From e3777123195b4d27b7938dffebbd34f36840c62c Mon Sep 17 00:00:00 2001 From: Olivia Crain Date: Mon, 23 Jan 2023 11:05:31 -0800 Subject: [PATCH] Add ISO image verification instructions (#4667) --- README.md | 36 +++++++++++-------- .../docs/security/iso-image-verification.md | 31 ++++++++++++++++ 2 files changed, 52 insertions(+), 15 deletions(-) create mode 100644 toolkit/docs/security/iso-image-verification.md diff --git a/README.md b/README.md index ecb304fcb0..bd1856b66f 100644 --- a/README.md +++ b/README.md @@ -5,41 +5,47 @@ | 1.0 | [![1.0 Status](https://github.com/microsoft/CBL-Mariner/workflows/Verify%20Quickstart%201.0/badge.svg)](https://github.com/microsoft/CBL-Mariner/actions?query=workflow%3A%22Verify+Quickstart+1.0%22) | | 2.0 | [![2.0 Status](https://github.com/microsoft/CBL-Mariner/workflows/Verify%20Quickstart%202.0/badge.svg)](https://github.com/microsoft/CBL-Mariner/actions?query=workflow%3A%22Verify+Quickstart+2.0%22) | -CBL-Mariner is an internal Linux distribution for Microsoft’s cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and will enhance Microsoft’s ability to stay current on Linux updates. This initiative is part of Microsoft’s increasing investment in a wide range of Linux technologies, such as [SONiC](https://azure.microsoft.com/en-us/blog/sonic-the-networking-switch-software-that-powers-the-microsoft-global-cloud/), [Azure Sphere OS](https://docs.microsoft.com/en-us/azure-sphere/product-overview/what-is-azure-sphere) and [Windows Subsystem for Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/about). CBL-Mariner is being shared publicly as part of Microsoft’s commitment to Open Source and to contribute back to the Linux community. CBL-Mariner does not change our approach or commitment to any existing third-party Linux distribution offerings. +CBL-Mariner is an internal Linux distribution for Microsoft’s cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and will enhance Microsoft’s ability to stay current on Linux updates. This initiative is part of Microsoft’s increasing investment in a wide range of Linux technologies, such as [SONiC](https://azure.microsoft.com/en-us/blog/sonic-the-networking-switch-software-that-powers-the-microsoft-global-cloud/), [Azure Sphere OS](https://docs.microsoft.com/en-us/azure-sphere/product-overview/what-is-azure-sphere) and [Windows Subsystem for Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/about). CBL-Mariner is being shared publicly as part of Microsoft’s commitment to Open Source and to contribute back to the Linux community. CBL-Mariner does not change our approach or commitment to any existing third-party Linux distribution offerings. CBL-Mariner has been engineered with the notion that a small common core set of packages can address the universal needs of first party cloud and edge services while allowing individual teams to layer additional packages on top of the common core to produce images for their workloads. This is made possible by a simple build system that enables: -- **Package Generation:** This produces the desired set of RPM packages from SPEC files and source files. -- **Image Generation:** This produces the desired image artifacts like ISOs or VHDs from a given set of packages. +- **Package Generation:** This produces the desired set of RPM packages from SPEC files and source files. +- **Image Generation:** This produces the desired image artifacts like ISOs or VHDs from a given set of packages. -Whether deployed as a container or a container host, CBL-Mariner consumes limited disk and memory resources. The lightweight characteristics of CBL-Mariner also provides faster boot times and a minimal attack surface. By focusing the features in the core image to just what is needed for our internal cloud customers there are fewer services to load, and fewer attack vectors. +Whether deployed as a container or a container host, CBL-Mariner consumes limited disk and memory resources. The lightweight characteristics of CBL-Mariner also provides faster boot times and a minimal attack surface. By focusing the features in the core image to just what is needed for our internal cloud customers there are fewer services to load, and fewer attack vectors. -When security vulnerabilities arise, CBL-Mariner supports both a package-based update model and an image based update model. Leveraging the common [RPM Package Manager](https://rpm.org/) system, CBL-Mariner makes the latest security patches and fixes available for download with the goal of fast turn-around times. +When security