grub_install.sh: Refactor and sign official builds with Azure Key Vault
chewi committed Nov 1, 2024
1 parent 7d2a4a1 commit cb828c9
Showing 1 changed file with 33 additions and 62 deletions.
95 changes: 33 additions & 62 deletions build_library/grub_install.sh
Expand Up @@ -56,6 +56,7 @@ case "${FLAGS_target}" in
CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
CORE_NAME="core.efi"
SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
EFI_ARCH="x64"
;;
x86_64-xen)
CORE_NAME="core.elf"
Expand All @@ -64,6 +65,7 @@ case "${FLAGS_target}" in
CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
CORE_NAME="core.efi"
SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
EFI_ARCH="aa64"
;;
*)
die_notrace "Unknown GRUB target ${FLAGS_target}"
Expand Down Expand Up @@ -106,6 +108,7 @@ trap cleanup EXIT
info "Installing GRUB ${FLAGS_target} in ${FLAGS_disk_image##*/}"
LOOP_DEV=$(sudo losetup --find --show --partscan "${FLAGS_disk_image}")
ESP_DIR=$(mktemp --directory)
SIGN_CERT_DIR=$(mktemp --directory)
MOUNTED=

for (( i=0; i<5; ++i )); do
Expand Down Expand Up @@ -190,44 +193,52 @@ case "${FLAGS_target}" in
sudo dd bs=448 count=1 status=none if="${LOOP_DEV}" \
of="${ESP_DIR}/${GRUB_DIR}/mbr.bin"
;;
x86_64-efi)
info "Installing default x86_64 UEFI bootloader."
x86_64-efi|arm64-efi)
info "Installing default ${FLAGS_target} UEFI bootloader."
sudo mkdir -p "${ESP_DIR}/EFI/boot"
# Use the test keys for signing unofficial builds
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
export \
PKCS11_MODULE_PATH="/usr/lib64/pkcs11/azure_kms_pkcs11.so" \
AZURE_KEYVAULT_URL="https://chewi-test.vault.azure.net/" \
AWS_KMS_PKCS11_DEBUG=1

p11-kit export-object "pkcs11:token=flatcar-dev-cert;type=cert" \
> "${ESP_DIR}/${SIGN_CERT_DIR}/flatcar-dev-cert.pem"

SBSIGN=(
sudo sbsign
--engine pkcs11
--key "pkcs11:token=flatcar-dev-cert"
--cert "${ESP_DIR}/${SIGN_CERT_DIR}/flatcar-dev-cert.pem"
)

# Sign the GRUB with the shim-embedded key
sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
--cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
"${SBSIGN[@]}" --output "${ESP_DIR}/EFI/boot/grub${EFI_ARCH}.efi" \
"${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
"${ESP_DIR}/EFI/boot/grubx64.efi"
sudo rm "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"

# Sign the mokmanager(mm) with the shim-embedded key
sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
--cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
"${BOARD_ROOT}/usr/lib/shim/mmx64.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/mmx64.efi.signed" \
"${ESP_DIR}/EFI/boot/mmx64.efi"

sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/DB.key \
--cert ${BOARD_ROOT}/usr/share/sb_keys/DB.crt \
--output "${ESP_DIR}/EFI/boot/bootx64.efi" \
"${SBSIGN[@]}" --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"

"${SBSIGN[@]}" --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
"/usr/lib/shim/shim.efi"
else
sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
"${ESP_DIR}/EFI/boot/grubx64.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/shimx64.efi.signed" \
"${ESP_DIR}/EFI/boot/bootx64.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/mmx64.efi" \
"${ESP_DIR}/EFI/boot/mmx64.efi"
"${ESP_DIR}/EFI/boot/grub${EFI_ARCH}.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi.signed" \
"${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \
"${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi"
fi
# copying from vfat so ignore permissions
if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub${EFI_ARCH}.efi" \
"${FLAGS_copy_efi_grub}"
fi
if [[ -n "${FLAGS_copy_shim}" ]]; then
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootx64.efi" \
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
"${FLAGS_copy_shim}"
fi
;;
Expand All @@ -239,46 +250,6 @@ case "${FLAGS_target}" in
sudo cp "${BUILD_LIBRARY_DIR}/menu.lst" \
"${ESP_DIR}/boot/grub/menu.lst"
;;
arm64-efi)
info "Installing default arm64 UEFI bootloader."
sudo mkdir -p "${ESP_DIR}/EFI/boot"
# Use the test keys for signing unofficial builds
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
# Sign the GRUB with the shim-embedded key
sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
--cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
"${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
"${ESP_DIR}/EFI/boot/grubaa64.efi"
sudo rm "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
# Sign the mokmanager(mm) with the shim-embedded key
sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
--cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
"/usr/lib/shim/mmaa64.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/mmaa64.efi.signed" \
"${ESP_DIR}/EFI/boot/mmaa64.efi"

sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/DB.key \
--cert ${BOARD_ROO}/usr/share/sb_keys/DB.crt \
--output "${ESP_DIR}/EFI/boot/bootaa64.efi" \
"/usr/lib/shim/shim.efi"
else
sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
"${ESP_DIR}/EFI/boot/grubaa64.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/shimaa64.efi.signed" \
"${ESP_DIR}/EFI/boot/bootaa64.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/mmaa64.efi" \
"${ESP_DIR}/EFI/boot/mmaa64.efi"
fi
#FIXME(andrejro): shim not ported to aarch64
sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
"${ESP_DIR}/EFI/boot/bootaa64.efi"
if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
# copying from vfat so ignore permissions
cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubaa64.efi" \
"${FLAGS_copy_efi_grub}"
fi
;;
esac

cleanup
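Review bot: The certificate path used at the `p11-kit export-object` redirect and again in the `--cert` argument of the SBSIGN array joins two mktemp results, `"${ESP_DIR}/${SIGN_CERT_DIR}/flatcar-dev-cert.pem"`; because SIGN_CERT_DIR is itself an absolute directory from `mktemp --directory`, the combined path names a directory that does not exist, so the redirect fails, and had it resolved it would have dropped the signing certificate inside the ESP image. Both occurrences should read `"${SIGN_CERT_DIR}/flatcar-dev-cert.pem"`. The `export`ed PKCS11_MODULE_PATH and AZURE_KEYVAULT_URL are set in the unprivileged shell while `sbsign --engine pkcs11` runs under sudo, which by default resets the environment, so the engine may not see the module or vault unless sudo is configured to pass them through or they are supplied as `sudo env PKCS11_MODULE_PATH=... sbsign ...`. The hard-coded personal test vault URL and `AWS_KMS_PKCS11_DEBUG=1` read as development leftovers; the vault URL belongs in a flag or environment variable and debug output should be off on a path that signs boot artefacts. Whether the existing cleanup trap also removes SIGN_CERT_DIR is outside this hunk.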
