diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
similarity index 57%
rename from mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf
rename to mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
index 3a83b7d2..00f0c243 100644
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
@@ -8,8 +8,10 @@ After=tpm2.target
 ExecStartPre=+/usr/bin/chmod 440 /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStartPre=+/usr/bin/chown root:tss /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
 --client-attestation-type azure-tdx \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ ${BUILDERNET_BUILDERHUB_URL}
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
new file mode 100644
index 00000000..02ef9a70
--- /dev/null
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
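Review bot: The key handed to the client via `--tls-private-key-path %S/persistent/attested-tls-proxy/key.pem` is installed by post-post-hook.sh as mode 600 owned by the static user `attested-tls-proxy`, but the base attested-tls-proxy-client.service runs with DynamicUser=yes and no User=, so the process gets a dynamically allocated uid named after the unit and will most likely be unable to open the key. The same mismatch affects the azure server drop-in, both gcp drop-ins and the new attested-tls-proxy-server.service. Unless the package ships its own drop-in setting User=, either add `User=attested-tls-proxy` (and `Group=attested-tls-proxy`) to the base client and server units, or change the hook to an ownership/mode the dynamic user can actually read. Separately, the generic client ExecStart passes no key or certificate while this drop-in does; if the client needs a TLS identity on every platform the base unit is missing it, and if not, this drop-in grants private-key access it does not need.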
@@ -0,0 +1,9 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:7936 \
+ --server-attestation-type azure-tdx \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ 127.0.0.1:14727
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
deleted file mode 100644
index 4a3b913a..00000000
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727 \
- --server-attestation-type azure-tdx \
- --override-azurev6-tcbinfo
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
new file mode 100644
index 00000000..8c180970
--- /dev/null
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
+ --client-attestation-type dcap-tdx
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ ${BUILDERNET_BUILDERHUB_URL} \
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report
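Review bot: The deleted azure server drop-in passed `--override-azurev6-tcbinfo` and the replacement ExecStart passes no equivalent, so if the new tool has a corresponding option for the Azure v6 TCB handling, confirm that dropping it is intended. A one-line comment above ExecStart recording that decision would help the next reader, e.g. `# azurev6 TCB override no longer needed with attested-tls-proxy` if that is the case. The ExecStart also listens on `0.0.0.0:7936` with `--allowed-remote-attestation-type none`, which mirrors the old unit but is worth stating in a comment since it means any unattested peer may connect.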
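Review bot: The gcp client drop-in's ExecStart is broken by line continuation: `--client-attestation-type dcap-tdx` has no trailing backslash, so the ExecStart value ends there, and the following lines up to `${BUILDERNET_BUILDERHUB_URL} \` are joined (the trailing backslash on that line also swallows `SupplementaryGroups=`) into one line that systemd will, as far as I can tell, reject as an unknown key and drop. The result is a client with no target URL, no TLS key/cert options and the `tss` supplementary group still present. Change the two lines to `    --client-attestation-type dcap-tdx \` and `    ${BUILDERNET_BUILDERHUB_URL}` (no trailing backslash on the last one).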
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
new file mode 100644
index 00000000..643555bd
--- /dev/null
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy-server \
+ --listen-addr 0.0.0.0:7936 \
+ --server-attestation-type dcap-tdx \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ 127.0.0.1:14727
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
deleted file mode 100644
index a883b2b2..00000000
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
- --client-attestation-type=dcap-tdx
-SupplementaryGroups=
-ProtectSystem=strict
-ProtectHome=yes
-AmbientCapabilities=CAP_DAC_OVERRIDE
-ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
deleted file mode 100644
index 4cdc32ea..00000000
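Review bot: The gcp server drop-in invokes `/usr/bin/attested-tls-proxy-server`, whereas every other new ExecStart in this commit (azure drop-ins, base client and server units) uses the subcommand form `/usr/bin/attested-tls-proxy server`. Unless the .deb really installs a separate `attested-tls-proxy-server` binary, this unit will fail at start with a missing executable; change the line to `ExecStart=/usr/bin/attested-tls-proxy server \`.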
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727 \
- --server-attestation-type dcap-tdx
-SupplementaryGroups=
-ProtectSystem=strict
-ProtectHome=yes
-AmbientCapabilities=CAP_DAC_OVERRIDE
-ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
new file mode 100755
index 00000000..35397bde
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+EXPECTED_SHA256="815d6734ac2f78ea7e9e12b02efa8f9b0b3b283e07f898ebf90ede6910eb1843"
+curl -sSfL https://github.com/flashbots/attested-tls-proxy/releases/download/vtest00/attested-tls-proxy_1.vtest00_amd64.deb -o $PACKAGEDIR/attested-tls-proxy.deb
+echo "${EXPECTED_SHA256}" $PACKAGEDIR/attested-tls-proxy.deb | sha256sum --check
diff --git a/mkosi.images/buildernet/mkosi.conf b/mkosi.images/buildernet/mkosi.conf
index 786f5d30..0f4d60bf 100644
--- a/mkosi.images/buildernet/mkosi.conf
+++ b/mkosi.images/buildernet/mkosi.conf
@@ -12,6 +12,7 @@ Packages=cryptsetup
 curl
 haproxy
 jq
+ libtss2-dev
 openssh-server
 prometheus-node-exporter
 rclone
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh b/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
index 22de01f4..4f400d67 100755
--- a/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
+++ b/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
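Review bot: `$PACKAGEDIR` is expanded unquoted on both the curl and the checksum line, and the checksum line is assembled with `echo` and a single space, which depends on sha256sum's tolerance for the non-canonical "hash<space>file" layout. Use the canonical two-space form and quote the path: `curl -sSfL https://github.com/flashbots/attested-tls-proxy/releases/download/vtest00/attested-tls-proxy_1.vtest00_amd64.deb -o "${PACKAGEDIR}/attested-tls-proxy.deb"` and `sha256sum --check <<<"${EXPECTED_SHA256}  ${PACKAGEDIR}/attested-tls-proxy.deb"`. Pinning the artifact by hash is the right call; note that the tag `vtest00` reads like a pre-release, so a comment naming the upstream release this hash corresponds to would make the pin auditable when it is bumped.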
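Review bot: `libtss2-dev` is a development package (headers and pkg-config files) and is being added to the runtime image's Packages= list; if attested-tls-proxy only needs the shared libraries at run time, the corresponding runtime libtss2 library packages are the smaller dependency. If the .deb fetched in 20-attested-tls-proxy.sh already declares its runtime dependencies, this line may be unnecessary altogether; either way, a trailing comment such as `# runtime deps for attested-tls-proxy (vTPM quotes)` would record why it is here.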
@@ -10,3 +10,8 @@ ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/operator-api/c
 chmod 660 /var/lib/persistent/haproxy/certs/*.pem
 chown haproxy:haproxy /var/lib/persistent/haproxy/certs/*.pem
 systemctl reload haproxy.service
+
+# Copy the certificate and private key for use by attested-tls-proxy
+install -D -m 600 --owner=attested-tls-proxy --group=attested-tls-proxy \
+ "$PRIV_KEY" /var/lib/persistent/attested-tls-proxy/key.pem
+ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/attested-tls-proxy/cert.pem
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
similarity index 55%
rename from mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
rename to mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
index 79ac5800..966e3cef 100644
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
@@ -1,6 +1,6 @@
 [Unit]
 DefaultDependencies=no
-Description=CVM Reverse Proxy client
+Description=Attested TLS Proxy client
 Wants=network-online.target
 After=network.target network-online.target

@@ -9,10 +9,11 @@ Type=exec
 DynamicUser=yes
 SupplementaryGroups=tss
 Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
- --server-attestation-type none
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
+ --allowed-remote-attestation-type none \
+ --client-attestation-type auto \
+ ${BUILDERNET_BUILDERHUB_URL}
 Restart=on-failure

 [Install]
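Review bot: The new `ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" ...` line makes cert.pem a relative symlink back into the ACME directory, so the proxy (a DynamicUser service, with ProtectHome=yes in the gcp drop-in) must be able to traverse and read that directory at run time, which the hook does not guarantee; copying the chain the same way the key is copied, `install -D -m 644 "$(dirname "$CERT_PATH")/fullchain.cer" /var/lib/persistent/attested-tls-proxy/cert.pem`, removes that dependency and keeps the two files handled consistently. `$CERT_PATH` is also unquoted inside `$(dirname ...)` on the new line (the pattern is copied from the context line above). The comment says "Copy the certificate" but the certificate is symlinked, not copied; adjust one or the other.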
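Review bot: The new ExecStart in attested-tls-proxy-client.service disables verification of the remote side with `--allowed-remote-attestation-type none`, and nothing in the unit says why that is acceptable for the BuilderHub connection; a comment above ExecStart is warranted, e.g. `# BuilderHub is not a CVM: its identity rests on its TLS certificate, so remote attestation is not required` if that is the rationale. Likewise `--client-attestation-type auto` deserves a note on what it selects when no platform drop-in is present, since the azure and gcp drop-ins replace it with explicit types.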
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
new file mode 100644
index 00000000..25f68326
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Attested TLS Proxy server
+Wants=network-online.target
+After=network.target network-online.target acme-le.service
+
+[Service]
+Type=exec
+DynamicUser=yes
+SupplementaryGroups=tss
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:7936 \
+ --allowed-remote-attestation-type none \
+ --server-attestation-type auto \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
+ 127.0.0.1:14727
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
deleted file mode 100644
index eac591c0..00000000
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=CVM Reverse Proxy server
-Wants=network-online.target
-After=network.target network-online.target
-
-[Service]
-Type=exec
-DynamicUser=yes
-SupplementaryGroups=tss
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
index a735d9d3..1822a45c 100644
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
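Review bot: The server unit only orders itself `After=acme-le.service` and reads `%S/persistent/attested-tls-proxy/key.pem` and cert.pem, which post-post-hook.sh creates only once a certificate has been issued; if those files can be absent when the unit first starts, `Restart=on-failure` with the default RestartSec will cycle through the start-rate limit in under a second and leave the unit failed. Add `RestartSec=5` and, if the files are expected to appear later, a `ConditionPathExists=%S/persistent/attested-tls-proxy/key.pem` so the unit waits rather than burns its restart budget. A short comment on `--listen-addr 0.0.0.0:7936` with `--allowed-remote-attestation-type none` stating that unattested peers are intentionally accepted, as the removed unit also did, would make the exposure explicit.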
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
@@ -1,8 +1,8 @@
 [Unit]
 DefaultDependencies=no
 Description=Pull and render configs from BuilderHub
-Wants=network-online.target cvm-reverse-proxy-client.service
-After=network.target network-online.target cvm-reverse-proxy-client.service
+Wants=network-online.target attested-tls-proxy-client.service
+After=network.target network-online.target attested-tls-proxy-client.service

 [Service]
 Type=oneshot
diff --git a/mkosi.images/buildernet/mkosi.postinst b/mkosi.images/buildernet/mkosi.postinst
index e88d717f..4658212d 100755
--- a/mkosi.images/buildernet/mkosi.postinst
+++ b/mkosi.images/buildernet/mkosi.postinst
@@ -16,7 +16,7 @@ for var in "${!BUILDERNET_@}"; do
 replace_underscore_template "$BUILDROOT/etc/systemd/system/persistent-setup.service" "${!var}"
 ;;
 BUILDERNET_BUILDERHUB_URL)
- replace_underscore_template "$BUILDROOT/etc/systemd/system/cvm-reverse-proxy-client.service" "${!var}"
+ replace_underscore_template "$BUILDROOT/etc/systemd/system/attested-tls-proxy-client.service" "${!var}"
 ;;
 BUILDERNET_SSH_PUBLIC_KEY)
 replace_underscore_template "$BUILDROOT/home/bnet/.ssh/authorized_keys" "${!var}"