vulnerabilities arise, CBL-Mariner supports both a package-based update model and an image based update model. Leveraging the common [RPM Package Manager](https://rpm.org/) system, CBL-Mariner makes the latest security patches and fixes available for download with the goal of fast turn-around times. + +## Getting Started with CBL-Mariner + +### Build -# Getting Started with CBL-Mariner: -Build Instructions for building CBL-Mariner may be found here: [Toolkit Documentation](./toolkit/README.md). -ISO -You can try CBL-Mariner with the following ISO Image: -- [Mariner 2.0 x86_64 ISO](https://aka.ms/mariner-2.0-x86_64-iso). +### ISO + +You can try CBL-Mariner with the following ISO images: + +- [Mariner 2.0 x86_64 ISO](https://aka.ms/mariner-2.0-x86_64-iso). - [Mariner 1.0 x86_64 ISO](https://aka.ms/mariner-1.0-x86_64-iso). -After downloading the ISO, use these instructions to install and use in a Hyper-V VM. +Before using a downloaded ISO, [verify the checksum and signature of the image](toolkit/docs/security/iso-image-verification.md). + +After downloading the ISO, use [the quickstart instructions](toolkit/docs/quick_start/quickstart.md) to install and use the image in a Hyper-V VM. Note: Support for the ISO is community based. Before filing a new bug or feature request, please search the list of Github Issues. If you are unable to find a matching issue, please report new bugs by clicking [here](https://github.com/microsoft/CBL-Mariner/issues) or create a new feature request by clicking [here](https://github.com/microsoft/CBL-Mariner/issues/new). For additional information refer to the [support.md](https://github.com/microsoft/CBL-Mariner/blob/2.0/SUPPORT.md) file. -# Trademarks +## Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies. -# Acknowledgments +## Acknowledgments Any Linux distribution, including CBL-Mariner, benefits from contributions by the open software community. We gratefully acknowledge all contributions made from the broader open source community, in particular: -1) The [Photon OS Project](https://vmware.github.io/photon/) for SPEC files originating from the Photon distribution. +1) The [Photon OS Project](https://vmware.github.io/photon/) for SPEC files originating from the Photon distribution. -2) [The Fedora Project](https://start.fedoraproject.org/) for SPEC files, particularly with respect to Qt, DNF and content in the SPECS-EXTENDED folder. +2) [The Fedora Project](https://start.fedoraproject.org/) for SPEC files, particularly with respect to Qt, DNF and content in the SPECS-EXTENDED folder. 3) [GNU](https://www.gnu.org/) and the [Free Software Foundation](https://www.fsf.org/) diff --git a/toolkit/docs/security/iso-image-verification.md b/toolkit/docs/security/iso-image-verification.md new file mode 100644 index 0000000000..decfca897e --- /dev/null +++ b/toolkit/docs/security/iso-image-verification.md @@ -0,0 +1,31 @@ +# Verifying pre-built ISO image + +| Release Branch | ISO Image | SHA-256 Checksum File | Checksum Signature | +| -------------- | --------- | --------------------- | ------------------ | +| 1.0 | | | | +| 2.0 | | | | + +Once the ISO image, the checksum, and the checksum signature files are downloaded, it is strongly recommended that the integrity of the image is verified. This is a two-step process. First, ensure that the checksum file has not been tampered with by verifying the signature against Mariner's RPM signing public key. Second, check that the ISO image was not corrupted during the download. The following bash script shows the commands necessary to check both steps: + +```bash +# Assumption: we are in the directory containing the downloaded files +# Replace "1.0" in these variables with the release branch being verified +CHECKSUM_FILE="mariner-1.0-x86_64.iso.sha256" +SIGNATURE_FILE="mariner-1.0-x86_64.iso.sha256.gpg" + +# Download the Mariner RPM signing public key +wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/2.0/SPECS/mariner-repos/MICROSOFT-RPM-GPG-KEY + +# Import the RPM signing public key into the local GPG keystore +gpg --import MICROSOFT-RPM-GPG-KEY + +# Verify that the checksum file was produced by the Mariner team +# The output of this command should contain the following string: +# 'Good signature from "Mariner RPM Release Signing "' +gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE" + +# Verify that the ISO image checksum matches the expected checksum +# We need to fix the line endings on the signature file to get sha256sum to accept it +dos2unix "$SIGNATURE_FILE" +sha256sum --check "$CHECKSUM_FILE" +```