mirror of
https://github.com/ultravioletrs/cocos.git
synced 2026-06-23 04:10:25 +00:00
Danko Miladinovic
81fe0b11b5
CI / lint (push) Has been cancelled
CI / test (agent) (push) Has been cancelled
CI / test (cli) (push) Has been cancelled
CI / test (cmd) (push) Has been cancelled
CI / test (internal) (push) Has been cancelled
CI / test (manager, true) (push) Has been cancelled
CI / test (pkg) (push) Has been cancelled
CI / upload-coverage (push) Has been cancelled
* initial FDE setup * add Manager support * fix igvmmeasure build * rebase on main * add tests * NOISSUE - Allow interoperability with CC Attestation Agent (#568) * feat: Add Confidential Containers attestation agent as an alternative attestation backend with new proto definitions and build system integration. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Update protoc-gen-go and protoc-gen-go-grpc versions in CI workflow Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Add mock implementation for AttestationAgentServiceClient and corresponding tests Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Add missing periods to test function comments in provider_test.go Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com> * NOISSUE - Agent Pull mode for remote resources (#575) * feat(kbs): implement KBS client for attestation and resource retrieval - Added KBS client implementation in pkg/kbs/client.go with methods for attestation and resource retrieval. - Introduced necessary data structures for requests and responses. - Implemented error handling for various scenarios. test(kbs): add unit tests for KBS client - Created comprehensive tests for the KBS client in pkg/kbs/client_test.go. - Included tests for attestation success and failure cases, as well as resource retrieval. feat(registry): introduce HTTP and S3 registry implementations - Added HTTPRegistry for downloading resources over HTTP/HTTPS with retry logic in pkg/registry/http.go. - Implemented S3Registry for downloading resources from AWS S3 and S3-compatible services in pkg/registry/s3.go. - Included error handling and configuration options for both registries. chore(registry): define registry interface and configuration - Created registry interface and configuration struct in pkg/registry/registry.go. - Added default configuration settings for registry clients. docs(cvms): update README for CVMS server configuration and usage - Enhanced documentation for CVMS server with detailed command-line flags and usage examples. - Clarified direct upload and remote resource modes, including KBS integration. fix(cvms): integrate KBS for remote resource handling in main.go - Updated main.go to support remote datasets and algorithms using KBS. - Added validation for command-line flags to ensure proper configuration. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Move ifeq conditional outside define block in attestation-service.mk Make conditionals cannot be evaluated inside define...endef blocks when used as recipe bodies. Restructured to define the ATTESTATION_SERVICE_INSTALL_INIT_SYSTEMD block conditionally based on BR2_PACKAGE_CC_ATTESTATION_AGENT configuration. * feat: Implement remote resource downloading for algorithms and datasets using AWS S3/MinIO credentials. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Add comprehensive documentation and agent support for testing remote resource download with KBS attestation. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Improve agent logging for remote resource configuration and KBS status, and add a testing guide for remote resource downloads with KBS attestation. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Add a comprehensive guide for testing remote resource download with KBS attestation and update multiple package versions to a specific commit. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Add failure transitions for resource reception states and a comprehensive guide for testing remote resource downloads with KBS attestation. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Implement remote resource download with KBS attestation in the agent and add a comprehensive testing guide. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * test: Add comprehensive guide for testing remote resource download with KBS attestation and include a debug log in the attestation client. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Delegate KBS attestation and token retrieval to a new attestation-agent service and document remote resource testing. