Initial FDE CanvOS build changes. #141

Merged: 129 commits, May 10, 2024
fa19a33
Initial FDE CanvOS build changes.
vipsharm Mar 4, 2024
b2870f5
add a util to smartly link files with prefix
nianyush Mar 6, 2024
bdfc3e8
add keys to gitignore
nianyush Mar 6, 2024
f77a12f
fix normal flow
nianyush Mar 6, 2024
ae38875
fix normal iso
nianyush Mar 6, 2024
a277e0c
add stylus_uki.yaml
nianyush Mar 7, 2024
c901cd2
update os-builder & stylus image copy
nianyush Mar 8, 2024
45399e0
update enki args
nianyush Mar 8, 2024
5c4bd91
fix stylus uki
nianyush Mar 8, 2024
56b79f0
fix userdata
nianyush Mar 8, 2024
0c9d7a7
fix stylus copy
nianyush Mar 9, 2024
b711d0c
Merge branch 'main' into FDE
nianyush Mar 9, 2024
a135de1
link agent provider stylus in provider image
nianyush Mar 11, 2024
0b73530
link agent provider stylus
nianyush Mar 11, 2024
8c0f5d5
Merge branch 'main' into FDE
vipsharm Mar 13, 2024
dbef4ca
Adding branding menu string.
vipsharm Mar 13, 2024
336301f
Removing UKI target from non-secure ISO target
vipsharm Mar 14, 2024
eeb6340
Fix auto-install
vipsharm Mar 14, 2024
6b5b3ee
Minor fix. Adding branding for provider image.
vipsharm Mar 19, 2024
4658326
use alpine as provider base image
nianyush Mar 22, 2024
bbefcd6
install kairos-agent to provider image and change base to ubuntu
nianyush Mar 22, 2024
1933fb4
bump os builder version to v0.200.8
nianyush Mar 22, 2024
c3f8398
add reset stage
nianyush Mar 26, 2024
c1be1da
remove line
nianyush Mar 27, 2024
9bbb5c5
bump os-builder to 200.9
nianyush Mar 28, 2024
8a02e99
Bumping up Kairos version and Stylus unpack fix.
vipsharm Apr 1, 2024
4490e13
update dep
nianyush Apr 1, 2024
f7db956
Merge branch 'FDE' of github.com:spectrocloud/CanvOS into FDE
nianyush Apr 1, 2024
a3072b4
fix tag
nianyush Apr 4, 2024
a393df2
Making target change to allow iso target for uki-iso.
vipsharm Apr 4, 2024
1006aa1
Merging UKI and non-uki provider targets into build-provider-images.
vipsharm Apr 5, 2024
debb58f
support stylus pkg restore after reset
nianyush Apr 9, 2024
179a10f
Fixing OEM size error.
vipsharm Apr 10, 2024
be8fcdb
refactor: stylus image extraction
nianyush Apr 10, 2024
3a26fae
fix: fix unpack in initramfs
nianyush Apr 10, 2024
33e1751
fix conflict
nianyush Apr 10, 2024
0b3c5db
Change to move private-keys to different folder. These keys can be co…
vipsharm Apr 10, 2024
4cfc0e6
fix typo
nianyush Apr 10, 2024
8a74bdb
Minor private key fix.
vipsharm Apr 10, 2024
0ae738e
Merge remote-tracking branch 'origin/main' into FDE
nianyush Apr 11, 2024
5e9c056
Merge branch 'main' into FDE
nianyush Apr 11, 2024
dbd5ad4
refactor: only execute uki stages if in uki boot mode
nianyush Apr 11, 2024
3d4c0d7
fix uki mode if condition
nianyush Apr 11, 2024
5654714
remove sbctl
nianyush Apr 11, 2024
83c8d4e
bump OSBUILDER to v0.200.11
nianyush Apr 11, 2024
2fc346c
use apt-get instead of apt
nianyush Apr 11, 2024
c0e41d9
bump kairos version to v3.0.5
nianyush Apr 12, 2024
0f94cce
add a hardcoded user to get logs during dev
nianyush Apr 15, 2024
b919538
Fixing the Base Image URL
vipsharm Apr 16, 2024
98aa265
Fixing ISO name
vipsharm Apr 17, 2024
f2c0f10
Removing the container target for ISO.
vipsharm Apr 17, 2024
3c9844f
Update stylus_uki.yaml
vipsharm Apr 19, 2024
b498053
Adding key folder changes.
vipsharm Apr 19, 2024
550ebb3
Fixing custom keys generation
vipsharm Apr 19, 2024
b3afe37
Fixing the image tag issue. (#167)
vipsharm Apr 19, 2024
0aa0123
Update Earthfile
vipsharm Apr 23, 2024
e3c06d7
genkey target should not use any cache
nianyush Apr 23, 2024
e33af80
use - instead of _ as directory name and print out dir tree after key…
nianyush Apr 23, 2024
5f0c268
update .gitignore
nianyush Apr 24, 2024
8763125
Ensure no error messages
kreeuwijk Apr 24, 2024
b219a22
fix typo
nianyush Apr 24, 2024
30a1246
Merge branch 'FDE' of github.com:spectrocloud/CanvOS into FDE
nianyush Apr 24, 2024
5878858
PE-3405: Kairos 3.0.x upgrade (#164)
Dr-N00B Apr 24, 2024
879adaf
CIS hardening - enabled by default
kreeuwijk Apr 24, 2024
883d963
Support UEFI boot for non-UKI ISO
kreeuwijk Apr 24, 2024
e40229f
add iso-disk-image for container disk image
nianyush Apr 24, 2024
b65d392
put ISO_NAME as global arg
nianyush Apr 24, 2024
8b9112e
fix image tag
nianyush Apr 24, 2024
4744a68
Pe 3405 (#169)
Dr-N00B Apr 25, 2024
30f8ee7
fix jetson image
nianyush Apr 25, 2024
370064f
Ensure kubeadm compatibility
kreeuwijk Apr 25, 2024
5394c68
bump kairos to v3.0.7
nianyush Apr 25, 2024
a57b491
add sbctl and mokutil in dockerfile
nianyush Apr 26, 2024
e92adf3
add uki related variables to .arg.template and add readme about trust…
nianyush Apr 26, 2024
4f6a92d
add a script to smartly explain key usage and recommends under a folder
nianyush Apr 26, 2024
6390e64
rename comment.sh to keys.sh
nianyush Apr 26, 2024
1dca7eb
Add private CA instructions
kreeuwijk Apr 26, 2024
9c05bfb
Fix example cert location info
kreeuwijk Apr 26, 2024
f4d1cc3
add bring your own key option to genkey
nianyush Apr 26, 2024
d1a2b4b
add if exists
nianyush Apr 26, 2024
bd8f84e
Merge remote-tracking branch 'origin/main' into FDE
nianyush Apr 27, 2024
4db1115
PE-3405: Update kairos base image (#172)
Dr-N00B Apr 27, 2024
02c05df
update 4.4.0-alpha1 provider versions (#174)
santhoshdaivajna Apr 27, 2024
2430964
base images changes
Dr-N00B Apr 29, 2024
45be77f
Don't concatenate the PK
kreeuwijk Apr 29, 2024
406f195
Adjust messages
kreeuwijk Apr 29, 2024
9e04f57
Phase out UKI_SELF_SIGNED_KEYS
kreeuwijk Apr 29, 2024
58e6ed9
base url change (#175)
Dr-N00B Apr 29, 2024
3103586
update
nianyush Apr 29, 2024
bfdc563
rename to 80_stylus_uki.yaml
nianyush Apr 30, 2024
3757dec
comment out sbctl
nianyush Apr 30, 2024
fc82e0f
updating kairos version 3.0.8 (#176)
Dr-N00B Apr 30, 2024
0f5ddce
Native Ubuntu Pro support
kreeuwijk May 1, 2024
68083d7
fix: content not copied into uki iso (#177)
nianyush May 1, 2024
9d2ab83
Simplify uki-build-iso
kreeuwijk May 2, 2024
0c62d62
Update private CA instructions
kreeuwijk May 2, 2024
9c02bf5
Improve wording
kreeuwijk May 2, 2024
50824ca
correct extension
kreeuwijk May 2, 2024
a95df18
dynamic cryptsetup close
kreeuwijk May 2, 2024
2402541
Correct procedure to uki-genkey
kreeuwijk May 2, 2024
8e21a5c
Add instructions for the TPM key
kreeuwijk May 2, 2024
b04a63d
Split the ZST file to 3GB chunks. (#178)
vipsharm May 2, 2024
9bcb4f7
kairos upgrade to v3.0.9 and ubuntu-fips snapd remove (#179)
Dr-N00B May 3, 2024
f5e7eae
Fix broken pam settings
kreeuwijk May 3, 2024
398f738
fix zst file missing error
nianyush May 6, 2024
8b2a775
fix content split
nianyush May 6, 2024
dff9bf6
fix split eval
kreeuwijk May 6, 2024
f9d2fbd
fix typo
kreeuwijk May 6, 2024
26d703c
Copy content for non-UKI iso
kreeuwijk May 6, 2024
daaf2e2
Fix logic
kreeuwijk May 6, 2024
f8bf35b
Generate secure-boot directory structure
kreeuwijk May 6, 2024
479c339
Only save artifacts when needed
kreeuwijk May 6, 2024
0ead43a
support INCLUDE_MS_SECUREBOOT_KEYS for BYOK
kreeuwijk May 6, 2024
1912e5e
Update .arg template instructions
kreeuwijk May 6, 2024
f8b626c
Ignore privately generated keys
kreeuwijk May 6, 2024
d824c2b
Improve private CA instructions
kreeuwijk May 6, 2024
2ddfb41
set INCLUDE_MS_SECUREBOOT_KEYS to false by default
nianyush May 6, 2024
f89fbb8
Merge branch 'FDE' of github.com:spectrocloud/CanvOS into FDE
nianyush May 6, 2024
704548e
set INCLUDE_MS_SECUREBOOT_KEYS to true by default
nianyush May 6, 2024
f7a10bb
bump k3s provider version to 4.4.0-alpha2 (#180)
kpiyush17 May 7, 2024
54b6014
Merge remote-tracking branch 'origin/main' into FDE
nianyush May 7, 2024
08652ea
Don't install libpam-pwquality twice
kreeuwijk May 8, 2024
6f1d829
Install correct yum packages
kreeuwijk May 8, 2024
decf36a
fix SPECTRO_PUB_REPO
nianyush May 8, 2024
09f53b6
Merge branch 'FDE' of github.com:spectrocloud/CanvOS into FDE
nianyush May 8, 2024
3ac44d2
fix arch
nianyush May 8, 2024
6cb9a27
build slink
nianyush May 9, 2024
639fa98
add spc.tgz to gitignore
nianyush May 9, 2024
d4812e7
add efi-size-check
nianyush May 9, 2024
13 changes: 12 additions & 1 deletion .arg.template
Expand Up @@ -10,4 +10,15 @@ HTTPS_PROXY=
HTTP_PROXY=
PROXY_CERT_PATH=
UPDATE_KERNEL=false
CLUSTERCONFIG=spc.tgz
CLUSTERCONFIG=spc.tgz
CIS_HARDENING=true

# If you have Ubuntu Pro, use the UBUNTU_PRO_KEY variable to activate it as part of the image build
# UBUNTU_PRO_KEY=your-key

# For enabling Secure Boot with Full Disk Encryption
# IS_UKI=true
# MY_ORG="ACME Corporation"
# UKI_BRING_YOUR_OWN_KEYS=false # See sb-private-ca/howto.md for instructions on bringing your own certiticates
# INCLUDE_MS_SECUREBOOT_KEYS=true # Adds Microsoft Secure Boot certificates; if you export existing keys from a device, you typically won't need this
# AUTO_ENROLL_SECUREBOOT_KEYS=false # Set to true to automatically enroll certificates on devices in Setup Mode, useful for flashing devices without user interaction
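Review bot: `CIS_HARDENING=true` is the one new setting in this template that is active rather than commented out, and it is also the only one without an explanatory comment, so anyone copying the template to `.arg` gets hardening switched on without being told what it changes. Add a one-line comment above it, as the other new variables have. Two smaller points in the same hunk: "certiticates" in the `UKI_BRING_YOUR_OWN_KEYS` comment should read "certificates", and since `UBUNTU_PRO_KEY` holds a credential, its comment could say that the filled-in `.arg` file must stay out of version control.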
2 changes: 2 additions & 0 deletions .earthlyignore
@@ -0,0 +1,2 @@
local/
build/*
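Review bot: `local/` and `build/*` use two different pattern forms for the same intent, and `.gitignore` in this same change writes the second one as `build/`. Use one form in both files so it is clear that the whole directory is meant to be excluded.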
8 changes: 5 additions & 3 deletions .gitignore
Expand Up @@ -8,11 +8,13 @@ config.yaml
content-*/*
*.arg
.idea

.DS_Store

build/
local/
keys/
secure-boot/
spectro-luet-auth.yaml
sb-private-ca/*.pem
sb-private-ca/*.key
sb-private-ca/*.req
spectro-luet-auth.yaml
spc.tgz
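Review bot: the `sb-private-ca/` rules ignore by extension (`*.pem`, `*.key`, `*.req`), so private key material saved in that folder under any other extension would still be picked up by `git add`. Ignoring the directory contents and re-including only the documentation (`sb-private-ca/*` followed by `!sb-private-ca/howto.md`) fails closed instead. Also, `spectro-luet-auth.yaml` shows up twice in these lines; if both entries are in the resulting file, drop one.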
13 changes: 13 additions & 0 deletions Dockerfile
Expand Up @@ -23,6 +23,19 @@ RUN if [ "${OS_DISTRIBUTION}" = "opensuse-leap" ] && [ "${PROXY_CERT_PATH}" != "

### To install the nginx package for Ubuntu ###

#TODO: Remove the following line. This is only for dev purpose.

# RUN useradd -m kairos && echo "kairos:kairos" | chpasswd
# RUN adduser kairos sudo
# RUN echo '%sudo ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers

# sbctl and mokutil are useful tools to check secure boot status, manage secure boot keys.
# RUN curl -Ls https://github.com/Foxboron/sbctl/releases/download/0.13/sbctl-0.13-linux-amd64.tar.gz | tar -xvzf - && mv sbctl/sbctl /usr/bin/sbctl
# RUN chmod +x /usr/bin/sbctl
# RUN apt-get update && apt-get install -y \
# mokutil \
# && apt-get clean

# RUN apt-get update && apt-get install nginx -y
### or
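Review bot: the commented-out `useradd`/`chpasswd` block under the TODO keeps a fixed `kairos:kairos` login with `NOPASSWD: ALL` sudo in the Dockerfile, one uncomment away from shipping in an image built for Secure Boot and full disk encryption. Delete the block instead of commenting it out, or gate it behind an explicit debug build argument that defaults to off. The commented `sbctl` install has a related problem: it pipes a release tarball from `curl` straight into `tar` with no checksum check, so if it is re-enabled, download to a file and verify a pinned SHA-256 before extracting.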
