Merge pull request #10 from sorenisanerd/dev

Merge dev branch

Author: sorenisanerd

.github/workflows/build.yml

@@ -17,8 +17,6 @@ jobs:
     steps:
       - name: Install cosign
         uses: sigstore/[email protected]
-      - name: Prevent man-db dpkg trigger (speeds up setup-mkosi)
-        run: sudo rm /var/lib/man-db/auto-update
       - name: setup-mkosi
         uses: sorenisanerd/mkosi@main
       - name: Checkout code
@@ -65,6 +63,7 @@ jobs:
       - name: Run mkosi
         env:
           profiles: ${{ matrix.profiles }}
+          MANGOS_GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}
         run: mkosi --debug --profile="${profiles}"
       - name: List built artifacts
         run: find out/
@@ -76,7 +75,11 @@ jobs:
           set -x
           set -e
 
-          screen -d -m -S vm mkosi vm -- -uuid $(uuidgen)
+          # mkosi doesn't pick this up from the tools dir for some reason
+          sudo apt-get install -y ovmf
+
+          mkosi --debug vm -- -uuid $(uuidgen) > vm.log 2>&1 &
+          pid=$!
 
           success=0
           for try in {1..10}
@@ -88,14 +91,22 @@ jobs:
                   fi
                   sleep 5
           done
-          test $success -eq 1
+
+          if [ $success -eq 1 ]
+          then
+                  echo "mkosi ssh succeeded"
+          else
+                  echo "mkosi ssh failed"
+                  cat vm.log
+                  exit 1
+          fi
           mkosi ssh -- shutdown -h now || true
           sleep 5
 
       - name: Remove symlinks
         run: find out/ -type l -delete
       - name: Compress artifacts
-        run: for file in out/mangos_*.raw out/mangos_*.efi; do zstd --rm "$file" ; done
+        run: for file in out/mangos{,-installer}_*.raw out/mangos_*.efi; do zstd --rm "$file" ; done
       - name: Sign artifacts
         run: for file in out/mangos* ; do cosign sign-blob -d -y --bundle "${file}.sigbundle" "${file}" > /dev/null; done
       - name: Upload build artifact (disk)
@@ -113,6 +124,16 @@ jobs:
             out/mangos_${{ env.IMAGE_VERSION }}.spdx.json
             out/mangos_${{ env.IMAGE_VERSION }}.syft.json
           name: mangos.${{ matrix.profiles }}.disk
+      - name: Upload build artifact (installer)
+        uses: actions/upload-artifact@v4
+        with:
+          path: |
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.raw.zst
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.cyclonedx.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.github.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.spdx.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.syft.json
+          name: mangos.${{ matrix.profiles }}.installer
 
   release:
     if: github.ref_type == 'tag'
@@ -131,7 +152,7 @@ jobs:
           mkdir release
 
           mv artifacts/mangos.verity-full.disk/* release/
-
+          mv artifacts/mangos.verity-full.installer/* release/
           for f in artifacts/mangos.verity-full,docker.disk/* ; do
             mv "$f" "release/mangos+docker_$(basename $f | cut -f2- -d_)"
           done

.github/workflows/pr.yml

@@ -58,7 +58,10 @@ jobs:
           set -x
           set -e
 
-          screen -d -m -S vm mkosi vm -- -uuid $(uuidgen)
+          # mkosi doesn't pick this up from the tools dir for some reason
+          sudo apt-get install -y ovmf
+
+          mkosi --debug vm -- -uuid $(uuidgen) > vm.log 2>&1 &
 
           success=0
           for try in {1..10}
@@ -70,14 +73,22 @@ jobs:
                   fi
                   sleep 5
           done
-          test $success -eq 1
+
+          if [ $success -eq 1 ]
+          then
+                  echo "mkosi ssh succeeded"
+          else
+                  echo "mkosi ssh failed"
+                  cat vm.log
+                  exit 1
+          fi
           mkosi ssh -- shutdown -h now || true
           sleep 5
 