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * client fixes Signed-off-by: Sammy Oina <sammyoina@gmail.com> * raw evidence Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Build all Go files in cmd directories, not just main.go This fixes the issue where fetch_raw_evidence.go wasn't being included in the attestation-service build. * fix: Wrap binary evidence in JSON for KBS compatibility Fixes 'invalid character' error by wrapping raw binary evidence in a JSON structure with base64 encoding, as expected by KBS. * chore: Update buildroot packages toc28cefaeIncludes fixes for: 1. attestation-service build (including fetch_raw_evidence.go) 2. Agent KBS evidence format (wrapping binary in JSON) * fix: Implement KBS RCAR handshake with cookies Fixes 'cookie not found' error (401) from KBS by: 1. Adding CookieJar support to KBS client 2. Implementing GetChallenge() to perform /auth handshake and capture session cookie 3. Updating Agent to get challenge, decode nonce, and use it for evidence generation 4. Regenerating mocks * chore: Update buildroot packages tof6981ac5Includes KBS RCAR handshake fix (cookie support + GetChallenge loop) * fix: Update KBS client JSON tags to kebab-case Fixes deserialization error (401) from KBS by: 1. Using kebab-case (e.g. extra-params) for JSON tags as per protocol. 2. Initializing ExtraParams as empty object {} instead of null/omitted. * fix: Wrap attestation evidence in primary_evidence format Updates Agent to construct 'tee-evidence' payload with: - primary_evidence: containing the actual quote/data - additional_evidence: empty JSON object This matches the Confidential Containers KBS Attestation Protocol requirements. * fix: Update KBS protocol version to 0.4.0 KBS rejected 0.1.0 with a version mismatch error. Bumping to 0.4.0 to match server expectation. * fix: Generate ephemeral key for KBS RuntimeData Updates RuntimeData to include a valid ephemeral EC P-256 public key in JWK format, as required by the KBS RCAR protocol. Also fixes the KBS client struct to support TEEPubKey as an object. * fix: Update sample attestation quote to valid JSON The default attestation.bin was binary, but the KBS Sample Verifier expects a valid JSON quote containing 'svn' and 'report_data'. Updated the embedded bin file to contain this JSON structure. * fix: Generate dynamic JSON quote for Sample TEE in FetchRawEvidence The KBS Sample Verifier expects a JSON object with 'svn' and 'report_data'. Previously, we were returning raw binary data (reportData+nonce). This commit updates FetchRawEvidence to return a marshaled JSON structure with: - svn: "1" - report_data: base64(req.ReportData) * refactor: Delegate Sample Attestation to Provider Refactored sample attestation logic: - Moved JSON Quote generation into EmptyProvider (standalone mode). - Updated FetchRawEvidence to call provider.TeeAttestation instead of manual generation. This enables using the real CC Attestation Agent for UNSPECIFIED platform if configured. * feat: Add comprehensive debug logging and enforce CC AA usage Changes: - Updated EmptyProvider to return error instead of generating mock data This forces proper use of CC Attestation Agent's sample attester - Added detailed logging to attestation-service FetchRawEvidence: * Hex dump of evidence (first 200 bytes) * String preview of evidence * Total evidence length - Added detailed logging to agent service: * Raw evidence hex and string previews * KBS evidence JSON preview (first 500 bytes) * Evidence lengths at each transformation step This logging will help diagnose why KBS Sample Verifier is rejecting evidence. * fix: Enable CC AA by default and add attestation-service log forwarding Changes: - Set USE_CC_ATTESTATION_AGENT=true by default in systemd service - Added StandardOutput/StandardError to forward logs to /var/log/cocos/ - Updated HAL makefile to handle new default value - This ensures attestation-service uses CC AA's sample attester - Logs will now be visible in CVMS output for debugging * feat: Add gRPC log forwarding to attestation-service Implemented the same log forwarding mechanism used by the agent: - Added ProtoHandler to write logs to both stdout and logQueue - Connected to log client (/run/cocos/log.sock) for gRPC forwarding - Added goroutine to forward logs to CVMS via log client - Logs will now appear in CVMS output during computation runs This enables visibility into attestation-service debug output including: - CC AA connection status - Evidence generation details (hex dumps, string previews) - Any errors from providers * fix: Parse sample evidence JSON instead of base64-encoding it The attestation-service returns sample evidence as JSON: {"svn":"1","report_data":"base64..."