WIP: use correct secure boot key for signing

DB for signing shim, shim key for signing everything else. shim cert (for verification) is part of shim, so everything shim checks/loads uses the shim key, whereas shim itself is validated by UEFI. Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
2026-03-09 15:31:05 +01:00 · 2023-12-12 17:05:29 +00:00 · 2023-12-12 17:05:29 +00:00 · be85bbb653
commit be85bbb653
parent 35d792f550
3 changed files with 14 additions and 12 deletions
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@ -828,8 +828,8 @@ EOF

  # Sign the kernel after /usr is in a consistent state and verity is calculated
  if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-      sudo sbsign --key /usr/share/sb_keys/DB.key \
-	   --cert /usr/share/sb_keys/DB.crt \
+      sudo sbsign --key /usr/share/sb_keys/shim.key \
+	   --cert /usr/share/sb_keys/shim.pem \
 	   "${root_fs_dir}/boot/flatcar/vmlinuz-a"
      sudo mv "${root_fs_dir}/boot/flatcar/vmlinuz-a.signed" \
 	   "${root_fs_dir}/boot/flatcar/vmlinuz-a"
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@ -194,23 +194,25 @@ case "${FLAGS_target}" in
        sudo mkdir -p "${ESP_DIR}/EFI/boot"
        # Use the test keys for signing unofficial builds
        if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+            info "Signing artifacts for secure boot with dev keys"
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
                    --cert /usr/share/sb_keys/shim.pem \
                    "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
            sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
                "${ESP_DIR}/EFI/boot/grubx64.efi"
-            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
                    --cert /usr/share/sb_keys/shim.pem \
                    "/usr/lib/shim/mmx64.efi"
            sudo cp "/usr/lib/shim/mmx64.efi.signed" \
                "${ESP_DIR}/EFI/boot/mmx64.efi"
-            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+            sudo sbsign --key /usr/share/sb_keys/shim.key \
                    --cert /usr/share/sb_keys/shim.pem \
                    "/usr/lib/shim/fbx64.efi"
-            sudo cp "/usr/lib/shim/fbx64.efi.signed" \
-                "${ESP_DIR}/EFI/boot/fbx64.efi"
-            sudo sbsign --key /usr/share/sb_keys/shim.rsa \
-                 --cert /usr/share/sb_keys/shim.pem \
+            # fbx64.efi is used to setup boot entries
+            #sudo cp "/usr/lib/shim/fbx64.efi.signed" \
+            #    "${ESP_DIR}/EFI/boot/fbx64.efi"
+            sudo sbsign --key /usr/share/sb_keys/DB.key \
+                 --cert /usr/share/sb_keys/DB.crt \
                 --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
                 "/usr/lib/shim/shim.efi"
        else
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@ -51,7 +51,7 @@ src_compile() {
 		emake_args+=( ARCH=aarch64 )
 	fi
  emake_args+=( ENABLE_SBSIGN=1 )
-  emake_args+=( VENDOR_CERT_FILE="${FILESDIR}/shim.der" )
+  emake_args+=( VENDOR_CERT_FILE="${ROOT}/usr/share/sb_keys/shim.der" )
 	emake "${emake_args[@]}" || die
 }

@ -65,6 +65,6 @@ src_install() {
 	fi
 	insinto /usr/lib/shim
 	newins "shim${suffix}.efi" 'shim.efi'
-  newins "mm${suffix}.efi" "mm${suffix}.efi"
-  newins "fb${suffix}.efi" "fb${suffix}.efi"
+	newins "mm${suffix}.efi" "mm${suffix}.efi"
+	newins "fb${suffix}.efi" "fb${suffix}.efi"
 }