diff --git a/recovery/README.md b/recovery/README.md index a4d6589..8a4982c 100644 --- a/recovery/README.md +++ b/recovery/README.md @@ -9,40 +9,3 @@ the recovery tool. While that repo does offer prebuilt binary releases, we rebuild from scratch here so we can be sure about which TamaGo toolchain version is used, etc. -## Build and Release Process - -A -[Cloud Build trigger](https://cloud.google.com/build/docs/automating-builds/create-manage-triggers) -is defined by a yaml config file. The Transparency.dev team invokes it manually -when we want to publish a release. - -The pipeline includes two main steps: building and making available the recovery -tool files, and writing the release metadata (Claimant Model Statement) to the -firmware transparency log. - -1. Cloud Build builds the recovery builder Docker image and copies the compiled - recovery imx file to a public Google Cloud Storage bucket. -1. Cloud Build runs the - [`manifest`](https://github.com/transparency-dev/armored-witness/tree/main/cmd/manifest) - tool to construct the Claimant Model Statement with arguments specific to - this release. It signs the Statement with the - [`sign`](https://github.com/transparency-dev/armored-witness/tree/main/cmd/sign) - tool and adds the resulting signed Statement as an entry to the public - firmware transparency log. - -TODO: add links for the GCS buckets once public. - -## Claimant Model - -| Role | Description | -| ----------- | ----------- | -| **Claimant** | Transparency.dev team | -| **Claim** |
  1. The digest of the recovery tool is derived from this source Github repository, and is reproducible.
  2. The recovery tool is issued by the Transparency.dev team.
|
-| **Believer** | The [provision](https://github.com/transparency-dev/armored-witness/tree/main/cmd/provision) and [verify](https://github.com/transparency-dev/armored-witness/tree/main/cmd/verify) tools. |
-| **Verifier** |
  1. For Claim #1: third party auditing the Transparency.dev team
  2. For Claim #2: the Transparency.dev team
|
-| **Arbiter** | Log ecosystem participants and reliers |
-
-The **Statement** is defined in
-[https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog/log_entries.go](https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog/log_entries.go).
-An example is available at
-[https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog//example_firmware_release.json](https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog//example_firmware_release.json).
\ No newline at end of file
diff --git a/recovery/cloudbuild_ci.yaml b/recovery/cloudbuild_ci.yaml
deleted file mode 100644
index 30a910f..0000000
--- a/recovery/cloudbuild_ci.yaml
+++ /dev/null
@@ -1,207 +0,0 @@
-steps:
- ### Build the recovery binary and upload it to GCS.
- # Build an image containing the trusted applet artifacts with the Dockerfile.
- - name: gcr.io/cloud-builders/docker
- args:
- - build
- - --build-arg
- - TAMAGO_VERSION=${_TAMAGO_VERSION}
- - --build-arg
- - ARMORY_UMS_VERSION=${_ARMORY_UMS_VERSION}
- - -t
- - builder-image
- - recovery
- # Prepare a container with a copy of the artifacts.
- - name: gcr.io/cloud-builders/docker
- args:
- - create
- - --name
- - builder_scratch
- - builder-image
- # Copy the artifacts from the container to the Cloud Build VM.
- - name: gcr.io/cloud-builders/docker
- args:
- - cp
- - builder_scratch:/build/armory-ums
- - output
- # List the artifacts.
- - name: bash
- args:
- - ls
- - output
- # Copy the artifacts from the Cloud Build VM to GCS.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage cp \
- output/armory-ums.imx \
- gs://${_FIRMWARE_BUCKET}/$(sha256sum output/armory-ums.imx | cut -f1 -d" ")
- # HAB: Create SRK table & hash
- # TODO(al): we should probably store the generated SRK/hash in a GCS bucket and then compare each time to ensure that nothing bad has happened with our PKI.
