Merge branch 'main' into 2.0

microsoft · Nov 15, 2023 · 42bc30b · 42bc30b
2 parents 5b3b93f + bde2e39
commit 42bc30b
Show file tree

Hide file tree

Showing 32 changed files with 8,735 additions and 168 deletions.
diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml
@@ -14,10 +14,12 @@ parameters:
     default:
       - name: "AMD64"
         agentPool: "$(DEV_AMD64_Managed)" # Pool defined inside the "Agent pools (DEV)" variable group.
+        maxCPUs: "$(($(nproc) / 2))"
         rawToolchainCacheURL: "$(rawToolchainCacheURL_AMD64)"
         rawToolchainExpectedHash: "f56df34b90915c93f772d3961bf5e9eeb8c1233db43dd92070214e4ce6b72894"
       - name: "ARM64"
         agentPool: "$(DEV_ARM64_Managed)" # Pool defined inside the "Agent pools (DEV)" variable group.
+        maxCPUs: "$(($(nproc) / 3))"
         rawToolchainCacheURL: "$(rawToolchainCacheURL_ARM64)"
         rawToolchainExpectedHash: "65de43b3bdcfdaac71df1f11fd1f830a8109b1eb9d7cb6cbc2e2d0e929d0ef76"
 
@@ -68,6 +70,10 @@ extends:
                       outputArtifactsFolder: $(ob_outputDirectory)
                       selfRepoName: self
 
+                  # Toolchain package tests should be run through the full package build, calculate the list of packages that should be re-tested
+                  # and make it available to the next stage via an output variable: 'CalculateToolchainPackageRetestList.toolchainPackageRetestList'
+                  - template: .pipelines/templates/ToolchainCalculatePackageRetests.yml@self
+
                   # 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
                   #    then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
                   #    that the PR check pipeline does not have.
@@ -90,16 +96,19 @@ extends:
                 variables:
                   ob_artifactBaseName: ${{ variables.rpmsArtifactNameBase }}_${{ configuration.name }}
                   ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+                  testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
                 steps:
                   - template: .pipelines/templates/PackageBuild.yml@self
                     parameters:
                       customToolchainArtifactName: $(toolchainArtifactNameBase)_${{ configuration.name }}
                       isCheckBuild: true
                       isQuickRebuildPackages: true
                       outputArtifactsFolder: $(ob_outputDirectory)
+                      maxCPU: "${{ configuration.maxCPUs }}"
                       pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
                       selfRepoName: self
                       testSuiteName: "[${{ configuration.name }}] Package test"
+                      testRerunList: "$(testListFromToolchain)"
 
                   - task: PublishPipelineArtifact@1
                     inputs:

diff --git a/.pipelines/templates/PackageBuild.yml b/.pipelines/templates/PackageBuild.yml
@@ -22,6 +22,10 @@ parameters:
     type: string
     default: ""
 
+  - name: testRerunList
+    type: string
+    default: ""
+
   - name: failOnTestFailures
     type: boolean
     default: true
@@ -74,6 +78,10 @@ parameters:
     type: string
     default: "TESTS"
 
+  - name: maxCPU
+    type: string
+    default: ""
+
   - name: pipArtifactFeeds
     type: string
     default: ""
@@ -187,13 +195,15 @@ steps:
       sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" build-packages -j$(nproc) \
         CONCURRENT_PACKAGE_BUILDS=${{ parameters.concurrentPackageBuilds }} \
         CONFIG_FILE="" \
+        MAX_CPU="${{ parameters.maxCPU }}" \
         REBUILD_TOOLS=y \
         REPO_LIST="${{ parameters.extraPackageRepos }}" \
         SPECS_DIR="${{ parameters.buildRepoRoot }}/${{ parameters.specsFolderPath }}" \
         SRPM_PACK_LIST="${{ parameters.srpmPackList }}" \
         $delta_fetch_arg \
         $quick_rebuild_packages_arg \
         $run_check_arg \
+        TEST_RERUN_LIST="${{ parameters.testRerunList }}" \
         $use_ccache_arg
     displayName: "Build packages"
 

