diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 8bbdeafe63..38b0105c68 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -172,6 +172,7 @@ jobs:
 bazel build "${TARGET}"
 {
 echo "image-dir=$(bazel cquery --output=files "$TARGET")"
+ echo "rpmdb=$(bazel cquery --output=files //image/base:rpmdb)"
 } | tee -a "$GITHUB_OUTPUT"
 echo "::endgroup::"
@@ -190,6 +191,12 @@ jobs:
 ${{ steps.build.outputs.image-dir }}/constellation.initrd
 ${{ steps.build.outputs.image-dir }}/constellation.vmlinuz
+ - name: Upload sbom info as artifact
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: sbom-${{ matrix.csp }}-${{ matrix.attestation_variant }}
+ path: ${{ steps.build.outputs.rpmdb }}
+
 upload-os-image:
 name: "Upload OS image to CSP"
 needs: [build-settings, make-os-image]
@@ -616,6 +623,35 @@ jobs:
 --signature measurements.json.sig
 echo "::endgroup::"
+ upload-sbom:
+ name: "Upload SBOM"
+ needs: [build-settings, make-os-image]
+ permissions:
+ id-token: write
+ contents: read
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Login to AWS
+ uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+ with:
+ role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
+ aws-region: eu-central-1
+
+ - name: Download sbom
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+ with:
+ # downloading / using only the QEMU manifest is fine
+ # since the images only differ in the ESP partition
+ name: sbom-qemu-qemu-vtpm
+
+ - name: Upload SBOMs to S3
+ shell: bash
+ run: |
+ aws s3 cp \
+ rpmdb.tar \
+ "s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/${file}" \
+ --no-progress
+
 upload-artifacts:
 name: "Upload image lookup table and CLI compatibility info"
 runs-on: ubuntu-22.04
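Review bot: `bazel cquery --output=files //image/base:rpmdb` on the added line only resolves where the `rpmdb` tarball would be written; it does not build it, and because that `pkg_tar` is tagged `manual` in `image/base/BUILD.bazel` nothing in this hunk builds it unless `TARGET` happens to depend on it, which the hunk gives no sign of. The path recorded in `$GITHUB_OUTPUT` would then point at a file that does not exist and the later `upload-artifact` step would find nothing. Building it alongside the image, `bazel build "${TARGET}" //image/base:rpmdb`, guarantees the output exists before its path is recorded. The `run:` script this hunk sits in starts before the hunk.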
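Review bot: `${file}` in the S3 destination of the "Upload SBOMs to S3" step is never assigned, so it expands to an empty string and the key ends in a trailing slash; `aws s3 cp` then falls back to the source filename, which works by accident and would break the moment the script runs under `set -u`. Spell the key out: `"s3://cdn-constellation-backend/${{needs.build-settings.outputs.imageApiBasePath}}/rpmdb.tar"`. Unlike `measurements.json`, which the hunk's context shows being uploaded together with `measurements.json.sig`, the rpmdb tarball is published to the CDN without any signature, so a consumer has no way to check that the package list belongs to a signed image; signing it with the same key used for the measurements and uploading `rpmdb.tar.sig` next to it would close that gap. The artifact is also the raw rpm database rather than an SPDX/CycloneDX document, so calling the job and step "SBOM" overstates what is published.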
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 20155ca04e..b226f472df 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -1,5 +1,6 @@
 load("@aspect_bazel_lib//lib:copy_file.bzl", "copy_file")
 load("@aspect_bazel_lib//lib:copy_to_directory.bzl", "copy_to_directory")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 copy_to_directory(
@@ -40,6 +41,11 @@ mkosi_image(
 outs = [
 "image",
 "image.tar",
+ "image-.rpm.lock",
+ "image-packagemanifest",
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
 ],
 extra_trees = [
 "//image:sysroot_tar",
@@ -58,3 +64,23 @@ mkosi_image(
 ],
 visibility = ["//visibility:public"],
 )
+
+pkg_tar(
+ name = "rpmdb",
+ srcs = [
+ "image-.rpm.lock",
+ "image-packagemanifest",
+ "image-rpmdb.sqlite",
+ "image-rpmdb.sqlite-shm",
+ "image-rpmdb.sqlite-wal",
+ ],
+ remap_paths = {
+ "/image-.rpm.lock": "/var/lib/rpm/.rpm.lock",
+ "/image-packagemanifest": "/usr/share/constellation/packagemanifest",
+ "/image-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
+ "/image-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
+ "/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
+ },
+ tags = ["manual"],
+ visibility = ["//visibility:public"],
+)
diff --git a/image/base/mkosi.conf b/image/base/mkosi.conf
index 3f041eac2b..8d00493269 100644
--- a/image/base/mkosi.conf
+++ b/image/base/mkosi.conf
@@ -61,10 +61,6 @@ Packages=passwd
 RemoveFiles=/var/log
 RemoveFiles=/var/cache
 RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
- /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
 /var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
 RemoveFiles=/etc/issue
 RemoveFiles=/etc/issue.net
-CleanPackageMetadata=true
diff --git a/image/base/mkosi.postinst b/image/base/mkosi.postinst
index 99a2ec0bcb..9e02d6c321 100755
--- a/image/base/mkosi.postinst
+++ b/image/base/mkosi.postinst
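Review bot: the `remap_paths` entry for the write-ahead log maps `/image-rpmdb.sqlite-wal` to `/var/lib/rpm/image-rpmdb.sqlite-wal`, keeping the `image-` prefix that every other entry strips, so inside the tarball the WAL is not named `rpmdb.sqlite-wal` and SQLite will not pair it with `rpmdb.sqlite`; any pages that only exist in the WAL are invisible to `rpm --dbpath` on the extracted tree, and the published package list can be stale relative to the image. The fix is the single entry `"/image-rpmdb.sqlite-wal": "/var/lib/rpm/rpmdb.sqlite-wal",`. Shipping `-wal`/`-shm` at all is fragile; checkpointing the database in `mkosi.postinst` before exporting it would let the tarball carry `rpmdb.sqlite` alone.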
@@ -7,3 +7,11 @@ mkdir -p "${BUILDROOT}"/etc/{cni,kubernetes}
 # move issue files away from /etc
 # to allow /run/issue and /run/issue.d to take precedence
 mv "${BUILDROOT}/etc/issue.d" "${BUILDROOT}/usr/lib/issue.d" || true
+
+# generate reproducible package manifest
+mkdir -p "${BUILDROOT}/usr/share/constellation"
+rpm -qa --qf '%{name};%{version};%{license}\n' --dbpath "${BUILDROOT}/var/lib/rpm/" | LC_ALL=C sort | tee "${BUILDROOT}/usr/share/constellation/packagemanifest"
+cp "${BUILDROOT}/usr/share/constellation/packagemanifest" "${OUTPUTDIR}/"
+
+# copy rpmdb to outputs
+cp "${BUILDROOT}"/var/lib/rpm/{rpmdb.sqlite-wal,rpmdb.sqlite-shm,rpmdb.sqlite,.rpm.lock} "${OUTPUTDIR}/"
diff --git a/image/initrd/mkosi.conf b/image/initrd/mkosi.conf
index 173691555a..9c32e11ad6 100644
--- a/image/initrd/mkosi.conf
+++ b/image/initrd/mkosi.conf
@@ -36,6 +36,4 @@ RemoveFiles=/var/cache
 RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
 /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
 /var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
 CleanPackageMetadata=true
diff --git a/image/system/BUILD.bazel b/image/system/BUILD.bazel
index a1be956980..ddc7ae621b 100644
--- a/image/system/BUILD.bazel
+++ b/image/system/BUILD.bazel
@@ -15,7 +15,7 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
 stream,
 ),
 base_trees = [
- "//image/base",
+ "//image/base:image.tar",
 ],
 extra_trees = constellation_packages(stream),
 initrds = [
diff --git a/image/system/mkosi.conf b/image/system/mkosi.conf
index c45f0cc233..f49c9ebd8c 100644
--- a/image/system/mkosi.conf
+++ b/image/system/mkosi.conf
@@ -19,6 +19,4 @@ RemoveFiles=/var/cache
 RemoveFiles=/etc/pki/ca-trust/extracted/java/cacerts
 /usr/lib/sysimage/libdnf5/transaction_history.sqlite*
 /var/cache/ldconfig/aux-cache
-# https://github.com/authselect/authselect/pull/348
-# RemoveFiles=/etc/authselect/*
 CleanPackageMetadata=true
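Review bot: the manifest is produced by `rpm -qa ... | LC_ALL=C sort | tee ...`, so the line's exit status is `tee`'s; if `rpm` fails (wrong `--dbpath`, unreadable db) the build carries on with an empty `packagemanifest` unless the script already enables `pipefail` at its top, which is outside this hunk. Guard it explicitly with `test -s "${BUILDROOT}/usr/share/constellation/packagemanifest"` right after the pipeline, or add `set -o pipefail` at the top of the script. The format `%{name};%{version};%{license}` drops `%{release}` and `%{arch}`, so entries cannot be matched against RPM security advisories, which are keyed by the full NEVRA; `'%{name};%{version}-%{release}.%{arch};%{license}\n'` would make the manifest usable for vulnerability matching, provided nothing downstream already parses the three-field form. The final `cp` also errors (and, with `set -e`, aborts the build) if `rpmdb.sqlite-wal` or `-shm` happens to be absent because the database was checkpointed and closed cleanly; checkpointing before the copy and exporting only `rpmdb.sqlite` and `.rpm.lock` avoids depending on SQLite's transient files.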