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -1 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk1-rev4-ci \
- -2 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk2-rev4-ci \
- -3 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk3-rev4-ci \
- -4 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk4-rev4-ci \
- -o output/gcp_hab_rev4_ci_srk.hash \
- -t output/gcp_hab_rev4_ci_srk.srk
- # Assert SRK hash value
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- if [ -n "${_EXPECTED_SRK_HASH} "]; then \
- GOT=$(od -An -tx1 output/gcp_hab_rev4_ci_srk.hash | tr -d ' \n'); \
- if [ "${_EXPECTED_SRK_HASH}" != "$${GOT}" ]; then \
- echo "Got SRK hash '$${GOT}'"; \
- echo "Expected SRK hash '${_EXPECTED_SRK_HASH}'"; \
- exit 1; \
- fi; \
- fi
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -a projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificates/hab-csf1-rev4-2-ci \
- -A projects/armored-witness/locations/global/keyRings/hab-ci/cryptoKeys/hab-csf1-rev4-ci/cryptoKeyVersions/1 \
- -b projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificates/hab-img1-rev4-2-ci \
- -B projects/armored-witness/locations/global/keyRings/hab-ci/cryptoKeys/hab-img1-rev4-ci/cryptoKeyVersions/1 \
- -x 1 \
- -s \
- -t output/gcp_hab_rev4_ci_srk.srk \
- -i output/armory-ums.imx \
- -o output/armory-ums.csf
- # Copy the HAB signature into the CAS
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage cp \
- output/armory-ums.csf \
- gs://${_FIRMWARE_BUCKET}/$(sha256sum output/armory-ums.csf | cut -f1 -d" ")
- ### Construct log entry / Claimant Model statement.
- # This step needs to be a bash script in order to substitute the fake tag in
- # the command args.
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/transparency-dev/armored-witness/cmd/manifest@main \
- create \
- --git_tag=${_MANUAL_TAG} \
- --git_commit_fingerprint=${_ARMORY_UMS_VERSION} \
- --firmware_file=output/armory-ums.imx \
- --firmware_type=RECOVERY \
- --tamago_version=${_TAMAGO_VERSION} \
- --hab_signature_file=output/armory-ums.csf \
- --hab_target=ci \
- --raw \
- --output_file=output/recovery_manifest_unsigned.json
- # Sign the log entry.
- - name: golang
- args:
- - go
- - run
- - github.com/transparency-dev/armored-witness/cmd/sign@main
- - --project_name=${PROJECT_ID}
- - --release=ci
- - --artefact=recovery
- - --manifest_file=output/recovery_manifest_unsigned.json
- - --output_file=output/recovery_manifest
- # Print the content of the signed manifest.
- - name: bash
- args:
- - cat
- - output/recovery_manifest
- ### Write the firmware release to the transparency log.
- # Copy the log entry to the sequence bucket, preparing to write to log.
- #
- # Use the SHA256 of the manifest as the name of the manifest. This allows
- # multiple triggers to run without colliding.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage cp output/recovery_manifest \
- gs://${_LOG_NAME}/${_ENTRIES_DIR}/$(sha256sum output/recovery_manifest | cut -f1 -d" ")/recovery_manifest
- # Sequence log entry.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - >
- gcloud functions call sequence \
-
- --data="{
- \"entriesDir\": \"${_ENTRIES_DIR}/$(sha256sum output/recovery_manifest | cut -f1 -d" ")\",
- \"origin\": \"${_ORIGIN}\",
- \"bucket\": \"${_LOG_NAME}\",
- \"kmsKeyName\": \"ft-log-ci\",
- \"kmsKeyRing\": \"firmware-release-ci\",
- \"kmsKeyVersion\": ${_KEY_VERSION},
- \"kmsKeyLocation\": \"global\",
- \"noteKeyName\": \"transparency.dev-aw-ftlog-ci-${_KEY_VERSION}\",
- \"checkpointCacheControl\": \"${_CHECKPOINT_CACHE}\"
- }"
- # Integrate log entry.
