Commit
feat: support FDE build and bump kairos version to 3.0
* Initial FDE CanvOS build changes. Adding new targets for UKI ISO and Provider images
* add a util to smartly link files with prefix
  Signed-off-by: Nianyu Shen <[email protected]>
* add keys to gitignore
  Signed-off-by: Nianyu Shen <[email protected]>
* fix normal flow
  Signed-off-by: Nianyu Shen <[email protected]>
* fix normal iso
  Signed-off-by: Nianyu Shen <[email protected]>
* add stylus_uki.yaml
  Signed-off-by: Nianyu Shen <[email protected]>
* update os-builder & stylus image copy
  Signed-off-by: Nianyu Shen <[email protected]>
* update enki args
  Signed-off-by: Nianyu Shen <[email protected]>
* fix stylus uki
  Signed-off-by: Nianyu Shen <[email protected]>
* fix userdata
  Signed-off-by: Nianyu Shen <[email protected]>
* fix stylus copy
  Signed-off-by: Nianyu Shen <[email protected]>
* link agent provider stylus in provider image
  Signed-off-by: Nianyu Shen <[email protected]>
* link agent provider stylus
  Signed-off-by: Nianyu Shen <[email protected]>
* Adding branding menu string.
* Removing UKI target from non-secure ISO target
* Fix auto-install
* Minor fix. Adding branding for provider image.
* use alpine as provider base image
  Signed-off-by: Nianyu Shen <[email protected]>
* install kairos-agent to provider image and change base to ubuntu
  Signed-off-by: Nianyu Shen <[email protected]>
* bump os builder version to v0.200.8
  Signed-off-by: Nianyu Shen <[email protected]>
* add reset stage
  Signed-off-by: Nianyu Shen <[email protected]>
* remove line
  Signed-off-by: Nianyu Shen <[email protected]>
* bump os-builder to 200.9
  Signed-off-by: Nianyu Shen <[email protected]>
* Bumping up Kairos version and Stylus unpack fix.
* update dep
  Signed-off-by: Nianyu Shen <[email protected]>
* fix tag
  Signed-off-by: Nianyu Shen <[email protected]>
* Making target change to allow iso target for uki-iso.
* Merging UKI and non-uki provider targets into build-provider-images. Also enabling K8S_VERSION through .arg file
* support stylus pkg restore after reset
* Fixing OEM size error.
* refactor: stylus image extraction
* fix: fix unpack in initramfs
* Change to move private-keys to different folder. These keys can be copied out and not needed during ISO or upgrade image generation.
* fix typo
* Minor private key fix.
* refactor: only execute uki stages if in uki boot mode
* fix uki mode if condition
* remove sbctl
* bump OSBUILDER to v0.200.11
* use apt-get instead of apt
* bump kairos version to v3.0.5
* add a hardcoded user to get logs during dev
* Fixing the Base Image URL
* Fixing ISO name
  Bumping Kairos version to 3.0.6
* Removing the container target for ISO.
* Update stylus_uki.yaml
* Adding key folder changes. Also handling extra params for MS keys, force auto enroll, custom keys.
