Security: Update QEMU Instructions & Secure UBI8 downloads in dockerf…

…ile (adoptium#3363) * Improve security of http downloads * Update setup-qemu instructions for deb11
sxa · Jan 30, 2024 · 001b17a · 001b17a
1 parent 0835ff7
commit 001b17a
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 26 deletions.
diff --git a/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/DockerStatic/Dockerfiles/Dockerfile.ubi8 b/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/DockerStatic/Dockerfiles/Dockerfile.ubi8
@@ -4,9 +4,22 @@ RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.n
 RUN dnf -y update && dnf install -y perl openssh-server unzip zip wget epel-release
 RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -P ""
 # Install Additional Repos
+# N.B https is not available for centos mirror, so adding independently verified checksum validation for http downloads
 RUN wget 'http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/centos-gpg-keys-8-3.el8.noarch.rpm' -O /tmp/gpgkey.rpm
+ARG GPG_CHECKSUM=79cda0505d8dd88b8277c1af9c55021319a0e516df8d24c893d740eac1d74feb
+RUN ACTUAL_CHECKSUM=$(sha256sum /tmp/gpgkey.rpm | awk '{print $1}') \
+    && if [ "$ACTUAL_CHECKSUM" != "$GPG_CHECKSUM" ]; then \
+           echo "Checksum mismatch! Aborting installation."; \
+           exit 1; \
+       fi
 RUN rpm -i '/tmp/gpgkey.rpm'
 RUN wget 'http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/centos-stream-repos-8-3.el8.noarch.rpm' -O /tmp/centosrepos.rpm
+ARG REPO_CHECKSUM=bd0c7fe3f1f6a08f4658cc0cc9b1c1a91e38f8bf60c3af2ed2ee220523ded269
+RUN ACTUAL_CHECKSUM=$(sha256sum /tmp/centosrepos.rpm | awk '{print $1}') \
+    && if [ "$ACTUAL_CHECKSUM" != "$REPO_CHECKSUM" ]; then \
+           echo "Checksum mismatch! Aborting installation."; \
+           exit 1; \
+       fi
 RUN rpm -i '/tmp/centosrepos.rpm'
 # Get latest jdk17 ga
 RUN wget -q 'https://api.adoptium.net/v3/binary/latest/17/ga/linux/x64/jdk/hotspot/normal/eclipse?project=jdk' -O /tmp/jdk17.tar.gz

diff --git a/docs/Setup-QEMU-Images.md b/docs/Setup-QEMU-Images.md
@@ -143,10 +143,12 @@ qemu-system-aarch64 -nographic -machine virt,gic-version=max -m 512M -cpu max -s
 -drive file=flash0.img,format=raw,if=pflash -drive file=flash1.img,format=raw,if=pflash
 ```
 
-### Debian 8 ARM32
+### Debian / ARM32
 
 This disk image was setup using the instructions [here](https://translatedcode.wordpress.com/2016/11/03/installing-debian-on-qemus-32-bit-arm-virt-board/)
 
+** NB ** Debian 8 Has been deprecated so the instructions have been updated for the current stable Debian build based on the instructions [here:](https://www.willhaley.com/blog/debian-arm-qemu/)
+
 To summarize the instructions in the link:
 
 The packages `qemu-system-arm, libguestfs-tools` and `qemu-utils` are installed.
@@ -155,29 +157,46 @@ The packages `qemu-system-arm, libguestfs-tools` and `qemu-utils` are installed.
 Create an empty disk image
 
 ```bash
-qemu-img create -f qcow2 debian8.arm32 20G
+qemu-img create -f qcow2 debian11.arm32 80G
 ```
 
 `qcow2` is the format of the image.
 
 The instructions recommend using an initrd and a kernel from the Debian website
 
-```bash
-wget -O installer-vmlinuz http://http.us.debian.org/debian/dists/jessie/main/installer-armhf/current/images/netboot/vmlinuz
-wget -O installer-initrd.gz http://http.us.debian.org/debian/dists/jessie/main/installer-armhf/current/images/netboot/initrd.gz
+The initrd and kernel should be downloaded from the following links in a secure fashion, the links below are sample links for the current stable version ( Debian 11 ), but can be updated appropriately for the version being installed.
+
+```
+ftp.us.debian.org/debian/dists/stable/main/installer-armhf/current/images/cdrom/initrd.gz
+ftp.us.debian.org/debian/dists/stable/main/installer-armhf/current/images/cdrom/vmlinuz
+```  
+
+The ISO to be used for installing Debian 11 can be downloaded using:
+
+```
+curl -O -L https://cdimage.debian.org/debian-cd/current/armhf/iso-dvd/debian-11.1.0-armhf-DVD-1.iso
 ```
 
