build.sh: add backward compatible AIRGAP build

This change look for AIRGAP environment variable and if it is set it
perform airgap build of Dasharo for Odroid H4 and its version for
Intel Boot Guard.

This is required for security, privacy and trainers who would like to
perform 100% offline build.

To make that possible couple requirements have to be fulfilled:
- repository cannot be distcleaned, because it remove all artifacts, the
  assumption is that provided repository already has all dependencies
  fetched, so only make clean is made before proceeding
- since whole process rely on mounting edk2 as volume inside Dasharo SDK
  container, workspace directory to which it would be mount needs proper
  permissions otherwise docker will create mountpoint with root
  privileges, what cause issues in further use and build process
- finally we take into consideration BUILD_TIMELESS environment
  variable, which improve testability of build process and toolchain
  change

This change was tested by:
1. cloning relevant version of edk2
2. cloning coreboot, cd coreboot
3. running checkout on ipxe:

docker run --rm --user $(id -u):$(id -g) -v $PWD:/home/coreboot/coreboot \
  ${DASHARO_SDK} \
  make -C /home/coreboot/coreboot/payloads/external/iPXE checkout

4. Build

EDK2_REPO_PATH="${PWD}/../edk2" AIRGAP=1 BUILD_TIMELESS=1 ./build.sh odroid_h4_btg
EDK2_REPO_PATH="${PWD}/../edk2" AIRGAP=1 BUILD_TIMELESS=1 ./build.sh odroid_h4

Signed-off-by: Piotr Król <[email protected]>

Author: pietrushnic

build.sh

@@ -244,19 +244,52 @@ function build_odroid_h4 {
   git submodule update --init --force --checkout \
       3rdparty/dasharo-blobs
 
-  docker run --rm -t -u $UID -v $PWD:/home/coreboot/coreboot \
-    -v $HOME/.ssh:/home/coreboot/.ssh \
-    -w /home/coreboot/coreboot ${DASHARO_SDK} \
-    /bin/bash -c "make distclean"
+  if [ "${AIRGAP}" -eq 1 ]; then
+    docker run --rm -t -u $UID -v $PWD:/home/coreboot/coreboot \
+      -v $HOME/.ssh:/home/coreboot/.ssh \
+      -w /home/coreboot/coreboot ${DASHARO_SDK} \
+      /bin/bash -c "make clean"
+  else
+    docker run --rm -t -u $UID -v $PWD:/home/coreboot/coreboot \
+      -v $HOME/.ssh:/home/coreboot/.ssh \
+      -w /home/coreboot/coreboot ${DASHARO_SDK} \
+      /bin/bash -c "make distclean"
+  fi
 
   cp $DEFCONFIG .config
 
   echo "Building Dasharo compatbile with Hardkernel ODROID H4 (version $FW_VERSION)"
 
-  docker run --rm -t -u $UID -v $PWD:/home/coreboot/coreboot \
-    -v $HOME/.ssh:/home/coreboot/.ssh \
-    -w /home/coreboot/coreboot ${DASHARO_SDK} \
-    /bin/bash -c "make olddefconfig && make -j$(nproc)"
+  if [ "${AIRGAP}" -eq 1 ]; then
+
+    # In this situation we assume that provided repository is ready to be used
+    # and nothing should be downloaded during build process.
+
+    if [ -d "${EDK2_REPO_PATH}" ]; then
+      # Without following sequence workspce would be created by docker with root
+      # privilidges and build will fail.
+      # Target directory
+      TARGET_DIR="payloads/external/edk2/workspace/Dasharo"
+      mkdir -p "$TARGET_DIR"
+      chown -R $(id -u):$(id -g) "$TARGET_DIR"
+      chmod -R 755 "$TARGET_DIR"
+      docker run --rm -t -u $UID -v $PWD:/home/coreboot/coreboot \
+        -v $HOME/.ssh:/home/coreboot/.ssh \
+        --network none \
+        ${EDK2_REPO_PATH:+-v $EDK2_REPO_PATH:/home/coreboot/coreboot/payloads/external/edk2/workspace/Dasharo} \
+        -e BUILD_TIMELESS=${BUILD_TIMELESS} \
+        -w /home/coreboot/coreboot ${DASHARO_SDK} \
+        /bin/bash -c "make olddefconfig && make -j$(nproc)"
+    else
+      echo "EDK2_REPO_PATH is not defined in AIRGAP!"
+      exit 1
+    fi
+  else
+    docker run --rm -t -u $UID -v $PWD:/home/coreboot/coreboot \
+      -v $HOME/.ssh:/home/coreboot/.ssh \
+      -w /home/coreboot/coreboot ${DASHARO_SDK} \
+      /bin/bash -c "make olddefconfig && make -j$(nproc)"
+  fi
 
   cp build/coreboot.rom hardkernel_odroid_h4_${FW_VERSION}.rom
   if [ $? -eq 0 ]; then