diff --git a/build_library/disk_layout.json b/build_library/disk_layout.json
index 2feb57972c..68b789d15e 100644
--- a/build_library/disk_layout.json
+++ b/build_library/disk_layout.json
@@ -158,41 +158,6 @@
 "blocks":"6291456"
 }
 },
- "secure_demo":{
- "1":{
- "label":"EFI-SYSTEM",
- "fs_label":"EFI-SYSTEM",
- "type":"efi",
- "blocks":"2097152",
- "fs_type":"vfat",
- "mount":"/",
- "features": []
- },
- "2":{
- "type":"blank"
- },
- "3":{
- "type":"blank"
- },
- "4":{
- "type":"blank"
- },
- "5":{
- "type":"blank"
- },
- "6":{
- "type":"blank"
- },
- "7":{
- "type":"blank"
- },
- "8":{
- "type":"blank"
- },
- "9":{
- "type":"blank"
- }
- },
 "interoute":{
 "9":{
 "label":"ROOT",
diff --git a/build_library/secure_demo/CoreOS-Boot-Signer.crt b/build_library/secure_demo/CoreOS-Boot-Signer.crt
deleted file mode 100644
index 89ddacf5bf..0000000000
--- a/build_library/secure_demo/CoreOS-Boot-Signer.crt
+++ /dev/null
@@ -1,76 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, L=SF, O=CoreOS, CN=CoreOS Boot CA/emailAddress=george.tankersley@gmail.com - Validity - Not Before: Jan 1 00:00:00 1970 GMT - Not After : Oct 31 06:53:45 2024 GMT - Subject: C=US, ST=CA, L=SF, O=CoreOS, CN=CoreOS Boot Signer/emailAddress=george.tankersley@gmail.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:b4:35:c8:8c:86:8f:89:4f:d8:63:f6:a3:80:db: - 7e:da:dc:53:6e:66:77:0d:1a:7e:0d:b2:3e:6a:85: - 1c:d9:1c:f9:48:ce:80:e7:31:c2:b3:e1:e4:2b:2b: - 1f:45:16:0b:52:57:8a:fc:7b:fd:ba:81:8b:35:13: - 4a:54:2a:be:35:0f:f4:ea:26:38:50:59:0b:9b:9c: - 88:a3:c9:01:08:fe:43:5d:f1:ef:15:6d:6d:03:06: - 3c:ab:c5:b8:93:79:84:ba:6b:f6:7b:59:8b:74:c2: - 2b:2d:a2:e9:e9:82:3f:f5:32:b5:b9:31:f4:9c:4b: - e0:84:a0:40:44:01:e1:63:4d:da:a8:c7:3f:76:8e: - 09:6a:ce:b9:75:32:56:9c:39:5a:44:94:b5:4d:76: - 64:b0:4e:42:ee:99:5f:9b:96:cb:e7:50:f1:10:2a: - 09:8c:49:62:5d:e4:b9:29:2b:a7:4a:77:b4:7c:d4: - 4b:4e:1f:84:ce:9a:be:e1:44:95:29:cd:35:09:ec: - c0:cc:a2:31:91:d1:fd:a9:ce:1a:79:3f:2a:9b:94: - f2:49:60:7c:ba:f0:1b:62:24:4e:35:39:bb:9b:a1: - 19:42:04:cb:9b:e0:5a:a5:52:3f:ec:b1:8e:2a:07: - 20:0f:56:6b:38:55:5e:06:59:dd:57:e5:20:16:47: - dc:e9 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: - Digital Signature - X509v3 Extended Key Usage: - Code Signing - Signature Algorithm: sha256WithRSAEncryption - c1:e9:22:50:29:21:26:e8:57:1e:06:ce:f5:0c:47:5f:5d:51: - 57:e2:64:10:75:1b:ca:9b:f0:0f:38:81:91:8d:4e:c1:11:19: - e3:e9:db:6a:9e:36:66:f8:89:1d:7f:2e:8a:50:1d:0b:5a:c7: - d4:c5:60:3c:ba:0c:78:1c:40:bd:3c:80:aa:73:ce:04:4e:2c: - d9:da:5d:6c:19:bf:6e:9e:e5:ba:0e:3a:14:d1:e9:d0:17:0b: - 98:00:ab:3d:18:b7:27:04:2f:15:7f:6d:57:03:11:29:c0:d4: - 86:25:14:e4:91:06:7e:5d:59:ac:3a:67:95:e0:7d:c8:f5:08: - 74:2e:9b:68:af:65:db:25:8b:8a:ae:33:f4:62:4c:10:7c:f4: - 
