Skip to content

Commit

Permalink
feat: create persistent secure boot test keys for easier downstream b…
Browse files Browse the repository at this point in the history
…uilds (ublue-os#45)
  • Loading branch information
joshua-stone authored Feb 20, 2023
1 parent 9f1b0a4 commit 52a97ec
Show file tree
Hide file tree
Showing 8 changed files with 58 additions and 28 deletions.
11 changes: 1 addition & 10 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -116,16 +116,7 @@ jobs:
run: |
mkdir -p certs
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
openssl req -new \
-nodes \
-utf8 \
-sha256 \
-days 365 \
-batch \
-x509 \
-outform DER \
-out certs/public_key.der \
-keyout certs/private_key.priv
echo "Using test signing key"
else
echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
fi
Expand Down
3 changes: 2 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
certs/private_key.priv
certs/private_key.priv.prod
certs/public_key.der.prod
11 changes: 8 additions & 3 deletions Containerfile
Original file line number Diff line number Diff line change
Expand Up @@ -27,10 +27,15 @@ RUN rpm-ostree install \
# alternatives cannot create symlinks on its own during a container build
RUN ln -s /usr/bin/ld.bfd /etc/alternatives/ld && ln -s /etc/alternatives/ld /usr/bin/ld

ADD certs/public_key.der /etc/pki/akmods/certs/public_key.der
ADD certs/private_key.priv /etc/pki/akmods/private/private_key.priv
ADD certs /tmp/certs

RUN chmod 644 /etc/pki/akmods/{private/private_key.priv,certs/public_key.der}
RUN [[ -s "/tmp/certs/private_key.priv" ]] || \
echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds." && \
cp /tmp/certs/private_key.priv{.test,} && \
cp /tmp/certs/public_key.der{.test,}

RUN install -Dm644 /tmp/certs/public_key.der /etc/pki/akmods/certs/public_key.der
RUN install -Dm644 /tmp/certs/private_key.priv /etc/pki/akmods/private/private_key.priv

