Do Secure Boot signing for official builds in a separate additional job #2491
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jepio
reviewed
Dec 2, 2024
chewi
force-pushed
the
chewi/split-sbsign-job
branch
from
7b79030 to
d5927fb
Compare
jepio
reviewed
Dec 3, 2024
krnowak
reviewed
Dec 3, 2024
The --extract_update option used to do exactly that, just extract the USR-A partition for updates and no more. Now it does the same thing as --generate_update, except it names the file flatcar_test_update.gz rather than flatcar_production_update.gz. --generate_update is never actually used because official update payloads are manually generated with the generate_payload script later on. Resolve this confusion by deduplicating the common code between them. Any update payload produced during this stage of the build is only useful for testing, so change --generate_update to always create flatcar_test_update.gz. --generate_update now implies --extract_update and both are enabled by default. Signed-off-by: James Le Cuirot <[email protected]>
Signed-off-by: James Le Cuirot <[email protected]>
Debug output was causing a stack smashing error. Signed-off-by: James Le Cuirot <[email protected]>
We only want to do the signing in Azure, not the whole image job. This new job downloads the unsigned image, signs it, and replaces it. Signed-off-by: James Le Cuirot <[email protected]>
We previously did the AKV signing in the image job but temporarily nobbled that code path while we completed the shim review. Now the AKV signing has been split out into a separate job that will only be invoked once changes to the jenkins-os repo have been merged. The only thing we now need to nobble here is copying the signed shim. In the meantime, we copy the unsigned shim instead. Revert this commit once the shim review is complete.
chewi
force-pushed
the
chewi/split-sbsign-job
branch
from
d5927fb to
e6e3daf
Compare
krnowak
approved these changes
Dec 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Do SB signing for official builds in a separate additional job
We only want to do the signing in Azure, not the whole image job. This new job downloads the unsigned image, signs it, and replaces it. This new job will only be invoked once flatcar/jenkins-os#354 has been merged.
We had temporarily nobbled the Azure signing codepath, but now the only thing we need to nobble here is copying the signed shim. In the meantime, we copy the unsigned shim instead. We will revert this new temporary commit once the shim review is complete.
This PR also includes a couple of clean ups I made along the way. I have dropped the "modify_image" code, which is completely unused. I could have possibly used it for this new job, but it did more than I needed it to. I have also deduplicated the build_image
--extract_updateand--generate_updateoptions because they were just totally confusing as they were.How to use
Do a Jenkins run using the jenkins-os chewi/sbsign_image branch. You need to "replay" the image job and tweak the
is_officialcheck to force it to run the new job. You also need to tweakCOREOS_OFFICIAL=0to1in ci-automation/sbsign_image.sh to force the job to sign using AKV rather than the dev key.Testing done
A Jenkins SDK run was performed and everything passed. I manually tweaked the run as described above to test the new job against AKV. I also grabbed one of the images to check that list of certificates found on vmlinuz-a and grubx64.efi using sbverify.
changelog/directory (user-facing change, bug fix, security fix, update) -- N/A/bootand/usrsize, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.