18 changed files with 21 additions and 199 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,3 @@
-# SPDX-License-Identifier: Unlicense
-
 dtrfs.tar
 build
 tmp
--- a/24
+++ b/24
@ -1,24 +0,0 @@
-This is free and unencumbered software released into the public domain.
-
-Anyone is free to copy, modify, publish, use, compile, sell, or
-distribute this software, either in source code form or as a compiled
-binary, for any purpose, commercial or non-commercial, and by any
-means.
-
-In jurisdictions that recognize copyright laws, the author or authors
-of this software dedicate any and all copyright interest in the
-software to the public domain. We make this dedication for the benefit
-of the public at large and to the detriment of our heirs and
-successors. We intend this dedication to be an overt act of
-relinquishment in perpetuity of all present and future rights to this
-software under copyright law.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
-OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
-ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
-
-For more information, please refer to <https://unlicense.org/>
--- a/README.md
+++ b/README.md
@ -1,7 +1,3 @@
-<!--
-SPDX-License-Identifier: Unlicense
-->
-
 ## OS template

 You will need a working OS template to work with this project.
--- a/dtrfs_api/Cargo.lock
+++ b/dtrfs_api/Cargo.lock
@ -1,8 +1,6 @@
-# SPDX-License-Identifier: Unlicense
-
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 4
+version = 3

 [[package]]
 name = "actix-codec"
@ -411,15 +409,6 @@ dependencies = [
 "alloc-stdlib",
 ]

-[[package]]
-name = "bs58"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf88ba1141d185c399bee5288d850d63b8369520c1eafc32a0430b5b6c287bf4"
-dependencies = [
- "tinyvec",
-]
-
 [[package]]
 name = "byteorder"
 version = "1.5.0"
@ -681,7 +670,6 @@ dependencies = [
 "anyhow",
 "base64",
 "bincode",
- "bs58",
 "ed25519-dalek",
 "lazy_static",
 "regex",
@ -2093,21 +2081,6 @@ dependencies = [
 "zerovec",
 ]

-[[package]]
-name = "tinyvec"
-version = "1.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "022db8904dfa342efe721985167e9fcd16c29b226db4397ed752a761cfce81e8"
-dependencies = [
- "tinyvec_macros",
-]
-
-[[package]]
-name = "tinyvec_macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
-
 [[package]]
 name = "tls_codec"
 version = "0.4.1"
--- a/dtrfs_api/Cargo.toml
+++ b/dtrfs_api/Cargo.toml
@ -1,21 +1,18 @@
-# SPDX-License-Identifier: Unlicense
-
 [package]
 name = "dtrfs_api"
 version = "0.1.0"
 edition = "2021"

 [dependencies]
-bs58 = "0.5.1"
 anyhow = "1.0.93"
+base64 = "0.22.1"
 bincode = "1.3.3"
 regex = "1.11.1"
 sev = { version = "4.0", default-features = false, features = ['crypto_nossl','snp'] }
-ed25519-dalek = { version = "2.1.1" }
+ed25519-dalek = { version = "2.1.1", features = ["pem", "pkcs8"] }
 lazy_static = "1.5.0"
 actix-web = { version = "4.9.0", features = ["rustls-0_23"] }
 sha3 = "0.10.8"
 rustls = "0.23.18"
 rustls-pemfile = "2.2.0"
 serde = { version = "1.0.215", features = ["derive"] }
-base64 = "0.22.1"
--- a/dtrfs_api/rustfmt.toml
+++ b/dtrfs_api/rustfmt.toml
@ -1,5 +1,3 @@
-# SPDX-License-Identifier: Unlicense
-
 reorder_impl_items = true
 use_small_heuristics = "Max"
 merge_imports = true
--- a/dtrfs_api/src/main.rs
+++ b/dtrfs_api/src/main.rs
@ -1,10 +1,9 @@
-// SPDX-License-Identifier: Unlicense
-
 mod os;
 mod snp;

 use actix_web::{get, post, web, App, HttpRequest, HttpResponse, HttpServer};
-use ed25519_dalek::{Signature, Verifier, VerifyingKey};
+use base64::prelude::{Engine, BASE64_URL_SAFE};
+use ed25519_dalek::{pkcs8::DecodePublicKey, Signature, Verifier, VerifyingKey};
 use lazy_static::lazy_static;
 use regex::Regex;
 use rustls::{pki_types::PrivateKeyDer, ServerConfig};
@ -46,16 +45,13 @@ fn get_cert_hash() -> [u8; 64] {
 }

