merge main into trunk/l2

.github/workflows/build.yaml

@@ -0,0 +1,130 @@
+# GitHub Actions workflow for building mkosi images using Nix.
+#
+# Triggers on:
+# - Pushes to main branch: Builds all images (bob-l1, bob-l2) in parallel
+#
+# - Manual dispatch: Allows specifying:
+#   - Branch to build from (default: main)
+#   - Images to build (default: bob-l1)
+#     - "all" → builds bob-l1 and bob-l2
+#     - "bob-l1" → builds only bob-l1
+#     - "bob-l2" → builds only bob-l2
+#     - "bob-l1,bob-l2" → builds both
+
+name: Build mkosi images
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to build'
+        required: false
+        default: 'main'
+        type: string
+      images:
+        description: 'Images to build (comma-separated: bob-l1,bob-l2 or "all")'
+        required: false
+        default: 'bob-l1'
+        type: string
+
+jobs:
+  validate:
+      runs-on: ubuntu-latest
+      outputs:
+        matrix: ${{ steps.set-matrix.outputs.matrix }}
+      steps:
+        - name: Validate images
+          id: set-matrix
+          shell: python3 {0}
+          env:
+            EVENT_NAME: ${{ github.event_name }}
+            INPUT_IMAGES: ${{ inputs.images }}
+          run: |
+            import json
+            import os
+            import sys
+
+            VALID_IMAGES = ["bob-l1", "bob-l2"]
+
+            event = os.environ["EVENT_NAME"]
+            requested = os.environ.get("INPUT_IMAGES", "all").strip()
+
+            if event == "workflow_dispatch" and requested != "all":
+                images = [img.strip() for img in requested.split(",") if img.strip()]
+                invalid = [img for img in images if img not in VALID_IMAGES]
+
+                if invalid:
+                    print(f"❌ Error: Invalid image(s): {', '.join(invalid)}")
+                    print(f"Valid images are: {', '.join(VALID_IMAGES)}")
+                    sys.exit(1)
+            else:
+                images = VALID_IMAGES
+
+            matrix = json.dumps(images)
+            with open(os.environ["GITHUB_OUTPUT"], "a") as f:
+                f.write(f"matrix={matrix}\n")
+
+            print(f"✓ Building images: {matrix}")
+
+  build:
+    needs: validate
+    strategy:
+      fail-fast: false
+      matrix:
+        image: ${{ fromJSON(needs.validate.outputs.matrix) }}
+
+    name: build ${{ matrix.image }} image
+    runs-on: warp-ubuntu-latest-x64-32x
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.branch || github.ref }}
+
+      - name: Install tools
+        run: |
+          sudo apt-get update && sudo apt-get install -y debian-archive-keyring
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Enable user namespaces
+        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
+      - name: Build ${{ matrix.image }} image
+        run: |
+          umask 022
+          nix develop --command mkosi --force -I ${{ matrix.image }}.conf --image-id=${{ matrix.image }}
+
+      - name: Fix permissions
+        run: |
+            sudo chown -R $(id -u):$(id -g) build/
+
+      - name: Show build artifacts
+        run: |
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo "📦 Image: ${{ matrix.image }}"
+          echo "🔖 Commit: ${{ github.sha }}"
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+          if [ -d "build" ]; then
+            echo ""
+            # Show only filename and size for matching files
+            ls -lh build/ | grep -E "${{ matrix.image }}" | awk '{print $9, "(" $5 ")"}'
+          else
+            echo "⚠️  Build directory not found"
+          fi
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd build/
+          TIMESTAMP=$(git show -s --format=%ct HEAD)
+          SHORT_SHA="${GITHUB_SHA::8}"
+          CHECKSUM_FILE="${{ matrix.image }}_${TIMESTAMP}_${SHORT_SHA}.sha256"
+          sha256sum ${{ matrix.image }}_* > "$CHECKSUM_FILE"
+          cat "$CHECKSUM_FILE"

