root/build-tools/sign-secure-boot_debian

#!/bin/bash
#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#  http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

# Input for the script:
# export SIGNING_SERVER="user name for the signing server"+@+"ip for the signing server"
# Tools needed by the script: ssh/cut/scp/sed

echo "sign-secure-boot_debian: start"

# If no right input, exit.
if [ -z "${SIGNING_SERVER}" ]; then
    echo "ERROR: Please export SIGNING_SERVER first!"
    exit 1
fi

# Get shim deb version number.
SHIM_DEB=$(ls ${MY_WORKSPACE}/std/shim/shim-unsigned_*_amd64.deb)
SHIM_DEB=${SHIM_DEB##*/}
if [ -z "${SHIM_DEB}" ]; then
    echo "No shim-unsigned deb!"
    exit 1
fi
SHIM_VERSION=$(echo ${SHIM_DEB} | cut -d '_' -f 2)
if [ -z "${SHIM_VERSION}" ]; then
    echo "Wrong shim deb version!"
    exit 1
fi

# Get grub-efi deb version number.
GRUB_EFI_DEB=$(ls ${MY_WORKSPACE}/std/grub-efi/grub-efi-amd64_*_amd64.deb)
GRUB_EFI_DEB=${GRUB_EFI_DEB##*/}
if [ -z "${GRUB_EFI_DEB}" ]; then
    echo "No grub-efi-amd64 deb!"
    exit 1
fi
GRUB_EFI_VERSION=$(echo ${GRUB_EFI_DEB} | cut -d '_' -f 2)
if [ -z "${GRUB_EFI_VERSION}" ]; then
    echo "Wrong grub-efi-amd64 deb version!"
    exit 1
fi

SSH_OPTION_NOCHECKING="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

# Request upload path from signing server.
REQUEST=$(ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} sudo /opt/signing/sign-debian.sh -r)
UPLOAD_PATH=${REQUEST#*Upload: }
echo UPLOAD_PATH: ${UPLOAD_PATH}
if [ -z "${UPLOAD_PATH}" ]; then
    echo "Fail to request for upload path!"
    exit 1
fi

echo "***(1) Start signing shim***"
cd ${MY_WORKSPACE}/std/shim
ls sign > /dev/null && echo "Removing old sign folder!" && sudo rm sign -rf
mkdir sign
cp shim-unsigned_${SHIM_VERSION}_amd64.deb ./sign \
    || { echo "No right shim-unsigned deb!"; exit 1; }
cd sign
# Raw-extract shim deb
sudo dpkg-deb -R shim-unsigned_${SHIM_VERSION}_amd64.deb ./shim-unsigned/ \
    || { echo "Fail to extract shim-unsigned deb!"; exit 1; }
cd shim-unsigned/usr/lib/shim

# Copy shimx64.efi to signing server
scp ${SSH_OPTION_NOCHECKING} shimx64.efi ${SIGNING_SERVER}:${UPLOAD_PATH} \
    || { echo "Fail to copy shimx64.efi to signing server!"; exit 1; }
# Sign shimx64.efi
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
    sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/shimx64.efi -t shim \
    || { echo "Fail to sign shimx64.efi!"; exit 1; }
# Copy back signed shimx64.efi which is renamed as bootx64.efi
sudo scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/bootx64.efi ./ \
    || { echo "Fail to copy back signed shim image!"; exit 1; }

# Copy mmx64.efi to signing server
scp ${SSH_OPTION_NOCHECKING} mmx64.efi ${SIGNING_SERVER}:${UPLOAD_PATH} \
    || { echo "Fail to copy mmx64.efi to signing server!"; exit 1; }
# Sign mmx64.efi
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
    sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/mmx64.efi -t shimtool \
    || { echo "Fail to sign mmx64.efi!"; exit 1; }
# Copy back signed mmx64.efi (renamed to grubx64.efi by server and need rename it back)
sudo scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/mmx64.efi.signed ./mmx64.efi \
    || { echo "Fail to copy back signed shim tool image!"; exit 1; }

cd -
# Repack the shim package and replace the one in the repo
dpkg-deb -b ./shim-unsigned shim-unsigned_${SHIM_VERSION}_amd64.deb \
    || { echo "Fail to repack the shim package with signed images!"; exit 1; }
repo_manage.py delete_pkg -r deb-local-build -p shim-unsigned -t binary -v ${SHIM_VERSION} \
    || { echo "Fail to delete the old shim-unsigned package from repo!"; exit 1; }
repo_manage.py upload_pkg -r deb-local-build -p ./shim-unsigned_${SHIM_VERSION}_amd64.deb \
    || { echo "Fail to upload the new shim package to repo!"; exit 1; }
echo "***Finish signing shim***"

