confidential-containers · katexochen · Dec 13, 2023 · Oct 20, 2023 · Oct 20, 2023 · Oct 23, 2023
@@ -37,7 +37,7 @@ func getProviderAndUserDataURL(ctx context.Context) (provider string, userDataUr
 func parseAndCopyUserData(userData string, dstFilePath string) error {
 
 	// Write userData to file specified in the dstFilePath var
-	// Create the directory and the file. Default is /peerpod/daemon.json
+	// Create the directory and the file.
 
 	// Split the dstFilePath into directory and file name
 	splitPath := strings.Split(dstFilePath, "/")

@@ -5,9 +5,8 @@ const (
 	providerAzure = "azure"
 	providerAws   = "aws"
 
-	defaultAgentConfigPath  = "/etc/agent-config.toml"
-	defaultAuthJsonFilePath = "/etc/auth.json"
-	offlineKbcAuthFile      = "/etc/aa-offline_fs_kbc-resources.json"
+	defaultAgentConfigPath  = "/run/peerpod/agent-config.toml"
+	defaultAuthJsonFilePath = "/run/peerpod/auth.json"
 )
 
 type Config struct {

@@ -489,6 +489,11 @@ func (p *azureProvider) getVMParameters(instanceSize, diskName, b64EncData strin
 				},
 			},
 			SecurityProfile: securityProfile,
+			DiagnosticsProfile: &armcompute.DiagnosticsProfile{
+				BootDiagnostics: &armcompute.BootDiagnostics{
+					Enabled: to.Ptr(true),
+				},
+			},
 		},
 		// Add tags to the instance
 		Tags: tags,

@@ -27,8 +27,8 @@ const (
 	DefaultListenHost          = "0.0.0.0"
 	DefaultListenPort          = "15150"
 	DefaultListenAddr          = DefaultListenHost + ":" + DefaultListenPort
-	DefaultConfigPath          = "/peerpod/daemon.json"
-	DefaultPodNetworkSpecPath  = "/peerpod/podnetwork.json"
+	DefaultConfigPath          = "/run/peerpod/daemon.json"
+	DefaultPodNetworkSpecPath  = "/run/peerpod/podnetwork.json"
 	DefaultKataAgentSocketPath = "/run/kata-containers/agent.sock"
 	DefaultKataAgentNamespace  = ""
 	AgentURLPath               = "/agent"

@@ -19,6 +19,7 @@ PHONY: binaries
 binaries:
 	docker buildx use default
 	@echo "Building binaries..."
+	rm -rf ./resources/binaries-tree
 	docker buildx build \
 		--build-arg BUILDER_IMG=fedora-binaries-builder \
 		--build-arg AA_KBC=$(AA_KBC) \
@@ -31,15 +32,15 @@ image:
 	rm -rf resources/buildDebugImage
 	rm -rf ./build
 	@echo "Building image..."
-	nix develop ..#podvm-mkosi --command "mkosi"
+	nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=production
 
 PHONY: image-debug
 image-debug:
 	@echo "Enabling debug preset..."
 	touch resources/buildDebugImage
 	rm -rf ./build
-	@echo "Building image..."
-	nix develop ..#podvm-mkosi --command "mkosi"
+	@echo "Building debug image..."
+	nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=debug
 
 PHONY: clean
 clean:

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+# move issue files away from /etc
+# to allow /run/issue and /run/issue.d to take precedence
+mv "${BUILDROOT}/etc/issue.d" "${BUILDROOT}/usr/lib/issue.d" || true
+
+# update /etc/os-release
+{
+  echo "IMAGE_ID=\"podvm\""
+  echo "IMAGE_VERSION=\"${IMAGE_VERSION-v0.0.0}\""
+  echo "VARIANT_ID=\"${VARIANT_ID}\""
+} >> "${BUILDROOT}/etc/os-release"
+
+# remove unused units of legacy image
+rm -f "${BUILDROOT}"/etc/systemd/system/{run-image,run-kata\x2dcontainers}.mount
+rm -f "${BUILDROOT}"/etc/systemd/system/multi-user.target.wants/{run-image,run-kata\x2dcontainers}.mount
+
+# mask unwanted sytemd units that measure a bunch of stuff into the vTPM
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrmachine.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrfs-root.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrfs@.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase@.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase-initrd.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase-sysinit.service"
+ln -s /dev/null "${BUILDROOT}/etc/systemd/system/systemd-pcrphase.service"
@@ -4,6 +4,7 @@ Bootloader=uki
 