- - name: gcr.io/cloud-builders/gcloud
- args:
- - functions
- - call
- - integrate
- - --data
- - >-
- {
- "origin": "${_ORIGIN}",
- "bucket": "${_LOG_NAME}",
- "kmsKeyName": "ft-log-ci",
- "kmsKeyRing": "firmware-release-ci",
- "kmsKeyVersion": ${_KEY_VERSION},
- "kmsKeyLocation": "global",
- "noteKeyName": "transparency.dev-aw-ftlog-ci-${_KEY_VERSION}",
- "checkpointCacheControl": "${_CHECKPOINT_CACHE}"
- }
- # Clean up the file we added to the _ENTRIES_DIR bucket now that it's been
- # integrated to the log.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage rm \
- gs://${_LOG_NAME}/${_ENTRIES_DIR}/$(sha256sum output/recovery_manifest | cut -f1 -d" ")/recovery_manifest
-substitutions:
- # Note that to be a valid CloudBuild config these MUST all be strings.
- # Without explicit quotes, some things may be interpreted as other types since
- # this is a YAML file, so to avoid future tears let's keep these all quoted.
- #
- # Build-related.
- _FIRMWARE_BUCKET: 'armored-witness-firmware-ci-2'
- _MANUAL_TAG: '0.0.0'
- _TAMAGO_VERSION: '1.22.0'
- # Pinned at tag [v20231018](https://github.com/usbarmory/armory-ums/releases/tag/v20231018)
- # This MUST be a full git commit tag for the armory-ums repo
- _ARMORY_UMS_VERSION: '850baf54809bd29548d6f817933240043400a4e1'
- # Log-related.
- # This must correspond with the trailing number on the _FIRMWARE_BUCKET, _ORIGIN, _LOG_NAME values.
- _KEY_VERSION: '2'
- _LOG_NAME: 'armored-witness-firmware-log-ci-2'
- _ORIGIN: 'transparency.dev/armored-witness/firmware_transparency/ci/2'
- _CHECKPOINT_CACHE: 'public, max-age=30'
- # Pinned SRK hash
- _EXPECTED_SRK_HASH: 'b8ba457320663bf006accd3c57e06720e63b21ce5351cb91b4650690bb08d85a'
diff --git a/recovery/cloudbuild_presubmit.yaml b/recovery/cloudbuild_presubmit.yaml
deleted file mode 100644
index bcfd396..0000000
--- a/recovery/cloudbuild_presubmit.yaml
+++ /dev/null
@@ -1,110 +0,0 @@
-steps:
- ### Build the recovery binary and upload it to GCS.
- # Build an image containing the trusted applet artifacts with the Dockerfile.
- - name: gcr.io/cloud-builders/docker
- args:
- - build
- - --build-arg
- - TAMAGO_VERSION=${_TAMAGO_VERSION}
- - -t
- - builder-image
- - recovery
- # Prepare a container with a copy of the artifacts.
- - name: gcr.io/cloud-builders/docker
- args:
- - create
- - --name
- - builder_scratch
- - builder-image
- # Copy the artifacts from the container to the Cloud Build VM.
- - name: gcr.io/cloud-builders/docker
- args:
- - cp
- - builder_scratch:/build/armory-ums
- - output
- # List the artifacts.
