From 52a97ec21aa21c1b33bd7ce636857de78c3fa9e6 Mon Sep 17 00:00:00 2001
From: joshua-stone
Date: Mon, 20 Feb 2023 09:27:21 -0500
Subject: [PATCH] feat: create persistent secure boot test keys for easier downstream builds (#45)

---
.github/workflows/build.yml | 11 +----------
.gitignore | 3 ++-
Containerfile | 11 ++++++++---
README.md | 28 +++++++++++++++-------------
certs/private_key.priv | 0
certs/private_key.priv.test | 28 ++++++++++++++++++++++++++++
certs/public_key.der.test | Bin 0 -> 875 bytes
generate-akmods-key | 5 ++++-
8 files changed, 58 insertions(+), 28 deletions(-)
create mode 100644 certs/private_key.priv
create mode 100644 certs/private_key.priv.test
create mode 100644 certs/public_key.der.test

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 914a5280..86cca985 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -116,16 +116,7 @@ jobs:
run: |
mkdir -p certs
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
- openssl req -new \
- -nodes \
- -utf8 \
- -sha256 \
- -days 365 \
- -batch \
- -x509 \
- -outform DER \
- -out certs/public_key.der \
- -keyout certs/private_key.priv
+ echo "Using test signing key"
else
echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
fi
diff --git a/.gitignore b/.gitignore
index 780f544e..f94e98f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-certs/private_key.priv
+certs/private_key.priv.prod
+certs/public_key.der.prod
diff --git a/Containerfile b/Containerfile
index 3a1b4ced..81c6510e 100644
--- a/Containerfile
+++ b/Containerfile
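Review bot: Dropping `certs/private_key.priv` from .gitignore turns the path the Containerfile reads a production key from (and the workflow writes `AKMOD_PRIVKEY` into) into a git-tracked file, so a developer who places a real key there for a local production build is one ordinary `git add -A` away from committing it. The empty tracked `certs/private_key.priv` the commit adds does not appear to be needed either, since the Containerfile's `-s` test is false for a missing file just as it is for an empty one. I would keep the original entry next to the new ones, `certs/private_key.priv`, `certs/private_key.priv.prod`, `certs/public_key.der.prod`, and leave the empty file out of the repository.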
@@ -27,10 +27,15 @@ RUN rpm-ostree install \
# alternatives cannot create symlinks on its own during a container build
RUN ln -s /usr/bin/ld.bfd /etc/alternatives/ld && ln -s /etc/alternatives/ld /usr/bin/ld
-ADD certs/public_key.der /etc/pki/akmods/certs/public_key.der
-ADD certs/private_key.priv /etc/pki/akmods/private/private_key.priv
+ADD certs /tmp/certs
-RUN chmod 644 /etc/pki/akmods/{private/private_key.priv,certs/public_key.der}
+RUN [[ -s "/tmp/certs/private_key.priv" ]] || \
+ echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds." && \
+ cp /tmp/certs/private_key.priv{.test,} && \
+ cp /tmp/certs/public_key.der{.test,}
+
+RUN install -Dm644 /tmp/certs/public_key.der /etc/pki/akmods/certs/public_key.der
+RUN install -Dm644 /tmp/certs/private_key.priv /etc/pki/akmods/private/private_key.priv
# Either successfully build and install the kernel modules, or fail early with debug output
RUN NVIDIA_PACKAGE_NAME="$(cat /tmp/nvidia-package-name.txt)" \
diff --git a/README.md b/README.md
index 1e9de122..7d898c76 100644
--- a/README.md
+++ b/README.md
@@ -82,19 +82,9 @@ If you're forking this repo you should [read the docs](https://docs.github.com/e
## Building locally
-1. Generate signing keys
+1. Build container
- Self-generated signing keys in `certs/` are required for kernel module signing to succeed:
-
-```
-$ ./generate-akmod-key
-```
-
- If you are forking this repo, you also need to add the private key to the repository secrets under the name AKMOD_PRIVKEY.
-
-2. Build container
-
- A container build can be invoked by simply running:
+A container build can be invoked by simply running:
```
$ podman build \
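Review bot: The fallback in the new `RUN [[ -s "/tmp/certs/private_key.priv" ]] || \` step copies the test key pair on every build, production ones included: `||` and `&&` have equal precedence and group left to right, so once the `-s` test succeeds the `||` is already satisfied and both `cp` commands still run, replacing a supplied production key with the committed test key right before the `install` lines pick it up. Wrapping the fallback in an explicit `if` fixes this; using POSIX `[` and spelled-out paths instead of `[[` and brace expansion also stops the step from depending on `/bin/sh` inside the image being bash, which nothing on the `RUN` line guarantees. On the `install` line for the private key, `-Dm600` is the safer mode than `-Dm644`, since nothing in this hunk needs the signing key to be world-readable in the image layer.
```dockerfile
ADD certs /tmp/certs

# Fall back to the committed test key pair only when no production key was supplied.
RUN if [ ! -s /tmp/certs/private_key.priv ]; then \
      echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds." && \
      cp /tmp/certs/private_key.priv.test /tmp/certs/private_key.priv && \
      cp /tmp/certs/public_key.der.test /tmp/certs/public_key.der; \
    fi

RUN install -Dm644 /tmp/certs/public_key.der /etc/pki/akmods/certs/public_key.der
RUN install -Dm600 /tmp/certs/private_key.priv /etc/pki/akmods/private/private_key.priv
```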
@@ -102,16 +92,28 @@ $ podman build \
--tag build-test:latest
```
- Or to specify the version of Fedora and/or Nvidia driver:
+Or to specify the version of Fedora and/or Nvidia driver:
```
$ podman build \
+ --build-arg IMAGE_NAME=silverblue \
--build-arg FEDORA_MAJOR_VERSION=37 \
--build-arg NVIDIA_MAJOR_VERSION=525 \
--file Containerfile \
--tag build-test:latest
```
+2. Generate signing keys
+
+If you are forking this repo, then you should add a private key to the repository secrets:
+
+```
+$ ./generate-akmod-key
+$ gh secret set AKMOD_PRIVKEY < certs/private_key.priv.prod
+$ cp certs/public_key.der.prod certs/public_key.der
+```
+
+
## Using Nvidia GPUs in containers
[There is support for enabling Nvidia GPUs in containers](https://www.redhat.com/en/blog/how-use-gpus-containers-bare-metal-rhel-8). This can can be verified by running the following:
diff --git a/certs/private_key.priv b/certs/private_key.priv
new file mode 100644
index 00000000..e69de29b
diff --git a/certs/private_key.priv.test b/certs/private_key.priv.test
new file mode 100644
index 00000000..5e2efda5
--- /dev/null
+++ b/certs/private_key.priv.test
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMaUcd1e4fYogO +N/cYZc22xmzsAetfhgVLvHNkKb/mNHywkGK4T7vPwvpQCxFGUufmRxYlGJra/QCn +WjYd4/thBWoU/K7RBcLJJpuHFBODls5eBdXGXXpeTYmRKqcT6qBEJf4p21N2BqMz +Mmh242TUKFOJ3rWWKXxWb8peNC+aMfIMKICLYSQvoonjHQm1ShMjkgTiOZQIaVLB +zjfNewdaNCHOMh49xQrQxquTXJuNU6Y7LvPGSIdxShwotGi/E+Z3Y4kvUCapo0os +wjhXXbhuj/XTH7gF+15mvHD9k1RPyVACLgmLyzM9LSOr80/rslj0nQf1KF8jW+bq +tze3bZ17AgMBAAECggEABG8GJV4GB7U96T0KhYNzxlKgezABeHVyOPXR9Oq46Ffc +GoJPOds04ilC/6h1y/YxZHvHPa++cCCLupWI1fYjdjPFXMYsTolW88D8H55uW+zR +9hUfUWmmpVP+N2Fa9WIh7sh6LlM9CLLVKF+gB3AgOD/VrAhiHOsycLeFBq0QGUKR +IkG7pKrF7CX1oal9WOnPo0r2oNUdP4yYCyEa7e7APTUwGbuihtixdnrYyiwEmpp0 +rfZPfBgh+3ACqeUO12gIdtjd85/3UsQ2kLt9/9m2q7Fa6aEcYQVz6nznLKuY4EVm +zoYzAXfC2KsGol2V6eNY4MNBuvzY4DDJnpyjzicOEQKBgQDX4vd+t7ygUyZmGu6V +CsF6uDSRHvHYJvJp2fR5spz6eRj7WXMkCTnyjzpDkMvbxtvjlEBntixlQicXsytW +u2oayYPHl7ppGIEddcKlHsWUFqsAOATkQy3Bs5DCfzliELApGv5zoXJJC/A/iaiD +GXVDJ0+FdSldetpMGw//rItoqwKBgQDyZHcrt0sVY6oxW2JpEVZXNSOoNMjBQQgL ++7lQyFpfXl9wfOXUkcqFc0m5UWPbTrI9OBZbXYcvI1eV/Xbtu3gdGiOv2sYauO1Z +HgAS2B3yNGllzj8dNucELFCSNLwthTGhYO03bWflV7XbsG9O8SrZF2LaEglL2V8m +wqPP5aE+cQKBgQCu7kp9c4R0pOvIcKpCOqTsO7bcoKZ275geDW377q8khlunz6Ns +380EruoXNYz6WPh0P/ywDP2MTz4+BgBoFxSy//a4FEoIPsLgjDtccMLIbFXDp6DP +FWBORKJX958Xx033ANiN+ZQRfIr/8RuKn2ZVM9VL3tPV22ZnpMYh9j5AYQKBgF36 ++gGnJaN7aweMCRH3uORDJDoZjSTw0+/hf66EoBWN/68bnfjXNhCb7J+/oNntH0qB +LpnqH3n1WAY9qhjusNmHwwJx7pF51fzRlvG3fZTlIWBpoSrwmI2TqQGnFLcJh36s +mAz/jGLtqQMu21leRGC7ooYurBAOjcf3e5Al1mjhAoGAT0L02oGzce1vbwfqHCRK +PexrY8GvNU6/Bml70P9n6FX3jQwt6Dhh1JkZZofv+wJWjOj4zV/Z0tj1uB1Ax9nR +Z+87Pu7iYuNaYFGT9s76q+sbQtiUu5Gwlg6CyRSwbKdL15UBWf+Bt22Tp3NfbEoh +OevJKeniH2GYy+ME5XxXb14= +-----END PRIVATE KEY----- 
diff --git a/certs/public_key.der.test b/certs/public_key.der.test new file mode 100644 index 0000000000000000000000000000000000000000..eb5a0f92237fde0190beb8e1a49fcdc2357d317a GIT binary patch literal 875 zcmXqLVoo<`V)9?W%*4pVBof7%`&97y(*_PRc}K^bW#6{{M>@X zyh;V1k`x04ab6>110y2?0~13tL&GQuej`JmfT58&RDdeBG%+e6JD!o1fw_s1pTVGs zk&CH`k&)p{rn~Ibck)RceCFRJQqOKXmh*=3b$lDE_nzVu&Hc|zYBo$r+Tp+Z{Gnd~ z+=6aF&!4%AsY=Yc^_O9Jl$q?~--)bQB7fFhWIc3JZFakeaPzctajaL5#a6}nc23k< zF8peNi|Rkk+redQi;ayk${wd&(FpFmw{@CkO<4Y^I1~L@hM#ye8oCoz^cQtLmgU^) zC9FJ&<&otSj?AEg=giMmvqzaIo->lOJ<4_A*y_nKvwMS=S?hg1=Fwj0C8Mz=W54jT z^5jna0JW8iy>t#)gvaj4>;HOLeh2ICxU@Y5eGhQ{kOxUCvq%_-HDFi34^kk^$oQXy)qojDAqP7!%>aX)ks+{bsl8^ybK}~Ri@OW& za345nVWaNUm0Z$s=i7pd)t_qR<+5UCUaZ{y(7L(io0Wv=)mHw#FWV06lhJH(c-skE3o%Z%Zr!CwLYJ|TKj8u#>N&Sy?=W>JD+XVJm$5? z!a+oK(^j)bbGBt_KEA=9;{L$xim<%cPA8_UyD6_@|6g3fC!Rf7Xlec2Z#T|ay9I1m znECFZ*19jw3#`~yznz@*e9gJ-ZKrhRr3l(_KfKcrqUW@V#br$|--OST5=&?OTfbNQ z%gn!Tf|tKJ^`I)?rTKpD9YrdO9y~c^s}iIa@^7lfrQ2(^AJ^-BG~v%qCX+={E&xyu BQ$+v( literal 0 HcmV?d00001 diff --git a/generate-akmods-key b/generate-akmods-key index d8a60b3c..62f61686 100755 --- a/generate-akmods-key +++ b/generate-akmods-key @@ -2,6 +2,8 @@ set -oeux pipefail +readonly LANG="${LANG:-en_US.UTF-8}" + readonly CERT_DIR=certs readonly IMAGE="quay.io/fedora-ostree-desktops/silverblue" @@ -20,4 +22,5 @@ podman run \ "sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-{cisco-openh264,modular,updates-modular,updates-archive}.repo && \ rpm-ostree install akmods && \ kmodgenca --auto && \ - cp /etc/pki/akmods/{private/private_key.priv,certs/public_key.der} ." + cp /etc/pki/akmods/private/private_key.priv private_key.priv.prod && \ + cp /etc/pki/akmods/certs/public_key.der public_key.der.prod"
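Review bot: The two new `cp` lines in the second generate-akmods-key hunk write the freshly generated production private key into the container's working directory (presumably a mount of the host's `certs/`, which is set up outside the hunk) with whatever mode the container's umask yields, and nothing here pins it. Since the README now tells forkers to feed `private_key.priv.prod` to `gh secret set`, copying it out with an explicit mode would avoid leaving a world-readable signing key on the host: `install -m 600 /etc/pki/akmods/private/private_key.priv private_key.priv.prod && \`. The `podman run` invocation that owns this command string starts outside the hunk.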