} The agent was incorrectly base64-encoding this JSON string again. KBS Sample Verifier expects the parsed JSON object directly. Fixed by: - Parsing the JSON evidence from attestation-service - Passing the parsed object directly in primary_evidence.evidence - This matches what KBS Sample Verifier expects * debug: Increase KBS evidence logging preview to 1000 bytes Show the complete JSON structure being sent to KBS to debug the attestation failure. * debug: Add comprehensive CC AA configuration logging Added debug logs to show: - Whether CC AA is enabled in config - CC AA address being used - Connection success/failure - Which provider is ultimately selected - Warning when falling back to EmptyProvider This will help diagnose why EmptyProvider is being used instead of CC Attestation Agent. * debug: Add startup logging for log client connection Added log message to show if log client connection succeeds at attestation-service startup. This will help diagnose why logs aren't appearing in CVMS output. * feat: Add retry logic with exponential backoff to log client Added simple retry mechanism to handle concurrent log requests: - 3 retry attempts with exponential backoff (10ms, 20ms, 40ms) - Applies to both SendLog and SendEvent methods - Centralized in log client so all services benefit - Should eliminate 'failed to send log' errors from concurrent requests This fixes the issue where attestation-service logs weren't appearing in CVMS output due to dropped messages. * fix: Flatten sample evidence fields in primary_evidence for KBS KBS Sample Verifier expects svn and report_data at the top level of primary_evidence, not nested under an 'evidence' key. Changed structure from: {"primary_evidence": {"tee": "sample", "evidence": {"svn": "1", ...}}} To: {"primary_evidence": {"tee": "sample", "svn": "1", "report_data": "...", ...}} This matches what KBS expects when deserializing the Quote structure. * fix: Use sample quote directly as primary_evidence per KBS protocol According to KBS attestation protocol spec, for sample TEE type, primary_evidence should be the sample quote JSON directly: {"svn": "1", "report_data": "..."} Removed extra 'tee' and 'platform' fields that were causing KBS to fail deserializing the Quote structure. The 'tee' field is already sent in the Request payload during RCAR handshake. Refs: - https://github.com/confidential-containers/trustee/blob/main/kbs/docs/kbs_attestation_protocol.md - https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/sample/mod.rs * fix: Make CC AA required for sample attestation when configured When USE_CC_ATTESTATION_AGENT=true, attestation-service now requires AA to be available for NoCC/sample platform. This ensures sample evidence always comes from AA with the correct KBS format. Changes: - Error out if AA connection fails for NoCC platform when AA is configured - Only use EmptyProvider if AA is explicitly NOT configured - Prevents incorrect sample evidence format from EmptyProvider This ensures attestation-service delegates to AA for sample evidence generation instead of creating it itself. * fix: Implement proper RCAR protocol with tee-pubkey and runtime-data hash Fixed KBS attestation error 'REPORT_DATA is different from that in Sample Quote' Changes: 1. Generate ephemeral EC key pair BEFORE getting evidence from AA 2. Create runtime-data with nonce + tee-pubkey (JWK format) 3. Hash runtime-data (SHA-256) and use as report_data for AA 4. This binds the tee-pubkey to the TEE evidence per RCAR protocol The report_data in the evidence now matches what KBS expects: hash(runtime-data) instead of computation ID. This completes the full RCAR protocol implementation: - Request → Challenge → Attestation (with bound tee-pubkey) → Response * fix(agent): use simple nonce for Sample attestation report_data For Sample/NoCC attestation, use the raw nonce bytes directly as report_data instead of hashing runtime-data. This avoids JSON serialization mismatches with the KBS Sample verifier. Real TEEs (TDX/SNP) still use runtime-data hash binding to cryptographically bind the ephemeral tee-pubkey to the evidence. * fix(agent): use RFC 8785 canonical JSON for runtime-data hashing The KBS Sample attestation verifier (and likely others) expects the report_data to be the SHA-256 hash of the *canonical* JSON serialization (RFC 8785) of the runtime-data. Standard Go JSON marshaling does not guarantee key ordering, leading to hash mismatches. This change uses github.com/gowebpki/jcs to canonicalize the runtime-data before hashing, ensuring compatibility with the KBS RCAR implementation. Also reverted the temporary 'simple nonce' workaround. * feat(hal): add CoCo Keyprovider and Skopeo packages - Add coco-keyprovider buildroot package with systemd service - Add skopeo buildroot package for OCI image handling - Add ocicrypt_keyprovider.conf for encrypted image decryption - Update Config.in to include new packages This enables standard CoCo ecosystem integration for encrypted OCI images instead of custom