mock: bind mount qubes-pesign socket on build #77
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marmarek
reviewed
Dec 1, 2023
| @@ -17,6 +17,10 @@ config_opts['use_bootstrap'] = False | |||
| config_opts['plugin_conf']['bind_mount_enable'] = os.environ.get("BIND_MOUNT_ENABLE", False) | |||
| config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('@BUILDER_DIR@/plugins', '/plugins' )) | |||
|
|
|||
| # mount the pesign socket into the chroot | |||
| config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/qubes-pesign', '/var/run/qubes-pesign' )) | |||
| config_opts['nspawn_args'] += ['--bind=/var/run/qubes-pesign'] | |||
There was a problem hiding this comment.
Aren't those two meaning the same thing? Why both are needed?
There was a problem hiding this comment.
I've copy pasted some snippet in a thread but I've tested and only the second one is needed.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #77 +/- ##
==========================================
+ Coverage 76.62% 78.25% +1.62%
==========================================
Files 47 47
Lines 5317 5444 +127
==========================================
+ Hits 4074 4260 +186
+ Misses 1243 1184 -59 ☔ View full report in Codecov by Sentry. |
fepitre
changed the title
DemiMarie
reviewed
Dec 22, 2023
|
@fepitre what is the recommended method for redirecting |
fepitre
added a commit
to QubesOS/qubes-vmm-xen-unified
that referenced
this pull request
Aug 2, 2024
Related to QubesOS/qubes-issues#8206
Doc is in vmm-xen-unified repo |
|
And related vmm-xen-unified changes: QubesOS/qubes-vmm-xen-unified#1 |
Disable 'set -x' - it may leak some unintentional data in a future version. Print error message to stderr instead of stdout - otherwise it would be taken as a signed payload. And also rename the service to qubesbuilder.PESign. QubesOS/qubes-issues#8206
DemiMarie
suggested changes
Jan 10, 2025
| head --bytes=100MB > "$payload" | ||
|
|
||
| # We don't allow payload being at least 100MiB | ||
| if [ "$(stat --format=%s "$payload")" -ge $((100 * 1024 * 1024)) ]; then |
There was a problem hiding this comment.
Suggested change
| if [ "$(stat --format=%s "$payload")" -ge $((100 * 1024 * 1024)) ]; then | |
| size=$(stat --format=%s "$payload") | |
| if [ "$size" -ge "$((100 * 1024 * 1024))" ]; then |
Also please include a call to the PE checker I wrote.
There was a problem hiding this comment.
fepitre
commented
Jan 12, 2025
README.md
Outdated
| mkdir -p /rw/bind-dirs/etc/systemd/system/ | ||
| mkdir -p /usr/local/etc/default | ||
| # adjust value if you used different key nickname, replace spaces with __ | ||
| echo 'KEY_NAME="Qubes__OS__Unified__Kernel__Image__Signing__Key"' > /usr/local/etc/default |
There was a problem hiding this comment.
Suggested change
| echo 'KEY_NAME="Qubes__OS__Unified__Kernel__Image__Signing__Key"' > /usr/local/etc/default | |
| echo 'KEY_NAME="Qubes__OS__Unified__Kernel__Image__Signing__Key"' > /usr/local/etc/default/qubes-pesign |
Some certificates (especially stored on a hardware token) may need extra
parameters for `pesign`. Support those by sourcing
`~/.config/qubes-pesign/$CERTIFICATE`. The filename is safe as it's
sanitized by qrexec already. This also allows more flexible certificat
name handling - the config can override CERTIFICATE variable completely,
so the qrexec argument may be a friendly nickname independent of the
actual certificate name in the database (which is also a nickname, not
necessarily full DN).
For tokens, the config may look like this:
# dbpath with pkcs11 module configured
PESIGN_ARGS+=( "--certdir=$HOME/pesign-token-db" )
# token name
PESIGN_ARGS+=( "--token=token name" )
# pinfile path, if relevant
PESIGN_ARGS+=( "--pinfile=$HOME/pesign-token-pin.txt" )
# you can also override CERTIFICATE
CERTIFICATE="certificate name as on the token"
QubesOS/qubes-issues#8206
This includes how to setup builder disposable template, socket->qrexec proxy and all relevant parameters This moves some of the setup steps from README.md in vmm-xen-unified repo. QubesOS/qubes-issues#8206
But don't build it by default, as it requires extra setup (signing keys specifically). QubesOS/qubes-issues#8206
Previously, a CLI options used allow_append=True to allow setting +components etc options without removing all existing entries. This works when adding a single option, but breaks when adding multiple - as later option will override earlier options (even with different name). Replace this special CLI handling, with a more generic merging of dict-like lists. Specifically, when merging two lists and both consists of only one-key dicts (or just strings), merge them similar to merging dicts, but preserving the structure.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
QubesOS/qubes-issues#8206