build-iso: better ISO & secureboot signing config

* Jenkins scripts:
- remove POST_ISO_SIGNING job parameter, as ISO signing is controled
  by build.conf, as originally intended.

* build.conf:
- rename SIGN_ISO => SIGN_ISO_FORMAL to better reflect purpose. ISOs
  are always signed, with developer keys (SIGN_ISO_FORMAL=false) or
  the signing server (SIGN_ISO_FORMAL=true).
- add SECUREBOOT_FORMAL - whether to generate secureboot signatures
  using the signing server (true), or not to generate them at all
  (false)

* Added code in job_utils.sh to set the defaults for these new config
  options as necessary, in case the job runs against an older build.conf
  that still has the obsolete BUILD_ISO option.

TESTS
========================
* Make sure SIGN_ISO_FORMAL==true calls "build-image --no-sign"
  followed by "sign_iso_formal.sh"
* Make sure SIGN_ISO_FORMAL==false calls "build-image" not
  followed by "sign_iso_formal.sh" and the dev-key based ISO signature
  gets created
* Make sure SECUREBOOT_FORMAL==true calls the secureboot script
* Make sure SECUREBOOT_FORMAL==false does not call the secureboot script
* Test with both the new parameters undefined, but SIGN_ISO defined,
  and make sure they acquire the expected defaults

Story: 2010226
Task: 47777

Depends-On: https://review.opendev.org/c/starlingx/root/+/879206
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I928de97fefc70b3062820547d1256c2a3ce106e8
This commit is contained in:
Davlet Panech 2023-03-31 16:35:19 -04:00
parent f4232d02d6
commit 04f9dea597
6 changed files with 88 additions and 32 deletions


@ -163,9 +163,6 @@ pipeline {
booleanParam ( booleanParam (
name: 'BUILD_ISO' name: 'BUILD_ISO'
) )
booleanParam (
name: 'POST_ISO_SIGNING'
)
booleanParam ( booleanParam (
name: 'BUILD_RT' name: 'BUILD_RT'
) )


@ -43,9 +43,6 @@ pipeline {
booleanParam ( booleanParam (
name: 'BUILD_ISO' name: 'BUILD_ISO'
) )
booleanParam (
name: 'POST_ISO_SIGNING'
)
} }
stages { stages {
stage ("build-iso") { stage ("build-iso") {
@ -54,7 +51,6 @@ pipeline {
} }
} }
stage ("sign-iso") { stage ("sign-iso") {
when { expression { params.POST_ISO_SIGNING } }
steps { steps {
sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh") sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
} }


@ -14,12 +14,25 @@ require_job_env BUILD_ISO
load_build_env load_build_env
require_job_env SECUREBOOT_FORMAL
require_job_env SIGN_ISO_FORMAL
$BUILD_ISO || bail "BUILD_ISO=false, bailing out" $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
if [[ -n "$SIGNING_SERVER" ]] ; then if $SECUREBOOT_FORMAL ; then
notice "preparing secureboot signatures" notice "signing secureboot packages"
stx_docker_cmd $DRY_RUN_ARG "SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER} PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian" [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
sign_secure_boot_env="SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER}"
stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
fi fi
build_img_args=
# Job is configured to sign the ISO with official keys.
if $SIGN_ISO_FORMAL ; then
[[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
# Don't sign ISO with developer keys; we will sign it separately
# in sign-iso.sh
build_img_args+=" --no-sign"
fi
notice "building STD ISO" notice "building STD ISO"
stx_docker_cmd $DRY_RUN_ARG "build-image" stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"
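Review bot: `if $SECUREBOOT_FORMAL ; then` and `if $SIGN_ISO_FORMAL ; then` execute the configuration value as a command, so this file is only safe because __set_build_vars in job_utils.sh (same commit) restricts both variables to the literal strings true/false — a reader of build-iso.sh alone cannot see that guarantee. Comparing the string instead, `if [[ "$SECUREBOOT_FORMAL" == "true" ]] ; then` and `if [[ "$SIGN_ISO_FORMAL" == "true" ]] ; then`, keeps the behaviour and removes the dependency on that remote validation; the pre-existing `$BUILD_ISO ||` on the context line above has the same shape. SIGNING_USER and SIGNING_SERVER are still spliced unquoted into the command string handed to stx_docker_cmd (as before this change), so a value containing whitespace or shell metacharacters would be re-parsed inside the container; a comment stating that build.conf values are trusted here would make that assumption explicit.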


@ -182,6 +182,39 @@ __set_build_vars() {
else else
PARALLEL= PARALLEL=
fi fi
# Validate & set defaults for ISO & secureboot options
# SIGN_ISO_FORMAL was spelled as SIGN_ISO in the past
if [[ -n "$SIGN_ISO" ]] ; then
warn "SIGN_ISO is deprecated, please use SIGN_ISO_FORMAL instead"
fi
if [[ -z "$SIGN_ISO_FORMAL" ]] ; then
if [[ -n "$SIGN_ISO" ]] ; then
SIGN_ISO_FORMAL="$SIGN_ISO"
elif [[ -n "$SIGNING_SERVER" ]] ; then
SIGN_ISO_FORMAL="true"
else
SIGN_ISO_FORMAL="false"
fi
warn "SIGN_ISO_FORMAL is missing, assuming \"$SIGN_ISO_FORMAL\""
fi
if [[ "$SIGN_ISO_FORMAL" != "true" && "$SIGN_ISO_FORMAL" != "false" ]] ; then
die "SIGN_ISO_FORMAL must be \"true\" or \"false\""
fi
# SECUREBOOT_FORMAL
if [[ -z "$SECUREBOOT_FORMAL" ]] ; then
if [[ -n "$SIGNING_SERVER" ]] ; then
SECUREBOOT_FORMAL="true"
else
SECUREBOOT_FORMAL="false"
fi
warn "SECUREBOOT_FORMAL is missing, assuming \"$SECUREBOOT_FORMAL\""
elif [[ "$SECUREBOOT_FORMAL" != "true" && "$SECUREBOOT_FORMAL" != "false" ]] ; then
die "SECUREBOOT_FORMAL must be \"true\" or \"false\""
fi
} }
__started_by_jenkins() { __started_by_jenkins() {
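Review bot: When an older build.conf sets SIGN_ISO to something other than true/false, the value is copied into SIGN_ISO_FORMAL and the script then dies with `SIGN_ISO_FORMAL must be "true" or "false"`, naming a variable the user never set; validating `SIGN_ISO` before the copy, with its own message, would point at the real source. The `-n "$SIGN_ISO"` and `-z "$SIGN_ISO_FORMAL"` tests will abort with an unbound-variable error if job_utils.sh is ever run under `set -u` (not visible in this hunk); `${SIGN_ISO:-}` and `${SIGN_ISO_FORMAL:-}` avoid that. The new block assigns two globals, SIGN_ISO_FORMAL and SECUREBOOT_FORMAL, that other job scripts read, so the header comment of __set_build_vars (the function starts above this hunk) should list them as outputs together with the defaulting rule that ties them to SIGNING_SERVER.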


@ -14,30 +14,39 @@ require_job_env BUILD_ISO
load_build_env load_build_env
require_job_env SIGN_ISO require_job_env SIGN_ISO_FORMAL
$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
require_job_env SIGNING_SERVER
require_job_env SIGNING_USER
$BUILD_ISO || bail "BUILD_ISO=false, bailing out" $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
[[ -n "$SIGNING_SERVER" ]] || bail "SIGNING_SERVER is empoty, bailing out"
sign_iso() { sign_iso() {
local iso_file="$1" local iso_file="$1"
( local sig_file="${iso_file%.iso}.sig"
export MY_REPO=$REPO_ROOT/cgcs-root
export MY_WORKSPACE=$WORKSPACE_ROOT # Job is configured to sign the ISO with formal keys
export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin if $SIGN_ISO_FORMAL ; then
sig_file="${iso_file%.iso}.sig" [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
maybe_run rm -f "$sig_file" (
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO" export MY_REPO=$REPO_ROOT/cgcs-root
if ! $DRY_RUN ; then export MY_WORKSPACE=$WORKSPACE_ROOT
[[ -f "$sig_file" ]] || die "failed to sign ISO" export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
info "created signature $sig_file" export SIGNING_SERVER
fi export SIGNING_USER
) maybe_run rm -f "$sig_file"
maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "failed to sign ISO"
info "created signature $sig_file"
fi
)
exit 0
fi
# ISO is already signed with developer keys - make sure .sig file exists
info "skipping formal ISO signing because it's already signed with developer key"
if ! $DRY_RUN ; then
[[ -f "$sig_file" ]] || die "$sig_file: file not found"
info "using existing ISO signature $sig_file"
fi
} }
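Review bot: The die message on the SIGNING_SERVER check inside `if $SIGN_ISO_FORMAL` names the wrong option; it should read `[[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"`. The formal-signing subshell's exit status is never examined: `die` inside `( ... )` terminates only the subshell, and the function then reaches the new `exit 0`, so unless the script runs under `set -e` (not visible here) a failed sign_iso_formal.sh is reported as success; closing the subshell with `) || die "failed to sign ISO"` removes that gap. `exit 0` inside a function also ends the whole script instead of returning to the caller, so if sign_iso is ever invoked for more than one image only the first would be processed; `return 0` expresses the intent.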


@ -43,11 +43,19 @@ BUILD_PACKAGES_ITERATIONS=3
DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian" DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security" DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"
# ISO sigining # Signing server for formal ISO and secureboot signing (see below)
SIGN_ISO=false # If false, don't signe the ISO
SIGNING_SERVER="some.host.org" SIGNING_SERVER="some.host.org"
SIGNING_USER="some_user_id" SIGNING_USER="some_user_id"
# Sign ISO with a key controlled by $SIGNING_SERVER
# If false, ISO will be signed with developer key in
# cgcs-root/build-tools/signing/dev-private-key.pem
SIGN_ISO_FORMAL=true
# Sign kernel-related packages with a key & cert controlled by
# $SIGNING_SERVER. When "false", don't add secureboot signatures.
SECUREBOOT_FORMAL=true
# Run this command inside the build container at the end of the build # Run this command inside the build container at the end of the build
# Current directory will be set to $MY_WORKSPACE/export. # Current directory will be set to $MY_WORKSPACE/export.
# This command must leave any additional files to be published in that # This command must leave any additional files to be published in that
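Review bot: The comments on the new SIGN_ISO_FORMAL and SECUREBOOT_FORMAL lines do not say that only the literal values `true` and `false` are accepted, nor that setting either to true requires a non-empty SIGNING_SERVER; the job scripts in this commit abort on anything else, so the sample config should state it, e.g. `# Must be "true" or "false"; "true" requires SIGNING_SERVER to be set`. Both samples default to true, so copying this file into an environment without a signing server fails at build time rather than falling back to the developer key; a sentence noting that would save a failed run. The unchanged DEBIAN_SNAPSHOT_BASE context line above carries a doubled scheme, `http://https://`, which predates this change.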