cd58ab18c1
Add scripts for supporting building image for board with secure boot enabled.

The signing process in script sign-secure-boot_debian:
(1) The kernel/grub efi images are obtained from extracted kernel/grub packages, and they are sent to signing server and signed there and copied back. Then the kernel/grub packages are repacked with the signed efi images.
(2) The file sign_rootfs-post-scripts is inserted to where the hook script "rootfs-post-scripts" is defined in the lat config file base-bullseye.yaml. This will sign kernel images and LockDown.efi on signing server in the lat build process.
(3) The file sign_initramfs-sign-script is inserted to where the hook script "initramfs-sign-script" is defined in the lat config file base-bullseye.yaml. This will sign initramfs and mini initrd in the lat build process.
(4) EFI_SECURE_BOOT is changed from disabled to enabled.

Build process for signed image is as below:
(1) Prepare keys on dockers and signing server to set up access to signing server without password:
    Use "ssh-keygen -t rsa" to create a ssh key pair, e.g. id_rsa.pub and id_rsa.
    Prepare on lat docker:
        mkdir ~/.ssh
        copy id_rsa to ~/.ssh directory
    Prepare on builder docker:
        mkdir ~/.ssh
        copy id_rsa to ~/.ssh directory
        sudo mkdir /root/.ssh
        sudo copy id_rsa to /root/.ssh directory
    (https://review.opendev.org/c/starlingx/tools/+/872742 simplifies those steps on dockers as: stx control keys-add --key-type=signing-server --key=[key file].)
    Prepare on signing server:
        append id_rsa.pub to the file on signing server: /home/${signing_user}/.ssh/authorized_keys
(2) Run on builder docker:
    export SIGNING_SERVER="signing_user@signing_server_ip"
    <PATH>/sign-secure-boot_debian
    build-image
    The <PATH> is: /localdisk/designer/${USER}/stx/cgcs-root/build-tools

Test plan:
The tests are done with all the changes which involve tools/integ/root repo and lat-sdk.sh and signing tools on signing server.
- PASS: Follow below build process to build unsigned image and build successfully:
    build-pkgs
    build-image
- PASS: Follow below build process to build signed image and build successfully:
    build-pkgs
    export SIGNING_SERVER="user@signing_server_ip"
    <PATH>/sign-secure-boot_debian
    build-image
- PASS: Do AIO-DX installation successfully for both unsigned image on secure boot disabled lab and signed image on secure boot enabled lab.
- PASS: Failure path tests include:
    [NG] unsigned image on secure boot enabled
    [NG] image signed with wrong key on secure boot enabled
    [OK] signed image on secure boot disabled
    NG: fail to boot; OK: succeed to boot.

Depends-On: https://review.opendev.org/c/starlingx/tools/+/868918
Story: 2009221
Task: 47097
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Iea0d03c39f6d3d1fa84577e870675ab103937fbd
52 lines
3.0 KiB
Plaintext
#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Fragment of base-bullseye.yaml for initramfs-sign-script definition
echo "***Start initramfs-sign-script***"
SIGNING_SERVER=INPUT_SIGNING_SERVER
INITRAMFS_PATH=/localdisk/deploy/
INITRAMFS_INIT=$(ls ${INITRAMFS_PATH}/starlingx-initramfs-ostree-image-intel-x86-64-*.rootfs.cpio.gz)
[ -z "${INITRAMFS_INIT}" ] && { echo "No initramfs file!"; exit 1; }
INITRAMFS_FILE=$(basename ${INITRAMFS_INIT})
INITRD_MINI_FILE=initrd-mini
INITRD_MINI_PATH=/localdisk/workdir/starlingx/rootfs/var/miniboot/
# These options turn off SSH host key checking, so the identity of the
# signing server is not verified when connecting.
SSH_OPTION_NOCHECKING="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
# Request an upload directory; the path follows "Upload: " in the reply.
REQUEST=$(ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} sudo /opt/signing/sign-debian.sh -r)
UPLOAD_PATH=${REQUEST#*Upload: }
echo UPLOAD_PATH: ${UPLOAD_PATH}
[ -z "${UPLOAD_PATH}" ] && { echo "Fail to request for upload path!"; exit 1; }
echo "(4) Sign initramfs"
scp ${SSH_OPTION_NOCHECKING} ${INITRAMFS_PATH}/${INITRAMFS_FILE} ${SIGNING_SERVER}:${UPLOAD_PATH} \
    || { echo "Fail to copy initramfs file to signing server!"; exit 1; }
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
    sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${INITRAMFS_FILE} -t grub-gpg \
    || { echo "Fail to sign initramfs file!"; exit 1; }
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${INITRAMFS_FILE}.sig ${INITRAMFS_PATH} \
    || { echo "Fail to copy back initramfs sig file!"; exit 1; }
# Version-independent link name pointing at the signature just copied back.
ln -snf -r ${INITRAMFS_PATH}/${INITRAMFS_FILE}.sig ${INITRAMFS_PATH}/starlingx-initramfs-ostree-image-intel-x86-64.cpio.gz.sig \
    || { echo "Fail to create the initramfs sig file's link!"; exit 1; }
echo "(5) Sign mini initramfs"
scp ${SSH_OPTION_NOCHECKING} ${INITRD_MINI_PATH}/${INITRD_MINI_FILE} ${SIGNING_SERVER}:${UPLOAD_PATH} \
    || { echo "Fail to copy mini initrd file to signing server!"; exit 1; }
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
    sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${INITRD_MINI_FILE} -t grub-gpg \
    || { echo "Fail to sign mini initrd file!"; exit 1; }
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${INITRD_MINI_FILE}.sig ${INITRD_MINI_PATH} \
    || { echo "Fail to copy back mini initrd sig file!"; exit 1; }
echo "***Finish initramfs-sign-script***"
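
The fragment above trusts two things it does not check: the SSH host it reaches and the path it parses out of the server's reply. The following is an added example, not code from the StarlingX repository, showing host key pinning and upload path validation; the function names and the known_hosts location are hypothetical, and the sample reply is constructed (only the "Upload: " marker comes from the script).

```shell
#!/bin/sh
# Added example, not StarlingX code. Function names and the known_hosts
# path are hypothetical; the reply text is constructed.

# Pin the signing server's host key (recorded out of band in file $1)
# instead of discarding it with UserKnownHostsFile=/dev/null.
ssh_pinned_options() {
    printf '%s' "-o UserKnownHostsFile=$1 -o StrictHostKeyChecking=yes -o BatchMode=yes"
}

# Extract the path after "Upload: " from the reply in $1. Succeeds only
# for a single absolute path made of [A-Za-z0-9._/-] with no ".." part,
# so the value is safe to reuse in later ssh/scp command lines.
parse_upload_path() {
    reply=$1
    case $reply in
        *"Upload: "*) ;;
        *) return 1 ;;   # marker absent: never fall back to the raw reply
    esac
    path=${reply#*Upload: }
    path=$(printf '%s\n' "$path" | head -n 1 | tr -d '\r')
    case $path in
        /*) ;;
        *) return 1 ;;   # empty or relative
    esac
    case $path in
        *[!A-Za-z0-9._/-]*) return 1 ;;   # spaces, quotes, ';', '$', ...
        */../*|*/..) return 1 ;;          # parent-directory traversal
    esac
    printf '%s\n' "$path"
}

# Constructed sample reply standing in for the output of
# "sign-debian.sh -r"; only the "Upload: " marker comes from the page.
SAMPLE_REPLY='Upload: /tmp/sign-upload.Ab12'
if UPLOAD_PATH=$(parse_upload_path "$SAMPLE_REPLY"); then
    echo "UPLOAD_PATH: ${UPLOAD_PATH}"
    echo "ssh $(ssh_pinned_options /etc/signing/known_hosts) ..."
else
    echo "Fail to request for upload path!" >&2
fi
```

With the original `${REQUEST#*Upload: }` expansion alone, a reply that lacks the marker leaves the whole reply in `UPLOAD_PATH`, so the emptiness check passes; the explicit marker test here closes that gap.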