Do Secure Boot signing for official builds in a separate additional job #2491
Conversation
It would be great if this followed the convention and also worked when executed sequentially on a single machine like this:

```sh
./build_image
./sbsign_image
./image_to_vm.sh --format=qemu_uefi
```
Lgtm but my vote should count for 0.5 😅
So another maintainer should also review.
The `--extract_update` option used to do exactly that, just extract the USR-A partition for updates and no more. Now it does the same thing as `--generate_update`, except it names the file flatcar_test_update.gz rather than flatcar_production_update.gz. `--generate_update` is never actually used because official update payloads are manually generated with the generate_payload script later on. Resolve this confusion by deduplicating the common code between them. Any update payload produced during this stage of the build is only useful for testing, so change `--generate_update` to always create flatcar_test_update.gz. `--generate_update` now implies `--extract_update` and both are enabled by default.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Debug output was causing a stack smashing error.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

We only want to do the signing in Azure, not the whole image job. This new job downloads the unsigned image, signs it, and replaces it.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We previously did the AKV signing in the image job but temporarily nobbled that code path while we completed the shim review. Now the AKV signing has been split out into a separate job that will only be invoked once changes to the jenkins-os repo have been merged. The only thing we now need to nobble here is copying the signed shim. In the meantime, we copy the unsigned shim instead. Revert this commit once the shim review is complete.
Do SB signing for official builds in a separate additional job
We only want to do the signing in Azure, not the whole image job. This new job downloads the unsigned image, signs it, and replaces it. This new job will only be invoked once flatcar/jenkins-os#354 has been merged.
We had temporarily nobbled the Azure signing codepath, but now the only thing we need to nobble here is copying the signed shim. In the meantime, we copy the unsigned shim instead. We will revert this new temporary commit once the shim review is complete.
This PR also includes a couple of clean ups I made along the way. I have dropped the "modify_image" code, which is completely unused. I could have possibly used it for this new job, but it did more than I needed it to. I have also deduplicated the build_image `--extract_update` and `--generate_update` options because they were just totally confusing as they were.

How to use
Do a Jenkins run using the jenkins-os chewi/sbsign_image branch. You need to "replay" the image job and tweak the `is_official` check to force it to run the new job. You also need to tweak `COREOS_OFFICIAL=0` to `1` in ci-automation/sbsign_image.sh to force the job to sign using AKV rather than the dev key.

Testing done
A Jenkins SDK run was performed and everything passed. I manually tweaked the run as described above to test the new job against AKV. I also grabbed one of the images to check the list of certificates found on vmlinuz-a and grubx64.efi using sbverify.
- changelog/ directory (user-facing change, bug fix, security fix, update) -- N/A
- /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
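A defender-side check for the artifacts this job produces, as an added example that is not code from this PR or from the Flatcar scripts: parse the PE certificate table of an EFI binary such as grubx64.efi or vmlinuz-a and return the embedded Authenticode signatures, which is what `sbverify --list` enumerates; an empty result flags an unsigned binary, such as the unsigned shim this PR temporarily copies. `build_sample_pe` is a hypothetical helper that constructs a minimal PE32+ image so the check can run offline.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData entry


def authenticode_signatures(data: bytes) -> list:
    """Return the PKCS#7 blobs in a PE/EFI binary's certificate table ([] if unsigned)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: 0x60, 0x20B: 0x70}             # data directory offset for PE32 / PE32+
    if magic not in dirs:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = opt + dirs[magic] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    table_off, table_size = struct.unpack_from("<II", data, entry)  # file offset, not an RVA
    sigs, pos, end = [], table_off, table_off + table_size
    while table_off and pos + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            sigs.append(data[pos + 8:pos + length])
        pos += (length + 7) & ~7                  # WIN_CERTIFICATE entries are 8-byte aligned
    return sigs


def build_sample_pe(signatures=()) -> bytes:
    """Construct a minimal PE32+ image (sample data, not a real EFI binary) carrying
    the given blobs as WIN_CERTIFICATE entries; hypothetical helper for this demo."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x2)
    opt = bytearray(0xF0)                          # 112-byte PE32+ header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 0x6C, 16)          # NumberOfRvaAndSizes
    body = hdr + coff + opt
    table = b""
    for sig in signatures:
        entry = struct.pack("<IHH", 8 + len(sig), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + sig
        table += entry + b"\0" * (-len(entry) % 8)
    if table:                                      # point the security directory at the table
        struct.pack_into("<II", body, len(hdr) + len(coff) + 0x70 + 32, len(body), len(table))
    return bytes(body + table)
```

On a real image, read grubx64.efi or vmlinuz-a from the mounted partition and fail the build when the returned list is empty or does not match the expected signer.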