Fix systemd-boot signing on sealed image test #1809
Conversation
force-pushed 64da24a to a20e12c
Code Review
This pull request effectively addresses the systemd-boot signing issue for sealed images, which is a great step forward for secure boot testing. The introduction of a dedicated Dockerfile.sdboot for the signing process is a clean approach. My review includes a few suggestions to enhance the new Dockerfile's robustness and readability, and a note on a temporarily disabled lint check.
force-pushed 6bd32cd to 4ffe2f6
added automatic key enrollment (with sdboot) in
cgwalters
left a comment
Thanks so much for starting this! Basically let's get the buildsystem rework in to properly sign systemd-boot first, and then look at the key autoenrollment as a distinct second step.
I can take a look at the first one, starting from the work here if you prefer!
Signed-off-by: Gareth Widlansky <gareth.widlansky@proton.me>
Alright, split out the code for autoenroll to just focus on signing systemd-boot in CI.

#1818: new PR for auto enrollment here
| certutil -N -d pesign --empty-password | ||
| openssl pkcs12 -export -password 'pass:' -inkey /run/secrets/key -in /run/secrets/cert -out db.p12 | ||
| pk12util -i db.p12 -W '' -d pesign | ||
| subject=$(openssl x509 -in /run/secrets/cert -subject | grep '^subject=CN=' | sed 's/^subject=CN=//') |
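Review bot: the `subject=` extraction on the last line is brittle, because the default `-subject` output format depends on the OpenSSL version (`subject= /CN=...` on 1.0.x, `subject=CN = ...` with spaces around `=` on 1.1.x and 3.x), so `grep '^subject=CN='` can match nothing and leave `subject` empty without any error at this point; `openssl x509 -subject` without `-noout` also prints the whole PEM body, which the grep is silently discarding. Suggest `openssl x509 -noout -subject -nameopt RFC2253 -in /run/secrets/cert` for a stable `subject=CN=...` form, followed by a `[ -n "$subject" ]` check that fails the build when no CN is found. Separately, `db.p12` bundles the private key under an empty password; remove it once `pk12util` has imported it into the pesign database.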
Having a second copy of this code isn't fatal, but I think we could factor out a shared helper for this too.
cgwalters
left a comment
Thanks again for starting this! Is it OK if I try some force pushing to this PR and we co-author?
Yeah, go for it, just was cleaning up the comments and extra mounts.
Fixes systemd-boot signing: before, the systemd-boot binary was signed on the buildroot but not on the target image, resulting in an unbootable image with secure boot enabled and the proper keys enrolled. This PR fixes it by first signing systemd-boot on the image (assumes it is installed), copying it over to the final image, then computing the digest, and finally signing and creating the UKI with a different multi-stage build. Definitely a little jank, and #1498 does look like a better solution in the long term; however, this at least gets the image into a bootable state on secure boot and allows for testing secure boot in VMs. Would be happy to take a stab at proper image-building UX, but I'm not sure if that already has work done or if y'all have a particular vision in mind for the build system.
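The signing step above needs the CN of the signing certificate, and the Dockerfile.sdboot snippet in this PR derives it by grepping the default `openssl x509 -subject` output, whose format varies between OpenSSL versions. The following is an added example, not code from this PR or from the project: it extracts the CN using the fixed RFC2253 name format and fails loudly when no CN is present. It assumes `openssl` is on PATH; the self-signed certificate it generates is a constructed fixture with a multi-RDN subject, which is the case the single-RDN grep does not cover.

```shell
#!/bin/sh
# Added example (not the PR's code): look up a certificate's subject CN in a
# way that does not depend on the default "-subject" output format.
set -eu

# cert_cn FILE: print the CN from the subject of the PEM certificate FILE,
# or fail with a message if the subject carries no CN.
cert_cn() {
    # -nameopt RFC2253 gives "subject=CN=foo,O=bar" on every OpenSSL release
    # since 1.1; the sed keeps only the value of the CN attribute.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject= *\(.*,\)\{0,1\}CN=\([^,]*\).*$/\2/p')
    [ -n "$cn" ] || { echo "no CN in subject of $1" >&2; return 1; }
    printf '%s\n' "$cn"
}

# make_fixture: constructed test input, a throwaway self-signed certificate
# whose subject has two RDNs (O and CN). Prints the path of the PEM file.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 \
        -subj "/O=Example Org/CN=sdboot-db" >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}
```

Calling `cert_cn "$(make_fixture)"` prints `sdboot-db`; with the PR's `grep '^subject=CN='` pattern the same certificate yields an empty string on OpenSSL 1.1 and 3.x, because the default format prints `subject=O = Example Org, CN = sdboot-db`.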