 KernelCommandLine=console=ttyS0
 KernelCommandLine=systemd.firstboot=off
+KernelCommandLine=systemd.volatile=state
 KernelCommandLine=selinux=0 enforcing=0 audit=0
 
 Initrds=../../build/initrd

@@ -8,7 +8,7 @@ PathExists=../../resources/buildDebugImage
 Autologin=true
 KernelCommandLine=rd.shell
 KernelCommandLine=systemd.setenv=SYSTEMD_SULOGIN_FORCE=1
-SkeletonTrees=../../mkosi.skeleton-debug
+ExtraTrees=../../mkosi.skeleton-debug
 Packages=
     nano
     vim
@@ -18,3 +18,4 @@ Packages=
     iputils
     curl
     wget
+    ncurses
@@ -23,3 +23,13 @@ Packages=
     iproute
     iptables
     afterburn
+    neofetch
+
+RemoveFiles=/etc/issue
+RemoveFiles=/etc/issue.net
+
+# Remove for reproducible builds
+RemoveFiles=/var/log
+RemoveFiles=/var/cache
+RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
+            /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
@@ -1,5 +1,7 @@
 [Partition]
 Type=root
-Format=ext4
+Format=squashfs
+Verity=data
+VerityMatchKey=root
 CopyFiles=/
 Minimize=guess
@@ -0,0 +1,6 @@
+[Partition]
+Type=root-verity
+Verity=hash
+VerityMatchKey=root
+SizeMinBytes=64M
+SizeMaxBytes=64M
@@ -1 +1,4 @@
 PermitRootLogin yes
+HostKey /run/ssh/ssh_host_rsa_key
+HostKey /run/ssh/ssh_host_ecdsa_key
+HostKey /run/ssh/ssh_host_ed25519_key
@@ -0,0 +1,9 @@
+# generate server SSH keys in /run
+[Unit]
+ConditionFileNotEmpty=
+ConditionFileNotEmpty=|!/run/ssh/ssh_host_%i_key
+
+[Service]
+ExecStartPre=mkdir -p /run/ssh
+ExecStart=
+ExecStart=/usr/libexec/openssh/sshd-keygen %i -f /run/ssh/ssh_host_%i_key
@@ -0,0 +1,39 @@
+#!/usr/bin/bash
+
+# Create the host keys for the OpenSSH server.
+KEYTYPE=$1
+case $KEYTYPE in
+        "dsa") ;& # disabled in FIPS
+        "ed25519")
+                FIPS=/proc/sys/crypto/fips_enabled
+                if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
+                        exit 0
+                fi ;;
+        "rsa") ;; # always ok
+        "ecdsa") ;;
+        *) # wrong argument
+                exit 12 ;;
+esac
+KEY=/run/ssh/ssh_host_${KEYTYPE}_key # Patched for ro FS.
+
+KEYGEN=/usr/bin/ssh-keygen
+if [[ ! -x $KEYGEN ]]; then
+        exit 13
+fi
+
+# remove old keys
+rm -f $KEY{,.pub}
+
+# create new keys
+if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+        exit 1
+fi
+
+# sanitize permissions
+/usr/bin/chmod 600 $KEY
+/usr/bin/chmod 644 $KEY.pub
+if [[ -x /usr/sbin/restorecon ]]; then
+        /usr/sbin/restorecon $KEY{,.pub}
+fi
+
+exit 0
@@ -0,0 +1,22 @@
+${c1}                        ...
+                    .-=**++*+=:
+                 :=**=:.    .-+*+-.
+             .-+*+-.            :=+*=:
+          .-+*=:                   .-+*+-
+        -+*=:          ${c2} .-: ${c1}           -+*=.
+       :*+          ${c2} :=*****+-. ${c1}         :**
+       =*-      ${c2} .-+************=: ${c1}       +*.
+       +*:     ${c2} +****************#%- ${c1}     +*:
+       +*.     ${c2} +************##%@@@= ${c1}     =*:
+       +*.     ${c2} +*********#%%@@@@@@= ${c1}     =*:
+       +*.     ${c2} +********#@@@@@@@@@= ${c1}     =*:
+       +*.     ${c2} +********#@@@@@@@@@= ${c1}     =*:
+       =*:     ${c2} =********#@@@@@@@@%: ${c1}     +*:
+       =*-       ${c2} :=*****#@@@@@%+: ${c1}       **.
+       :*+.         ${c2} :-+*#@@#=. ${c1}          :*+
+        :+*+:           ${c2} -: ${c1}           .-+*=.
+          .-+*+-.                  :=+*=:
+             .:=*+-:           .:=*+=:
+                 :-+*+-.   .:=+*=-.
+                     :=+*+**+-.
+                         ..
@@ -0,0 +1,92 @@
+# See this wiki page for more info:
+# https://github.com/dylanaraps/neofetch/wiki/Customizing-Info
+print_info() {
+    prin
+    prin "PodVM image for cloud-api-adaptor"
