Merge pull request #2528 from OSInside/confidental_compute_s390

Confidential compute s390

Author: schaefi

build-tests/s390/tumbleweed/test-image-MicroOS/appliance.kiwi

@@ -0,0 +1,231 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- OBS-Profiles: @BUILD_FLAVOR@ -->
+<image schemaversion="7.5" name="kiwi-test-image-MicroOS">
+    <description type="system">
+        <author>Marcus Schäfer</author>
+        <contact>[email protected]</contact>
+        <specification>MicroOS disk test build for IBM Secure Execution</specification>
+    </description>
+    <profiles>
+        <profile name="SUSE-Infra" description="MicroOS IBM SEL image LinuxONE_III@SUSE"/>
+        <profile name="IBM-Cloud-Secure-Execution" description="MicroOS IBM SEL image LinuxONE@IBM-Cloud-VPC-Region-eu-de(z16)/Region-eu-gb(z15)"/>
+        <profile name="IBM-Cloud-Standard" description="MicroOS IBM Cloud image"/>
+    </profiles>
+    <preferences>
+        <version>16.0.0</version>
+        <packagemanager>zypper</packagemanager>
+        <bootloader-theme>openSUSE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+    </preferences>
+    <preferences profiles="IBM-Cloud-Standard">
+        <type
+            image="oem"
+            luks="random"
+            luks_pbkdf="pbkdf2"
+            luks_version="luks2"
+            filesystem="btrfs"
+            kernelcmdline="systemd.show_status=yes console=ttyS0,115200 console=tty0 net.ifnames=0 \$ignition_firstboot ignition.platform.id=qemu rd.debug"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="false"
+            btrfs_root_is_subvolume="true"
+            btrfs_quota_groups="true"
+            bootpartition="true"
+            bootfilesystem="ext3"
+            format="qcow2"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+                <option name="--key-size" value="256"/>
+            </luksformat>
+            <oemconfig>
+                <oem-unattended>true</oem-unattended>
+                <oem-resize>true</oem-resize>
+            </oemconfig>
+            <bootloader name="zipl" timeout="10"/>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">2</size>
+        </type>
+    </preferences>
+    <preferences profiles="IBM-Cloud-Secure-Execution">
+        <type
+            image="oem"
+            luks="random"
+            luks_pbkdf="pbkdf2"
+            luks_version="luks2"
+            filesystem="btrfs"
+            kernelcmdline="systemd.show_status=yes console=ttyS0,115200 console=tty0 net.ifnames=0 \$ignition_firstboot ignition.platform.id=qemu swiotlb=262144 rd.debug"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="false"
+            btrfs_root_is_subvolume="true"
+            btrfs_quota_groups="true"
+            bootpartition="true"
+            bootfilesystem="ext3"
+            format="qcow2"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+                <option name="--key-size" value="256"/>
+            </luksformat>
+            <oemconfig>
+                <oem-unattended>true</oem-unattended>
+                <oem-resize>true</oem-resize>
+            </oemconfig>
+            <bootloader name="zipl" timeout="10">
+                <!-- LinuxONE@IBM-Cloud-VPC-Region-eu-de(z16) -->
+                <securelinux hkd_sign_cert="/var/lib/se-certs/ibm-z-host-key-signing-gen2.crt" hkd_ca_cert="/var/lib/se-certs/DigiCertCA.crt">
+                    <hkd_cert name="/var/lib/se-certs/HKD-3932-02967D8.crt"/>
+                    <hkd_cert name="/var/lib/se-certs/HKD-3932-02967F8.crt"/>
+                    <hkd_cert name="/var/lib/se-certs/HKD-3932-0296878.crt"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key-gen2.crl"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>
+                </securelinux>
+                <!-- LinuxONE@IBM-Cloud-VPC-Region-eu-gb(z15) -->
+                <securelinux hkd_sign_cert="/var/lib/se-certs/ibm-z-host-key-signing.crt" hkd_ca_cert="/var/lib/se-certs/DigiCertCA.crt">
+                    <hkd_cert name="/var/lib/se-certs/HKD-8562-024B858.crt"/>
+                    <hkd_cert name="/var/lib/se-certs/HKD-8562-024B868.crt"/>
+                    <hkd_cert name="/var/lib/se-certs/HKD-8562-024B878.crt"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key.crl"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>
+                </securelinux>
+            </bootloader>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">2</size>
+        </type>
+    </preferences>
+    <preferences profiles="SUSE-Infra">
+        <type
+            image="oem"
+            luks="random"
+            luks_pbkdf="pbkdf2"
+            luks_version="luks2"
+            filesystem="btrfs"
+            kernelcmdline="systemd.show_status=yes console=ttyS0,115200 console=tty0 net.ifnames=0 \$ignition_firstboot ignition.platform.id=qemu swiotlb=262144 rd.debug"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="false"
+            btrfs_root_is_subvolume="true"
+            btrfs_quota_groups="true"
+            bootpartition="true"
+            bootfilesystem="ext3"
+            format="qcow2"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+                <option name="--key-size" value="256"/>
+            </luksformat>
+            <oemconfig>
+                <oem-unattended>true</oem-unattended>
+                <oem-resize>true</oem-resize>
+            </oemconfig>
+            <bootloader name="zipl" timeout="10">
+                <securelinux hkd_sign_cert="/var/lib/se-certs/ibm-z-host-key-signing.crt" hkd_ca_cert="/var/lib/se-certs/DigiCertCA.crt">
+                    <!-- LinuxONE_III@SUSE -->
+                    <hkd_cert name="/var/lib/se-certs/HKD-8561-02688E8.crt.20241112"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/ibm-z-host-key.crl"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl"/>
+                    <hkd_revocation_list name="/var/lib/se-certs/DigiCertTrustedRootG4.crl"/>
+                </securelinux>
+            </bootloader>
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+            <size unit="G">2</size>
+        </type>
+    </preferences>
+    <users>
+        <user password="$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0" home="/root" name="root" groups="root"/>
+    </users>
+    <repository type="rpm-md">
+        <source path="obsrepositories:/"/>
+    </repository>
+    <packages type="image" profiles="IBM-Cloud-Secure-Execution">
+        <package name="ibm-se-certificates"/>
+        <package name="ibm-se-revocation-lists"/>
+        <package name="cloud-se-host-certificates"/>
+        <package name="cloud-init"/>
+        <package name="cloud-init-config-suse"/>
+        <package name="systemd-network"/>
+    </packages>
+    <packages type="image" profiles="IBM-Cloud-Standard">
+        <package name="cloud-init"/>
+        <package name="cloud-init-config-suse"/>
+        <package name="systemd-network"/>
+    </packages>
+    <packages type="image" profiles="SUSE-Infra">
+        <package name="ibm-se-certificates"/>
+        <package name="ibm-se-revocation-lists"/>
+        <package name="suse-se-host-certificates"/>
+        <package name="systemd-network"/>
+    </packages>
+    <packages type="image">
+        <package name="patterns-base-bootloader"/>
+        <package name="kernel-default"/>
+        <package name="ignition-dracut"/>
+        <package name="combustion"/>
+        <package name="btrfsmaintenance"/>
+        <package name="btrfsprogs"/>
+        <package name="microos-tools"/>
+        <package name="sudo"/>
+        <package name="s390-tools"/>
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="shadow"/>
+        <package name="snapper"/>
+        <package name="snapper-zypp-plugin"/>
+        <package name="firewalld"/>
+        <package name="microos-tools"/>
+        <package name="health-checker-plugins-MicroOS"/>
+        <package name="squashfs"/>
+        <package name="openSUSE-repos-Tumbleweed"/>
+        <package name="openssh-server"/>
+        <package name="openssh"/>
+        <package name="iproute2"/>
+        <package name="less"/>
+        <package name="curl"/>
+        <package name="cryptsetup"/>
+        <package name="procps"/>
+    </packages>
+    <packages type="bootstrap">
+        <package name="gawk"/>
+        <package name="grep"/> 
+        <package name="gzip"/>
+        <package name="udev"/>
+        <package name="xz"/>
+        <package name="shadow"/>
+        <package name="filesystem"/>
+        <package name="coreutils"/>
+        <package name="openssl"/>
+        <package name="glibc-locale-base"/>
+        <package name="ca-certificates"/>
+        <package name="ca-certificates-mozilla"/>
+        <package name="MicroOS-release-dvd"/>
+        <package name="systemd-presets-branding-MicroOS"/>
+        <package name="diffutils"/>
+    </packages>
+</image>