70:25:68:d1:b1:74:43:14:a7:4f:35:b7:5c:30:ca:8b:84:24: - 3a:08:ff:f6:47:79:c6:b4:ef:cc:80:b0:52:2b:19:57:94:0e: - d2:cd:55:23:ee:1e:32:13:53:8e:1e:2c:46:99:23:0c:c7:2c: - df:81:6d:60:bd:8a:51:77:69:cf:cc:11:9f:ba:5c:f3:e2:9a: - 0f:de:a9:f4:a5:8d:a8:86:a2:9e:00:82:24:c7:17:3c:14:1a: - db:04:4c:91:33:05:87:49:69:ea:b3:8d:8e:f9:3a:2c:85:65: - 95:6b:6a:cb ------BEGIN CERTIFICATE----- -MIIDoDCCAoigAwIBAgIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJVUzEL -MAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMQ8wDQYDVQQKDAZDb3JlT1MxFzAVBgNV -BAMMDkNvcmVPUyBCb290IENBMSowKAYJKoZIhvcNAQkBFhtnZW9yZ2UudGFua2Vy -c2xleUBnbWFpbC5jb20wIBgPMTk3MDAxMDEwMDAwMDBaFw0yNDEwMzEwNjUzNDVa -MIGBMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMQ8wDQYD -VQQKDAZDb3JlT1MxGzAZBgNVBAMMEkNvcmVPUyBCb290IFNpZ25lcjEqMCgGCSqG -SIb3DQEJARYbZ2VvcmdlLnRhbmtlcnNsZXlAZ21haWwuY29tMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtDXIjIaPiU/YY/ajgNt+2txTbmZ3DRp+DbI+ -aoUc2Rz5SM6A5zHCs+HkKysfRRYLUleK/Hv9uoGLNRNKVCq+NQ/06iY4UFkLm5yI -o8kBCP5DXfHvFW1tAwY8q8W4k3mEumv2e1mLdMIrLaLp6YI/9TK1uTH0nEvghKBA -RAHhY03aqMc/do4Jas65dTJWnDlaRJS1TXZksE5C7plfm5bL51DxECoJjEliXeS5 -KSunSne0fNRLTh+Ezpq+4USVKc01CezAzKIxkdH9qc4aeT8qm5TySWB8uvAbYiRO -NTm7m6EZQgTLm+BapVI/7LGOKgcgD1ZrOFVeBlndV+UgFkfc6QIDAQABoyQwIjAL -BgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD -ggEBAMHpIlApISboVx4GzvUMR19dUVfiZBB1G8qb8A84gZGNTsERGePp22qeNmb4 -iR1/LopQHQtax9TFYDy6DHgcQL08gKpzzgROLNnaXWwZv26e5boOOhTR6dAXC5gA -qz0YtycELxV/bVcDESnA1IYlFOSRBn5dWaw6Z5Xgfcj1CHQum2ivZdsli4quM/Ri -TBB89HAlaNGxdEMUp081t1wwyouEJDoI//ZHeca078yAsFIrGVeUDtLNVSPuHjIT -U44eLEaZIwzHLN+BbWC9ilF3ac/MEZ+6XPPimg/eqfSljaiGop4AgiTHFzwUGtsE -TJEzBYdJaeqzjY75OiyFZZVrass= ------END CERTIFICATE----- diff --git a/build_library/secure_demo/CoreOS-Boot-Signer.key b/build_library/secure_demo/CoreOS-Boot-Signer.key deleted file mode 100644 index 5c389d1951..0000000000 --- a/build_library/secure_demo/CoreOS-Boot-Signer.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0NciMho+JT9hj -9qOA237a3FNuZncNGn4Nsj5qhRzZHPlIzoDnMcKz4eQrKx9FFgtSV4r8e/26gYs1 -E0pUKr41D/TqJjhQWQubnIijyQEI/kNd8e8VbW0DBjyrxbiTeYS6a/Z7WYt0wist -ounpgj/1MrW5MfScS+CEoEBEAeFjTdqoxz92jglqzrl1MlacOVpElLVNdmSwTkLu -mV+blsvnUPEQKgmMSWJd5LkpK6dKd7R81EtOH4TOmr7hRJUpzTUJ7MDMojGR0f2p -zhp5PyqblPJJYHy68BtiJE41ObuboRlCBMub4FqlUj/ssY4qByAPVms4VV4GWd1X -5SAWR9zpAgMBAAECggEAZgmeCJOYanNfXxqj8a5W4a2nP/ecqTq67R5j4QSGFRkm -vWbP7hhq2lepThgYmJGmz3TqKZQ7UoNPQzos+ANLt9fVIU+Ky1PgErhLVhHWGDWA -B42ZhlRzSSca61gE7tv7n2LKKYXGRNI8iJaaQ7GQbVHNO5Nhoa4E7pOeT+OQrxzO -vSTuXJMCDzvZTCV0quvaSNE+nWQYda6X/Gthhpy4Qp1M7iKxoOekP88v1IVMBLzP -Zj6ExMEiK/SZQcnRx0CeCIOayht8YVwtsFTzWZgcgcxQZMVoBYA5DRdKF8PDy0N3 -PhTxfIWurJf9PUR/gF4tOyaAoBI0N6MkRoKYmT3QAQKBgQDddASBIIC32DRVi4jy -9i433b3JVTuLnGCjDtGflGiXM2mf58oFFPhua8Mh29F9FKWHj+B/yn47HF/bikoh -OeB8RaZClj+EFXeSmjjZF3QEg2GDMHZB0yvytgb9mr5lNcNF3JsosUQuLY7+VVSR -UPjnhjcnKkzQv7fK18E2+aoagQKBgQDQUq0VsSJT9T4UtvpgFhN8xWlKTJjaDxsI -2lIgUkBX+VJ41+kHZNioZOc61TkMCOPyIHyeUYEQbcZmkNL3nR9uxr9kXyC1ShIu -Q+mrzIHzuGKNJBQdMWNrm+nwOF5IafSoQRievU35gvKt+evJg9SJNvIYGwnt+/AA -YwHyd7f+aQKBgExIPZD5UD2D1SsugIMot+z4jfp/SJ6jxEoGvcCZj5md1SGG53ju -q1Dl//Z20OekKAzVS8DZULgt4vst3LErTZ+hIk9HkCOAfYrbYv+s64LuerWFCQdN -pZLajvfmyPT2GwjCoBPZVCIQAXSskg/oc4TVH8R29rTlhXry7RRx1d2BAoGAVw1V -Wq0shR0EFi/oLGLNPeRYfT3I2cZaK7bffrYgQSLkfa7rp7VSe/u+TG1xa0AD0NgW -eynf3vegYpe+MM6tpeLTc6P0zQzo0AB9EtdgrnGsbQJYjWJoAz2h4koLzALKw8x/ -90Vv4gYAVwcKqqi2FaiqPbx+x73xqpe05pd0gZECgYEAh8vSHk3w7Od0AKOsfn4q -vVy1MjNBzX3p1+2IHJLDeM9ibTUmfWP+Y7cL5+m0eNasq/gvgBKMNAA+C9h6lEiZ -Soe27lfYBY3ro0ksdYeNGx7rKgBLIi/YRmxvTTlDcUrEkaunfuGCXzLy6X6USI+c -jsLjKF+tu3r+iYx4OU3xWpI= ------END PRIVATE KEY----- 
diff --git a/build_library/secure_demo/CoreOS-Grub-Singing-Key.gpg b/build_library/secure_demo/CoreOS-Grub-Singing-Key.gpg
deleted file mode 100644
index df6e65b219..0000000000
Binary files a/build_library/secure_demo/CoreOS-Grub-Singing-Key.gpg and /dev/null differ
diff --git a/build_library/secure_demo/CoreOS-Grub-Singing-Key.key b/build_library/secure_demo/CoreOS-Grub-Singing-Key.key
deleted file mode 100644
index 1918bdd011..0000000000
Binary files a/build_library/secure_demo/CoreOS-Grub-Singing-Key.key and /dev/null differ
diff --git a/build_library/secure_demo/bootx64.efi b/build_library/secure_demo/bootx64.efi
deleted file mode 100755
index d65f1c3c95..0000000000
Binary files a/build_library/secure_demo/bootx64.efi and /dev/null differ
diff --git a/build_library/secure_demo/cloud-config.yaml b/build_library/secure_demo/cloud-config.yaml
deleted file mode 100644
index 8ea4190655..0000000000
--- a/build_library/secure_demo/cloud-config.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#cloud-config
-
-hostname: secure_demo
-
-users:
- - name: core
- coreos-ssh-import-github: marineam
diff --git a/build_library/secure_demo/grub.cfg b/build_library/secure_demo/grub.cfg
deleted file mode 100644
index 4df96f62fa..0000000000
--- a/build_library/secure_demo/grub.cfg
+++ /dev/null
@@ -1,20 +0,0 @@ -# Load any and all video drivers. -# Required under UEFI to boot Linux with a working console. -insmod all_video - -# Use both default text console and ttyS0 -serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 -terminal_input console serial -terminal_output console serial - -# Find the UEFI system partition -insmod part_gpt -search --set=root --label EFI-SYSTEM - -# Do that thing! -echo "Loading /coreos/vmlinuz ..." -linuxefi /coreos/vmlinuz module.sig_enforce=1 console=tty0 console=ttyS0,115200n8 rootfstype=btrfs cloud-config-url=https://storage.googleapis.com/users.developer.core-os.net/marineam/cloud-config.yaml -echo "Loading /coreos/initrd ..." -initrdefi /coreos/initrd -echo "Booting..." -boot diff --git a/build_library/secure_demo/lockdown.efi b/build_library/secure_demo/lockdown.efi