From e48c9ffebe093b1c8bb0adf73272cecae7af039a Mon Sep 17 00:00:00 2001
From: Johann Queuniet
Date: Mon, 30 Mar 2026 16:33:09 +0200
Subject: [PATCH] Parameterize secure boot keys

Signed-off-by: Johann Queuniet
---
 build_library/grub_install.sh         |  7 +++++--
 build_library/sbsign_util.sh          |  4 ++--
 build_library/vm_image_util.sh        | 10 ++++++++--
 .../sys-boot/shim/shim-15.8-r3.ebuild |  2 +-
 sdk_lib/sdk_container_common.sh       |  3 +++
 sdk_lib/sdk_entry.sh                  | 13 ++++++++++---
 6 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 0c0dfe0bb0..801437e331 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -37,6 +37,9 @@ switch_to_strict_mode
 . "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
 . "${BUILD_LIBRARY_DIR}/sbsign_util.sh" || exit 1
 
+SBSIGN_DB_KEY="${SBSIGN_DB_KEY:-/usr/share/sb_keys/DB.key}"
+SBSIGN_DB_CERT="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
+
 # Our GRUB lives under flatcar/grub so new pygrub versions cannot find grub.cfg
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
 
@@ -202,8 +205,8 @@ case "${FLAGS_target}" in
 
             # Unofficial build: Sign shim with our development key.
             sudo sbsign \
-                --key /usr/share/sb_keys/DB.key \
-                --cert /usr/share/sb_keys/DB.crt \
+                --key "${SBSIGN_DB_KEY}" \
+                --cert "${SBSIGN_DB_CERT}" \
                 --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
         else
diff --git a/build_library/sbsign_util.sh b/build_library/sbsign_util.sh
index 8b084238a1..420089bba5 100644
--- a/build_library/sbsign_util.sh
+++ b/build_library/sbsign_util.sh
@@ -3,8 +3,8 @@
 # found in the LICENSE file.
 
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="/usr/share/sb_keys/shim.key"
-    SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
+    SBSIGN_KEY="${SBSIGN_KEY:-/usr/share/sb_keys/shim.key}"
+    SBSIGN_CERT="${SBSIGN_CERT:-/usr/share/sb_keys/shim.pem}"
 else
     SBSIGN_KEY="pkcs11:token=flatcar-secure-boot-prod-2026-04"
     unset SBSIGN_CERT
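Review bot: The two halves of a signing pair can now be overridden independently — `SBSIGN_DB_KEY` and `SBSIGN_DB_CERT` get separate defaults here, and the sbsign_util.sh hunk does the same for `SBSIGN_KEY`/`SBSIGN_CERT` — so a caller who exports only the key (or only the cert) signs the shim with a key that does not match the certificate the image will trust, and nothing reports it until the board refuses to boot. A pairing check next to the defaults, `if [[ -n ${SBSIGN_DB_KEY:-} || -n ${SBSIGN_DB_CERT:-} ]] && [[ -z ${SBSIGN_DB_KEY:-} || -z ${SBSIGN_DB_CERT:-} ]]; then die "SBSIGN_DB_KEY and SBSIGN_DB_CERT must be set together"; fi` (using whatever error helper this script has in scope), turns that into a build-time error; sbsign_util.sh wants the same for its pair. The second hunk in this file would also benefit from `[[ -r ${SBSIGN_DB_KEY} && -r ${SBSIGN_DB_CERT} ]]` before the `sudo sbsign` call, since sbsign's own error for a missing key path is less clear than naming the variable. A comment on the new defaults saying they are only consulted on the unofficial path (the second hunk's `# Unofficial build` branch) would also help, because the official path in sbsign_util.sh ignores the environment entirely.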
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index ba71581219..2d83aca277 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -890,11 +890,17 @@ _write_qemu_uefi_secure_conf() {
     esac
 
     # TODO: Remove the temporary flatcar shim signing cert
+    local _sb_db_cert="${SBSIGN_DB_CERT:-/usr/share/sb_keys/DB.crt}"
+    local _sb_extra_db_certs=()
+    if [[ -z ${SBSIGN_DB_CERT:-} ]]; then
+        # Default behavior: include the temporary dev shim cert alongside DB.crt
+        _sb_extra_db_certs=( --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert" )
+    fi
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
-        --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
+        --add-db "${owner}" "${_sb_db_cert}" \
+        "${_sb_extra_db_certs[@]}"
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
index c2cd0941b4..0a8ca8f287 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
@@ -54,7 +54,7 @@ src_compile() {
 		fi
 		emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE}" )
 	else
-		emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
+		emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE:-/usr/share/sb_keys/shim.der}" )
 	fi
 	emake "${emake_args[@]}" || die
 }
diff --git a/sdk_lib/sdk_container_common.sh b/sdk_lib/sdk_container_common.sh
index b0f94cfbf6..2e02da42f7 100644
--- a/sdk_lib/sdk_container_common.sh
+++ b/sdk_lib/sdk_container_common.sh
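Review bot: The certificate enrolled into the firmware DB is chosen from `SBSIGN_DB_CERT` alone, while the shim is signed with `SBSIGN_DB_KEY` in grub_install.sh; when only one of the two is overridden, the QEMU image enrolls a DB entry that does not match the shim signature and the secure-boot run fails closed with no hint at build time, so the two should be validated as a pair where they are defaulted. The `# TODO: Remove the temporary flatcar shim signing cert` comment now heads the whole block but only describes the `if` body; moving it inside the conditional, next to the `_sb_extra_db_certs=(` line, keeps it attached to the line it refers to. If this function runs under `set -u` on a bash older than 4.4, expanding the empty array in `"${_sb_extra_db_certs[@]}"` aborts with an unbound-variable error; `${_sb_extra_db_certs[@]+"${_sb_extra_db_certs[@]}"}` is the portable spelling. _write_qemu_uefi_secure_conf's body starts before the hunk.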
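Review bot: The unofficial branch now reads `SHIM_SIGNING_CERTIFICATE` without checking that the file is readable in the build sandbox, so a wrong path fails somewhere inside shim's `emake` rather than with a message that names the variable; the official branch just above appears to validate it before use. Resolving the path once, `local vendor_cert="${SHIM_SIGNING_CERTIFICATE:-/usr/share/sb_keys/shim.der}"`, then `[[ -r ${vendor_cert} ]] || die "VENDOR_CERT_FILE not readable: ${vendor_cert}"` and `emake_args+=( VENDOR_CERT_FILE="${vendor_cert}" )`, gives both branches one code path with one check. The ebuild's output now depends on an environment variable but the revision (shim-15.8-r3) is unchanged, so an already-built shim or binary package carrying the default shim.der will be reused after the variable changes, and the vendor certificate embedded in shim will no longer match the key named by SBSIGN_KEY — a mismatch that only surfaces as a refused bootloader. src_compile's body starts before the hunk.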
@@ -213,6 +213,9 @@ function setup_sdk_env() {
             \
             USE FEATURES PORTAGE_USERNAME FORCE_STAGES \
             SIGNER \
+            SBSIGN_KEY SBSIGN_CERT SBSIGN_DB_KEY SBSIGN_DB_CERT \
+            SHIM_SIGNING_CERTIFICATE \
+            MODULE_SIGNING_KEY_DIR SYSEXT_SIGNING_KEY_DIR \
             all_proxy ftp_proxy http_proxy https_proxy no_proxy; do
         if [ -n "${!var:-}" ] ; then
diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
index e5dc4ede5a..8757b4b39b 100755
--- a/sdk_lib/sdk_entry.sh
+++ b/sdk_lib/sdk_entry.sh
@@ -72,10 +72,14 @@ fi
 
 # Create key directory if not already configured in .bashrc
 if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then
-    # For official builds, use ephemeral keys. For unofficial builds, use persistent directory
-    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+    if [[ -n ${MODULE_SIGNING_KEY_DIR:-} ]]; then
+        # Pre-set via environment (e.g. .sdkenv) — use as-is
+        :
+    elif [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+        # For official builds, use ephemeral keys
         MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     else
+        # For unofficial builds, use persistent directory
         MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys"
         su sdk -c "mkdir -p ${MODULE_SIGNING_KEY_DIR@Q}"
     fi
@@ -97,7 +101,10 @@ if grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
     fi
 fi
 grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
-    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+    if [[ -n ${SYSEXT_SIGNING_KEY_DIR:-} ]]; then
+        # Pre-set via environment (e.g. .sdkenv) — use as-is
+        :
+    elif [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
         SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     else
         SYSEXT_SIGNING_KEY_DIR="/home/sdk/.sysext-signing-keys"
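Review bot: Every name added to the passthrough list is forwarded verbatim, and for the path-valued ones (`SBSIGN_KEY`, `SBSIGN_CERT`, `SBSIGN_DB_KEY`, `SBSIGN_DB_CERT`, `SHIM_SIGNING_CERTIFICATE`, `MODULE_SIGNING_KEY_DIR`, `SYSEXT_SIGNING_KEY_DIR`) a host path is only meaningful if the same path exists inside the SDK container; nothing in this change mounts or checks it, so a host-only path is discovered late as a signing failure rather than at SDK entry. A comment above the new names, `# Key/cert paths are forwarded unchanged and must resolve inside the container (bind-mount or copy them); they are not validated here`, records that contract where the next person will look. setup_sdk_env's body starts before and continues after the hunk.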
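Review bot: The new pre-set branch accepts `MODULE_SIGNING_KEY_DIR` as-is with no check that the directory exists or is writable by the sdk user, unlike the two existing branches that create it via `su sdk`, so a typo or a root-owned path is only noticed when key generation fails later. Replacing the bare `:` with `su sdk -c "test -d ${MODULE_SIGNING_KEY_DIR@Q} && test -w ${MODULE_SIGNING_KEY_DIR@Q}" || { echo "MODULE_SIGNING_KEY_DIR is not a directory writable by sdk: ${MODULE_SIGNING_KEY_DIR}" >&2; exit 1; }` fails early with the variable's name; the second hunk of this file needs the same guard for `SYSEXT_SIGNING_KEY_DIR`. Since private signing keys live in these directories, the same check is a natural place to refuse or at least warn on group- or world-readable permissions. Note also that the surrounding `grep -q` guard means a pre-set value is only consulted until it has been persisted to .bashrc (presumably just below the hunk), after which a different environment value is silently ignored; that deserves a comment on the `if [[ -n ${MODULE_SIGNING_KEY_DIR:-} ]]` line.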