echo "***(2) Start signing grub***"
cd ${MY_WORKSPACE}/std/grub-efi
ls sign > /dev/null && echo "Removing old sign folder!" && sudo rm sign -rf
mkdir sign
cp grub-efi-amd64_${GRUB_EFI_VERSION}_amd64.deb ./sign \
    || { echo "No right grub-efi-amd64 deb!"; exit 1; }
cd sign
# Raw-extract grub-efi-amd64 deb
sudo dpkg-deb -R grub-efi-amd64_${GRUB_EFI_VERSION}_amd64.deb ./grub-efi-amd64 \
    || { echo "Fail to extract grub-efi-amd64 deb"; exit 1; }
cd ./grub-efi-amd64/boot/efi/EFI/BOOT

# Copy grubx64.efi to signing server
scp ${SSH_OPTION_NOCHECKING} grubx64.efi ${SIGNING_SERVER}:${UPLOAD_PATH} \
    || { echo "Fail to copy grubx64.efi to signing server!"; exit 1; }
# Sign grubx64.efi
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
    sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/grubx64.efi -t grub \
    || { echo "Fail to sign grubx64.efi!"; exit 1; }
# Copy back signed grubx64.efi
sudo scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/grubx64.efi . \
    || { echo "Fail to copy back signed grub image!"; exit 1; }

cd -
# Repack the grub-efi-amd64 package and replace the one in the repo
dpkg-deb -b ./grub-efi-amd64 grub-efi-amd64_${GRUB_EFI_VERSION}_amd64.deb \
    || { echo "Fail to repack the grub-efi-amd64 package!"; exit 1; }
repo_manage.py delete_pkg -r deb-local-build -p grub-efi-amd64 -t binary -v ${GRUB_EFI_VERSION} \
    || { echo "Fail to delete the old grub-efi-amd64 package from repo!"; exit 1; }
repo_manage.py upload_pkg -r deb-local-build -p ./grub-efi-amd64_${GRUB_EFI_VERSION}_amd64.deb \
    || { echo "Fail to upload the new grub-efi-amd64 package to repo!"; exit 1; }
echo "***Finish signing grub***"

echo "***(3) Prepare gpg signing for lat genimage***"
# The gpg signings are done when build-image. Here prepare the setting file for lat.
YAML_FILE=${MY_REPO_ROOT_DIR}/stx-tools/debian-mirror-tools/config/debian/common/base-bullseye.yaml
# Definition for signing part of rootfs-post-scripts, which is used to sign kernel std/rt images and LockDown.efi.
ROOTFS_SIGNING_FILE=${MY_REPO_ROOT_DIR}/cgcs-root/build-tools/sign_rootfs-post-scripts
# Definition for initramfs-sign-script, which is used to sign initramfs and mini initrd.
INITRAMFS_SIGNING_FILE=${MY_REPO_ROOT_DIR}/cgcs-root/build-tools/sign_initramfs-sign-script

# Enable secure boot when building for secure boot.
sed -i "s/EFI_SECURE_BOOT: disable/EFI_SECURE_BOOT: enable/g" ${YAML_FILE}

# Find the line in base-bullseye.yaml: rootfs-post-scripts
n=$(sed -n -e '/rootfs-post-scripts:/=' ${YAML_FILE})

# Insert sign_rootfs-post-scripts into base-bullseye.yaml in the place of "rootfs-post-scripts:"
# with a format needed.
cat  ${ROOTFS_SIGNING_FILE} | while read line
do
    n=$(expr ${n} + 1)
    line="2SPACE"${line}
    sed -i "${n} i ${line}" ${YAML_FILE}
done
# No space is needed before "- |-"
sed -i "s/2SPACE- |-/- |-/g" ${YAML_FILE}

# Find the line in base-bullseye.yaml: initramfs-sign-script
n=$(sed -n -e '/initramfs-sign-script:/=' ${YAML_FILE})

# Insert sign_initramfs-sign-script into base-bullseye.yaml in the place of "initramfs-sign-script:"
# with a format needed.
cat  ${INITRAMFS_SIGNING_FILE} | while read line
do
    n=$(expr ${n} + 1)
    line="2SPACE"${line}
    sed -i "${n} i ${line}" ${YAML_FILE}
done

# Deal with space format needed by lat.
sed -i "s/2SPACE/  /g" ${YAML_FILE}

# Replace the signing server in the base-bullseye.yaml with the input of this script.
sed -i "s/INPUT_SIGNING_SERVER/${SIGNING_SERVER}/g" ${YAML_FILE}

echo "***Finish preparing gpg signing***"

echo "sign-secure-boot_debian: done"