syslinux is still used, but only for the ISO with isohybrid and a
different configuration.
Xen now uses the newer pvgrub, which chainloads into GRUB 2.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We want to sign and verify kernel load scripts with GRUB, but it only
supports GPG signatures for plain text files.
To avoid needing to manage another key in Azure Key Vault for official
builds, the existing key has been converted, keeping the start and end
dates from the existing certificate.
For unofficial builds, it is awkward to convert plain PEM files into GPG
keys, but there is no need to use the same key in this case anyway, so a
new key has been created. Being publicly visible, it has no expiry date.
Two new scripts have been added to generate official and unofficial keys
and certificates. The README has been rewritten with details on how to
use these scripts and what each file is actually for.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
We now need the official shim vendor certificate present in the SDK when
building the kernel so that it can be inserted and used to verify the
verity root hash and signed sysexts.
While we're at it, copy the official signing certificate from Azure Key
Vault so that we don't need to fetch it every time, simplifying the
signing code.
This change also partly deals with the eventual expiration of our shim
vendor certificate. We cannot simply replace the shim with one
containing just the new certificate because it needs to be able to boot
kernels from older releases. We therefore now keep all the certificates
in the coreos-sb-keys package as separate dated PEM files that then get
combined into a single DER ESL that the shim build expects. Note that
the shim does not check certificate expiry dates. It is therefore also
no longer necessary to manually convert the certificate to DER format.
The problem of actually upgrading the shim on user systems remains.
Each certificate in the DER ESL requires an owner GUID. We previous used
a zero GUID for the DB certificates, but these were only used for
testing. I have therefore now generated a static GUID for Flatcar that
we should use going forwards.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This pull request updates the README.md to include instructions for working with forks of the scripts repository. The new section explains how to fetch upstream tags to ensure proper version detection when using the SDK.
Documentation updates:
README.md: Added a new section titled "Working with forks" to guide users on fetching upstream tags when working with a fork of the scripts repository. This ensures compatibility with the SDK's version detection mechanism using git describe --tags.
Fixes: flatcar/Flatcar#1705
