build-iso: better ISO & secureboot signing config

* Jenkins scripts: - remove POST_ISO_SIGNING job parameter, as ISO signing is controled by build.conf, as originally intended. * build.conf: - rename SIGN_ISO => SIGN_ISO_FORMAL to better reflect purpose. ISOs are always signed, with developer keys (SIGN_ISO_FORMAL=false) or the signing server (SIGN_ISO_FORMAL=true). - add SECUREBOOT_FORMAL - whether to generate secureboot signatures using the signing server (true), or not to generate them at all (false) * Added code in job_utils.sh to set the defaults for these new config options as necessary, in case the job runs against an older build.conf that still has the obsolete BUILD_ISO option. TESTS ======================== * Make sure SIGN_ISO_FORMAL==true calls "build-image --no-sign" followed by "sign_iso_formal.sh" * Make sure SIGN_ISO_FORMAL==false calls "build-image" not followed by "sign_iso_formal.sh" and the dev-key based ISO signature gets created * Make sure SECUREBOOT_FORMAL==true calls calls the secureboot script * Make sure SECUREBOOT_FORMAL==false does not call the secureboot script * Test with both the new parameters undefined, but SIGN_ISO defined, and make sure they aquire expected defaults Story: 2010226 Task: 47777 Depends-On: https://review.opendev.org/c/starlingx/root/+/879206 Signed-off-by: Davlet Panech <davlet.panech@windriver.com> Change-Id: I928de97fefc70b3062820547d1256c2a3ce106e8
2023-03-31 16:35:19 -04:00 · 2023-03-31 16:35:19 -04:00 · 04f9dea597
commit 04f9dea597
parent f4232d02d6
6 changed files with 88 additions and 32 deletions
--- a/pipelines/monolithic.Jenkinsfile
+++ b/pipelines/monolithic.Jenkinsfile
@ -163,9 +163,6 @@ pipeline {
        booleanParam (
            name: 'BUILD_ISO'
        )
-        booleanParam (
-            name: 'POST_ISO_SIGNING'
-        )
        booleanParam (
            name: 'BUILD_RT'
        )
--- a/pipelines/parts/build-iso.Jenkinsfile
+++ b/pipelines/parts/build-iso.Jenkinsfile
@ -43,9 +43,6 @@ pipeline {
        booleanParam (
            name: 'BUILD_ISO'
        )
-        booleanParam (
-            name: 'POST_ISO_SIGNING'
-        )
    }
    stages {
        stage ("build-iso") {
@ -54,7 +51,6 @@ pipeline {
            }
        }
        stage ("sign-iso") {
-            when { expression { params.POST_ISO_SIGNING } }
            steps {
                sh ("${Constants.SCRIPTS_DIR}/sign-iso.sh")
            }
--- a/scripts/build-iso.sh
+++ b/scripts/build-iso.sh
@ -14,12 +14,25 @@ require_job_env BUILD_ISO

 load_build_env

+require_job_env SECUREBOOT_FORMAL
+require_job_env SIGN_ISO_FORMAL
+
 $BUILD_ISO || bail "BUILD_ISO=false, bailing out"

-if [[ -n "$SIGNING_SERVER" ]] ; then
-    notice "preparing secureboot signatures"
-    stx_docker_cmd $DRY_RUN_ARG "SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER} PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
+if $SECUREBOOT_FORMAL ; then
+    notice "signing secureboot packages"
+    [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
+    sign_secure_boot_env="SIGNING_SERVER=${SIGNING_USER:-signing}@${SIGNING_SERVER}"
+    stx_docker_cmd $DRY_RUN_ARG "$sign_secure_boot_env PATH=\$MY_REPO/build-tools:\$PATH sign-secure-boot_debian"
 fi