       - name: Remove symlinks
         run: find out/ -type l -delete
       - name: Compress artifacts
-        run: for file in out/mangos_*.raw out/mangos_*.efi; do zstd --rm "$file" ; done
+        run: for file in out/mangos{,-installer}_*.raw out/mangos_*.efi ; do zstd --rm "$file" ; done
       - name: Upload build artifact (disk)
         id: upload-disk
         uses: actions/upload-artifact@v4
@@ -93,3 +104,13 @@ jobs:
             out/mangos_${{ env.IMAGE_VERSION }}.spdx.json
             out/mangos_${{ env.IMAGE_VERSION }}.syft.json
           name: mangos.${{ matrix.profiles }}.disk
+      - name: Upload build artifact (installer)
+        uses: actions/upload-artifact@v4
+        with:
+          path: |
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.raw.zst
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.cyclonedx.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.github.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.spdx.json
+            out/mangos-installer_${{ env.IMAGE_VERSION }}.syft.json
+          name: mangos.${{ matrix.profiles }}.installer

.gitignore

@@ -6,3 +6,5 @@
 /mkosi.key
 /build
 /pkg
+/mkosi.packages
+/gpg

README.md

@@ -4,20 +4,50 @@
 
 If you look around, you can see that this is very much in its infancy, and not something you'd find running at Mastercard, so the name is more aspirational than anything.
 
-## What is it?
+## Installation instructions
+
+The installer is provided as a disk image. Look for the `mangos-installer_x.y.z.raw` artifact. Write it to a USB stick and reboot. By default, it will use DHCP to configure the network. If you need to provide different network config, you can replace `ip=any` from the kernel command line by pressing `E` when the the boot prompt shows up.
+
+Once the network is up, the installer enumerates the block devices and presents a screen to choose the target device. Once selected, the installer streams the appropriate release from Github and writes it directly to the selected block device and reboots. On my test rig, the whole thing takes less than 10 seconds. Very few guard rails and obviously destructive. Any existing data on the target device will be overwritten. Beware.
+
+## First boot process
+
+When mangos boots, it ensures all the right partitions have been created. The disk images we distribute only contain a subset:
+
+* An ESP (EFI System Partition),
+* a root partition,
+* a verity hash partition, and
+* a signature partition.
+
+On first boot, the rest are created:
+
+* An alternate root partition,
+* an alternate verity hash partition,
+* an alternate signature partition,
+* a swap partition,
+* `/var/tmp`, and
+* `/var`.
+
+See the [Updates](#updates) section for more details on the alternate partitions.
+
+The last three are encrypted using a TPM backed key. The key is bound directly to PCR 7 (`--tpm2-pcrs=7`) and indirectly to PCR 11 (`--tpm2-public-key-pcrs=11`). The signatures for the expected values of PCR 11 are embedded in the UKI (Unified Kernel Image). This allows unlocking when booting any UKI signed with the same key, provided PCR 7 has not been changed. PCR 7 records the Secure Boot policy, so disabling Secure Boot, adding/removing keys in the firmware, etc. will all prevent accessing the keys.
+
+## Updates
+
+1. When a new version of Mangos is released, it is made available as a disk image for new installs, and split into partition files for updates.
+1. `systemd-sysupdate` periodically checks for updates. However, it expects to find updates in a flat directory structure. A small, local proxy (`mangos-sd-gh-proxy`) performs the necessary translation.
+1. When an update is found, it is written to the inactive partition set.
+1. On reboot, the bootloader will attempt to boot into the newest version and fall back to the older one if it fails.
+
+## What is MANGOS anyway?
 
 With MANGOS, we want to build a highly secure operating system beyond what you can achieve with garden variety Linux distros.
 
