HalogenOS/image-builder
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Better additional file copy

Browse Source
This commit is contained in:
River 2025-04-18 15:41:32 -04:00
parent adc7a14884
commit 26f1805fa4
Signed by: shibedrill
GPG Key ID: 5FE0CB25945EFAA2
8 changed files with 108 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -24,7 +24,7 @@ There are a few overridable variables that control configuration elements of Hal
- `SECBOOT`: Default is `true`. This will control whether or not Secure Boot keys are generated and enrolled. Disable if your system does not support Secure Boot. - `SECBOOT`: Default is `true`. This will control whether or not Secure Boot keys are generated and enrolled. Disable if your system does not support Secure Boot.
- `REQSIG`: Default is `true`. This will control whether or not update images and overlays require signatures. Disable ONLY for testing or development purposes. - `REQSIG`: Default is `true`. This will control whether or not update images and overlays require signatures. Disable ONLY for testing or development purposes.
Disabling `SECBOOT` or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily. Disabling `SECBOOT`, `TPM`, or `REQSIG` sets a flag in the system partition indicating that the installation has a fundamentally insecure configuration, as important system files could be tampered with easily.
## Signing Keys ## Signing Keys

48
build/build-image.sh
View File

@ -12,7 +12,7 @@ echo "========== VERSION ==========="
echo "Version: $VERSION" echo "Version: $VERSION"
echo "Distfiles path: $DISTPATH" echo "Distfiles path: $DISTPATH"
echo -n "Distribution URL: " echo -n "Distribution URL: "
if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled" if [ -n "$DISTURL" ]; then echo "Not set, OTA disabled"; DISTURL="none"
else echo "$DISTURL"; fi else echo "$DISTURL"; fi
echo "========== SECURITY ==========" echo "========== SECURITY =========="
echo -en "Secure Boot: \t\t" echo -en "Secure Boot: \t\t"
@ -20,10 +20,10 @@ if [ "$SECBOOT" == "true" ]; then echo "Enabled"
else echo "Disabled"; SECURESYS="false"; fi else echo "Disabled"; SECURESYS="false"; fi
echo -en "TPM Security: \t" echo -en "TPM Security: \t"
if [ "$TPM" == "true" ]; then echo "Enabled" if [ "$TPM" == "true" ]; then echo "Enabled"
else echo "Disabled"; fi else echo "Disabled"; SECURESYS="false"; fi
echo -en "Signature required: \t" echo -en "Signature required: \t"
if [ "$REQSIG" == "true" ]; then echo "Enabled" if [ "$REQSIG" == "true" ]; then echo "Enabled"
else echo "Disabled"; unset SECURESYS="false"; fi else echo "Disabled"; SECURESYS="false"; fi
echo -en "Overall security: \t" echo -en "Overall security: \t"
if [ "$SECURESYS" == "true" ]; then echo "Intact" if [ "$SECURESYS" == "true" ]; then echo "Intact"
else echo "Degraded"; fi else echo "Degraded"; fi
@ -31,6 +31,7 @@ echo "=============================="
set -x set -x
export $DISTPATH
mkdir -p "$DISTPATH" mkdir -p "$DISTPATH"
# Gentoo setup # Gentoo setup
@ -38,13 +39,23 @@ mkdir -p /var/db/repos/gentoo
rm -f /var/db/repos/gentoo/metadata/timestamp.x rm -f /var/db/repos/gentoo/metadata/timestamp.x
emerge-webrsync --quiet emerge-webrsync --quiet
eselect profile set default/linux/amd64/23.0/musl/hardened/selinux eselect profile set default/linux/amd64/23.0/musl/hardened/selinux
# STOP TELLING ME ABOUT THE NEWS
eselect news read new > /dev/null
# SquashFS tools needed for image generation # squashfs-tools needed for image mksquashfs for image generation
emerge --quiet squashfs-tools # gentoolkit needed for euse for setting use flags
emerge --quiet squashfs-tools gentoolkit
# Copy in package list # Copy in package list
mkdir -p /etc/portage/sets mkdir -p /etc/portage/sets
cp /build/packages.txt /etc/portage/sets/halogenos cp /build/emerge/packages.txt /etc/portage/sets/halogenos
cp -r /build/emerge/package.use /etc/portage/
# We have to ensure use.disable contains at least one flag
# Otherwise euse -D will disable all global use flags
if [[ "$(cat /build/emerge/use.disable)" = *[![:space:]]* ]]; then
euse -D "$(cat /build/emerge/use.disable)"
fi
# Set install location # Set install location
export ROOT="$DISTPATH" export ROOT="$DISTPATH"
@ -65,6 +76,11 @@ mkdir -p "$DISTPATH"/usr/share/halogenos
mkdir "$DISTPATH"/usr/share/halogenos/keys mkdir "$DISTPATH"/usr/share/halogenos/keys
mkdir "$DISTPATH"/usr/share/halogenos/bin mkdir "$DISTPATH"/usr/share/halogenos/bin
cp -r /build/include/* "$DISTPATH"/
# Install gvisor OCI runtime
/build/external/gvisor.sh
# Require inclusion of public key if $REQSIG is true # Require inclusion of public key if $REQSIG is true
if [ "$REQSIG" == "true" ]; then if [ "$REQSIG" == "true" ]; then
cp /run/secrets/signing_key_public "$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc cp /run/secrets/signing_key_public "$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
@ -79,20 +95,18 @@ fi
# Metadata & build-time configs # Metadata & build-time configs
mkdir "$DISTPATH"/usr/share/halogenos/meta mkdir "$DISTPATH"/usr/share/halogenos/meta
echo "$VERSION" > "$DISTPATH"/usr/share/halogenos/meta/version echo "VERSION=$VERSION
if [ -n "$DISTURL" ]; then echo "$DISTURL" > "$DISTPATH"/usr/share/halogenos/meta/ota OTA=$DISTURL
else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/ota; fi TPM=$TPM
if [ "$SECBOOT" == "true" ]; then echo "ENABLED" > "$DISTPATH"/usr/share/halogenos/meta/secboot REQSIG=$REQSIG
else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/secboot; fi SECBOOT=$SECBOOT
if [ "$TPM" == "true" ]; then echo "ENABLED" > "$DISTPATH"/usr/share/halogenos/meta/tpm SECURESYS=$SECURESYS" > "$DISTPATH"/usr/share/halogenos/release.meta
else echo "DISABLED" > "$DISTPATH"/usr/share/halogenos/meta/tpm; fi
if [ "$SECURESYS" == "true" ]; then echo "TRUE" > "$DISTPATH"/usr/share/halogenos/meta/securesys
else echo "FALSE" > "$DISTPATH"/usr/share/halogenos/meta/securesys; fi
# Make any additional config changes # Make any additional config changes
# Create images dir and img files # Create images dir and img files
mkdir -p /build/images mkdir -p /build/images
cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/
dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
mkfs.ext4 /build/images/usr.img mkfs.ext4 /build/images/usr.img
dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M
@ -106,4 +120,6 @@ mount /build/images/usr.img /mnt/usr
cp /build/artifacts/usr.squashfs /mnt/usr cp /build/artifacts/usr.squashfs /mnt/usr
umount /mnt/usr umount /mnt/usr
# Build verity # Build verity
tar -czf /build/images/usr.img /build/images/verity.img /build/images/

