mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-22 17:52:12 +01:00
Code Issues Packages Projects Releases Wiki Activity
flatcar-scripts/sdk_lib/sdk_entry.sh
Daniel f05097d82f
Fix kernel module signing with ephemeral keys for official builds (#3493) 
* sdk: Fix ephemeral key directory paths baked into container images

The SDK container build process was persisting temporary directory
paths for module signing keys into /home/sdk/.bashrc. This caused
all container instances to share the same ephemeral key location.

Fixed by:
- Runtime check in sdk_entry.sh to recreate stale temp directories
- Build-time cleanup in Dockerfiles to remove the variables

Each container instance now gets unique temporary directories.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

* sdk_entry: use persistent module signing keys for unofficial builds

For official builds (COREOS_OFFICIAL=1), continue using ephemeral
temporary directories for module signing keys.

For unofficial/development builds, use a persistent directory at
/mnt/host/source/.module-signing-keys to preserve keys across
container restarts.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

---------

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
2025-11-20 09:56:49 +01:00

117 lines
4.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Source SDK environment variables if available (includes COREOS_OFFICIAL, etc.)
if [ -f /mnt/host/source/.sdkenv ]; then
source /mnt/host/source/.sdkenv
fi
if [ -n "${SDK_USER_ID:-}" ] ; then
# If the "core" user from /usr/share/baselayout/passwd has the same ID, allow to take it instead
usermod --non-unique -u $SDK_USER_ID sdk
fi
if [ -n "${SDK_GROUP_ID:-}" ] ; then
groupmod --non-unique -g $SDK_GROUP_ID sdk
fi
chown -R sdk:sdk /home/sdk
# Fix up SDK repo configuration to use the new coreos-overlay name.
sed -i -r 's/^\[coreos\]/[coreos-overlay]/' /etc/portage/repos.conf/coreos.conf 2>/dev/null
sed -i -r '/^masters =/s/\bcoreos(\s|$)/coreos-overlay\1/g' /usr/local/portage/crossdev/metadata/layout.conf 2>/dev/null
# Check if the OS image version we're working on is newer than
# the SDK container version and if it is, update the boards
# chroot portage conf to point to the correct binhost.
(
source /etc/lsb-release # SDK version in DISTRIB_RELEASE
source /mnt/host/source/.repo/manifests/version.txt # OS image version in FLATCAR_VERSION_ID
version="${FLATCAR_VERSION_ID}"
# If this is a nightly build tag we can use pre-built binaries directly from the
# build cache.
if [[ "${FLATCAR_BUILD_ID}" =~ ^nightly-.*$ ]] ; then
version="${FLATCAR_VERSION_ID}+${FLATCAR_BUILD_ID}"
fi
if [ "${version}" != "${DISTRIB_RELEASE}" ] ; then
for target in amd64-usr arm64-usr; do
if [ ! -d "/build/$target" ] ; then
continue
fi
if [ -f "/build/$target/etc/target-version.txt" ] ; then
source "/build/$target/etc/target-version.txt"
if [ "${TARGET_FLATCAR_VERSION}" = "${version}" ] ; then
continue # already updated
fi
fi
echo
echo "Updating board support in '/build/${target}' to use package cache for version '${version}'"
echo "---"
sudo su sdk -l -c "/home/sdk/trunk/src/scripts/setup_board --board='$target' --regen_configs_only"
echo "TARGET_FLATCAR_VERSION='${version}'" | sudo tee "/build/$target/etc/target-version.txt" >/dev/null
done
fi
)
# SDK container is launched using the su command below, which does not preserve environment
# moreover, if multiple shells are attached to the same container,
# we want all of them to share the same value of the variable, therefore we need to save it in .bashrc
# Check if MODULE_SIGNING_KEY_DIR exists in .bashrc and if the directory actually exists
if grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then
# Extract the existing path
EXISTING_DIR=$(source /home/sdk/.bashrc 2>/dev/null; echo "$MODULE_SIGNING_KEY_DIR")
# If directory doesn't exist (stale from image build), remove the old entries and recreate
if [[ ! -d ${EXISTING_DIR} ]]; then
echo "Deleting stale module signing directory."
sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
-e '/export MODULES_SIGN_KEY=/d' \
-e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc
fi
fi
# Create key directory if not already configured in .bashrc
if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then
# For official builds, use ephemeral keys. For unofficial builds, use persistent directory
if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
else
MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys"
su sdk -c "mkdir -p ${MODULE_SIGNING_KEY_DIR@Q}"
fi
if [[ ! ${MODULE_SIGNING_KEY_DIR} || ! -d ${MODULE_SIGNING_KEY_DIR} ]]; then
echo "Failed to create directory for module signing keys."
else
echo "export MODULE_SIGNING_KEY_DIR='$MODULE_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
echo "export MODULES_SIGN_KEY='${MODULE_SIGNING_KEY_DIR}/certs/modules.pem'" >> /home/sdk/.bashrc
echo "export MODULES_SIGN_CERT='${MODULE_SIGNING_KEY_DIR}/certs/modules.pub.pem'" >> /home/sdk/.bashrc
fi
fi
# This is ugly.
# We need to sudo su - sdk -c so the SDK user gets a fresh login.
# 'sdk' is member of multiple groups, and plain docker USER only
# allows specifying membership of a single group.
# When a command is passed to the container, we run, respectively:
# sudo su - sdk -c "<command>".
# Then, we need to preserve whitespaces in arguments of commands
# passed to the container, e.g.
# ./update_chroot --toolchain_boards="amd64-usr arm64-usr".
# This is done via a separate ".cmd" file since we have used up
# our quotes for su -c "<cmd>" already.
if [ $# -gt 0 ] ; then
cmd="/home/sdk/.cmd"
echo -n "exec bash -l -i -c '" >"$cmd"
for arg in "$@"; do
echo -n "\"$arg\" " >>"$cmd"
done
echo "'" >>"$cmd"
chmod 755 "$cmd"
sudo su sdk -c "$cmd"
rc=$?
rm -f "$cmd"
exit $rc
else
exec sudo su -l sdk
fi
Reference in New Issue View Git Blame Copy Permalink