diff --git a/.pipelines/templates/ToolchainBuild.yml b/.pipelines/templates/ToolchainBuild.yml
@@ -54,3 +54,4 @@ steps:
       tar -C "${{ parameters.buildRepoRoot }}/build/logs/toolchain" -czf "$published_logs_dir/toolchain.logs.tar.gz" .
     condition: always()
     displayName: "Copy logs for publishing"
+
diff --git a/.pipelines/templates/ToolchainCalculatePackageRetests.yml b/.pipelines/templates/ToolchainCalculatePackageRetests.yml
@@ -0,0 +1,38 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+parameters:
+  - name: buildRepoRoot
+    type: string
+    default: "$(Build.SourcesDirectory)"
+
+steps:
+  # This template will calculate a list of toolchain packages that might need to be re-tested at a later stage.
+  # It assumes a toolchain build has already been performed in the same job. The value will be made available as
+  # the variable 'CalculateToolchainPackageRetestList.toolchainPackageRetestList'.
+  - bash: |
+      # Calculate the list of packages that should be re-tested during full package build.
+      #   This list will be the contents of 'built_specs_list.txt' in the toolchain build logs directory, but only for
+      #   packages that have a '%check' section in their spec file. The assumption is that all packages will have a 
+      #   '%check' section for all architectures, or none.
+      built_list="${{ parameters.buildRepoRoot }}"/build/logs/toolchain/built_specs_list.txt
+      specs_dir="${{ parameters.buildRepoRoot }}/SPECS/"
+      if [[ -f "$built_list" ]]; then
+        retest_list=()
+        while read -r spec; do
+          if [ ! -f "${specs_dir}/${spec}/${spec}".spec ]; then
+              echo "##[error]ERROR: '${specs_dir}/${spec}/${spec}.spec' does not exist"
+              exit 1
+          fi
+          if grep -q '^%check' "${specs_dir}/${spec}/${spec}.spec"; then
+              retest_list+=("${spec}")
+          fi
+        done < "$built_list"
+      else
+        echo "No file '$built_list' found, so no packages to re-test"
+      fi
+      # Default will be "", which is fine.
+      echo "Setting 'CalculateToolchainPackageRetestList.toolchainPackageRetestList' to '${retest_list[*]}'"
+      echo "##vso[task.setvariable variable=toolchainPackageRetestList;isOutput=true]${retest_list[*]}"
+    name: "CalculateToolchainPackageRetestList"
+    displayName: "Calculating packages that should be re-tested"
diff --git a/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec b/SPECS-SIGNED/kernel-mos-signed/kernel-mos-signed.spec
@@ -0,0 +1,155 @@
+%global debug_package %{nil}
+%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
+%global buildarch x86_64
+%define uname_r %{version}-%{release}
+Summary:        Signed Linux Kernel for MOS systems
+Name:           kernel-mos-signed-%{buildarch}
+Version:        5.15.136.1
+Release:        1%{?dist}
+License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Kernel
+URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
+# This spec purpose is to take an input kernel rpm and input secure-boot-signed
+# kernel binary from the same build and generate a new "kernel" rpm with the
+# signed kernel binary + all of the other original kernel files, triggers,
+# scriptlets, requires, provides, etc.
+#
+# We need to ensure the kernel modules and kernel binary used are from the exact
+# same build because at build time the kernel modules are signed with an
+# ephemeral key that the kernel enrolls in its keyring. We enforce kernel
+# module signature checking when we enable security features like kernel
+# lockdown so our kernel can only load those specific kernel modules at runtime.
+#
+# Additionally, to complete the UEFI Secure Boot chain, we must PE-sign the
+# kernel binary. Ideally we would enable secure-boot signing tools like pesign
+# or sbsign to be callable from inside the rpmbuild environment, that way we can
+# secure-boot sign the kernel binary during the kernel's rpmbuild. It is best
+# practice to sign as soon as possible. However there are issues getting that
+# secure boot signing infrastructure in place today. Hence we sign the
+# resulting kernel binary and "repackage" the kernel-mos RPM (something rpm itself
+# actively tries to make sure you never do...generally for good reasons).
+#
+# To achive this repackaging, this spec creates a new subpackage named
+# "kernel-mos". To retain all of the initial kernel-mos package behaviors, we make sure
+# the subpackage has the same requires, provides, triggers, post steps, and
+# files as the original kernel package.
+#
+# This specific repackaging implementation leaves room for us to enable the
