From 8f854993d60404a368fffe0cb7f663f4f15c194f Mon Sep 17 00:00:00 2001
From: ghe0
Date: Wed, 13 Nov 2024 03:57:28 +0200
Subject: [PATCH] improved handling of modules and cleaned a bit
---
 README.md | 30 +++++++++++---
 arch_guest_mods | 76 ++++++++++++++++++++++++++++++++++
 create.sh | 14 +++---
 creator_functions.sh | 24 +++++++++++
 init.sh | 2 +
 install.sh => remote_create.sh | 0
 6 files changed, 133 insertions(+), 13 deletions(-)
 create mode 100644 arch_guest_mods
 rename install.sh => remote_create.sh (100%)
diff --git a/README.md b/README.md
index ce4cdd3..8975e5e 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,37 @@ +## OS template + You will need a working OS template to work with this project. Easy solution create an OS template: -- mount the archlinux installation .iso in a VM -- run `pacstrap /mnt base linux openssh` +- start any archlinux machine (the arch installer also works) +- install `arch-install-scripts` +- run `pacstrap /mnt base openssh` to install base packages to /mnt - run `ln -s /usr/lib/systemd/system/sshd.service /mnt/etc/systemd/system/multi-user.target.wants/sshd.service` -- run `fsarchiver savedir /tmp/os_template.fsa /mnt` -- download `/tmp/os_template.fsa` +- run `fsarchiver savedir /tmp/os_template.fsa /mnt` to save your OS template +- download `/tmp/os_template.fsa` to your machine - upload the `os_template.fsa` anywhere so that it can be downloaded with wget Some notes on the above: -- base and linux are the only packages to run a VM +- base is the only package required to run a dtrfs VM; the kernel is not needed cause we are using SNP - you will need sshd to operate the VM, so create the symlink to make it start with the OS - fsarchiver is very good at preserving OS data +- fsarchiver saves the absolute path (which means you must use `/mnt` as this is hardcoded) - the initrd will dump that template to the encrypted disk - the same procedure can be used with any distribution, but we didn't test that yet +## initrd and linux + +You will need an initrd and a kernel to run SNP VMs. + +- start any archlinux machine +- clone this repo +- inspect your kernel version by running `file -sL /boot/vmlinuz-linux`. +- (optional) update the kernel version in `./creator_exports.sh` +- create the initrd by running `./create.sh`; this will save the initrd in the build folder +- grab your kernel from `/boot/vmlinuz-linux` and... +- ... upload kernel and initrd to your hypervizor + +## module scanner + +Optionally, you can use `./remote_create.sh` to upload this repo to remote node and build your initrd. 
+This will automatically scan the kernel modules running on the remote host, and package all modules in the initrd. This is ideal if your VM has a setup that is not cover by the modules hardcoded in this repo.
diff --git a/arch_guest_mods b/arch_guest_mods
new file mode 100644
index 0000000..59d7294
--- /dev/null
+++ b/arch_guest_mods
@@ -0,0 +1,76 @@
+aesni_intel
+asn1_encoder
+async_tx
+async_xor
+atkbd
+cbc
+cdrom
+crc16
+crc32c_generic
+crc32c_intel
+crc32_pclmul
+crct10dif_pclmul
+cryptd
+crypto_simd
+dm_bufio
+dm_crypt
+dm-integrity
+dm_integrity
+dm_mod
+efi_secret
+encrypted_keys
+ext4
+failover
+gf128mul
+ghash_clmulni_intel
+i2c_i801
+i2c_mux
+i2c_smbus
+i8042
+intel_agp
+intel_gtt
+intel_pmc_bxt
+intel_rapl_common
+intel_rapl_msr
+ip_tables
+iTCO_vendor_support
+iTCO_wdt
+jbd2
+libps2
+loop
+lpc_ich
+mac_hid
+mbcache
+mousedev
+net_failover
+nfnetlink
+parport
+parport_pc
+pcspkr
+polyval_clmulni
+polyval_generic
+ppdev
+psmouse
+qemu_fw_cfg
+serio
+serio_raw
+sev-guest
+sev_guest
+sha1_ssse3
+sha256
+sha256_ssse3
+sha512_ssse3
+sr_mod
+tee
+trusted
+tsm
+virtio_blk
+virtio_net
+vivaldi_fmap
+vmw_vmci
+vmw_vsock_virtio_transport_common
+vmw_vsock_vmci_transport
+vsock
+vsock_loopback
+xor
+x_tables
diff --git a/create.sh b/create.sh
index 1cc0283..14db174 100755
--- a/create.sh
+++ b/create.sh
@@ -5,6 +5,9 @@ source creator_functions.sh
 mkdir -p build
 cd build
+echo_cyan "Installing build dependencies..."
+install_build_deps
+
 echo_cyan "Starting installation at $ROOT."
 create_dirs
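Review bot: `dm-integrity`/`dm_integrity` and `sev-guest`/`sev_guest` each appear twice in arch_guest_mods, once with a hyphen and once with an underscore, so whichever spelling `_install_module` does not resolve is either a redundant entry or a failure on every build, depending on how that function handles a miss (its body is outside this patch). Keeping one canonical spelling per module keeps the list auditable, which matters because this file now decides which crypto and SEV modules end up in the initrd. Note that the loader added in creator_functions.sh skips only empty lines, so this file cannot carry a `#` header explaining its format; document the format in the README or teach the loader to skip comment lines.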
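Review bot: `install_build_deps` is invoked after `mkdir -p build` and `cd build`, so on an unsupported host or a missing tool the script exits having already created the build directory, and the `../arch_guest_mods` path the function assigns only resolves because of this `cd`. That ordering is a hidden contract between create.sh and creator_functions.sh; at minimum add `# must run after cd build: install_build_deps sets qemu_guest_modules relative to build/` above the call. Moving the check above `mkdir -p build` (and adjusting that relative path) would let a failed dependency check leave no filesystem change behind.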
@@ -25,20 +28,15 @@ install_guest_api
 echo_cyan "Installing scripts..."
 install_init_script
-echo_cyan "Installing kernel modules mandatory for DTRFS..."
+echo_cyan "Installing base modules required to boot"
 install_module virtio_net
 install_module ext4
 install_module virtio_blk
-install_module msr
 install_module sev-guest
 install_module dm_crypt
-install_module hid-generic
 install_module dm-integrity
-install_module cbc
-install_module hmac
-install_module sha256
-install_module rng
-install_module aes
+
+install_guest_mods
 [[ "$GRAB_LOCAL_MODS" == "YES" ]] && {
 scan_modules
diff --git a/creator_functions.sh b/creator_functions.sh
index d630a19..12f0a12 100644
--- a/creator_functions.sh
+++ b/creator_functions.sh
@@ -16,6 +16,20 @@ echo_red() {
 echo -e "\033[0;31m$1\033[0m"
 }
+# TODO: prepare DTRFS to create initrd for other distros
+install_build_deps() {
+ if grep "Arch Linux" /etc/os-release > /dev/null; then
+ which wget fsarchiver cpio mkinitcpio || {
+ echo_red "Please install build deps: wget fsarchiver cpio mkinitcpio"
+ exit 1
+ }
+ qemu_guest_modules="../arch_guest_mods"
+ else
+ echo_red "ArchLinux is the only distribution currently supported by DTRFS."
+ exit 1
+ fi
+}
+
 create_dirs() {
 rm -rf "$ROOT" 2>/dev/null
 mkdir -p "${ROOT}/usr/bin/"
@@ -135,6 +149,15 @@ _install_module() {
 done <<< "$( echo "$depends" )"
 }
+install_guest_mods() {
+ local mod=''
+ echo_cyan "Installing kernel modules needed for QEMU guests..."
+ while read -r mod; do
+ [[ -z $mod ]] && continue
+ _install_module "$mod"
+ done <<< "$(cat "$qemu_guest_modules")"
+}
+
 backup_active_modules() {
 local modules='' mod=''
 echo_yellow "Installing to the initrd all kernel modules currently loaded..."
@@ -160,6 +183,7 @@ scan_modules() {
 }
 install_guest_api() {
+ echo_cyan "Installing the guest API from https://gitea.detee.cloud/SNP/remote_decryption/"
 wget -O guest_api.zst "$GUEST_API_URL" 2> /dev/null
 zstd --decompress guest_api.zst
 chmod +x guest_api
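Review bot: the six `install_module` lines kept under "base modules required to boot" (virtio_net, ext4, virtio_blk, sev-guest, dm_crypt, dm-integrity) all appear again in arch_guest_mods, while the removed `hmac` and `aes` have no entry there (only `aesni_intel`, `cbc` and `sha256` do), so whether the initrd still carries everything the disk cipher needs now rests on `_install_module` pulling them in through modinfo depends, which this patch does not check. If the base list is meant to be the distro-independent minimum that is installed even when arch_guest_mods is unavailable, say so with a comment, `# always installed; everything else comes from install_guest_mods via arch_guest_mods`; otherwise keep each module in one place only. A build-time check that the cipher modules `dm_crypt` needs are present in the initrd would surface a missing one at build rather than at the first decryption attempt.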
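Review bot: the dependency check in `install_build_deps` does not list `zstd`, which `install_guest_api` later in this file calls unconditionally, so a host without it passes the check and fails after the download; add it to both the `which` list and the error message. `which` also prints every resolved path to stdout, so `command -v wget fsarchiver cpio mkinitcpio zstd > /dev/null` is quieter and needs no external binary. The function also sets the global `qemu_guest_modules` as a side effect of a dependency check, with a path relative to the caller's cwd; a comment `# relative to build/, where create.sh has already cd'd` would at least make that contract visible.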
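Review bot: `install_guest_mods` never checks that `$qemu_guest_modules` is set and readable; if `install_build_deps` was not called first, `cat` prints one error to stderr and the loop runs over an empty string, so the initrd is built without any guest module and the build still reports success. A guard before the loop, `[[ -r $qemu_guest_modules ]] || { echo_red "module list not found: $qemu_guest_modules"; exit 1; }`, fails the build instead, and `done < "$qemu_guest_modules"` replaces the `$(cat ...)` subshell. The loop skips only empty lines, so any `#` comment someone adds to arch_guest_mods is passed to `_install_module` as a module name.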
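Review bot: the added log line hard-codes a URL while the download on the next line uses `$GUEST_API_URL`, so the message is wrong whenever the variable points elsewhere, and with wget's stderr discarded it is the only feedback the user gets; print the variable instead, `echo_cyan "Installing the guest API from $GUEST_API_URL"`. Neither `wget` nor `zstd --decompress` is checked, so a failed download leaves a missing or partial `guest_api` that is still `chmod +x`'d into the initrd; `wget -O guest_api.zst "$GUEST_API_URL" 2> /dev/null || { echo_red "download failed: $GUEST_API_URL"; exit 1; }` would stop the build. This binary runs inside the guest during disk decryption and is fetched without any integrity check; comparing it against a pinned digest kept in the repo (`sha256sum -c` with the expected value as a placeholder until one is recorded) would tie the initrd to a known build. The body of `install_guest_api` continues past the end of the hunk.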
diff --git a/init.sh b/init.sh
index cb4a9d3..fdf36d3 100755
--- a/init.sh
+++ b/init.sh
@@ -35,7 +35,9 @@ try_hot_decrypt || {
 github_ssh_key
 detee_ssh_key
+cp /etc/resolv.conf /mnt/etc/resolv.conf
 # copy kernel modules in case the user deleted the old modules
+mkdir -p /mnt/lib/modules/
 cp -rn /lib/modules/* /mnt/lib/modules/
 exec switch_root /mnt /sbin/init "$@"
diff --git a/install.sh b/remote_create.sh
similarity index 100%
rename from install.sh
rename to remote_create.sh
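Review bot: the added `cp /etc/resolv.conf /mnt/etc/resolv.conf` is unchecked and unconditional: if the initrd has no `/etc/resolv.conf` or the template has no `/mnt/etc`, it prints an error and continues straight into `switch_root`, and when it succeeds it silently overwrites whatever resolver configuration the OS template shipped with. If the intent is to hand the resolver the initrd obtained to the new root, guard it and say so, `[[ -f /etc/resolv.conf ]] && cp /etc/resolv.conf /mnt/etc/resolv.conf  # carry the initrd's resolver config into the new root`. The `try_hot_decrypt || {` block named in the hunk header starts outside the hunk, so whether these lines run inside it is not visible here.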