FreeBSD on AWS Graviton (t4g)

Rafal Lukawiecki raf at rafal.net
Fri Jan 1 20:47:17 UTC 2021


> On 1 Jan 2021, at 20:29, Colin Percival <cperciva at tarsnap.com> wrote:
> 
> On 1/1/21 4:33 AM, Rafal Lukawiecki wrote:
>> 
>>>> Oh, and a generic ARM issue: It's not a Tier 1 platform yet, so freebsd-update
>>>> doesn't work and packages aren't always as up-to-date as on x86.  But I think
>>>> those are being worked on...
>> 
>> Colin, would I be able to build an updated RELEASE in the AMI maker before I call mkami? In the days of 11.1 I had to recompile the kernel to use your patch (many thanks!) and so I did something like this:
>> 
>> $ svnlite --non-interactive --trust-server-cert-failures=unknown-ca co https://svn.freebsd.org/base/releng/11.1/ /usr/src/
>> $ make DESTDIR=/mnt kernel -j16
>> 
>> I am not sure what magic is being done by the AMI maker itself to /mnt. I wonder if I could use this approach to build the kernel using the latest patched release of ARM, at least until it moves to Tier 1. Would I need to build the userland, too? Or are the security patches installed by freebsd-update only affecting the kernel?
> 
> You can make any changes you like.  Once you've SSHed into the AMI Builder,
> you're running FreeBSD, you have FreeBSD installed onto the disk, and the
> disk is mounted at /mnt, but those are all independent issues.
> 
> If you wanted you could launch the AMI Builder, unmount /mnt, and then write
> a Linux disk image onto the disk.  (I can't imagine why you would want to,
> of course.  But you're really not limited in what you can do.)

Thanks. I suppose I should have asked a different question, sorry for not being clearer. What is the best way, in your opinion, to create a security-patched ARM AMI? Would this approach do it? I have never tried patching FreeBSD from source since I have always relied on freebsd-update, but since that is not an option on arm64 (yet) I would be grateful for your pointers.

Thank you again, very much.

Rafal
--
Rafal Lukawiecki
Data Scientist
Project Botticelli Ltd


More information about the freebsd-cloud mailing list