- - name: bash
- args:
- - ls
- - output
- # HAB: Create SRK table & hash
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -1 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk1-rev0-presubmit \
- -2 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk2-rev0-presubmit \
- -3 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk3-rev0-presubmit \
- -4 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk4-rev0-presubmit \
- -o output/gcp_hab_rev0_presubmit_srk.hash \
- -t output/gcp_hab_rev0_presubmit_srk.srk
- # Assert SRK hash value
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- if [ -n "${_EXPECTED_SRK_HASH}" ]; then \
- GOT=$(od -An -tx1 output/gcp_hab_rev0_presubmit_srk.hash | tr -d ' \n'); \
- if [ "${_EXPECTED_SRK_HASH}" != "$${GOT}" ]; then \
- echo "Got SRK hash '$${GOT}'"; \
- echo "Expected SRK hash '${_EXPECTED_SRK_HASH}'"; \
- exit 1; \
- fi; \
- fi
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -a projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificates/hab-csf1-rev0-presubmit \
- -A projects/armored-witness/locations/global/keyRings/hab-presubmit/cryptoKeys/hab-csf1-rev0-presubmit/cryptoKeyVersions/1 \
- -b projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificates/hab-img1-rev0-presubmit \
- -B projects/armored-witness/locations/global/keyRings/hab-presubmit/cryptoKeys/hab-img1-rev0-presubmit/cryptoKeyVersions/1 \
- -x 1 \
- -s \
- -t output/gcp_hab_rev0_presubmit_srk.srk \
- -i output/armory-ums.imx \
- -o output/armory-ums.csf
- ### Construct log entry / Claimant Model statement.
- # This step needs to be a bash script in order to substitute the fake tag in
- # the command args.
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/transparency-dev/armored-witness/cmd/manifest@main \
- create \
- --git_tag=${_MANUAL_TAG} \
- --git_commit_fingerprint=${COMMIT_SHA} \
- --firmware_file=output/armory-ums.imx \
- --firmware_type=RECOVERY \
- --tamago_version=${_TAMAGO_VERSION} \
- --hab_signature_file=output/armory-ums.csf \
- --hab_target=ci \
- --raw \
- --output_file=output/recovery_manifest_unsigned.json
- # TODO: sign the log entry with github.com/transparency-dev/armored-witness/cmd/sign
- # after we create presubmit keys.
- #
- # Print the content of the signed manifest.
- - name: bash
- args:
- - cat
- - output/recovery_manifest_unsigned.json
-substitutions:
- # Note that to be a valid CloudBuild config these MUST all be strings.
- # Without explicit quotes, some things may be interpreted as other types since
- # this is a YAML file, so to avoid future tears let's keep these all quoted.
- #
- # Build-related.
- _MANUAL_TAG: '0.0.0'
- _TAMAGO_VERSION: '1.22.0'
- # Pinned SRK hash
- _EXPECTED_SRK_HASH: 'c91245871a69bd54b9ebd0e540b42c485396d19c338c8a94dc1c4c3a42a8c25e'
diff --git a/release/README.md b/release/README.md
deleted file mode 100644
index 3cfdbd5..0000000
--- a/release/README.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# Bootloader Release Process
-
-## File structure
-
-* The Dockerfile found in the root of the repo builds an image which installs
- dependencies and compiles the bootloader with TamaGo. The version of
- TamaGo to use can be specified with the Docker
- [build arg](https://docs.docker.com/engine/reference/commandline/build/#build-arg)
- `TAMAGO_VERSION`.
-* Cloud Build triggers for the presubmit, continuous integration (CI)m and
- prod environments are defined on the Cloud Build yaml files in this
- directory.
-
-## Build and Release Process
-
-A
-[Cloud Build trigger](https://cloud.google.com/build/docs/automating-builds/create-manage-triggers)
-is defined by a yaml config file and is invoked when a new tag is published in
-this repository.
-
-The pipeline includes two main steps: building and making available the
-bootloader imx, and writing the release metadata (Claimant Model Statement) to
-the firmware transparency log.
-
-1. Cloud Build builds the bootloader builder Docker image and uploads the
- compiled bootloader imx file to a public Google Cloud Storage bucket.
-1. Cloud Build runs the
- [`manifest`](https://github.com/transparency-dev/armored-witness/tree/main/cmd/manifest)
- tool to construct the Claimant Model Statement with arguments specific to
- this release. It signs the Statement with the
- [`sign`](https://github.com/transparency-dev/armored-witness/tree/main/cmd/sign)
- tool and adds the resulting signed Statement as an entry to the public
- firmware transparency log.
