examples/unified-secureboot: Add Secure Boot signed example #60
Conversation
travier
force-pushed
the
main-sb-signed
branch
from
be395c1 to
00ee1c0
Compare
|
I think the issues were caused by using |
travier
force-pushed
the
main-sb-signed
branch
4 times, most recently
from
c41d676 to
83a3268
Compare
travier
force-pushed
the
main-sb-signed
branch
from
83a3268 to
a2c2d14
Compare
Signed-off-by: Timothée Ravier <[email protected]>
We need an fs-verity enabled for this operation so mount it from the host which is more likely to have it (btrfs or ext4). Signed-off-by: Timothée Ravier <[email protected]>
- Based on `unified` example - Generate keys for Secure Boot signing on demand - Add mokutil to list Secure Boot related info - Sign the UKI & systemd-boot - Generate EUFI VARS including only our own keys and pass it to the EDK2 firwmare with QEMU Signed-off-by: Timothée Ravier <[email protected]>
travier
force-pushed
the
main-sb-signed
branch
from
a2c2d14 to
694362a
Compare
travier
changed the title
| Image](https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md). If this image is signed then the signature effectively covers every single file in the filesystem. This works with a special form of multi-stage `Containerfile` which builds a base image, measures it using `cfsctl` and then uses that measurement to inject the composefs image fs-verity hash into the second stage of the build which actually builds the UKI (and embeds the hash into the `.cmdline`). We avoid a circular hash dependency by removing the UKI from the final image via a white-out (but `cfsctl` still knows how to find it). | ||
| - `bls`: an OS built around a separate kernel and initramfs installed with a [Type #1 Boot Loader Specification Entries](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-1-boot-loader-specification-entries). In this case we simply hack the bootloader entry to refer to the correct composefs hash at install type. | ||
| - `unified`: similar to the `uki` example, but avoiding the intermediate `cfsctl` step by running `cfsctl` inside a build stage from the `Containerfile` itself. This involves bind-mounting the earlier build stage of the base image so that we can measure it from inside the stage that builds the UKI. | ||
| - `uki`: an OS built around a [Unified Kernel Image](https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md). |
There was a problem hiding this comment.
I'm not sure why I did such long lines here. Maybe it would make more sense to wrap on 72 or something?
| @@ -13,10 +13,12 @@ CFSCTL='./cfsctl --repo tmp/sysroot/composefs' | |||
| rm -rf tmp | |||
| mkdir -p tmp/sysroot/composefs tmp/sysroot/var | |||
|
|
|||
| # mkdir tmp/internal-sysroot # for debugging | |||
| # podman build -v $(pwd)/tmp/internal-sysroot:/tmp/sysroot:z,U --iidfile=tmp/iid "$@" . | |||
There was a problem hiding this comment.
This is really strange: in my head I committed this without this code commented out. Thanks for bringing it back.
I wonder if this would let us enable the unified example in GitHub Actions.
|
|
||
| set -eux | ||
|
|
||
| cd "${0%/*}" | ||
|
|
||
| if [[ -d "secureboot" ]]; then |
There was a problem hiding this comment.
Do you think it might make sense to make this into a separate script as well? The secureboot-related bits of it are ~80-90% of the file at this point.
There was a problem hiding this comment.
On the other hand, it might be interesting (in theory) to be able to add secure boot support to the other examples. hmm.
There was a problem hiding this comment.
Yes, ideally we should add Secure Boot to all examples so we don't need distinct ones for Secure Boot.
I can also copy this script if you prefer.
| if [[ ! -d "secureboot" ]]; then | ||
| echo "Generating test Secure Boot keys" | ||
| mkdir secureboot | ||
| pushd secureboot > /dev/null |
There was a problem hiding this comment.
I sort of like doing this pattern:
(
cd secureboot
...
)| mkdir -p tmp/efi/loader | ||
| echo 'timeout 3' > tmp/efi/loader/loader.conf | ||
| mkdir -p tmp/efi/EFI/BOOT tmp/efi/EFI/systemd | ||
| sbsign --key secureboot/db.key --cert secureboot/db.crt \ |
There was a problem hiding this comment.
So we sign the UKI inside of the container build but we do this out of band. That's interesting...
Of course we can't sign the kernel out here, because it's part of the image itself...
I guess this starts to brush up against ideas about bootupd and how to get the boot resources from inside of the container...
There was a problem hiding this comment.
This is clearly a shortcut here. We should sign it in the container like we do for the UKI and then extract it for the image setup.
The might be future setups where people would want to "pause" the build to be able to send their artifacts for signing "somewhere" (HSM, remote service, etc.) and then resume it with the signed artifacts.
examples/README: Split each sentence on its own line
Signed-off-by: Timothée Ravier [email protected]
examples/unified: Bind mount /tmp/sysroot
We need an fs-verity enabled for this operation so mount it from the
host which is more likely to have it (btrfs or ext4).
Signed-off-by: Timothée Ravier [email protected]
examples/unified-secureboot: Add Secure Boot signed example
unifiedexamplefirwmare with QEMU
Signed-off-by: Timothée Ravier [email protected]