From 8755ec3d20ca14bdf982b4a617903f39115689d1 Mon Sep 17 00:00:00 2001 
From: peg
Date: Tue, 16 Dec 2025 09:37:16 +0100
Subject: [PATCH 1/6] Use attested-tls-proxy
---
 .../azure-override.conf | 10 +++---
 .../azure-override.conf | 8 +++++
 .../azure-override.conf | 7 ----
 .../gcp-override.conf | 14 ++++++++
 .../gcp-override.conf | 14 ++++++++
 .../gcp-override.conf | 11 -------
 .../gcp-override.conf | 11 -------
 .../mkosi.build.d/20-attested-tls-proxy.sh | 33 +++++++++++++++++++
 mkosi.images/buildernet/mkosi.conf | 2 ++
 .../system/attested-tls-proxy-client.service | 22 +++++++++++++
 .../system/attested-tls-proxy-server.service | 20 +++++++++++
 .../system/cvm-reverse-proxy-client.service | 19 -----------
 .../system/cvm-reverse-proxy-server.service | 16 --------
 .../etc/systemd/system/render-config.service | 4 +--
 mkosi.images/buildernet/mkosi.postinst | 2 +-
 15 files changed, 122 insertions(+), 71 deletions(-)
 rename mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/{cvm-reverse-proxy-client.service.d => attested-tls-proxy-client.service.d}/azure-override.conf (58%)
 create mode 100644 mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
 delete mode 100644 mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
 create mode 100644 mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
 create mode 100644 mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
 delete mode 100644 mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
 delete mode 100644 mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
 create mode 100644 mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
 create mode 100644 
mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
 create mode 100644 mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
 delete mode 100644 mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
 delete mode 100644 mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
similarity index 58%
rename from mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf
rename to mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
index 3a83b7d2..f7108199 100644
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/azure-override.conf
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
@@ -8,8 +8,10 @@ After=tpm2.target
 ExecStartPre=+/usr/bin/chmod 440 /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStartPre=+/usr/bin/chown root:tss /sys/kernel/security/tpm0/binary_bios_measurements
 ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
 --client-attestation-type azure-tdx \
- --server-attestation-type none
+ --allowed-remote-attestation-type none
+ --tls-private-key-path var/lib/persistent/operator-api/key.pem \
+ --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ ${BUILDERNET_BUILDERHUB_URL}
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
new file mode 100644
index 00000000..059ca495
--- /dev/null
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
@@ -0,0 +1,8 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:7936 \
+ --server-attestation-type azure-tdx \
+ --tls-private-key-path var/lib/persistent/operator-api/key.pem \
+ --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ 127.0.0.1:14727
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
deleted file mode 100644
index 4a3b913a..00000000
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/azure-override.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727 \
- --server-attestation-type azure-tdx \
- --override-azurev6-tcbinfo
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
new file mode 100644
index 00000000..0a6cb2b0
--- /dev/null
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
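Review bot: The new Azure server ExecStart drops `--override-azurev6-tcbinfo`, which the deleted cvm-reverse-proxy-server override passed, and nothing in the series says whether attested-tls-proxy has an equivalent or no longer needs it. If the new binary exposes a matching option for Azure v6 TCB info it should be carried over on the `--server-attestation-type azure-tdx \` line; if the behaviour is now built in, a comment such as `# azurev6 tcbinfo override from cvm-reverse-proxy is not needed with attested-tls-proxy` above the ExecStart would stop the next reader from hunting for it. I cannot verify the option set of the pinned attested-tls-proxy revision from here, so treat this as a question for the author rather than a confirmed regression.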
@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr 127.0.0.1:7937 \
+ --client-attestation-type gcp-tdx
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path var/lib/persistent/operator-api/key.pem \
+ --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ ${BUILDERNET_BUILDERHUB_URL} \
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
new file mode 100644
index 00000000..7256f549
--- /dev/null
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
@@ -0,0 +1,14 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/attested-tls-proxy-server \
+ --listen-addr 0.0.0.0:7936 \
+ --server-attestation-type gcp-tdx
+ --tls-private-key-path var/lib/persistent/operator-api/key.pem \
+ --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --allowed-remote-attestation-type none \
+ 127.0.0.1:14727
+SupplementaryGroups=
+ProtectSystem=strict
+ProtectHome=yes
+AmbientCapabilities=CAP_DAC_OVERRIDE
+ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
deleted file mode 100644
index a883b2b2..00000000
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service.d/gcp-override.conf
+++ /dev/null
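Review bot: In the GCP client override, `--client-attestation-type gcp-tdx` has no trailing backslash, so the ExecStart value ends there and the `--allowed-remote-attestation-type`, `--tls-private-key-path`, `--tls-certificate-path` and `${BUILDERNET_BUILDERHUB_URL}` lines that follow are not part of the command (systemd does not parse them as directives and the proxy starts without its TLS identity or target); conversely `${BUILDERNET_BUILDERHUB_URL} \` does end with a backslash, so `SupplementaryGroups=` is appended to the command as a literal argument instead of clearing the supplementary groups. Patch 3 edits exactly this line and patch 6 keeps both lines as unchanged context, so the final state of the series still has the defect. The fix is `--client-attestation-type dcap-tdx \` (with the value patch 3 settles on) and `${BUILDERNET_BUILDERHUB_URL}` without the backslash. The GCP server override in the next hunk has the same missing continuation after `--server-attestation-type gcp-tdx`.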
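Review bot: The GCP server override invokes `/usr/bin/attested-tls-proxy-server`, but the build script in this same patch installs a single binary at `/usr/bin/attested-tls-proxy` and every other unit runs it as `attested-tls-proxy server`, so on GCP this drop-in replaces a working ExecStart with a path that does not exist and the service fails to start. Patches 3 and 6 both touch this file and carry the line as context, so it survives to the end of the series. Change it to `ExecStart=/usr/bin/attested-tls-proxy server \`. The `--server-attestation-type gcp-tdx` line also lacks the trailing backslash, which cuts the command short before the key, certificate and target arguments.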
@@ -1,11 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
- --client-attestation-type=dcap-tdx
-SupplementaryGroups=
-ProtectSystem=strict
-ProtectHome=yes
-AmbientCapabilities=CAP_DAC_OVERRIDE
-ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
deleted file mode 100644
index 4cdc32ea..00000000
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service.d/gcp-override.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727 \
- --server-attestation-type dcap-tdx
-SupplementaryGroups=
-ProtectSystem=strict
-ProtectHome=yes
-AmbientCapabilities=CAP_DAC_OVERRIDE
-ReadWritePaths=/sys/kernel/config/tsm/report
diff --git a/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
new file mode 100644
index 00000000..e932c68b
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REF=06aafe43335a5d228a3ea2d3b871d15d2d06e855
+CARGO_HOME="$BUILDDIR/.cargo"
+PATH="$BUILDDIR/rust-toolchain/bin:$PATH"
+BUILDDIR="$BUILDDIR/vector"
+export CARGO_HOME="$SRCDIR/mkosi.images/buildernet/mkosi.cache/cargo"
+
+echo "Installing attested-tls-proxy..."
+
+mkdir -p $BUILDDIR
+
+curl -sSfL https://api.github.com/repos/flashbots/attested-tls-proxy/tarball/${REF} | \
+ tar xzf - -C $BUILDDIR --strip-components=1
+
+cd $BUILDDIR
+
+RUSTFLAGS="-C target-cpu=x86-64-v4 \
+ -C link-arg=-Wl,--build-id=none \
+ -C symbol-mangling-version=v0 \
+ -L /usr/lib/x86_64-linux-gnu"
+CARGO_PROFILE_RELEASE_LTO='thin'
+CARGO_PROFILE_RELEASE_CODEGEN_UNITS='1'
+CARGO_PROFILE_RELEASE_PANIC='abort'
+CARGO_PROFILE_RELEASE_INCREMENTAL='false'
+CARGO_PROFILE_RELEASE_OPT_LEVEL='3'
+CARGO_TARGET_DIR="$BUILDDIR/target"
+
+cargo build --release --locked
+
+mkdir -p $DESTDIR/usr/bin
+cp $CARGO_TARGET_DIR/release/attested-tls-proxy $DESTDIR/usr/bin/attested-tls-proxy
diff --git a/mkosi.images/buildernet/mkosi.conf b/mkosi.images/buildernet/mkosi.conf
index 786f5d30..9980e22f 100644
--- a/mkosi.images/buildernet/mkosi.conf
+++ b/mkosi.images/buildernet/mkosi.conf
@@ -21,6 +21,8 @@ Packages=cryptsetup
 systemd-repart
 systemd-resolved
 tpm2-tools
+ libtss2-esys-3.0.2-0t64
+ libtss2-tctildr0t64
 BuildPackages=build-essential
 dpkg-dev
 git
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
new file mode 100644
index 00000000..f50839fb
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
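Review bot: `RUSTFLAGS` and the `CARGO_PROFILE_RELEASE_*` assignments in the build script are plain shell variables, never exported, so `cargo build --release --locked` does not see them: the binary is built without `-C link-arg=-Wl,--build-id=none`, `panic=abort`, thin LTO or the v0 mangling, and the reproducible-build settings those lines exist for are silently dropped (`CARGO_TARGET_DIR` is likewise unexported and only works because it equals cargo's default `./target`). Either prefix each of those assignments with `export`, or bracket the group with `set -a` before `RUSTFLAGS=` and `set +a` after `CARGO_TARGET_DIR=`. Separately, `CARGO_HOME="$BUILDDIR/.cargo"` on the fifth line is dead, overwritten by the `export CARGO_HOME=...` three lines below, and the unquoted `$BUILDDIR`/`$DESTDIR` expansions in `mkdir`, `tar`, `cd` and `cp` would be safer quoted. Pinning the fetch to a commit SHA and building with `--locked` is the right supply-chain posture and should stay.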
@@ -0,0 +1,22 @@
+[Unit]
+DefaultDependencies=no
+Description=Attested TLS Proxy client
+Wants=network-online.target
+After=network.target network-online.target
+
+[Service]
+Type=exec
+DynamicUser=yes
+SupplementaryGroups=tss
+Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
+ExecStart=/usr/bin/attested-tls-proxy client \
+ --listen-addr=127.0.0.1:7937 \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path var/lib/persistent/operator-api/key.pem \
+ --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --client-attestation-type auto \
+ ${BUILDERNET_BUILDERHUB_URL}
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
new file mode 100644
index 00000000..76d9cded
--- /dev/null
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Attested TLS Proxy server
+Wants=network-online.target
+After=network.target network-online.target
+
+[Service]
+Type=exec
+DynamicUser=yes
+SupplementaryGroups=tss
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:7936 \
+ --allowed-remote-attestation-type none \
+ --server-attestation-type auto \
+ --tls-private-key-path var/lib/persistent/operator-api/key.pem \
+ --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ 127.0.0.1:14727
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
deleted file mode 100644
index 79ac5800..00000000
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-client.service
+++ /dev/null
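Review bot: Both new base units pass `--allowed-remote-attestation-type none`, so the client does not verify BuilderHub's attestation and the server, which listens on `0.0.0.0:7936`, accepts peers that present no attestation at all; this mirrors the deleted units (`--server-attestation-type none` on the client, no client check on the server), but neither file records that it is deliberate, and in an attested-TLS setup "none" on the remote side is the single most consequential setting. A short comment above each ExecStart, along the lines of `# Remote attestation is not required here: the peer is not expected to run in a CVM; trust rests on the TLS certificate` (adjust to the actual reason, which I cannot confirm from this series), would document the trust decision where the next operator will look for it. The same applies to the server unit in the second hunk of this line.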
@@ -1,19 +0,0 @@
-[Unit]
-DefaultDependencies=no
-Description=CVM Reverse Proxy client
-Wants=network-online.target
-After=network.target network-online.target
-
-[Service]
-Type=exec
-DynamicUser=yes
-SupplementaryGroups=tss
-Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
-ExecStart=/usr/bin/cvm-reverse-proxy-client \
- --listen-addr=localhost:7937 \
- --target-addr=${BUILDERNET_BUILDERHUB_URL} \
- --server-attestation-type none
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
deleted file mode 100644
index eac591c0..00000000
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/cvm-reverse-proxy-server.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=CVM Reverse Proxy server
-Wants=network-online.target
-After=network.target network-online.target
-
-[Service]
-Type=exec
-DynamicUser=yes
-SupplementaryGroups=tss
-ExecStart=/usr/bin/cvm-reverse-proxy-server \
- --listen-addr=0.0.0.0:7936 \
- --target-addr=http://localhost:14727
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
index a735d9d3..1822a45c 100644
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/render-config.service
@@ -1,8 +1,8 @@
 [Unit]
 DefaultDependencies=no
 Description=Pull and render configs from BuilderHub
-Wants=network-online.target cvm-reverse-proxy-client.service
-After=network.target network-online.target cvm-reverse-proxy-client.service
+Wants=network-online.target attested-tls-proxy-client.service
+After=network.target network-online.target attested-tls-proxy-client.service

 [Service]
 Type=oneshot
diff --git a/mkosi.images/buildernet/mkosi.postinst b/mkosi.images/buildernet/mkosi.postinst
index e88d717f..4658212d 100755
--- a/mkosi.images/buildernet/mkosi.postinst
+++ b/mkosi.images/buildernet/mkosi.postinst
@@ -16,7 +16,7 @@ for var in "${!BUILDERNET_@}"; do
 replace_underscore_template "$BUILDROOT/etc/systemd/system/persistent-setup.service" "${!var}"
 ;;
 BUILDERNET_BUILDERHUB_URL)
- replace_underscore_template "$BUILDROOT/etc/systemd/system/cvm-reverse-proxy-client.service" "${!var}"
+ replace_underscore_template "$BUILDROOT/etc/systemd/system/attested-tls-proxy-client.service" "${!var}"
 ;;
 BUILDERNET_SSH_PUBLIC_KEY)
 replace_underscore_template "$BUILDROOT/home/bnet/.ssh/authorized_keys" "${!var}"
From af87af1c5b49d7d0a00ad9049244287a0bbb60f9 Mon Sep 17 00:00:00 2001
From: peg
Date: Tue, 16 Dec 2025 10:06:45 +0100
Subject: [PATCH 2/6] Make attested-tls-proxy build script executable
---
 mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
diff --git a/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
old mode 100644
new mode 100755
From 0236678e8bbe709cc0dc9a89f1e51e3f57a2b366 Mon Sep 17 00:00:00 2001
From: peg
Date: Tue, 16 Dec 2025 16:22:06 +0100
Subject: [PATCH 3/6] Use dcap-tdx not gcp-tdx as attestation type on GCP
---
 .../attested-tls-proxy-client.service.d/gcp-override.conf | 2 +-
 .../attested-tls-proxy-server.service.d/gcp-override.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
index 0a6cb2b0..3cf807a3 100644
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
@@ -2,7 +2,7 @@
 ExecStart=
 ExecStart=/usr/bin/attested-tls-proxy client \
 --listen-addr 127.0.0.1:7937 \
- --client-attestation-type gcp-tdx
+ --client-attestation-type dcap-tdx
 --allowed-remote-attestation-type none \
 --tls-private-key-path var/lib/persistent/operator-api/key.pem \
 --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
index 7256f549..de67beaf 100644
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
@@ -2,7 +2,7 @@
 ExecStart=
 ExecStart=/usr/bin/attested-tls-proxy-server \
 --listen-addr 0.0.0.0:7936 \
- --server-attestation-type gcp-tdx
+ --server-attestation-type dcap-tdx
 --tls-private-key-path var/lib/persistent/operator-api/key.pem \
 --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
 --allowed-remote-attestation-type none \
From b86c6c497284eeaffb5f6d7bd95ea5f77e825376 Mon Sep 17 00:00:00 2001
From: peg
Date: Tue, 16 Dec 2025 16:26:37 +0100
Subject: [PATCH 4/6] Use project-specific build directory
---
 mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
index e932c68b..1e1a0907 100755
--- a/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
+++ b/mkosi.images/buildernet/mkosi.build.d/20-attested-tls-proxy.sh
@@ -4,7 +4,7 @@ set -euo pipefail
 REF=06aafe43335a5d228a3ea2d3b871d15d2d06e855
 CARGO_HOME="$BUILDDIR/.cargo"
 PATH="$BUILDDIR/rust-toolchain/bin:$PATH"
-BUILDDIR="$BUILDDIR/vector"
+BUILDDIR="$BUILDDIR/attested-tls-proxy"
 export CARGO_HOME="$SRCDIR/mkosi.images/buildernet/mkosi.cache/cargo"

 echo "Installing attested-tls-proxy..."
From 8ec153329a514db676fd3720d17eea530dfb5a16 Mon Sep 17 00:00:00 2001
From: peg
Date: Tue, 16 Dec 2025 16:29:21 +0100
Subject: [PATCH 5/6] Omit version numbers from dependencies and put in alphabetical order
---
 mkosi.images/buildernet/mkosi.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mkosi.images/buildernet/mkosi.conf b/mkosi.images/buildernet/mkosi.conf
index 9980e22f..d21dcccb 100644
--- a/mkosi.images/buildernet/mkosi.conf
+++ b/mkosi.images/buildernet/mkosi.conf
@@ -12,6 +12,8 @@ Packages=cryptsetup
 curl
 haproxy
 jq
+ libtss2-esys
+ libtss2-tctildr
 openssh-server
 prometheus-node-exporter
 rclone
@@ -21,8 +23,6 @@ Packages=cryptsetup
 systemd-repart
 systemd-resolved
 tpm2-tools
- libtss2-esys-3.0.2-0t64
- libtss2-tctildr0t64
 BuildPackages=build-essential
 dpkg-dev
 git
From 0cb2c2fe55bfabeacf80310a9d716216bd15b64a Mon Sep 17 00:00:00 2001
From: peg
Date: Wed, 17 Dec 2025 09:30:50 +0100
Subject: [PATCH 6/6] Use separate copy of TLS cert and key for this service
---
 .../attested-tls-proxy-client.service.d/azure-override.conf | 6 +++---
 .../attested-tls-proxy-server.service.d/azure-override.conf | 5 +++--
 .../attested-tls-proxy-client.service.d/gcp-override.conf | 4 ++--
 .../attested-tls-proxy-server.service.d/gcp-override.conf | 6 +++---
 .../mkosi.extra/etc/acme-le/hooks/post-post-hook.sh | 5 +++++
 .../etc/systemd/system/attested-tls-proxy-client.service | 6 +++---
 .../etc/systemd/system/attested-tls-proxy-server.service | 4 ++--
 7 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
index f7108199..00f0c243 100644
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/azure-override.conf
@@ -11,7 +11,7 @@ ExecStart=
 ExecStart=/usr/bin/attested-tls-proxy client \
 --listen-addr 127.0.0.1:7937 \
 --client-attestation-type azure-tdx \
- --allowed-remote-attestation-type none
- --tls-private-key-path var/lib/persistent/operator-api/key.pem \
- --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
 ${BUILDERNET_BUILDERHUB_URL}
diff --git a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
index 059ca495..02ef9a70 100644
--- a/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
+++ b/mkosi.images/buildernet-azure/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/azure-override.conf
@@ -3,6 +3,7 @@ ExecStart=
 ExecStart=/usr/bin/attested-tls-proxy server \
 --listen-addr 0.0.0.0:7936 \
 --server-attestation-type azure-tdx \
- --tls-private-key-path var/lib/persistent/operator-api/key.pem \
- --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
 127.0.0.1:14727
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
index 3cf807a3..8c180970 100644
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service.d/gcp-override.conf
@@ -4,8 +4,8 @@ ExecStart=/usr/bin/attested-tls-proxy client \
 --listen-addr 127.0.0.1:7937 \
 --client-attestation-type dcap-tdx
 --allowed-remote-attestation-type none \
- --tls-private-key-path var/lib/persistent/operator-api/key.pem \
- --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
 ${BUILDERNET_BUILDERHUB_URL} \
 SupplementaryGroups=
 ProtectSystem=strict
diff --git a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
index de67beaf..643555bd 100644
--- a/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
+++ b/mkosi.images/buildernet-gcp/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service.d/gcp-override.conf
@@ -2,10 +2,10 @@
 ExecStart=
 ExecStart=/usr/bin/attested-tls-proxy-server \
 --listen-addr 0.0.0.0:7936 \
- --server-attestation-type dcap-tdx
- --tls-private-key-path var/lib/persistent/operator-api/key.pem \
- --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --server-attestation-type dcap-tdx \
 --allowed-remote-attestation-type none \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
 127.0.0.1:14727
 SupplementaryGroups=
 ProtectSystem=strict
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh b/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
index 22de01f4..4f400d67 100755
--- a/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
+++ b/mkosi.images/buildernet/mkosi.extra/etc/acme-le/hooks/post-post-hook.sh
@@ -10,3 +10,8 @@ ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/operator-api/c
 chmod 660 /var/lib/persistent/haproxy/certs/*.pem
 chown haproxy:haproxy /var/lib/persistent/haproxy/certs/*.pem
 systemctl reload haproxy.service
+
+# Copy the certificate and private key for use by attested-tls-proxy
+install -D -m 600 --owner=attested-tls-proxy --group=attested-tls-proxy \
+ "$PRIV_KEY" /var/lib/persistent/attested-tls-proxy/key.pem
+ln -fsr "$(dirname $CERT_PATH)/fullchain.cer" /var/lib/persistent/attested-tls-proxy/cert.pem
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
index f50839fb..a37ca53e 100644
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-client.service
@@ -10,10 +10,10 @@ DynamicUser=yes
 SupplementaryGroups=tss
 Environment=BUILDERNET_BUILDERHUB_URL=__BUILDERNET_BUILDERHUB_URL
 ExecStart=/usr/bin/attested-tls-proxy client \
- --listen-addr=127.0.0.1:7937 \
+ --listen-addr 127.0.0.1:7937 \
 --allowed-remote-attestation-type none \
- --tls-private-key-path var/lib/persistent/operator-api/key.pem \
- --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
 --client-attestation-type auto \
 ${BUILDERNET_BUILDERHUB_URL}
 Restart=on-failure
diff --git a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
index 76d9cded..c425445c 100644
--- a/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
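Review bot: `install -D -m 600 --owner=attested-tls-proxy --group=attested-tls-proxy` requires a static `attested-tls-proxy` account, but the two units that read `key.pem` run with `DynamicUser=yes`, which allocates transient users named after the unit (`attested-tls-proxy-client`, `attested-tls-proxy-server`), and nothing in this series creates the static account. If it does not exist, `install` fails and, if the hook runs under `set -e` (its header is outside the hunk), the `ln -fsr` for `cert.pem` never runs; if it does exist, a 0600 file owned by it is still unreadable by the dynamic users, so the proxies cannot load their TLS identity either way. Resolve this in one of two consistent ways: create the account (e.g. via a sysusers.d fragment) and replace `DynamicUser=yes` with `User=attested-tls-proxy` in both units, or keep `DynamicUser=yes` and install the key as `-m 640 --owner=root --group=<group the units join via SupplementaryGroups=>`. The symlinked `cert.pem` resolves back into the acme-le directory, so that directory's permissions must also allow the service user to read `fullchain.cer`.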
+++ b/mkosi.images/buildernet/mkosi.extra/etc/systemd/system/attested-tls-proxy-server.service
@@ -11,8 +11,8 @@ ExecStart=/usr/bin/attested-tls-proxy server \
 --listen-addr 0.0.0.0:7936 \
 --allowed-remote-attestation-type none \
 --server-attestation-type auto \
- --tls-private-key-path var/lib/persistent/operator-api/key.pem \
- --tls-certificate-path var/lib/persistent/operator-api/cert.pem \
+ --tls-private-key-path %S/persistent/attested-tls-proxy/key.pem \
+ --tls-certificate-path %S/persistent/attested-tls-proxy/cert.pem \
 127.0.0.1:14727
 Restart=on-failure