root/build-tools/sign_rootfs-post-scripts
Li Zhou cd58ab18c1 debian: secure boot: add scripts for remote signing
Add scripts for supporting building image for board with
secure boot enabled.

The signing process in script sign-secure-boot_debian:
(1) The kernel/grub efi images are obtained from extracted kernel/grub
packages, and they are sent to signing server and signed there and
copied back. Then the kernel/grub packages are repacked with the
signed efi images.
(2) The file sign_rootfs-post-scripts is inserted to where the
hook script "rootfs-post-scripts" is defined in the lat config file
base-bullseye.yaml. This will sign kernel images and LockDown.efi
on signing sever in the lat build process.
(3) The file sign_initramfs-sign-script is inserted to where the hook
script "initramfs-sign-script" is defined in the lat config file
base-bullseye.yaml. This will sign initramfs and mini initrd in
the lat build process.
(4) EFI_SECURE_BOOT is changed from disabled to enabled.

Build process for signed image is as below:
(1) Prepare keys on dockers and signing server to setup access
to signing server without password:
Use "ssh-keygen -t rsa" to create a ssh key pair, e.g.
    id_rsa.pub and id_rsa.

Prepare on lat docker:
    mkdir ~/.ssh
    copy id_rsa to ~/.ssh directory
Prepare on builder docker:
    mkdir ~/.ssh
    copy id_rsa to ~/.ssh directory
    sudo mkdir /root/.ssh
    sudo copy id_rsa to /root/.ssh directory
(https://review.opendev.org/c/starlingx/tools/+/872742
 simplifies those steps on dockers as:
 stx control keys-add --key-type=signing-server --key=[key file].)

Prepare on signing server:
    append id_rsa.pub to the file on signing server:
    /home/${signing_user}/.ssh/authorized_keys

(2) Run on builder docker:
export SIGNING_SERVER="signing_user@signing_server_ip"
<PATH>/sign-secure-boot_debian
build-image

The <PATH> is:
/localdisk/designer/${USER}/stx/cgcs-root/build-tools

Test plan:
 The tests are done with all the changes which involve tools/integ/root
 repo and lat-sdk.sh and signing tools on signing server.
 - PASS: Follow below build process to build unsigned image
         and build successfully:
         build-pkgs
         build-image
 - PASS: Follow below build process to build signed image
         and build successfully:
         build-pkgs
         export SIGNING_SERVER="user@signing_server_ip"
         <PATH>/sign-secure-boot_debian
         build-image
 - PASS: Do AIO-DX installation successfully for both
         unsigned image on secure boot disabled lab and
         signed image on secure boot enabled lab.
 - PASS: Failure path tests include:
         [NG]unsigned image on secure boot enabled
         [NG]image signed with wrong key on secure boot enabled
         [OK]signed image on secure boot disabled
         NG: fail to boot; OK: succeed to boot.

Depends-On: https://review.opendev.org/c/starlingx/tools/+/868918

Story: 2009221
Task: 47097

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Iea0d03c39f6d3d1fa84577e870675ab103937fbd
2023-02-23 08:10:30 +00:00

60 lines
3.3 KiB
Plaintext

- |-
#
# Copyright (c) 2023 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Fragment of base-bullseye.yaml for signing part of rootfs-post-scripts definition
echo "***Start signing part of rootfs-post-scripts***"
SIGNING_SERVER=INPUT_SIGNING_SERVER
LOCKD_FILE=LockDown.efi
LOCKD_PATH=${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/
LOCKD_INIT=${IMAGE_ROOTFS}/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
KERNEL_RT_FILE=vmlinuz-5.10.0-6-rt-amd64
KERNEL_RT_PATH=${IMAGE_ROOTFS}/boot/
KERNEL_FILE=vmlinuz-5.10.0-6-amd64
KERNEL_PATH=${IMAGE_ROOTFS}/boot/
SSH_OPTION_NOCHECKING="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
REQUEST=$(ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} sudo /opt/signing/sign-debian.sh -r)
UPLOAD_PATH=${REQUEST#*Upload: }
echo "UPLOAD_PATH: ${UPLOAD_PATH}"
[ -z ${UPLOAD_PATH}] && { echo "Fail to request for upload path!"; exit 1; }
echo "(1) Sign LockDown.efi"
scp ${SSH_OPTION_NOCHECKING} ${LOCKD_INIT} ${SIGNING_SERVER}:${UPLOAD_PATH} \
|| { echo "Fail to copy LockDown.efi to signing server!"; exit 1; }
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${LOCKD_FILE} -t grub-gpg \
|| { echo "Fail to sign LockDown.efi!"; exit 1; }
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${LOCKD_FILE}.sig ${LOCKD_PATH} \
|| { echo "Fail to copy back LockDown.efi sig file!"; exit 1; }
echo "(2) Sign kernel-rt"
scp ${SSH_OPTION_NOCHECKING} ${KERNEL_RT_PATH}/${KERNEL_RT_FILE} ${SIGNING_SERVER}:${UPLOAD_PATH} \
|| { echo "Fail to copy kernel-rt image to signing server!"; exit 1; }
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_RT_FILE} -t grub-gpg \
|| { echo "Fail to sign kernel-rt image!"; exit 1; }
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_RT_FILE}.sig ${KERNEL_RT_PATH} \
|| { echo "Fail to copy back kernel-rt image sig file!"; exit 1; }
echo "(3) Sign kernel-std"
scp ${SSH_OPTION_NOCHECKING} ${KERNEL_PATH}/${KERNEL_FILE} ${SIGNING_SERVER}:${UPLOAD_PATH} \
|| { echo "Fail to copy kernel-std image to signing server!"; exit 1; }
ssh ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER} \
sudo /opt/signing/sign-debian.sh -i ${UPLOAD_PATH}/${KERNEL_FILE} -t grub-gpg \
|| { echo "Fail to sign kernel-std image!"; exit 1; }
scp ${SSH_OPTION_NOCHECKING} ${SIGNING_SERVER}:${UPLOAD_PATH}/${KERNEL_FILE}.sig ${KERNEL_PATH} \
|| { echo "Fail to copy back kernel-std image sig file"; exit 1; }
echo "***Finish signing part of rootfs-post-scripts***"