starlingx
/
tools
Code Issues Proposed changes

LAT: upgrade to 20221226 

We need to improve secure boot on below issues:
(1)The shim/grub are compiled in debian stx instead of lat now,
   but they need to take affect by rebuilding lat sdk;
(2)The kernel/initramfs are signed by keys embedded in meta-secure-core
   (upstream source code related with lat sdk);
(3)There is no automatic process for signing all of them
   (on signing server) and building them into image by lat, although
   the signing interface is designed on signing server;
(4)We need to divide signed build and unsigned build because most
   developers don't have access to signing server.

So these commits are brought out in this topic:
https://review.opendev.org/q/topic:secure_boot_enhancement

To corporate with these commits, changes are done for lat-sdk.sh:
(1) When we move shim/grub images out of lat sdk and use the packages
built by starlingx debian, issues occur. Below changes are done
to solve the errors reported:
  When grub.cfg's path in grub-efi-amd64*.deb is same with the path
it is to be copied as "BOOT_GRUB_CFG", this copying should be avoided.
  There are grub mods installed in grub-efi-amd64*.deb in path
/boot/efi/EFI/BOOT/x86_64-efi, so flag "-r" is needed when rootfs_efi
is copied.
  When EFI_SECURE_BOOT is disabled, bootx64-nosig.efi is copied to
bootx64.efi and there is no need to check if bootx64.efi exits or
not.
(2) Remove all the gpg signings from genimage and add script interface
initramfs-sign-script for signing initramfs and mini_initramfs.
The files about grub.cfg aren't verified by starlingx debian
any more, so the signings aren't needed.
The LockDown.efi and kernel images will be signed in script
rootfs-post-scripts.

Test plan:
 The tests are done with all the changes which involve tools/integ/root
 repo and lat-sdk.sh and signing tools on signing server.
 - PASS: Follow below build process to build unsigned image
         and build successfully:
         build-pkgs
         build-image
 - PASS: Follow below build process to build signed image
         and build successfully:
         Prepare keys on dockers and signing server to setup access
         to signing server without password.
         build-pkgs
         export SIGNING_SERVER="user@signing_server_ip"
         <PATH>/sign-secure-boot_debian
         build-image
         The <PATH> is:
         /localdisk/designer/${USER}/stx/cgcs-root/build-tool
 - PASS: Do AIO-DX installation successfully for both
         unsigned image on secure boot disabled lab and
         signed image on secure boot enabled lab.

Depends-On: https://review.opendev.org/c/starlingx/tools/+/868918

Story: 2009221
Task: 47097

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia144b8e04c110af46ba5732e270ed239adf37aa1
This commit is contained in:
Li Zhou 2023-02-23 05:15:28 -05:00
parent c87e465a01
commit 066f34ea9e
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
stx/dockerfiles/stx-lat-tool.Dockerfile
View File

@ -16,7 +16,7 @@ FROM debian:bullseye
MAINTAINER Chen Qi <Qi.Chen@windriver.com>
ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat-sdk-20221008
ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat-sdk-20221226
# Install necessary packages
RUN apt-get -y update && apt-get --no-install-recommends -y install \