From bda73d4de3f91a6171c26d3188b5eb0ee689485e Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 20 Dec 2024 16:21:12 +0000 Subject: [PATCH 1/4] ci-automation: Give the sbsign_image container a name Otherwise it uses the default name, which can clash with other concurrent jobs, especially jobs for the other arches. Signed-off-by: James Le Cuirot --- ci-automation/sbsign_image.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ci-automation/sbsign_image.sh b/ci-automation/sbsign_image.sh index fe3053e7fd..361401b40e 100644 --- a/ci-automation/sbsign_image.sh +++ b/ci-automation/sbsign_image.sh @@ -82,7 +82,9 @@ function _sbsign_image_impl() { local sdk_image="$(docker_image_fullname "${sdk_name}" "${docker_sdk_vernum}")" echo "docker image rm -f '${sdk_image}'" >> ./ci-cleanup.sh - ./run_sdk_container -x ./ci-cleanup.sh -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \ + local docker_vernum="$(vernum_to_docker_image_version "${FLATCAR_VERSION}")" + local sbsign_container="flatcar-sbsign-image-${arch}-${docker_vernum}" + ./run_sdk_container -x ./ci-cleanup.sh -n "${sbsign_container}" -v "${FLATCAR_VERSION}" -U -C "${sdk_image}" \ ./sbsign_image --board="${arch}-usr" \ --group="${channel}" --version="${FLATCAR_VERSION}" \ --output_root="${CONTAINER_IMAGE_ROOT}" \ From aa70fc929f58cc5788058d590402f840b08d3615 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 19 Dec 2024 18:19:46 +0000 Subject: [PATCH 2/4] Delay generating test update payload in official builds The update payload needs the kernel, which isn't signed during the image job. Secure Boot is not currently enabled for update tests, but we may as well do this properly. The production update upload is generated manually at the end after everything has already been signed. Signed-off-by: James Le Cuirot --- build_image | 2 +- ci-automation/sbsign_image.sh | 3 ++- sbsign_image | 5 ++++- 3 files changed, 7 insertions(+), 3 deletions(-) 
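Review bot: The container name built in `_sbsign_image_impl` is fixed per arch and version (`flatcar-sbsign-image-${arch}-${docker_vernum}`), so a re-run for the same version, or a container left behind by an aborted job, resolves to the same name. How `run_sdk_container -n` treats an existing container is not visible in this hunk; if it reuses one, the signing step would run with state from an earlier run, so confirm it is removed first or add a per-job suffix. Separately, `local docker_vernum="$(…)"` hides a failure of `vernum_to_docker_image_version`; declaring first (`local docker_vernum`) and assigning on the next line (`docker_vernum="$(vernum_to_docker_image_version "${FLATCAR_VERSION}")"`) lets the error surface. The function body starts and ends outside the hunk.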
diff --git a/build_image b/build_image index a9e6bcdaf8..739bc49b55 100755 --- a/build_image +++ b/build_image @@ -177,7 +177,7 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi - if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then + if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi if [[ "${PROD_TAR}" -eq 1 ]]; then diff --git a/ci-automation/sbsign_image.sh b/ci-automation/sbsign_image.sh index 361401b40e..9f2cb630d9 100644 --- a/ci-automation/sbsign_image.sh +++ b/ci-automation/sbsign_image.sh @@ -91,7 +91,8 @@ function _sbsign_image_impl() { --only_store_compressed # Delete uncompressed generic image before signing and upload - rm "${images_local}/flatcar_production_image.bin" + # Also delete update image because it will be unchanged + rm "${images_local}"/flatcar_production_{image,update}.bin create_digests "${SIGNER}" "${images_local}"/* sign_artifacts "${SIGNER}" "${images_local}"/* copy_to_buildcache "${images_remote}"/ "${images_local}"/* diff --git a/sbsign_image b/sbsign_image index 66aca04472..7fb3a80d3f 100755 --- a/sbsign_image +++ b/sbsign_image @@ -61,8 +61,11 @@ switch_to_strict_mode # Create the output directory and temporary mount points. mkdir -p "${BUILD_DIR}" +DISK_LAYOUT="${FLAGS_disk_layout:-base}" + fix_mtab -sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_disk_layout:-base}" +sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" +generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" echo "Done. ${FLATCAR_PRODUCTION_IMAGE_NAME} and associated files are now signed for Secure Boot in ${BUILD_DIR}." command_completed From 94f95acdc7b6f15f93ea5d17a9951da6c382f284 Mon Sep 17 00:00:00 2001 
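Review bot: The new `${COREOS_OFFICIAL:-0} -ne 1` clause in build_image carries no comment saying why official builds skip `generate_update`, and the skip is silent even when `--generate_update` was requested. A comment above the `if`, such as `# Official builds generate the payload in sbsign_image, after the kernel has been signed.`, would keep the two scripts linked for the next reader. An `info` line on the skipped path would also make the build log show where the payload is expected to come from.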
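Review bot: The widened `rm "${images_local}"/flatcar_production_{image,update}.bin` in ci-automation/sbsign_image.sh fails if either file is absent, because brace expansion passes both names to `rm` whether or not they exist. Whether `flatcar_production_update.bin` is always present after `--only_store_compressed` cannot be seen from this hunk; if it is not guaranteed, the job stops before `create_digests` and `sign_artifacts`. If absence is acceptable, `rm -f -- "${images_local}"/flatcar_production_{image,update}.bin` states that intent. The comment `will be unchanged` would read better as `# The update partition is not modified by signing, so the copy from the image job is reused`, assuming that is the meaning.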
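Review bot: In sbsign_image the added `generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"` runs unconditionally, whereas build_image guards the same call with `FLAGS_generate_update`. The payload is signed with the dev key (per the `generate_update` context in patch 4), and the CI wrapper then runs `create_digests`, `sign_artifacts` and `copy_to_buildcache` over `"${images_local}"/*`. So every Secure Boot signing run appears to publish a dev-key test payload next to the production artifacts, whether or not one was requested. Consider guarding the call with a flag (a `generate_update` option on this script, if one is defined outside this hunk) and adding a comment such as `# Test payload only; the production payload is generated separately after signing.`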
From: James Le Cuirot Date: Fri, 20 Dec 2024 11:12:36 +0000 Subject: [PATCH 3/4] build_image: Temporarily nobble condition around generate_update Once we have passed the shim review, we will delay this task until the kernel has been signed later in the pipeline. Signed-off-by: James Le Cuirot --- build_image | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build_image b/build_image index 739bc49b55..f365c2c190 100755 --- a/build_image +++ b/build_image @@ -177,7 +177,8 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi - if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then + # TODO: Un-nobble this later when we have passed the shim review. + if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then # && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}" fi if [[ "${PROD_TAR}" -eq 1 ]]; then From 29a5131380588076b158259878302bd6193528db Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Fri, 20 Dec 2024 17:55:11 +0000 Subject: [PATCH 4/4] build_image_util.sh: Don't compress extracted partition unnecessarily I know I recently deduplicated the code between extract_update and generate_update recently, but now that generate_update will sometimes be called at a later time, I've realised that it is compressing and uploading the partition twice. Signed-off-by: James Le Cuirot --- build_library/build_image_util.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh index 2549e4667d..225e0c864c 100755 --- a/build_library/build_image_util.sh +++ b/build_library/build_image_util.sh 
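Review bot: The disabled clause is left as a trailing comment on the `if` line (`]]; then # && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then`), which is easy to restore incorrectly and reads like live code. While it is disabled, official builds call `generate_update` in build_image before the kernel is signed and again in sbsign_image (patch 2), so which payload reaches the buildcache depends on upload order that this hunk does not show. I would move the disabled condition to its own comment line, e.g. `# TODO(<tracking issue>): restore "&& ${COREOS_OFFICIAL:-0} -ne 1" once the shim review has passed.`, and keep the `if` line clean. It would also help to say in that comment that the payload from the image job is built from the unsigned kernel.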
@@ -79,7 +79,9 @@ generate_update() { local devkey="/usr/share/update_engine/update-payload-key.key.pem" # Extract the partition if it isn't extracted already. - [[ -s ${update} ]] || extract_update "${image_name}" "${disk_layout}" + [[ -s ${update} ]] || + "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \ + extract "${BUILD_DIR}/${image_name}" "USR-A" "${update}" echo "Generating update payload, signed with a dev key" delta_generator \
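Review bot: The `[[ -s ${update} ]]` guard accepts any non-empty file at that path. `generate_update` can now run in a later job than the extraction, so a truncated file from an interrupted extract, or one left in a reused `BUILD_DIR` by a different build, would be packaged into the payload without complaint. Whether `BUILD_DIR` is always fresh in the sbsign job is not visible here; if it is not, re-extract unconditionally on that path or compare the file against the expected partition size. A comment such as `# Reuse an earlier extraction only if it comes from this same image; the USR-A partition is not modified by signing.` would record the assumption. The function body starts and ends outside the hunk.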