diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
similarity index 57%
rename from mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf
rename to mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
index 3a83b7d2..00f0c243 100644
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
@@ -8,8 +8,10 @@ After=tpm2.target
 ExecStartPre=+/usr/bin/chmod 440 /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStartPre=+/usr/bin/chown root:tss /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
 --client-attestation-type azure-tdx \
- --server-attestation-type none
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ ${BUILDERNET_BUILDERHUB_URL}
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
new file mode 100644
index 00000000..02ef9a70
--- /dev/null
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
@@ -0,0 +1,9 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:7936 \
+ --server-attestation-type azure-tdx \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ 127.0.0.1:14727
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
deleted file mode 100644
index 4a3b913a..00000000
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727 \
- --server-attestation-type azure-tdx \
- --override-azurev6-tcbinfo
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
new file mode 100644
index 00000000..8c180970
--- /dev/null
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
+ --client-attestation-type dcap-tdx
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ ${BUILDERNET_BUILDERHUB_URL} \
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report
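Review bot: The new Azure server override carries nothing equivalent to `--override-azurev6-tcbinfo`, which the deleted cvm-reverse-proxy-server override (the next hunk on this page) passed alongside `--server-attestation-type azure-tdx`. If attested-tls-proxy still needs a TCB-info override for Azure v6 TDX instances, the `ExecStart=` here is missing it; if the new binary handles that internally, a comment above `ExecStart=` such as `# No Azure v6 TCB override needed: attested-tls-proxy handles it itself` would stop the next reader from re-adding the flag. I cannot tell from this page which of the two applies.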
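Review bot: In the GCP client override, `--client-attestation-type dcap-tdx` has no trailing backslash, so the `ExecStart=` command ends at that argument; the following `--allowed-remote-attestation-type`, `--tls-private-key-path`, `--tls-certificate-path` and `${BUILDERNET_BUILDERHUB_URL}` lines are not part of the command, and the stray `\` after the URL glues `SupplementaryGroups=` onto that orphan run, which systemd is likely to reject as a malformed assignment — losing the `SupplementaryGroups=` reset as well. The visible result is a GCP client started without its key, certificate and target, which `systemd-analyze verify` on the built image should surface. Fix by moving the backslash: `--client-attestation-type dcap-tdx \` and `${BUILDERNET_BUILDERHUB_URL}` with no trailing backslash, matching the Azure override and the base unit.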
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
new file mode 100644
index 00000000..643555bd
--- /dev/null
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy-server \
+ --listen-addr 0.0.0.0:7936 \
+ --server-attestation-type dcap-tdx \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ 127.0.0.1:14727
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
deleted file mode 100644
index a883b2b2..00000000
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
- --client-attestation-type=dcap-tdx
-SupplementaryGroups=
-ProtectSystem=strict
-ProtectHome=yes
-AmbientCapabilities=CAP_DAC_OVERRIDE
-ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
deleted file mode 100644
index 4cdc32ea..00000000
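Review bot: `ExecStart=/usr/bin/attested-tls-proxy-server \` in the GCP server override names a binary this change never installs: the build script in this diff copies a single `/usr/bin/attested-tls-proxy`, and the base unit and the Azure override invoke it as `/usr/bin/attested-tls-proxy server`. With this drop-in applied the GCP server unit fails at start on a missing executable, and `Restart=on-failure` will loop until the start-rate limit. Change the line to `ExecStart=/usr/bin/attested-tls-proxy server \`.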
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727 \
- --server-attestation-type dcap-tdx
-SupplementaryGroups=
-ProtectSystem=strict
-ProtectHome=yes
-AmbientCapabilities=CAP_DAC_OVERRIDE
-ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
new file mode 100755
index 00000000..1e1a0907
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REF=06aafe43335a5d228a3ea2d3b871d15d2d06e855
+CARGO_HOME="$BUILDDIR/.cargo"
+PATH="$BUILDDIR/rust-toolchain/bin:$PATH"
+BUILDDIR="$BUILDDIR/attested-tls-proxy"
+export CARGO_HOME="$SRCDIR/mkosi.images/buildernet/mkosi.cache/cargo"
+
+echo "Installing attested-tls-proxy..."
+
+mkdir -p $BUILDDIR
+
+curl -sSfL https://api.github.com/repos/flashbots/attested-tls-proxy/tarball/${REF} | \
+ tar xzf - -C $BUILDDIR --strip-components=1
+
+cd $BUILDDIR
+
+RUSTFLAGS="-C target-cpu=x86-64-v4 \
+ -C link-arg=-Wl,--build-id=none \
+ -C symbol-mangling-version=v0 \
+ -L /usr/lib/x86_64-linux-gnu"
+CARGO_PROFILE_RELEASE_LTO='thin'
+CARGO_PROFILE_RELEASE_CODEGEN_UNITS='1'
+CARGO_PROFILE_RELEASE_PANIC='abort'
+CARGO_PROFILE_RELEASE_INCREMENTAL='false'
+CARGO_PROFILE_RELEASE_OPT_LEVEL='3'
+CARGO_TARGET_DIR="$BUILDDIR/target"
+
+cargo build --release --locked
+
+mkdir -p $DESTDIR/usr/bin
+cp $CARGO_TARGET_DIR/release/attested-tls-proxy $DESTDIR/usr/bin/attested-tls-proxy
diff --git a/mkosi.images/buildernet/mkosi.conf b/mkosi.images/buildernet/mkosi.conf
index 786f5d30..d21dcccb 100644
--- a/mkosi.images/buildernet/mkosi.conf
+++ b/mkosi.images/buildernet/mkosi.conf
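Review bot: `RUSTFLAGS`, the `CARGO_PROFILE_RELEASE_*` settings and `CARGO_TARGET_DIR` in 20-attested-tls-proxy.sh are plain shell assignments that are never exported, so `cargo build --release --locked` does not see them — only `CARGO_HOME` gets an `export`. The binary is therefore built with the default release profile, without `-C link-arg=-Wl,--build-id=none`, `symbol-mangling-version=v0`, `lto=thin` or `panic=abort`; for an image whose measurement is attested that is the difference between a reproducible binary and one whose build-id and codegen can vary between builds. The first `CARGO_HOME="$BUILDDIR/.cargo"` is dead, overwritten three lines later by the `export`, and the final `cp` appears to work only because the unexported `CARGO_TARGET_DIR` happens to equal cargo's default `target/` under the `cd`. Prefix the assignments with `export` (or pass them on the `cargo` invocation) and quote `$BUILDDIR` and `$DESTDIR`.
```shell
# … unchanged: REF, PATH, BUILDDIR, CARGO_HOME export, tarball download, cd …
export RUSTFLAGS="-C target-cpu=x86-64-v4 \
  -C link-arg=-Wl,--build-id=none \
  -C symbol-mangling-version=v0 \
  -L /usr/lib/x86_64-linux-gnu"
export CARGO_PROFILE_RELEASE_LTO='thin'
export CARGO_PROFILE_RELEASE_CODEGEN_UNITS='1'
export CARGO_PROFILE_RELEASE_PANIC='abort'
export CARGO_PROFILE_RELEASE_INCREMENTAL='false'
export CARGO_PROFILE_RELEASE_OPT_LEVEL='3'
export CARGO_TARGET_DIR="$BUILDDIR/target"

cargo build --release --locked

mkdir -p "$DESTDIR/usr/bin"
cp "$CARGO_TARGET_DIR/release/attested-tls-proxy" "$DESTDIR/usr/bin/attested-tls-proxy"
```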
@@ -12,6 +12,8 @@ Packages=cryptsetup
 curl
 haproxy
 jq
+ libtss2-esys
+ libtss2-tctildr
 openssh-server
 prometheus-node-exporter
 rclone
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh b/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
index 22de01f4..4f400d67 100755
--- a/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
+++ b/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
@@ -10,3 +10,8 @@ ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/operator-api/c
 chmod 660 /var/lib/persistent/haproxy/certs/*.pem
 chown haproxy:haproxy /var/lib/persistent/haproxy/certs/*.pem
 systemctl reload haproxy.service
+
+# Copy the certificate and private key for use by attested-tls-proxy
+install -D -m 600 --owner=attested-tls-proxy --group=attested-tls-proxy \
+ "$PRIV_KEY" /var/lib/persistent/attested-tls-proxy/key.pem
+ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/attested-tls-proxy/cert.pem
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
new file mode 100644
index 00000000..a37ca53e
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
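Review bot: `install -D -m 600 --owner=attested-tls-proxy --group=attested-tls-proxy` in post-post-hook.sh assumes a static `attested-tls-proxy` account, but both attested-tls-proxy-client.service and attested-tls-proxy-server.service added in this change run with `DynamicUser=yes` and no `User=`, so the units create no such account; unless the image provisions it elsewhere (not visible here), `install` fails on an unknown owner and the key is never placed. Even if the account does exist, the runtime-allocated dynamic UID the proxy runs as is not that user, so a 0600 key.pem owned by it is unreadable by the service. Either give both units `User=attested-tls-proxy` (with a sysusers entry, keeping or dropping `DynamicUser=`) so the hook's owner matches, or move the key under a `StateDirectory=` that systemd chowns to the service user. `$CERT_PATH` inside `$(dirname $CERT_PATH)` is also unquoted on the new `ln` line; `"$(dirname "$CERT_PATH")/fullchain.cer"` is the safe form. The hook body continues outside the hunk, so I cannot see how it handles a failed `install`.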
@@ -0,0 +1,22 @@
+[Unit]
+DefaultDependencies=no
+Description=Attested TLS Proxy client
+Wants=network-online.target
+After=network.target network-online.target
+
+[Service]
+Type=exec
+DynamicUser=yes
+SupplementaryGroups=tss
+Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ --client-attestation-type auto \
+ ${BUILDERNET_BUILDERHUB_URL}
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
new file mode 100644
index 00000000..c425445c
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Attested TLS Proxy server
+Wants=network-online.target
+After=network.target network-online.target
+
+[Service]
+Type=exec
+DynamicUser=yes
+SupplementaryGroups=tss
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:7936 \
+ --allowed-remote-attestation-type none \
+ --server-attestation-type auto \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ 127.0.0.1:14727
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
deleted file mode 100644
index 79ac5800..00000000
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
+++ /dev/null
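Review bot: attested-tls-proxy-client.service now depends on `%S/persistent/attested-tls-proxy/key.pem` and `cert.pem` existing at start, but with `DefaultDependencies=no` it is ordered only after the network targets; nothing orders it after the persistent volume is mounted and populated (the mkosi.postinst hunk on this page references a `persistent-setup.service`, which looks like the unit that does so). If the files are absent at boot the proxy presumably exits, and `Restart=on-failure` at the default 100 ms interval can exhaust the default start-rate limit before the key appears. Consider adding `RequiresMountsFor=%S/persistent` and, if it is indeed the populating unit, `After=persistent-setup.service`, plus `RestartSec=5`. The same file dependency exists in attested-tls-proxy-server.service in the next hunk.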
@@ -1,19 +0,0 @@
-[Unit]
-DefaultDependencies=no
-Description=CVM Reverse Proxy client
-Wants=network-online.target
-After=network.target network-online.target
-
-[Service]
-Type=exec
-DynamicUser=yes
-SupplementaryGroups=tss
-Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
- --server-attestation-type none
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
deleted file mode 100644
index eac591c0..00000000
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=CVM Reverse Proxy server
-Wants=network-online.target
-After=network.target network-online.target
-
-[Service]
-Type=exec
-DynamicUser=yes
-SupplementaryGroups=tss
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
index a735d9d3..1822a45c 100644
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
@@ -1,8 +1,8 @@
 [Unit]
 DefaultDependencies=no
 Description=Pull and render configs from BuilderHub
-Wants=network-online.target cvm-reverse-proxy-client.service
-After=network.target network-online.target cvm-reverse-proxy-client.service
+Wants=network-online.target attested-tls-proxy-client.service
+After=network.target network-online.target attested-tls-proxy-client.service
 
 [Service]
 Type=oneshot
diff --git a/mkosi.images/buildernet/mkosi.postinst b/mkosi.images/buildernet/mkosi.postinst
index e88d717f..4658212d 100755
--- a/mkosi.images/buildernet/mkosi.postinst
+++ b/mkosi.images/buildernet/mkosi.postinst
@@ -16,7 +16,7 @@ for var in "${!BUILDERNET_@}"; do
 replace_underscore_template "$BUILDROOT/etc/systemd/system/persistent-setup.service" "${!var}"
 ;;
 BUILDERNET_BUILDERHUB_URL)
-replace_underscore_template "$BUILDROOT/etc/systemd/system/cvm-reverse-proxy-client.service" "${!var}"
+replace_underscore_template "$BUILDROOT/etc/systemd/system/attested-tls-proxy-client.service" "${!var}"
 ;;
 BUILDERNET_SSH_PUBLIC_KEY)
 replace_underscore_template "$BUILDROOT/home/bnet/.ssh/authorized_keys" "${!var}"