13
build/emerge/packages.txt Normal file
View File

@ -0,0 +1,13 @@
app-containers/distrobox
app-containers/podman
app-crypt/gnupg
app-shells/bash
app-misc/hyfetch
kde-plasma/flatpak-kcm
kde-plasma/plasma-desktop
kde-plasma/plasma-vault
sys-apps/bubblewrap
sys-apps/flatpak
sys-apps/fwupd
sys-libs/musl
virtual/tmpfiles

1
build/emerge/use.disable Normal file
View File

@ -0,0 +1 @@

13
build/external/gvisor.sh vendored Normal file
View File

@ -0,0 +1,13 @@
#!/bin/bash
set -e
ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/"${ARCH}"
wget "${URL}"/runsc "${URL}"/runsc.sha512 "${URL}"/containerd-shim-runsc-v1 "${URL}"/containerd-shim-runsc-v1.sha512
sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
rm -f ./*.sha512
chmod a+rx runsc containerd-shim-runsc-v1
mv runsc containerd-shim-runsc-v1 "$DISTPATH"/usr/local/bin

29
build/include/usr/etc/containers.conf Normal file
View File

@ -0,0 +1,29 @@
[containers]
cgroupns = "private"
cgroups = "enabled"
default_capabilities = []
default_sysctls = [
"net.ipv4.ping_group_range=0 0",
]
label = true
label_users = true
ipcns = "private"
netns = "private"
pidns = "private"
userns = "auto"
utsns = "private"
privileged = false
[engine]
runtime = "runsc"
[engine.runtimes]
runsc = [
"/usr/local/bin/runsc",
]

19
build/include/usr/sbin/sysupd.sh Normal file
View File

@ -0,0 +1,19 @@
#!/bin/bash
set -euxo pipefail
# These are expected to happen
ERR_GEN = 1 # General error
ERR_NET = 2 # Network link error
ERR_DNS = 3 # DNS error or resolution failure
ERR_SSL = 4 # HTTPS failure
ERR_SIG = 5 # Update file fails signature
# These should probably never happen
ERR_PRM = 6 # Insufficient permission
ERR_BLK = 7 # Block device or partition error
ERR_MNT = 8 # Mounting failure
err_exit() {
>&2 echo $2
}

3
build/packages.txt
View File

@ -1,3 +0,0 @@
app-shells/bash
app-misc/hyfetch
sys-libs/musl