s390x: enable osbuild based secex build

nikita-dubrovskii · jlebon · commit 57d158fa2e3b · 2024-07-11T15:47:47.000-04:00
diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal
@@ -190,20 +190,9 @@ disk_args=()
 qemu_args=()
 # SecureExecution extra stuff
 if [[ $secure_execution -eq "1" ]]; then
-    ignition_pubkey=$(mktemp -p "${tmp_builddir}")
-    disk_args+=("--with-secure-execution" "--write-ignition-pubkey-to" "${ignition_pubkey}")
-    if [ -z "${hostkey}" ]; then
-        if [ ! -f "${genprotimgvm}" ]; then
-            fatal "No genprotimgvm provided at ${genprotimgvm}"
-        fi
-        genprotimg_img="${PWD}/secex-genprotimg.img"
-        qemu-img create -f raw "${genprotimg_img}" 512M
-        mkfs.ext4 "${genprotimg_img}"
-        qemu_args+=("-drive" "if=none,id=genprotimg,format=raw,file=${genprotimg_img}" \
-                            "-device" "virtio-blk,serial=genprotimg,drive=genprotimg")
-    else
-        qemu_args+=("-drive" "if=none,id=hostkey,format=raw,file=$hostkey,readonly=on" \
-                            "-device" "virtio-blk,serial=hostkey,drive=hostkey")
+    disk_args+=("--with-secure-execution")
+    if [ ! -f "${genprotimgvm}" ]; then
+        fatal "No genprotimgvm provided at ${genprotimgvm}"
     fi
 fi
 
@@ -219,10 +208,12 @@ rootfs_size_mb="$(jq '."estimate-mb".final' "$PWD/tmp/ostree-size.json")"
 # the platforms require and we want a "default" disk size that has some
 # free space.
 nonroot_partition_sizes=513
-# In the Secure Execution case, we need to also include the sizes of the se and verity
-# partitions so that they don't "eat into" the 35% buffer (though note this is
-# all blown away on first boot anyway).
-if [[ $secure_execution -eq "1" ]]; then
+# On s390x there is one more build - Secure Execution case, which has
+# different image layout. We add the sizes of the se and verity
+# partitions so that they don't "eat into" the 35% buffer (though note
+# this is all blown away on first boot anyway). For 's390x.mpp.yaml'
+# simplicity all s390x images have same size (of secex image).
+if [[ $basearch == "s390x" ]]; then
     nonroot_partition_sizes=$((nonroot_partition_sizes + 200 + 128 + 256 + 1))
 fi
 metal_image_size_mb="$(( rootfs_size_mb + nonroot_partition_sizes ))"
@@ -274,10 +265,11 @@ platforms_json="${tmp_builddir}/platforms.json"
 yaml2json "${configdir}/platforms.yaml" "${platforms_json}"
 
 # Currently we only support OSBuild for qemu and metal disk images
+osbuild_extra_args=()
 if [ "${image_type}" == "qemu" ] || [ "${image_type}" == "metal" ] || [ "${image_type}" == "metal4k" ]; then
-    # Right now we don't have support fully fleshed out for secex on s390x
-    if [[ $secure_execution -ne "1" ]]; then
-        OSBUILD_SUPPORTED=1
+    OSBUILD_SUPPORTED=1
+    if [[ $secure_execution -eq "1" ]]; then
+        osbuild_extra_args+=("--secex" "1")
     fi
 fi
 
@@ -293,7 +285,7 @@ if [ "${OSBUILD_SUPPORTED:-}" != "" ] && [ "${COSA_USE_OSBUILD:-}" != "0" ]; the
     runvm_with_cache_snapshot "$snapshot" -- /usr/lib/coreos-assembler/runvm-osbuild                    \
                 --config "${image_for_disk_json}"                                                       \
                 --mpp "/usr/lib/coreos-assembler/osbuild-manifests/coreos.osbuild.${basearch}.mpp.yaml" \
-                --filepath "${path}.tmp"
+                --filepath "${path}.tmp" "${osbuild_extra_args[@]}"
 else
     runvm "${qemu_args[@]}" -- \
             /usr/lib/coreos-assembler/create_disk.sh \
@@ -309,9 +301,36 @@ else
     fi
 fi
 