S3/HTTP registry clients. * feat(oci): add OCI image handling package with Skopeo integration - Add pkg/oci/types.go with ResourceSource and ImageManifest types - Add pkg/oci/skopeo.go with Skopeo wrapper for pull/decrypt - Add pkg/oci/extract.go for extracting algorithms and datasets from layers This package provides OCI image handling using Skopeo and CoCo Keyprovider for encrypted image decryption, replacing custom S3/HTTP registry clients. * chore: regenerate protobuf files for updated cvms.proto * refactor(agent): replace S3/HTTP/KBS with OCI package - Remove pkg/kbs and pkg/registry imports - Add pkg/oci import for OCI image handling - Replace downloadAndDecryptResource with OCI-based implementation - Use Skopeo + CoCo Keyprovider for automatic decryption - Reduce code from ~240 lines to ~70 lines This eliminates custom KBS RCAR handshake, S3/HTTP registry clients, and manual decryption logic. CoCo Keyprovider handles all decryption automatically via ocicrypt protocol. * chore: remove obsolete pkg/kbs and pkg/registry packages - Delete pkg/kbs/ (custom KBS client, ~300 lines) - Delete pkg/registry/ (S3/HTTP registry clients, ~400 lines) - Remove unused imports from agent/service.go - Run go mod tidy to clean up dependencies These packages have been replaced by pkg/oci with Skopeo and CoCo Keyprovider for standard CoCo ecosystem integration. * fix(agent): update ResourceSource struct to include type and encryption fields Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix(hal): update CoCo Keyprovider to v0.16.0 and fix build path - Update version from v0.11.0 to v0.16.0 (matches attestation agent) - Fix install path: target is at repo root, not in coco_keyprovider subdir - This fixes the build error where coco_keyprovider binary wasn't found The cargo workspace in guest-components builds to a shared target/ directory at the repository root, not within each crate's subdirectory. * feat: Update remote resources testing guide to use kbs-client and coco-keyprovider for key management and encryption, enable insecure TLS for Skopeo, and enhance CVMS with Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Update component versions, revise image encryption documentation, and sanitize OCI image paths for Skopeo compatibility. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Add `decompress` option to Dataset and `algo_type`/`algo_args` to Algorithm protobuf messages, updating client, test, and build configurations. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Update multiple package versions and enhance OCI image extraction error reporting for missing algorithm files. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * chore: Bump package versions, improve OCI image extraction debugging by returning seen files, and remove unused dataset type parsing from test code. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * refactor: Migrate OCI extraction to use structured logging with `slog` and `context`, and update package versions. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Bump multiple component versions, add encrypted status for computation inputs and algorithms, and refine OCI layer extraction warnings. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * logging Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: Add `Encrypted` field to algorithm and dataset resource sources and update all component versions. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: update component versions, integrate coco-keyprovider service, and configure ocicrypt key provider. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: add support for KBS parameters and dataset/algorithm hash calculations in CVMS Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: update resource download and extraction logic to support requirements.txt and improve hash verification Signed-off-by: Sammy Oina <sammyoina@gmail.com> * chore: Update dependencies, improve code style, and add GetRawEvidence to attestation client mocks. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Refactor code structure for improved readability and maintainability Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: update golangci configuration to include errcheck for build path and remove unnecessary exclusions Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: streamline kernel command line handling in QEMU args construction Signed-off-by: Sammy Oina <sammyoina@gmail.com> * feat: add attestation binary and update checksum tests and policy structure Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add unit tests for attestation agent, attestation, log, crypto, OCI, and Skopeo clients - Implement tests for the attestation agent client including Unix socket and TCP address handling, token retrieval, and error scenarios. - Enhance attestation client tests to cover fetching raw evidence for various platforms (SNP, TDX, VTPM, SNPvTPM) and validate error handling. - Introduce log client tests to verify retry behavior for sending logs and events. - Create comprehensive tests for crypto package focusing on AES-GCM decryption, encrypted resource parsing, and key unwrapping. - Add tests for OCI package to validate algorithm and dataset extraction, including JSON serialization of OCILayout. - Implement Skopeo client tests to ensure proper functionality for image pulling, inspecting, and resource source handling. