s390x: add secex image layout to osbuild manifest

Author: nikita-dubrovskii

src/osbuild-manifests/coreos.osbuild.s390x.mpp.yaml

@@ -15,12 +15,17 @@ mpp-vars:
   ppc_prep_size_mb: 4
   reserved_part_size_mb: 1
   efi_system_size_mb: 127
+  se_size_mb:   200
   boot_size_mb: 384
+  root_size_mb: 1800
+  boot_verity_size_mb: 128
+  root_verity_size_mb: 256
   sector_size: 512
   four_k_sector_size: 4096
   # Filesystem UUID and label definitions. These UUIDs
   # are looked for on boot and if found replaced with
   # a new random UUID to make each install unique.
+  sd_fs_label: se
   boot_fs_uuid: 96d15588-3596-4b3c-adca-a2ff7279ea63
   boot_fs_label: boot
   root_fs_uuid: 910678ff-f77e-4a7d-8d53-86f2ac47a823
@@ -40,6 +45,8 @@ mpp-vars:
   # the host buildroot is the default if nothing is specified.
   # We're still defining it here in an attempt to be explicit.
   qemu_stage_buildroot: ""
+  # IBM Secure Execution
+  qemu_secex: $qemu_secex
 mpp-define-images:
   - id: image
     sector_size:
@@ -75,6 +82,40 @@ mpp-define-images:
         - name: root
           type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
           partnum: 4
+  # Secure Execution image. It MUST contain same partitions as `image` plus 3 additional
+  - id: image_secex
+    sector_size:
+      mpp-format-int: "{sector_size}"
+    size:
+      mpp-format-string: "{metal_image_size_mb * 1024 * 1024}"
+    table:
+      uuid: 00000000-0000-4000-a000-000000000001
+      label: gpt
+      partitions:
+        - name: se
+          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+          partnum: 1
+          size:
+            mpp-format-int: "{se_size_mb * 1024 * 1024 / sector_size}"
+        - name: boot
+          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+          partnum: 3
+          size:
+            mpp-format-int: "{boot_size_mb * 1024 * 1024 / sector_size}"
+        - name: root
+          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
+          partnum: 4
+          size:
+            mpp-format-int: "{root_size_mb * 1024 * 1024 / sector_size}"
+        - name: boothash
+          partnum: 5
+          size:
+            mpp-format-int: "{boot_verity_size_mb * 1024 * 1024 / sector_size}"
+        - name: roothash
+          type: B325BFBE-C7BE-4AB8-8357-139E652D2F6B
+          partnum: 6
+          size:
+            mpp-format-int: "{root_verity_size_mb * 1024 * 1024 / sector_size}"
 pipelines:
   # If installing from container then let's pull the container file into a pipeline
   - name: oci-archive
@@ -148,6 +189,13 @@ pipelines:
               # filesystem by OSTree (boot -> .) that makes it so that /boot paths
               # will always work.
               bootprefix: true
+      # If on s390x with secex then mkdir for filesytem labeled `se`, where `sdboot` image gets stored
+      - mpp-if: qemu_secex != ''
+        then:
+          type: org.osbuild.mkdir
+          options:
+            paths:
+              - path: /se
       - type: org.osbuild.ignition
       # Deploy via OSTree repo if specified, otherwise ociarchive or container.
       - mpp-if: ostree_repo != ''
@@ -475,6 +523,130 @@ pipelines:
               source: mount
               deployment:
                 default: true
+  # IBM Secure Execution (secex) image has special layout
+  - name: raw-secex-image
+    build:
+      mpp-format-string: '{buildroot}'
+    stages:
+      - type: org.osbuild.truncate
+        options:
+          filename: disk.img
+          size:
+            mpp-format-string: '{image_secex.size}'
+      - type: org.osbuild.sfdisk
+        devices:
+          device:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+        options:
+          mpp-format-json: '{image_secex.layout}'
+      - type: org.osbuild.mkfs.ext4
+        devices:
+          device:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              start:
+                mpp-format-int: '{image_secex.layout[''se''].start}'
+              size:
+                mpp-format-int: '{image_secex.layout[''se''].size}'
+              lock: true
+        options:
+          uuid: random
+          label:
+            mpp-format-string: '{sd_fs_label}'
+      - type: org.osbuild.mkfs.ext4
+        devices:
+          device:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              start:
+                mpp-format-int: '{image_secex.layout[''boot''].start}'
+              size:
+                mpp-format-int: '{image_secex.layout[''boot''].size}'
+              lock: true
+        options:
+          uuid:
+            mpp-format-string: '{boot_fs_uuid}'
+          label:
+            mpp-format-string: '{boot_fs_label}'
+          # Set manually the metadata_csum_seed ext4 option otherwise changing the
+          # filesystem UUID while it's mounted doesn't work. Can remove this when
+          # metadata_csum_seed is default in RHEL, which can be checked by looking
+          # in /etc/mke2fs.conf.
+          metadata_csum_seed: true
+      - type: org.osbuild.mkfs.xfs
+        devices:
+          device:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              start:
+                mpp-format-int: '{image_secex.layout[''root''].start}'
+              size:
+                mpp-format-int: '{image_secex.layout[''root''].size}'
+              lock: true
+        options:
+          uuid:
+            mpp-format-string: '{root_fs_uuid}'
+          label:
+            mpp-format-string: '{root_fs_label}'
+      - type: org.osbuild.copy
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:tree
+        options:
+          paths:
+            - from: input://tree/
+              to: mount://root/
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''root''].partnum}'
+            target: /
+          - name: boot
+            type: org.osbuild.ext4
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''boot''].partnum}'
+            target: /boot
+      - type: org.osbuild.chattr
+        options:
+          items:
+            mount://root/:
+              immutable: true
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''root''].partnum}'
+            target: /
+          - name: ostree.deployment
+            type: org.osbuild.ostree.deployment
+            options:
+              source: mount
+              deployment:
+                default: true
   - mpp-import-pipelines:
       path: platform.metal.ipp.yaml
   - mpp-import-pipelines:

src/osbuild-manifests/platform.qemu.ipp.yaml

@@ -5,17 +5,31 @@ pipelines:
     build:
       mpp-format-string: '{buildroot}'
     stages:
-      - type: org.osbuild.copy
-        inputs:
-          tree:
-            type: org.osbuild.tree
-            origin: org.osbuild.pipeline
-            references:
-              - name:raw-image
-        options:
-          paths:
-            - from: input://tree/disk.img
-              to: tree:///disk.img
+      - mpp-if: qemu_secex == ''
+        then:
+          type: org.osbuild.copy
+          inputs:
+            tree:
+              type: org.osbuild.tree
+              origin: org.osbuild.pipeline
+              references:
+                - name:raw-image
+          options:
+            paths:
+              - from: input://tree/disk.img
+                to: tree:///disk.img
+        else:
+          type: org.osbuild.copy
+          inputs:
+            tree:
+              type: org.osbuild.tree
+              origin: org.osbuild.pipeline
+              references:
+                - name:raw-secex-image
+          options:
+            paths:
+              - from: input://tree/disk.img
+                to: tree:///disk.img
       # Increase the size to the cloud image size
       - type: org.osbuild.truncate
         options:
@@ -50,9 +64,9 @@ pipelines:
              partition:
                mpp-format-int: '{image.layout[''boot''].partnum}'
              target: /boot
-      # If on s390x then run zipl, which must run after the kernel
+      # If on s390x without secex then run zipl, which must run after the kernel
       # arguments get finalized in the coreos.platform stage above
-      - mpp-if: arch == 's390x'
+      - mpp-if: arch == 's390x' and qemu_secex == ''
         then:
           type: org.osbuild.zipl.inst
           options:
@@ -80,6 +94,52 @@ pipelines:
               partition:
                 mpp-format-int: '{image.layout[''boot''].partnum}'
               target: /boot
+      # If on s390x with secex then setup dm-verity for 'boot'
+      - mpp-if: arch == 's390x' and qemu_secex != ''
+        then:
+          type: org.osbuild.dmverity
+          options:
+            root_hash_file: "bootfs_hash"
+          devices:
+            data_device:
+              type: org.osbuild.loopback
+              options:
+                filename: disk.img
+                start:
+                  mpp-format-int: '{image_secex.layout[''boot''].start}'
+                size:
+                  mpp-format-int: '{image_secex.layout[''boot''].size}'
+            hash_device:
+              type: org.osbuild.loopback
+              options:
+                filename: disk.img
+                start:
+                  mpp-format-int: '{image_secex.layout[''boothash''].start}'
+                size:
+                  mpp-format-int: '{image_secex.layout[''boothash''].size}'
+      # If on s390x with secex then setup dm-verity for 'root'
+      - mpp-if: arch == 's390x' and qemu_secex != ''
+        then:
+          type: org.osbuild.dmverity
+          options:
+            root_hash_file: "rootfs_hash"
+          devices:
+            data_device:
+              type: org.osbuild.loopback
+              options:
+                filename: disk.img