deleted file mode 100755 index 7fb70d3d16..0000000000 Binary files a/build_library/secure_demo/lockdown.efi and /dev/null differ diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh index af3b548c30..73d17ad898 100644 --- a/build_library/vm_image_util.sh +++ b/build_library/vm_image_util.sh @@ -36,7 +36,6 @@ VALID_IMG_TYPES=( exoscale azure hyperv - secure_demo niftycloud cloudsigma packet @@ -261,11 +260,6 @@ IMG_azure_OEM_PACKAGE=oem-azure IMG_hyperv_DISK_FORMAT=vhd IMG_hyperv_OEM_PACKAGE=oem-hyperv -## secure boot demo -IMG_secure_demo_PARTITIONED_IMG=0 -IMG_secure_demo_DISK_FORMAT=secure_demo -IMG_secure_demo_CONF_FORMAT=qemu_uefi - ## niftycloud IMG_niftycloud_DISK_FORMAT=vmdk_stream IMG_niftycloud_DISK_LAYOUT=vm @@ -399,7 +393,6 @@ _disk_ext() { vmdk_scsi) echo vmdk;; vmdk_stream) echo vmdk;; hdd) echo hdd;; - secure_demo) echo bin;; *) echo "${disk_format}";; esac } 
@@ -1153,54 +1146,6 @@ _write_pvm_tgz_bundle() { VM_GENERATED_FILES+=( "${tgz}" ) } -_write_secure_demo_disk() { - local dst_img="$2" - local tmp_esp="${VM_TMP_DIR}/esp" - - grub-mkstandalone \ - --output="${VM_TMP_DIR}/grub.efi" \ - --format=x86_64-efi \ - --modules=verify \ - --pubkey="${BUILD_LIBRARY_DIR}/secure_demo/CoreOS-Grub-Singing-Key.gpg" \ - "/boot/grub/grub.cfg=${BUILD_LIBRARY_DIR}/secure_demo/grub.cfg" - sbsign --key "${BUILD_LIBRARY_DIR}/secure_demo/CoreOS-Boot-Signer.key" \ - --cert "${BUILD_LIBRARY_DIR}/secure_demo/CoreOS-Boot-Signer.crt" \ - "${VM_TMP_DIR}/grub.efi" - - cp "${VM_TMP_ROOT}/usr/boot/vmlinuz" "${VM_TMP_DIR}/vmlinuz" - sbsign --key "${BUILD_LIBRARY_DIR}/secure_demo/CoreOS-Boot-Signer.key" \ - --cert "${BUILD_LIBRARY_DIR}/secure_demo/CoreOS-Boot-Signer.crt" \ - "${VM_TMP_DIR}/vmlinuz" - gpg --detach-sign --local-user BA076BAA \ - --output "${VM_TMP_DIR}/vmlinuz.sig" \ - "${VM_TMP_DIR}/vmlinuz.signed" - - _write_cpio_common "ignored" "${VM_TMP_DIR}/initrd" - gpg --detach-sign --local-user BA076BAA "${VM_TMP_DIR}/initrd" - - "${BUILD_LIBRARY_DIR}/disk_util" \ - --disk_layout="secure_demo" format "${dst_img}" - "${BUILD_LIBRARY_DIR}/disk_util" \ - --disk_layout="secure_demo" mount "${dst_img}" "${tmp_esp}" - - sudo mkdir -p "${tmp_esp}/EFI/boot" - sudo cp "${BUILD_LIBRARY_DIR}/secure_demo/bootx64.efi" \ - "${BUILD_LIBRARY_DIR}/secure_demo/lockdown.efi" \ - "${tmp_esp}/EFI/boot" - sudo cp "${VM_TMP_DIR}/grub.efi.signed" "${tmp_esp}/EFI/boot/grub.efi" - - sudo mkdir -p "${tmp_esp}/coreos" - sudo cp "${VM_TMP_DIR}/vmlinuz.signed" "${tmp_esp}/coreos/vmlinuz" - sudo cp "${VM_TMP_DIR}/initrd"{,.sig} \ - "${VM_TMP_DIR}/vmlinuz.sig" \ - "${tmp_esp}/coreos" - - "${BUILD_LIBRARY_DIR}/disk_util" \ - --disk_layout="secure_demo" umount "${tmp_esp}" - - VM_GENERATED_FILES+=( "${dst_img}" ) -} - vm_cleanup() { info "Cleaning up temporary files" if mountpoint -q "${VM_TMP_ROOT}"; then