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: handle JSON marshal errors in test cases for decrypt and extract functions Signed-off-by: Sammy Oina <sammyoina@gmail.com> * test: add comprehensive tests for algorithm and dataset extraction with various scenarios Signed-off-by: Sammy Oina <sammyoina@gmail.com> * refactor: replace hardcoded Python script content with constant variable Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: remove redundant mock expectation for SendAgentConfig in TestCreateVMWithAaKbsParams Signed-off-by: Sammy Oina <sammyoina@gmail.com> * test: add tests for event sending failure, dataset extraction with path traversal, and Skopeo client behavior Signed-off-by: Sammy Oina <sammyoina@gmail.com> * test: add tests for download and decryption of resources with various URL formats Signed-off-by: Sammy Oina <sammyoina@gmail.com> * refactor: Introduce OCIClient interface for agent service to improve testability of OCI image operations and enhance related tests. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * refactor: Change `get_uint64_from_tcb` to accept `TcbVersion` by value and use `u64::from` for type conversions. --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com> * initial FDE setup * add Manager support * add cloud-init script * rebase onto main * add blank lines * add tdx rtmr support * add FDE flow * use DiskConfig.Format instead of fixed values * add tests and expand Manager README.md * add curl command * add encrypted partition support * remove nbd * add dm-verity * fix manager boot sequence --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com> Co-authored-by: ultraviolet <cocosai@worker-52.local.pragmatic-it.com> Co-authored-by: Sammy Kerata Oina <44265300+SammyOina@users.noreply.github.com>
274 lines
9.8 KiB
Bash
Executable File
274 lines
9.8 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
COCOS_BOARD_DIR="$(dirname "$0")"
|
|
DEFCONFIG_NAME="$(basename "$2")"
|
|
README_FILES="${COCOS_BOARD_DIR}/readme.txt"
|
|
START_QEMU_SCRIPT="${BINARIES_DIR}/start-qemu.sh"
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Build a minimal FDE initramfs (rootfs.cpio.gz) containing only the tools
|
|
# needed to mount the root partition read-only, provision LUKS2, and switch_root.
|
|
# All other packages live
|
|
# on the ext4 disk image and are available after switch_root.
|
|
# ---------------------------------------------------------------------------
|
|
echo "[post-image] Building minimal FDE initramfs..."
|
|
|
|
INITRAMFS_STAGE="${BUILD_DIR}/initramfs-staging"
|
|
rm -rf "${INITRAMFS_STAGE}"
|
|
|
|
# Merged-usr layout: bin/sbin/lib/lib64 are symlinks into usr/, matching the
|
|
# Buildroot target layout so that hardcoded ELF interpreter paths (ld-linux)
|
|
# and the #!/bin/sh shebang both resolve correctly inside the initramfs.
|
|
mkdir -p "${INITRAMFS_STAGE}/usr/bin" \
|
|
"${INITRAMFS_STAGE}/usr/sbin" \
|
|
"${INITRAMFS_STAGE}/usr/lib" \
|
|
"${INITRAMFS_STAGE}/dev" \
|
|
"${INITRAMFS_STAGE}/proc" \
|
|
"${INITRAMFS_STAGE}/sys" \
|
|
"${INITRAMFS_STAGE}/tmp" \
|
|
"${INITRAMFS_STAGE}/run" \
|
|
"${INITRAMFS_STAGE}/root" \
|
|
"${INITRAMFS_STAGE}/etc/udev/rules.d"
|
|
ln -s usr/bin "${INITRAMFS_STAGE}/bin"
|
|
ln -s usr/sbin "${INITRAMFS_STAGE}/sbin"
|
|
ln -s usr/lib "${INITRAMFS_STAGE}/lib"
|
|
ln -s usr/lib "${INITRAMFS_STAGE}/lib64"
|
|
|
|
# init script (PID 1)
|
|
install -m 0755 "${BR2_EXTERNAL_COCOS_PATH}/board/rootfs-overlay/init" \
|
|
"${INITRAMFS_STAGE}/init"
|
|
|
|
# Binaries required by the init script
|
|
FDE_BINS="
|
|
bash
|
|
cryptsetup
|
|
veritysetup
|
|
mkfs.ext4
|
|
mount
|
|
umount
|
|
losetup
|
|
switch_root
|
|
dd
|
|
shred
|
|
tr
|
|
cut
|
|
grep
|
|
awk
|
|
cat
|
|
ls
|
|
cp
|
|
mkdir
|
|
readlink
|
|
dirname
|
|
lsblk
|
|
udevadm
|
|
blkid
|
|
rm
|
|
"
|
|
|
|
for BIN in ${FDE_BINS}; do
|
|
SRC="$(find "${TARGET_DIR}/usr/bin" "${TARGET_DIR}/usr/sbin" \
|
|
"${TARGET_DIR}/bin" "${TARGET_DIR}/sbin" \
|
|
-name "${BIN}" \( -type f -o -type l \) 2>/dev/null | head -1)"
|
|
if [ -n "${SRC}" ]; then
|
|
cp -P "${SRC}" "${INITRAMFS_STAGE}/usr/bin/${BIN}"
