From 1a141c39728c88d9a5c8b36ab453cf055e3968dc Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:04:41 +0200
Subject: [PATCH] image: add rpm database as build output (#2442)
For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format. For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact. We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).
---
.github/workflows/build-os-image.yml | 36 ++++++++++++++++++++++++++++
image/base/BUILD.bazel | 26 ++++++++++++++++++++
image/base/mkosi.conf | 4 ----
image/base/mkosi.postinst | 8 +++++++
image/initrd/mkosi.conf | 2 --
image/system/BUILD.bazel | 2 +-
image/system/mkosi.conf | 2 --
7 files changed, 71 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 8bbdeafe63..38b0105c68 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -172,6 +172,7 @@ jobs:
bazel build "${TARGET}"
{
echo "image-dir=$(bazel cquery --output=files "$TARGET")"
+ echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
} | tee -a "$GITHUB_OUTPUT"
echo "::endgroup::"
@@ -190,6 +191,12 @@ jobs:
${{ steps.build.outputs.image-dir }}/constellation.initrd
${{ steps.build.outputs.image-dir }}/constellation.vmlinuz

+ - name: Upload sbom info as artifact
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
+ path: ${{ steps.build.outputs.rpmdb }}
+
upload-os-image:
name: "Upload OS image to CSP"
needs: [build-settings, make-os-image]
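Review bot: The added `echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"` only resolves the output path of `//image/base:rpmdb`; `bazel cquery` does not build anything, and the only build command visible in the step is `bazel build "${TARGET}"`. The `rpmdb` target is a separate `pkg_tar` tagged `manual` in `image/base/BUILD.bazel`, so unless `${TARGET}` depends on it or something outside this hunk builds it, `rpmdb.tar` will not exist when the second hunk's `actions/upload-artifact` step reads `path: ${{ steps.build.outputs.rpmdb }}` and the upload will find no files. I would build it explicitly next to the image, e.g. `bazel build "${TARGET}" //image/base:rpmdb`. The build step starts outside the hunk, so this may already be handled earlier in the script.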
@@ -616,6 +623,35 @@ jobs:
--signature measurements.json.sig
echo "::endgroup::"

+ upload-sbom:
+ name: "Upload SBOM"
+ needs: [build-settings, make-os-image]
+ permissions:
+ id-token: write
+ contents: read
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Login to AWS
+ uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ with:
+ role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
+ aws-region: eu-central-1
+
+ - name: Download sbom
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ # downloading / using only the QEMU manifest is fine
+ # since the images only differ in the ESP partition
+ name: sbom-qemu-qemu-vtpm
+
+ - name: Upload SBOMs to S3
+ shell: bash
+ run: |
+ aws s3 cp \
+ rpmdb.tar \
+ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
+ --no-progress
+
upload-artifacts:
name: "Upload image lookup table and CLI compatibility info"
runs-on: ubuntu-22.04
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 20155ca04e..b226f472df 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -1,5 +1,6 @@
load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")

copy_to_directory(
@@ -40,6 +41,11 @@ mkosi_image(
outs = [
"image",
"image.tar",
+ "image-.rpm.lock",
+ "image-packagemanifest",
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
],
extra_trees = [
"//image:sysroot_tar",
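Review bot: In the new `upload-sbom` job, the S3 destination `"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}"` expands a shell variable `file` that is never assigned anywhere in the `run` block, so the key ends in a trailing `/` and the object name is whatever `aws s3 cp` derives from the source path; that works by accident and would fail under `set -u`. Name the object explicitly: `"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/rpmdb.tar"`. The step also assumes `actions/download-artifact` leaves `rpmdb.tar` in the working directory, so a `test -f rpmdb.tar` before the copy would turn a silent layout change into a clear failure. The comment that only the QEMU artifact is needed holds only while every CSP variant is built from the same `//image/base` tree, which the `image/system/BUILD.bazel` hunk suggests but this job does not check.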
@@ -58,3 +64,23 @@ mkosi_image(
],
visibility = ["//visibility:public"],
)
+
+pkg_tar(
+ name = "rpmdb",
+ srcs = [
+ "image-.rpm.lock",
+ "image-packagemanifest",
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
+ ],
+ remap_paths = {
+ "/image-.rpm.lock": "/var/lib/rpm/.rpm.lock",
+ "/image-packagemanifest": "/usr/share/constellation/packagemanifest",
+ "/image-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
+ "/image-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
+ "/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
+ },
+ tags = ["manual"],
+ visibility = ["//visibility:public"],
+)
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 3f041eac2b..8d00493269 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -61,10 +61,6 @@ Packages=passwd
RemoveFiles=/var/log
RemoveFiles=/var/cache
RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
- /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
/var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
RemoveFiles=/etc/issue
RemoveFiles=/etc/issue.net
-CleanPackageMetadata=true
diff --git a/image/base/mkosi.postinst b/image/base/mkosi.postinst
index 99a2ec0bcb..9e02d6c321 100755
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
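Review bot: In `pkg_tar(name = "rpmdb")` the remap for the WAL file is inconsistent with the other four entries: `"/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal"` keeps the `image-` prefix, so the extracted tree holds `rpmdb.sqlite` next to an `image-rpmdb.sqlite-wal` that sqlite will never associate with it, and any transactions still sitting in the WAL are invisible to `rpm --dbpath` on the restored database. It should read `"/image-rpmdb.sqlite-wal": "/var/lib/rpm/rpmdb.sqlite-wal",`. More generally, shipping the `-wal`/`-shm` sidecars in an artifact that is meant to be reproducible is fragile; checkpointing the database in `mkosi.postinst` before copying it out and tarring only `rpmdb.sqlite` would give one canonical file, if the build environment has the tooling for that.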
@@ -7,3 +7,11 @@ mkdir -p "${BUILDROOT}"/etc/{cni,kubernetes}
# move issue files away from /etc
# to allow /run/issue and /run/issue.d to take precedence
mv "${BUILDROOT}/etc/issue.d" "${BUILDROOT}/usr/lib/issue.d" || true
+
+# generate reproducible package manifest
+mkdir -p "${BUILDROOT}/usr/share/constellation"
+rpm -qa --qf '%{name};%{version};%{license}\n' --dbpath "${BUILDROOT}/var/lib/rpm/" | LC_ALL=C sort | tee "${BUILDROOT}/usr/share/constellation/packagemanifest"
+cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"
+
+# copy rpmdb to outputs
+cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
diff --git a/image/initrd/mkosi.conf b/image/initrd/mkosi.conf
index 173691555a..9c32e11ad6 100644
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
@@ -36,6 +36,4 @@ RemoveFiles=/var/cache
RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/sysimage/libdnf5/transaction_history.sqlite*
/var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
CleanPackageMetadata=true
diff --git a/image/system/BUILD.bazel b/image/system/BUILD.bazel
index a1be956980..ddc7ae621b 100644
--- a/image/system/BUILD.bazel
+++ b/image/system/BUILD.bazel
@@ -15,7 +15,7 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
stream,
),
base_trees = [
- "//image/base",
+ "//image/base:image.tar",
],
extra_trees = constellation_packages(stream),
initrds = [
diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf
index c45f0cc233..f49c9ebd8c 100644
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@@ -19,6 +19,4 @@ RemoveFiles=/var/cache
RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
/usr/lib/sysimage/libdnf5/transaction_history.sqlite*
/var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
CleanPackageMetadata=true
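Review bot: The manifest produced by `rpm -qa --qf '%{name};%{version};%{license}\n'` drops the release and architecture, so two images that differ only in a package's `release` (a distro rebuild carrying a security fix, for instance) yield identical manifest lines; for the supply-chain and license-compliance purpose stated in the commit message, `'%{name};%{version}-%{release}.%{arch};%{license}\n'` is the minimum that identifies what is actually installed. If the script runs under `set -e` without `pipefail` (the `|| true` on the preceding `mv` suggests `-e` is on; the preamble is outside the hunk), a failing `rpm -qa` leaves an empty manifest via `tee` and the build continues, so `set -o pipefail` or a check of `${PIPESTATUS[0]}` is worth adding. The trailing `cp` also copies `rpmdb.sqlite-wal` and `rpmdb.sqlite-shm`, transient sqlite sidecars whose contents are not guaranteed to be deterministic; copying only `rpmdb.sqlite` after a checkpoint would be the smaller, reproducible artifact, assuming nothing else holds the database open at this point.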