 ### Disk layout
 
 First, MANGOS gets installed as an image. The filesystem is [erofs](https://docs.kernel.org/filesystems/erofs.html), so the filesystem driver doesn't even implement any write operations. The image also contains a [Verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) hash partition. The kernel uses this to verify that the erofs filesystem hasn't been tampered with. A third partition contains a signature for the hash partition. The kernel will check this signature against a certificate that is embedded in the kernel at build time. Also, the kernel itself is signed, and systems are configured with Secure Boot to only allow kernels (or boot managers/loaders) signed by this key. Finally, the system will refuse to start if Secure Boot is disabled.
-
-System updates are also provided as images. As they are made available, they are downloaded and written to a second set of 3 partitions as (data + hash + signature). On reboot, the bootloader will attempt to boot into the newest version and fall back to the older one if it fails.
-
 The filesystem in the image is the root filesystem, so even `/etc` is read-only.  Configuration is done using [configuration extensions](https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html). These are also signed and verified against the certificate in the kernel.
 
-On first boot, `systemd-repart` creates 3 partitions: swap, `/var`, and `/var/tmp`. They are encrypted using a key rooted in the TPM, so can't be decrypted anywhere else.
-
 If you've ever used CoreOS, a lot of these concepts will seem familiar. If you're an Android user, you're using a lot of this already!
 
 ### Runtime environment and compatibility

docs/keys.md

@@ -0,0 +1,58 @@
+# Encryption and signing key types and sizes
+
+Different parts of the system need different key types and sizes, and the tooling doesn't alwways prevent you from making the wrong choices.
+
+## Kernel signing key
+
+| Type | Size      | Extra info                    | Working? |
+|------|-----------|-------------------------------|----------|
+| RSA  | 4096 bits | Extensions as below           | Yes      |
+| RSA  | 2048 bits | As produced by `mkosi genkey` | No       |
+
+The kernel's build system creates a signing key using [this config](https://github.com/torvalds/linux/blob/8f5ae30d69d7543eee0d70083daf4de8fe15d585/certs/default_x509.genkey) (shown here with irrelevant parts removed):
+
+```
+[ req ]
+default_bits = 4096
+x509_extensions = myexts
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+```
+
+I'm not sure if the extensions must be set up exactly like this.
+
+## Verity signing key
+
+| Type | Size      | Extra info                    | Working? |
+|------|-----------|-------------------------------|----------|
+| RSA  | 4096 bits | Extensions as for kernel      | Yes      |
+| RSA  | 2048 bits | As produced by `mkosi genkey` | Yes      |
+
+
+## Expected PCR signatures
+
+| Type | Size      | Working? |
+|------|-----------|----------|
+| RSA  | 4096 bits | No       |
+| RSA  | 2048 bits | Yes      |
+
+When creating the encrypted, local storage, a key is loaded into the TPM along with the conditions required to get access to the key.
+Validating those conditions involves loading a public key into the TPM to verify a signature.
+It may depend on your specific TPM, but with 4096 bit keys, I'd get errors.
+With a 2048 bit key, everything was fine.
+
+mkosi uses `SignExpectedPCRKey` to sign the expected PCR values that are embedded in the UKI.
+If one is not provided, it will use `mkosi.key` if it exists.
+
+## Secure boot key
+
+(Add info)
+
+## Repository signing key (sysupdate)
+
+`SHA256SUMS` needs to be signed by a GPG key.
+Not sure if there are any special requirements for the key.

