Add support for Secure Boot images and sign unofficial builds with test keys

Add qemu_uefi_secure target for building Secure Boot images. These are
identical to qemu_uefi images with the exception that the test keys have
been installed into the flash image, enabling Secure Boot by default. In
addition, sign the grub binary with the test keys during build when
producing unofficial images.
Matthew Garrett 2015-04-13 14:15:57 -07:00
parent a6824e7bbe
commit 707803ed43
2 changed files with 28 additions and 2 deletions


@ -141,8 +141,17 @@ case "${FLAGS_target}" in
x86_64-efi) x86_64-efi)
info "Installing default x86_64 UEFI bootloader." info "Installing default x86_64 UEFI bootloader."
sudo mkdir -p "${ESP_DIR}/EFI/boot" sudo mkdir -p "${ESP_DIR}/EFI/boot"
sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \ # Use the test keys for signing unofficial builds
"${ESP_DIR}/EFI/boot/bootx64.efi" if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
sudo sbsign --key /usr/share/sb_keys/DB.key \
--cert /usr/share/sb_keys/DB.crt \
"${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
"${ESP_DIR}/EFI/boot/bootx64.efi"
else
sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
"${ESP_DIR}/EFI/boot/bootx64.efi"
fi
;; ;;
x86_64-xen) x86_64-xen)
info "Installing default x86_64 Xen bootloader." info "Installing default x86_64 Xen bootloader."
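Review bot: The else branch copies an unsigned grub into `EFI/boot/bootx64.efi` for official builds, so a qemu_uefi_secure image built with `COREOS_OFFICIAL=1` will be refused by firmware with the test keys enrolled unless official signing happens in a later step that is not in this hunk; a comment at the `else` such as `# Official builds are signed out-of-band; the binary installed here is unsigned` would make that contract explicit. The signed branch also depends on sbsign's implicit `.signed` output name and leaves both the unsigned and signed copies under `${GRUB_DIR}` on the ESP; writing the result directly, `sudo sbsign --key /usr/share/sb_keys/DB.key --cert /usr/share/sb_keys/DB.crt --output "${ESP_DIR}/EFI/boot/bootx64.efi" "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"`, removes both the copy and the stray artifact. Since the DB key is a publicly distributed test key, an `info` line stating that the image is signed with test keys and offers no Secure Boot assurance would help anyone reading the build log. The enclosing `case "${FLAGS_target}"` starts outside the hunk.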


@ -12,6 +12,7 @@ VALID_IMG_TYPES=(
openstack openstack
qemu qemu
qemu_uefi qemu_uefi
qemu_uefi_secure
qemu_xen qemu_xen
rackspace rackspace
rackspace_onmetal rackspace_onmetal
@ -115,6 +116,10 @@ IMG_qemu_uefi_DISK_FORMAT=qcow2
IMG_qemu_uefi_DISK_LAYOUT=vm IMG_qemu_uefi_DISK_LAYOUT=vm
IMG_qemu_uefi_CONF_FORMAT=qemu_uefi IMG_qemu_uefi_CONF_FORMAT=qemu_uefi
IMG_qemu_uefi_secure_DISK_FORMAT=qcow2
IMG_qemu_uefi_secure_DISK_LAYOUT=vm
IMG_qemu_uefi_secure_CONF_FORMAT=qemu_uefi_secure
IMG_qemu_xen_DISK_FORMAT=qcow2 IMG_qemu_xen_DISK_FORMAT=qcow2
IMG_qemu_xen_DISK_LAYOUT=vm IMG_qemu_xen_DISK_LAYOUT=vm
IMG_qemu_xen_CONF_FORMAT=qemu_xen IMG_qemu_xen_CONF_FORMAT=qemu_xen
@ -590,6 +595,18 @@ _write_qemu_uefi_conf() {
VM_GENERATED_FILES+=( "$(_dst_dir)/${ovmf_ro}" "$(_dst_dir)/${ovmf_rw}" ) VM_GENERATED_FILES+=( "$(_dst_dir)/${ovmf_ro}" "$(_dst_dir)/${ovmf_rw}" )
} }
_write_qemu_uefi_secure_conf() {
local ovmf_rw="$(_dst_name "_ovmf_vars.fd")"
_write_qemu_uefi_conf
cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
flash-var "$(_dst_dir)/${ovmf_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
flash-var "$(_dst_dir)/${ovmf_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
flash-var "$(_dst_dir)/${ovmf_rw}" "db" "${VM_TMP_DIR}/DB.esl"
}
_write_qemu_xen_conf() { _write_qemu_xen_conf() {
local script="$(_dst_dir)/$(_dst_name ".sh")" local script="$(_dst_dir)/$(_dst_name ".sh")"
local dst_name=$(basename "$VM_DST_IMG") local dst_name=$(basename "$VM_DST_IMG")
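Review bot: The `cert-to-efi-sig-list` and `flash-var` calls in `_write_qemu_uefi_secure_conf` run unchecked, so if any of them fails (tool not installed, unwritable `${VM_TMP_DIR}`, wrong variable name) the build can still emit a qemu_uefi_secure image whose OVMF vars have no PK enrolled, which boots with Secure Boot silently disabled and is indistinguishable from a plain qemu_uefi image. Unless the file runs under `set -e` (not visible in this hunk), each of those six calls should abort the build on failure with whatever error helper this file already uses. The function also lacks a header comment; one stating that it enrolls the publicly distributed test keys from `/usr/share/sb_keys` as PK/KEK/db, and that the resulting image therefore trusts anything signed with those keys, would document the intended scope of this target. That same `/usr/share/sb_keys` path is hard-coded in the other file's hunk as well; a single shared variable would keep the two in sync. The `local ovmf_rw="$(...)"` line additionally masks the exit status of `_dst_name` (ShellCheck SC2155); splitting declaration and assignment avoids that.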