cd58ab18c1
Add scripts for supporting building image for board with secure boot enabled.

The signing process in script sign-secure-boot_debian:

(1) The kernel/grub efi images are obtained from extracted kernel/grub packages, and they are sent to signing server and signed there and copied back. Then the kernel/grub packages are repacked with the signed efi images.

(2) The file sign_rootfs-post-scripts is inserted to where the hook script "rootfs-post-scripts" is defined in the lat config file base-bullseye.yaml. This will sign kernel images and LockDown.efi on signing server in the lat build process.

(3) The file sign_initramfs-sign-script is inserted to where the hook script "initramfs-sign-script" is defined in the lat config file base-bullseye.yaml. This will sign initramfs and mini initrd in the lat build process.

(4) EFI_SECURE_BOOT is changed from disabled to enabled.

Build process for signed image is as below:

(1) Prepare keys on dockers and signing server to set up access to signing server without password:

Use "ssh-keygen -t rsa" to create a ssh key pair, e.g. id_rsa.pub and id_rsa.

Prepare on lat docker:
  mkdir ~/.ssh
  copy id_rsa to ~/.ssh directory

Prepare on builder docker:
  mkdir ~/.ssh
  copy id_rsa to ~/.ssh directory
  sudo mkdir /root/.ssh
  sudo copy id_rsa to /root/.ssh directory

(https://review.opendev.org/c/starlingx/tools/+/872742 simplifies those steps on dockers as: stx control keys-add --key-type=signing-server --key=[key file].)

Prepare on signing server:
  append id_rsa.pub to the file on signing server: /home/${signing_user}/.ssh/authorized_keys

(2) Run on builder docker:
  export SIGNING_SERVER="signing_user@signing_server_ip"
  <PATH>/sign-secure-boot_debian
  build-image

The <PATH> is: /localdisk/designer/${USER}/stx/cgcs-root/build-tools

Test plan:

The tests are done with all the changes which involve tools/integ/root repo and lat-sdk.sh and signing tools on signing server.

- PASS: Follow below build process to build unsigned image and build successfully:
  build-pkgs
  build-image

- PASS: Follow below build process to build signed image and build successfully:
  build-pkgs
  export SIGNING_SERVER="user@signing_server_ip"
  <PATH>/sign-secure-boot_debian
  build-image

- PASS: Do AIO-DX installation successfully for both unsigned image on secure boot disabled lab and signed image on secure boot enabled lab.

- PASS: Failure path tests include:
  [NG] unsigned image on secure boot enabled
  [NG] image signed with wrong key on secure boot enabled
  [OK] signed image on secure boot disabled
  NG: fail to boot; OK: succeed to boot.

Depends-On: https://review.opendev.org/c/starlingx/tools/+/868918

Story: 2009221
Task: 47097

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Iea0d03c39f6d3d1fa84577e870675ab103937fbd
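The signing round trip described in the commit message (extract the EFI image, ship it to the signing server, copy it back, repack the package) has an obvious failure mode that the test plan's "[NG] unsigned image on secure boot enabled" line exercises at boot time: if the copy-back silently fails, an unsigned kernel or grub EFI image gets repacked and the resulting ISO is only discovered to be broken on a Secure Boot lab. A cheap build-time gate is to parse each returned PE image and refuse to repack it unless it carries an Authenticode certificate table (data directory index 4) holding a PKCS#7 SignedData WIN_CERTIFICATE, which is what sbsign-style signing produces. The following is an added example written for this page, not code from the StarlingX build tools; it builds a minimal constructed PE32+ EFI stub for demonstration rather than reading a real vmlinuz or grubx64.efi, and the function and file names are assumptions.

```python
"""Build-time gate for Secure Boot artifacts: confirm an EFI PE image carries an
Authenticode certificate table before it is repacked into a kernel/grub package.
Added example for this page; not part of the StarlingX build tools."""
import os
import struct
import tempfile

# Constants from the PE/COFF and Authenticode specifications.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # certificate table slot
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
OPT_HDR_START = 0x40 + 4 + 20             # DOS stub + "PE\0\0" + COFF header (constructed image)


def authenticode_status(data):
    """Return (status, detail) for a PE image held in memory.

    status is "signed", "unsigned" or "malformed"; detail is the certificate
    table (offset, length) for a signed image, otherwise a reason string.
    Presence/format check only: it does not verify the PKCS#7 signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "malformed", "no MZ header"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "malformed", "no PE signature at e_lfanew"
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112    # NumberOfRvaAndSizes / first DataDirectory
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    else:
        return "malformed", "unknown optional header magic 0x%x" % magic
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs_off + 8 * ndirs > opt_size:
        return "unsigned", "no certificate table directory entry"
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_len == 0:
        return "unsigned", "certificate table entry is empty"
    # For the security directory the first field is a file offset, not an RVA.
    if cert_len < 8 or cert_off + cert_len > len(data):
        return "malformed", "certificate table lies outside the file"
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "malformed", "WIN_CERTIFICATE is not a PKCS#7 SignedData entry"
    if dw_length > cert_len:
        return "malformed", "WIN_CERTIFICATE dwLength exceeds the directory size"
    return "signed", (cert_off, dw_length)


def check_efi_image(path):
    """Read a PE image from disk and return its Authenticode status tuple."""
    with open(path, "rb") as fh:
        return authenticode_status(fh.read())


def build_efi_stub(signature_blob=None):
    """Construct a minimal PE32+ EFI application image (constructed test data,
    not a bootable binary).  When signature_blob is given it is appended as a
    WIN_CERTIFICATE and referenced from the certificate table entry."""
    ndirs = 16
    opt_size = 112 + 8 * ndirs
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, ndirs)
    image = dos + b"PE\0\0" + coff + opt
    if signature_blob is not None:
        image += b"\0" * (-len(image) % 8)                 # table is 8-byte aligned
        cert_off = len(image)
        cert = struct.pack("<IHH", 8 + len(signature_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", image, OPT_HDR_START + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    # Constructed stand-ins for an image that came back unsigned and one that
    # came back with a (dummy) PKCS#7 blob attached.
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("grubx64.efi", None), ("vmlinuz", b"\x30\x82\x01\x00" + b"A" * 20)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(build_efi_stub(blob))
            status, detail = check_efi_image(path)
            verdict = "repack" if status == "signed" else "REFUSE"
            print("%s: %s (%s) -> %s" % (name, status, detail, verdict))
```

This gate catches the silent-copy-back failure and a truncated or garbage return from the signing server, but it deliberately stops short of the test plan's second failure path, "image signed with wrong key": distinguishing a valid signature under the wrong key from one under the platform db key requires verifying the PKCS#7 SignedData against the expected certificate, which is what `sbverify --cert <cert.pem> <image>` does and which would be the natural second stage of the same gate.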
| Name |
|---|
| .. |
| branching |
| build_guest |
| build_iso |
| build_minimal_iso |
| build-docker-images |
| build-wheels |
| certificates |
| deb-utils |
| mk |
| repo_files |
| requirements |
| signing |
| stx |
| unit-tests |
| audit-pkgs |
| build-avoidance-utils.sh |
| build-guest |
| build-helm-charts.sh |
| build-img |
| build-iso |
| build-pkg-srpm |
| build-pkgs |
| build-pkgs-parallel |
| build-pkgs-serial |
| build-remote-cli.sh |
| build-rpms |
| build-rpms-parallel |
| build-rpms-serial |
| build-srpms |
| build-srpms-common.sh |
| build-srpms-parallel |
| build-srpms-serial |
| Cached_Data.txt |
| classify |
| create_dependancy_cache.py |
| create-yum-conf |
| deb-utils.sh |
| default_build_srpm |
| find_klm |
| find_patched_srpms_needing_upgrade |
| git-repo-utils.sh |
| git-utils.sh |
| helm_chart_modify.py |
| image-utils.sh |
| ip_report.py |
| make-installer-images.sh |
| mock_cfg_to_yum_conf.py |
| mockchain-parallel |
| mockchain-parallel-1.3.4 |
| mockchain-parallel-1.4.16 |
| mockchain-parallel-2.6 |
| mockchain-parallel-2.7 |
| modify-build-cfg |
| patch_rebase_1 |
| patch_rebase_2 |
| patch_rebase_3 |
| patch_rebase_4 |
| patch-iso |
| patch-iso-debian |
| pkg-manager-utils.sh |
| repo-utils.sh |
| sign_initramfs-sign-script |
| sign_iso_formal.sh |
| sign_patch_formal.sh |
| sign_rootfs-post-scripts |
| sign-rpms |
| sign-secure-boot |
| sign-secure-boot_debian |
| source_lookup.txt |
| spec-utils |
| srpm-utils |
| stxRpmUtils.py |
| sync_jenkins.sh |
| sync-jenkins |
| tis.macros |
| update-efiboot-image |
| update-pxe-network-installer |
| url_utils.sh |
| utils.sh |
| wheel-utils.sh |
| wrs_orig.txt |
| yum-builddep-wrapper |