.gitignore

@@ -1,4 +1,5 @@
 build/
+build.*/
 mkosi/
 env.json
 mkosi.packages/
@@ -8,4 +9,7 @@ mkosi.builddir/
 .claudesync/
 .claudeignore
 tmp/
+.temp
 NvVars
+.vscode
+.bypass-lima

DEVELOPMENT.md

@@ -15,6 +15,7 @@ This comprehensive guide covers everything you need to know about developing wit
 - [Freezing to Debian Archive Snapshots](#freezing-to-debian-archive-snapshots)
 - [Testing for Reproducibility](#testing-for-reproducibility)
 - [Creating Debian Packages](#creating-debian-packages)
+- [Custom Developer Files](#custom-developer-files)
 - [Debugging and Troubleshooting](#debugging-and-troubleshooting)
 
 ## Project Structure
@@ -27,6 +28,7 @@ flashboxes/
 │   └── debloat*.sh         # System cleanup scripts
 ├── bob-common/             # TEE Searcher common image
 ├── bob-l1/                 # L1 TEE Searcher sandbox image
+├── bob-l2/                 # L2 TEE Searcher sandbox image
 ├── buildernet/             # BuilderNet
 ├── tdx-dummy/              # TDX test environment
 ├── kernel/                 # Kernel configuration
@@ -275,8 +277,8 @@ systemd services are the primary way to run applications in Flashboxes. Here's h
 ```ini
 [Unit]
 Description=My Application
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 Type=simple
@@ -353,8 +355,8 @@ Conflicts=apache2.service
 ```ini
 [Unit]
 # Network is available
-After=network.target network-setup.service
-Requires=network-setup.service
+After=network-online.target
+Wants=network-online.target
 
 # Persistent storage is mounted
 After=persistent-mount.service
@@ -364,24 +366,14 @@ Requires=persistent-mount.service
 After=basic.target
 ```
 
-### Enabling Services
+### Enabling Packaged Services
 
-**In `mkosi.postinst` script**:
-```bash
-#!/bin/bash
-set -euxo pipefail
-
-# Enable service
-mkosi-chroot systemctl enable myapp.service
+To enable a service installed with a Debian package, add the following to your `mkosi.postinst` script:
 
-# Create symlink for minimal.target
-mkdir -p "$BUILDROOT/etc/systemd/system/minimal.target.wants"
-ln -sf "/etc/systemd/system/myapp.service" \
-    "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+```bash
+mkosi-chroot systemctl add-wants minimal.target myapp.service
 ```
 
-For comprehensive systemd options, see: [systemd Service Documentation](https://www.freedesktop.org/software/systemd/man/systemd.service.html)
-
 ## Extending Built-in systemd Services
 
 Sometimes you need to modify existing systemd services rather than creating new ones.
@@ -542,8 +534,7 @@ chown myapp:myapp /etc/myapp/config.conf
 chmod 600 /etc/myapp/config.conf
 
 # Enable systemd service
-systemctl enable myapp.service || true
-systemctl start myapp.service || true
+mkosi-chroot systemctl add-wants minimal.target myapp.service || true
 
