Fix 21 Go stdlib CVEs and enable supply chain attestations

- Patch sbc-raspberrypi5 overlay to use Go 1.24.13 (fixes 1C/7H/12M/1L CVEs)
- Add ATTESTATION_ARGS (--provenance=true --sbom=true) to all buildx targets
- Override upstream --provenance=false via TARGET_ARGS (last flag wins)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mathias Beaulieu-Duncan 2026-02-13 15:36:13 -05:00
parent 0d3941eb91
commit 5abca73056
2 changed files with 51 additions and 6 deletions


@ -50,6 +50,9 @@ SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git descr
# Build the --system-extension-image flags from the EXTENSIONS list # Build the --system-extension-image flags from the EXTENSIONS list
EXTENSION_FLAGS = $(foreach ext,$(EXTENSIONS),--system-extension-image=$(ext)) EXTENSION_FLAGS = $(foreach ext,$(EXTENSIONS),--system-extension-image=$(ext))
# Supply chain attestation flags (overrides upstream --provenance=false)
ATTESTATION_ARGS = --provenance=true --sbom=true
# Common imager flags for overlay and extensions # Common imager flags for overlay and extensions
IMAGER_COMMON_FLAGS = \ IMAGER_COMMON_FLAGS = \
--overlay-name="rpi5" \ --overlay-name="rpi5" \
@ -103,7 +106,7 @@ checkouts-clean:
# #
# Patches # Patches
# #
.PHONY: patches-pkgs patches-talos patches .PHONY: patches-pkgs patches-talos patches-overlay patches
patches-pkgs: patches-pkgs:
cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \ cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
@ -112,7 +115,11 @@ patches-talos:
cd "$(CHECKOUTS_DIRECTORY)/talos" && \ cd "$(CHECKOUTS_DIRECTORY)/talos" && \
git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
patches: patches-pkgs patches-talos patches-overlay:
cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/"*.patch
patches: patches-pkgs patches-talos patches-overlay
# #
# Kernel — build and push the RPi downstream kernel # Kernel — build and push the RPi downstream kernel
@ -121,7 +128,7 @@ patches: patches-pkgs patches-talos
kernel: kernel:
cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \ cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
$(MAKE) docker-kernel \ $(MAKE) docker-kernel \
TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true" \ TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true $(ATTESTATION_ARGS)" \
PLATFORM=linux/arm64 PLATFORM=linux/arm64
# #
@ -138,7 +145,7 @@ overlay:
rm -f "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5/internal/base/pkg.yaml.bak" rm -f "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5/internal/base/pkg.yaml.bak"
cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \ cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
$(MAKE) docker-sbc-raspberrypi5 \ $(MAKE) docker-sbc-raspberrypi5 \
TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true" \ TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true $(ATTESTATION_ARGS)" \
INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 INSTALLER_ARCH=arm64 PLATFORM=linux/arm64
# #
@ -160,13 +167,13 @@ installer:
PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \ PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \ INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
target-imager \ target-imager \
TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true" && \ TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
$(MAKE) \ $(MAKE) \
REGISTRY=$(REGISTRY) USERNAME=$(REGISTRY_USERNAME) \ REGISTRY=$(REGISTRY) USERNAME=$(REGISTRY_USERNAME) \
PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \ PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \ INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
target-installer-base \ target-installer-base \
TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true" && \ TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \ docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \
docker run --rm -t -v ./_out:/out --privileged --network=host \ docker run --rm -t -v ./_out:/out --privileged --network=host \
$(IMAGER_IMAGE):$(TALOS_TAG) \ $(IMAGER_IMAGE):$(TALOS_TAG) \
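Review bot: Appending `$(ATTESTATION_ARGS)` to `TARGET_ARGS` in the kernel, overlay, imager and installer-base recipes overrides upstream's `--provenance=false` only as long as the upstream Makefiles expand `$(TARGET_ARGS)` after that flag; an upstream bump that reorders its buildx flags would silently drop provenance while this build stays green. Because the pushed images are what consumers verify, consider asserting the attestation after each push so a regression fails the recipe, e.g. `docker buildx imagetools inspect "$(KERNEL_IMAGE):$(PKGS_TAG)" --format '{{json .Provenance}}' | grep -q SLSA` (or an equivalent check against the inspect output you observe), mirrored for the overlay, imager and installer-base images. `ATTESTATION_ARGS` in the first hunk should be simply expanded and should name this ordering assumption: `ATTESTATION_ARGS := --provenance=true --sbom=true  # relies on upstream placing $(TARGET_ARGS) after --provenance=false`. The installer recipe in the last hunk starts and ends outside the hunk.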


@ -0,0 +1,38 @@
From 69f14c84e9e458dcff24905145cac8557c0e2965 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
Date: Fri, 13 Feb 2026 15:25:26 -0500
Subject: [PATCH] Bump Go toolchain to 1.24.13 to fix stdlib CVEs
---
go.work | 4 +++-
installers/rpi5/src/go.mod | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/go.work b/go.work
index f4dafe7..798ea43 100644
--- a/go.work
+++ b/go.work
@@ -1,3 +1,5 @@
-go 1.24.0
+go 1.24.13
+
+toolchain go1.24.13
use ./installers/rpi5/src
diff --git a/installers/rpi5/src/go.mod b/installers/rpi5/src/go.mod
index 50b72d5..af5f5f8 100644
--- a/installers/rpi5/src/go.mod
+++ b/installers/rpi5/src/go.mod
@@ -1,6 +1,8 @@
module rpi_generic
-go 1.24.0
+go 1.24.13
+
+toolchain go1.24.13
require (
github.com/siderolabs/go-copy v0.1.0
--
2.50.1 (Apple Git-155)
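Review bot: The `toolchain go1.24.13` directive added to go.work and go.mod only changes which toolchain the `go` command selects; whether the overlay is actually compiled with 1.24.13 depends on the upstream builder image's Go version and its GOTOOLCHAIN setting, neither of which this patch touches. If the builder's Go is older and GOTOOLCHAIN permits it, the image build now downloads a toolchain at build time (a new network dependency for the build); with GOTOOLCHAIN=local it fails outright, and only when the base image already ships 1.24.13 is the directive a no-op. Since the commit title claims the CVEs are fixed, the pipeline should confirm the toolchain embedded in the shipped artefact, e.g. `go version -m <installer binary>` on the built output, and the patch description should state which of these three cases is expected so the next upstream bump does not silently change it.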