mangos-sd-gh-proxy.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+import re
+from flask import Flask, redirect
+from github import Github, Auth
+import github
+
+sha256sums = ''
+
+def os_release_to_dict(fname='/usr/lib/os-release'):
+    result = {}
+    with open(fname, 'r') as fp:
+        for l in fp:
+            if '=' in l:
+                key, value = l.split('=', 1)
+                result[key.strip()] = value.strip().strip('"')
+    return result
+
+os_release = os_release_to_dict()
+if 'MANGOS_GITHUB_URL' in os_release:
+    github_url = os_release['MANGOS_GITHUB_URL']
+    repo_full = '/'.join(github_url.split('/')[-2:])
+
+app = Flask(__name__)
+
+def get_github_client() -> Github:
+    """
+    Initialize and return a GitHub client.
+    Replace 'your_token_here' with your actual GitHub token.
+    """
+    return Github()
+
+@app.route('/SHA256SUMS')
+def sha256_sums() -> str:
+    global sha256sums
+    if sha256sums:
+        return sha256sums
+
+    g = get_github_client()
+    repo = g.get_repo(repo_full, lazy=True)
+    releases = repo.get_releases()
+    for release in releases:
+        for asset in release.raw_data['assets']:
+            digest = asset["digest"]
+            name = asset["name"]
+            if digest.startswith("sha256:"):
+                sha256sums += f'{digest[7:]} *{name}\n'
+
+    return sha256sums
+
+@app.route('/<path:filename>')
+def file_content(filename: str) -> str:
+    version = filename.split('_')[1]
+    for ext in ['.gz', '.zst']:
+        if version.endswith(ext):
+            version = version[:-len(ext)]
+            break
+
+    for ext in ['.efi', '.cyclonedx.json', '.github.json', '.raw', '.spdx.json', '.syft.json']:
+        if version.endswith(ext):
+            version = version[:-len(ext)]
+            break
+
+    version = re.sub(r'\.root-x86-64(-verity(-sig)?)?\.[a-z0-9]{32}$', '', version)
+
+    return redirect(f'{github_url}/releases/download/v{version}/filename')
+
+def main():
+    app.run(host='0.0.0.0', port=1002)
+
+if __name__ == "__main__":
+    main()

mkosi.conf

@@ -9,7 +9,7 @@ Release=oracular
 # Generated using `openssl passwd -6`
 RootPassword=hashed:$6$OM2raXimIv8ucv8M$KwmcGa3kMjKlxvvpVdTVZ9khXy5pp2FJU0gNWqJ6nEMG7Yut2sxILhr7bs/yEC.WoUYP.hlBWt0zn4W7XCcyi.
 
-KernelCommandLine=systemd.machine_id=firmware
+KernelCommandLine=systemd.machine_id=firmware lsm=lockdown,capability,landlock,yama,apparmor,ima,evm,bpf
 
 # System TZ should always be UTC. Users can set their own, if they want.
 Timezone=UTC
@@ -75,13 +75,17 @@ Packages=
     gdisk
     pciutils
     lshw
+    python3-flask
+    python3-github
 
 RemoveFiles=
         /usr/share/locale/*
 
 ExtraTrees=sshd-keygen:/usr/lib/sshd-keygen
            [email protected]:/usr/lib/systemd/system/
            sshd-keygen.target:/usr/lib/systemd/system/
+           resources/sysupdate.d:/usr/lib/
+           mangos-sd-gh-proxy.py:/usr/bin/mangos-sd-gh-proxy
 
 [Build]
 BuildDirectory=%D/build
@@ -91,9 +95,11 @@ History=yes
 # Reuses partial builds, so also improves cache use.
 Incremental=yes
 
+Environment=MANGOS_GITHUB_URL
+
 [Config]
 #Dependencies=initrd,admin-toolbox
-Profiles=verity-full
+Profiles=verity-full,secureboot
 
 [Include]
 Include=%D/resources/common-kernel
@@ -132,7 +138,7 @@ KVM=yes
 RuntimeNetwork=user
 RuntimeSize=20G
 Firmware=uefi
-TPM=False
+TPM=yes
 Ephemeral=yes
 RAM=4G
 CPUs=2

mkosi.extra/usr/lib/repart.d/30-swap.conf

@@ -1,7 +1,7 @@
 [Partition]
 Type=swap
 Format=swap
-#Encrypt=tpm2
+Encrypt=tpm2
 SizeMinBytes=4G
 SizeMaxBytes=4G
 FactoryReset=on

mkosi.extra/usr/lib/repart.d/40-var-tmp.conf

@@ -1,7 +1,6 @@
 [Partition]
 Type=tmp
 Format=xfs
+Encrypt=tpm2
 SizeMinBytes=5G
-# Without a TPM, this fails.
-#Encrypt=tpm2
 FactoryReset=on