-
-TODO: add links for the GCS buckets once public.
-
-## Claimant Model
-
-| Role | Description |
-| ----------- | ----------- |
-| **Claimant** | Transparency.dev team |
-| **Claim** |
  1. The digest of the bootloader is derived from this source Github repository, and is reproducible.
  2. The bootloader firmware is issued by the Transparency.dev team.
|
-| **Believer** | The [provision](https://github.com/transparency-dev/armored-witness/tree/main/cmd/provision) and [verify](https://github.com/transparency-dev/armored-witness/tree/main/cmd/verify) tools. |
-| **Verifier** |
  1. For Claim #1: third party auditing the Transparency.dev team
  2. For Claim #2: the Transparency.dev team
|
-| **Arbiter** | Log ecosystem participants and reliers |
-
-The **Statement** is defined in
-[https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog/log_entries.go](https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog/log_entries.go).
-An example is available at
-[https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog//example_firmware_release.json](https://github.com/transparency-dev/armored-witness-common/tree/main/release/firmware/ftlog//example_firmware_release.json).
\ No newline at end of file
diff --git a/release/cloudbuild_ci.yaml b/release/cloudbuild_ci.yaml
deleted file mode 100644
index 14c9d80..0000000
--- a/release/cloudbuild_ci.yaml
+++ /dev/null
@@ -1,228 +0,0 @@
-steps:
- # First create a fake tag we'll use throughout the CI build process below.
- # Unfortunately, GCB has no concept of dynamically creating substitutions or
- # passing ENV vars between steps, so the best we can do is to create a file
- # containing our tag in the shared workspace which other steps can inspect.
- - name: bash
- script: |
- date +'0.0.%s-incompatible' > /workspace/fake_tag
- cat /workspace/fake_tag
- ### Build the bootloader binary and upload it to GCS.
- # Use the dockerfile to build an image containing the bootloader artifact.
- - name: gcr.io/cloud-builders/docker
- entrypoint: bash
- args:
- - -c
- - |
- docker build \
- --build-arg=TAMAGO_VERSION=${_TAMAGO_VERSION} \
- --build-arg=GIT_SEMVER_TAG=$(cat /workspace/fake_tag) \
- --build-arg=LOG_ORIGIN=${_ORIGIN} \
- --build-arg=LOG_PUBLIC_KEY=${_LOG_PUBLIC_KEY} \
- --build-arg=OS_PUBLIC_KEY1=${_OS_PUBLIC_KEY1} \
- --build-arg=OS_PUBLIC_KEY2=${_OS_PUBLIC_KEY2} \
- --build-arg=BEE=${_BEE} \
- --build-arg=CONSOLE=${_CONSOLE} \
- -t builder-image \
- .
- # Prepare a container with a copy of the artifacts.
- - name: gcr.io/cloud-builders/docker
- args:
- - create
- - --name
- - builder_scratch
- - builder-image
- # Copy the artifacts from the container to the Cloud Build VM.
- - name: gcr.io/cloud-builders/docker
- args:
- - cp
- - builder_scratch:/build
- - output
- # List the artifacts.
- - name: bash
- args:
- - ls
- - output
- # Copy the artifacts from the Cloud Build VM to GCS.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage cp \
- output/armored-witness-boot.imx \
- gs://${_FIRMWARE_BUCKET}/$(sha256sum output/armored-witness-boot.imx | cut -f1 -d" ")
- # HAB: Create SRK table & hash
- # TODO(al): we should probably store the generated SRK/hash in a GCS bucket and then compare each time to ensure that nothing bad has happened with our PKI.
