Build From Source

The source build uses Docker for host-side build tools, Buildroot for the target toolchain and userspace, and a staged HyperBEAM checkout for the LapEE devices.

Host Tools

On macOS:

brew install qemu swtpm erlang rebar3 python@3

Install Docker Desktop or another Docker runtime. Linux operators need equivalent packages for Docker, QEMU, swtpm, Erlang, rebar3, Python, and common build tools.

Build Runtime Images

Generate operator signing keys first:

make signing-keys

Build the default signed runtime image:

JOBS="$(sysctl -n hw.ncpu 2>/dev/null || getconf _NPROCESSORS_ONLN)" \
make runtime-image

Output:

build/images/lapee-runtime-tme-signed.img

Build the no-TME variant when the target hardware cannot satisfy the memory encryption gate:

make runtime-image TME=0

Output:

build/images/lapee-runtime-no-tme-signed.img

The no-TME variant still expects TPM-backed attestation. It only changes the memory-encryption gate.

Reference Builds

For release hashes and CI, use reference mode:

make runtime-image REFERENCE=1

Reference mode forces linux/amd64 for the Docker build image. On Apple Silicon this is slower, but it avoids host-architecture-dependent output bytes.

What Gets Built

The release image includes:

  • Linux 6.19.12.
  • Buildroot initramfs.
  • Erlang/OTP 27.
  • OpenSSL, libtss2, wpa_supplicant, iproute2, firmware, and regulatory data.
  • HyperBEAM from the pinned upstream edge commit.
  • LapEE HyperBEAM devices staged from hyperbeam-overlay/.
  • TPM EK root CA bundle for peer verification.
  • A signed UKI at EFI/Boot/BootX64.efi.

Buildroot builds the target toolchain and target userspace. The Docker image provides host-side tools such as parted, mtools, sbsigntool, efitools, Rust, CMake, and Buildroot dependencies.

QEMU Smoke Tests

Boot the same USB image shape that is written to hardware:

make qemu TME=0

The QEMU test uses OVMF and swtpm, forwards guest port 8734 to 127.0.0.1:18734, and succeeds only after it fetches:

~tpm@2.0a/info
~tpm@2.0a/boot-attestation
~system@1.0/all
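The same readiness check, as an added example that is not part of the LapEE build system or of `make qemu`: it polls the forwarded port until all three paths answer and reports whichever are still missing. It assumes plain HTTP on 127.0.0.1:18734 and that HyperBEAM serves each device path directly under the URL root; the paths themselves are the three listed above.

```python
import time
import urllib.error
import urllib.request

# The three fetches `make qemu` waits for before reporting success (from the page).
REQUIRED_PATHS = (
    "~tpm@2.0a/info",
    "~tpm@2.0a/boot-attestation",
    "~system@1.0/all",
)


def smoke_urls(host="127.0.0.1", port=18734, paths=REQUIRED_PATHS):
    """URL per required path; plain-http scheme and root-mounted paths are assumptions."""
    return [f"http://{host}:{port}/{path}" for path in paths]


def fetch_status(url, timeout=5.0):
    """HTTP status for url, or None while the guest is still booting (connection refused)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # the node answered, but not with success
    except (urllib.error.URLError, OSError):
        return None  # nothing listening on the forwarded port yet


def missing_paths(results, paths=REQUIRED_PATHS):
    """Paths whose last observed status was not 200 (results maps path -> status)."""
    return [p for p in paths if results.get(p) != 200]


def wait_for_attestation(host="127.0.0.1", port=18734, deadline_s=600, interval_s=5):
    """Poll until every required path returns 200 or the deadline passes; returns last statuses."""
    results = {}
    stop = time.monotonic() + deadline_s
    while True:
        for path, url in zip(REQUIRED_PATHS, smoke_urls(host, port)):
            results[path] = fetch_status(url)
        if not missing_paths(results) or time.monotonic() >= stop:
            return results
        time.sleep(interval_s)


if __name__ == "__main__":
    final = wait_for_attestation()
    print(final)  # last status per path; None means the port never answered
    raise SystemExit(1 if missing_paths(final) else 0)
```

Run it in a second terminal while `make qemu TME=0` is booting; a non-zero exit means at least one of the attestation endpoints never returned 200 before the deadline.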

Operator config acceptance:

make qemu-operator-config

Green-zone cluster acceptance:

make qemu-green-zone

Write A Built Image

make write-image DEV=/dev/diskN IMAGE=build/images/lapee-runtime-tme-signed.img

The target device is erased.

For a build-and-write flow:

make runtime-write DEV=/dev/diskN