# Either successfully build and install the kernel modules, or fail early with debug output
RUN NVIDIA_PACKAGE_NAME="$(cat /tmp/nvidia-package-name.txt)" \
Expand Down
28 changes: 15 additions & 13 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,36 +82,38 @@ If you're forking this repo you should [read the docs](https://docs.github.com/e
## Building locally
1. Generate signing keys
1. Build container
Self-generated signing keys in `certs/` are required for kernel module signing to succeed:
```
$ ./generate-akmod-key
```
If you are forking this repo, you also need to add the private key to the repository secrets under the name AKMOD_PRIVKEY.
2. Build container
A container build can be invoked by simply running:
A container build can be invoked by simply running:
```
$ podman build \
--file Containerfile \
--tag build-test:latest
```
Or to specify the version of Fedora and/or Nvidia driver:
Or to specify the version of Fedora and/or Nvidia driver:
```
$ podman build \
--build-arg IMAGE_NAME=silverblue \
--build-arg FEDORA_MAJOR_VERSION=37 \
--build-arg NVIDIA_MAJOR_VERSION=525 \
--file Containerfile \
--tag build-test:latest
```
2. Generate signing keys
If you are forking this repo, then you should add a private key to the repository secrets:
```
$ ./generate-akmod-key
$ gh secret set AKMOD_PRIVKEY < certs/private_key.priv.prod
$ cp certs/public_key.der.prod certs/public_key.der
```
## Using Nvidia GPUs in containers
[There is support for enabling Nvidia GPUs in containers](https://www.redhat.com/en/blog/how-use-gpus-containers-bare-metal-rhel-8). This can can be verified by running the following:
Expand Down
Empty file added certs/private_key.priv
Empty file.
28 changes: 28 additions & 0 deletions certs/private_key.priv.test
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMaUcd1e4fYogO
N/cYZc22xmzsAetfhgVLvHNkKb/mNHywkGK4T7vPwvpQCxFGUufmRxYlGJra/QCn
WjYd4/thBWoU/K7RBcLJJpuHFBODls5eBdXGXXpeTYmRKqcT6qBEJf4p21N2BqMz
Mmh242TUKFOJ3rWWKXxWb8peNC+aMfIMKICLYSQvoonjHQm1ShMjkgTiOZQIaVLB
zjfNewdaNCHOMh49xQrQxquTXJuNU6Y7LvPGSIdxShwotGi/E+Z3Y4kvUCapo0os
wjhXXbhuj/XTH7gF+15mvHD9k1RPyVACLgmLyzM9LSOr80/rslj0nQf1KF8jW+bq
tze3bZ17AgMBAAECggEABG8GJV4GB7U96T0KhYNzxlKgezABeHVyOPXR9Oq46Ffc
GoJPOds04ilC/6h1y/YxZHvHPa++cCCLupWI1fYjdjPFXMYsTolW88D8H55uW+zR
9hUfUWmmpVP+N2Fa9WIh7sh6LlM9CLLVKF+gB3AgOD/VrAhiHOsycLeFBq0QGUKR
IkG7pKrF7CX1oal9WOnPo0r2oNUdP4yYCyEa7e7APTUwGbuihtixdnrYyiwEmpp0
rfZPfBgh+3ACqeUO12gIdtjd85/3UsQ2kLt9/9m2q7Fa6aEcYQVz6nznLKuY4EVm
zoYzAXfC2KsGol2V6eNY4MNBuvzY4DDJnpyjzicOEQKBgQDX4vd+t7ygUyZmGu6V
CsF6uDSRHvHYJvJp2fR5spz6eRj7WXMkCTnyjzpDkMvbxtvjlEBntixlQicXsytW
u2oayYPHl7ppGIEddcKlHsWUFqsAOATkQy3Bs5DCfzliELApGv5zoXJJC/A/iaiD
GXVDJ0+FdSldetpMGw//rItoqwKBgQDyZHcrt0sVY6oxW2JpEVZXNSOoNMjBQQgL
+7lQyFpfXl9wfOXUkcqFc0m5UWPbTrI9OBZbXYcvI1eV/Xbtu3gdGiOv2sYauO1Z
HgAS2B3yNGllzj8dNucELFCSNLwthTGhYO03bWflV7XbsG9O8SrZF2LaEglL2V8m
wqPP5aE+cQKBgQCu7kp9c4R0pOvIcKpCOqTsO7bcoKZ275geDW377q8khlunz6Ns
380EruoXNYz6WPh0P/ywDP2MTz4+BgBoFxSy//a4FEoIPsLgjDtccMLIbFXDp6DP
FWBORKJX958Xx033ANiN+ZQRfIr/8RuKn2ZVM9VL3tPV22ZnpMYh9j5AYQKBgF36
+gGnJaN7aweMCRH3uORDJDoZjSTw0+/hf66EoBWN/68bnfjXNhCb7J+/oNntH0qB
LpnqH3n1WAY9qhjusNmHwwJx7pF51fzRlvG3fZTlIWBpoSrwmI2TqQGnFLcJh36s
mAz/jGLtqQMu21leRGC7ooYurBAOjcf3e5Al1mjhAoGAT0L02oGzce1vbwfqHCRK
PexrY8GvNU6/Bml70P9n6FX3jQwt6Dhh1JkZZofv+wJWjOj4zV/Z0tj1uB1Ax9nR
Z+87Pu7iYuNaYFGT9s76q+sbQtiUu5Gwlg6CyRSwbKdL15UBWf+Bt22Tp3NfbEoh
OevJKeniH2GYy+ME5XxXb14=
-----END PRIVATE KEY-----
Binary file added certs/public_key.der.test
Binary file not shown.
5 changes: 4 additions & 1 deletion generate-akmods-key
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

set -oeux pipefail

readonly LANG="${LANG:-en_US.UTF-8}"

readonly CERT_DIR=certs

readonly IMAGE="quay.io/fedora-ostree-desktops/silverblue"
Expand All @@ -20,4 +22,5 @@ podman run \
"sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-{cisco-openh264,modular,updates-modular,updates-archive}.repo && \
rpm-ostree install akmods && \
kmodgenca --auto && \
cp /etc/pki/akmods/{private/private_key.priv,certs/public_key.der} ."
cp /etc/pki/akmods/private/private_key.priv private_key.priv.prod && \
cp /etc/pki/akmods/certs/public_key.der public_key.der.prod"

0 comments on commit 52a97ec

Please sign in to comment.