build-iso: better ISO & secureboot signing config

* Jenkins scripts:
- remove POST_ISO_SIGNING job parameter, as ISO signing is controled
  by build.conf, as originally intended.

* build.conf:
- rename SIGN_ISO => SIGN_ISO_FORMAL to better reflect purpose. ISOs
  are always signed, with developer keys (SIGN_ISO_FORMAL=false) or
  the signing server (SIGN_ISO_FORMAL=true).
- add SECUREBOOT_FORMAL - whether to generate secureboot signatures
  using the signing server (true), or not to generate them at all
  (false)

* Added code in job_utils.sh to set the defaults for these new config
  options as necessary, in case the job runs against an older build.conf
  that still has the obsolete BUILD_ISO option.

TESTS
========================
* Make sure SIGN_ISO_FORMAL==true calls "build-image --no-sign"
  followed by "sign_iso_formal.sh"
* Make sure SIGN_ISO_FORMAL==false calls "build-image" not
  followed by "sign_iso_formal.sh" and the dev-key based ISO signature
  gets created
* Make sure SECUREBOOT_FORMAL==true calls calls the secureboot script
* Make sure SECUREBOOT_FORMAL==false does not call the secureboot script
* Test with both the new parameters undefined, but SIGN_ISO defined,
  and make sure they aquire expected defaults

Story: 2010226
Task: 47777

Depends-On: https://review.opendev.org/c/starlingx/root/+/879206
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I928de97fefc70b3062820547d1256c2a3ce106e8
This commit is contained in:
Davlet Panech 2023-03-31 16:35:19 -04:00
parent f4232d02d6
commit 04f9dea597
6 changed files with 88 additions and 32 deletions

View File

@ -163,9 +163,6 @@ pipeline {
booleanParam (
name: 'BUILD_ISO'
)
booleanParam (
name: 'POST_ISO_SIGNING'
)
booleanParam (
name: 'BUILD_RT'
)

View File

@ -43,9 +43,6 @@ pipeline {
booleanParam (
name: 'BUILD_ISO'
)
booleanParam (
name: 'POST_ISO_SIGNING'
)
}
stages {
stage ("build-iso") {
@ -54,7 +51,6 @@ pipeline {
}
}
stage ("sign-iso") {
when { expression { params.POST_ISO_SIGNING } }
steps {
sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
}

View File

@ -14,12 +14,25 @@ require_job_env BUILD_ISO
load_build_env
require_job_env SECUREBOOT_FORMAL
require_job_env SIGN_ISO_FORMAL
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
if [[ -n "$SIGNING_SERVER" ]] ; then
notice "preparing secureboot signatures"
stx_docker_cmd $DRY_RUN_ARG "SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER} PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
if $SECUREBOOT_FORMAL ; then
notice "signing secureboot packages"
[[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
sign_secure_boot_env="SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER}"
stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
fi
build_img_args=
# Job is configured to sign the ISO with official keys.
if $SIGN_ISO_FORMAL ; then
[[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
# Don't sign ISO with developer keys; we will sign it separately
# in sign-iso.sh
build_img_args+=" --no-sign"
fi
notice "building STD ISO"
stx_docker_cmd $DRY_RUN_ARG "build-image"
stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"

View File

@ -182,6 +182,39 @@ __set_build_vars() {
else
PARALLEL=
fi
# Validate & set defaults for ISO & secureboot options
# SIGN_ISO_FORMAL was spelled as SIGN_ISO in the past
if [[ -n "$SIGN_ISO" ]] ; then
warn "SIGN_ISO is deprecated, please use SIGN_ISO_FORMAL instead"
fi
if [[ -z "$SIGN_ISO_FORMAL" ]] ; then
if [[ -n "$SIGN_ISO" ]] ; then
SIGN_ISO_FORMAL="$SIGN_ISO"
elif [[ -n "$SIGNING_SERVER" ]] ; then
SIGN_ISO_FORMAL="true"
else
SIGN_ISO_FORMAL="false"
fi
warn "SIGN_ISO_FORMAL is missing, assuming \"$SIGN_ISO_FORMAL\""
fi
if [[ "$SIGN_ISO_FORMAL" != "true" && "$SIGN_ISO_FORMAL" != "false" ]] ; then
die "SIGN_ISO_FORMAL must be \"true\" or \"false\""
fi
# SECUREBOOT_FORMAL
if [[ -z "$SECUREBOOT_FORMAL" ]] ; then
if [[ -n "$SIGNING_SERVER" ]] ; then
SECUREBOOT_FORMAL="true"
else
SECUREBOOT_FORMAL="false"
fi
warn "SECUREBOOT_FORMAL is missing, assuming \"$SECUREBOOT_FORMAL\""
elif [[ "$SECUREBOOT_FORMAL" != "true" && "$SECUREBOOT_FORMAL" != "false" ]] ; then
die "SECUREBOOT_FORMAL must be \"true\" or \"false\""
fi
}
__started_by_jenkins() {

View File

@ -14,30 +14,39 @@ require_job_env BUILD_ISO
load_build_env
require_job_env SIGN_ISO
$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
require_job_env SIGNING_SERVER
require_job_env SIGNING_USER
require_job_env SIGN_ISO_FORMAL
$BUILD_ISO || bail "BUILD_ISO=false, bailing out"
$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
[[ -n "$SIGNING_SERVER" ]] || bail "SIGNING_SERVER is empoty, bailing out"
sign_iso() {
local iso_file="$1"
(
export MY_REPO=$REPO_ROOT/cgcs-root
export MY_WORKSPACE=$WORKSPACE_ROOT
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
sig_file="${iso_file%.iso}.sig"
maybe_run rm -f "$sig_file"
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "failed to sign ISO"
info "created signature $sig_file"
fi
)
local sig_file="${iso_file%.iso}.sig"
# Job is configured to sign the ISO with formal keys
if $SIGN_ISO_FORMAL ; then
[[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
(
export MY_REPO=$REPO_ROOT/cgcs-root
export MY_WORKSPACE=$WORKSPACE_ROOT
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
export SIGNING_SERVER
export SIGNING_USER
maybe_run rm -f "$sig_file"
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "failed to sign ISO"
info "created signature $sig_file"
fi
)
exit 0
fi
# ISO is already signed with developer keys - make sure .sig file exists
info "skipping formal ISO signing because it's already signed with developer key"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "$sig_file: file not found"
info "using existing ISO signature $sig_file"
fi
}

View File

@ -43,11 +43,19 @@ BUILD_PACKAGES_ITERATIONS=3
DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"
# ISO sigining
SIGN_ISO=false # If false, don't signe the ISO
# Signing server for formal ISO and secureboot signing (see below)
SIGNING_SERVER="some.host.org"
SIGNING_USER="some_user_id"
# Sign ISO with a key controlled by $SIGNING_SERVER
# If false, ISO will be signed with developer key in
# cgcs-root/build-tools/signing/dev-private-key.pem
SIGN_ISO_FORMAL=true
# Sign kernel-related packages with a key & cert controlled by
# $SIGNING_SERVER. When "false", don't add secureboot signatures.
SECUREBOOT_FORMAL=true
# Run this command inside the build container at the end of the build
# Current directory will be set to $MY_WORKSPACE/export.
# This command must leave any additional files to be published in that