|
|
chmod 0755 "${INITRAMFS_STAGE}/usr/bin/${BIN}" 2>/dev/null || true
|
|
# If this is a symlink, also copy the resolved target binary (e.g. busybox, coreutils, mke2fs)
|
|
# so that other applet symlinks pointing to the same target also work at runtime.
|
|
if [ -L "${SRC}" ]; then
|
|
REAL_SRC="$(readlink -f "${SRC}")"
|
|
REAL_NAME="$(basename "${REAL_SRC}")"
|
|
if [ -f "${REAL_SRC}" ] && [ ! -e "${INITRAMFS_STAGE}/usr/bin/${REAL_NAME}" ]; then
|
|
cp "${REAL_SRC}" "${INITRAMFS_STAGE}/usr/bin/${REAL_NAME}"
|
|
chmod 0755 "${INITRAMFS_STAGE}/usr/bin/${REAL_NAME}" 2>/dev/null || true
|
|
fi
|
|
fi
|
|
else
|
|
echo "[post-image] WARNING: ${BIN} not found in target, skipping"
|
|
fi
|
|
done
|
|
|
|
# sh symlink so #!/bin/sh in the init script resolves correctly
|
|
ln -sf bash "${INITRAMFS_STAGE}/usr/bin/sh"
|
|
|
|
# Shared libraries from usr/lib (TARGET_DIR uses merged-usr so lib → usr/lib)
|
|
# Skip large runtimes that are only needed on the real root.
|
|
find "${TARGET_DIR}/usr/lib" \( \
|
|
-path "*/python3*" -o \
|
|
-path "*/gcc*" -o \
|
|
-path "*/wasmedge*" \
|
|
\) -prune -o \
|
|
\( -name "*.so" -o -name "*.so.*" \) -print | while read -r LIB; do
|
|
REL="${LIB#${TARGET_DIR}/usr/lib/}"
|
|
DEST="${INITRAMFS_STAGE}/usr/lib/${REL}"
|
|
mkdir -p "$(dirname "${DEST}")"
|
|
cp -P "${LIB}" "${DEST}"
|
|
done
|
|
|
|
# udev rules (needed for udevadm settle)
|
|
if [ -d "${TARGET_DIR}/etc/udev" ]; then
|
|
cp -a "${TARGET_DIR}/etc/udev/." "${INITRAMFS_STAGE}/etc/udev/"
|
|
fi
|
|
|
|
# /dev seed nodes
|
|
mknod -m 0600 "${INITRAMFS_STAGE}/dev/console" c 5 1 2>/dev/null || true
|
|
mknod -m 0666 "${INITRAMFS_STAGE}/dev/null" c 1 3 2>/dev/null || true
|
|
|
|
echo "[post-image] Packing initramfs..."
|
|
( cd "${INITRAMFS_STAGE}" && \
|
|
find . | cpio --quiet -o -H newc -R 0:0 | gzip -9 \
|
|
> "${BINARIES_DIR}/rootfs.cpio.gz" )
|
|
echo "[post-image] rootfs.cpio.gz: $(du -sh "${BINARIES_DIR}/rootfs.cpio.gz" | cut -f1)"
|
|
|
|
ROOTFS_IMAGE="${BINARIES_DIR}/rootfs.ext4"
|
|
VERITY_IMAGE="${BINARIES_DIR}/rootfs.verity"
|
|
ROOT_HASH_FILE="${BINARIES_DIR}/rootfs.roothash"
|
|
VERITYSETUP_BIN="${HOST_DIR}/bin/veritysetup"
|
|
|
|
if [ ! -x "${VERITYSETUP_BIN}" ]; then
|
|
VERITYSETUP_BIN="${HOST_DIR}/sbin/veritysetup"
|
|
fi
|
|
|
|
if [ ! -x "${VERITYSETUP_BIN}" ]; then
|
|
echo "[post-image] FATAL: host veritysetup not found at ${VERITYSETUP_BIN}"
|
|
exit 1
|
|
fi
|
|
|
|
echo "[post-image] Building dm-verity hash image..."