build-tests/s390/tumbleweed/test-image-MicroOS/config.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# shellcheck disable=SC1091
+test -f /.kconfig && . /.kconfig
+set -euxo pipefail
+
+declare kiwi_iname=${kiwi_iname}
+declare kiwi_profiles=${kiwi_profiles}
+
+echo "Configure image: [${kiwi_iname}]-[${kiwi_profiles}]..."
+
+#======================================
+# Setup Core Services
+#--------------------------------------
+systemctl enable sshd.service
+
+#======================================
+# Setup Cloud Services
+#--------------------------------------
+for profile in ${kiwi_profiles//,/ }; do
+    if [ "${profile}" = "IBM-Cloud-Standard" ] || [ "${profile}" = "IBM-Cloud-Secure-Execution" ]; then
+        for service in \
+            cloud-init-local.service \
+            cloud-init.service \
+            cloud-config.service \
+            cloud-final.service \
+            systemd-networkd \
+            systemd-resolved
+        do
+            systemctl enable "${service}"
+        done
+    fi
+    if [ "${profile}" = "SUSE-Infra" ]; then
+        for service in \
+            systemd-networkd \
+            systemd-resolved
+        do
+            systemctl enable "${service}"
+        done
+    fi
+done
+
+#=====================================
+# Configure snapper
+#-------------------------------------
+if [ "${kiwi_btrfs_root_is_snapshot-false}" = 'true' ]; then
+    echo "creating initial snapper config ..."
+    cp /usr/share/snapper/config-templates/default /etc/snapper/configs/root
+    baseUpdateSysConfig /etc/sysconfig/snapper SNAPPER_CONFIGS root
+    # Adjust parameters
+    sed -i'' 's/^TIMELINE_CREATE=.*$/TIMELINE_CREATE="no"/g' \
+        /etc/snapper/configs/root
+    sed -i'' 's/^NUMBER_LIMIT=.*$/NUMBER_LIMIT="2-10"/g' \
+        /etc/snapper/configs/root
+    sed -i'' 's/^NUMBER_LIMIT_IMPORTANT=.*$/NUMBER_LIMIT_IMPORTANT="4-10"/g' \
+        /etc/snapper/configs/root
+fi
+
+for profile in ${kiwi_profiles//,/ }; do
+    if [ "${profile}" = "IBM-Cloud-Standard" ]; then
+        # For image tests with an extra boot partition the
+        # kernel must not be a symlink to another area of
+        # the filesystem. Latest changes on SUSE changed the
+        # layout of the kernel which breaks every image with
+        # an extra boot partition
+        #
+        # All of the following is more than a hack and I
+        # don't like it all
+        #
+        # Complains and discussions about this please with
+        # the SUSE kernel team as we in kiwi can just live
+        # with the consequences of this change
+        #
+        pushd /
+
+        for file in /boot/* /boot/.*; do
+            if [ -L "${file}" ];then
+                link_target=$(readlink "${file}")
+                if [[ "${link_target}" =~ usr/lib/modules ]];then
+                    mv "${link_target}" "${file}"
+                fi
+            fi
+        done
+    fi
+done

