create ARM64 OSGuard config

Author: SeanDougherty

toolkit/imageconfigs/files/osguard/repart.d/11-boot-a.conf

@@ -1,5 +1,5 @@
 [Partition]
 Type=linux-generic
 Label=boot-a
-SizeMinBytes=100M
-SizeMaxBytes=100M
+SizeMinBytes=128M
+SizeMaxBytes=128M

toolkit/imageconfigs/files/osguard/repart.d/15-boot-b.conf

@@ -1,5 +1,5 @@
 [Partition]
 Type=linux-generic
 Label=boot-b
-SizeMinBytes=100M
-SizeMaxBytes=100M
+SizeMinBytes=128M
+SizeMaxBytes=128M

toolkit/imageconfigs/osguard-amd64.yaml

@@ -12,7 +12,7 @@ storage:
         - id: boot-a
           type: linux-generic
           label: boot-a
-          size: 100M
+          size: 128M
 
         - id: usr-a
           type: linux-generic

toolkit/imageconfigs/osguard-arm64.yaml

@@ -0,0 +1,247 @@
+storage:
+  bootType: efi
+
+  disks:
+    - partitionTableType: gpt
+      partitions:
+        - id: esp
+          type: esp
+          label: esp
+          size: 512M
+
+        - id: boot-a
+          type: linux-generic
+          label: boot-a
+          size: 128M
+
+        - id: usr-a
+          type: linux-generic
+          size: 1G
+
+        - id: usr-hash-a
+          type: usr-verity
+          size: 128M
+
+        - id: root-a
+          type: root
+          label: root-a
+          size: 4G
+
+  verity:
+    - id: usrverity
+      name: usr
+      dataDeviceId: usr-a
+      hashDeviceId: usr-hash-a
+      dataDeviceMountIdType: uuid
+      hashDeviceMountIdType: uuid
+
+  filesystems:
+    - deviceId: esp
+      type: fat32
+      mountPoint:
+        idType: part-label
+        path: /boot/efi
+        options: umask=0077,noexec,nodev,nosuid
+
+    - deviceId: boot-a
+      type: ext4
+      mountPoint:
+        idType: uuid
+        path: /boot
+        options: noexec,nodev,nosuid
+
+    - deviceId: usrverity
+      type: ext4
+      mountPoint:
+        path: /usr
+        options: ro,nodev
+
+    - deviceId: root-a
+      type: ext4
+      mountPoint:
+        path: /
+        options: nodev,nosuid,x-initrd.mount,x-systemd.growfs
+
+os:
+  bootloader:
+    resetType: hard-reset
+  hostname: azure-linux-os-guard
+
+  selinux:
+    mode: permissive
+
+  uki:
+    kernels: auto
+  
+  kernelCommandLine:
+    extraCommandLine:
+      - console=tty0
+      - console=tty1
+      - console=ttyS0
+      - rd.luks=0
+      - rd.hostonly=0
+      - ipe.enforce=0
+      - fips=1
+      - console=ttyAMA0
+      - earlycon=pl011,0xeffec000
+      - initcall_blacklist=arm_pmu_acpi_init
+
+  packages:
+    remove:
+      - initramfs
+      - dracut-hostonly # Not used for UKI images
+      - grub2-efi-binary # Replaced by systemd-boot
+      - kernel # Replaced by kernel-ipe
+
+    install:
+      - syslog
+      - WALinuxAgent
+      # OS
+      - device-mapper
+      - kernel-ipe
+      # servicing
+      # - trident
+      # - trident-service
+      - veritysetup
+      # OCI
+      - cni
+      - containerd2
+      - cri-tools
+      # - erofs-utils
+      # - notation
+      # - tardev-snapshotter
+      # UKI
+      - systemd-boot
+      # hyperv
+      - dracut-hyperv
+      - hyperv-daemons
+      # cloud-init
+      - cloud-init
+      # selinux
+      - checkpolicy
+      - libselinux
+      - policycoreutils-python-utils
+      - secilc
+      - selinux-policy
+      # - selinux-policy-ci
+      - selinux-policy-modules
+      - setools-console
+
+      # === System packages ===
+      - systemd-ukify
+      - systemd-boot
+      - efibootmgr
+      - lvm2
+      - veritysetup
+      - selinux-policy
+      - selinux-policy-modules
+      - gptfdisk
+      - curl
+      - bind-utils
+      - tar
+      # =====AKS=====
+      - ca-certificates
+      - cifs-utils
+      - cloud-init-azure-kvp
+      - conntrack-tools
+      - cracklib
+      - ebtables
+      - ethtool
+      - fuse
+      - inotify-tools
+      - iotop
+      - iproute
+      - ipset
+      - iptables
+      - jq
+      - logrotate
+      - lsof
+      - nmap-ncat
+      - nfs-utils
+      - pam
+      - psmisc
+      - rsyslog
+      - socat
+      - sysstat
+      - traceroute
+      - util-linux
+      - xz
+      - zip
+      - blobfuse2
+      - nftables
+      - iscsi-initiator-utils
+      - netplan
+      - oras
+      - initramfs
+
+  additionalDirs:
+    - source: files/osguard/repart.d
+      destination: /etc/repart.d
+      childFilePermissions: 644
+
+  additionalFiles:
+    # SELinux customizations
+    - source: files/linuxguard/selinux-ci-uki.semanage
+      destination: /etc/selinux/targeted/selinux-ci.semanage
+    - source: files/common/99-dhcp-eth0.network
+      destination: /etc/systemd/network/99-dhcp-eth0.network
+    # Cloud-init configuration
+    - source: files/osguard/cloud.cfg
+      destination: /etc/cloud/cloud.cfg
+      permissions: "644"
+    # Include systemd-repart in the initrd
+    - source: files/osguard/10-repart.conf
+      destination: /etc/dracut.conf.d/10-repart.conf
+      permissions: "644"
+    # Set chrony to use /dev/ptp_hyperv
+    - source: files/osguard/chrony.conf
+      destination: /etc/chrony.conf
+      permissions: "644"
+    # Fix systemd resolved caching
+    - source: files/osguard/resolv-uplink-override.service
+      destination: /etc/systemd/system/resolv-uplink-override.service
+      permissions: "600"
+
+  services:
+    enable:
+      - sshd
+      - systemd-networkd
+      - systemd-resolved
+
+  modules:
+  # Explicitly enable iptable_nat for prometheus
+  - name: iptable_nat
+    loadMode: always
+
+scripts:
+  postCustomization:
+    - path: scripts/linuxguard/performance-tuning.sh
+    # Config AzureLinuxagent
+    - path: scripts/linuxguard/azlinuxagentconfig.sh
+    - path: scripts/linuxguard/duid-type-to-link-layer.sh
+    # Disable unused SELinux policy modules and configure SELinux policy for CI
+    #- path: scripts/linuxguard/selinux-ci-config.sh
+    - path: scripts/linuxguard/cleanup-machineid.sh
+    - path: scripts/linuxguard/prepare_trusted_cni_plugins.sh
+    - path: scripts/linuxguard/tmp-no-exec.sh
+
+    - path: scripts/set_os_release_variant_entries.sh
+      arguments:
+      - --variant-id
+      - osguard
+      - --variant
+      - OS Guard Image
+    - path: scripts/osguard/create-empty-certs-dir.sh
+
+output:
+  artifacts:
+    items:
+      - verity-hash
+      - ukis
+    path: ./output
+  image:
+    format: vhdx
+
+previewFeatures:
+  - output-artifacts
+  - uki