improved handling of modules and cleaned a bit

README.md

@@ -1,17 +1,37 @@
+## OS template
+
 You will need a working OS template to work with this project.
 
 Easy solution create an OS template:
-- mount the archlinux installation .iso in a VM
+- start any archlinux machine (the arch installer also works)
-- run `pacstrap /mnt base linux openssh`
+- install `arch-install-scripts`
+- run `pacstrap /mnt base openssh` to install base packages to /mnt
 - run `ln -s /usr/lib/systemd/system/sshd.service /mnt/etc/systemd/system/multi-user.target.wants/sshd.service`
-- run `fsarchiver savedir /tmp/os_template.fsa /mnt`
+- run `fsarchiver savedir /tmp/os_template.fsa /mnt` to save your OS template
-- download `/tmp/os_template.fsa`
+- download `/tmp/os_template.fsa` to your machine
 - upload the `os_template.fsa` anywhere so that it can be downloaded with wget
 
 Some notes on the above:
-- base and linux are the only packages to run a VM
+- base is the only package required to run a dtrfs VM; the kernel is not needed cause we are using SNP
 - you will need sshd to operate the VM, so create the symlink to make it start with the OS
 - fsarchiver is very good at preserving OS data
+- fsarchiver saves the absolute path (which means you must use `/mnt` as this is hardcoded)
 - the initrd will dump that template to the encrypted disk
 - the same procedure can be used with any distribution, but we didn't test that yet
 
+## initrd and linux
+
+You will need an initrd and a kernel to run SNP VMs.
+
+- start any archlinux machine
+- clone this repo
+- inspect your kernel version by running `file -sL /boot/vmlinuz-linux`.
+- (optional) update the kernel version in `./creator_exports.sh`
+- create the initrd by running `./create.sh`; this will save the initrd in the build folder
+- grab your kernel from `/boot/vmlinuz-linux` and...
+- ... upload kernel and initrd to your hypervizor
+
+## module scanner
+
+Optionally, you can use `./remote_create.sh` to upload this repo to remote node and build your initrd.
+This will automatically scan the kernel modules running on the remote host, and package all modules in the initrd. This is ideal if your VM has a setup that is not cover by the modules hardcoded in this repo.

arch_guest_mods

@@ -0,0 +1,76 @@
+aesni_intel
+asn1_encoder
+async_tx
+async_xor
+atkbd
+cbc
+cdrom
+crc16
+crc32c_generic
+crc32c_intel
+crc32_pclmul
+crct10dif_pclmul
+cryptd
+crypto_simd
+dm_bufio
+dm_crypt
+dm-integrity
+dm_integrity
+dm_mod
+efi_secret
+encrypted_keys
+ext4
+failover
+gf128mul
+ghash_clmulni_intel
+i2c_i801
+i2c_mux
+i2c_smbus
+i8042
+intel_agp
+intel_gtt
+intel_pmc_bxt
+intel_rapl_common
+intel_rapl_msr
+ip_tables
+iTCO_vendor_support
+iTCO_wdt
+jbd2
+libps2
+loop
+lpc_ich
+mac_hid
+mbcache
+mousedev
+net_failover
+nfnetlink
+parport
+parport_pc
+pcspkr
+polyval_clmulni
+polyval_generic
+ppdev
+psmouse
+qemu_fw_cfg
+serio
+serio_raw
+sev-guest
+sev_guest
+sha1_ssse3
+sha256
+sha256_ssse3
+sha512_ssse3
+sr_mod
+tee
+trusted
+tsm
+virtio_blk
+virtio_net
+vivaldi_fmap
+vmw_vmci
+vmw_vsock_virtio_transport_common
+vmw_vsock_vmci_transport
+vsock
+vsock_loopback
+xor
+x_tables

create.sh

@@ -5,6 +5,9 @@ source creator_functions.sh
 mkdir -p build
 cd build
 
+echo_cyan "Installing build dependencies..."
+install_build_deps
+
 echo_cyan "Starting installation at $ROOT."
 create_dirs
 
@@ -25,20 +28,15 @@ install_guest_api
 echo_cyan "Installing scripts..."
 install_init_script
 
-echo_cyan "Installing kernel modules mandatory for DTRFS..."
+echo_cyan "Installing base modules required to boot"
 install_module virtio_net
 install_module ext4
 install_module virtio_blk
-install_module msr
 install_module sev-guest
 install_module dm_crypt
-install_module hid-generic
 install_module dm-integrity
-install_module cbc
+
-install_module hmac
+install_guest_mods
-install_module sha256
-install_module rng
-install_module aes
 
 [[ "$GRAB_LOCAL_MODS" == "YES" ]] && {
   scan_modules

creator_functions.sh

@@ -16,6 +16,20 @@ echo_red() {
   echo -e "\033[0;31m$1\033[0m"
 }
 
+# TODO: prepare DTRFS to create initrd for other distros
+install_build_deps() {
+  if grep "Arch Linux" /etc/os-release > /dev/null; then
+    which wget fsarchiver cpio mkinitcpio || {
+      echo_red "Please install build deps: wget fsarchiver cpio mkinitcpio"
+      exit 1
+    }
+    qemu_guest_modules="../arch_guest_mods"
+  else
+    echo_red "ArchLinux is the only distribution currently supported by DTRFS."
+    exit 1
+  fi
+}
+
 create_dirs() {
   rm -rf "$ROOT" 2>/dev/null
   mkdir -p "${ROOT}/usr/bin/"
@@ -135,6 +149,15 @@ _install_module() {
   done <<< "$( echo "$depends" )"
 }
 
+install_guest_mods() {
+  local mod=''
+  echo_cyan "Installing kernel modules needed for QEMU guests..."
+  while read -r mod; do
+    [[ -z $mod ]] && continue
+    _install_module "$mod"
+  done <<< "$(cat "$qemu_guest_modules")"
+}
+
 backup_active_modules() {
   local modules='' mod=''
   echo_yellow "Installing to the initrd all kernel modules currently loaded..."
@@ -160,6 +183,7 @@ scan_modules() {
 }
 
 install_guest_api() {
+  echo_cyan "Installing the guest API from https://gitea.detee.cloud/SNP/remote_decryption/"
   wget -O guest_api.zst "$GUEST_API_URL" 2> /dev/null
   zstd --decompress guest_api.zst
   chmod +x guest_api

init.sh

@@ -35,7 +35,9 @@ try_hot_decrypt || {
 github_ssh_key
 detee_ssh_key
 
+cp /etc/resolv.conf /mnt/etc/resolv.conf
 # copy kernel modules in case the user deleted the old modules
+mkdir -p /mnt/lib/modules/
 cp -rn /lib/modules/* /mnt/lib/modules/
 
 exec switch_root /mnt /sbin/init "$@"