates server keys on boot. This change moves the generated keys to /run, as their original destination is now read-only. Fedora uses a custom script 'sshd-keygen' to generate the keys that cannot be configured with the target path, so we need to vendor the script and fix the path there. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 8b7a40f - Browse repository at this point
Copy the full SHA 8b7a40fView commit details -
podvm-mkosi: print info and PCRs to serial console
Working with the new images, two information about the image are of fundamental interest both for devs as for users: the vTPM PCR values of the image and whether the image is a debug image or intended for production use. This changes adds printing capabilities for those information. As production images don't allow access via SSH or serial console, we print everything to the serial console after boot. For dev convenience, the debug image will also print the image info on SSH login. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for a26ac4d - Browse repository at this point
Copy the full SHA a26ac4dView commit details -
azure: always enable boot diagnostics
This enables foremost the serial console. It is helpful for debug images as they allow access through the serial consol for debugging as well as for production images which display PCR values and don't allow login. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 3f269a3 - Browse repository at this point
Copy the full SHA 3f269a3View commit details -
Adding packages and enabling units explicitly that were running before. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 07bde3a - Browse repository at this point
Copy the full SHA 07bde3aView commit details
Commits on Dec 11, 2023
-
podvm-mkosi: remove mount units
Removing the mount units as there currently isn't a way to secure them. This triggered a bug in kata-agent/ttrpc-rust as the path of the socket is not created automatically. Adding a workaround to the kata-agent unit until this is fixed upstream. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for c013e1a - Browse repository at this point
Copy the full SHA c013e1aView commit details -
podvm-mkosi: reproducible builds
Disabling the newer systemd-measure services as they are not needed and use a lot of PCRs. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for f89eec8 - Browse repository at this point
Copy the full SHA f89eec8View commit details -
podvm-mkosi: convenience alias to query PCRs
It is a commen task to check the pcrs when using measured boot, so we are providing an alias to do that with ease. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 4483f9b - Browse repository at this point
Copy the full SHA 4483f9bView commit details
Commits on Dec 13, 2023
-
versions: update guest-components
To include confidential-containers/guest-components#401 Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 555648a - Browse repository at this point
Copy the full SHA 555648aView commit details