 fn verifying_key() -> Result<VerifyingKey, Box<dyn std::error::Error>> {
-    let re = Regex::new(r"detee_admin=([A-Za-z0-9]+)").unwrap();
+    let re = Regex::new(r"detee_admin=([A-Za-z0-9+/=]+)").unwrap();
    let key_str = re.find(&CMDLINE).map(|m| m.as_str()).unwrap_or("");
-    let key_str =
-        key_str.strip_prefix("detee_admin=").ok_or("Could not get admin key from cmdline")?;
-    Ok(VerifyingKey::from_bytes(
-        &bs58::decode(key_str)
-            .into_vec()?
-            .try_into()
-            .map_err(|_| bs58::decode::Error::BufferTooSmall)?,
-    )?)
+    let key_pem = format!(
+        "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----\n",
+        key_str.strip_prefix("detee_admin=").ok_or("Could not get admin key from cmdline")?
+    );
+    Ok(VerifyingKey::from_public_key_pem(&key_pem)?)
 }

 fn verify(req: &HttpRequest) -> Result<(), Box<dyn std::error::Error>> {
@ -64,8 +60,8 @@ fn verify(req: &HttpRequest) -> Result<(), Box<dyn std::error::Error>> {
        .get("ed25519-signature")
        .ok_or_else(|| "Did not find ed25519-signature header")?;

-    let signature = bs58::decode(signature).into_vec()?;
-    let signature = Signature::from_bytes(signature.as_slice().try_into()?);
+    let signature: &[u8] = &BASE64_URL_SAFE.decode(signature)?;
+    let signature = Signature::from_bytes(signature.try_into()?);
    let verifying_key = verifying_key()?;
    Ok(verifying_key.verify(CRT_CONTENTS.as_bytes(), &signature)?)
 }
@ -86,7 +82,6 @@ async fn get_report() -> HttpResponse {

 #[derive(Deserialize)]
 struct InstallForm {
-    hostname: String,
    url: String,
    sha: String,
    keyfile: String,
@ -98,7 +93,7 @@ async fn post_install_form(req: HttpRequest, form: web::Form<InstallForm>) -> Ht
    if let Err(e) = verify(&req) {
        return HttpResponse::BadRequest().body(format!("Signature verification failed: {}", e));
    };
-    match os::encrypt_and_install_os(&form.url, &form.sha, &form.keyfile, &form.hostname) {
+    match os::encrypt_and_install_os(&form.url, &form.sha, &form.keyfile) {
        Ok(s) => HttpResponse::Ok().body(s),
        Err(e) => HttpResponse::InternalServerError().body(format!("{e:?}")),
    }
--- a/dtrfs_api/src/os.rs
+++ b/dtrfs_api/src/os.rs
@ -1,5 +1,3 @@
-// SPDX-License-Identifier: Unlicense
-
 use crate::snp::get_derived_key;
 use anyhow::{anyhow, Result};
 use base64::prelude::{Engine, BASE64_URL_SAFE};
@ -17,7 +15,6 @@ pub fn encrypt_and_install_os(
    install_url: &str,
    install_sha: &str,
    keyfile: &str,
-    vm_hostname: &str,
 ) -> Result<String> {
    let binary_keyfile = BASE64_URL_SAFE.decode(keyfile)?;
    std::fs::write(BACKUP_KEYFILE_PATH, binary_keyfile)?;
@ -27,7 +24,6 @@ pub fn encrypt_and_install_os(
        .env("INSTALL_SHA", install_sha)
        .env("SNP_KEY_FILE", SNP_KEYFILE_PATH)
        .env("ROOT_KEYFILE", BACKUP_KEYFILE_PATH)
-        .env("VM_HOSTNAME", vm_hostname)
        .output()?;