 exit 0
 ```
@@ -635,6 +626,30 @@ For systems without systemd v250+ or where Nix installation isn't feasible, you
    > Replace "btrfs" with your chosen storage driver
 5. Run the desired `mkosi` command inside the shell Podman environment
 
+## Custom Developer Files
+
+When building with the `devtools` profile, you can add your own custom files to the image without committing them to git. This is useful for adding personal SSH keys, configuration files, or debugging tools during development.
+
+### Adding Custom Files
+
+Place files in `mkosi.profiles/devtools/custom/` mirroring the filesystem structure you want:
+
+```bash
+# Add your SSH authorized keys
+mkdir -p mkosi.profiles/devtools/custom/root/.ssh
+cp ~/.ssh/id_rsa.pub mkosi.profiles/devtools/custom/root/.ssh/authorized_keys
+
+# Add a custom configuration file
+mkdir -p mkosi.profiles/devtools/custom/etc
+echo "my_setting=value" > mkosi.profiles/devtools/custom/etc/myconfig.conf
+
+# Add a debugging script
+mkdir -p mkosi.profiles/devtools/custom/usr/local/bin
+cp my-debug-script.sh mkosi.profiles/devtools/custom/usr/local/bin/
+```
+
+Files placed here will be copied into the image (like any other `ExtraTrees` directory) but will be ignored by git, so they won't be accidentally committed.
+
 ## Debugging and Troubleshooting
 
 ### mkosi Debugging

Makefile

@@ -1,7 +1,7 @@
 .DEFAULT_GOAL := help
 
 VERSION := $(shell git describe --tags --always --dirty="-dev")
-SHELL := /bin/bash
+SHELL := /usr/bin/env bash
 WRAPPER := scripts/env_wrapper.sh
 
 ##@ Help
@@ -24,50 +24,41 @@ ifndef IMAGE
 	$(error IMAGE is not set. Please specify IMAGE=<image> when running make build or make build-dev)
 endif
 
-.PHONY: all build build-dev setup measure clean check-perms check-module
+.PHONY: all build build-dev setup measure clean check-module
 
 # Default target
 all: build
 
-# Ensure repo was cloned with correct permissions
-check-perms: ## Check repository permissions
-	@scripts/check_perms.sh
-
 # Setup dependencies (Linux only)
 setup: ## Install dependencies (Linux only)
 	@scripts/setup_deps.sh
 
 # Build module
-build: check-perms setup ## Build the specified module
-	$(WRAPPER) mkosi --force -I $(IMAGE).conf
+build: setup ## Build the specified module
+	$(WRAPPER) mkosi --force --image-id $(IMAGE) --include=$(IMAGE).conf
 
 # Build module with devtools profile
-build-dev: check-perms setup ## Build module with development tools
-	$(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf
+build-dev: setup ## Build module with development tools
+	$(WRAPPER) mkosi --force --image-id $(IMAGE)-dev --profile=devtools --include=$(IMAGE).conf
 
 ##@ Utilities
 
 measure: ## Export TDX measurements for the built EFI file
-	@if [ ! -f build/tdx-debian.efi ]; then \
-		echo "Error: build/tdx-debian.efi not found. Run 'make build' first."; \
-		exit 1; \
-	fi
-	@$(WRAPPER) measured-boot build/tdx-debian.efi build/measurements.json --direct-uki
+	@$(WRAPPER) measured-boot $(FILE) build/measurements.json --direct-uki
 	echo "Measurements exported to build/measurements.json"
 
 measure-gcp: ## Export TDX measurements for GCP
-	@if [ ! -f build/tdx-debian.efi ]; then \
-		echo "Error: build/tdx-debian.efi not found. Run 'make build' first."; \
-		exit 1; \
-	fi
-	@$(WRAPPER) dstack-mr -uki build/tdx-debian.efi -json > build/gcp_measurements.json
+	@$(WRAPPER) dstack-mr -uki $(FILE) -json > build/gcp_measurements.json
 	echo "GCP Measurements exported to build/gcp_measurements.json"
 
 # Clean build artifacts
 clean: ## Remove cache and build artifacts
 	rm -rf build/ mkosi.builddir/ mkosi.cache/ lima-nix/
-	@if command -v limactl >/dev/null 2>&1 && limactl list | grep -q '^tee-builder'; then \
-		echo "Stopping and deleting lima VM 'tee-builder'..."; \
-		limactl stop tee-builder || true; \
-		limactl delete tee-builder || true; \
+	@REPO_DIR="$$(pwd)"; \
+	REPO_HASH="$$(echo -n "$$REPO_DIR" | sha256sum | cut -c1-8)"; \
+	LIMA_VM="tee-builder-$$REPO_HASH"; \
+	if command -v limactl >/dev/null 2>&1 && limactl list | grep -q "^$$LIMA_VM"; then \
+		echo "Stopping and deleting Lima VM '$$LIMA_VM'..."; \
+		limactl stop "$$LIMA_VM" || true; \
+		limactl delete "$$LIMA_VM" || true; \
 	fi