- |- # # Copyright (c) 2023 Wind River Systems, Inc. # # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. The ASF licenses this # file to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # # Fragment of base-bullseye.yaml for signing part of rootfs-post-scripts definition echo "***Start signing part of rootfs-post-scripts***" SIGNING_SERVER=INPUT_SIGNING_SERVER LOCKD_FILE=LockDown.efi LOCKD_PATH=${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/ LOCKD_INIT=${IMAGE_ROOTFS}/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi KERNEL_RT_PATH=${IMAGE_ROOTFS}/boot/ KERNEL_RT_FILE=$(ls ${KERNEL_RT_PATH}/vmlinuz-*[0-9]-rt-amd64) KERNEL_RT_FILE=${KERNEL_RT_FILE##*/} KERNEL_PATH=${IMAGE_ROOTFS}/boot/ KERNEL_FILE=$(ls ${KERNEL_PATH}/vmlinuz-*[0-9]-amd64) KERNEL_FILE=${KERNEL_FILE##*/} SSH_OPTION_NOCHECKING="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" REQUEST=$(ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} sudo /opt/signing/sign-debian.sh -r) UPLOAD_PATH=${REQUEST#*Upload: } echo "UPLOAD_PATH: ${UPLOAD_PATH}" [ -z ${UPLOAD_PATH}] && { echo "Fail to request for upload path!"; exit 1; } echo "(1) Sign LockDown.efi" scp ${SSH_OPTION_NOCHECKING} ${LOCKD_INIT} ${SIGNING_SERVER}:${UPLOAD_PATH} \ || { echo "Fail to copy LockDown.efi to signing server!"; exit 1; } ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \ sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${LOCKD_FILE} -t grub-gpg \ || { echo "Fail to sign LockDown.efi!"; exit 1; } scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${LOCKD_FILE}.sig ${LOCKD_PATH} \ || { echo "Fail to copy back LockDown.efi sig file!"; exit 1; } echo "(2) Sign kernel-rt" scp ${SSH_OPTION_NOCHECKING} ${KERNEL_RT_PATH}/${KERNEL_RT_FILE} ${SIGNING_SERVER}:${UPLOAD_PATH} \ || { echo "Fail to copy kernel-rt image to signing server!"; exit 1; } ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \ sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_RT_FILE} -t grub-gpg \ || { echo "Fail to sign kernel-rt image!"; exit 1; } scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_RT_FILE}.sig ${KERNEL_RT_PATH} \ || { echo "Fail to copy back kernel-rt image sig file!"; exit 1; } echo "(3) Sign kernel-std" scp ${SSH_OPTION_NOCHECKING} ${KERNEL_PATH}/${KERNEL_FILE} ${SIGNING_SERVER}:${UPLOAD_PATH} \ || { echo "Fail to copy kernel-std image to signing server!"; exit 1; } ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \ sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_FILE} -t grub-gpg \ || { echo "Fail to sign kernel-std image!"; exit 1; } scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_FILE}.sig ${KERNEL_PATH} \ || { echo "Fail to copy back kernel-std image sig file"; exit 1; } echo "***Finish signing part of rootfs-post-scripts***"