From be85bbb653b7308b8e87921225673295ed30e145 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Tue, 12 Dec 2023 17:05:29 +0000
Subject: [PATCH] WIP: use correct secure boot key for signing
DB for signing shim, shim key for signing everything else. shim cert (for verification) is part of shim, so everything shim checks/loads uses the shim key, whereas shim itself is validated by UEFI.
Signed-off-by: Jeremi Piotrowski
---
 build_library/build_image_util.sh | 4 ++--
 build_library/grub_install.sh | 16 +++++++++-------
 .../sys-boot/shim/shim-9999.ebuild | 6 +++---
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 570743c239..64a7a89b86 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -828,8 +828,8 @@ EOF
 # Sign the kernel after /usr is in a consistent state and verity is calculated
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
- sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
+ --cert /usr/share/sb_keys/shim.pem \
 "${root_fs_dir}/boot/flatcar/vmlinuz-a"
 sudo mv "${root_fs_dir}/boot/flatcar/vmlinuz-a.signed" \
 "${root_fs_dir}/boot/flatcar/vmlinuz-a"
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 936ca93045..3cd3f8053c 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
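Review bot: The kernel is now signed with `shim.key`/`shim.pem`, but nothing in this patch shows those files being installed under /usr/share/sb_keys — grub_install.sh previously referenced `shim.rsa` and this patch only renames the references, so the package that ships the dev keys presumably needs a matching change or this `sbsign` call fails at image-build time. The certificate passed to `--cert` also has to be the same one shim is compiled with (`VENDOR_CERT_FILE=.../shim.der` in the ebuild hunk), since per the commit message shim, not the UEFI db, verifies the kernel; I would record that coupling next to the call: `# Must be the cert built into shim as VENDOR_CERT_FILE (shim.der): shim verifies the kernel against it.` The enclosing function starts before and ends after this hunk.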
@@ -194,23 +194,25 @@ case "${FLAGS_target}" in
 sudo mkdir -p "${ESP_DIR}/EFI/boot"
 # Use the test keys for signing unofficial builds
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
- sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+ info "Signing artifacts for secure boot with dev keys"
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
 --cert /usr/share/sb_keys/shim.pem \
 "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
 sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
 "${ESP_DIR}/EFI/boot/grubx64.efi"
- sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
 --cert /usr/share/sb_keys/shim.pem \
 "/usr/lib/shim/mmx64.efi"
 sudo cp "/usr/lib/shim/mmx64.efi.signed" \
 "${ESP_DIR}/EFI/boot/mmx64.efi"
- sudo sbsign --key /usr/share/sb_keys/shim.rsa \
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
 --cert /usr/share/sb_keys/shim.pem \
 "/usr/lib/shim/fbx64.efi"
- sudo cp "/usr/lib/shim/fbx64.efi.signed" \
- "${ESP_DIR}/EFI/boot/fbx64.efi"
- sudo sbsign --key /usr/share/sb_keys/shim.rsa \
- --cert /usr/share/sb_keys/shim.pem \
+ # fbx64.efi is used to setup boot entries
+ #sudo cp "/usr/lib/shim/fbx64.efi.signed" \
+ # "${ESP_DIR}/EFI/boot/fbx64.efi"
+ sudo sbsign --key /usr/share/sb_keys/DB.key \
+ --cert /usr/share/sb_keys/DB.crt \
 --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
 "/usr/lib/shim/shim.efi"
 else
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
index e00a6a19e9..ce1e753e2c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@@ -51,7 +51,7 @@ src_compile() {
 emake_args+=( ARCH=aarch64 )
 fi
 emake_args+=( ENABLE_SBSIGN=1 )
- emake_args+=( VENDOR_CERT_FILE="${FILESDIR}/shim.der" )
+ emake_args+=( VENDOR_CERT_FILE="${ROOT}/usr/share/sb_keys/shim.der" )
 emake "${emake_args[@]}" || die
 }
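Review bot: The `sbsign` of `/usr/lib/shim/fbx64.efi` still runs, but the `sudo cp` that installed the resulting `fbx64.efi.signed` into the ESP is now commented out, so that signing is dead work and the ESP ships no fallback loader. Either drop that `sbsign` block as well or restore the copy; commented-out code should not remain in the script, and the new comment `# fbx64.efi is used to setup boot entries` describes what the file does rather than why it is no longer installed — `# fbx64.efi (shim fallback) is deliberately not installed: <reason>` would tell the next reader. The same key/cert path pair is repeated four times here and once more in build_image_util.sh; hoisting the dev-key paths into two variables next to the `COREOS_OFFICIAL` check would keep them in one place. The enclosing `case` arm and `if` begin before this hunk and the `else` branch continues after it.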
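Review bot: `${ROOT}` in `src_compile` refers to the installation target, not to the root where build-time dependencies are found; depending on the EAPI this ebuild declares (not visible here) `ROOT` may not even be exported to src_* phases, and in a cross build the target root need not contain /usr/share/sb_keys/shim.der. `${ESYSROOT}` (EAPI 7+) is the conventional prefix for files provided by DEPEND at build time, and the package that installs the dev keys should be listed in DEPEND so the cert is guaranteed to exist: `emake_args+=( VENDOR_CERT_FILE="${ESYSROOT}/usr/share/sb_keys/shim.der" )`. Since this certificate becomes shim's embedded trust root, a comment stating the coupling would help: `# Vendor cert embedded in shim; grubx64.efi and the kernel must be signed with its key.` The `src_compile` function begins before this hunk.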
@@ -65,6 +65,6 @@ src_install() {
 fi
 insinto /usr/lib/shim
 newins "shim${suffix}.efi" 'shim.efi'
- newins "mm${suffix}.efi" "mm${suffix}.efi"
- newins "fb${suffix}.efi" "fb${suffix}.efi"
+ newins "mm${suffix}.efi" "mm${suffix}.efi"
+ newins "fb${suffix}.efi" "fb${suffix}.efi"
 }