Fix 21 Go stdlib CVEs and enable supply chain attestations
- Patch sbc-raspberrypi5 overlay to use Go 1.24.13 (fixes 1C/7H/12M/1L CVEs) - Add ATTESTATION_ARGS (--provenance=true --sbom=true) to all buildx targets - Override upstream --provenance=false via TARGET_ARGS (last flag wins) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
0d3941eb91
commit
5abca73056
19
Makefile
19
Makefile
@ -50,6 +50,9 @@ SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git descr
|
||||
# Build the --system-extension-image flags from the EXTENSIONS list
|
||||
EXTENSION_FLAGS = $(foreach ext,$(EXTENSIONS),--system-extension-image=$(ext))
|
||||
|
||||
# Supply chain attestation flags (overrides upstream --provenance=false)
|
||||
ATTESTATION_ARGS = --provenance=true --sbom=true
|
||||
|
||||
# Common imager flags for overlay and extensions
|
||||
IMAGER_COMMON_FLAGS = \
|
||||
--overlay-name="rpi5" \
|
||||
@ -103,7 +106,7 @@ checkouts-clean:
|
||||
#
|
||||
# Patches
|
||||
#
|
||||
.PHONY: patches-pkgs patches-talos patches
|
||||
.PHONY: patches-pkgs patches-talos patches-overlay patches
|
||||
patches-pkgs:
|
||||
cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
|
||||
git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
|
||||
@ -112,7 +115,11 @@ patches-talos:
|
||||
cd "$(CHECKOUTS_DIRECTORY)/talos" && \
|
||||
git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
|
||||
|
||||
patches: patches-pkgs patches-talos
|
||||
patches-overlay:
|
||||
cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
|
||||
git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/"*.patch
|
||||
|
||||
patches: patches-pkgs patches-talos patches-overlay
|
||||
|
||||
#
|
||||
# Kernel — build and push the RPi downstream kernel
|
||||
@ -121,7 +128,7 @@ patches: patches-pkgs patches-talos
|
||||
kernel:
|
||||
cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
|
||||
$(MAKE) docker-kernel \
|
||||
TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true" \
|
||||
TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true $(ATTESTATION_ARGS)" \
|
||||
PLATFORM=linux/arm64
|
||||
|
||||
#
|
||||
@ -138,7 +145,7 @@ overlay:
|
||||
rm -f "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5/internal/base/pkg.yaml.bak"
|
||||
cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
|
||||
$(MAKE) docker-sbc-raspberrypi5 \
|
||||
TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true" \
|
||||
TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true $(ATTESTATION_ARGS)" \
|
||||
INSTALLER_ARCH=arm64 PLATFORM=linux/arm64
|
||||
|
||||
#
|
||||
@ -160,13 +167,13 @@ installer:
|
||||
PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
|
||||
INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
|
||||
target-imager \
|
||||
TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true" && \
|
||||
TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
|
||||
$(MAKE) \
|
||||
REGISTRY=$(REGISTRY) USERNAME=$(REGISTRY_USERNAME) \
|
||||
PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
|
||||
INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
|
||||
target-installer-base \
|
||||
TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true" && \
|
||||
TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
|
||||
docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \
|
||||
docker run --rm -t -v ./_out:/out --privileged --network=host \
|
||||
$(IMAGER_IMAGE):$(TALOS_TAG) \
|
||||
|
||||
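Review bot: The attestation override in the kernel, overlay and installer recipes only works while upstream expands $(TARGET_ARGS) after its own --provenance=false, so a future upstream reorder would silently drop provenance and SBOM with no build failure; nothing in these hunks detects that. Since each recipe pushes the image itself, a cheap post-push check makes the regression visible, e.g. after the kernel push `docker buildx imagetools inspect $(KERNEL_IMAGE):$(PKGS_TAG) --format '{{json .Provenance}}'` and failing the recipe if that prints nothing or `null` (likewise for the overlay and installer images; the installer recipe continues past the hunk). I believe `--provenance=true` is buildx's minimal mode, so if the attestation is meant to be consumed by an admission or verification policy, `--provenance=mode=max` records more build context — worth confirming against what the consumer expects. The ATTESTATION_ARGS comment could also record the ordering assumption: `# Must come last in TARGET_ARGS so it wins over upstream's --provenance=false; check with imagetools inspect after push`.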
@ -0,0 +1,38 @@
|
||||
From 69f14c84e9e458dcff24905145cac8557c0e2965 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
|
||||
Date: Fri, 13 Feb 2026 15:25:26 -0500
|
||||
Subject: [PATCH] Bump Go toolchain to 1.24.13 to fix stdlib CVEs
|
||||
|
||||
---
|
||||
go.work | 4 +++-
|
||||
installers/rpi5/src/go.mod | 4 +++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/go.work b/go.work
|
||||
index f4dafe7..798ea43 100644
|
||||
--- a/go.work
|
||||
+++ b/go.work
|
||||
@@ -1,3 +1,5 @@
|
||||
-go 1.24.0
|
||||
+go 1.24.13
|
||||
+
|
||||
+toolchain go1.24.13
|
||||
|
||||
use ./installers/rpi5/src
|
||||
diff --git a/installers/rpi5/src/go.mod b/installers/rpi5/src/go.mod
|
||||
index 50b72d5..af5f5f8 100644
|
||||
--- a/installers/rpi5/src/go.mod
|
||||
+++ b/installers/rpi5/src/go.mod
|
||||
@@ -1,6 +1,8 @@
|
||||
module rpi_generic
|
||||
|
||||
-go 1.24.0
|
||||
+go 1.24.13
|
||||
+
|
||||
+toolchain go1.24.13
|
||||
|
||||
require (
|
||||
github.com/siderolabs/go-copy v0.1.0
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||