-if [[ $secure_execution -eq "1" && -z "${hostkey}" ]]; then
+if [[ $secure_execution -eq "1" ]]; then
+    # SecureVM (holding Universal Key for all IBM Z Mainframes) requires scripts to execute genprotimg
+    se_script_dir="/usr/lib/coreos-assembler/secex-genprotimgvm-scripts"
+    genprotimg_img="${PWD}/secex-genprotimg.img"
+    genprotimg_dir=$(mktemp -p "${tmp_builddir}" -d)
+    cp "${se_script_dir}/genprotimg-script.sh" "${se_script_dir}/post-script.sh" "${genprotimg_dir}"
+    # Extra kargs with dm-verity hashes
+    secex_kargs="ignition.firstboot rootfs.roothash=$(<"${PWD}"/rootfs_hash) bootfs.roothash=$(<"${PWD}"/bootfs_hash)"
+    echo "${secex_kargs}" > "${genprotimg_dir}/parmfile"
+    virt-make-fs --format=raw --type=ext4 "${genprotimg_dir}" "${genprotimg_img}"
+    rm -rf "${genprotimg_dir}"
+    qemu_args+=("-drive" "if=none,id=genprotimg,format=raw,file=${genprotimg_img}" \
+                "-device" "virtio-blk,serial=genprotimg,drive=genprotimg")
+
+    # GPG keys used for protecting Ignition config
+    tmp_gpg_home=$(mktemp -p "${tmp_builddir}" -d)
+    ignition_pubkey=$(mktemp -p "${tmp_builddir}")
+    ignition_prikey=$(mktemp -p "${tmp_builddir}")
+    gpg --homedir "${tmp_gpg_home}" --batch --passphrase '' --yes --quick-gen-key "Secure Execution (secex) ${build}" rsa4096 encr none
+    gpg --homedir "${tmp_gpg_home}" --armor --export secex > "${ignition_pubkey}"
+    gpg --homedir "${tmp_gpg_home}" --armor --export-secret-key secex > "${ignition_prikey}"
+    exec 9<"${ignition_prikey}"
+    rm -rf "${tmp_gpg_home}" "${ignition_prikey}"
+    qemu_args+=("-add-fd" "fd=9,set=3" "-drive" "if=none,id=gpgkey,format=raw,file=/dev/fdset/3,readonly=on" \
+		"-device" "virtio-blk,serial=gpgkey,drive=gpgkey")
+
     /usr/lib/coreos-assembler/secex-genprotimgvm-scripts/runvm.sh \
         --genprotimgvm "${genprotimgvm}" -- "${qemu_args[@]}"
+    rm -f "${genprotimg_img}"
+    exec 9>&-
 fi
 
 /usr/lib/coreos-assembler/finalize-artifact "${path}.tmp" "${path}"
diff --git a/src/secex-genprotimgvm-scripts/genprotimg-script.sh b/src/secex-genprotimgvm-scripts/genprotimg-script.sh
@@ -1,30 +1,54 @@
 #!bin/bash
-
 set -exuo pipefail
 
 echo "Preparing for genprotimg-daemon"
 
-source="/build/genprotimg"
-destination="/genprotimg"
-pkey="usr/lib/coreos/ignition.asc"
+# CoreOS based secure-vm uses '/var' as prefix
+PREFIX=/
+if [ -e /var/genprotimg ]; then
+    PREFIX=/var
+fi
+
+destination="${PREFIX}/genprotimg"
+parmfile="${PREFIX}/build/parmfile"
 
-trap "rm -f ${source}/${pkey}" EXIT
+# This is our coreos.qemu-secex.qcow2
+disk=$(realpath /dev/disk/by-id/virtio-target)
 