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -1 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk1-rev4-ci \
- -2 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk2-rev4-ci \
- -3 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk3-rev4-ci \
- -4 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificateAuthorities/hab-srk4-rev4-ci \
- -o output/gcp_hab_rev4_ci_srk.hash \
- -t output/gcp_hab_rev4_ci_srk.srk
- # Assert SRK hash value
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- if [ -n "${_EXPECTED_SRK_HASH}" ]; then \
- GOT=$(od -An -tx1 output/gcp_hab_rev4_ci_srk.hash | tr -d ' \n'); \
- if [ "${_EXPECTED_SRK_HASH}" != "$${GOT}" ]; then \
- echo "Got SRK hash '$${GOT}'"; \
- echo "Expected SRK hash '${_EXPECTED_SRK_HASH}'"; \
- exit 1; \
- fi; \
- fi
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -a projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificates/hab-csf1-rev4-2-ci \
- -A projects/armored-witness/locations/global/keyRings/hab-ci/cryptoKeys/hab-csf1-rev4-ci/cryptoKeyVersions/1 \
- -b projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-ci/certificates/hab-img1-rev4-2-ci \
- -B projects/armored-witness/locations/global/keyRings/hab-ci/cryptoKeys/hab-img1-rev4-ci/cryptoKeyVersions/1 \
- -x 1 \
- -t output/gcp_hab_rev4_ci_srk.srk \
- -i output/armored-witness-boot.imx \
- -o output/armored-witness-boot.csf
- # Copy the HAB signature into the CAS
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage cp \
- output/armored-witness-boot.csf \
- gs://${_FIRMWARE_BUCKET}/$(sha256sum output/armored-witness-boot.csf | cut -f1 -d" ")
- ### Construct log entry / Claimant Model statement.
- # This step needs to be a bash script in order to substitute the fake tag in
- # the command args.
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/transparency-dev/armored-witness/cmd/manifest@main \
- create \
- --git_tag=$(cat /workspace/fake_tag) \
- --git_commit_fingerprint=${COMMIT_SHA} \
- --firmware_file=output/armored-witness-boot.imx \
- --firmware_type=BOOTLOADER \
- --tamago_version=${_TAMAGO_VERSION} \
- --build_env="LOG_ORIGIN=${_ORIGIN}" \
- --build_env="LOG_PUBLIC_KEY=${_LOG_PUBLIC_KEY}" \
- --build_env="OS_PUBLIC_KEY1=${_OS_PUBLIC_KEY1}" \
- --build_env="OS_PUBLIC_KEY2=${_OS_PUBLIC_KEY2}" \
- --build_env="BEE=${_BEE}" \
- --build_env="CONSOLE=${_CONSOLE}" \
- --hab_signature_file=output/armored-witness-boot.csf \
- --hab_target=ci \
- --raw \
- --output_file=output/boot_manifest_unsigned.json
- # Sign the log entry.
- - name: golang
- args:
- - go
- - run
- - github.com/transparency-dev/armored-witness/cmd/sign@main
- - --project_name=${PROJECT_ID}
- - --release=ci
- - --artefact=boot
- - --manifest_file=output/boot_manifest_unsigned.json
- - --output_file=output/boot_manifest
- # Print the content of the signed manifest.
- - name: bash
- args:
- - cat
- - output/boot_manifest
- ### Write the firmware release to the transparency log.
- # Copy the log entry to the sequence bucket, preparing to write to log.
- #
- # Use the SHA256 of the manifest as the name of the manifest. This allows
- # multiple triggers to run without colliding.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage cp output/boot_manifest \
- gs://${_LOG_NAME}/${_ENTRIES_DIR}/$(sha256sum output/boot_manifest | cut -f1 -d" ")/boot_manifest
- # Sequence log entry.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - >
- gcloud functions call sequence \
-
- --data="{
- \"entriesDir\": \"${_ENTRIES_DIR}/$(sha256sum output/boot_manifest | cut -f1 -d" ")\",
- \"origin\": \"${_ORIGIN}\",
- \"bucket\": \"${_LOG_NAME}\",
- \"kmsKeyName\": \"ft-log-ci\",
- \"kmsKeyRing\": \"firmware-release-ci\",
- \"kmsKeyVersion\": ${_KEY_VERSION},
- \"kmsKeyLocation\": \"global\",
- \"noteKeyName\": \"transparency.dev-aw-ftlog-ci-${_KEY_VERSION}\",
- \"checkpointCacheControl\": \"${_CHECKPOINT_CACHE}\"
- }"
- # Integrate log entry.