|
|
rm -f "${VERITY_IMAGE}" "${ROOT_HASH_FILE}"
|
|
truncate -s 256M "${VERITY_IMAGE}"
|
|
VERITY_FORMAT_OUTPUT="$("${VERITYSETUP_BIN}" format "${ROOTFS_IMAGE}" "${VERITY_IMAGE}")" || {
|
|
echo "[post-image] FATAL: veritysetup format failed"
|
|
exit 1
|
|
}
|
|
|
|
ROOT_HASH="$(printf '%s\n' "${VERITY_FORMAT_OUTPUT}" | awk -F': ' '/^Root hash:/ {print $2}' | tr -d '[:space:]')"
|
|
if [ -z "${ROOT_HASH}" ]; then
|
|
echo "[post-image] FATAL: failed to parse dm-verity root hash"
|
|
printf '%s\n' "${VERITY_FORMAT_OUTPUT}"
|
|
exit 1
|
|
fi
|
|
printf '%s\n' "${ROOT_HASH}" > "${ROOT_HASH_FILE}"
|
|
echo "[post-image] dm-verity root hash: ${ROOT_HASH}"
|
|
|
|
# Stage kernel and initramfs for the EFI partition.
|
|
# Buildroot's GRUB2 package has already placed bootx64.efi at
|
|
# ${BINARIES_DIR}/efi-part/EFI/BOOT/bootx64.efi; we add the kernel,
|
|
# initramfs, and overwrite the default grub.cfg with our boot entry.
|
|
echo "[post-image] Staging EFI partition files..."
|
|
mkdir -p "${BINARIES_DIR}/efi-part/EFI/BOOT"
|
|
cp "${BINARIES_DIR}/bzImage" "${BINARIES_DIR}/efi-part/bzImage"
|
|
cp "${BINARIES_DIR}/rootfs.cpio.gz" "${BINARIES_DIR}/efi-part/initrd.cpio.gz"
|
|
|
|
cat > "${BINARIES_DIR}/efi-part/EFI/BOOT/grub.cfg" << GRUBCFG
|
|
set default=0
|
|
set timeout=0
|
|
|
|
menuentry "Cocos" {
|
|
linux /bzImage console=ttyS0 roothash=${ROOT_HASH} systemd.verity=0 systemd.gpt_auto=0
|
|
initrd /initrd.cpio.gz
|
|
}
|
|
GRUBCFG
|
|
|
|
# Regenerate bootx64.efi with --disable-shim-lock so GRUB can load the kernel
|
|
# directly without requiring the shim bootloader (OVMF still verifies GRUB via
|
|
# Secure Boot; shim is not needed when booting from a custom OVMF with own DB key).
|
|
GRUB_CORE="$(ls -d "${BUILD_DIR}"/grub2-*/build-x86_64-efi/grub-core 2>/dev/null | head -1)"
|
|
if [ -n "${GRUB_CORE}" ]; then
|
|
echo "[post-image] Regenerating bootx64.efi with --disable-shim-lock..."
|
|
"${HOST_DIR}/bin/grub-mkimage" \
|
|
-d "${GRUB_CORE}" \
|
|
-O x86_64-efi \
|
|
-o "${BINARIES_DIR}/efi-part/EFI/BOOT/bootx64.efi" \
|
|
-p "/EFI/BOOT" \
|
|
--disable-shim-lock \
|
|
boot linux echo normal part_gpt fat ls search || {
|
|
echo "[post-image] FATAL: grub-mkimage failed"
|
|
exit 1
|
|
}
|
|
else
|
|
echo "[post-image] WARNING: GRUB core dir not found, skipping --disable-shim-lock rebuild"
|
|
fi
|
|
|
|
# Sign GRUB and kernel for UEFI Secure Boot.
|
|
# Keys are resolved in order: env var → board/secure-boot/ defaults.
|
|
SB_KEY="${SB_KEY:-${COCOS_BOARD_DIR}/secure-boot/db.key}"
|
|
SB_CERT="${SB_CERT:-${COCOS_BOARD_DIR}/secure-boot/db.crt}"
|
|
if [ -f "${SB_KEY}" ] && [ -f "${SB_CERT}" ]; then
|
|
echo "[post-image] Signing EFI binaries for Secure Boot..."
