Switch to authorized keys for image login

Makefile

@@ -5,6 +5,7 @@ SHELL := /usr/bin/env bash
 WRAPPER := scripts/env_wrapper.sh
 
 FILE ?= build/latest.efi
+SERIAL_CONSOLE ?= false
 
 ##@ Help
 
@@ -43,8 +44,9 @@ build: setup ## Build the specified module
 	$(WRAPPER) mkosi --force --image-id $(IMAGE) --include=images/$(IMAGE).conf
 
 # Build module with devtools profile
+build-dev: SERIAL_CONSOLE_PROFILE := $(if $(filter true,$(SERIAL_CONSOLE)),serial-console,)
 build-dev: setup ## Build module with development tools
-	$(WRAPPER) mkosi --force --image-id $(IMAGE)-dev --profile=devtools --include=images/$(IMAGE).conf
+	$(WRAPPER) mkosi --force --image-id $(IMAGE)-dev --profile=devtools,$(SERIAL_CONSOLE_PROFILE) --include=images/$(IMAGE).conf
 
 ##@ Utilities
 

README.md

@@ -47,10 +47,17 @@ make build IMAGE=l2-builder
 # Build with development tools
 make build-dev IMAGE=flashbox-l1
 
+# Build dev image with serial console + password auth enabled
+make build-dev IMAGE=flashbox-l1 SERIAL_CONSOLE=true
+
 # View all available targets
 make help
 ```
 
+#### Serial console
+
+Pass `SERIAL_CONSOLE=true` to enable the serial console service and password authentication. This also sets a fixed root password (`dqSPjo4p`) for SSH login, so only use this for local development/debugging.
+
 ### Measuring TDX Boot Process
 
 **Export TDX measurements** for the built image:

images/l2-op-rbuilder-bproxy.conf

@@ -9,6 +9,4 @@ Include=shared/mkosi.conf
 Include=modules/l2/_common/mkosi.conf
 Include=modules/l2/_gcp/mkosi.conf
 Include=modules/l2/_devtools_users/mkosi.conf
-Include=modules/l2/_devtools_no_console/mkosi.conf
-Include=modules/l2/_devtools_no_root_login/mkosi.conf
 Include=modules/l2/op-rbuilder-bproxy/mkosi.conf

images/l2-op-rbuilder.conf

@@ -9,6 +9,4 @@ Include=shared/mkosi.conf
 Include=modules/l2/_common/mkosi.conf
 Include=modules/l2/_gcp/mkosi.conf
 Include=modules/l2/_devtools_users/mkosi.conf
-Include=modules/l2/_devtools_no_console/mkosi.conf
-Include=modules/l2/_devtools_no_root_login/mkosi.conf
 Include=modules/l2/op-rbuilder/mkosi.conf

images/l2-simulator.conf

@@ -9,6 +9,4 @@ Include=shared/mkosi.conf
 Include=modules/l2/_common/mkosi.conf
 Include=modules/l2/_gcp/mkosi.conf
 Include=modules/l2/_devtools_users/mkosi.conf
-Include=modules/l2/_devtools_no_console/mkosi.conf
-Include=modules/l2/_devtools_no_root_login/mkosi.conf
 Include=modules/l2/simulator/mkosi.conf

mkosi.profiles/devtools/mkosi.conf

@@ -1,6 +1,5 @@
 [Content]
-ExtraTrees=mkosi.extra
-           custom
+ExtraTrees=custom
 PostInstallationScripts=custom.postinst.d/*.sh
 
 Packages=adjtimex

mkosi.profiles/devtools/mkosi.postinst

@@ -2,16 +2,6 @@
 
 set -euxo pipefail
 
-# Enable console service
-mkosi-chroot systemctl unmask serial-console.service
-mkosi-chroot systemctl add-wants minimal.target serial-console.service
-
-# Deterministically set root password
-PASSWORD="dqSPjo4p"
-HASH=$(mkosi-chroot openssl passwd -6 -salt salt "$PASSWORD")
-mkosi-chroot passwd -u root
-mkosi-chroot usermod -p "$HASH" root
-
 # Remove git files in custom/ folder
 mkosi-chroot rm /.gitignore /.gitkeep || true
 
@@ -20,7 +10,6 @@ if [ -f "$BUILDROOT/etc/default/dropbear" ]; then
     sed -i '/^DROPBEAR_EXTRA_ARGS=/s/-[swg] \?//g' "$BUILDROOT/etc/default/dropbear"
 else
     echo "PermitRootLogin yes" >> "$BUILDROOT/etc/ssh/sshd_config"
-    echo "PasswordAuthentication yes" >> "$BUILDROOT/etc/ssh/sshd_config"
     mkosi-chroot systemctl unmask ssh.service ssh.socket systemd-user-sessions.service
     mkosi-chroot systemctl add-wants minimal.target ssh.service systemd-user-sessions.service
 fi

mkosi.profiles/serial-console/mkosi.conf

@@ -0,0 +1,2 @@
+[Content]
+ExtraTrees=serial-console.service:/usr/lib/systemd/system/serial-console.service

mkosi.profiles/serial-console/mkosi.postinst

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+# Enable console service
+mkosi-chroot systemctl unmask serial-console.service
+mkosi-chroot systemctl add-wants minimal.target serial-console.service
+
+# Deterministically set root password
+PASSWORD="dqSPjo4p"
+HASH=$(mkosi-chroot openssl passwd -6 -salt salt "$PASSWORD")
+mkosi-chroot passwd -u root
+mkosi-chroot usermod -p "$HASH" root
+
+# Allow login by password
+echo "PasswordAuthentication yes" >> "$BUILDROOT/etc/ssh/sshd_config"