 Then boot up the disk image for the first time and install the OS
 
 ```bash
-qemu-system-arm -M virt -m 2G \
-  -kernel installer-vmlinuz \
-  -initrd installer-initrd.gz \
-  -drive if=none,file=debian8.arm32,format=qcow2,id=hd \
-  -device virtio-blk-device,drive=hd \
-  -netdev user,id=mynet \
-  -device virtio-net-device,netdev=mynet \
-  -nographic -no-reboot
+qemu-system-arm \
+  -m 4G \
+  -machine type=virt \
+  -cpu cortex-a7 \
+  -smp 4 \
+  -initrd "./initrd.gz" \
+  -kernel "./vmlinuz" \
+  -append "console=ttyAMA0" \
+  -drive file="./debian-11.1.0-armhf-DVD-1.iso",id=cdrom,if=none,media=cdrom \
+    -device virtio-scsi-device \
+    -device scsi-cd,drive=cdrom \
+  -drive file="./debian-arm.sda.qcow2",id=hd,if=none,media=disk \
+    -device virtio-scsi-device \
+    -device scsi-hd,drive=hd \
+  -netdev user,id=net0,hostfwd=tcp::5555-:22 \
+    -device virtio-net-device,netdev=net0 \
+  -nographic
 ```
 
 During the installation, you will receive a message complaining about no bootloader installed. Disregard this and continue the installation.
@@ -188,33 +207,47 @@ The installer places the initrd and kernel files onto the disk image in the `/bo
 Using `libguestfs-tools` installed earlier (the VM MUST not be running when using `libguestfs-tools`), we can see inside the `/boot` directory of the disk image.
 
 ```bash
-virt-ls -a debian8.arm32 /boot/
+virt-ls -a debian11.arm32 /boot/
+
+## Note The Names Of These Files May Differ
 
-System.map-3.16.0-4-armmp-lpae
-config-3.16.0-4-armmp-lpae
+System.map-x.x.x-x-armmp-lpae
+configx.x.x-x-armmp-lpae
 initrd.img
-initrd.img-3.16.0-4-armmp-lpae
+initrd.img-x.x.x-x-armmp-lpae
 lost+found
 vmlinuz
-vmlinuz-3.16.0-4-armmp-lpae
+vmlinuz-x.x.x-x-armmp-lpae
 ```
 
 Copy out the appropriate files
 
 ```bash
-virt-copy-out -a debian8.arm32 /boot/vmlinuz-3.16.0-4-armmp-lpae /boot/initrd.img-3.16.0-4-armmp-lpae .
+## Start SSHD On The VM
+chroot /target/ sh -c "mkdir -p /var/run/sshd && /sbin/sshd -D"
+## Use SCP To Copy The Appropriate Files
+scp -P 5555 <your username in the VM>@localhost:/boot/vmlinuz ./vmlinuz-from-guest \
+scp -P 5555 <your username in the VM>@localhost:/boot/initrd.img ./initrd.img-from-guest
+##
+exit
 ```
 
 Finally, boot up the VM
 
 ```bash
-qemu-system-arm -M virt -m 2G \
-  -kernel vmlinuz-3.16.0-4-armmp-lpae \
-  -initrd initrd.img-3.16.0-4-armmp-lpae \
-  -append 'root=/dev/vda2' \
-  -drive if=none,file=debian8.arm32,format=qcow2,id=hd \
-  -device virtio-blk-device,drive=hd \
-  -device virtio-net-device,netdev=mynet -netdev user,id=mynet,hostfwd=tcp::10022-:22 \
+qemu-system-arm \
+  -m 4G \
+  -machine type=virt \
+  -cpu cortex-a7 \
+  -smp 4 \
+  -initrd "./initrd.img-from-guest" \
+  -kernel "./vmlinuz-from-guest" \
+  -append "console=ttyAMA0 root=/dev/sda2" \
+  -drive file="./debian-arm.sda.qcow2",id=hd,if=none,media=disk \
+    -device virtio-scsi-device \
+    -device scsi-hd,drive=hd \
+  -netdev user,id=net0,hostfwd=tcp::5555-:22 \
+    -device virtio-net-device,netdev=net0 \
   -nographic
 ```