- - name: gcr.io/cloud-builders/gcloud
- args:
- - functions
- - call
- - integrate
- - --data
- - >-
- {
- "origin": "${_ORIGIN}",
- "bucket": "${_LOG_NAME}",
- "kmsKeyName": "ft-log-ci",
- "kmsKeyRing": "firmware-release-ci",
- "kmsKeyVersion": ${_KEY_VERSION},
- "kmsKeyLocation": "global",
- "noteKeyName": "transparency.dev-aw-ftlog-ci-${_KEY_VERSION}",
- "checkpointCacheControl": "${_CHECKPOINT_CACHE}"
- }
- # Clean up the file we added to the _ENTRIES_DIR bucket now that it's been
- # integrated to the log.
- - name: gcr.io/cloud-builders/gcloud
- entrypoint: bash
- args:
- - -c
- - |
- gcloud storage rm \
- gs://${_LOG_NAME}/${_ENTRIES_DIR}/$(sha256sum output/boot_manifest | cut -f1 -d" ")/boot_manifest
-substitutions:
- # Note that to be a valid CloudBuild config these MUST all be strings.
- # Without explicit quotes, some things may be interpreted as other types since
- # this is a YAML file, so to avoid future tears let's keep these all quoted.
- #
- # Build-related.
- _FIRMWARE_BUCKET: 'armored-witness-firmware-ci-2'
- _TAMAGO_VERSION: '1.22.0'
- _BEE: '1'
- _CONSOLE: 'on'
- # Log-related.
- _ENTRIES_DIR: 'firmware-log-sequence'
- # This must correspond with the trailing number on the _FIRMWARE_BUCKET, _ORIGIN, _LOG_NAME values.
- _KEY_VERSION: '2'
- _LOG_NAME: 'armored-witness-firmware-log-ci-2'
- _ORIGIN: 'transparency.dev/armored-witness/firmware_transparency/ci/2'
- _LOG_PUBLIC_KEY: 'transparency.dev-aw-ftlog-ci-2+f77c6276+AZXqiaARpwF4MoNOxx46kuiIRjrML0PDTm+c7BLaAMt6'
- _OS_PUBLIC_KEY1: 'transparency.dev-aw-os1-ci+7a0eaef3+AcsqvmrcKIbs21H2Bm2fWb6oFWn/9MmLGNc6NLJty2eQ'
- _OS_PUBLIC_KEY2: 'transparency.dev-aw-os2-ci+af8e4114+AbBJk5MgxRB+68KhGojhUdSt1ts5GAdRIT1Eq9zEkgQh'
- _CHECKPOINT_CACHE: 'public, max-age=30'
- # Pinned SRK hash
- _EXPECTED_SRK_HASH: 'b8ba457320663bf006accd3c57e06720e63b21ce5351cb91b4650690bb08d85a'
diff --git a/release/cloudbuild_presubmit.yaml b/release/cloudbuild_presubmit.yaml
deleted file mode 100644
index f985633..0000000
--- a/release/cloudbuild_presubmit.yaml
+++ /dev/null
@@ -1,112 +0,0 @@
-steps:
- ### Build the bootloader binary and upload it to GCS.
- # Use the dockerfile to build an image containing the bootloader artifact.
- - name: gcr.io/cloud-builders/docker
- args:
- - build
- - --build-arg
- - TAMAGO_VERSION=${_TAMAGO_VERSION}
- - --build-arg
- - LOG_ORIGIN=${_ORIGIN}
- - -t
- - builder-image
- - .
