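#!/bin/bash
#
# Build a HalogenOS system image: sync the Gentoo tree, emerge the system into
# $DISTPATH, add image-specific files, then package the result as a squashfs
# (plus checksum and tarball) under /build/images/$VERSION.
#
# Required environment:
#   DISTPATH   install root for the image; the script refuses an empty value or "/"
#              because it runs `rm -rf` beneath it
# Optional environment:
#   MINOR      suffix appended to the date-based version string
#   DISTURL    OTA distribution URL; "none" disables OTA
#   SECBOOT, TPM, REQSIG   "true" to enable the respective feature; anything else
#              counts as disabled and marks the build as security-degraded
#   REQSIG=true additionally requires /run/secrets/signing_key_public to exist
#
# Must run as root inside the build container (writes under / and /var/db).
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Refuse to run against the host root: remove_unwanted() below deletes
# directories beneath "$DISTPATH".
: "${DISTPATH:?DISTPATH must point at the image install root}"
[[ "$DISTPATH" != "/" ]] || die "DISTPATH must not be /"

NPROC=$(nproc)
VERSION=$(date +%Y%m%d)${MINOR:-}
IMAGE_ID="standard"
# Default the feature switches to empty so `set -u` does not trip on them; an
# empty value behaves exactly like any non-"true" value (feature disabled).
DISTURL=${DISTURL:-}
SECBOOT=${SECBOOT:-}
TPM=${TPM:-}
REQSIG=${REQSIG:-}
readonly NPROC VERSION IMAGE_ID
export VERSION DISTPATH

# Set to "false" by check_feature() if any security-critical element is
# disabled; recorded in release.meta so the image carries its own verdict.
SECURESYS=true

#######################################
# Print one feature line of the security report and downgrade SECURESYS
# when the feature is not enabled.
# Globals:   SECURESYS (written)
# Arguments: $1 - label (printed verbatim), $2 - feature value
# Outputs:   one line on stdout
#######################################
check_feature() {
  local label=$1 value=$2
  printf '%s' "$label"
  if [[ "$value" == "true" ]]; then
    echo "Enabled"
  else
    echo "Disabled"
    SECURESYS=false
  fi
}

#######################################
# Print the version and security summary for this build.
# Globals:   VERSION, DISTPATH, DISTURL, SECBOOT, TPM, REQSIG (read),
#            SECURESYS (written via check_feature)
#######################################
report_config() {
  echo "=========== VERSION ============"
  echo "Version: $VERSION"
  echo "Distfiles path: $DISTPATH"
  printf 'Distribution URL: '
  if [[ "$DISTURL" == "none" ]]; then
    echo "Not set, OTA disabled"
  else
    echo "$DISTURL"
  fi

  echo "=========== SECURITY ==========="
  check_feature $'Secure Boot: \t\t' "$SECBOOT"
  check_feature $'TPM Security: \t' "$TPM"
  check_feature $'Signature required: \t' "$REQSIG"
  printf 'Overall security: \t'
  if [[ "$SECURESYS" == "true" ]]; then
    echo "Intact"
  else
    echo "Degraded"
  fi
  echo "================================"
}

#######################################
# Fetch the Gentoo tree and select the hardened musl/SELinux profile.
#######################################
sync_portage() {
  mkdir -p /var/db/repos/gentoo
  # Presumably forces emerge-webrsync to fetch a fresh snapshot rather than
  # keeping an existing one — TODO confirm.
  rm -f /var/db/repos/gentoo/metadata/timestamp.x
  # NOTE(review): everything below builds from this snapshot, which arrives
  # over the network; confirm portage is configured to verify its signature.
  emerge-webrsync --quiet
  eselect profile set default/linux/amd64/23.0/musl/hardened/selinux
  # Mark all news items read so later emerge runs do not nag about them.
  eselect news read new > /dev/null
}

#######################################
# Copy build-host configuration (portage config etc.) into the host root.
#######################################
install_host_configs() {
  cp -r /build/include-host/* /
}

#######################################
# Emerge the system into the image root and strip the package manager.
# Globals:   ROOT (exported; stays set for everything that runs afterwards)
#            NPROC (read)
#######################################
build_root() {
  # From here on every emerge installs into the image, not the host.
  export ROOT="$DISTPATH"

  # Earlier/alternative steps kept for reference; currently only the kernel is
  # built here:
  #   emerge -j "$NPROC" --quiet --noreplace @halogenos-host
  #   emerge -j "$NPROC" --quiet --update --deep --newuse @world
  #   emerge -j "$NPROC" --quiet --autounmask=y --autounmask-write --noreplace @halogenos-image
  # (If use.disable is ever applied via `euse -D`, it must contain at least one
  # flag, otherwise euse disables every global USE flag.)

  # tee would fail under pipefail if the artifacts directory were missing.
  mkdir -p /build/artifacts
  # NOTE(review): --autounmask-write accepts whatever keyword/USE/license
  # changes emerge asks for without review; for a hardened image consider
  # pinning those in /etc/portage instead.
  emerge -j "$NPROC" --quiet --autounmask=y --autounmask-write \
    =sys-kernel/gentoo-kernel-6.15.4 | tee /build/artifacts/linux-build-log
  emerge --depclean
  # The image ships without a package manager.
  emerge --unmerge --nodeps portage perl-cleaner
}

#######################################
# Add image-specific files, os-release metadata, the gVisor runtime and the
# hardened malloc library to the image root.
# Globals:   DISTPATH, VERSION, IMAGE_ID (read)
#######################################
install_image_files() {
  mkdir -p "$DISTPATH"/usr/share/halogenos/{keys,bin}
  cp -r /build/include-image/* "$DISTPATH"/

  {
    echo "IMAGE_VERSION=$VERSION"
    echo "IMAGE_ID=$IMAGE_ID"
  } >> "$DISTPATH"/usr/lib/os-release

  # Install gVisor OCI runtime
  /build/external/gvisor.sh

  # Install GrapheneOS hardened malloc (built from the checked-out sources;
  # `make -C` avoids the cd/cd - dance and its stray stdout line).
  make -C /build/hardened_malloc/
  mkdir -p "$DISTPATH"/usr/local/lib
  cp /build/hardened_malloc/out/libhardened_malloc.so \
    "$DISTPATH"/usr/local/lib/libhardened_malloc.so
}

#######################################
# Place the release-signing public key into the image. Mandatory when
# REQSIG=true, best-effort otherwise.
# Globals:   DISTPATH, REQSIG (read)
# Returns:   exits via die when the key is required but missing
#######################################
install_signing_key() {
  local src=/run/secrets/signing_key_public
  local dst="$DISTPATH"/usr/share/halogenos/keys/release_key_pub.asc
  if [[ -f "$src" ]]; then
    cp -- "$src" "$dst"
  elif [[ "$REQSIG" == "true" ]]; then
    # Without the key the image could never verify a signed release.
    die "REQSIG=true but $src is missing"
  else
    echo "Signing key not found, but not enforcing signatures, so it's okay."
  fi
}

#######################################
# Write the build-time configuration record into the image.
# Globals:   DISTPATH, VERSION, DISTURL, TPM, REQSIG, SECBOOT, SECURESYS (read)
#######################################
write_release_meta() {
  mkdir -p "$DISTPATH"/usr/share/halogenos/meta
  # Values go through %s so none of them can act as a printf format.
  printf 'VERSION=%s\nOTA=%s\nTPM=%s\nREQSIG=%s\nSECBOOT=%s\nSECURESYS=%s\n' \
    "$VERSION" "$DISTURL" "$TPM" "$REQSIG" "$SECBOOT" "$SECURESYS" \
    > "$DISTPATH"/usr/share/halogenos/release.meta
}

#######################################
# Remove files the image should not ship.
# Globals:   DISTPATH (read; ":?" re-checks it right before the rm -rf)
#######################################
remove_unwanted() {
  rm -- "${DISTPATH:?}"/usr/etc/gentoo-release
  rm -rf -- "${DISTPATH:?}"/usr/lib/gentoo
}

#######################################
# Produce the squashfs image, its checksum and a tarball of the images dir.
# Globals:   DISTPATH, VERSION (read)
# Outputs:   /build/images/$VERSION/{release.meta,sys.sfs,sys.sfs.sha512}
#            and $VERSION.tar.gz in the current working directory
#######################################
package_image() {
  local out=/build/images/"$VERSION"
  mkdir -p "$out"
  cp "$DISTPATH"/usr/share/halogenos/release.meta "$out"/
  # -noappend: by default mksquashfs merges into an existing output file, so a
  # rebuild of the same VERSION would silently layer onto the previous image.
  mksquashfs "$DISTPATH" "$out"/sys.sfs -noappend
  # Hash by relative name so `sha512sum -c sys.sfs.sha512` works from "$out".
  (cd "$out" && sha512sum sys.sfs > sys.sfs.sha512)

  # TODO: the original script announced "Build kernel UKI with syshash
  # embedded" at this point but carried no code for it; the hash line is in
  # "$out"/sys.sfs.sha512 when that step is added.

  # tar strips the leading '/' and archives the build/images/$VERSION tree.
  tar -czf "$VERSION".tar.gz "$out"
}

main() {
  report_config
  mkdir -p "$DISTPATH"
  sync_portage
  install_host_configs
  build_root
  install_image_files
  install_signing_key
  write_release_meta
  remove_unwanted
  package_image
}

main "$@"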