diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 0e77010..b2425f3 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # 1. Shellcheck # Looks for +x files @@ -40,7 +40,7 @@ jobs: # 3. Python Lint - name: Set Up Python environment - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: '3.x' - name: Flake8 Lint @@ -52,7 +52,7 @@ jobs: ## # Test installed OS from built ISO: # 1. Build a "teckhost" iso from upstream release - # 2. Install OS on VM using teckhost-sda.iso (testing option) + # 2. Install OS on VM using teckhost.iso (testing option) # 3. Verify we can log in using the "testuser" account # 4. Run validation tests against the installed OS # 5. Ensure make clean produces no errors 
@@ -63,25 +63,26 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install Dependencies run: | sudo apt-get update - sudo apt-get install virtualbox libarchive-tools syslinux xorriso isolinux python3-distro coreutils + sudo apt-get install libarchive-tools syslinux xorriso isolinux python3-distro coreutils # 1. Build a "teckhost" iso from upstream release - name: Build Teckhost ISO id: build_iso - run: make teckhost-sda.iso + run: make teckhost-CICD_debian12.iso env: - THT_GRUBTEST: TEMPLATE_METHOD=lvm BS_pillar_root=test/pillar TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/master/test/pillar/skeys.gpg BS_gitfs_pillar_base=master BS_gitfs_base=${{ github.sha }} + THT_GRUBTEST: BS_pillar_root=test/pillar TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/master/test/pillar/skeys.gpg BS_gitfs_pillar_base=master BS_gitfs_base=${{ github.sha }} - - name: Save ISO (teckhost-sda.iso) - uses: actions/upload-artifact@v3 + - name: Save ISO (teckhost.iso) + uses: actions/upload-artifact@v4 with: - name: teckhost-sda_${{ github.sha }}.iso - path: teckhost-sda.iso + name: teckhost-CICD_debian12-${{ github.sha }}.iso + path: teckhost-CICD_debian12.iso + compression-level: 0 testinstall: name: "Install and Validate" @@ -96,7 +97,7 @@ jobs: runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install Dependencies run: | 
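Review bot: In the new `THT_GRUBTEST` value, `BS_gitfs_base=${{ github.sha }}` pins the salt states to the commit under test, but `TH_SALTGPG` still fetches `.../teckhost/master/test/pillar/skeys.gpg` and `BS_gitfs_pillar_base=master`, so a branch that changes the test pillar or its key is validated against master's copies rather than its own. If that is not intended, the GPG URL can use the same commit, `TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/${{ github.sha }}/test/pillar/skeys.gpg`, with `BS_gitfs_pillar_base=${{ github.sha }}` alongside it. Separately, `actions/checkout@v4` and `actions/upload-artifact@v4` here (and the matching bumps in the other hunks of this file and in release.yml) reference mutable major tags; pinning each to a full commit SHA with the tag in a trailing comment keeps the build reproducible if a tag is moved.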
@@ -105,30 +106,30 @@ jobs: pip3 install pytest-testinfra distro #sh ./test/vbox_extpack - - name: Pull ISO (teckhost-sda.iso) - uses: actions/download-artifact@v3 + - name: Pull ISO (teckhost.iso) + uses: actions/download-artifact@v4 with: - name: teckhost-sda_${{ github.sha }}.iso + name: teckhost-CICD_debian12-${{ github.sha }}.iso - # 2. Install OS on VM using teckhost-sda.iso (testing option) + # 2. Install OS on VM using teckhost.iso (testing option) - name: Create VM and Install (Testing) Teckhost id: install_os - run: touch testseed.cfg; touch teckhost-sda.iso; make testpc1 + run: make testpc1_${{ matrix.os }} env: - TH_ISOPATH: teckhost-sda_${{ github.sha }}.iso TH_SHOTS: testpc1-${{ matrix.boot }} TH_BOOT: ${{ matrix.boot }} - name: (on failure) Package Screenshots if: failure() && steps.install_os.outcome == 'failure' - run: "tar -vcf testpc1-${{ matrix.boot }}.tar *.png" + run: "tar -vczf testpc1-${{ matrix.boot }}.tgz *.png" - name: (on failure) Upload Screenshots if: failure() && steps.install_os.outcome == 'failure' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: testpc1-${{ matrix.boot }}_screenshots.tar - path: testpc1-${{ matrix.boot }}.tar + name: testpc1-${{ matrix.boot }}_screenshots.tgz + path: testpc1-${{ matrix.boot }}.tgz + compression-level: 0 # 3. Verify we can log in using the "testuser" account - name: User (testuser) Login diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d4712a7..00af567 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # 1. Pre-Release Checks - name: Pre-Release Checks 
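Review bot: `run: make testpc1_${{ matrix.os }}` drops the `touch testseed.cfg; touch teckhost-sda.iso` workaround without a replacement, and the Makefile rule introduced by this same commit (`testpc1_%: teckhost-CICD_%.iso`, with `teckhost-CICD_%.iso: upstream_%.iso iso/%/testseed.cfg`) will find both prerequisites missing beside the downloaded artifact, so make is likely to re-download the upstream image and rebuild the ISO on the macos runner instead of installing the artifact that was just produced. If the download is meant to be used as-is, recreate the stamps with the target last so it stays newest: `run: touch upstream_${{ matrix.os }}.iso iso/${{ matrix.os }}/testseed.cfg teckhost-CICD_${{ matrix.os }}.iso; make testpc1_${{ matrix.os }}`. The `matrix.os` definition is outside this hunk, so whether its values match the `iso/<os>/` directories cannot be checked here.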
@@ -43,7 +43,7 @@ jobs: # 2. Build "Production" ISO (teckhost*.iso) - name: Build Teckhost ISO id: build_iso - run: make teckhost.iso teckhost-sda.iso teckhost-nvme0n1.iso + run: make teckhost.iso # 3. Publish Release w/ Artifacts - name: Create Release diff --git a/.gitignore b/.gitignore index 568c803..e6f4281 100644 --- a/.gitignore +++ b/.gitignore @@ -8,5 +8,4 @@ __pycache__ .pytest_cache/ # Makefile -testseed.cfg -testseed.cfg.orig +testseed* diff --git a/HACKING.rst b/HACKING.rst index 3dbdba9..78283fe 100644 --- a/HACKING.rst +++ b/HACKING.rst @@ -39,10 +39,6 @@ Download and cache "latest" ``debian-netinst.iso``:: Build the Default ISO:: make teckhost.iso - OR - make teckhost-sda.iso - OR - make teckhost-nvme0n1.iso Run tests:: @@ -50,8 +46,8 @@ Run tests:: Build and log in to dev box (requires virtualbox):: - make devpc1 - make devpc1-ssh + make testpc1 + make testpc1-ssh .. _branches: @@ -124,11 +120,10 @@ Makefile Key Targets: - ``make teckhost.iso`` -- ``make teckhost-sda.iso`` - ``make test`` -- ``make devpc1`` -- ``make devpc1-ssh`` -- ``make devpc1-root`` +- ``make testpc1_`` +- ``make ssh-testpc1-user`` +- ``make ssh-testpc1-admin`` - ``make clean`` .. _version w/ firmware: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current/amd64/iso-cd/ diff --git a/Makefile b/Makefile index 9e0862b..0867cc0 100644 --- a/Makefile +++ b/Makefile 
@@ -7,42 +7,32 @@ export WORKSPACE ?= $(abspath $(PWD)/) export GRUB_EXTRA ?= hostname=testpc1 # Version Table -debian12_src ?= https://cdimage.debian.org/cdimage/archive/12.1.0/amd64/iso-cd/debian-12.1.0-amd64-netinst.iso -debian12_sha ?= 9f181ae12b25840a508786b1756c6352a0e58484998669288c4eec2ab16b8559 - +debian12_src ?= https://cdimage.debian.org/cdimage/archive/12.4.0/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso +debian12_sha ?= 64d727dd5785ae5fcfd3ae8ffbede5f40cca96f1580aaa2820e8b99dae989d94 ## # ISO ## -# Intended for production use -teckhost.iso: upstream_debian12.iso iso/preseed.cfg iso/grub-bios.cfg iso/grub-efi.cfg - ./iso/build_iso \ - -s iso/preseed.cfg \ - -i upstream_debian12.iso \ - -o teckhost.iso \ - -x "$(GRUB_EXTRA)" \ - -f iso/grub-bios.cfg -g iso/grub-efi.cfg - -# Intended for use with automated testing -teckhost-%.iso: upstream_debian12.iso testseed.cfg iso/grub-bios.cfg iso/grub-efi.cfg - ./iso/build_iso \ - -s testseed.cfg \ - -i upstream_debian12.iso \ - -o "$@" \ - -d "/dev/$*" \ - -x "$(GRUB_EXTRA)" \ - -f iso/grub-bios.cfg -g iso/grub-efi.cfg - -# Intended for local developmnt with virtualbox -teckhost-local.iso: upstream_debian12.iso testseed.cfg iso/grub-bios.cfg iso/grub-efi.cfg - ./iso/build_iso \ - -s testseed.cfg \ - -i upstream_debian12.iso \ - -o teckhost-local.iso \ - -d /dev/sda \ - -x "hostname=devpc1 BS_devdir=/srv" \ - -f iso/grub-bios.cfg -g iso/grub-efi.cfg +# Default release +teckhost.iso: teckhost_debian12.iso + cp teckhost_debian12.iso teckhost.iso + +# Intended for use in production and development +teckhost_%.iso: upstream_%.iso + ./iso/build_iso $(ISOARGS) \ + -i upstream_$*.iso -o teckhost_$*.iso \ + -f iso/$*/grub-bios.cfg -g iso/$*/grub-efi.cfg \ + -x "$(GRUB_EXTRA)" \ + -s iso/$*/preseed.cfg + +# Intended for use in automated testing +teckhost-CICD_%.iso: upstream_%.iso iso/%/testseed.cfg + ./iso/build_iso $(ISOARGS) \ + -i upstream_$*.iso -o $@ \ + -f iso/$*/grub-bios.cfg -g iso/$*/grub-efi.cfg \ + -x 
"$(GRUB_EXTRA)" \ + -s iso/$*/testseed.cfg # Grab an upstream ISO and validate checksum upstream_%.iso: 
@@ -55,67 +45,63 @@ upstream_%.iso: ## -# Preeseed +# Test/Dev Stuff ## -testseed.cfg: iso/preseed.cfg test/preseed.patch - cp iso/preseed.cfg testseed.cfg - patch testseed.cfg test/preseed.patch +# Apply minimum patches (hostname, confirmation, etc.) to preseed +iso/%/testseed.cfg: iso/%/preseed.cfg iso/%/preseed_test.patch + cp iso/$*/preseed.cfg iso/$*/testseed.cfg + patch iso/$*/testseed.cfg iso/$*/preseed_test.patch -## -# Test/Dev Stuff -## - -# This can't be cleanly checked into git +# File modes in git are not reliable testprep: chmod 0700 test/.ssh chmod 0600 test/.ssh/id_ed25519 -# Run all tests against testpc1 -test: test-testpc1 -test-testpc1: pytest-testpc1-user pytest-testpc1-admin - -# Run all tests against devpc1 -test-devpc1: pytest-devpc1-user pytest-devpc1-admin +# Create testpc1 and run all {admin,user} tests +test: testpc1_debian12 pytest-testpc1-user pytest-testpc1-admin -# Run tests against a host (test--) -_target = $(word $2,$(subst -, ,$1)) +# Run user-only tests against a host as user:testuser +pytest-%-user: + python3 -m pytest \ + --ssh-config=test/.ssh/config \ + --ssh-identity-file=test/.ssh/id_ed25519 \ + --hosts=ssh://testuser@$* \ + --type user -.SECONDEXPANSION: -pytest-%: testprep $$(call _target,$$*,1) explicit_phony +# Run root-required tests against a host as user:testadmin +pytest-%-admin: python3 -m pytest \ - --ssh-config=test/.ssh/config --ssh-identity-file=test/.ssh/id_ed25519 \ - --hosts=ssh://test$(call _target,$*,2)@$(call _target,$*,1) \ - --type $(call _target,$*,2) + --ssh-config=test/.ssh/config \ + --ssh-identity-file=test/.ssh/id_ed25519 \ + --hosts=ssh://testadmin@$* \ + --type admin + +# Connect to a host using ssh as user:testadmin +ssh-%-user: testprep + ssh -F test/.ssh/config -i test/.ssh/id_ed25519 \ + ssh://testuser@$* + +# Connect to a host using ssh as user:testadmin +ssh-%-admin: testprep + ssh -F test/.ssh/config -i test/.ssh/id_ed25519 \ + ssh://testadmin@$* -# Connect to a host using ssh (ssh--) 
-ssh-%: $$(call _target,$$*,1) explicit_phony - ssh \ - -F test/.ssh/config -i test/.ssh/id_ed25519 \ - ssh://test$(call _target,$*,2)@$(call _target,$*,1) ## # Virtual Machines ## -# TEST: The standard virtualbox deployment; replicates production -testpc1: teckhost-sda.iso -ifneq (,$(findstring testpc1,$(shell VBoxManage list runningvms))) +# Create a testpc1 image using the specified iso +testpc1_%: teckhost-CICD_%.iso +ifneq (,$(findstring testpc1,$(shell VBoxManage list vms))) echo 'VM already exists: testpc1' else - ./test/vbox_create -i $(WORKSPACE)/teckhost-sda.iso -n testpc1 \ - -p 4222 -endif - -# DEV: Build a dev box using local file directory for salt data -# Note: The first highstate will still be from git -devpc1: teckhost-local.iso -ifneq (,$(findstring devpc1,$(shell VBoxManage list runningvms))) - echo 'VM already exists: devpc1' -else - ./test/vbox_create -i $(WORKSPACE)/teckhost-local.iso -n devpc1 \ - -p 4224 -d $(WORKSPACE) + ./test/vbox_create \ + -i $(WORKSPACE)/teckhost-CICD_$*.iso \ + -n testpc1 \ + -p 4222 endif @@ -123,11 +109,11 @@ endif # Cleanup ## -clean: clean-testpc1 clean-devpc1 - $(RM) testseed.cfg* teckhost*.iso +clean: clean-testpc1 + $(RM) iso/*/testseed.cfg teckhost*.iso # Delete a VM if it exists -clean-%: explicit_phony +clean-%: @if [ -n "$(findstring $*,$(shell VBoxManage list vms))" ]; then \ VBoxManage controlvm $* poweroff || true; \ VBoxManage unregistervm $* --delete; \ @@ -136,5 +122,4 @@ clean-%: explicit_phony fi -explicit_phony: -.PHONY: testprep test testpc1 devpc1 clean explicit_phony +.PHONY: testprep test testpc1 clean diff --git a/iso/build_iso b/iso/build_iso index de2893a..7cd9bdb 100755 --- a/iso/build_iso +++ b/iso/build_iso 
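Review bot: The new `pytest-%-user` and `pytest-%-admin` targets drop the `testprep` prerequisite that the old `pytest-%` rule had, while `ssh-%-user` and `ssh-%-admin` keep it; since `testprep` exists because "file modes in git are not reliable", a fresh checkout leaves `test/.ssh/id_ed25519` readable by others and ssh ignores such an identity file, so the testinfra runs (and the `test` target, which also lacks `testprep`) would fail to authenticate. Suggest `pytest-%-user: testprep` and `pytest-%-admin: testprep`. Also, the comment above `ssh-%-user` reads "as user:testadmin" but the recipe connects as `testuser`; it should say `# Connect to a host using ssh as user:testuser`.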
@@ -33,10 +33,9 @@ parse_options() { export TH_SEED="${TH_SEED:-preseed.cfg}" export TH_GRUBb="${TH_GRUBb:-./grub-bios.cfg}" export TH_GRUBe="${TH_GRUBe:-./grub-efi.cfg}" - export THT_GRUBTEST="${THT_GRUBTEST:-TEMPLATE_METHOD=lvm BS_pillar_root=test/pillar BS_gitfs_base=master TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/master/test/pillar/skeys.gpg}" + export THT_GRUBTEST="${THT_GRUBTEST:-BS_pillar_root=test/pillar BS_gitfs_base=master TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/master/test/pillar/skeys.gpg}" export THT_GRUBTXTRA="${THT_GRUBTXTRA}" export TH_KEEP="${TH_KEEP:-False}" - export THT_DEVICE="${THT_DEVICE:-/dev/nvme0n1}" export LOG_LEVEL="${LOG_LEVEL:-1}" while getopts 'i:o:s:f:g:kd:b:x:l:h' OPT; do @@ -47,7 +46,6 @@ parse_options() { f) TH_GRUBb="$OPTARG";; g) TH_GRUBe="$OPTARG";; k) TH_KEEP=True;; - d) THT_DEVICE="$OPTARG";; b) THT_GRUBTEST="$OPTARG";; x) THT_GRUBTXTRA="$OPTARG";; l) LOG_LEVEL="$OPTARG";; @@ -88,8 +86,7 @@ show_help() { TH_GRUBb${t}./grub-bios.cfg TH_GRUBe${t}./grub-efi.cfg TH_KEEP${t}True - THT_DEVICE${t}/dev/nvme0n1 - THT_GRUBTEST${t}TEMPLATE_METHOD=lvm BS_pillar_root=test/pillar TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/master/test/pillar/skeys.gpg + THT_GRUBTEST${t}BS_pillar_root=test/pillar TH_SALTGPG=https://raw.githubusercontent.com/MTecknology/teckhost/master/test/pillar/skeys.gpg THT_GRUBTXTRA${t}"" LOG_LEVEL${t}1 (info) EOF @@ -134,8 +131,8 @@ inject_grubconfig() { # Inject a custom preseed into initrd inject_preseed() { log "$DEBUG" 'Generating preseed file' - # Copy template and update template value(s) - sed -e "s|TEMPLATE_DEVICE|$THT_DEVICE|" "$TH_SEED" > "$TH_TEMP/preseed.cfg" + # Copy template + cp "$TH_SEED" "$TH_TEMP/preseed.cfg" # Not the cleanest assumption, but we error if files are missisg basedir="$(dirname "$0")/../" 
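Review bot: In the second hunk the `d)` case is removed, but the option string on the unchanged line `while getopts 'i:o:s:f:g:kd:b:x:l:h' OPT; do` still declares `d:`, so `-d X` is still accepted by getopts and now falls through to the `*)` branch (outside this hunk) rather than being reported as an unknown option. Drop it from the string as well: `while getopts 'i:o:s:f:g:kb:x:l:h' OPT; do`. The options list printed by `show_help` is also outside the hunk and is worth checking for a leftover `-d` entry; `parse_options` itself starts and ends outside this hunk.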
diff --git a/iso/grub-bios.cfg b/iso/debian12/grub-bios.cfg similarity index 84% rename from iso/grub-bios.cfg rename to iso/debian12/grub-bios.cfg index f6df553..675b53c 100644 --- a/iso/grub-bios.cfg +++ b/iso/debian12/grub-bios.cfg @@ -16,7 +16,7 @@ label installcrypto label installtesting menu label Teckhost auto-install w/ FOR ^Testing kernel /install.amd/vmlinuz - append auto=true priority=high initrd=/install.amd/initrd.gz partman-efi/non_efi_system=false TEMPLATE_GRUBTEST + append auto=true priority=high initrd=/install.amd/initrd.gz TEMPLATE_METHOD=lvm partman-efi/non_efi_system=false TEMPLATE_GRUBTEST label rescue menu label ^Rescue mode kernel /install.amd/vmlinuz diff --git a/iso/grub-efi.cfg b/iso/debian12/grub-efi.cfg similarity index 92% rename from iso/grub-efi.cfg rename to iso/debian12/grub-efi.cfg index b1d113b..06d16e9 100644 --- a/iso/grub-efi.cfg +++ b/iso/debian12/grub-efi.cfg @@ -36,7 +36,7 @@ menuentry --hotkey=c 'Teckhost auto-install w/ Encrypted LVM' { } menuentry --hotkey=t 'Teckhost auto-install FOR TESTING' { set background_color=black - linux /install.amd/vmlinuz auto=true priority=high partman-efi/non_efi_system=true TEMPLATE_GRUBTEST + linux /install.amd/vmlinuz auto=true priority=high TEMPLATE_METHOD=lvm TEMPLATE_GRUBTEST initrd /install.amd/initrd.gz } menuentry --hotkey=r 'Rescue mode' { diff --git a/iso/preseed.cfg b/iso/debian12/preseed.cfg similarity index 90% rename from iso/preseed.cfg rename to iso/debian12/preseed.cfg index 9d09250..e97da42 100644 --- a/iso/preseed.cfg +++ b/iso/debian12/preseed.cfg 
@@ -4,15 +4,6 @@ # This preseed file provides a basic template that is used to pre-answer most # debconf questions, get extra installation information, and run a bootstrap. # -# Template Variables (used in this file): -# - Any "TEMPLATE_*" string that appears outside of an uncommented line is -# modified by the "build_iso" script, when the custom iso is built. These -# values can be manipulated by reviewing `./iso/build_iso -h`. -# - Any "TEMPLATE_*" string that appears on a commented line is unset until -# "partman/early_command" runs (iso/debconf_early:debconf_environment), where -# environment variables set by grub (auto-grub.cfg) are used to update d-i. -# (there's probably a better way) -# # NOTES: # - User must provide networking, hostname, and encryption key(s) ## @@ -37,19 +28,11 @@ d-i preseed/late_command string \ # Finicky bits ## -d-i partman-auto/disk string TEMPLATE_DEVICE -# grub/efi -d-i grub-installer/bootdev TEMPLATE_DEVICE -# grub/bios -grub-pc grub-pc/install_devices multiselect TEMPLATE_DEVICE -# Choices: Enter device manually, /dev/sda, ... -grub-installer grub-installer/choose_bootdev select TEMPLATE_DEVICE - -### Extra-finicky bits -# from "iso/debconf_partearly": -#d-i partman-auto/method string TEMPLATE_METHOD -# from grub.cfg: -d-i partman-efi/non_efi_system boolean true +# Use nvme0n1 if available else assume sda +d-i partman/late_command string \ + if [ -e /dev/nvme0n1 ]; then disk=/dev/nvme0n1; else disk=/dev/sda; fi; \ + debconf-set partman-auto/disk "$disk"; echo "Disk Selected: $disk" + ## # Disk layout (LVM with/out encryption) 
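Review bot: The disk auto-selection is attached to `partman/late_command`, yet it sets `partman-auto/disk`, which partman needs before it partitions; the next hunk in this file documents the same value as set "by partman/early_command", and `partman/early_command` is the documented pre-partitioning hook, so unless `partman/late_command` is deliberately something else in this installer the line should read `d-i partman/late_command string \` → `d-i partman/early_command string \`. The `echo "Disk Selected: $disk"` is useful for post-mortem of a test run; a guard such as `[ -e "$disk" ] || exit 1` before `debconf-set` would make a host with neither device fail at this point instead of later in partman.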
@@ -192,7 +175,13 @@ d-i clock-setup/utc boolean true d-i time/zone string US/Central d-i clock-setup/ntp boolean true -# Partitioning - basics +# Partitioning - Critical +#d-i partman-auto/method string crypto # Set by iso/debconf_partearly +#d-i partman-auto/disk string default # Set by partman/early_command +d-i grub-installer/bootdev default + +# Partitioning - Basics +d-i partman-efi/non_efi_system boolean true d-i partman-lvm/device_remove_lvm boolean true d-i partman-md/device_remove_md boolean true d-i partman-lvm/confirm boolean true diff --git a/test/preseed.patch b/iso/debian12/preseed_test.patch similarity index 93% rename from test/preseed.patch rename to iso/debian12/preseed_test.patch index 4d49c56..7e9cc87 100644 --- a/test/preseed.patch +++ b/iso/debian12/preseed_test.patch @@ -1,8 +1,8 @@ -170c170 +153c153 < d-i netcfg/dhcp_options select Configure network manually --- > #d-i netcfg/dhcp_options select Configure network manually -238c238 +227c227 < #d-i finish-install/reboot_in_progress note --- > d-i finish-install/reboot_in_progress note diff --git a/states/mokcert/delete_oldmok.sh b/states/mokcert/delete_oldmok.sh new file mode 100644 index 0000000..396e721 --- /dev/null +++ b/states/mokcert/delete_oldmok.sh 
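Review bot: `d-i grub-installer/bootdev default` has no type field, while every other live line in this hunk follows the `owner question type value` form (`boolean true`, and `string` in the commented examples); the removed `grub-installer/bootdev TEMPLATE_DEVICE` line had the same shape, so it may have been silently ignored before rather than working. The documented form is `d-i grub-installer/bootdev string default`. If the three-field form is known to work with this installer, a short comment saying so would save the next reader the check.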
@@ -0,0 +1,96 @@ +#!/bin/sh +## +# Dump currently enrolled keys and initial removal of unused keys. +## +. /usr/local/lib/shell + +main() { + parse_options "$@" + safety_checks + + # Grab a lock + lock acquire "$0" || die 'Another process seems to be running.' + + # Primary logic + deletion_scheduled=1 + dump_mokcerts || die 'Failed to dump currently enrolled MOK certs' + remove_old || log "$WARN" 'Error encountered removing old certs' + + # Primarily meant for -stateful:True + if is_true "$deletion_scheduled"; then + echo ""; echo "changed=yes comment='obsolete keys scheduled for deletion'" + fi + + # Release the lock + lock destroy "$0" +} + +parse_options() { + export OMOK_PATH="${OMOK_PATH:-/root/.mok/client.der}" + export OMOK_DUMP="${OMOK_DUMP:-/root/.mok/dump}" + export OMOK_SEARCH="${OMOK_SEARCH:-teckhost}" + while getopts 'i:e:s:l:h' OPT; do + case "$OPT" in + i) OMOK_PATH="$OPTARG";; + e) OMOK_DUMP="$OPTARG";; + s) OMOK_SEARCH="$OPTARG";; + l) export LOG_LEVEL="$OPTARG";; + h) show_help; exit 1;; + *) die "Unexpected argument provided: '$OPT'";; + esac + done +} + + +show_help() { + t="$(printf '\t')" + cat <<-EOF + Dump currently enrolled keys and initial removal of unused keys. + + Usage: delete_oldmok [options] + + Options: + -i X${t}Path of imported certificate (default: /root/.mok/client.der) + -e X${t}Path to export enrolled certificates (default: /root/.mok/dump) + -s X${t}Search term used in binary search (default: teckhost) + -l X${t}Log level (default: 2 [warn]) + -h${t}Print this help text and exit + EOF +} + + +safety_checks() { + [ -f "$OMOK_PATH" ] || die 'Client certificate import path not found.' +} + + +# Clean up export directory and dump currently enrolled certificates +dump_mokcerts() { + [ -d "$OMOK_DUMP" ] || mkdir "$OMOK_DUMP" + rm -f "$OMOK_DUMP"/*.der + (cd "$OMOK_DUMP" && mokutil --export) +} + + +# Drop old/unused keys +remove_old() { + _e=0 + for cert in "$OMOK_DUMP"/*.der; do + if ! 
grep -qi "$OMOK_SEARCH" "$cert"; then + log "$DEBUG" "Search term not found in $cert; skipping." + continue + elif cmp -s "$OMOK_PATH" "$cert"; then + log "$DEBUG" "Enrollment expected for $cert; skipping." + continue + fi + log "$INFO" "Requesting removal of $cert" + (printf 'GR3en\nGR3en\n' | mokutil --delete "$cert") >/dev/null || _e=1 + mokutil --timeout 0 + deletion_scheduled=0 + done + return $_e +} + + +# Kick off script execution +main "$@" diff --git a/states/mokcert/framework.conf b/states/mokcert/framework.conf index 19e30d1..67a311d 100644 --- a/states/mokcert/framework.conf +++ b/states/mokcert/framework.conf @@ -28,5 +28,9 @@ verbose="yes" autoinstall_all_kernels="yes" # Machine Owner Key: Supports SecureBoot -mok_signing_key="/root/.mok/client.priv" +mok_signing_key="/root/.mok/client.key" mok_certificate="/root/.mok/client.der" + +## Script to sign modules during build, script is called with kernel version +## and module name || Note: This may no longer be required. +sign_tool="/etc/dkms/sign_helper.sh" diff --git a/states/mokcert/init.sls b/states/mokcert/init.sls index 69d86e5..685ced9 100644 --- a/states/mokcert/init.sls +++ b/states/mokcert/init.sls 
@@ -11,24 +11,35 @@ mokutil: - require: - pkg: mokutil +/etc/dkms/sign_helper.sh: + file.managed: + - source: salt://mokcert/sign_helper.sh + - mode: '0755' + - require: + - pkg: mokutil + mokcert: file.directory: - name: /root/.mok - dir_mode: '0700' cmd.run: - - name: 'openssl req -config /root/.mok/openssl.cnf -new -x509 -newkey rsa:2048 -keyout /root/.mok/client.priv -outform DER -out /root/.mok/client.der -nodes -days 36500 -subj "/CN=Teckhost/"' # noqa: 204 - - unless: 'test -f /root/.mok/client.priv' + - name: 'openssl req -config /root/.mok/openssl.cnf -new -x509 -newkey rsa:2048 -keyout /root/.mok/client.key -outform DER -out /root/.mok/client.der -nodes -days 36500 -subj "/CN=Teckhost/"' # noqa: 204 + - unless: 'test -f /root/.mok/client.key' - require: - pkg: mokutil - file: mokcert - file: mokcert-sslconf +mokcert-pem: + cmd.run: + - name: 'openssl x509 -inform DER -in /root/.mok/client.der -outform PEM -out /root/.mok/client.pem' + - onchanges: + - cmd: mokcert + mokcert-sslconf: file.managed: - name: /root/.mok/openssl.cnf - source: salt://mokcert/openssl.cnf - - require: - - file: mokcert mokcert-enroll: cmd.run: @@ -37,3 +48,19 @@ mokcert-enroll: - unless: 'mokutil --test-key /root/.mok/client.der | grep -q "already enrolled"' - require: - cmd: mokcert + +mokcert-cleanup: + file.managed: + - name: /root/.mok/delete_oldmok + - source: salt://mokcert/delete_oldmok.sh + - mode: '0700' + - require: + - file: mokcert + - file: /usr/local/lib/shell + cmd.run: + - name: /root/.mok/delete_oldmok + - stateful: True + - cwd: /root/.mok + - require: + - file: mokcert-cleanup + - cmd: mokcert diff --git a/states/mokcert/sign_helper.sh b/states/mokcert/sign_helper.sh new file mode 100644 index 0000000..8ba6283 --- /dev/null +++ b/states/mokcert/sign_helper.sh @@ -0,0 +1,2 @@ +#!/bin/sh +/lib/modules/"$1"/build/scripts/sign-file sha512 /root/.mok/client.key /root/.mok/client.der "$2" diff --git a/test/.ssh/config b/test/.ssh/config index 44f69cc..e0744a5 100644 
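Review bot: Renaming the key to `/root/.mok/client.key` with `unless: 'test -f /root/.mok/client.key'` means a host that already has `client.priv` will generate a new key pair and overwrite `client.der` on its next highstate; modules signed with the old key then fail Secure Boot verification until the new cert is enrolled at a reboot, and the old unencrypted (`-nodes`) `client.priv` stays on disk. If the existing key should survive, a `file.rename` from `client.priv` to `client.key` ordered before the openssl `cmd.run` preserves it; if rotation is intended (the new `mokcert-cleanup` state suggests it is), add a `file.absent` for `/root/.mok/client.priv` and a comment on `mokcert` saying the rotation is deliberate. `mokcert-sslconf` also lost its `require: - file: mokcert`, so creation of `/root/.mok` before `openssl.cnf` now rests on definition order alone.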
--- a/test/.ssh/config +++ b/test/.ssh/config @@ -2,8 +2,3 @@ Host testpc1 Hostname localhost Port 4222 StrictHostKeyChecking no - -Host devpc1 - Hostname localhost - Port 4224 - StrictHostKeyChecking no