* Fixing custom keys generation
* Fixing the image tag issue. (#167)
* Update Earthfile
* genkey target should not use any cache
  Signed-off-by: Nianyu Shen <[email protected]>
* use - instead of _ as directory name and print out dir tree after key gen
  Signed-off-by: Nianyu Shen <[email protected]>
* update .gitignore
  Signed-off-by: Nianyu Shen <[email protected]>
* Ensure no error messages
* fix typo
  Signed-off-by: Nianyu Shen <[email protected]>
* PE-3405: Kairos 3.0.x upgrade (#164)
* CIS hardening - enabled by default
* Support UEFI boot for non-UKI ISO
* add iso-disk-image for container disk image
  Signed-off-by: Nianyu Shen <[email protected]>
* put ISO_NAME as global arg
  Signed-off-by: Nianyu Shen <[email protected]>
* fix image tag
  Signed-off-by: Nianyu Shen <[email protected]>
* Pe 3405 (#169)
* fix jetson image
  Signed-off-by: Nianyu Shen <[email protected]>
* Ensure kubeadm compatibility
  Install linux-headers package if /usr/src is empty when building for kubeadm
  Also "apt-mark hold" kernel packages if building for UKI
  Streamline "apt-mark hold" HWE logic
* bump kairos to v3.0.7
  Signed-off-by: Nianyu Shen <[email protected]>
* add sbctl and mokutil in dockerfile
  Signed-off-by: Nianyu Shen <[email protected]>
* add uki related variables to .arg.template and add readme about trusted boot (#170)
  Signed-off-by: Nianyu Shen <[email protected]>
* add a script to smartly explain key usage and recommends under a folder
  Signed-off-by: Nianyu Shen <[email protected]>
* rename comment.sh to keys.sh
  Signed-off-by: Nianyu Shen <[email protected]>
* Add private CA instructions
* Fix example cert location info
* add bring your own key option to genkey
  Signed-off-by: Nianyu Shen <[email protected]>
* add if exists
  Signed-off-by: Nianyu Shen <[email protected]>
* PE-3405: Update kairos base image (#172)
* update 4.4.0-alpha1 provider versions (#174)
* base images changes
* Don't concatenate the PK
* Adjust messages
* Phase out UKI_SELF_SIGNED_KEYS
* base url change (#175)
* update
  Signed-off-by: Nianyu Shen <[email protected]>
* rename to 80_stylus_uki.yaml
  Signed-off-by: Nianyu Shen <[email protected]>
* comment out sbctl
  Signed-off-by: Nianyu Shen <[email protected]>
* updating kairos version 3.0.8 (#176)
* Native Ubuntu Pro support
* fix: content not copied into uki iso (#177)
  Signed-off-by: Nianyu Shen <[email protected]>
* Simplify uki-build-iso
* Update private CA instructions
* Improve wording
* correct extension
* dynamic cryptsetup close
* Correct procedure to uki-genkey
* Add instructions for the TPM key
* Split the ZST file to 3GB chunks. (#178)
  Co-authored-by: Nianyu Shen <[email protected]>
* kairos upgrade to v3.0.9 and ubuntu-fips snapd remove (#179)
* Fix broken pam settings
* fix zst file missing error
  Signed-off-by: Nianyu Shen <[email protected]>
* fix content split
  Signed-off-by: Nianyu Shen <[email protected]>
* fix split eval
* fix typo
* Copy content for non-UKI iso
* Fix logic
* Generate secure-boot directory structure
* Only save artifacts when needed
* support INCLUDE_MS_SECUREBOOT_KEYS for BYOK
* Update .arg template instructions
* Ignore privately generated keys
* Improve private CA instructions
* set INCLUDE_MS_SECUREBOOT_KEYS to false by default
  Signed-off-by: Nianyu Shen <[email protected]>
* set INCLUDE_MS_SECUREBOOT_KEYS to true by default
  Signed-off-by: Nianyu Shen <[email protected]>
* bump k3s provider version to 4.4.0-alpha2 (#180)
* Don't install libpam-pwquality twice
* Install correct yum packages
* fix SPECTRO_PUB_REPO
  Signed-off-by: Nianyu Shen <[email protected]>
* fix arch
  Signed-off-by: Nianyu Shen <[email protected]>
* build slink
  Signed-off-by: Nianyu Shen <[email protected]>
* add spc.tgz to gitignore
  Signed-off-by: Nianyu Shen <[email protected]>
* add efi-size-check
  Signed-off-by: Nianyu Shen <[email protected]>

---------

Signed-off-by: Nianyu Shen <[email protected]>
Signed-off-by: Nianyu Shen <[email protected]>
Co-authored-by: Nianyu Shen <[email protected]>
Co-authored-by: Nianyu Shen <[email protected]>
Co-authored-by: Kevin Reeuwijk <[email protected]>
Co-authored-by: Arun Sharma <[email protected]>
Co-authored-by: Kevin Reeuwijk <[email protected]>
Co-authored-by: Santhosh <[email protected]>
Co-authored-by: Piyush Kumar <[email protected]>