Merge pull request #2528 from OSInside/confidental_compute_s390
Confidential compute s390
schaefi authored Nov 21, 2024
2 parents 8ab85d3 + 43cd86d commit 231c3db
Showing 23 changed files with 1,304 additions and 78 deletions.
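--- a/build-tests/s390/tumbleweed/test-image-MicroOS/appliance.kiwi
+++ b/build-tests/s390/tumbleweed/test-image-MicroOS/appliance.kiwi
@@ -0,0 +1,231 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- OBS-Profiles: @BUILD_FLAVOR@ -->
+<image schemaversion="7.5" name="kiwi-test-image-MicroOS">
+<description type="system">
+<author>Marcus Schäfer</author>
+<contact>[email protected]</contact>
+<specification>MicroOS disk test build for IBM Secure Execution</specification>
+</description>
+<profiles>
+<profile name="SUSE-Infra" description="MicroOS IBM SEL image LinuxONE_III@SUSE"/>
+<profile name="IBM-Cloud-Secure-Execution" description="MicroOS IBM SEL image LinuxONE@IBM-Cloud-VPC-Region-eu-de(z16)/Region-eu-gb(z15)"/>
+<profile name="IBM-Cloud-Standard" description="MicroOS IBM Cloud image"/>
+</profiles>
+<preferences>
+<version>16.0.0</version>
+<packagemanager>zypper</packagemanager>
+<bootloader-theme>openSUSE</bootloader-theme>
+<rpm-excludedocs>true</rpm-excludedocs>
+<locale>en_US</locale>
+</preferences>
+<preferences profiles="IBM-Cloud-Standard">
+<type
+image="oem"
+luks="random"
+luks_pbkdf="pbkdf2"
+luks_version="luks2"
+filesystem="btrfs"
+kernelcmdline="systemd.show_status=yes console=ttyS0,115200 console=tty0 net.ifnames=0 \$ignition_firstboot ignition.platform.id=qemu rd.debug"
+devicepersistency="by-uuid"
+btrfs_root_is_snapshot="true"
+btrfs_root_is_readonly_snapshot="false"
+btrfs_root_is_subvolume="true"
+btrfs_quota_groups="true"
+bootpartition="true"
+bootfilesystem="ext3"
+format="qcow2"
+>
+<luksformat>
+<option name="--cipher" value="aes-xts-plain64"/>
+<option name="--key-size" value="256"/>
+</luksformat>
+<oemconfig>
+<oem-unattended>true</oem-unattended>
+<oem-resize>true</oem-resize>
+</oemconfig>
+<bootloader name="zipl" timeout="10"/>
+<systemdisk>
+<volume name="home"/>
+<volume name="root"/>
+<volume name="opt"/>
+<volume name="srv"/>
+<volume name="boot/writable"/>
+<volume name="usr/local"/>
+<volume name="var" copy_on_write="false"/>
+</systemdisk>
+<size unit="G">2</size>
+</type>
+</preferences>
+<preferences profiles="IBM-Cloud-Secure-Execution">
+<type
+image="oem"
+luks="random"
+luks_pbkdf="pbkdf2"
+luks_version="luks2"
+filesystem="btrfs"
+kernelcmdline="systemd.show_status=yes console=ttyS0,115200 console=tty0 net.ifnames=0 \$ignition_firstboot ignition.platform.id=qemu swiotlb=262144 rd.debug"
+devicepersistency="by-uuid"
+btrfs_root_is_snapshot="true"
+btrfs_root_is_readonly_snapshot="false"
+btrfs_root_is_subvolume="true"
+btrfs_quota_groups="true"
+bootpartition="true"
+bootfilesystem="ext3"
+format="qcow2"
+>
+<luksformat>
+<option name="--cipher" value="aes-xts-plain64"/>
+<option name="--key-size" value="256"/>
+</luksformat>
+<oemconfig>
+<oem-unattended>true</oem-unattended>
+<oem-resize>true</oem-resize>
+</oemconfig>
+<bootloader name="zipl" timeout="10">
+<!-- LinuxONE@IBM-Cloud-VPC-Region-eu-de(z16) -->
+<securelinux hkd_sign_cert="/var/lib/se-certs/ibm-z-host-key-signing-gen2.crt" hkd_ca_cert="/var/lib/se-certs/DigiCertCA.crt">
+<hkd_cert name="/var/lib/se-certs/HKD-3932-02967D8.crt"/>
+<hkd_cert name="/var/lib/se-certs/HKD-3932-02967F8.crt"/>
+<hkd_cert name="/var/lib/se-certs/HKD-3932-0296878.crt"/>
+<hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key-gen2.crl"/>
+<hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
+<hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>
+</securelinux>
+<!-- LinuxONE@IBM-Cloud-VPC-Region-eu-gb(z15) -->
+<securelinux hkd_sign_cert="/var/lib/se-certs/ibm-z-host-key-signing.crt" hkd_ca_cert="/var/lib/se-certs/DigiCertCA.crt">
+<hkd_cert name="/var/lib/se-certs/HKD-8562-024B858.crt"/>
+<hkd_cert name="/var/lib/se-certs/HKD-8562-024B868.crt"/>
+<hkd_cert name="/var/lib/se-certs/HKD-8562-024B878.crt"/>
+<hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key.crl"/>
+<hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
+<hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>
+</securelinux>
+</bootloader>
+<systemdisk>
+<volume name="home"/>
+<volume name="root"/>
+<volume name="opt"/>
+<volume name="srv"/>
+<volume name="boot/writable"/>
+<volume name="usr/local"/>
+<volume name="var" copy_on_write="false"/>
+</systemdisk>
+<size unit="G">2</size>
+</type>
+</preferences>
+<preferences profiles="SUSE-Infra">
+<type
+image="oem"
+luks="random"
+luks_pbkdf="pbkdf2"
+luks_version="luks2"
+filesystem="btrfs"
+kernelcmdline="systemd.show_status=yes console=ttyS0,115200 console=tty0 net.ifnames=0 \$ignition_firstboot ignition.platform.id=qemu swiotlb=262144 rd.debug"
+devicepersistency="by-uuid"
+btrfs_root_is_snapshot="true"
+btrfs_root_is_readonly_snapshot="false"
+btrfs_root_is_subvolume="true"
+btrfs_quota_groups="true"
+bootpartition="true"
+bootfilesystem="ext3"
+format="qcow2"
+>
+<luksformat>
+<option name="--cipher" value="aes-xts-plain64"/>
+<option name="--key-size" value="256"/>
+</luksformat>
+<oemconfig>
+<oem-unattended>true</oem-unattended>
+<oem-resize>true</oem-resize>
+</oemconfig>
+<bootloader name="zipl" timeout="10">
+<securelinux hkd_sign_cert="/var/lib/se-certs/ibm-z-host-key-signing.crt" hkd_ca_cert="/var/lib/se-certs/DigiCertCA.crt">
+<!-- LinuxONE_III@SUSE -->
+<hkd_cert name="/var/lib/se-certs/HKD-8561-02688E8.crt.20241112"/>
+<hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key.crl"/>
+<hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
+<hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>
+</securelinux>
+</bootloader>
+<systemdisk>
+<volume name="home"/>
+<volume name="root"/>
+<volume name="opt"/>
+<volume name="srv"/>
+<volume name="boot/writable"/>
+<volume name="usr/local"/>
+<volume name="var" copy_on_write="false"/>
+</systemdisk>
+<size unit="G">2</size>
+</type>
+</preferences>
+<users>
+<user password="$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0" home="/root" name="root" groups="root"/>
+</users>
+<repository type="rpm-md">
+<source path="obsrepositories:/"/>
+</repository>
+<packages type="image" profiles="IBM-Cloud-Secure-Execution">
+<package name="ibm-se-certificates"/>
+<package name="ibm-se-revocation-lists"/>
+<package name="cloud-se-host-certificates"/>
+<package name="cloud-init"/>
+<package name="cloud-init-config-suse"/>
+<package name="systemd-network"/>
+</packages>
+<packages type="image" profiles="IBM-Cloud-Standard">
+<package name="cloud-init"/>
+<package name="cloud-init-config-suse"/>
+<package name="systemd-network"/>
+</packages>
+<packages type="image" profiles="SUSE-Infra">
+<package name="ibm-se-certificates"/>
+<package name="ibm-se-revocation-lists"/>
+<package name="suse-se-host-certificates"/>
+<package name="systemd-network"/>
+</packages>
+<packages type="image">
+<package name="patterns-base-bootloader"/>
+<package name="kernel-default"/>
+<package name="ignition-dracut"/>
+<package name="combustion"/>
+<package name="btrfsmaintenance"/>
+<package name="btrfsprogs"/>
+<package name="microos-tools"/>
+<package name="sudo"/>
+<package name="s390-tools"/>
+<package name="dracut-kiwi-oem-repart"/>
+<package name="shadow"/>
+<package name="snapper"/>
+<package name="snapper-zypp-plugin"/>
+<package name="firewalld"/>
+<package name="microos-tools"/>
+<package name="health-checker-plugins-MicroOS"/>
+<package name="squashfs"/>
+<package name="openSUSE-repos-Tumbleweed"/>
+<package name="openssh-server"/>
+<package name="openssh"/>
+<package name="iproute2"/>
+<package name="less"/>
+<package name="curl"/>
+<package name="cryptsetup"/>
+<package name="procps"/>
+</packages>
+<packages type="bootstrap">
+<package name="gawk"/>
+<package name="grep"/>
+<package name="gzip"/>
+<package name="udev"/>
+<package name="xz"/>
+<package name="shadow"/>
+<package name="filesystem"/>
+<package name="coreutils"/>
+<package name="openssl"/>
+<package name="glibc-locale-base"/>
+<package name="ca-certificates"/>
+<package name="ca-certificates-mozilla"/>
+<package name="MicroOS-release-dvd"/>
+<package name="systemd-presets-branding-MicroOS"/>
+<package name="diffutils"/>
+</packages>
+</image>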
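Review bot: The `<users>` element near the end of the file commits a fixed root password as an md5crypt hash (`$1$…`) that applies to all three profiles, including the two Secure Execution ones, and config.sh in this same commit enables sshd; a credential published in the repository removes the guest-side protection that the `<securelinux>` host-key setup is there to provide. If the account is only for build tests, say so in a comment next to the element, and prefer a stronger hash format such as sha512-crypt (`$6$`), since md5crypt is deprecated. Both Secure Execution profiles also carry `rd.debug` on kernelcmdline, which presumably traces the whole initrd run to the console the host can read; fine for a test image, but a `<!-- test-only: rd.debug exposes the initrd trace on the console -->` comment would stop it being copied into a production description. Finally, the SUSE-Infra host key document is referenced with a dated suffix (`HKD-8561-02688E8.crt.20241112`) while the IBM-Cloud ones are not, so a reader cannot tell whether that is the file name shipped by `suse-se-host-certificates` or a stale copy; a comment naming the packaging convention would help.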
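--- a/build-tests/s390/tumbleweed/test-image-MicroOS/config.sh
+++ b/build-tests/s390/tumbleweed/test-image-MicroOS/config.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+# shellcheck disable=SC1091
+test -f /.kconfig && . /.kconfig
+set -euxo pipefail
+
+declare kiwi_iname=${kiwi_iname}
+declare kiwi_profiles=${kiwi_profiles}
+
+echo "Configure image: [${kiwi_iname}]-[${kiwi_profiles}]..."
+
+#======================================
+# Setup Core Services
+#--------------------------------------
+systemctl enable sshd.service
+
+#======================================
+# Setup Cloud Services
+#--------------------------------------
+for profile in ${kiwi_profiles//,/ }; do
+if [ "${profile}" = "IBM-Cloud-Standard" ] || [ "${profile}" = "IBM-Cloud-Secure-Execution" ]; then
+for service in \
+cloud-init-local.service \
+cloud-init.service \
+cloud-config.service \
+cloud-final.service \
+systemd-networkd \
+systemd-resolved
+do
+systemctl enable "${service}"
+done
+fi
+if [ "${profile}" = "SUSE-Infra" ]; then
+for service in \
+systemd-networkd \
+systemd-resolved
+do
+systemctl enable "${service}"
+done
+fi
+done
+
+#=====================================
+# Configure snapper
+#-------------------------------------
+if [ "${kiwi_btrfs_root_is_snapshot-false}" = 'true' ]; then
+echo "creating initial snapper config ..."
+cp /usr/share/snapper/config-templates/default /etc/snapper/configs/root
+baseUpdateSysConfig /etc/sysconfig/snapper SNAPPER_CONFIGS root
+# Adjust parameters
+sed -i'' 's/^TIMELINE_CREATE=.*$/TIMELINE_CREATE="no"/g' \
+/etc/snapper/configs/root
+sed -i'' 's/^NUMBER_LIMIT=.*$/NUMBER_LIMIT="2-10"/g' \
+/etc/snapper/configs/root
+sed -i'' 's/^NUMBER_LIMIT_IMPORTANT=.*$/NUMBER_LIMIT_IMPORTANT="4-10"/g' \
+/etc/snapper/configs/root
+fi
+
+for profile in ${kiwi_profiles//,/ }; do
+if [ "${profile}" = "IBM-Cloud-Standard" ]; then
+# For image tests with an extra boot partition the
+# kernel must not be a symlink to another area of
+# the filesystem. Latest changes on SUSE changed the
+# layout of the kernel which breaks every image with
+# an extra boot partition
+#
+# All of the following is more than a hack and I
+# don't like it all
+#
+# Complains and discussions about this please with
+# the SUSE kernel team as we in kiwi can just live
+# with the consequences of this change
+#
+pushd /
+
+for file in /boot/* /boot/.*; do
+if [ -L "${file}" ];then
+link_target=$(readlink "${file}")
+if [[ "${link_target}" =~ usr/lib/modules ]];then
+mv "${link_target}" "${file}"
+fi
+fi
+done
+fi
+done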
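Review bot: `link_target=$(readlink "${file}")` in the /boot loop at the end of the file takes the link text verbatim, so a relative target only resolves because of the preceding `pushd /`, which is never matched by a `popd`; `link_target=$(readlink -f "${file}")` gives the canonical absolute path and the `pushd /` can be dropped. The `/boot/.*` glob also expands to `/boot/.` and `/boot/..`, harmless here only because the `-L` test filters them out; `shopt -s nullglob dotglob` with a single `/boot/*` is the usual form. The two profile loops could be one, with the SUSE-Infra branch and the IBM-Cloud-Standard /boot fix-up as extra arms of the same `case "${profile}"`, which would also make it visible at a glance that the /boot rewrite is intentionally not applied to the Secure Execution profiles — a comment saying so would help either way.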
@@ -0,0 +1 @@
add_dracutmodules+=" kiwi-repart "
@@ -0,0 +1,9 @@
#!/bin/sh
set -eux

/usr/sbin/setup-fstab-for-overlayfs
# If /var is on a different partition than /...
if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
# ... set options for autoexpanding /var
gawk -i inplace '$2 == "/var" { $4 = $4",x-growpart.grow,x-systemd.growfs" } { print $0 }' /etc/fstab
fi
@@ -0,0 +1,8 @@
[Match]
Name=eth0

[Network]
DHCP=yes

[DHCP]
ClientIdentifier=mac
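--- a/build-tests/s390/tumbleweed/test-image-MicroOS/run
+++ b/build-tests/s390/tumbleweed/test-image-MicroOS/run
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+qemu-system-s390x \
+-cpu host \
+-machine accel=kvm,usb=off \
+-netdev user,id=user0 \
+-device virtio-net-ccw,netdev=user0 \
+-object s390-pv-guest,id=pv0 \
+-machine confidential-guest-support=pv0 \
+-enable-kvm \
+-nodefaults \
+-name suse-cc \
+-nographic \
+-drive id=disk0,file="$1",format=qcow2,if=none,cache=writeback \
+-device virtio-blk,id=data0,drive=disk0,physical_block_size=512,logical_block_size=512 \
+-device virtio-serial-ccw \
+-device sclpconsole,chardev=console \
+-chardev stdio,id=console \
+-smp 4 \
+-m 4096 \
+-mem-prealloc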
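Review bot: The script hands `"$1"` straight to `-drive file=…` without checking that an argument was given or that it names an existing file, so a missing argument surfaces as a qemu error about an empty file name instead of a usage message; add `: "${1:?usage: ${0##*/} <image.qcow2>}"` and `[ -f "$1" ] || exit 2` after the shebang, together with `set -euo pipefail`. A one-line header comment stating that `-object s390-pv-guest` with `-machine confidential-guest-support=pv0` presumably needs a host with protected virtualization enabled, and that the image must have been built with one of the `securelinux` profiles from appliance.kiwi, would save the next person a failed boot with no obvious cause.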