From cb828c99ddaeceeacfea8f887ca66f3fa7e76016 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Fri, 1 Nov 2024 12:40:43 +0000
Subject: [PATCH] grub_install.sh: Refactor and sign official builds with Azure Key Vault

---
 build_library/grub_install.sh | 95 ++++++++++++----------------------
 1 file changed, 33 insertions(+), 62 deletions(-)

diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index dffe4059bd..79979e2513 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -56,6 +56,7 @@ case "${FLAGS_target}" in
         CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
         CORE_NAME="core.efi"
         SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
+        EFI_ARCH="x64"
         ;;
     x86_64-xen)
         CORE_NAME="core.elf"
@@ -64,6 +65,7 @@ case "${FLAGS_target}" in
         CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
         CORE_NAME="core.efi"
         SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
+        EFI_ARCH="aa64"
         ;;
     *)
         die_notrace "Unknown GRUB target ${FLAGS_target}"
@@ -106,6 +108,7 @@ trap cleanup EXIT
 info "Installing GRUB ${FLAGS_target} in ${FLAGS_disk_image##*/}"
 LOOP_DEV=$(sudo losetup --find --show --partscan "${FLAGS_disk_image}")
 ESP_DIR=$(mktemp --directory)
+SIGN_CERT_DIR=$(mktemp --directory)
 MOUNTED=
 
 for (( i=0; i<5; ++i )); do
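Review bot: `SIGN_CERT_DIR=$(mktemp --directory)` creates a second temporary directory, but nothing in this patch removes it, so every run leaves the exported-certificate directory behind in /tmp. The `trap cleanup EXIT` shown in the hunk header suggests `cleanup` is where `ESP_DIR` is torn down; that function is outside the hunk and the diff does not touch it, so it cannot know about the new variable. Add `[[ -n ${SIGN_CERT_DIR} ]] && rm -rf -- "${SIGN_CERT_DIR}"` next to the existing ESP_DIR removal in `cleanup`, or create the directory lazily inside the signing branch that actually needs it.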
@@ -190,44 +193,52 @@ case "${FLAGS_target}" in
         sudo dd bs=448 count=1 status=none if="${LOOP_DEV}" \
             of="${ESP_DIR}/${GRUB_DIR}/mbr.bin"
         ;;
-    x86_64-efi)
-        info "Installing default x86_64 UEFI bootloader."
+    x86_64-efi|arm64-efi)
+        info "Installing default ${FLAGS_target} UEFI bootloader."
         sudo mkdir -p "${ESP_DIR}/EFI/boot"
         # Use the test keys for signing unofficial builds
         if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+            export \
+                PKCS11_MODULE_PATH="/usr/lib64/pkcs11/azure_kms_pkcs11.so" \
+                AZURE_KEYVAULT_URL="https://chewi-test.vault.azure.net/" \
+                AWS_KMS_PKCS11_DEBUG=1
+
+            p11-kit export-object "pkcs11:token=flatcar-dev-cert;type=cert" \
+                > "${ESP_DIR}/${SIGN_CERT_DIR}/flatcar-dev-cert.pem"
+
+            SBSIGN=(
+                sudo sbsign
+                --engine pkcs11
+                --key "pkcs11:token=flatcar-dev-cert"
+                --cert "${ESP_DIR}/${SIGN_CERT_DIR}/flatcar-dev-cert.pem"
+            )
+
             # Sign the GRUB with the shim-embedded key
-            sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
-                --cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
+            "${SBSIGN[@]}" --output "${ESP_DIR}/EFI/boot/grub${EFI_ARCH}.efi" \
                 "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
-            sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
-                "${ESP_DIR}/EFI/boot/grubx64.efi"
             sudo rm "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+
             # Sign the mokmanager(mm) with the shim-embedded key
-            sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
-                --cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
-                "${BOARD_ROOT}/usr/lib/shim/mmx64.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/mmx64.efi.signed" \
-                "${ESP_DIR}/EFI/boot/mmx64.efi"
-
-            sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/DB.key \
-                --cert ${BOARD_ROOT}/usr/share/sb_keys/DB.crt \
-                --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+            "${SBSIGN[@]}" --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
+                "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"
+
+            "${SBSIGN[@]}" --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "/usr/lib/shim/shim.efi"
         else
             sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
-                "${ESP_DIR}/EFI/boot/grubx64.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/shimx64.efi.signed" \
-                "${ESP_DIR}/EFI/boot/bootx64.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/mmx64.efi" \
-                "${ESP_DIR}/EFI/boot/mmx64.efi"
+                "${ESP_DIR}/EFI/boot/grub${EFI_ARCH}.efi"
+            sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi.signed" \
+                "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi"
+            sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \
+                "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi"
         fi
         # copying from vfat so ignore permissions
         if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
-            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub${EFI_ARCH}.efi" \
                 "${FLAGS_copy_efi_grub}"
         fi
         if [[ -n "${FLAGS_copy_shim}" ]]; then
-            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootx64.efi" \
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "${FLAGS_copy_shim}"
         fi
         ;;
@@ -239,46 +250,6 @@ case "${FLAGS_target}" in
         sudo cp "${BUILD_LIBRARY_DIR}/menu.lst" \
             "${ESP_DIR}/boot/grub/menu.lst"
         ;;
-    arm64-efi)
-        info "Installing default arm64 UEFI bootloader."
-        sudo mkdir -p "${ESP_DIR}/EFI/boot"
-        # Use the test keys for signing unofficial builds
-        if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-            # Sign the GRUB with the shim-embedded key
-            sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
-                --cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
-                "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
-            sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
-                "${ESP_DIR}/EFI/boot/grubaa64.efi"
-            sudo rm "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
-            # Sign the mokmanager(mm) with the shim-embedded key
-            sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/shim.key \
-                --cert ${BOARD_ROOT}/usr/share/sb_keys/shim.pem \
-                "/usr/lib/shim/mmaa64.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/mmaa64.efi.signed" \
-                "${ESP_DIR}/EFI/boot/mmaa64.efi"
-
-            sudo sbsign --key ${BOARD_ROOT}/usr/share/sb_keys/DB.key \
-                --cert ${BOARD_ROO}/usr/share/sb_keys/DB.crt \
-                --output "${ESP_DIR}/EFI/boot/bootaa64.efi" \
-                "/usr/lib/shim/shim.efi"
-        else
-            sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
-                "${ESP_DIR}/EFI/boot/grubaa64.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/shimaa64.efi.signed" \
-                "${ESP_DIR}/EFI/boot/bootaa64.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/mmaa64.efi" \
-                "${ESP_DIR}/EFI/boot/mmaa64.efi"
-        fi
-        #FIXME(andrejro): shim not ported to aarch64
-        sudo mv "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
-            "${ESP_DIR}/EFI/boot/bootaa64.efi"
-        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
-            # copying from vfat so ignore permissions
-            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubaa64.efi" \
-                "${FLAGS_copy_efi_grub}"
-        fi
-        ;;
 esac
 cleanup