+    info underline
+    prin "\033[0m$(color 12)Part of Confidential Containers project"
+    prin
+
+    prin "Image variant" $(grep "VARIANT_ID" /etc/os-release | cut -d'=' -f2 | tr -d '"')
+    # prin "Image variant" $(grep "IMAGE_VERSION" /etc/os-release | cut -d'=' -f2 | tr -d '"')
+    prin
+
+    info "OS" distro
+    info "Host" model
+    info "Kernel" kernel
+    info "Shell" shell
+    info "Terminal" term
+    info "CPU" cpu
+    info "GPU" gpu
+    info "Memory" memory
+    info "Disk" disk
+}
+
+title_fqdn="off"
+kernel_shorthand="on"
+distro_shorthand="off"
+os_arch="on"
+uptime_shorthand="on"
+memory_percent="on"
+memory_unit="mib"
+package_managers="on"
+shell_path="off"
+shell_version="on"
+speed_type="bios_limit"
+speed_shorthand="off"
+cpu_brand="on"
+cpu_speed="on"
+cpu_cores="logical"
+cpu_temp="off"
+gpu_brand="on"
+gpu_type="all"
+refresh_rate="off"
+gtk_shorthand="off"
+gtk2="on"
+gtk3="on"
+public_ip_host="http://ident.me"
+public_ip_timeout=2
+local_ip_interface=('auto')
+de_version="on"
+disk_show=('/')
+disk_subtitle="mount"
+disk_percent="on"
+music_player="auto"
+song_format="%artist% - %album% - %title%"
+song_shorthand="off"
+mpc_args=()
+colors=(distro)
+bold="on"
+underline_enabled="on"
+underline_char="-"
+separator=":"
+block_range=(0 15)
+color_blocks="on"
+block_width=3
+block_height=1
+col_offset="auto"
+bar_char_elapsed="-"
+bar_char_total="="
+bar_border="on"
+bar_length=15
+bar_color_elapsed="distro"
+bar_color_total="distro"
+memory_display="off"
+battery_display="off"
+disk_display="off"
+image_backend="ascii"
+image_source="auto"
+ascii_distro="auto"
+ascii_colors=(distro)
+ascii_bold="on"
+image_loop="off"
+thumbnail_dir="${XDG_CACHE_HOME:-${HOME}/.cache}/thumbnails/neofetch"
+crop_mode="normal"
+crop_offset="center"
+image_size="auto"
+catimg_size="2"
+gap=3
+yoffset=0
+xoffset=0
+background_color=
+stdout="off"
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+alias neofetch='neofetch \
+      --config /etc/neofetch/config.conf \
+      --ascii /etc/neofetch/coco.ascii \
+      --colors 9 9 9 9 9 12 \
+      --ascii_colors 24 9'
+alias pcrs='tpm2_pcrread sha256:all'
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+if [[ -n ${SSH_CONNECTION} && $- == *i* ]] ; then
+    neofetch
+fi
@@ -1,4 +1,5 @@
 enable systemd-networkd.service
+enable systemd-networkd.socket
 enable systemd-resolved.service
 enable dbus.service
 enable afterburn-checkin.service

@@ -3,6 +3,7 @@ enable api-server-rest.service
 enable kata-agent.service
 enable netns@.service
 enable process-user-data.service
-enable run-image.mount
-enable run-kata\x2dcontainers.mount
 enable setup-nat-for-imds.service
+
+enable gen-issue.service
+enable image-env.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Generate issue to print to serial console at startup
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/gen-issue
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,2 @@
+#Type   Path                            Mode User Group Age     Argument
+C       /run/peerpod/agent-config.toml   -    -    -     -       /etc/agent-config.toml
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This script reads the measurements of the system
+# and prints it together with helpful information
+# to the serial consol on startup.
+
+set -euo pipefail
+
+main() {
+  mkdir -p /run/issue.d
+  /usr/bin/neofetch \
+    --config /etc/neofetch/config.conf \
+    --ascii /etc/neofetch/coco.ascii \
+    --colors 9 9 9 9 9 12 \
+    --ascii_colors 24 9 \
+    > /run/issue.d/20-neofetch.issue
+  {
+    echo "Detected vTPM PCR values:"
+    /usr/bin/tpm2_pcrread sha256:all
+    echo
+  } > /run/issue.d/30-pcrs.issue
+}
+
+main