mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-07 04:56:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Temporarily undo AKV signing while we complete the shim review

Browse Source 
We don't want to be blocked from doing releases in the meantime. Revert
this commit when ready.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This commit is contained in:
James Le Cuirot 2024-11-13 12:07:40 +00:00
parent 2853c77c66
commit 101efbff39
No known key found for this signature in database
GPG Key ID: 1226415D00DD3137
2 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
build_library/build_image_util.sh
View File

@ -827,6 +827,7 @@ EOF
fi fi
# Sign the kernel after /usr is in a consistent state and verity is calculated # Sign the kernel after /usr is in a consistent state and verity is calculated
[[ ${COREOS_OFFICIAL:-0} -ne 1 ]] && \
do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,} do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
cleanup_sbsign_certs cleanup_sbsign_certs

16
build_library/grub_install.sh
View File

@ -186,12 +186,12 @@ case "${FLAGS_target}" in
x86_64-efi|arm64-efi) x86_64-efi|arm64-efi)
info "Installing default ${FLAGS_target} UEFI bootloader." info "Installing default ${FLAGS_target} UEFI bootloader."
# Sign GRUB and mokmanager(mm) with the shim-embedded key.
do_sbsign --output "${ESP_DIR}/${GRUB_IMAGE}"{,}
do_sbsign --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
# Sign GRUB and mokmanager(mm) with the shim-embedded key.
do_sbsign --output "${ESP_DIR}/${GRUB_IMAGE}"{,}
do_sbsign --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"
# Unofficial build: Sign shim with our development key. # Unofficial build: Sign shim with our development key.
sudo sbsign \ sudo sbsign \
--key /usr/share/sb_keys/DB.key \ --key /usr/share/sb_keys/DB.key \
@ -199,8 +199,10 @@ case "${FLAGS_target}" in
--output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \ --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi" "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
else else
# Official build: Copy our pre-signed shim. # Official build: Copy the unsigned files.
sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi.signed" \ sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \
"${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi" \
"${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi"
fi fi