+build_img_args=
+# Job is configured to sign the ISO with official keys.
+if $SIGN_ISO_FORMAL ; then
+    [[ -n "$SIGNING_SERVER" ]] || die "SIGN_ISO_FORMAL requires SIGNING_SERVER"
+    # Don't sign ISO with developer keys; we will sign it separately
+    # in sign-iso.sh
+    build_img_args+=" --no-sign"
+fi
 notice "building STD ISO"
-stx_docker_cmd $DRY_RUN_ARG "build-image"
+stx_docker_cmd $DRY_RUN_ARG "build-image $build_img_args"
--- a/scripts/lib/job_utils.sh
+++ b/scripts/lib/job_utils.sh
@ -182,6 +182,39 @@ __set_build_vars() {
    else
        PARALLEL=
    fi
+
+    # Validate & set defaults for ISO & secureboot options
+
+    # SIGN_ISO_FORMAL was spelled as SIGN_ISO in the past
+    if [[ -n "$SIGN_ISO" ]] ; then
+        warn "SIGN_ISO is deprecated, please use SIGN_ISO_FORMAL instead"
+    fi
+    if [[ -z "$SIGN_ISO_FORMAL" ]] ; then
+        if [[ -n "$SIGN_ISO" ]] ; then
+            SIGN_ISO_FORMAL="$SIGN_ISO"
+        elif [[ -n "$SIGNING_SERVER" ]] ; then
+            SIGN_ISO_FORMAL="true"
+        else
+            SIGN_ISO_FORMAL="false"
+        fi
+        warn "SIGN_ISO_FORMAL is missing, assuming \"$SIGN_ISO_FORMAL\""
+    fi
+    if [[ "$SIGN_ISO_FORMAL" != "true" && "$SIGN_ISO_FORMAL" != "false" ]] ; then
+        die "SIGN_ISO_FORMAL must be \"true\" or \"false\""
+    fi
+
+    # SECUREBOOT_FORMAL
+    if [[ -z "$SECUREBOOT_FORMAL" ]] ; then
+        if [[ -n "$SIGNING_SERVER" ]] ; then
+            SECUREBOOT_FORMAL="true"
+        else
+            SECUREBOOT_FORMAL="false"
+        fi
+        warn "SECUREBOOT_FORMAL is missing, assuming \"$SECUREBOOT_FORMAL\""
+    elif [[ "$SECUREBOOT_FORMAL" != "true" && "$SECUREBOOT_FORMAL" != "false" ]] ; then
+        die "SECUREBOOT_FORMAL must be \"true\" or \"false\""
+    fi
+
 }

 __started_by_jenkins() {
--- a/scripts/sign-iso.sh
+++ b/scripts/sign-iso.sh
@ -14,23 +14,23 @@ require_job_env BUILD_ISO

 load_build_env

-require_job_env SIGN_ISO
-$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
-
-require_job_env SIGNING_SERVER
-require_job_env SIGNING_USER
+require_job_env SIGN_ISO_FORMAL

 $BUILD_ISO || bail "BUILD_ISO=false, bailing out"
-$SIGN_ISO || bail "SIGN_ISO=false, bailing out"
-[[ -n "$SIGNING_SERVER" ]] || bail "SIGNING_SERVER is empoty, bailing out"

 sign_iso() {
    local iso_file="$1"
+    local sig_file="${iso_file%.iso}.sig"
+
+    # Job is configured to sign the ISO with formal keys
+    if $SIGN_ISO_FORMAL ; then
+        [[ -n "$SIGNING_SERVER" ]] || die "SECUREBOOT_FORMAL requires SIGNING_SERVER"
        (
            export MY_REPO=$REPO_ROOT/cgcs-root
            export MY_WORKSPACE=$WORKSPACE_ROOT
            export PATH=$MY_REPO/build-tools:$PATH:/usr/local/bin
-        sig_file="${iso_file%.iso}.sig"
+            export SIGNING_SERVER
+            export SIGNING_USER
            maybe_run rm -f "$sig_file"
            maybe_run sign_iso_formal.sh "$iso_file" || die "failed to sign ISO"
            if ! $DRY_RUN ; then
@ -38,6 +38,15 @@ sign_iso() {
                info "created signature $sig_file"
            fi
        )
+        exit 0
+    fi
+
+    # ISO is already signed with developer keys - make sure .sig file exists
+    info "skipping formal ISO signing because it's already signed with developer key"
+    if ! $DRY_RUN ; then
+        [[ -f "$sig_file" ]] || die "$sig_file: file not found"
+        info "using existing ISO signature $sig_file"
+    fi
 }


--- a/scripts/templates/build.conf.example.in
+++ b/scripts/templates/build.conf.example.in
@ -43,11 +43,19 @@ BUILD_PACKAGES_ITERATIONS=3
 DEBIAN_SNAPSHOT_BASE="http://https://snapshot.debian.org/archive/debian"
 DEBIAN_SECURITY_SNAPSHOT_BASE="https://snapshot.debian.org/archive/debian-security"

-# ISO sigining
-SIGN_ISO=false      # If false, don't signe the ISO
+# Signing server for formal ISO and secureboot signing (see below)
 SIGNING_SERVER="some.host.org"
 SIGNING_USER="some_user_id"

+# Sign ISO with a key controlled by $SIGNING_SERVER
+# If false, ISO will be signed with developer key in
+#   cgcs-root/build-tools/signing/dev-private-key.pem
+SIGN_ISO_FORMAL=true
+
+# Sign kernel-related packages with a key & cert controlled by
+# $SIGNING_SERVER. When "false", don't add secureboot signatures.
+SECUREBOOT_FORMAL=true
+
 # Run this command inside the build container at the end of the build
 # Current directory will be set to $MY_WORKSPACE/export.
 # This command must leave any additional files to be published in that