Merge branch 'eero/pseudo-hsm-fixes' into 'master'

Fixes for pseudo-HSM flow

- Switches SEV cert pulling to use `curl` instead of `wget`.
- Disables cert pulling (and makes `curl` explicitly ipv6) - NODE-817.
- Adjusts HSM message for pseudo flow. Checked that orchestrator is not signaling when HSM not in use.
- Clone NO key to "sanitized" config.
- Adds `--insecure` flag to `curl` when checking for NNS nodes, to avoid failing when on testnets. 

See merge request dfinity-lab/public/ic!11014

ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh

@@ -104,7 +104,8 @@ function assemble_config_media() {
     cmd+=(--name_servers "$(/opt/ic/bin/fetch-property.sh --key=.dns.name_servers --metric=hostos_dns_name_servers --config=${DEPLOYMENT})")
     cmd+=(--hostname "guest-$(/opt/ic/bin/fetch-mgmt-mac.sh | sed 's/://g')")
     cmd+=(--nns_url "$(/opt/ic/bin/fetch-property.sh --key=.nns.url --metric=hostos_nns_url --config=${DEPLOYMENT})")
-    cmd+=(--get_sev_certs)
+    # AMDs cert download links do not support IPv6; NODE-817
+    # cmd+=(--get_sev_certs)
     if [ -f "/boot/config/node_operator_private_key.pem" ]; then
         cmd+=(--node_operator_private_key "/boot/config/node_operator_private_key.pem")
     fi

ic-os/hostos/rootfs/opt/ic/bin/get-sev-certs.sh

@@ -19,14 +19,14 @@ fi
 
 if [[ -e /dev/sev ]]; then
     # Get ark.pem and ask.pem, and convert ask.pem to ask.dir
-    wget -O "${DIR}/cert_chain.pem" "https://kdsintf.amd.com/vcek/v1/Milan/cert_chain"
+    curl -6 --output "${DIR}/cert_chain.pem" "https://kdsintf.amd.com/vcek/v1/Milan/cert_chain"
     csplit -z -f "${DIR}/cert-chain-" "${DIR}/cert_chain.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'
     mv "${DIR}/cert-chain-00" "${DIR}/ask.pem"
     mv "${DIR}/cert-chain-01" "${DIR}/ark.pem"
     openssl x509 -in "${DIR}/ark.pem" -inform PEM -out "${DIR}/ark.der" -outform DER
     # Get vcek.der and convert to vcek.pem
     vcek_url=$("${VCEKURL}")
-    wget -O "${DIR}/vcek.der" "${vcek_url}"
+    curl -6 --output "${DIR}/vcek.der" "${vcek_url}"
     openssl x509 -in "${DIR}/vcek.der" -inform DER -out "${DIR}/vcek.pem" -outform PEM
 else
     echo "/dev/sev not available, exiting..."

ic-os/setupos/rootfs/opt/ic/bin/config.sh

@@ -34,6 +34,11 @@ function clone_config() {
         log_and_reboot_on_error "1" "Cloned 'config.ini' configuration file does not exist."
     fi
 
+    if [ -f "${CONFIG_DIR}/node_operator_private_key.pem" ]; then
+        cp ${CONFIG_DIR}/node_operator_private_key.pem ${CONFIG_TMP}/node_operator_private_key.pem
+        log_and_reboot_on_error "${?}" "Unable to copy 'node_operator_private_key.pem' configuration file."
+    fi
+
     if [ -d "${SSH_AUTHORIZED_KEYS}" ]; then
         cp -r "${SSH_AUTHORIZED_KEYS}" "${CONFIG_TMP}"
         log_and_reboot_on_error "${?}" "Unable to copy 'ssh_authorized_keys' directory."

ic-os/setupos/rootfs/opt/ic/bin/network.sh

@@ -162,7 +162,10 @@ function query_nns_nodes() {
         verify=$(awk "BEGIN {printf \"%.0f\n\", ${nodes}*0.20}")
     fi
     for url in $(echo $NNS_URL_LIST); do
-        curl --head --connect-timeout 3 --silent ${url} >/dev/null 2>&1
+        # When running against testnets, we need to ignore self signed certs
+        # with `--insecure`. This check is only meant to confirm from SetupOS
+        # that NNS urls are reachable, so we do not mind that it is "weak".
+        curl --insecure --head --connect-timeout 3 --silent ${url} >/dev/null 2>&1
         if [ "${?}" -ne 0 ]; then
             echo "  fail: ${url}"
         else

ic-os/setupos/rootfs/opt/ic/bin/setupos.sh

@@ -20,7 +20,7 @@ function start_setupos() {
 
 function reboot_setupos() {
     echo -e "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
-    echo "          Please do NOT unplug the Nitrokey HSM USB device just yet."
+    echo "          If a Nitrokey HSM USB device is in use, please do NOT unplug it just yet."
     echo -e "\n\n"
     echo "                 Wait for the message after the first boot..."
     echo -e "\n\n\n\n"