Introduce new environmnet variable SIGNING_KEY_NAME
STORY: 2011352 TASK: 52118 Signed-off-by: Scott Little <scott.little@windriver.com> (cherry picked from commit 9285275240) (cherry picked from commit 112a368726) Change-Id: I53e21410d6df1be4e1b5619b007dcb8ae6aad320
@@ -35,6 +35,11 @@ if [ -z "${SIGNING_USER}" ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "${SIGNING_KEY_NAME}" ]; then
|
||||
SIGNING_KEY_NAME='default'
|
||||
echo "Warning: SIGNING_KEY_NAME no set in your environment, using '${SIGNING_KEY_NAME}'"
|
||||
fi
|
||||
|
||||
# Get shim deb version number.
|
||||
SHIM_DEB=$(ls ${MY_WORKSPACE}/std/shim/shim-unsigned_*_amd64.deb)
|
||||
SHIM_DEB=${SHIM_DEB##*/}
|
||||
@@ -89,7 +94,7 @@ scp ${SSH_OPTION_NOCHECKING} shimx64.efi ${SIGNING_USER}@${SIGNING_SERVER}:${UPL
|
||||
|| { echo "Fail to copy shimx64.efi to signing server!"; exit 1; }
|
||||
# Sign shimx64.efi
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/shimx64.efi -t shim \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/shimx64.efi -t shim -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign shimx64.efi!"; exit 1; }
|
||||
# Copy back signed shimx64.efi which is renamed as bootx64.efi
|
||||
sudo scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/bootx64.efi ./ \
|
||||
@@ -100,7 +105,7 @@ scp ${SSH_OPTION_NOCHECKING} mmx64.efi ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOA
|
||||
|| { echo "Fail to copy mmx64.efi to signing server!"; exit 1; }
|
||||
# Sign mmx64.efi
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/mmx64.efi -t shimtool \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/mmx64.efi -t shimtool -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign mmx64.efi!"; exit 1; }
|
||||
# Copy back signed mmx64.efi (renamed to grubx64.efi by server and need rename it back)
|
||||
sudo scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/mmx64.efi.signed ./mmx64.efi \
|
||||
@@ -133,7 +138,7 @@ scp ${SSH_OPTION_NOCHECKING} grubx64.efi ${SIGNING_USER}@${SIGNING_SERVER}:${UPL
|
||||
|| { echo "Fail to copy grubx64.efi to signing server!"; exit 1; }
|
||||
# Sign grubx64.efi
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/grubx64.efi -t grub \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/grubx64.efi -t grub -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign grubx64.efi!"; exit 1; }
|
||||
# Copy back signed grubx64.efi
|
||||
sudo scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/grubx64.efi . \
|
||||
@@ -190,7 +195,9 @@ done
|
||||
sed -i "s/2SPACE/ /g" ${YAML_FILE}
|
||||
|
||||
# Replace the signing server in the base-bullseye.yaml with the input of this script.
|
||||
sed -i -e "s/INPUT_SIGNING_SERVER/${SIGNING_SERVER}/g" -e "s/INPUT_SIGNING_USER/${SIGNING_USER}/g" ${YAML_FILE}
|
||||
sed -i -e "s/INPUT_SIGNING_SERVER/${SIGNING_SERVER}/g" \
|
||||
-e "s/INPUT_SIGNING_KEY_NAME/${SIGNING_KEY_NAME}/g" \
|
||||
-e "s/INPUT_SIGNING_USER/${SIGNING_USER}/g" ${YAML_FILE}
|
||||
|
||||
echo "***Finish preparing gpg signing***"
|
||||
|
||||
|
||||
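Review bot: The fallback added in the `@@ -35,6 +35,11 @@` hunk lets a build continue with `SIGNING_KEY_NAME='default'` when the variable is missing, whereas the `SIGNING_USER` check directly above it (whose `if` opens outside the hunk) fails closed with `exit 1`; for a secure-boot signing step a silently chosen key is the worse outcome, so `echo "Error: SIGNING_KEY_NAME not set in your environment" >&2; exit 1` would be the safer default, or at minimum the warning should go to stderr and `no set` should read `not set`. The value is then interpolated unquoted into the remote `sudo /opt/signing/sign-debian.sh ... -k ${SIGNING_KEY_NAME}` command in the `@@ -89`, `@@ -100` and `@@ -133` hunks and into the `sed` expression in the `@@ -190` hunk, so a name containing whitespace, `/` or `&` would change the remote command line or the substitution. A restriction at the point the value is read, in the POSIX style the script already uses, covers both: `case "${SIGNING_KEY_NAME}" in ''|*[!A-Za-z0-9._-]*) echo "Invalid SIGNING_KEY_NAME" >&2; exit 1;; esac`.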
@@ -20,6 +20,7 @@
|
||||
echo "***Start initramfs-sign-script***"
|
||||
SIGNING_SERVER=INPUT_SIGNING_SERVER
|
||||
SIGNING_USER=INPUT_SIGNING_USER
|
||||
SIGNING_KEY_NAME=INPUT_SIGNING_KEY_NAME
|
||||
INITRAMFS_PATH=/localdisk/deploy/
|
||||
INITRAMFS_INIT=$(ls ${INITRAMFS_PATH}/starlingx-initramfs-ostree-image-intel-x86-64-*.rootfs.cpio.gz)
|
||||
[ -z ${INITRAMFS_INIT} ] && { echo "No initramfs file!"; exit 1; }
|
||||
@@ -35,7 +36,7 @@
|
||||
scp ${SSH_OPTION_NOCHECKING} ${INITRAMFS_PATH}/${INITRAMFS_FILE} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} \
|
||||
|| { echo "Fail to copy initramfs file to signing server!"; exit 1; }
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${INITRAMFS_FILE} -t grub-gpg \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${INITRAMFS_FILE} -t grub-gpg -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign initramfs file!"; exit 1; }
|
||||
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/${INITRAMFS_FILE}.sig ${INITRAMFS_PATH} \
|
||||
|| { echo "Fail to copy back initramfs sig file!"; exit 1; }
|
||||
@@ -45,7 +46,7 @@
|
||||
scp ${SSH_OPTION_NOCHECKING} ${INITRD_MINI_PATH}/${INITRD_MINI_FILE} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} \
|
||||
|| { echo "Fail to copy mini initrd file to signing server!"; exit 1; }
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${INITRD_MINI_FILE} -t grub-gpg \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${INITRD_MINI_FILE} -t grub-gpg -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign mini initrd file!"; exit 1; }
|
||||
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/${INITRD_MINI_FILE}.sig ${INITRD_MINI_PATH} \
|
||||
|| { echo "Fail to copy back mini initrd sig file!"; exit 1; }
|
||||
|
||||
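Review bot: `SIGNING_KEY_NAME=INPUT_SIGNING_KEY_NAME` in the `@@ -20,6 +20,7 @@` hunk is a template placeholder that only becomes a real key name once the build script's `sed -e "s/INPUT_SIGNING_KEY_NAME/.../"` has been run over this file; a `sed -i` whose pattern matches nothing exits 0, so if the substitution is skipped or mismatched the literal string is passed straight to `sign-debian.sh -k`. The existing `SIGNING_SERVER` and `SIGNING_USER` placeholders have the same exposure, but since this commit adds a third it seems worth a guard after the assignment in the style the script already uses: `[ "${SIGNING_KEY_NAME}" = INPUT_SIGNING_KEY_NAME ] && { echo "SIGNING_KEY_NAME was not substituted!"; exit 1; }`. The same applies to the `@@ -21,6 +21,7 @@` hunk of the rootfs-post-scripts script further down. The ssh lines in the `@@ -35,7 +36,7 @@` and `@@ -45,7 +46,7 @@` hunks also interpolate `${SIGNING_KEY_NAME}` unquoted into the remote command, the same point as raised for the build script above.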
@@ -21,6 +21,7 @@
|
||||
echo "***Start signing part of rootfs-post-scripts***"
|
||||
SIGNING_SERVER=INPUT_SIGNING_SERVER
|
||||
SIGNING_USER=INPUT_SIGNING_USER
|
||||
SIGNING_KEY_NAME=INPUT_SIGNING_KEY_NAME
|
||||
LOCKD_FILE=LockDown.efi
|
||||
LOCKD_PATH=${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/
|
||||
LOCKD_INIT=${IMAGE_ROOTFS}/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
|
||||
@@ -39,7 +40,7 @@
|
||||
scp ${SSH_OPTION_NOCHECKING} ${LOCKD_INIT} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} \
|
||||
|| { echo "Fail to copy LockDown.efi to signing server!"; exit 1; }
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${LOCKD_FILE} -t grub-gpg \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${LOCKD_FILE} -t grub-gpg -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign LockDown.efi!"; exit 1; }
|
||||
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/${LOCKD_FILE}.sig ${LOCKD_PATH} \
|
||||
|| { echo "Fail to copy back LockDown.efi sig file!"; exit 1; }
|
||||
@@ -47,7 +48,7 @@
|
||||
scp ${SSH_OPTION_NOCHECKING} ${KERNEL_RT_PATH}/${KERNEL_RT_FILE} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} \
|
||||
|| { echo "Fail to copy kernel-rt image to signing server!"; exit 1; }
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_RT_FILE} -t grub-gpg \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_RT_FILE} -t grub-gpg -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign kernel-rt image!"; exit 1; }
|
||||
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_RT_FILE}.sig ${KERNEL_RT_PATH} \
|
||||
|| { echo "Fail to copy back kernel-rt image sig file!"; exit 1; }
|
||||
@@ -55,7 +56,7 @@
|
||||
scp ${SSH_OPTION_NOCHECKING} ${KERNEL_PATH}/${KERNEL_FILE} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH} \
|
||||
|| { echo "Fail to copy kernel-std image to signing server!"; exit 1; }
|
||||
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER} \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_FILE} -t grub-gpg \
|
||||
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_FILE} -t grub-gpg -k ${SIGNING_KEY_NAME} \
|
||||
|| { echo "Fail to sign kernel-std image!"; exit 1; }
|
||||
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_FILE}.sig ${KERNEL_PATH} \
|
||||
|| { echo "Fail to copy back kernel-std image sig file"; exit 1; }
|
||||
|
||||