    if !install_result.status.success() {
--- a/dtrfs_api/src/snp.rs
+++ b/dtrfs_api/src/snp.rs
@ -1,5 +1,3 @@
-// SPDX-License-Identifier: Unlicense
-
 use anyhow::{Context, Result};
 use sev::firmware::guest::{AttestationReport, DerivedKey, Firmware, GuestFieldSelect};
 use base64::prelude::{Engine, BASE64_URL_SAFE};
--- a/scripts/arch_guest_mods
+++ b/scripts/arch_guest_mods
@ -3,8 +3,6 @@ asn1_encoder
 async_tx
 async_xor
 atkbd
-bridge
-br_netfilter
 cbc
 cdrom
 crc16
@ -14,7 +12,6 @@ crc32_pclmul
 crct10dif_pclmul
 cryptd
 crypto_simd
-curve25519_x86_64
 dm_bufio
 dm_crypt
 dm-integrity
@ -30,53 +27,23 @@ i2c_i801
 i2c_mux
 i2c_smbus
 i8042
-inet_diag
 intel_agp
 intel_gtt
 intel_pmc_bxt
 intel_rapl_common
 intel_rapl_msr
-ip6table_filter
-ip6table_mangle
-ip6table_nat
-ip6_tables
-ip6_udp_tunnel
-ip_set
-ip_set_hash_net
-iptable_filter
-iptable_mangle
-iptable_nat
-iptable_raw
 ip_tables
-ipt_REJECT
 iTCO_vendor_support
 iTCO_wdt
 jbd2
-libaesgcm
-libchacha20poly1305
-libcrc32c
-libcurve25519_generic
 libps2
-llc
 loop
 lpc_ich
 mac_hid
 mbcache
 mousedev
 net_failover
-nf_conntrack
-nf_conntrack_netlink
-nf_defrag_ipv4
-nf_defrag_ipv6
-nf_nat
 nfnetlink
-nfnetlink_acct
-nfnetlink_log
-nf_reject_ipv4
-nf_tables
-nft_chain_nat
-nft_compat
-overlay
 parport
 parport_pc
 pcspkr
@ -94,13 +61,9 @@ sha256
 sha256_ssse3
 sha512_ssse3
 sr_mod
-stp
-tcp_diag
 tee
 trusted
 tsm
-udp_tunnel
-veth
 virtio_blk
 virtio_net
 vivaldi_fmap
@ -109,23 +72,5 @@ vmw_vsock_virtio_transport_common
 vmw_vsock_vmci_transport
 vsock
 vsock_loopback
-vxlan
-wireguard
-xfrm_algo
-xfrm_user
 xor
 x_tables
-xt_addrtype
-xt_comment
-xt_conntrack
-xt_limit
-xt_mark
-xt_MASQUERADE
-xt_multiport
-xt_nat
-xt_nfacct
-xt_NFLOG
-xt_physdev
-xt_REDIRECT
-xt_set
-xt_tcpudp
--- a/scripts/create.sh
+++ b/scripts/create.sh
@ -1,7 +1,4 @@
 #!/bin/bash
-
-# SPDX-License-Identifier: Unlicense
-
 cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"
 source creator_exports.sh
 source creator_functions.sh
@ -24,7 +21,6 @@ install_binary $(which blkid)
 install_binary $(which fdisk)
 install_binary $(which sysctl)
 install_binary $(which mkfs.ext4)
-install_binary $(which ssh-keygen)
 install_binary $(which fsarchiver)
 install_kmod
 install_busybox
--- a/scripts/creator_exports.sh
+++ b/scripts/creator_exports.sh
@ -1,7 +1,4 @@
 #!/bin/bash
-
-# SPDX-License-Identifier: Unlicense
-
 script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

 # root of the initrd, that will be used to create the cpio archive
--- a/scripts/creator_functions.sh
+++ b/scripts/creator_functions.sh
@ -1,7 +1,5 @@
 #!/bin/bash

-# SPDX-License-Identifier: Unlicense
-
 echo_cyan() {
  echo -e "\033[0;36m$1\033[0m"
 }
--- a/scripts/init.sh
+++ b/scripts/init.sh
@ -1,7 +1,4 @@
 #!/bin/bash
-
-# SPDX-License-Identifier: Unlicense
-
 source /usr/lib/dtrfs/init_functions.sh

 install_url="/tmp/detee_install_url"
--- a/scripts/init_functions.sh
+++ b/scripts/init_functions.sh
@ -1,7 +1,5 @@
 #!/bin/bash

-# SPDX-License-Identifier: Unlicense
-
 load_modules() {
  cat /load_modules.sh | bash
 }
--- a/scripts/install_os.sh
+++ b/scripts/install_os.sh
@ -1,7 +1,5 @@
 #!/bin/bash

-# SPDX-License-Identifier: Unlicense
-
 # This script is called by dtrfs_api to install an OS.

