From b99f776156d58183ec6f96d3744bc9f7f86f6d3a Mon Sep 17 00:00:00 2001
From: Gerald Pinder
Date: Fri, 5 Sep 2025 17:58:34 -0400
Subject: [PATCH] Start creating base images

---
 .gitlab-ci.yml | 73 +++++++++++++++++++--------------
 files/scripts/sign-check.sh | 39 ++++++++++++++++++
 files/scripts/signkernel.sh | 26 ++++++++++++
 files/scripts/signmodules.sh | 55 +++++++++++++++++++++++++
 recipes/base-cosmic-nvidia.yml | 30 ++++++++++++++
 recipes/base-cosmic.yml | 28 +++++++++++++
 recipes/base-kinoite-nvidia.yml | 18 ++++++++
 recipes/base-kinoite.yml | 16 ++++++++
 recipes/common/base-common.yml | 12 ++++++
 recipes/common/nvidia.yml | 18 ++++++++
 recipes/common/post-build.yml | 10 +----
 11 files changed, 287 insertions(+), 38 deletions(-)
 create mode 100644 files/scripts/sign-check.sh
 create mode 100644 files/scripts/signkernel.sh
 create mode 100644 files/scripts/signmodules.sh
 create mode 100644 recipes/base-cosmic-nvidia.yml
 create mode 100644 recipes/base-cosmic.yml
 create mode 100644 recipes/base-kinoite-nvidia.yml
 create mode 100644 recipes/base-kinoite.yml
 create mode 100644 recipes/common/base-common.yml
 create mode 100644 recipes/common/nvidia.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 16ce228..107d481 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,14 +9,53 @@ workflow: - if: "$CI_COMMIT_BRANCH" stages: + - base-images - build -build-image: - stage: build - interruptible: true - image: ghcr.io/blue-build/cli:$TAG +variables: + DOCKER_HOST: tcp://docker:2376 + DOCKER_TLS_CERTDIR: /certs + DOCKER_TLS_VERIFY: 1 + DOCKER_CERT_PATH: $DOCKER_TLS_CERTDIR/client + RUST_LOG_STYLE: always + BB_SIGNING_DRIVER: sigstore + CLICOLOR_FORCE: 1 + TAG: main + +.build: services: - docker:dind + interruptible: true + image: ghcr.io/blue-build/cli:$TAG + before_script: + - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash + - export COSIGN_PRIVATE_KEY=$(cat .secure_files/cosign.key) + - sleep 5 + script: + - bluebuild build "./recipes/${RECIPE}" + +base-images: + extends: + - .build + # stage: base-images + stage: build + parallel: + matrix: + - RECIPE: + - base-kinoite.yml + - base-cosmic.yml + - base-kinoite-nvidia.yml + - base-cosmic-nvidia.yml + TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci + # BB_BUILD_PUSH: 'true' + # BB_BUILD_RECHUNK: 'true' + +build-image: + extends: + - .build + stage: build + # needs: + # - base-images parallel: matrix: - RECIPE: 
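Review bot: The new `.build` template's `before_script` still pipes an unpinned installer from a raw `main` URL into `bash` and, in the same job environment, exports the cosign private key from `.secure_files/cosign.key`, so every job that `extends: .build` — now including the four `base-images` matrix entries — executes unreviewed remote code with the signing key readable; the commit moves these lines into the template without addressing that. Pin the installer to a specific commit and check it before running it, e.g. `- curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/<PINNED_COMMIT_SHA>/installer" -o installer && echo "<EXPECTED_SHA256>  installer" | sha256sum -c - && bash installer` (placeholders to be filled in), and consider reading the key only around the `bluebuild build` step rather than exporting it for the whole job. Separately, `base-images` keeps `stage: build` with `# stage: base-images` commented out and `build-image` has `# needs: - base-images` commented out, so nothing orders the base builds before the images that presumably derive from them; if the derived recipes consume these base images, the stage or `needs` has to be restored before `BB_BUILD_PUSH` is enabled for them. The `build-image` matrix continues past the end of the hunk.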
@@ -25,31 +64,5 @@ build-image: - wke-server.yml - wke-worker.yml - jp-laptop.yml - TAG: main BB_CACHE_LAYERS: 'true' BB_BUILD_PUSH: 'true' - # - RECIPE: jp-desktop-nvidia.yml - # TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci - # BB_BUILD_PUSH: 'true' - # BB_BUILD_RECHUNK: 'true' - # - RECIPE: wke-server.yml - # TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci - # BB_BUILD_DRIVER: podman - # BB_BUILD_SQUASH: 'true' - # BB_BUILD_RECHUNK: - # - 'true' - # - 'false' - variables: - DOCKER_HOST: tcp://docker:2376 - DOCKER_TLS_CERTDIR: /certs - DOCKER_TLS_VERIFY: 1 - DOCKER_CERT_PATH: $DOCKER_TLS_CERTDIR/client - RUST_LOG_STYLE: always - BB_SIGNING_DRIVER: sigstore - CLICOLOR_FORCE: 1 - before_script: - - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash - - export COSIGN_PRIVATE_KEY=$(cat .secure_files/cosign.key) - script: - - sleep 5 - - bluebuild build "./recipes/${RECIPE}" diff --git a/files/scripts/sign-check.sh b/files/scripts/sign-check.sh new file mode 100644 index 0000000..bc04f60 --- /dev/null +++ b/files/scripts/sign-check.sh 
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+KERNEL="$1"
+module="$2"
+PUBLIC_CERT="$3"
+
+kmod_sig="/tmp/kmod.sig"
+kmod_p7s="/tmp/kmod.p7s"
+kmod_data="/tmp/kmod.data"
+/usr/src/kernels/"${KERNEL}"/scripts/extract-module-sig.pl -s "${module}" > "${kmod_sig}"
+openssl pkcs7 -inform der -in "${kmod_sig}" -out "${kmod_p7s}"
+/usr/src/kernels/"${KERNEL}"/scripts/extract-module-sig.pl -0 "${module}" > "${kmod_data}"
+if openssl cms -verify -binary -inform PEM \
+ -in "${kmod_p7s}" \
+ -content "${kmod_data}" \
+ -certfile "${PUBLIC_CERT}" \
+ -out "/dev/null" \
+ -nointern -noverify
+ then
+ echo "Signature Verified for ${module}"
+else
+ echo "Signature Failed for ${module}"
+ exit 1
+fi
diff --git a/files/scripts/signkernel.sh b/files/scripts/signkernel.sh
new file mode 100644
index 0000000..9fd8ad2
--- /dev/null
+++ b/files/scripts/signkernel.sh
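Review bot: The three scratch files are fixed paths under `/tmp` (`kmod_sig`, `kmod_p7s`, `kmod_data`) that are never removed, so the script is not re-entrant and the last module's extracted signature and payload are left behind in `/tmp` after the build step. Use a private directory that is cleaned up on exit, `workdir="$(mktemp -d)"; trap 'rm -rf "${workdir}"' EXIT`, and point the three paths at `${workdir}`. The `-nointern -noverify` flags are only correct because `-certfile` supplies the exact signer certificate and no chain validation is wanted; a comment such as `# -noverify/-nointern: trust is the certificate passed as $3, not a CA chain` would stop a later reader from "fixing" them. An argument-count check (`[ $# -eq 3 ] || { echo "usage: $0 KERNEL MODULE PUBLIC_CERT" >&2; exit 2; }`) would also turn the `set -u` unbound-variable errors on `$1`/`$2`/`$3` into a readable message.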
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+KERNEL_VERSION="$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+
+PUBLIC_KEY_DER_PATH="../system/etc/pki/akmods/certs/akmods-secureblue.der"
+PUBLIC_KEY_CRT_PATH="./certs/public_key.crt"
+PRIVATE_KEY_PATH="/tmp/certs/private_key.priv"
+
+openssl x509 -in "$PUBLIC_KEY_DER_PATH" -out "$PUBLIC_KEY_CRT_PATH"
+sbsign --cert "$PUBLIC_KEY_CRT_PATH" --key "$PRIVATE_KEY_PATH" /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz --output /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz
+sbverify --list /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz
diff --git a/files/scripts/signmodules.sh b/files/scripts/signmodules.sh
new file mode 100644
index 0000000..38639e1
--- /dev/null
+++ b/files/scripts/signmodules.sh
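Review bot: The final `sbverify --list` only prints the signature table attached to the vmlinuz; it does not validate the signature against the certificate that was meant to sign it, so a wrong `/tmp/certs/private_key.priv` would still pass this step. Mirror what sign-check.sh does for modules and verify against the cert just converted: `sbverify --cert "$PUBLIC_KEY_CRT_PATH" /usr/lib/modules/"${KERNEL_VERSION}"/vmlinuz`. The relative `../system/etc/pki/...` and `./certs/` paths make the script depend on the directory it is launched from, and `./certs/` must already exist for the `openssl x509 -out` write; a header comment naming the expected working directory (presumably the scripts directory the recipe mounts — confirm) and stating that the private key must be provided at `/tmp/certs/private_key.priv` by the build environment would help the next reader.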
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 Universal Blue
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+set -oue pipefail
+
+MODULE_NAME="${1-}"
+if [ -z "$MODULE_NAME" ]; then
+ echo "MODULE_NAME is empty. Exiting..."
+ exit 1
+fi
+
+KERNEL_VERSION="$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+
+PUBLIC_KEY_DER_PATH="../system/etc/pki/akmods/certs/akmods-secureblue.der"
+PUBLIC_KEY_CRT_PATH="./certs/public_key.crt"
+PRIVATE_KEY_PATH="/tmp/certs/private_key.priv"
+openssl x509 -in "$PUBLIC_KEY_DER_PATH" -out "$PUBLIC_KEY_CRT_PATH"
+
+PRIVATE_KEY_PATH="/tmp/certs/private_key.priv"
+SIGNING_KEY="./certs/signing_key.pem"
+cat "$PRIVATE_KEY_PATH" <(echo) "$PUBLIC_KEY_CRT_PATH" >> "$SIGNING_KEY"
+
+for module in /usr/lib/modules/"${KERNEL_VERSION}"/extra/"${MODULE_NAME}"/*.ko*; do
+ module_basename="${module:0:-3}"
+ module_suffix="${module: -3}"
+ if [[ "$module_suffix" == ".xz" ]]; then
+ xz --decompress "$module"
+ openssl cms -sign -signer "${SIGNING_KEY}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
+ /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${module_basename}"
+ /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${module_basename}" "${PUBLIC_KEY_CRT_PATH}"
+ xz -C crc32 -f "${module_basename}"
+ elif [[ "$module_suffix" == ".gz" ]]; then
+ gzip -d "$module"
+ openssl 
cms -sign -signer "${SIGNING_KEY}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap + /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${module_basename}" + /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${module_basename}" "${PUBLIC_KEY_CRT_PATH}" + gzip -9f "${module_basename}" + else + openssl cms -sign -signer "${SIGNING_KEY}" -binary -in "$module" -outform DER -out "${module}.cms" -nocerts -noattr -nosmimecap + /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${module}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${module}" + /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${module}" "${PUBLIC_KEY_CRT_PATH}" + fi +done diff --git a/recipes/base-cosmic-nvidia.yml b/recipes/base-cosmic-nvidia.yml new file mode 100644 index 0000000..c8b34b8 --- /dev/null +++ b/recipes/base-cosmic-nvidia.yml @@ -0,0 +1,30 @@ +--- +# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json +name: cosmic-nvidia +base-image: quay.io/fedora/fedora-bootc +image-version: 42 +description: The base image of Wunker OS +modules: + # Latest build + - type: dnf + repos: + cleanup: true + copr: + - ryanabx/cosmic-epoch + install: + packages: + - cosmic-desktop + + # Official release + # - type: dnf + # group-install: + # packages: + # - cosmic-desktop-environment + + # Setup cosmic greeter as DM + - type: systemd + system: + enabled: + - cosmic-greeter + - from-file: common/nvidia.yml + - from-file: common/base-common.yml diff --git a/recipes/base-cosmic.yml b/recipes/base-cosmic.yml new file mode 100644 index 0000000..c87faab --- /dev/null +++ b/recipes/base-cosmic.yml 
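Review bot: `cat "$PRIVATE_KEY_PATH" <(echo) "$PUBLIC_KEY_CRT_PATH" >> "$SIGNING_KEY"` appends, so if the script runs more than once in the same build (it takes one `MODULE_NAME` per call) `./certs/signing_key.pem` accumulates repeated private-key and certificate blocks; write it with `>` instead, and drop the second `PRIVATE_KEY_PATH=` assignment, which repeats the first with the same value. That file holds the private module-signing key in the working directory, so remove it on exit (`trap 'rm -f "${SIGNING_KEY}"' EXIT`) and confirm the directory is not part of what gets committed into the image. The openssl cms / sign-file / sign-check.sh triple is repeated verbatim in all three branches of the loop; a helper keeps each branch to its compression handling, as below. The `.cms` detached signatures are also left beside each module under `/usr/lib/modules/.../extra/`; unless something later consumes them, delete them once sign-check.sh passes.
```shell
# … unchanged: license header, MODULE_NAME check, KERNEL_VERSION and certificate paths …
SIGNING_KEY="./certs/signing_key.pem"
cat "$PRIVATE_KEY_PATH" <(echo) "$PUBLIC_KEY_CRT_PATH" > "$SIGNING_KEY"
trap 'rm -f "${SIGNING_KEY}"' EXIT

# Sign one uncompressed .ko in place and verify the embedded signature.
sign_module() {
  local target="$1"
  openssl cms -sign -signer "${SIGNING_KEY}" -binary -in "${target}" -outform DER -out "${target}.cms" -nocerts -noattr -nosmimecap
  /usr/src/kernels/"${KERNEL_VERSION}"/scripts/sign-file -s "${target}.cms" sha256 "${PUBLIC_KEY_CRT_PATH}" "${target}"
  /bin/bash ./sign-check.sh "${KERNEL_VERSION}" "${target}" "${PUBLIC_KEY_CRT_PATH}"
  rm -f "${target}.cms"
}

for module in /usr/lib/modules/"${KERNEL_VERSION}"/extra/"${MODULE_NAME}"/*.ko*; do
  module_basename="${module:0:-3}"
  module_suffix="${module: -3}"
  if [[ "$module_suffix" == ".xz" ]]; then
    xz --decompress "$module"
    sign_module "$module_basename"
    xz -C crc32 -f "${module_basename}"
  elif [[ "$module_suffix" == ".gz" ]]; then
    gzip -d "$module"
    sign_module "$module_basename"
    gzip -9f "${module_basename}"
  else
    sign_module "$module"
  fi
done
```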
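Review bot: `base-image` here is `quay.io/fedora/fedora-bootc`, while base-cosmic.yml — identical apart from the `common/nvidia.yml` include — builds on `ghcr.io/ublue-os/base-main`; if that is deliberate (nvidia.yml drops a file into `/usr/lib/bootc/kargs.d`, which presumably is the reason — confirm), a comment above the line such as `# fedora-bootc rather than ublue base-main: nvidia.yml installs /usr/lib/bootc/kargs.d` would keep the two recipes from drifting apart silently. All four new recipes also share the literal `description: The base image of Wunker OS`; a per-variant description (desktop, with or without NVIDIA) makes the published image metadata distinguishable.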
@@ -0,0 +1,28 @@ +--- +# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json +name: cosmic +base-image: ghcr.io/ublue-os/base-main +image-version: 42 +description: The base image of Wunker OS +modules: + - type: dnf + repos: + cleanup: true + copr: + - ryanabx/cosmic-epoch + install: + packages: + - cosmic-desktop + + # Official release + # - type: dnf + # group-install: + # packages: + # - cosmic-desktop-environment + + # Setup cosmic greeter as DM + - type: systemd + system: + enabled: + - cosmic-greeter + - from-file: common/base-common.yml diff --git a/recipes/base-kinoite-nvidia.yml b/recipes/base-kinoite-nvidia.yml new file mode 100644 index 0000000..745532d --- /dev/null +++ b/recipes/base-kinoite-nvidia.yml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json +name: kinoite-nvidia +base-image: ghcr.io/ublue-os/kinoite-main +image-version: 42 +description: The base image of Wunker OS +modules: + - type: dnf + group-install: + packages: + - kde-desktop + - type: systemd + system: + enabled: + - sddm + - from-file: common/nvidia.yml + - from-file: common/base-common.yml + diff --git a/recipes/base-kinoite.yml b/recipes/base-kinoite.yml new file mode 100644 index 0000000..7d077b6 --- /dev/null +++ b/recipes/base-kinoite.yml @@ -0,0 +1,16 @@ +--- +# yaml-language-server: $schema=https://schema.blue-build.org/recipe-v1.json +name: kinoite +base-image: ghcr.io/ublue-os/kinoite-main +image-version: 42 +description: The base image of Wunker OS +modules: + - type: dnf + group-install: + packages: + - kde-desktop + - type: systemd + system: + enabled: + - sddm + - from-file: common/base-common.yml diff --git a/recipes/common/base-common.yml b/recipes/common/base-common.yml new file mode 100644 index 0000000..b3bb53f --- /dev/null +++ b/recipes/common/base-common.yml 
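Review bot: The commented-out `# Official release` block, carried in both cosmic recipes, leaves the reader guessing whether the `ryanabx/cosmic-epoch` COPR is a temporary stand-in for the Fedora `cosmic-desktop-environment` group or a permanent choice; replace the dead block with a one-line comment stating why the COPR build is used and when to drop it (the actual reason is for the author to fill in). Since `repos.cleanup: true` removes the COPR after install, the packages are frozen at build time, which is fine for an image build but worth a note because a personal COPR has no release gating beyond its owner and the base image inherits whatever it published at build time.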
@@ -0,0 +1,12 @@ +modules: + - type: script + snippets: + - systemctl set-default graphical.target + - from-file: common/updates.yml + - from-file: common/bluebuild-logo.yml + - type: os-release + properties: + NAME: WunkerOS + ID: wunker_os + PRETTY_NAME: Wunker OS + - from-file: common/post-build.yml diff --git a/recipes/common/nvidia.yml b/recipes/common/nvidia.yml new file mode 100644 index 0000000..a76c1c9 --- /dev/null +++ b/recipes/common/nvidia.yml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://schema.blue-build.org/module-list-v1.json +modules: + - type: dnf + repos: + cleanup: true + nonfree: rpmfusion + install: + packages: + - akmod-nvidia + - type: script + snippets: + - echo "%_with_kmod_nvidia_open 1" > /etc/rpm/macros.nvidia-kmod + - akmods --kernels "$(rpm -q "kernel" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" --rebuild + - type: files + files: + - source: nvidia-kargs + destination: /usr/lib/bootc/kargs.d diff --git a/recipes/common/post-build.yml b/recipes/common/post-build.yml index fab727a..88d5e2e 100644 --- a/recipes/common/post-build.yml +++ b/recipes/common/post-build.yml @@ -1,11 +1,5 @@ modules: - # - type: script - # snippets: - # - ldconfig - type: initramfs - # env: - # DRACUT_NO_XATTR: '1' + env: + DRACUT_NO_XATTR: '1' source: local - # - type: script - # scripts: - # - initramfs.sh
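Review bot: base-common.yml is the only new recipe file without the `---` document start and the `# yaml-language-server: $schema=https://schema.blue-build.org/module-list-v1.json` header that common/nvidia.yml carries; adding the same two lines at the top keeps editor validation consistent across the module-list files. The `from-file` entries reference `common/updates.yml` and `common/bluebuild-logo.yml`, which are not part of this commit, so they presumably already exist in the repository — worth confirming before the base-images job is enabled.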
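Review bot: The `akmods --rebuild` here builds the NVIDIA kernel modules, but none of the recipes in this commit invoke the new `signmodules.sh` or `signkernel.sh`, so the modules produced in the `-nvidia` images stay unsigned; on a Secure Boot system with module signature enforcement they will not load. If signing is planned as a follow-up, a `# TODO: sign the rebuilt akmods with files/scripts/signmodules.sh once the signing key is available in the build` comment above the script module records that; otherwise add a `type: script` module after the rebuild that runs the signer (e.g. `signmodules.sh nvidia`, if the akmods land under `extra/nvidia` — confirm). The `echo "%_with_kmod_nvidia_open 1" > /etc/rpm/macros.nvidia-kmod` snippet also deserves a short comment saying what the macro selects for the rebuild (presumably the open kernel-module variant — confirm), since the name alone does not tell a reader unfamiliar with rpmfusion's akmod-nvidia.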