- # Prepare a container with a copy of the artifacts.
- - name: gcr.io/cloud-builders/docker
- args:
- - create
- - --name
- - builder_scratch
- - builder-image
- # Copy the artifacts from the container to the Cloud Build VM.
- - name: gcr.io/cloud-builders/docker
- args:
- - cp
- - builder_scratch:/build
- - output
- # List the artifacts.
- - name: bash
- args:
- - ls
- - output
- # HAB: Create SRK table & hash
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -1 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk1-rev0-presubmit \
- -2 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk2-rev0-presubmit \
- -3 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk3-rev0-presubmit \
- -4 projects/armored-witness/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificateAuthorities/hab-srk4-rev0-presubmit \
- -o output/gcp_hab_rev0_presubmit_srk.hash \
- -t output/gcp_hab_rev0_presubmit_srk.srk
- # Assert SRK hash value
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- if [ -n "${_EXPECTED_SRK_HASH}" ]; then \
- GOT=$(od -An -tx1 output/gcp_hab_rev0_presubmit_srk.hash | tr -d ' \n'); \
- if [ "${_EXPECTED_SRK_HASH}" != "$${GOT}" ]; then \
- echo "Got SRK hash '$${GOT}'"; \
- echo "Expected SRK hash '${_EXPECTED_SRK_HASH}'"; \
- exit 1; \
- fi; \
- fi;
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/usbarmory/crucible/cmd/habtool@c77ff4b67b3cd86b4328ecbcad23394d54638ddc \
- -z gcp \
- -a projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificates/hab-csf1-rev0-presubmit \
- -A projects/armored-witness/locations/global/keyRings/hab-presubmit/cryptoKeys/hab-csf1-rev0-presubmit/cryptoKeyVersions/1 \
- -b projects/1071548024491/locations/us-central1/caPools/aw-hab-ca-pool-rev0-presubmit/certificates/hab-img1-rev0-presubmit \
- -B projects/armored-witness/locations/global/keyRings/hab-presubmit/cryptoKeys/hab-img1-rev0-presubmit/cryptoKeyVersions/1 \
- -x 1 \
- -t output/gcp_hab_rev0_presubmit_srk.srk \
- -i output/armored-witness-boot.imx \
- -o output/armored-witness-boot.csf
- ### Construct log entry / Claimant Model statement.
- # This step needs to be a bash script in order to substitute the fake tag in
- # the command args.
- - name: golang
- entrypoint: bash
- args:
- - -c
- - |
- go run github.com/transparency-dev/armored-witness/cmd/manifest@main \
- create \
- --git_tag=${_MANUAL_TAG} \
- --git_commit_fingerprint=${COMMIT_SHA} \
- --firmware_file=output/armored-witness-boot.imx \
- --firmware_type=BOOTLOADER \
- --tamago_version=${_TAMAGO_VERSION} \
- --hab_signature_file=output/armored-witness-boot.csf \
- --hab_target=presubmit \
- --raw \
- --output_file=output/boot_manifest_unsigned.json
- # TODO: sign the log entry with github.com/transparency-dev/armored-witness/cmd/sign
- # after we create presubmit keys.
- #
- # Print the content of the signed manifest.
- - name: bash
- args:
- - cat
- - output/boot_manifest_unsigned.json
-substitutions:
- # Note that to be a valid CloudBuild config these MUST all be strings.
- # Without explicit quotes, some things may be interpreted as other types since
- # this is a YAML file, so to avoid future tears let's keep these all quoted.
- #
- # Build-related.
- _MANUAL_TAG: '0.0.0'
- _TAMAGO_VERSION: '1.22.0'
- _ORIGIN: 'transparency.dev/armored-witness/firmware_transparency/presubmit/1'
- # Pinned SRK hash
- _EXPECTED_SRK_HASH: 'c91245871a69bd54b9ebd0e540b42c485396d19c338c8a94dc1c4c3a42a8c25e'