root/build-tools/sign_rootfs-post-scripts
Li Zhou 93bc5bff91 Remove kernel abiname in sign_rootfs-post-scripts
When kernel is upgraded to 6.6, its abiname is changed from
5.10.0-6 to 6.6.0-1.
Update sign_rootfs-post-scripts to remove its dependency on the
kernel abiname, so that the script no longer needs to be changed
at the next kernel upgrade.

Test plan:
 PASS: The signing build process is verified.
 PASS: The rt/std secure boot processes on target are verified.

Story: 2011000
Task: 49617

Change-Id: I4b9e48d3f89b1097fd5075b20c4c83de7a3c65a8
Signed-off-by: Li Zhou <li.zhou@windriver.com>
(cherry picked from commit 5b2d40b7bf)
Signed-off-by: Jiping Ma <jiping.ma2@windriver.com>
2024-06-28 01:31:27 +00:00


- |-
#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Fragment of base-bullseye.yaml for signing part of rootfs-post-scripts definition
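# Set-up for the signing part of rootfs-post-scripts: locate the artifacts to
# sign inside the image rootfs and ask the signing server for an upload path.
# Reads:  IMAGE_ROOTFS (environment).
# Sets:   SIGNING_SERVER, LOCKD_*, KERNEL_RT_*, KERNEL_*, SSH_OPTION_NOCHECKING,
#         REQUEST, UPLOAD_PATH.
# Exits 1 when a kernel image or the upload path cannot be determined.
echo "***Start signing part of rootfs-post-scripts***"

# Without IMAGE_ROOTFS every path below would resolve against the build host's
# own /boot and /usr, so the wrong binaries would be sent for signing.
: "${IMAGE_ROOTFS:?IMAGE_ROOTFS must point at the image root filesystem}"

# NOTE(review): INPUT_SIGNING_SERVER looks like a placeholder that is
# substituted before this fragment runs -- confirm against the build tooling.
SIGNING_SERVER=INPUT_SIGNING_SERVER
LOCKD_FILE=LockDown.efi
LOCKD_PATH=${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/
LOCKD_INIT=${IMAGE_ROOTFS}/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi

# Resolve the kernel images by glob instead of parsing `ls`, so the lookup does
# not depend on the kernel abiname and still copes with spaces in IMAGE_ROOTFS.
# Exactly one match is required: with several matches the old `ls` form kept
# only the last name and left the other images unsigned.
KERNEL_RT_PATH=${IMAGE_ROOTFS}/boot/
KERNEL_RT_FILE=
for _kimg in "${KERNEL_RT_PATH}"/vmlinuz-*[0-9]-rt-amd64; do
    [ -e "${_kimg}" ] || continue    # an unmatched glob stays literal
    [ -z "${KERNEL_RT_FILE}" ] \
        || { echo "More than one kernel-rt image found in ${KERNEL_RT_PATH}!"; exit 1; }
    KERNEL_RT_FILE=${_kimg##*/}
done
[ -n "${KERNEL_RT_FILE}" ] \
    || { echo "No kernel-rt image found in ${KERNEL_RT_PATH}!"; exit 1; }

# The digit required right before "-amd64" keeps the "-rt-amd64" image out of
# this match.
KERNEL_PATH=${IMAGE_ROOTFS}/boot/
KERNEL_FILE=
for _kimg in "${KERNEL_PATH}"/vmlinuz-*[0-9]-amd64; do
    [ -e "${_kimg}" ] || continue
    [ -z "${KERNEL_FILE}" ] \
        || { echo "More than one kernel-std image found in ${KERNEL_PATH}!"; exit 1; }
    KERNEL_FILE=${_kimg##*/}
done
[ -n "${KERNEL_FILE}" ] \
    || { echo "No kernel-std image found in ${KERNEL_PATH}!"; exit 1; }

# NOTE(review): these two options switch off SSH host-key verification, so the
# build cannot tell the real signing server from an impostor; the upload path
# below and the .sig files fetched later then come from an unauthenticated
# peer. Prefer a known_hosts file with the server's pinned host key,
# provisioned into the build environment, and StrictHostKeyChecking=yes.
# Left unchanged here because the build environment is not visible.
SSH_OPTION_NOCHECKING="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

# The option string must word-split into separate ssh arguments.
# shellcheck disable=SC2086
REQUEST=$(ssh ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}" sudo /opt/signing/sign-debian.sh -r)

# Take the upload path only when the reply carries the "Upload: " marker;
# without the marker the prefix strip would hand back the whole reply
# (for instance an error message) as if it were a path.
case "${REQUEST}" in
    *"Upload: "*) UPLOAD_PATH=${REQUEST#*Upload: } ;;
    *) UPLOAD_PATH= ;;
esac
echo "UPLOAD_PATH: ${UPLOAD_PATH}"

# The original test, `[ -z ${UPLOAD_PATH}]`, lacked the space before `]` and so
# raised a "missing ]" error whenever the path was non-empty. Whitespace is
# rejected as well: the value is placed on later scp/ssh command lines and must
# be a single token.
case "${UPLOAD_PATH}" in
    ''|*[[:space:]]*) echo "Fail to request for upload path!"; exit 1 ;;
esac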
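# Step 1: upload LockDown.efi to the signing server, have it signed with
# `sign-debian.sh -t grub-gpg`, and copy the resulting .sig into LOCKD_PATH.
# Exits 1 on the first failing transfer or signing call.
# Every expansion is quoted except SSH_OPTION_NOCHECKING, which must word-split
# into separate options. ssh joins its command arguments and the remote shell
# parses them again, so the quoting only protects the local side.
# NOTE(review): the returned .sig is stored as received; nothing here verifies
# it -- confirm it is checked later in the build or at boot.
echo "(1) Sign LockDown.efi"
# shellcheck disable=SC2086
scp ${SSH_OPTION_NOCHECKING} "${LOCKD_INIT}" "${SIGNING_SERVER}:${UPLOAD_PATH}" \
    || { echo "Fail to copy LockDown.efi to signing server!"; exit 1; }
# shellcheck disable=SC2086
ssh ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}" \
    sudo /opt/signing/sign-debian.sh -i "${UPLOAD_PATH}/${LOCKD_FILE}" -t grub-gpg \
    || { echo "Fail to sign LockDown.efi!"; exit 1; }
# shellcheck disable=SC2086
scp ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}:${UPLOAD_PATH}/${LOCKD_FILE}.sig" "${LOCKD_PATH}" \
    || { echo "Fail to copy back LockDown.efi sig file!"; exit 1; }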
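# Step 2: upload the rt kernel image to the signing server, have it signed with
# `sign-debian.sh -t grub-gpg`, and copy the resulting .sig next to the image
# in KERNEL_RT_PATH. Exits 1 on the first failing transfer or signing call.
# Every expansion is quoted except SSH_OPTION_NOCHECKING, which must word-split
# into separate options. ssh joins its command arguments and the remote shell
# parses them again, so the quoting only protects the local side.
# NOTE(review): the returned .sig is stored as received; nothing here verifies
# it -- confirm it is checked later in the build or at boot.
echo "(2) Sign kernel-rt"
# shellcheck disable=SC2086
scp ${SSH_OPTION_NOCHECKING} "${KERNEL_RT_PATH}/${KERNEL_RT_FILE}" "${SIGNING_SERVER}:${UPLOAD_PATH}" \
    || { echo "Fail to copy kernel-rt image to signing server!"; exit 1; }
# shellcheck disable=SC2086
ssh ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}" \
    sudo /opt/signing/sign-debian.sh -i "${UPLOAD_PATH}/${KERNEL_RT_FILE}" -t grub-gpg \
    || { echo "Fail to sign kernel-rt image!"; exit 1; }
# shellcheck disable=SC2086
scp ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_RT_FILE}.sig" "${KERNEL_RT_PATH}" \
    || { echo "Fail to copy back kernel-rt image sig file!"; exit 1; }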
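# Step 3: upload the std kernel image to the signing server, have it signed
# with `sign-debian.sh -t grub-gpg`, and copy the resulting .sig next to the
# image in KERNEL_PATH. Exits 1 on the first failing transfer or signing call.
# Every expansion is quoted except SSH_OPTION_NOCHECKING, which must word-split
# into separate options. ssh joins its command arguments and the remote shell
# parses them again, so the quoting only protects the local side.
# NOTE(review): the returned .sig is stored as received; nothing here verifies
# it -- confirm it is checked later in the build or at boot.
echo "(3) Sign kernel-std"
# shellcheck disable=SC2086
scp ${SSH_OPTION_NOCHECKING} "${KERNEL_PATH}/${KERNEL_FILE}" "${SIGNING_SERVER}:${UPLOAD_PATH}" \
    || { echo "Fail to copy kernel-std image to signing server!"; exit 1; }
# shellcheck disable=SC2086
ssh ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}" \
    sudo /opt/signing/sign-debian.sh -i "${UPLOAD_PATH}/${KERNEL_FILE}" -t grub-gpg \
    || { echo "Fail to sign kernel-std image!"; exit 1; }
# shellcheck disable=SC2086
scp ${SSH_OPTION_NOCHECKING} "${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_FILE}.sig" "${KERNEL_PATH}" \
    || { echo "Fail to copy back kernel-std image sig file"; exit 1; }
echo "***Finish signing part of rootfs-post-scripts***"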