feat: kernel signing cache kernels (#9)
* feat: kernel signing cache kernels

* feat: Enable multiple sbsign signatures

* fix: correct variable name

* fix: surface reinstall for sbverify

* fix: dual_sign argument is already a string
m2Giles authored Jul 11, 2024
1 parent a56fdfe commit 425026e
Showing 11 changed files with 202 additions and 13 deletions.
18 changes: 17 additions & 1 deletion .github/workflows/reusable-build.yml
Expand Up @@ -18,7 +18,7 @@ concurrency:
jobs:
build:
name: kernel-cache
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
Expand Down Expand Up @@ -166,6 +166,21 @@ jobs:
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
- name: Retrieve Signing Key
if: (github.event_name == 'scheduled' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group') && github.event_name != 'pull_request'
run: |
mkdir -p certs
if [[ ${{ env.alias_tags }} =~ pr ]]; then
echo "This should not have run... exiting..."
exit 1
else
echo "${{ secrets.KERNEL_PRIVKEY }}" > certs/private_key.priv
echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key_2.priv
# DEBUG: get character count of key
wc -c certs/private_key.priv
wc -c certs/private_key_2.priv
fi
- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
Expand All @@ -178,6 +193,7 @@ jobs:
FEDORA_VERSION=${{ matrix.fedora_version }}
KERNEL_VERSION=${{ env.kernel_release }}
KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
DUAL_SIGN=true
labels: ${{ steps.meta.outputs.labels }}
oci: false

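Review bot: The `if:` on the Retrieve Signing Key step tests `github.event_name == 'scheduled'`, but the event name GitHub sets for cron triggers is `schedule`, so scheduled builds would skip the step, leave the committed empty `certs/private_key.priv` in place, and fetch.sh would fall back to the test key with only a warning; the trailing `&& github.event_name != 'pull_request'` is already implied by the equality checks, so the condition reduces to `if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group'`. A reusable workflow sees the caller's event name, so confirm which events the callers actually dispatch with before relying on this list. The two `wc -c` lines marked DEBUG only print sizes; a `test -s certs/private_key.priv` after the `echo` redirections would actually fail the job when a secret is unset. The files are written with the default umask into the build context, from which the Containerfile copies them into the builder stage.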
16 changes: 9 additions & 7 deletions Containerfile
Expand Up @@ -2,14 +2,16 @@ ARG BASE_IMAGE=quay.io/fedora/fedora
ARG FEDORA_VERSION=${FEDORA_VERSION:-40}

# Build from base-main since its our smallest image and we control the tags
FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
ARG KERNEL_VERSION=${:-}
ARG FEDORA_VERSION=${FEDORA_VERSION:-}
ARG KERNEL_FLAVOR=${:-}
FROM ${BASE_IMAGE}:${FEDORA_VERSION} AS builder
ARG KERNEL_VERSION="${:-6.8.11-300.fc40.x86_64}"
ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
ARG KERNEL_FLAVOR="${:-coreos-stable}"
ARG DUAL_SIGN="${:-true}"

COPY fetch.sh /
COPY fetch.sh /tmp
COPY certs /tmp/certs

RUN /fetch.sh
RUN /tmp/fetch.sh

FROM scratch as rpms
FROM scratch AS rpms
COPY --from=builder /tmp/rpms /tmp/rpms
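Review bot: `COPY certs /tmp/certs` puts the private signing keys into a layer of the `builder` stage; the `rm -rf /tmp/certs` at the end of fetch.sh runs in a later layer, so the keys remain in the builder's layer cache even though the `rpms` stage built `FROM scratch` copies only `/tmp/rpms`. A build-time secret mount avoids that, e.g. `RUN --mount=type=secret,id=kernel_privkey,target=/tmp/certs/private_key.priv /tmp/fetch.sh` with the workflow passing the key through the build tool's secret option — confirm the buildah-build action in use supports that before switching; the public `.der` files can still be `COPY`'d. Separately, `ARG KERNEL_VERSION="${:-6.8.11-300.fc40.x86_64}"` and the three ARGs below it use an empty variable name inside a `${name:-default}` expansion; if a plain default is intended, `ARG KERNEL_VERSION=6.8.11-300.fc40.x86_64` expresses it without depending on how the frontend treats that edge case.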
Empty file added certs/private_key.priv
Empty file.
28 changes: 28 additions & 0 deletions certs/private_key.priv.test
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
Empty file added certs/private_key_2.priv
Empty file.
28 changes: 28 additions & 0 deletions certs/private_key_2.priv.test
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
Binary file added certs/public_key.der
Binary file not shown.
Binary file added certs/public_key.der.test
Binary file not shown.
Binary file added certs/public_key_2.der
Binary file not shown.
Binary file added certs/public_key_2.der.test
Binary file not shown.
125 changes: 120 additions & 5 deletions fetch.sh
Expand Up @@ -5,7 +5,11 @@ set -eoux pipefail
kernel_version="${KERNEL_VERSION}"
kernel_flavor="${KERNEL_FLAVOR}"

dnf install -y dnf-plugins-core
#CoreOS pool repo
# curl -LsSf -o /etc/yum.repos.d/fedora-coreos-pool.repo \
# https://raw.githubusercontent.com/coreos/fedora-coreos-config/testing-devel/fedora-coreos-pool.repo

dnf install -y dnf-plugins-core rpmrebuild sbsigntools openssl

case "$kernel_flavor" in
"asus")
Expand All @@ -31,44 +35,155 @@ esac
if [[ "${kernel_flavor}" =~ asus|fsync ]]; then
dnf download -y \
kernel-"${kernel_version}" \
kernel-core-"${kernel_version}" \
kernel-modules-"${kernel_version}" \
kernel-modules-core-"${kernel_version}" \
kernel-modules-extra-"${kernel_version}" \
kernel-devel-"${kernel_version}" \
kernel-devel-matched-"${kernel_version}" \
kernel-uki-virt-"${kernel_version}"

elif [[ "${kernel_flavor}" == "surface" ]]; then
dnf download -y \
kernel-surface-"${kernel_version}" \
kernel-surface-core-"${kernel_version}" \
kernel-surface-modules-"${kernel_version}" \
kernel-surface-modules-core-"${kernel_version}" \
kernel-surface-modules-extra-"${kernel_version}" \
kernel-surface-devel-"${kernel_version}" \
kernel-surface-devel-matched-"${kernel_version}" \
kernel-surface-default-watchdog-"${kernel_version}" \
iptsd
iptsd \
libwacom-surface \
libwacom-surface-data


else
KERNEL_MAJOR_MINOR_PATCH=$(echo "$kernel_version" | cut -d '-' -f 1)
KERNEL_RELEASE="$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 1).$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 2)"
ARCH=$(uname -m)
dnf download -y \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-core-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-extra-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-matched-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-uki-virt-"$kernel_version".rpm

fi

if [[ "${kernel_flavor}" =~ fsync ]]; then
dnf download -y \
kernel-headers-"${kernel_version}"
fi

if [[ ! -s /tmp/certs/private_key.priv ]]; then
echo "WARNING: Using test signing key."
cp /tmp/certs/private_key.priv{.test,}
cp /tmp/certs/public_key.der{.test,}
fi

PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key.crt"
PRIVATE_KEY_PATH="/etc/pki/kernel/private/private_key.priv"

openssl x509 -in /tmp/certs/public_key.der -out /tmp/certs/public_key.crt

install -Dm644 /tmp/certs/public_key.crt "$PUBLIC_KEY_PATH"
install -Dm644 /tmp/certs/private_key.priv "$PRIVATE_KEY_PATH"

if [[ "${kernel_flavor}" =~ asus|fsync ]]; then
dnf install -y \
/kernel-"$kernel_version".rpm \
/kernel-modules-"$kernel_version".rpm \
/kernel-modules-core-"$kernel_version".rpm \
/kernel-modules-extra-"$kernel_version".rpm \
kernel-core-"${kernel_version}"
elif [[ "${kernel_flavor}" =~ surface ]]; then
dnf install -y \
/kernel-surface-"$kernel_version".rpm \
/kernel-surface-modules-"$kernel_version".rpm \
/kernel-surface-modules-core-"$kernel_version".rpm \
/kernel-surface-modules-extra-"$kernel_version".rpm \
kernel-surface-core-"${kernel_version}"
else
dnf install -y \
/kernel-"$kernel_version".rpm \
/kernel-modules-"$kernel_version".rpm \
/kernel-modules-core-"$kernel_version".rpm \
/kernel-modules-extra-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm
fi

# Strip Signatures from non-fedora Kernels
if [[ ${kernel_flavor} =~ main|coreos ]]; then
echo "Will not strip Fedora signature(s) from ${kernel_flavor} kernel."
else
EXISTING_SIGNATURES="$(sbverify --list /usr/lib/modules/"$kernel_version"/vmlinuz | grep '^signature \([0-9]\+\)$' | sed 's/^signature \([0-9]\+\)$/\1/')" || true
if [[ -n "$EXISTING_SIGNATURES" ]]; then
for SIGNUM in $EXISTING_SIGNATURES; do
echo "Found existing signature at signum $SIGNUM, removing..."
sbattach --remove /usr/lib/modules/"${kernel_version}"/vmlinuz
done
fi
fi

# Sign Kernel with Key
sbsign --cert "$PUBLIC_KEY_PATH" --key "$PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz

# Verify Signatures
sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz

rm -f "$PRIVATE_KEY_PATH" "$PUBLIC_KEY_PATH"

if [[ ${DUAL_SIGN:-} == "true" ]]; then
SECOND_PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key_2.crt"
SECOND_PRIVATE_KEY_PATH="/etc/pki/kernel/private/public_key_2.priv"
if [[ ! -s /tmp/certs/private_key_2.priv ]]; then
echo "WARNING: Using test signing key."
cp /tmp/certs/private_key_2.priv{.test,}
cp /tmp/certs/public_key_2.der{.test,}
find /tmp/certs/
fi
openssl x509 -in /tmp/certs/public_key_2.der -out /tmp/certs/public_key_2.crt
install -Dm644 /tmp/certs/public_key_2.crt "$SECOND_PUBLIC_KEY_PATH"
install -Dm644 /tmp/certs/private_key_2.priv "$SECOND_PRIVATE_KEY_PATH"
sbsign --cert "$SECOND_PUBLIC_KEY_PATH" --key "$SECOND_PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz
sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
rm -f "$SECOND_PRIVATE_KEY_PATH" "$SECOND_PUBLIC_KEY_PATH"
fi

# Rebuild RPMs and Verify
if [[ "${kernel_flavor}" =~ surface ]]; then
rpmrebuild --batch kernel-surface-core-"${kernel_version}"
rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
dnf reinstall -y \
/kernel-surface-"$kernel_version".rpm \
/kernel-surface-modules-"$kernel_version".rpm \
/kernel-surface-modules-core-"$kernel_version".rpm \
/kernel-surface-modules-extra-"$kernel_version".rpm \
/root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
else
rpmrebuild --batch kernel-core-"${kernel_version}"
rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
dnf reinstall -y \
/kernel-"$kernel_version".rpm \
/kernel-modules-"$kernel_version".rpm \
/kernel-modules-core-"$kernel_version".rpm \
/kernel-modules-extra-"$kernel_version".rpm \
/root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
fi

sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz

# Make Temp Dir
mkdir -p /tmp/rpms

# Move RPMs over
mv /kernel-*.rpm /tmp/rpms
mv /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm /tmp/rpms

if [[ "${kernel_flavor}" =~ surface ]]; then
cp iptsd-*.rpm libwacom-*.rpm /tmp/rpms
fi

# Delete keys in /tmp if we decide to publish this later
rm -rf /tmp/certs
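Review bot: The `# Verify Signatures` step runs only `sbverify --list`, which prints the signature table but does not check any signature against a certificate; before the keys are deleted, verify against the cert just used, `sbverify --cert "$PUBLIC_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz`, and likewise with `$SECOND_PUBLIC_KEY_PATH` in the dual-sign branch — the final `sbverify --list` after `dnf reinstall` has the same limitation. The fallback at `if [[ ! -s /tmp/certs/private_key.priv ]]` turns a missing or empty production secret into a warning rather than a failure, so a kernel signed with the committed `.test` key could be cached and published; consider requiring an explicit opt-in (a proposed `ALLOW_TEST_KEY` variable) and exiting non-zero otherwise, for the second key as well. `SECOND_PRIVATE_KEY_PATH` is set to `/etc/pki/kernel/private/public_key_2.priv`, a private key under a `public_key` filename; it is removed afterwards, but `private_key_2.priv` would match the first key's naming. The closing `rm -rf /tmp/certs` does not remove the keys from the layer the Containerfile's `COPY certs /tmp/certs` created.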
