Do Secure Boot signing for official builds in a separate additional job #2491

Merged
merged 5 commits into from
Dec 4, 2024

chewi
Contributor

@chewi chewi commented Dec 2, 2024

Do SB signing for official builds in a separate additional job

We only want to do the signing in Azure, not the whole image job. This new job downloads the unsigned image, signs it, and replaces it. This new job will only be invoked once flatcar/jenkins-os#354 has been merged.

We had temporarily nobbled the Azure signing codepath, but now the only thing we need to nobble here is copying the signed shim. In the meantime, we copy the unsigned shim instead. We will revert this new temporary commit once the shim review is complete.

This PR also includes a couple of cleanups I made along the way. I have dropped the "modify_image" code, which is completely unused. I could have possibly used it for this new job, but it did more than I needed it to. I have also deduplicated the build_image --extract_update and --generate_update options because they were just totally confusing as they were.

How to use

Do a Jenkins run using the jenkins-os chewi/sbsign_image branch. You need to "replay" the image job and tweak the is_official check to force it to run the new job. You also need to tweak COREOS_OFFICIAL=0 to 1 in ci-automation/sbsign_image.sh to force the job to sign using AKV rather than the dev key.

Testing done

A Jenkins SDK run was performed and everything passed. I manually tweaked the run as described above to test the new job against AKV. I also grabbed one of the images to check the list of certificates found on vmlinuz-a and grubx64.efi using sbverify.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update) -- N/A
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
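
The certificate check described under "Testing done", as an added example that is not part of this PR or of the Flatcar scripts: it reads `sbverify --list` output for each EFI binary and fails when a file is unsigned or carries only an unexpected signer (for instance the dev key rather than the official one). The subject string and the sample listing are constructed placeholders, and the listing layout is an assumption to confirm against your sbsigntools version.

```shell
#!/bin/sh
# Placeholder subject; replace with the subject of the expected signing certificate.
EXPECTED_SUBJECT="${EXPECTED_SUBJECT:-/CN=EXAMPLE Official Secure Boot Signing}"

# Constructed sample of `sbverify --list` output (not taken from a real image).
SAMPLE_LISTING='signature 1
image signature issuers:
 - /CN=EXAMPLE Official Secure Boot CA
image signature certificates:
 - subject: /CN=EXAMPLE Official Secure Boot Signing
   issuer:  /CN=EXAMPLE Official Secure Boot CA'

# Print one signer certificate subject per line from a listing on stdin.
signer_subjects() {
    sed -n 's/^[[:space:]]*-[[:space:]]*subject:[[:space:]]*//p'
}

# check_listing NAME: listing on stdin. Returns 0 if the expected subject signed
# the image, 1 if no signature was listed, 2 if only other signers were found.
check_listing() {
    name=$1
    subjects=$(signer_subjects)
    if [ -z "$subjects" ]; then
        echo "FAIL $name: no signature listed" >&2
        return 1
    fi
    if printf '%s\n' "$subjects" | grep -Fxq -- "$EXPECTED_SUBJECT"; then
        echo "OK   $name: signed by $EXPECTED_SUBJECT"
        return 0
    fi
    echo "FAIL $name: unexpected signer(s): $subjects" >&2
    return 2
}

# check_images FILE...: list signatures on each EFI binary and check them all.
check_images() {
    rc=0
    for f in "$@"; do
        sbverify --list "$f" 2>/dev/null | check_listing "$f" || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_images "$@"
fi
```

`--list` only enumerates the signatures present; to verify them cryptographically, also run `sbverify --cert <cert.pem> <file>` against the expected certificate.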

@chewi chewi self-assigned this Dec 2, 2024
@chewi chewi requested a review from a team December 2, 2024 12:21
Member

@jepio jepio left a comment

It would be great if this followed the convention and also worked when executed sequentially on a single machine like this:

./build_image
./sbsign_image
./image_to_vm.sh --format=qemu_uefi

@chewi chewi force-pushed the chewi/split-sbsign-job branch from 7b79030 to d5927fb Compare December 2, 2024 16:05
@chewi chewi requested a review from jepio December 2, 2024 16:06
Member

@jepio jepio left a comment

Lgtm but my vote should count for 0.5 😅
So another maintainer should also review.

@chewi chewi requested a review from a team December 3, 2024 13:16
chewi added 5 commits December 3, 2024 16:01
The --extract_update option used to do exactly that, just extract the
USR-A partition for updates and no more. Now it does the same thing as
--generate_update, except it names the file flatcar_test_update.gz
rather than flatcar_production_update.gz. --generate_update is never
actually used because official update payloads are manually generated
with the generate_payload script later on.

Resolve this confusion by deduplicating the common code between them.
Any update payload produced during this stage of the build is only
useful for testing, so change --generate_update to always create
flatcar_test_update.gz. --generate_update now implies --extract_update
and both are enabled by default.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Debug output was causing a stack smashing error.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

We only want to do the signing in Azure, not the whole image job. This
new job downloads the unsigned image, signs it, and replaces it.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

We previously did the AKV signing in the image job but temporarily
nobbled that code path while we completed the shim review.

Now the AKV signing has been split out into a separate job that will
only be invoked once changes to the jenkins-os repo have been merged.
The only thing we now need to nobble here is copying the signed shim. In
the meantime, we copy the unsigned shim instead. Revert this commit once
the shim review is complete.
@chewi chewi force-pushed the chewi/split-sbsign-job branch from d5927fb to e6e3daf Compare December 3, 2024 16:02
@chewi chewi requested a review from krnowak December 3, 2024 16:02
@chewi chewi merged commit 0059a33 into main Dec 4, 2024
1 check failed
@chewi chewi deleted the chewi/split-sbsign-job branch December 4, 2024 10:39