Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add scripts and config to support signing UKIs in OBS #3377

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add scripts and config to support signing UKIs in OBS #3377

wants to merge 2 commits into from
+256 −6

Conversation

bluca
Copy link
Member

@bluca bluca commented Jan 19, 2025

DaanDeMeyer
DaanDeMeyer requested changes Jan 19, 2025
View reviewed changes
Copy link
Contributor

@DaanDeMeyer DaanDeMeyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making the output directory available to build scripts is not an option, because we don't clean up the output directory when Format=none which causes a big mess if we make it available to build scripts.

Please use either the build directory or the source directories via BuildSources= to get stuff out of the build script.

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025

Making the output directory available to build scripts is not an option, because we don't clean up the output directory when Format=none which causes a big mess if we make it available to build scripts.

Please use either the build directory or the source directories via BuildSources= to get stuff out of the build script.

But how? Everything in the build directory is lost after the build

@DaanDeMeyer
Copy link
Contributor

But how? Everything in the build directory is lost after the build

Huh? Not at all, $BUILDDIR is persisted across builds. Just set BuildDirectory=<some-path> and it'll be created and persisted across builds. The annoying thing about BuildDirectory= for this use case is that we create a subdirectory in it, so you'll probably want to use BuildSources= instead.

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025 

The following files have no copyright information:
* mkosi/resources/mkosi-obs/mkosi.build
* mkosi/resources/mkosi-obs/mkosi.postoutput

wat

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025

But how? Everything in the build directory is lost after the build

Huh? Not at all, $BUILDDIR is persisted across builds. Just set BuildDirectory=<some-path> and it'll be created and persisted across builds. The annoying thing about BuildDirectory= for this use case is that we create a subdirectory in it, so you'll probably want to use BuildSources= instead.

But I mean that whatever is in there is not then moved to the output directory, so the build finishes and there's nothing, it's all lost

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025

SPDX

It's there

#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later

@DaanDeMeyer
Copy link
Contributor

But how? Everything in the build directory is lost after the build

Huh? Not at all, $BUILDDIR is persisted across builds. Just set BuildDirectory=<some-path> and it'll be created and persisted across builds. The annoying thing about BuildDirectory= for this use case is that we create a subdirectory in it, so you'll probably want to use BuildSources= instead.

But I mean that whatever is in there is not then moved to the output directory, so the build finishes and there's nothing, it's all lost

I mean that you make the output directory available to the build script via BuildSources=

@bluca bluca force-pushed the obs branch 10 times, most recently from 8aae290 to 2db4034 Compare January 20, 2025 01:51
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 20, 2025
View reviewed changes
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.postoutput Fixed Show fixed Hide fixed
@bluca bluca force-pushed the obs branch 4 times, most recently from 4644447 to b252a0d Compare January 20, 2025 02:37
@bluca bluca force-pushed the obs branch 4 times, most recently from 0deaae1 to 5bf44db Compare January 20, 2025 03:06
@bluca bluca force-pushed the obs branch 4 times, most recently from c6c20a5 to 6377a9e Compare January 28, 2025 13:45
@bluca bluca force-pushed the obs branch 4 times, most recently from 947a019 to ccd73a9 Compare January 28, 2025 16:24
@bluca

This comment was marked as resolved.

Sign in to view
@bluca bluca force-pushed the obs branch 8 times, most recently from 44447de to b936a7c Compare January 29, 2025 20:22
@bluca bluca force-pushed the obs branch 5 times, most recently from 3f6d077 to 25dc6ce Compare January 31, 2025 00:05
behrmann
behrmann reviewed Jan 31, 2025
View reviewed changes
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Show resolved Hide resolved
mkosi/__init__.py Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.build Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.build Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.postoutput Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.postoutput
Comment on lines +29 to +34
while read -r pol; do
echo -n "$pol" | tr '[:lower:]' '[:upper:]' | basenc --base16 --decode >"hashes/pcrs/${f}/${pol}"
done < <(jq -r 'to_entries[] | .value[].pol' <"${OUTPUTDIR}/${f%.efi}.pcrs")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

haven't checked this with actual data yet, but maybe the whole thing could be

Suggested change
while read -r pol; do
echo -n "$pol" | tr '[:lower:]' '[:upper:]' | basenc --base16 --decode >"hashes/pcrs/${f}/${pol}"
done < <(jq -r 'to_entries[] | .value[].pol' <"${OUTPUTDIR}/${f%.efi}.pcrs")
jq -r 'to_entries[] | .value[].pol | ascii_downcase' "${OUTPUTDIR}/${f%.efi}.pcrs" |
basenc --base16 --decode >"hashes/pcrs/${f}/${pol}"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$pol is not defined in that case

mkosi/resources/mkosi-obs/mkosi.postoutput Outdated Show resolved Hide resolved
bluca added 2 commits February 7, 2025 17:57
@bluca
Add support for SplitArtifacts=pcrs
7d7c979 
When building a UKI emit a JSON blob containing all the PCR
policy blobs, so that it can be signed offline. A single JSON
file is written out, even if multiple profiles are used, as
ukify can be used to reattach a single blob and will ensure
the right signature is applied to the right PE .pcrsig section
in case of multiple profiles.
@bluca
Add mkosi-obs conf and scripts for multi-stage signing
a2a75fe 
Signs both PCR digests (including multi-profile) and UKIs
themselves. Requires new ukify.
@bluca bluca marked this pull request as ready for review February 7, 2025 20:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behrmann behrmann behrmann left review comments

@DaanDeMeyer DaanDeMeyer DaanDeMeyer requested changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Provide an option to get PCR11 and PCR12 when building an UKI
3 participants
@bluca @DaanDeMeyer @behrmann