Add (temporary) signed shim and sign official builds with Azure Key Vault #2441
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sayanchowdhury
approved these changes
Nov 13, 2024
There was a problem hiding this comment.
Looks good to me - but let @krnowak / @dongsupark / @tormath1 do a review.
krnowak
reviewed
Nov 13, 2024
sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/README.md
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
Outdated
Show resolved
Hide resolved
sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r1.ebuild
Outdated
Show resolved
Hide resolved
chewi
force-pushed
the
chewi/akv-signing
branch
from
4d2f6c7
to
432d8c8
Compare
Signed-off-by: Sayan Chowdhury <[email protected]>
Signed-off-by: Sayan Chowdhury <[email protected]>
Signed-off-by: Sayan Chowdhury <[email protected]>
Signed-off-by: Sayan Chowdhury <[email protected]>
Signed-off-by: James Le Cuirot <[email protected]>
Signed-off-by: Sayan Chowdhury <[email protected]>
It's from Gentoo commit d286faf494dcb60f81f0de921fa623d952962fc1.
It's from Gentoo commit 69e4044b72d971f5603df77793db86c40e582e2e.
It's from Gentoo commit 768b3c1959debce15854362ff7db176cda76c055.
It's from Gentoo commit 82ec02943f7f0ddaa87f623cee138608571a3978.
It hasn't been added to Gentoo yet.
Signed-off-by: Sayan Chowdhury <[email protected]>
p11-kit is a dependency of azure-keyvault-pkcs11, but we will also use it directly to fetch the certificate from Azure Key Vault. Signed-off-by: James Le Cuirot <[email protected]>
The cross issues that were previously addressed by our fork are no longer an issue since p11-kit migrated to Meson. Signed-off-by: James Le Cuirot <[email protected]>
Signed-off-by: James Le Cuirot <[email protected]>
We always use the board's GRUB now. Signed-off-by: James Le Cuirot <[email protected]>
Signed-off-by: James Le Cuirot <[email protected]>
Signed-off-by: James Le Cuirot <[email protected]>
We don't want to be blocked from doing releases in the meantime. Revert this commit when ready. Signed-off-by: James Le Cuirot <[email protected]>
chewi
force-pushed
the
chewi/akv-signing
branch
from
432d8c8
to
101efbf
Compare
Signed-off-by: Sayan Chowdhury <[email protected]>
sayanchowdhury
requested a deployment
to
development
GitHub Actions
Waiting
krnowak
approved these changes
Nov 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add (temp) signed shim and sign official builds with AKV
This adds the SBAT data to the shim binary, adds a pre-signed shim package for official builds, adds the tools needed to sign with Azure Key Vault, and reworks the signing code to do that... then effectively undoes the AKV signing because we need to pass the shim review first. We will revert the final commit later.
Flatcar has not yet completed the shim review, so the signed shim is a temporary one that will be replaced shortly.
The Azure Key Vault signing only works when performed on Azure. This happens during the images job, which is currently still configured to run on Equinix. This configuration lives in another repository. It should be adjusted before we need to perform the next official build. We may split out the signing part of the job so that the actual building can still be performed on Equinix, but that has yet to be agreed.
azure-keyvault-pkcs11 is still undergoing a cleanup following its transformation from AWS, so the commit currently used by the package points to an early iteration, but the plugin is sufficiently functional to be used here.
How to use
The changes mostly concern CI, but you can check that the flatcar_production_qemu_uefi_secure_efi image still works with Secure Boot enabled.
Testing done
A Jenkins run for the unofficial build mostly passed successfully, including qemu_uefi_secure on amd64. qemu_uefi_secure on arm64 failed, but only on the kubeadm jobs we often see fail. We have already seen that an official build works when the image job is run on Azure.
changelog/directory (user-facing change, bug fix, security fix, update) -- The change is probably only worth mentioning to users when we add the officially signed shim./bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.