feat: kernel signing cache kernels #9

Merged
merged 5 commits into from
Jul 11, 2024
18 changes: 17 additions & 1 deletion .github/workflows/reusable-build.yml
@@ -18,7 +18,7 @@ concurrency:
jobs:
build:
name: kernel-cache
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
@@ -166,6 +166,21 @@ jobs:
io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4

- name: Retrieve Signing Key
if: (github.event_name == 'scheduled' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group') && github.event_name != 'pull_request'
Member:

Don't think about it now, but it might be worth having a sample signing key that runs on PRs to make it easier to debug in future

@p5 p5 Jul 11, 2024 (Member):

Oh, we have signing keys added in this PR anyway. Any reason not to (at a later date) use the .test keys in this step during pull requests?

Member Author:

We do; you can see in fetch.sh that if the private key is 0 bytes, we copy the test keys over.

Member:

Ohhh, sorry. We don't need to retrieve them since they are already in the repo 🤦

run: |
mkdir -p certs
if [[ ${{ env.alias_tags }} =~ pr ]]; then
echo "This should not have run... exiting..."
exit 1
else
echo "${{ secrets.KERNEL_PRIVKEY }}" > certs/private_key.priv
echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key_2.priv
# DEBUG: get character count of key
wc -c certs/private_key.priv
wc -c certs/private_key_2.priv
fi

- name: Build Image
id: build_image
uses: redhat-actions/buildah-build@v2
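Review bot: the `if:` on the Retrieve Signing Key step compares `github.event_name` with `'scheduled'`, but the event a cron trigger emits is named `schedule`, so scheduled builds will skip this step and then fail later at signing; the trailing `&& github.event_name != 'pull_request'` is redundant once the event has to equal one of the three listed names. In the script, `[[ ${{ env.alias_tags }} =~ pr ]]` is expanded by Actions before bash parses the line, so a value holding more than one space-separated tag becomes several words and a conditional syntax error; quoting it as `if [[ "${{ env.alias_tags }}" =~ pr ]]; then` keeps it a single word.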
@@ -178,6 +193,7 @@ jobs:
FEDORA_VERSION=${{ matrix.fedora_version }}
KERNEL_VERSION=${{ env.kernel_release }}
KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
DUAL_SIGN=true
labels: ${{ steps.meta.outputs.labels }}
oci: false

16 changes: 9 additions & 7 deletions Containerfile
@@ -2,14 +2,16 @@ ARG BASE_IMAGE=quay.io/fedora/fedora
ARG FEDORA_VERSION=${FEDORA_VERSION:-40}

# Build from base-main since its our smallest image and we control the tags
FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
ARG KERNEL_VERSION=${:-}
ARG FEDORA_VERSION=${FEDORA_VERSION:-}
ARG KERNEL_FLAVOR=${:-}
FROM ${BASE_IMAGE}:${FEDORA_VERSION} AS builder
ARG KERNEL_VERSION="${:-6.8.11-300.fc40.x86_64}"
ARG FEDORA_VERSION="${FEDORA_VERSION:-40}"
ARG KERNEL_FLAVOR="${:-coreos-stable}"
ARG DUAL_SIGN="${:-true}"

COPY fetch.sh /
COPY fetch.sh /tmp
COPY certs /tmp/certs

RUN /fetch.sh
RUN /tmp/fetch.sh

FROM scratch as rpms
FROM scratch AS rpms
COPY --from=builder /tmp/rpms /tmp/rpms
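Review bot: `COPY certs /tmp/certs` places whatever `private_key.priv` and `private_key_2.priv` contain at build time into a layer of the `builder` stage, and the `rm -rf /tmp/certs` at the end of fetch.sh only stacks a later layer on top, so the keys stay in that stage's layer cache; the published `rpms` stage copies only `/tmp/rpms`, which is the right outcome, but passing the two private keys through a `RUN --mount=type=secret` instead of `COPY` would keep them out of any layer at all. Separately, `"${:-6.8.11-300.fc40.x86_64}"` names no variable; if only a literal default is intended, `ARG KERNEL_VERSION=6.8.11-300.fc40.x86_64` says the same thing without the empty-name expansion, and the same applies to `KERNEL_FLAVOR` and `DUAL_SIGN`.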
Empty file added certs/private_key.priv
Empty file.
28 changes: 28 additions & 0 deletions certs/private_key.priv.test
@@ -0,0 +1,28 @@
Empty file added certs/private_key_2.priv
Empty file.
28 changes: 28 additions & 0 deletions certs/private_key_2.priv.test
@@ -0,0 +1,28 @@
Binary file added certs/public_key.der
Binary file added certs/public_key.der.test
Binary file added certs/public_key_2.der
Binary file added certs/public_key_2.der.test
125 changes: 120 additions & 5 deletions fetch.sh
@@ -5,7 +5,11 @@ set -eoux pipefail
kernel_version="${KERNEL_VERSION}"
kernel_flavor="${KERNEL_FLAVOR}"

dnf install -y dnf-plugins-core
#CoreOS pool repo
# curl -LsSf -o /etc/yum.repos.d/fedora-coreos-pool.repo \
# https://raw.githubusercontent.com/coreos/fedora-coreos-config/testing-devel/fedora-coreos-pool.repo

dnf install -y dnf-plugins-core rpmrebuild sbsigntools openssl

case "$kernel_flavor" in
"asus")
@@ -31,44 +35,155 @@ esac
if [[ "${kernel_flavor}" =~ asus|fsync ]]; then
dnf download -y \
kernel-"${kernel_version}" \
kernel-core-"${kernel_version}" \
kernel-modules-"${kernel_version}" \
kernel-modules-core-"${kernel_version}" \
kernel-modules-extra-"${kernel_version}" \
kernel-devel-"${kernel_version}" \
kernel-devel-matched-"${kernel_version}" \
kernel-uki-virt-"${kernel_version}"

elif [[ "${kernel_flavor}" == "surface" ]]; then
dnf download -y \
kernel-surface-"${kernel_version}" \
kernel-surface-core-"${kernel_version}" \
kernel-surface-modules-"${kernel_version}" \
kernel-surface-modules-core-"${kernel_version}" \
kernel-surface-modules-extra-"${kernel_version}" \
kernel-surface-devel-"${kernel_version}" \
kernel-surface-devel-matched-"${kernel_version}" \
kernel-surface-default-watchdog-"${kernel_version}" \
iptsd
iptsd \
libwacom-surface \
libwacom-surface-data


else
KERNEL_MAJOR_MINOR_PATCH=$(echo "$kernel_version" | cut -d '-' -f 1)
KERNEL_RELEASE="$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 1).$(echo "$kernel_version" | cut -d - -f 2 | cut -d . -f 2)"
ARCH=$(uname -m)
dnf download -y \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-core-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-modules-extra-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-devel-matched-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-uki-virt-"$kernel_version".rpm

fi

if [[ "${kernel_flavor}" =~ fsync ]]; then
dnf download -y \
kernel-headers-"${kernel_version}"
fi

if [[ ! -s /tmp/certs/private_key.priv ]]; then
Member Author:

@p5 Here is the logic for signing during PRs.

echo "WARNING: Using test signing key."
cp /tmp/certs/private_key.priv{.test,}
cp /tmp/certs/public_key.der{.test,}
fi

PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key.crt"
PRIVATE_KEY_PATH="/etc/pki/kernel/private/private_key.priv"

openssl x509 -in /tmp/certs/public_key.der -out /tmp/certs/public_key.crt

install -Dm644 /tmp/certs/public_key.crt "$PUBLIC_KEY_PATH"
install -Dm644 /tmp/certs/private_key.priv "$PRIVATE_KEY_PATH"

if [[ "${kernel_flavor}" =~ asus|fsync ]]; then
dnf install -y \
/kernel-"$kernel_version".rpm \
/kernel-modules-"$kernel_version".rpm \
/kernel-modules-core-"$kernel_version".rpm \
/kernel-modules-extra-"$kernel_version".rpm \
kernel-core-"${kernel_version}"
elif [[ "${kernel_flavor}" =~ surface ]]; then
dnf install -y \
/kernel-surface-"$kernel_version".rpm \
/kernel-surface-modules-"$kernel_version".rpm \
/kernel-surface-modules-core-"$kernel_version".rpm \
/kernel-surface-modules-extra-"$kernel_version".rpm \
kernel-surface-core-"${kernel_version}"
else
dnf install -y \
/kernel-"$kernel_version".rpm \
/kernel-modules-"$kernel_version".rpm \
/kernel-modules-core-"$kernel_version".rpm \
/kernel-modules-extra-"$kernel_version".rpm \
https://kojipkgs.fedoraproject.org//packages/kernel/"$KERNEL_MAJOR_MINOR_PATCH"/"$KERNEL_RELEASE"/"$ARCH"/kernel-core-"$kernel_version".rpm
fi

# Strip Signatures from non-fedora Kernels
if [[ ${kernel_flavor} =~ main|coreos ]]; then
echo "Will not strip Fedora signature(s) from ${kernel_flavor} kernel."
else
EXISTING_SIGNATURES="$(sbverify --list /usr/lib/modules/"$kernel_version"/vmlinuz | grep '^signature \([0-9]\+\)$' | sed 's/^signature \([0-9]\+\)$/\1/')" || true
if [[ -n "$EXISTING_SIGNATURES" ]]; then
for SIGNUM in $EXISTING_SIGNATURES; do
echo "Found existing signature at signum $SIGNUM, removing..."
sbattach --remove /usr/lib/modules/"${kernel_version}"/vmlinuz
done
fi
fi

# Sign Kernel with Key
sbsign --cert "$PUBLIC_KEY_PATH" --key "$PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz

# Verify Signatures
sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz

rm -f "$PRIVATE_KEY_PATH" "$PUBLIC_KEY_PATH"

if [[ ${DUAL_SIGN:-} == "true" ]]; then
SECOND_PUBLIC_KEY_PATH="/etc/pki/kernel/public/public_key_2.crt"
SECOND_PRIVATE_KEY_PATH="/etc/pki/kernel/private/public_key_2.priv"
if [[ ! -s /tmp/certs/private_key_2.priv ]]; then
echo "WARNING: Using test signing key."
cp /tmp/certs/private_key_2.priv{.test,}
cp /tmp/certs/public_key_2.der{.test,}
find /tmp/certs/
fi
openssl x509 -in /tmp/certs/public_key_2.der -out /tmp/certs/public_key_2.crt
install -Dm644 /tmp/certs/public_key_2.crt "$SECOND_PUBLIC_KEY_PATH"
install -Dm644 /tmp/certs/private_key_2.priv "$SECOND_PRIVATE_KEY_PATH"
sbsign --cert "$SECOND_PUBLIC_KEY_PATH" --key "$SECOND_PRIVATE_KEY_PATH" /usr/lib/modules/"${kernel_version}"/vmlinuz --output /usr/lib/modules/"${kernel_version}"/vmlinuz
sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz
rm -f "$SECOND_PRIVATE_KEY_PATH" "$SECOND_PUBLIC_KEY_PATH"
fi

# Rebuild RPMs and Verify
if [[ "${kernel_flavor}" =~ surface ]]; then
rpmrebuild --batch kernel-surface-core-"${kernel_version}"
rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
dnf reinstall -y \
/kernel-surface-"$kernel_version".rpm \
/kernel-surface-modules-"$kernel_version".rpm \
/kernel-surface-modules-core-"$kernel_version".rpm \
/kernel-surface-modules-extra-"$kernel_version".rpm \
/root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
else
rpmrebuild --batch kernel-core-"${kernel_version}"
rm -f /usr/lib/modules/"${kernel_version}"/vmlinuz
dnf reinstall -y \
/kernel-"$kernel_version".rpm \
/kernel-modules-"$kernel_version".rpm \
/kernel-modules-core-"$kernel_version".rpm \
/kernel-modules-extra-"$kernel_version".rpm \
/root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm
fi

sbverify --list /usr/lib/modules/"${kernel_version}"/vmlinuz

# Make Temp Dir
mkdir -p /tmp/rpms

# Move RPMs over
mv /kernel-*.rpm /tmp/rpms
mv /root/rpmbuild/RPMS/"$(uname -m)"/kernel-*.rpm /tmp/rpms

if [[ "${kernel_flavor}" =~ surface ]]; then
cp iptsd-*.rpm libwacom-*.rpm /tmp/rpms
fi

# Delete keys in /tmp if we decide to publish this later
rm -rf /tmp/certs
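Review bot: the fallback at `if [[ ! -s /tmp/certs/private_key.priv ]]; then` makes the choice between the production key and the committed `.test` key depend only on whether the file happens to be empty, and the build then continues after printing a single `WARNING` line; a kernel signed with the test key is listed by `sbverify --list` like any other, so nothing downstream distinguishes the two. Consider gating the fallback on an explicit build argument (for instance a hypothetical `TEST_SIGN=true` passed only from pull-request builds) and exiting non-zero when no real key is present otherwise, so that a mis-wired secret cannot yield a test-signed kernel in a release build. The same applies to the second block under `DUAL_SIGN`, where `SECOND_PRIVATE_KEY_PATH="/etc/pki/kernel/private/public_key_2.priv"` also names the private key file `public_key_2.priv`, which reads as the public key; `private_key_2.priv` would match the first block.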