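# This file defines the artifact to be used for the s390x secex platform.
#
# Integrity model, as far as this manifest shows it: the `boot` and `root`
# partitions get dm-verity hash trees in the `boothash` / `roothash`
# partitions, and the resulting root hashes are written to `bootfs_hash` /
# `rootfs_hash` and exported by the `qemu-secex` pipeline. Those hashes only
# act as a trust anchor if whatever consumes them is itself authenticated
# (presumably the Secure Execution boot image placed on the `se` partition —
# confirm in the consuming build step, which is outside this file).
version: '2'

mpp-vars:
  # Root partition size; `rootfs_size_mb` is expected to be supplied by the
  # including manifest.
  root_size_mb:
    mpp-format-int: $rootfs_size_mb

mpp-define-images:
  # Secure Execution image. It MUST contain the same partitions (same partnums)
  # as `image`, plus 3 additional ones: `se`, `boothash` and `roothash`.
  - id: image_secex
    sector_size:
      mpp-format-int: "{sector_size}"
    size:
      mpp-format-string: "{metal_image_size_mb * 1024 * 1024}"
    table:
      # Fixed disk GUID (rather than a random one) so the partition table is
      # identical from build to build.
      uuid: 00000000-0000-4000-a000-000000000001
      label: gpt
      partitions:
        # Holds the Secure Execution boot (`sdboot`) image; it is NOT covered
        # by the dm-verity setup below. Its protection presumably comes from
        # the SE boot image format itself — confirm.
        - name: se
          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
          partnum: 1
          size:
            mpp-format-int: "{se_size_mb * 1024 * 1024 / sector_size}"
        # partnum 2 is intentionally skipped: per the comment above, `boot`
        # and `root` must keep the partnums they have in `image`.
        - name: boot
          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
          partnum: 3
          size:
            mpp-format-int: "{boot_size_mb * 1024 * 1024 / sector_size}"
        - name: root
          type: 0FC63DAF-8483-4772-8E79-3D69D8477DE4
          partnum: 4
          size:
            mpp-format-int: "{root_size_mb * 1024 * 1024 / sector_size}"
        # dm-verity hash tree for `boot`.
        # NOTE(review): no explicit `type` here, unlike `roothash`, so sfdisk
        # applies its default partition type — confirm that is intended.
        - name: boothash
          partnum: 5
          size:
            mpp-format-int: "{boot_verity_size_mb * 1024 * 1024 / sector_size}"
        # dm-verity hash tree for `root`.
        - name: roothash
          type: B325BFBE-C7BE-4AB8-8357-139E652D2F6B
          partnum: 6
          size:
            mpp-format-int: "{root_verity_size_mb * 1024 * 1024 / sector_size}"

pipelines:
  # IBM Secure Execution (secex) image has a special layout.
  - name: raw-secex-image
    build:
      mpp-format-string: '{buildroot}'
    stages:
      # Sparse disk image sized from the image definition above.
      - type: org.osbuild.truncate
        options:
          filename: disk.img
          size:
            mpp-format-string: '{image_secex.size}'
      # Write the GPT partition table defined by `image_secex`.
      - type: org.osbuild.sfdisk
        devices:
          device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
        options:
          mpp-format-json: '{image_secex.layout}'
      # ext4 on `boot`. The loopback device is limited to the partition's
      # start/size and locked (`lock: true`) for the duration of mkfs.
      - type: org.osbuild.mkfs.ext4
        devices:
          device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''boot''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''boot''].size}'
              lock: true
        options:
          uuid:
            mpp-format-string: '{boot_fs_uuid}'
          label:
            mpp-format-string: '{boot_fs_label}'
          # Set the metadata_csum_seed ext4 option manually, otherwise changing
          # the filesystem UUID while it is mounted does not work. This can be
          # removed once metadata_csum_seed is the default in RHEL, which can
          # be checked by looking in /etc/mke2fs.conf.
          metadata_csum_seed: true
      # xfs on `root`, same device restrictions as for `boot`.
      - type: org.osbuild.mkfs.xfs
        devices:
          device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''root''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''root''].size}'
              lock: true
        options:
          uuid:
            mpp-format-string: '{root_fs_uuid}'
          label:
            mpp-format-string: '{root_fs_label}'
      # ext4 on `se`. The UUID is random, which makes this filesystem the one
      # non-reproducible part of the disk; the label comes from `sd_fs_label`.
      - type: org.osbuild.mkfs.ext4
        devices:
          device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''se''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''se''].size}'
              lock: true
        options:
          uuid: random
          label:
            mpp-format-string: '{sd_fs_label}'
      # Copy the `tree` pipeline's output onto the disk, with `boot` mounted
      # under the root mount so /boot content lands on its own partition.
      - type: org.osbuild.copy
        inputs:
          tree:
            type: org.osbuild.tree
            origin: org.osbuild.pipeline
            references:
              - name:tree
        options:
          paths:
            - from: input://tree/
              to: mount://root/
        devices:
          disk:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              partscan: true
        mounts:
          - name: root
            type: org.osbuild.xfs
            source: disk
            partition:
              mpp-format-int: '{image_secex.layout[''root''].partnum}'
            target: /
          - name: boot
            type: org.osbuild.ext4
            source: disk
            partition:
              mpp-format-int: '{image_secex.layout[''boot''].partnum}'
            target: /boot
      # Set the immutable bit on `mount://root/`.
      # NOTE(review): with the ostree.deployment mount active, mount://root/
      # presumably resolves to the default deployment's root rather than the
      # raw filesystem top level — confirm. The mkdir stage below mounts root
      # without that mount and does need to create a top-level directory.
      - type: org.osbuild.chattr
        options:
          items:
            mount://root/:
              immutable: true
        devices:
          disk:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              partscan: true
        mounts:
          - name: root
            type: org.osbuild.xfs
            source: disk
            partition:
              mpp-format-int: '{image_secex.layout[''root''].partnum}'
            target: /
          - name: ostree.deployment
            type: org.osbuild.ostree.deployment
            options:
              source: mount
              deployment:
                default: true
      # For secex, create the mount point for the filesystem labeled `se`,
      # where the `sdboot` image gets stored.
      - type: org.osbuild.mkdir
        options:
          paths:
            - path: mount://root/se
        devices:
          disk:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              partscan: true
        mounts:
          - name: root
            type: org.osbuild.xfs
            source: disk
            partition:
              mpp-format-int: '{image_secex.layout[''root''].partnum}'
            target: /

  - name: raw-qemu-secex-image
    build:
      mpp-format-string: '{buildroot}'
    stages:
      # Start from the raw secex disk built above.
      - type: org.osbuild.copy
        inputs:
          tree:
            type: org.osbuild.tree
            origin: org.osbuild.pipeline
            references:
              - name:raw-secex-image
        options:
          paths:
            - from: input://tree/disk.img
              to: tree:///disk.img
      # Increase the size to the cloud image size. Only the file grows; the
      # partition table written from `image_secex` is not changed here.
      - type: org.osbuild.truncate
        options:
          filename: disk.img
          size:
            mpp-format-string: "{cloud_image_size_mb * 1024 * 1024}"
      # Still use `qemu` as the platform name here even though this is the
      # `qemu-secex` artifact we are creating, similar to how `metal4k` still
      # uses `metal` as its platform.
      # The mounts reference `image_secex` (the layout actually written to this
      # disk), like every other stage in this file, rather than `image`, so the
      # stage does not silently depend on the two layouts agreeing.
      - type: org.osbuild.coreos.platform
        options:
          platform: qemu
        devices:
          disk:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              partscan: true
        mounts:
          - name: root
            type: org.osbuild.xfs
            source: disk
            partition:
              mpp-format-int: '{image_secex.layout[''root''].partnum}'
            target: /
          - name: ostree.deployment
            type: org.osbuild.ostree.deployment
            options:
              source: mount
              deployment:
                default: true
          - name: boot
            type: org.osbuild.ext4
            source: disk
            partition:
              mpp-format-int: '{image_secex.layout[''boot''].partnum}'
            target: /boot
      # For secex, set up dm-verity for `boot`: the hash tree goes to the
      # `boothash` partition and the root hash to the file `bootfs_hash` in
      # this pipeline's tree.
      # The two dm-verity stages must remain the last stages that modify
      # `boot` / `root`: any later write to either partition invalidates the
      # recorded root hash.
      - type: org.osbuild.dmverity
        options:
          root_hash_file: "bootfs_hash"
        devices:
          data_device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''boot''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''boot''].size}'
          hash_device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''boothash''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''boothash''].size}'
      # For secex, set up dm-verity for `root` (hash tree in `roothash`, root
      # hash in `rootfs_hash`).
      - type: org.osbuild.dmverity
        options:
          root_hash_file: "rootfs_hash"
        devices:
          data_device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''root''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''root''].size}'
          hash_device:
            type: org.osbuild.loopback
            options:
              filename: disk.img
              start:
                mpp-format-int: '{image_secex.layout[''roothash''].start}'
              size:
                mpp-format-int: '{image_secex.layout[''roothash''].size}'

  - name: qemu-secex
    build:
      mpp-format-string: '{qemu_stage_buildroot}'
    stages:
      # Convert the raw disk to an uncompressed qcow2.
      # NOTE(review): the output filename below looks like a placeholder —
      # confirm the intended artifact name before building from this file.
      - type: org.osbuild.qemu
        inputs:
          image:
            type: org.osbuild.files
            origin: org.osbuild.pipeline
            references:
              name:raw-qemu-secex-image:
                file: disk.img
        options:
          filename:
            mpp-format-string: '(unknown)'
          format:
            type: qcow2
            compression: false
            compat: '1.1'
      # For secex, export the dm-verity root hash for `boot` next to the image;
      # it is consumed outside this file.
      - type: org.osbuild.copy
        inputs:
          tree:
            type: org.osbuild.tree
            origin: org.osbuild.pipeline
            references:
              - name:raw-qemu-secex-image
        options:
          paths:
            - from: input://tree/bootfs_hash
              to: tree:///bootfs_hash
      # For secex, export the dm-verity root hash for `root` the same way.
      - type: org.osbuild.copy
        inputs:
          tree:
            type: org.osbuild.tree
            origin: org.osbuild.pipeline
            references:
              - name:raw-qemu-secex-image
        options:
          paths:
            - from: input://tree/rootfs_hash
              to: tree:///rootfs_hash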