Merge pull request #3954 from jqueuniet/secureboot_params

Parameterize secure boot keys

build_library/grub_install.sh

@@ -37,6 +37,9 @@ switch_to_strict_mode
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 
+SBSIGN_DB_KEY="${SBSIGN_DB_KEY:-/usr/share/sb_keys/DB.key}"
+SBSIGN_DB_CERT="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
+
 # Our GRUB lives under flatcar/grub so new pygrub versions cannot find grub.cfg
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
 
@@ -202,8 +205,8 @@ case "${FLAGS_target}" in
 
             # Unofficial build: Sign shim with our development key.
             sudo sbsign \
-                --key /usr/share/sb_keys/DB.key \
-                --cert /usr/share/sb_keys/DB.crt \
+                --key "${SBSIGN_DB_KEY}" \
+                --cert "${SBSIGN_DB_CERT}" \
                 --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
         else

build_library/sbsign_util.sh

@@ -3,8 +3,8 @@
 # found in the LICENSE file.
 
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="/usr/share/sb_keys/shim.key"
-    SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
+    SBSIGN_KEY="${SBSIGN_KEY:-/usr/share/sb_keys/shim.key}"
+    SBSIGN_CERT="${SBSIGN_CERT:-/usr/share/sb_keys/shim.pem}"
 else
     SBSIGN_KEY="pkcs11:token=flatcar-secure-boot-prod-2026-04"
     unset SBSIGN_CERT

build_library/vm_image_util.sh

@@ -890,11 +890,17 @@ _write_qemu_uefi_secure_conf() {
     esac
 
     # TODO: Remove the temporary flatcar shim signing cert
+    local _sb_db_cert="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
+    local _sb_extra_db_certs=()
+    if [[ -z ${SBSIGN_DB_CERT:-} ]]; then
+        # Default behavior: include the temporary dev shim cert alongside DB.crt
+        _sb_extra_db_certs=( --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert" )
+    fi
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
-        --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
+        --add-db "${owner}" "${_sb_db_cert}" \
+        "${_sb_extra_db_certs[@]}"
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }

sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild

@@ -54,7 +54,7 @@ src_compile() {
     fi
     emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE}" )
   else
-    emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
+    emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE:-/usr/share/sb_keys/shim.der}" )
   fi
   emake "${emake_args[@]}" || die
 }

sdk_lib/sdk_container_common.sh

@@ -213,6 +213,9 @@ function setup_sdk_env() {
         \
         USE FEATURES PORTAGE_USERNAME FORCE_STAGES \
         SIGNER \
+        SBSIGN_KEY SBSIGN_CERT SBSIGN_DB_KEY SBSIGN_DB_CERT \
+        SHIM_SIGNING_CERTIFICATE \
+        MODULE_SIGNING_KEY_DIR SYSEXT_SIGNING_KEY_DIR \
         all_proxy ftp_proxy http_proxy https_proxy no_proxy; do
 
         if [ -n "${!var:-}" ] ; then

sdk_lib/sdk_entry.sh

@@ -72,10 +72,14 @@ fi
 
 # Create key directory if not already configured in .bashrc
 if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then
-    # For official builds, use ephemeral keys. For unofficial builds, use persistent directory
-    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+    if [[ -n ${MODULE_SIGNING_KEY_DIR:-} ]]; then
+        # Pre-set via environment (e.g. .sdkenv) — use as-is
+        :
+    elif [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+        # For official builds, use ephemeral keys
         MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     else
+        # For unofficial builds, use persistent directory
         MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys"
         su sdk -c "mkdir -p ${MODULE_SIGNING_KEY_DIR@Q}"
     fi
@@ -97,7 +101,10 @@ if grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
     fi
 fi
 grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
-    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+    if [[ -n ${SYSEXT_SIGNING_KEY_DIR:-} ]]; then
+        # Pre-set via environment (e.g. .sdkenv) — use as-is
+        :
+    elif [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
         SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     else
         SYSEXT_SIGNING_KEY_DIR="/home/sdk/.sysext-signing-keys"