build-tests/s390/tumbleweed/test-image-MicroOS/root/etc/dracut.conf.d/oem_resize.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" kiwi-repart "

build-tests/s390/tumbleweed/test-image-MicroOS/root/etc/fstab.script

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eux
+
+/usr/sbin/setup-fstab-for-overlayfs
+# If /var is on a different partition than /...
+if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
+    # ... set options for autoexpanding /var
+    gawk -i inplace '$2 == "/var" { $4 = $4",x-growpart.grow,x-systemd.growfs" } { print $0 }' /etc/fstab
+fi

build-tests/s390/tumbleweed/test-image-MicroOS/root/etc/systemd/network/20-local.network

@@ -0,0 +1,8 @@
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+
+[DHCP]
+ClientIdentifier=mac

build-tests/s390/tumbleweed/test-image-MicroOS/run

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+qemu-system-s390x \
+    -cpu host \
+    -machine accel=kvm,usb=off \
+    -netdev user,id=user0 \
+    -device virtio-net-ccw,netdev=user0 \
+    -object s390-pv-guest,id=pv0 \
+    -machine confidential-guest-support=pv0 \
+    -enable-kvm \
+    -nodefaults \
+    -name suse-cc \
+    -nographic \
+    -drive id=disk0,file="$1",format=qcow2,if=none,cache=writeback \
+    -device virtio-blk,id=data0,drive=disk0,physical_block_size=512,logical_block_size=512 \
+    -device virtio-serial-ccw \
+    -device sclpconsole,chardev=console \
+    -chardev stdio,id=console \
+    -smp 4 \
+    -m 4096 \
+    -mem-prealloc