LAT: upgrade to 20221226
We need to improve secure boot on below issues: (1)The shim/grub are compiled in debian stx instead of lat now, but they need to take affect by rebuilding lat sdk; (2)The kernel/initramfs are signed by keys embedded in meta-secure-core (upstream source code related with lat sdk); (3)There is no automatic process for signing all of them (on signing server) and building them into image by lat, although the signing interface is designed on signing server; (4)We need to divide signed build and unsigned build because most developers don't have access to signing server. So these commits are brought out in this topic: https://review.opendev.org/q/topic:secure_boot_enhancement To corporate with these commits, changes are done for lat-sdk.sh: (1) When we move shim/grub images out of lat sdk and use the packages built by starlingx debian, issues occur. Below changes are done to solve the errors reported: When grub.cfg's path in grub-efi-amd64*.deb is same with the path it is to be copied as "BOOT_GRUB_CFG", this copying should be avoided. There are grub mods installed in grub-efi-amd64*.deb in path /boot/efi/EFI/BOOT/x86_64-efi, so flag "-r" is needed when rootfs_efi is copied. When EFI_SECURE_BOOT is disabled, bootx64-nosig.efi is copied to bootx64.efi and there is no need to check if bootx64.efi exits or not. (2) Remove all the gpg signings from genimage and add script interface initramfs-sign-script for signing initramfs and mini_initramfs. The files about grub.cfg aren't verified by starlingx debian any more, so the signings aren't needed. The LockDown.efi and kernel images will be signed in script rootfs-post-scripts. Test plan: The tests are done with all the changes which involve tools/integ/root repo and lat-sdk.sh and signing tools on signing server. - PASS: Follow below build process to build unsigned image and build successfully: build-pkgs build-image - PASS: Follow below build process to build signed image and build successfully: Prepare keys on dockers and signing server to setup access to signing server without password. build-pkgs export SIGNING_SERVER="user@signing_server_ip" <PATH>/sign-secure-boot_debian build-image The <PATH> is: /localdisk/designer/${USER}/stx/cgcs-root/build-tool - PASS: Do AIO-DX installation successfully for both unsigned image on secure boot disabled lab and signed image on secure boot enabled lab. Depends-On: https://review.opendev.org/c/starlingx/tools/+/868918 Story: 2009221 Task: 47097 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia144b8e04c110af46ba5732e270ed239adf37aa1
This commit is contained in:
parent
c87e465a01
commit
066f34ea9e
|
@ -16,7 +16,7 @@ FROM debian:bullseye
|
|||
|
||||
MAINTAINER Chen Qi <Qi.Chen@windriver.com>
|
||||
|
||||
ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat-sdk-20221008
|
||||
ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat-sdk-20221226
|
||||
|
||||
# Install necessary packages
|
||||
RUN apt-get -y update && apt-get --no-install-recommends -y install \
|
||||
|
|
Loading…
Reference in New Issue