This is a big step in our remote attestation story. With introducing
a dm-verity protected root file system, the content of our root FS is
measured, including binaries and configuration that is part of the
image. The root FS is now read-only.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

As the root file system is now read-only, files that need to be written
must reside in /run.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

As the root file system is now read-only, files that need to be written
must reside in /run.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

sshd generates server keys on boot. This change moves the generated
keys to /run, as their original destination is now read-only. Fedora
uses a custom script 'sshd-keygen' to generate the keys that cannot be
configured with the target path, so we need to vendor the script and
fix the path there.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

Working with the new images, two information about the image are of
fundamental interest both for devs as for users: the vTPM PCR values
of the image and whether the image is a debug image or intended for
production use. This changes adds printing capabilities for those
information.

As production images don't allow access via SSH or serial console, we
print everything to the serial console after boot. For dev convenience,
the debug image will also print the image info on SSH login.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

This enables foremost the serial console. It is helpful for debug images
as they allow access through the serial consol for debugging as well as
for production images which display PCR values and don't allow login.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

Adding packages and enabling units explicitly that were running before.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

Removing the mount units as there currently isn't a way to secure them.

This triggered a bug in kata-agent/ttrpc-rust as the path of the socket
is not created automatically. Adding a workaround to the kata-agent
unit until this is fixed upstream.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

Disabling the newer systemd-measure services as they are not needed and
use a lot of PCRs.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

It is a commen task to check the pcrs when using measured boot, so
we are providing an alias to do that with ease.

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>

To include confidential-containers/guest-components#401

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>