+                start:
+                  mpp-format-int: '{image_secex.layout[''root''].start}'
+                size:
+                  mpp-format-int: '{image_secex.layout[''root''].size}'
+            hash_device:
+              type: org.osbuild.loopback
+              options:
+                filename: disk.img
+                start:
+                  mpp-format-int: '{image_secex.layout[''roothash''].start}'
+                size:
+                  mpp-format-int: '{image_secex.layout[''roothash''].size}'
   - name: qemu
     build:
       mpp-format-string: '{qemu_stage_buildroot}'
@@ -99,3 +159,31 @@ pipelines:
             type: qcow2
             compression: false
             compat: '1.1'
+      # If on s390x with secex then export hash for 'boot'
+      - mpp-if: arch == 's390x' and qemu_secex != ''
+        then:
+          type: org.osbuild.copy
+          inputs:
+            tree:
+              type: org.osbuild.tree
+              origin: org.osbuild.pipeline
+              references:
+                - name:raw-qemu-image
+          options:
+            paths:
+              - from: input://tree/bootfs_hash
+                to: tree:///bootfs_hash
+      # If on s390x with secex then export hash for 'root'
+      - mpp-if: arch == 's390x' and qemu_secex != ''
+        then:
+          type: org.osbuild.copy
+          inputs:
+            tree:
+              type: org.osbuild.tree
+              origin: org.osbuild.pipeline
+              references:
+                - name:raw-qemu-image
+          options:
+            paths:
+              - from: input://tree/rootfs_hash
+                to: tree:///rootfs_hash

src/runvm-osbuild

@@ -11,6 +11,7 @@ Options:
     --help: show this help
     --mpp: the path to the OSBuild mpp.yaml file
     --filepath: where to write the created image file
+    --secex: Build qemu-secex image
 
 You probably don't want to run this script by hand. This script is
 run as part of 'coreos-assembler build'.
@@ -31,6 +32,7 @@ getconfig_def() {
     jq -re .\""$k"\"//\""${default}"\" < "${config}"
 }
 
+secex=""
 while [ $# -gt 0 ];
 do
     flag="${1}"; shift;
@@ -39,6 +41,7 @@ do
         --help)                    usage; exit;;
         --mpp)                     mppyaml="${1}"; shift;;
         --filepath)                filepath="${1}"; shift;;
+        --secex)                   secex="${1}"; shift;;
          *) echo "${flag} is not understood."; usage; exit 10;;
      esac;
 done
@@ -97,6 +100,7 @@ osbuild-mpp                                             \
     -D extra_kargs=\""${extra_kargs}"\"                 \
     -D metal_image_size_mb="${metal_image_size_mb}"     \
     -D cloud_image_size_mb="${cloud_image_size_mb}"     \
+    -D qemu_secex=\""${secex}"\"                        \
     "${mppyaml}" "${processed_json}"
 
 # Build the image
@@ -114,4 +118,11 @@ osbuild \
 # from the cache qcow2 so we don't cache it.
 mv "${outdir}/${platform}/${filename}" "${filepath}"
 
+# In case of IBM Secure Execution there are more artifacts
+if [ -n "${secex}" ]; then
+    dir=$(dirname "${filepath}")
+    mv "${outdir}/${platform}/bootfs_hash" "${dir}"
+    mv "${outdir}/${platform}/rootfs_hash" "${dir}"
+fi
+
 rm -f "${processed_json}"