+
+# 'boot' labeled partition on target image
+disk_boot="${disk}3"
+boot_mnt=$(mktemp -d /tmp/boot-XXXXXX)
+mount -o ro "${disk_boot}" "${boot_mnt}"
+blsfile=$(ls "${boot_mnt}"/loader/entries/*.conf)
+kernel=$(grep linux "${blsfile}" | cut -d' ' -f2)
+initrd=$(grep initrd "${blsfile}" | cut -d' ' -f2)
 # Files need to be named correctly
-# genprotimg daemon can only see /genprotimg folder
-cp "${source}/vmlinuz" "${source}/initrd.img" "${source}/parmfile" "${destination}/"
+cp "${boot_mnt}/${kernel}" "${destination}/vmlinuz"
+cp "${boot_mnt}/${initrd}" "${destination}/initrd.img"
+# Generate full cmdline
+echo "$(grep options "${blsfile}" | cut -d' ' -f2-) $(<${parmfile})" > "${destination}/parmfile"
+umount "${boot_mnt}"
+rmdir "${boot_mnt}"
+
 
+# We pass Ignition gpg private key from COSA to the VM as virtual disk
+gpg_private_key=$(realpath /dev/disk/by-id/virtio-gpgkey)
+gpg_dir=$(mktemp -d)
+pkey="usr/lib/coreos/ignition.asc"
+mkdir -p "${gpg_dir}/usr/lib/coreos"
+cat "${gpg_private_key}" > "${gpg_dir}/${pkey}"
 # Append Ignition GPG private key to initramfs
-cd "${source}"
-echo "${pkey}" | cpio --quiet -H newc -o | gzip -9 -n >> "${destination}/initrd.img"
-rm "${pkey}"
+echo "${pkey}" | cpio -D "${gpg_dir}" --quiet -H newc -o | gzip -9 -n >> "${destination}/initrd.img"
+rm -rf "${gpg_dir}"
+
 
 # Signal daemon that it can run genprotimg
 touch "${destination}/signal.file"
 
 # Wait for genprotimg execution
 while [ -e "$destination/signal.file" ] && [ ! -e "$destination/error" ]; do
-    sleep 5
+    sleep 1
 done
 if [ -e "$destination/error" ] || [ ! -e "${destination}/se.img" ]; then
     ls -lha $destination
diff --git a/src/secex-genprotimgvm-scripts/post-script.sh b/src/secex-genprotimgvm-scripts/post-script.sh
@@ -4,21 +4,26 @@ set -exuo pipefail
 
 echo "Moving sdboot and executing zipl"
 
-workdir="/build"
-sdboot="/genprotimg/se.img"
-genprotimg_dir="${workdir}/genprotimg"
-se_boot=$(mktemp -d /tmp/se-XXXXXX)
+# CoreOS based secure-vm uses '/var' as prefix
+PREFIX=/
+if [ -e /var/genprotimg ]; then
+    PREFIX=/var
+fi
 
+# This is our coreos.qemu-secex.qcow2
 disk=$(realpath /dev/disk/by-id/virtio-target)
+
+
+# 'se' labeled partition on target image, holds 'sdboot' image
 disk_se="${disk}1"
+se_mnt=$(mktemp -d /tmp/se-XXXXXX)
+mount "${disk_se}" "${se_mnt}"
+cp "${PREFIX}/genprotimg/se.img" "${se_mnt}/sdboot"
+zipl -V -i "${se_mnt}/sdboot" -t "${se_mnt}"
+umount "${se_mnt}"
+rmdir "${se_mnt}"
 
-mount "${disk_se}" "${se_boot}"
-cp "${sdboot}" "${se_boot}/sdboot"
-zipl -V -i ${se_boot}/sdboot -t ${se_boot}
 
 # Disable debug output, the last message should be success
 set +x
 echo "Success, added sdboot to image and executed zipl"
-
-umount "${se_boot}"
-rm -rf "${se_boot}"
diff --git a/src/secex-genprotimgvm-scripts/runvm.sh b/src/secex-genprotimgvm-scripts/runvm.sh
@@ -62,11 +62,10 @@ if ! "${kola_args[@]}" -- "${base_qemu_args[@]}" \
     exit 1
 fi
 
-cat "${runvm_console}"
-
 if ! grep -q "Success, added sdboot to image and executed zipl" "${runvm_console}"; then
-   echo "Could not find success message, genprotimg failed."
-   exit 1
+    echo "Could not find success message, genprotimg failed."
+    cat "${runvm_console}"
+    exit 1
 fi
 
 exit 0
