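#!/bin/bash
# Builds the halogenos /usr image on top of a Gentoo hardened/musl/SELinux profile.
#
# Configuration is read from the environment:
#   DISTPATH  - directory packages are installed into (used as the emerge ROOT); required
#   DISTURL   - OTA distribution URL; empty disables OTA ("none" is recorded)
#   MINOR     - suffix appended to the date-based version string (may be empty)
#   SECBOOT / TPM / REQSIG - "true" enables the corresponding feature; anything else disables it
#
# Outputs: /build/images/{usr.img,verity.img,release.meta} and /build/artifacts/usr.squashfs.
#
# Security caveat: SECBOOT, TPM and SECURESYS are only *recorded* in release.meta here;
# nothing in this script verifies a signature, measures anything, or enrolls keys. The only
# security-relevant artifact this script places in the image is the public verification
# key when REQSIG=true. "Intact" means "built with all flags on", nothing more.
set -eo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

NPROC=$(nproc)
VERSION=$(date +%Y%m%d)$MINOR

# Cleared to "false" if any security-critical element is disabled
SECURESYS=true

# DISTPATH is the emerge ROOT and the base of every mv/cp/mkdir below. An empty value would
# point all of those at the host's own filesystem (e.g. `mv /bin /usr/bin`), so refuse early.
: "${DISTPATH:?DISTPATH must be set to the install directory}"

echo "========== VERSION ==========="
echo "Version: $VERSION"
echo "Distfiles path: $DISTPATH"
printf 'Distribution URL: '
# An empty URL disables OTA. The test must be -z (empty): with -n a configured URL was
# reported as "Not set" and silently overwritten with "none" in release.meta.
if [[ -z "$DISTURL" ]]; then
  echo "Not set, OTA disabled"
  DISTURL="none"
else
  echo "$DISTURL"
fi

echo "========== SECURITY =========="
# report_flag VALUE: prints Enabled when VALUE is exactly "true", otherwise prints
# Disabled and degrades the overall SECURESYS status.
report_flag() {
  if [[ "$1" == "true" ]]; then
    echo "Enabled"
  else
    echo "Disabled"
    SECURESYS="false"
  fi
}
printf 'Secure Boot: \t\t';        report_flag "$SECBOOT"
printf 'TPM Security: \t';         report_flag "$TPM"
printf 'Signature required: \t';   report_flag "$REQSIG"
printf 'Overall security: \t'
if [[ "$SECURESYS" == "true" ]]; then
  echo "Intact"
else
  echo "Degraded"
fi
echo "=============================="

# Trace every command from here on. Nothing below reads private material; the only
# secret-path access is the *public* signing key, so the trace leaks paths, not keys.
set -x
# `export $DISTPATH` (the original form) tried to export a variable *named* after the path
# value; the intent is to export DISTPATH itself for the child processes.
export DISTPATH
mkdir -p "$DISTPATH"

# Gentoo setup
mkdir -p /var/db/repos/gentoo
rm -f /var/db/repos/gentoo/metadata/timestamp.x
emerge-webrsync --quiet
eselect profile set default/linux/amd64/23.0/musl/hardened/selinux

# Mark news items read so they stop being printed on every emerge
eselect news read new > /dev/null

# squashfs-tools needed for mksquashfs for image generation
# gentoolkit needed for euse for setting use flags
# (installed on the build host: ROOT is not set yet at this point)
emerge --quiet squashfs-tools gentoolkit

# Copy in package list
mkdir -p /etc/portage/sets
cp /build/emerge/packages.txt /etc/portage/sets/halogenos
cp -r /build/emerge/package.use /etc/portage/

# We have to ensure use.disable contains at least one flag,
# otherwise `euse -D` with no arguments disables all global use flags.
# NOTE(review): the file content is passed as a single argument; confirm euse splits it
# into individual flags (otherwise read it into an array and pass "${flags[@]}").
if [[ "$(cat /build/emerge/use.disable)" = *[![:space:]]* ]]; then
  euse -D "$(cat /build/emerge/use.disable)"
fi

# Set install location
export ROOT="$DISTPATH"

# Update any existing packages
emerge -j "$NPROC" --quiet --update --deep --newuse @world

# Emerge all packages
emerge -j "$NPROC" --quiet @halogenos

# Fix directory locations
# NOTE(review): if $DISTPATH/usr/{bin,lib,sbin} already exist these mv calls nest the
# source directory inside them instead of merging — confirm against the profile layout.
mv "$DISTPATH"/bin  "$DISTPATH"/usr/bin
mv "$DISTPATH"/lib  "$DISTPATH"/usr/lib
mv "$DISTPATH"/sbin "$DISTPATH"/usr/sbin

# Include any additional files
mkdir -p "$DISTPATH"/usr/share/halogenos
mkdir "$DISTPATH"/usr/share/halogenos/keys
mkdir "$DISTPATH"/usr/share/halogenos/bin
cp -r /build/include/* "$DISTPATH"/

# Install gvisor OCI runtime
/build/external/gvisor.sh

# Public release-verification key. When REQSIG=true the image is useless without it, so
# fail with a clear message rather than relying on cp's own error under set -e.
KEY_SRC=/run/secrets/signing_key_public
KEY_DST="$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
if [[ "$REQSIG" == "true" ]]; then
  [[ -f "$KEY_SRC" ]] || die "REQSIG=true but $KEY_SRC does not exist"
  cp "$KEY_SRC" "$KEY_DST"
elif [[ -f "$KEY_SRC" ]]; then
  # Not enforcing signatures, but ship the key if it happens to be available
  cp "$KEY_SRC" "$KEY_DST"
else
  echo "Signing key not found, but not enforcing signatures, so it's okay."
fi

# Metadata & build-time configs (one KEY=VALUE per line)
mkdir "$DISTPATH"/usr/share/halogenos/meta
printf 'VERSION=%s\nOTA=%s\nTPM=%s\nREQSIG=%s\nSECBOOT=%s\nSECURESYS=%s\n' \
  "$VERSION" "$DISTURL" "$TPM" "$REQSIG" "$SECBOOT" "$SECURESYS" \
  > "$DISTPATH"/usr/share/halogenos/release.meta

# Make any additional config changes

# Create images dir and img files
mkdir -p /build/images /build/artifacts
cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/
# Sparse files: 2 GiB carrier for the ext4 filesystem, 2000 MiB for the verity data
dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
# -F: the target is a regular image file, not a block device
mkfs.ext4 -F /build/images/usr.img
dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M

# Create squashfs
# NOTE(review): mksquashfs appends to an existing output file by default; pass -noappend
# if the artifacts directory can carry a stale usr.squashfs between builds.
mksquashfs "$DISTPATH" /build/artifacts/usr.squashfs

# Install squashfs filesystem onto usr img; never leave the loop mount behind on failure
mkdir -p /mnt/usr
mount /build/images/usr.img /mnt/usr
cp /build/artifacts/usr.squashfs /mnt/usr || { umount /mnt/usr; exit 1; }
umount /mnt/usr

# Build verity
# NOTE(review): `tar -czf` treats the first path as the archive to *write*; as visible here
# this would overwrite the usr.img just populated above — confirm the intended output path.
tar -czf /build/images/usr.img /build/images/verity.img /build/images/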