 [[ -z "$INSTALL_URL" ]] && {
@ -9,16 +7,11 @@
  exit 1
 }

-[[ -z "$INSTALL_SHA" ]] && {
+[[ -z "$INSTALL_URL" ]] && {
  echo "Did not find INSTALL_SHA env variable".
  exit 2
 }

-[[ -z "$VM_HOSTNAME" ]] && {
-  echo "Did not find VM_HOSTNAME env variable".
-  exit 2
-}
-
 [[ -f "$ROOT_KEYFILE" ]] || {
  echo "Did not find keyfile at the following location: $ROOT_KEYFILE"
  exit 3
@ -62,15 +55,16 @@ fsarchiver restdir /mnt/template.fsa /
 rm /mnt/template.fsa
 # TODO: decide for UX if maybe we should allow user to inject fstab
 echo "" > /mnt/etc/fstab
-echo "=== Setting up guest hostname as $VM_HOSTNAME"
-echo $VM_HOSTNAME > /mnt/etc/hostname
+hostname=$(cat /proc/cmdline | grep -oE 'detee_name=[0-9a-z\_\.\-]+' | cut -d '=' -f2)
+echo "=== Setting up guest hostname as $hostname"
+[[ -n "$hostname" ]] && echo $hostname > /mnt/etc/hostname

 echo "=== Generating SSH public keys"
 echo "root:x:0:0:root:/root:/bin/sh" > /etc/passwd
 [[ -f "/mnt/etc/ssh/ssh_host_rsa_key" ]] ||
-  ssh-keygen -t rsa -f /mnt/etc/ssh/ssh_host_rsa_key -N '' > /dev/null
+  /mnt/usr/bin/ssh-keygen -t rsa -f /mnt/etc/ssh/ssh_host_rsa_key -N '' > /dev/null
 [[ -f "/mnt/etc/ssh/ssh_host_ecdsa_key" ]] ||
-  ssh-keygen -t ecdsa -f /mnt/etc/ssh/ssh_host_ecdsa_key -N '' > /dev/null
+  /mnt/usr/bin/ssh-keygen -t ecdsa -f /mnt/etc/ssh/ssh_host_ecdsa_key -N '' > /dev/null
 [[ -f "/mnt/etc/ssh/ssh_host_ed25519_key" ]] ||
-  ssh-keygen -t ed25519 -f /mnt/etc/ssh/ssh_host_ed25519_key -N '' > /dev/null
+  /mnt/usr/bin/ssh-keygen -t ed25519 -f /mnt/etc/ssh/ssh_host_ed25519_key -N '' > /dev/null
 echo "=== Done! Download keys from /server_pubkeys"
--- a/scripts/remote_create.sh
+++ b/scripts/remote_create.sh
@ -1,7 +1,4 @@
 #!/bin/bash
-
-# SPDX-License-Identifier: Unlicense
-
 cd -- "$( dirname -- "${BASH_SOURCE[0]}" )"

 dir="/tmp/dtrfs"
--- a/scripts/upload_to_registry.sh
+++ b/scripts/upload_to_registry.sh
@ -1,27 +0,0 @@
-#!/bin/bash
-
-# SPDX-License-Identifier: Unlicense
-
-kernel_path="/boot/vmlinuz-linux"
-
-dtrfs_path="$1"
-dtrfs_name=$(basename $dtrfs_path)
-dtrfs_sha=$(sha256sum $dtrfs_path | awk '{ print $1 }')
-kernel_name="vmlinuz-linux-$(uname -r)"
-kernel_sha=$(sha256sum $kernel_path | awk '{ print $1 }')
-
-scp $dtrfs_path registry.detee.ltd:/var/www/html/${dtrfs_name}
-ssh registry.detee.ltd ln -s $dtrfs_name /var/www/html/${dtrfs_sha}
-
-scp $kernel_path registry.detee.ltd:/var/www/html/${kernel_name}
-ssh registry.detee.ltd ln -s $kernel_name /var/www/html/${kernel_sha}
-
-echo "Also add this to detee-cli/src/snp/mod.rs"
-echo "
-        name: \"dtrfs-$(uname -r)\".to_string(),
-        vendor: \"ghe0\".to_string(),
-        dtrfs_url: \"http://registry.detee.ltd/${dtrfs_name}\".to_string(),
-        dtrfs_sha: \"${dtrfs_sha}\".to_string(),
-        kernel_url: \"http://registry.detee.ltd/${kernel_name}\".to_string(),
-        kernel_sha: \"${kernel_sha}\".to_string()
-"