CVM Image Rewriter
Ruomeng Hao edited this page Mar 27, 2024
The confidential VM guest can be customized as follows:

| Name | Type/Scope | Description |
|---|---|---|
| Launch Identity | Config | MROwner, MRConfig, MROwnerConfig |
| VM Configuration | Config | vCPU, memory, network config |
| Secure Boot Key | OVMF | the PK/DB/KEK for secure boot or Linux MoK |
| Config Variable | OVMF | the configurations in variable |
| Grub | Boot Loader | Grub kernel command, Grub modules |
| initrd | Boot Loader | Customize built-in binaries |
| IMA Policy | OS | Policy loaded via systemd |
| Root File System | OS | RootFS customization |

It is based on the cloud-init framework, and the whole flow is divided into three stages:
- Pre Stage: prepare to run cloud-init. It collects the files for the target image and the meta-data/x-shellscript/user-data that form cloud-init's input.
- Cloud-Init Stage: it runs cloud-init in the following sequence:
  - Generate meta files via `cloud-init make-mime`
  - Generate `ciiso.iso` via `genisoimage`
  - Run cloud-init via `virt-install`
- Post Stage: clean up and run the post check

A plugin is put into the `plugins` directory, with a number as the prefix of its directory name. Plugins are dispatched in number sequence; for example, `99-byebye` is the final one.

A plugin includes several customization approaches:
- File override: all files under `<plugin directory>/files` will be copied into the corresponding directory in the target guest image.
- Pre-stage execution on the host: `<plugin directory>/pre-stage/host_run.sh` will be executed before the cloud-init stage.
- cloud-init customization: put the config yaml in `<plugin directory>/cloud-init/cloud-config`, and put the scripts in `<plugin directory>/cloud-init/x-shellscript`.

Please refer to the sample plugin.
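As an added example, not the project's own run script, the following POSIX shell reproduces the numeric plugin ordering and the `files` override layout described above, and reports guest paths that more than one plugin overrides (the higher-numbered plugin wins silently, which is worth seeing explicitly when reviewing an image build). The plugin names and file contents are constructed.

```shell
#!/bin/sh
# Added example, not the project's own run.sh: it reproduces the numeric
# plugin ordering and the files/ override layout described above, and
# reports guest paths that more than one plugin overrides. Names constructed.

# Print plugin directory names under $1 ordered by their numeric prefix, so
# 2-sshd runs before 10-ima and 99-byebye runs last. Entries without a
# "<number>-" prefix are not plugins and are skipped.
list_plugins() {
    for d in "$1"/*/; do
        d=${d%/}
        case "${d##*/}" in
            [0-9]*-*) printf '%s\n' "${d##*/}" ;;
        esac
    done | sort -t '-' -k 1,1n
}

# Print "<plugin>:<guest path>" for every file under <plugin>/files, the
# path being where the file is copied to in the target guest image.
plugin_files() {
    [ -d "$1/$2/files" ] || return 0
    (cd "$1/$2/files" && find . -type f | sed "s|^\.|$2:|")
}

# Report guest paths that several plugins override. The higher-numbered
# plugin silently wins, so an image build review should see these listed.
find_override_conflicts() {
    for p in $(list_plugins "$1"); do plugin_files "$1" "$p"; done |
        awk -F: '{ n[$2]++; who[$2] = who[$2] " " $1 }
                 END { for (f in n) if (n[f] > 1) print f ":" who[f] }' | sort
}

# Constructed layout: three plugins plus a stray directory that is not one.
make_sample_plugins() {
    mkdir -p "$1/2-sshd/files/etc/ssh" "$1/10-ima/files/etc/ssh" \
             "$1/99-byebye/files/etc" "$1/notes"
    echo 'PasswordAuthentication no' > "$1/2-sshd/files/etc/ssh/sshd_config"
    echo 'PasswordAuthentication yes' > "$1/10-ima/files/etc/ssh/sshd_config"
    echo 'cvm-guest' > "$1/99-byebye/files/etc/hostname"
}

if [ "${1:-}" = demo ]; then
    root=$(mktemp -d) && make_sample_plugins "$root"
    echo "plugin order:"; list_plugins "$root"
    echo "conflicting overrides:"; find_override_conflicts "$root"
    rm -rf "$root"
fi
```

Run it with `demo` as the only argument to build the constructed tree in a temporary directory and print the order and the conflicting override.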