From d4bdb2c1eb6a8a616d1725a6c4ff7fc661109033 Mon Sep 17 00:00:00 2001
From: James Pace
Date: Mon, 22 Aug 2022 20:12:52 -0400
Subject: [PATCH] Delete encryption.
---
osbuild-manifests/images/encrypted.mpp.yml | 67 --------
.../include/image-directboot.ipp.yml | 12 --
.../include/image-ostree.ipp.yml | 6 -
.../include/image-regular.ipp.yml | 6 -
osbuild-manifests/include/image.ipp.yml | 154 ------------------
5 files changed, 245 deletions(-)
delete mode 100644 osbuild-manifests/images/encrypted.mpp.yml
diff --git a/osbuild-manifests/images/encrypted.mpp.yml b/osbuild-manifests/images/encrypted.mpp.yml
deleted file mode 100644
index 29f918a..0000000
--- a/osbuild-manifests/images/encrypted.mpp.yml
+++ /dev/null
@@ -1,67 +0,0 @@ -# This image demontrates how to use an encrypted rootfs -# Due to the use of luks_auto_unlock, the passphrase is copied to the initrd and -# the rootfs uses this to automatically unlock the system on the first boot. -# However, the autosig-sample-tpm-enroll service is also installed, and this -# will replace the passphrase with a TPM based token, meaning that later -# boots are tied to this machine only. -# Remember to pass --tpm2 to runvm when testing this. -version: '2' -mpp-vars: - name: encrypted - use_luks: true - luks_auto_unlock: true - extra_boot_rpms: - - clevis-dracut -pipelines: -- mpp-import-pipelines: - path: include/build.ipp.yml -- name: rootfs - build: name:build - stages: - - type: org.osbuild.kernel-cmdline - options: - root_fs_uuid: - mpp-eval: rootfs_uuid - kernel_opts: - mpp-eval: ''' '' .join(kernel_opts)' - - type: org.osbuild.rpm - options: - gpgkeys: - - mpp-eval: centos_gpg_key - - mpp-eval: redhat_gpg_key - disable_dracut: true - exclude: - docs: true - inputs: - packages: - type: org.osbuild.files - origin: org.osbuild.source - mpp-depsolve: - architecture: $arch - ignore-weak-deps: true - module-platform-id: $distro_module_id - baseurl: $distro_baseurl/BaseOS/$arch/os/ - repos: - mpp-join: - - mpp-eval: distro_repos - - mpp-eval: target_repos - - mpp-eval: extra_repos - packages: - mpp-join: - - mpp-eval: base_rpms - - mpp-eval: image_rpms - - mpp-eval: extra_rpms - # Install the tools and service files - - - autosig-sample-tpm-enroll - excludes: - - dracut-config-rescue - - type: org.osbuild.locale - options: - language: en_US.UTF-8 - - type: org.osbuild.systemd - options: - enabled_services: - - NetworkManager.service - - rngd.service -- mpp-import-pipelines: - path: include/image.ipp.yml diff --git a/osbuild-manifests/include/image-directboot.ipp.yml b/osbuild-manifests/include/image-directboot.ipp.yml index 1be2b19..c4e19a1 100644 --- a/osbuild-manifests/include/image-directboot.ipp.yml 
+++ b/osbuild-manifests/include/image-directboot.ipp.yml @@ -54,18 +54,12 @@ pipelines: mpp-embed: id: directboot.csv path: directboot.csv - extra-tree: - type: org.osbuild.tree - origin: org.osbuild.pipeline - references: - - name:extra-tree-content options: paths: mpp-join: - - from: mpp-format-string: input://bootcsv/{embedded['directboot.csv']} to: tree:///boot/efi/EFI/Linux/boot.csv - - mpp-eval: extra_tree_content - type: org.osbuild.dracut options: kernel: @@ -95,17 +89,11 @@ pipelines: origin: org.osbuild.pipeline references: - name:rootfs - extra-tree: - type: org.osbuild.tree - origin: org.osbuild.pipeline - references: - - name:extra-tree-content options: paths: mpp-join: - - from: input://tree/ to: tree:/// - - mpp-eval: extra_tree_content - type: org.osbuild.copy inputs: kernel: diff --git a/osbuild-manifests/include/image-ostree.ipp.yml b/osbuild-manifests/include/image-ostree.ipp.yml index 87fd940..a81aaff 100644 --- a/osbuild-manifests/include/image-ostree.ipp.yml +++ b/osbuild-manifests/include/image-ostree.ipp.yml @@ -25,17 +25,11 @@ pipelines: origin: org.osbuild.pipeline references: - name:rootfs - extra-tree: - type: org.osbuild.tree - origin: org.osbuild.pipeline - references: - - name:extra-tree-content options: paths: mpp-join: - - from: input://tree/ to: tree:/// - - mpp-eval: extra_tree_content - type: org.osbuild.systemd options: enabled_services: diff --git a/osbuild-manifests/include/image-regular.ipp.yml b/osbuild-manifests/include/image-regular.ipp.yml index 8747ba8..1132515 100644 --- a/osbuild-manifests/include/image-regular.ipp.yml +++ b/osbuild-manifests/include/image-regular.ipp.yml @@ -18,17 +18,11 @@ pipelines: origin: org.osbuild.pipeline references: - name:rootfs - extra-tree: - type: org.osbuild.tree - origin: org.osbuild.pipeline - references: - - name:extra-tree-content options: paths: mpp-join: - - from: input://tree/ to: tree:/// - - mpp-eval: extra_tree_content - type: org.osbuild.users options: users: 
diff --git a/osbuild-manifests/include/image.ipp.yml b/osbuild-manifests/include/image.ipp.yml index 636e40b..9b26573 100644 --- a/osbuild-manifests/include/image.ipp.yml +++ b/osbuild-manifests/include/image.ipp.yml @@ -1,16 +1,8 @@ version: '2' mpp-vars: - extra_tree_content: - - mpp-if: use_luks and luks_auto_unlock - then: - from: input://extra-tree/luks-key - to: tree:///usr/.auto-unlock-key dracut_install: mpp-join: - mpp-eval: dracut_install - - mpp-if: use_luks and luks_auto_unlock - then: - - /usr/.auto-unlock-key kernel_opts: mpp-join: - - ro @@ -18,30 +10,8 @@ mpp-vars: - mpp-if: use_efi_runtime then: efi=runtime - mpp-eval: kernel_opts - - mpp-if: use_luks - then: - - rd.luks.uuid=$luks_uuid - - rd.luks.options=discard - - mpp-if: luks_auto_unlock - then: rd.luks.key=$luks_uuid=/usr/.auto-unlock-key pipelines: # Some variables need to be written to files, do that here -- name: extra-tree-content - build: name:build - stages: - - type: org.osbuild.copy - inputs: - inlinefile: - type: org.osbuild.files - origin: org.osbuild.source - mpp-embed: - id: luks-key - text: $luks_passphrase - options: - paths: - - from: - mpp-format-string: input://inlinefile/{embedded['luks-key']} - to: tree:///luks-key - mpp-import-pipelines: path: image-$image_type.ipp.yml - name: image 
@@ -87,83 +57,9 @@ pipelines: uuid: mpp-eval: bootfs_uuid label: boot - - mpp-if: use_luks - then: - type: org.osbuild.luks2.format - devices: - device: - type: org.osbuild.loopback - options: - filename: disk.img - start: - mpp-eval: image.layout['root'].start - size: - mpp-eval: image.layout['root'].size - lock: true - options: - passphrase: - mpp-eval: luks_passphrase - uuid: - mpp-eval: luks_uuid - label: luks-rootfs - pbkdf: - method: argon2i - memory: 32 - parallelism: 1 - iterations: 4 - integrity: - mpp-if: luks_use_integrity - then: hmac-sha256 - - mpp-if: use_luks - then: - type: org.osbuild.lvm2.create - devices: - luks: - type: org.osbuild.loopback - options: - filename: disk.img - start: - mpp-eval: image.layout['root'].start - size: - mpp-eval: image.layout['root'].size - device: - type: org.osbuild.luks2 - parent: luks - options: - passphrase: - mpp-eval: luks_passphrase - options: - volumes: - - name: root - extents: 100%FREE - type: org.osbuild.mkfs.ext4 devices: - luks: - mpp-if: use_luks - then: - type: org.osbuild.loopback - options: - filename: disk.img - start: - mpp-eval: image.layout['root'].start - size: - mpp-eval: image.layout['root'].size - lvm: - mpp-if: use_luks - then: - type: org.osbuild.luks2 - parent: luks - options: - passphrase: - mpp-eval: luks_passphrase device: - mpp-if: use_luks - then: - type: org.osbuild.lvm2.lv - parent: lvm - options: - volume: root - else: type: org.osbuild.loopback options: filename: disk.img @@ -187,13 +83,6 @@ pipelines: origin: org.osbuild.pipeline references: - name:build - extra-tree: - mpp-if: "'extra_image_source_' + image_type in locals()" - then: - type: org.osbuild.tree - origin: org.osbuild.pipeline - references: - - mpp-format-string: "name:{locals().get('extra_image_source_' + image_type)}" options: paths: mpp-join: 
@@ -218,13 +107,6 @@ pipelines: size: mpp-eval: image.layout['boot'].size root: - mpp-if: use_luks - then: - type: org.osbuild.lvm2.lv - parent: root-luks - options: - volume: root - else: type: org.osbuild.loopback options: filename: disk.img @@ -232,24 +114,6 @@ pipelines: mpp-eval: image.layout['root'].start size: mpp-eval: image.layout['root'].size - root-raw: - mpp-if: use_luks - then: - type: org.osbuild.loopback - options: - filename: disk.img - start: - mpp-eval: image.layout['root'].start - size: - mpp-eval: image.layout['root'].size - root-luks: - mpp-if: use_luks - then: - type: org.osbuild.luks2 - parent: root-raw - options: - passphrase: - mpp-eval: luks_passphrase mounts: - name: root type: org.osbuild.ext4 @@ -263,24 +127,6 @@ pipelines: type: org.osbuild.fat source: efi target: /boot/efi - - mpp-if: use_luks - then: - type: org.osbuild.lvm2.metadata - devices: - luks: - type: org.osbuild.loopback - options: - filename: disk.img - start: - mpp-eval: image.layout['root'].start - size: - mpp-eval: image.layout['root'].size - device: - type: org.osbuild.luks2 - parent: luks - options: - passphrase: - mpp-eval: luks_passphrase options: vg_name: osbuild creation_host: osbuild
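Review bot: In the last hunk of image.ipp.yml (`@@ -263,24 +127,6 @@`) the removal stops at `mpp-eval: luks_passphrase`, so the trailing `options:` / `vg_name: osbuild` / `creation_host: osbuild` lines survive as context even though they appear to be the options of the deleted `org.osbuild.lvm2.metadata` stage. Indentation is not recoverable from this view, but on the new side they follow `target: /boot/efi` directly, so they would either attach to the efi mount entry or fail to parse; those three lines should be deleted together with the stage. The stage list this hunk sits in starts outside the hunk, so check the rendered manifest to confirm. The comment `# Some variables need to be written to files, do that here` in the first hunk of the same file is also left behind without the `extra-tree-content` pipeline it described and should be removed.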