flatcar-scripts

mirror of https://github.com/flatcar/scripts.git synced 2025-08-12 15:36:58 +02:00

History

James Le Cuirot e6e2383bf7 Rework handling of the Secure Boot keys and certificates We now need the official shim vendor certificate present in the SDK when building the kernel so that it can be inserted and used to verify the verity root hash and signed sysexts. While we're at it, copy the official signing certificate from Azure Key Vault so that we don't need to fetch it every time, simplifying the signing code. This change also partly deals with the eventual expiration of our shim vendor certificate. We cannot simply replace the shim with one containing just the new certificate because it needs to be able to boot kernels from older releases. We therefore now keep all the certificates in the coreos-sb-keys package as separate dated PEM files that then get combined into a single DER ESL that the shim build expects. Note that the shim does not check certificate expiry dates. It is therefore also no longer necessary to manually convert the certificate to DER format. The problem of actually upgrading the shim on user systems remains. Each certificate in the DER ESL requires an owner GUID. We previous used a zero GUID for the DB certificates, but these were only used for testing. I have therefore now generated a static GUID for Flatcar that we should use going forwards. Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>	2025-06-23 15:10:18 +01:00
..
.repo/manifests	New version: main-4372.0.0-nightly-20250620-2100	2025-06-21 04:25:30 +00:00
src/third_party	Rework handling of the Secure Boot keys and certificates	2025-06-23 15:10:18 +01:00

James Le Cuirot e6e2383bf7

Rework handling of the Secure Boot keys and certificates

We now need the official shim vendor certificate present in the SDK when
building the kernel so that it can be inserted and used to verify the
verity root hash and signed sysexts.

While we're at it, copy the official signing certificate from Azure Key
Vault so that we don't need to fetch it every time, simplifying the
signing code.

This change also partly deals with the eventual expiration of our shim
vendor certificate. We cannot simply replace the shim with one
containing just the new certificate because it needs to be able to boot
kernels from older releases. We therefore now keep all the certificates
in the coreos-sb-keys package as separate dated PEM files that then get
combined into a single DER ESL that the shim build expects. Note that
the shim does not check certificate expiry dates. It is therefore also
no longer necessary to manually convert the certificate to DER format.
The problem of actually upgrading the shim on user systems remains.

Each certificate in the DER ESL requires an owner GUID. We previous used
a zero GUID for the DB certificates, but these were only used for
testing. I have therefore now generated a static GUID for Flatcar that
we should use going forwards.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

2025-06-23 15:10:18 +01:00

.repo/manifests

New version: main-4372.0.0-nightly-20250620-2100

2025-06-21 04:25:30 +00:00

src/third_party

Rework handling of the Secure Boot keys and certificates

2025-06-23 15:10:18 +01:00