mirror of
https://github.com/flatcar/scripts.git
synced 2025-10-31 16:21:04 +01:00
56 lines
1.5 KiB
Bash
56 lines
1.5 KiB
Bash
# Copyright (c) 2024 The Flatcar Maintainers.
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
|
|
SBSIGN_KEY="/usr/share/sb_keys/shim.key"
|
|
SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
|
|
else
|
|
SBSIGN_KEY="pkcs11:token=flatcar-sb-dev-hsm-sign-2025"
|
|
unset SBSIGN_CERT
|
|
fi
|
|
|
|
PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure-keyvault-pkcs11.so"
|
|
|
|
PKCS11_ENV=(
|
|
AZURE_KEYVAULT_URL="https://flatcar-sb-dev-kv.vault.azure.net/"
|
|
PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}"
|
|
AZURE_KEYVAULT_PKCS11_DEBUG=1
|
|
)
|
|
|
|
get_sbsign_cert() {
|
|
if [[ ${SBSIGN_KEY} != pkcs11:* || -s ${SBSIGN_CERT-} ]]; then
|
|
return
|
|
fi
|
|
|
|
SBSIGN_CERT=$(mktemp -t signing-cert.XXXXXXXXXX.pem)
|
|
info "Fetching ${SBSIGN_KEY} from Azure"
|
|
|
|
# Needs Key Vault Reader role.
|
|
env "${PKCS11_ENV[@]}" p11-kit export-object \
|
|
--provider "${PKCS11_MODULE_PATH}" \
|
|
"${SBSIGN_KEY};type=cert" \
|
|
| tee "${SBSIGN_CERT}"
|
|
}
|
|
|
|
cleanup_sbsign_certs() {
|
|
if [[ ${SBSIGN_CERT-} == "${TMPDIR-/tmp}"/* ]]; then
|
|
rm -f -- "${SBSIGN_CERT}"
|
|
fi
|
|
}
|
|
|
|
do_sbsign() {
|
|
get_sbsign_cert
|
|
info "Signing ${@:$#} with ${SBSIGN_KEY}"
|
|
|
|
if [[ ${SBSIGN_KEY} == pkcs11:* ]]; then
|
|
set -- --engine pkcs11 "${@}"
|
|
fi
|
|
|
|
# Needs Key Vault Crypto User role.
|
|
sudo env "${PKCS11_ENV[@]}" sbsign \
|
|
--key "${SBSIGN_KEY}" \
|
|
--cert "${SBSIGN_CERT}" \
|
|
"${@}"
|
|
}
|