+# more ideal secure-boot signing flow in the future without introducing any
+# sort of breaking change or new packaging. Users still install a "kernel-mos"
+# package like they normally would.
+#
+# Maintenance Notes:
+# - This spec's "version" and "release" must reflect the unsigned version that
+# was signed. An important consequence is that when making a change to this
+# spec or the normal kernel-mos spec, the other spec's version version/release must
+# be increased to keep the two versions consistent.
+#
+# - Make sure the kernel-mos subpackage's Requires, Provides, triggers, post/postun
+# scriptlets, and files match the normal kernel-mos spec's. The kernel subpackage
+# should contain the same content as the input kernel-mos package but replace the
+# kernel binary with our signed kernel binary. Since all the requires, provides,
+# etc are the same, this new kernel-mos package can be a direct replacement for the
+# normal kernel-mos package and RPM will resolve packages with kernel-mos dependencies
+# correctly.
+#
+# To populate the input sources:
+#   1. Build the unsigned packages as normal
+#   2. Sign the desired binary
+#   3. Place the unsigned package and signed binary in this spec's folder
+#   4. Build this spec
+Source0:        kernel-mos-%{version}-%{release}.%{buildarch}.rpm
+Source1:        vmlinuz-%{uname_r}
+Source2:        sha512hmac-openssl.sh
+BuildRequires:  cpio
+BuildRequires:  openssl
+BuildRequires:  sed
+
+%description
+This package contains the Linux kernel package with kernel signed with the production key
+
+%package -n     kernel-mos
+Summary:        Linux Kernel for MOS
+Group:          System Environment/Kernel
+Requires:       filesystem
+Requires:       kmod
+Requires(post): coreutils
+Requires(postun): coreutils
+
+%description -n kernel-mos
+The kernel-mos package contains the signed Linux kernel for MOS.
+
+%prep
+
+%build
+mkdir rpm_contents
+pushd rpm_contents
+
+# This spec's whole purpose is to inject the signed kernel binary
+rpm2cpio %{SOURCE0} | cpio -idmv
+cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
+
+popd
+
+%install
+pushd rpm_contents
+
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
+
+popd
+
+# Recalculate sha512hmac for FIPS
+%{sha512hmac} %{buildroot}/boot/vmlinuz-%{uname_r} | sed -e "s,$RPM_BUILD_ROOT,," > %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac
+cp %{buildroot}/boot/.vmlinuz-%{uname_r}.hmac %{buildroot}/lib/modules/%{uname_r}/.vmlinuz.hmac
+
+%triggerin -n kernel-mos -- initramfs
+mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
+touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+echo "initrd generation of kernel %{uname_r} will be triggered later" >&2
+
+%triggerun -n kernel-mos -- initramfs
+rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
+rm -rf /boot/initrd.img-%{uname_r}
+echo "initrd of kernel %{uname_r} removed" >&2
+
+%postun -n kernel-mos
+if [ ! -e /boot/mariner.cfg ]
+then
+     ls /boot/linux-*.cfg 1> /dev/null 2>&1
+     if [ $? -eq 0 ]
+     then
+          list=`ls -tu /boot/linux-*.cfg | head -n1`
+          test -n "$list" && ln -sf "$list" /boot/mariner.cfg
+     fi
+fi
+
+%post -n kernel-mos
+/sbin/depmod -a %{uname_r}
+ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
+
+%files -n kernel-mos
+%defattr(-,root,root)
+%license COPYING
+%exclude %dir %{_libdir}/debug
+/boot/System.map-%{uname_r}
+/boot/config-%{uname_r}
+/boot/vmlinuz-%{uname_r}
+/boot/.vmlinuz-%{uname_r}.hmac
+%config(noreplace) /boot/linux-%{uname_r}.cfg
+%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
+%defattr(0644,root,root)
+/lib/modules/%{uname_r}/*
+/lib/modules/%{uname_r}/.vmlinuz.hmac
+%exclude /lib/modules/%{uname_r}/build
+%exclude /lib/modules/%{uname_r}/kernel/drivers/accessibility
+%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu
+%exclude /lib/modules/%{uname_r}/kernel/sound
+%exclude /module_info.ld
+
+%changelog
+* Wed Nov 08 2023 Rachel Menge <[email protected]> - 5.15.136.1-1
+- Original version for CBL-Mariner.
+- License verified
diff --git a/SPECS-SIGNED/kernel-mos-signed/sha512hmac-openssl.sh b/SPECS-SIGNED/kernel-mos-signed/sha512hmac-openssl.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Mocks sha512hmac using the openssl tool.
+# Only for use during RPM build.
+
+openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -)  $1"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -54,3 +54,4 @@ steps:
		tar -C "${{ parameters.buildRepoRoot }}/build/logs/toolchain" -czf "$published_logs_dir/toolchain.logs.tar.gz" .
		condition: always()
		displayName: "Copy logs for publishing"