Update template build logic to use debian10-buster #9

Merged
merged 2 commits into from Oct 31, 2019

@emkll emkll commented Oct 31, 2019

Closes freedomofpress/securedrop-workstation#308

Background

Test plan:

  • Create (or repurpose) a fedora-based Qube with at least 20GB of private storage
  • Check out securedrop-workstation's master branch
  • Apply the following diff (this is for testing only, to make testing easier and to avoid the manual build steps):
diff --git a/builder/build-workstation-template b/builder/build-workstation-template
index 103ae03..eb5323e 100755
--- a/builder/build-workstation-template
+++ b/builder/build-workstation-template
@@ -24,7 +24,7 @@ fi
 rm -rf "${qubes_builder_dir}" "${sd_template_dir}"
 
 git clone https://github.com/qubesos/qubes-builder "${build_dir}/qubes-builder"
-git clone https://github.com/freedomofpress/qubes-template-securedrop-workstation "${sd_template_dir}"
+git clone -b debian-buster https://github.com/freedomofpress/qubes-template-securedrop-workstation "${sd_template_dir}"
 
 cd "${qubes_builder_dir}"
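Review bot: the added `git clone -b debian-buster` line points the template checkout at a branch name, which is a moving ref, and nothing in the visible lines verifies what was fetched before the script moves on to `cd "${qubes_builder_dir}"`. Since the diff is described as test-only, keep it out of the committed builder; if a non-default ref is needed for longer, read it from a variable and check out a signed tag that is verified before the build, rather than a branch tip. Separately, the context line clones qubes-builder into `"${build_dir}/qubes-builder"` while the `rm -rf` and `cd` lines use `${qubes_builder_dir}`; using the same variable in all three places would keep the paths from drifting apart.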
  • make template completes without error (this should take 20-30 minutes depending on internet speed)
  • Copy the built template into dom0 (the template is in securedrop-workstation/builder/qubes-builder/qubes-src/rpmbuild/rpm/noarch)
  • install the template in dom0
  • template installs successfully in dom0
  • Run qvm-prefs securedrop-workstation-buster virt_mode hvm
  • Run qvm-prefs securedrop-workstation-buster kernel ""
  • The templateVM boots, and uname -r returns 4.14.151-grsec
  • The name of the template makes sense (it was purposely not named securedrop-workstation so that this template can coexist happily with the securedrop-workstation template)

pre merge

Before merging, please revert commit 250f989 which was introduced for testing only

post merge:

  • push a signed tag pointing to master's HEAD with the FPF Authority Key

@emkll emkll requested a review from conorsch October 31, 2019 20:14
@emkll emkll added this to In Development in SecureDrop Team Board Oct 31, 2019
@emkll emkll moved this from In Development to Ready for Review in SecureDrop Team Board Oct 31, 2019
@conorsch

Success!

[Screenshot: sdw-buster-kernel-working]

Followed the test plan exactly. Encountered two small bumps in the road:

  1. Had to update the pubkey logic in the securedrop-workstation repo; I'll submit a PR over there for your review, @emkll, which I expect will smooth over the build process for the broader team.
  2. The kernel version reported in the template is not 4.14.151-grsec, but rather 4.14.151-grsec-workstation (see screenshot above). That's not a problem, merely a consequence of freedomofpress/ansible-role-grsecurity-build@60d3fb9. Still, worth mentioning, so we're all on the same page.

Since you clearly flagged the need to drop a test-only commit, I'll do that now, then mark with final approval.


@conorsch conorsch left a comment

Confirmed successful local build. Dropped test-only commit prior to merging. Post-merge, we'll follow up with a signed tag.

@conorsch conorsch merged commit 0c6e5ea into master Oct 31, 2019
SecureDrop Team Board automation moved this from Ready for Review to Done Oct 31, 2019
conorsch pushed a commit to freedomofpress/securedrop-workstation that referenced this pull request Oct 31, 2019
We'd previously been tracking a personal staff pubkey (@emkll) for the
Qubes template build process. We've since transitioned to using the FPF
Authority Key to sign tags in the qubes-template-securedrop-workstation
repository, so the builder logic in this repo must be updated
accordingly. Done.

Used this patch during review of freedomofpress/qubes-template-securedrop-workstation#9
@emkll emkll deleted the debian-buster branch February 14, 2020 19:03
Successfully merging this pull request may close these issues.

Test experimental securedrop-workstation (w/ grsec) template on Buster