|
|
sbsign --key "${SB_KEY}" --cert "${SB_CERT}" \
|
|
--output "${BINARIES_DIR}/efi-part/EFI/BOOT/bootx64.efi" \
|
|
"${BINARIES_DIR}/efi-part/EFI/BOOT/bootx64.efi" || {
|
|
echo "[post-image] FATAL: Failed to sign bootx64.efi"
|
|
exit 1
|
|
}
|
|
sbsign --key "${SB_KEY}" --cert "${SB_CERT}" \
|
|
--output "${BINARIES_DIR}/efi-part/bzImage" \
|
|
"${BINARIES_DIR}/efi-part/bzImage" || {
|
|
echo "[post-image] FATAL: Failed to sign bzImage"
|
|
exit 1
|
|
}
|
|
echo "[post-image] Secure Boot signing complete"
|
|
else
|
|
echo "[post-image] WARNING: Secure Boot keys not found — EFI binaries are unsigned"
|
|
echo "[post-image] Default location: ${COCOS_BOARD_DIR}/secure-boot/db.key + db.crt"
|
|
echo "[post-image] Override: SB_KEY=/path/to/db.key SB_CERT=/path/to/db.crt make"
|
|
fi
|
|
|
|
GENIMAGE_CFG="${COCOS_BOARD_DIR}/genimage.cfg"
|
|
if [ -f "${GENIMAGE_CFG}" ]; then
|
|
GENIMAGE_TMP="${BUILD_DIR}/genimage.tmp"
|
|
rm -rf "${GENIMAGE_TMP}"
|
|
genimage \
|
|
--rootpath "${TARGET_DIR}" \
|
|
--tmppath "${GENIMAGE_TMP}" \
|
|
--inputpath "${BINARIES_DIR}" \
|
|
--outputpath "${BINARIES_DIR}" \
|
|
--config "${GENIMAGE_CFG}"
|
|
fi
|
|
|
|
if [[ "${DEFCONFIG_NAME}" =~ ^"cocos_*" ]]; then
|
|
# Not a Qemu defconfig, can't test.
|
|
exit 0
|
|
fi
|
|
|
|
# Search for "# qemu_*_defconfig" tag in all readme.txt files.
|
|
# Qemu command line on multilines using back slash are accepted.
|
|
# shellcheck disable=SC2086 # glob over each readme file
|
|
QEMU_CMD_LINE="$(sed -r ':a; /\\$/N; s/\\\n//; s/\t/ /; ta; /# '"${DEFCONFIG_NAME}"'$/!d; s/#.*//' ${README_FILES})"
|
|
|
|
if [ -z "${QEMU_CMD_LINE}" ]; then
|
|
# No Qemu cmd line found, can't test.
|
|
exit 0
|
|
fi
|
|
|
|
# Remove output/images path since the script will be in
|
|
# the same directory as the kernel and the rootfs images.
|
|
QEMU_CMD_LINE="${QEMU_CMD_LINE//output\/images\//}"
|
|
|
|
# Remove -serial stdio if present, keep it as default args
|
|
DEFAULT_ARGS="$(sed -r -e '/-serial stdio/!d; s/.*(-serial stdio).*/\1/' <<<"${QEMU_CMD_LINE}")"
|
|
QEMU_CMD_LINE="${QEMU_CMD_LINE//-serial stdio/}"
|
|
|
|
# Remove any string before qemu-system-*
|
|
QEMU_CMD_LINE="$(sed -r -e 's/^.*(qemu-system-)/\1/' <<<"${QEMU_CMD_LINE}")"
|
|
|
|
# Disable graphical output and redirect serial I/Os to console
|
|
case ${DEFCONFIG_NAME} in
|
|
(qemu_sh4eb_r2d_defconfig|qemu_sh4_r2d_defconfig)
|
|
# Special case for SH4
|
|
SERIAL_ARGS="-serial stdio -display none"
|
|
;;
|
|
(*)
|
|
SERIAL_ARGS="-nographic"
|
|
;;
|
|
esac
|
|
|
|
sed -e "s|@SERIAL_ARGS@|${SERIAL_ARGS}|g" \
|
|
-e "s|@DEFAULT_ARGS@|${DEFAULT_ARGS}|g" \
|
|
-e "s|@QEMU_CMD_LINE@|${QEMU_CMD_LINE}|g" \
|
|
-e "s|@HOST_DIR@|${HOST_DIR}|g" \
|
|
<"${COCOS_BOARD_DIR}/start-qemu.sh.in" \
|
|
>"${START_QEMU_SCRIPT}"
|
|
chmod +x "${START_QEMU_SCRIPT}"
|