Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add scripts and config to support signing UKIs in OBS #3377

Merged
merged 3 commits into from
Feb 10, 2025
Merged

Add scripts and config to support signing UKIs in OBS #3377

merged 3 commits into from
Feb 10, 2025

Conversation

bluca
Copy link
Member

@bluca bluca commented Jan 19, 2025

DaanDeMeyer
DaanDeMeyer requested changes Jan 19, 2025
View reviewed changes
Copy link
Contributor

@DaanDeMeyer DaanDeMeyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making the output directory available to build scripts is not an option, because we don't clean up the output directory when Format=none which causes a big mess if we make it available to build scripts.

Please use either the build directory or the source directories via BuildSources= to get stuff out of the build script.

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025

Making the output directory available to build scripts is not an option, because we don't clean up the output directory when Format=none which causes a big mess if we make it available to build scripts.

Please use either the build directory or the source directories via BuildSources= to get stuff out of the build script.

But how? Everything in the build directory is lost after the build

@DaanDeMeyer
Copy link
Contributor

But how? Everything in the build directory is lost after the build

Huh? Not at all, $BUILDDIR is persisted across builds. Just set BuildDirectory=<some-path> and it'll be created and persisted across builds. The annoying thing about BuildDirectory= for this use case is that we create a subdirectory in it, so you'll probably want to use BuildSources= instead.

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025 

The following files have no copyright information:
* mkosi/resources/mkosi-obs/mkosi.build
* mkosi/resources/mkosi-obs/mkosi.postoutput

wat

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025

But how? Everything in the build directory is lost after the build

Huh? Not at all, $BUILDDIR is persisted across builds. Just set BuildDirectory=<some-path> and it'll be created and persisted across builds. The annoying thing about BuildDirectory= for this use case is that we create a subdirectory in it, so you'll probably want to use BuildSources= instead.

But I mean that whatever is in there is not then moved to the output directory, so the build finishes and there's nothing, it's all lost

@bluca
Copy link
Member Author

bluca commented Jan 19, 2025

SPDX

It's there

#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later

@DaanDeMeyer
Copy link
Contributor

But how? Everything in the build directory is lost after the build

Huh? Not at all, $BUILDDIR is persisted across builds. Just set BuildDirectory=<some-path> and it'll be created and persisted across builds. The annoying thing about BuildDirectory= for this use case is that we create a subdirectory in it, so you'll probably want to use BuildSources= instead.

But I mean that whatever is in there is not then moved to the output directory, so the build finishes and there's nothing, it's all lost

I mean that you make the output directory available to the build script via BuildSources=

@bluca bluca force-pushed the obs branch 10 times, most recently from 8aae290 to 2db4034 Compare January 20, 2025 01:51
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 20, 2025
View reviewed changes
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.build Fixed Show fixed Hide fixed
mkosi/resources/mkosi-obs/mkosi.postoutput Fixed Show fixed Hide fixed
@bluca bluca force-pushed the obs branch 4 times, most recently from 4644447 to b252a0d Compare January 20, 2025 02:37
@bluca bluca force-pushed the obs branch 4 times, most recently from 0deaae1 to 5bf44db Compare January 20, 2025 03:06
@bluca bluca force-pushed the obs branch 5 times, most recently from 3f6d077 to 25dc6ce Compare January 31, 2025 00:05
behrmann
behrmann reviewed Jan 31, 2025
View reviewed changes
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.build Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.build Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.postoutput Outdated Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.postoutput Show resolved Hide resolved
mkosi/resources/mkosi-obs/mkosi.postoutput Outdated Show resolved Hide resolved
@bluca bluca marked this pull request as ready for review February 7, 2025 20:27
DaanDeMeyer
DaanDeMeyer requested changes Feb 8, 2025
View reviewed changes
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Outdated Show resolved Hide resolved
mkosi/__init__.py Show resolved Hide resolved
@bluca bluca force-pushed the obs branch 6 times, most recently from ee04e72 to f0cc250 Compare February 8, 2025 12:53
behrmann
behrmann reviewed Feb 8, 2025
View reviewed changes
mkosi/__init__.py Outdated Show resolved Hide resolved
@bluca bluca force-pushed the obs branch 3 times, most recently from 3577aa8 to fe8a9f5 Compare February 8, 2025 18:55
bluca added 3 commits February 8, 2025 18:56
@bluca
Use ukify --pcr-certificate= if available
8bb0dd6
@bluca
Add support for SplitArtifacts=pcrs
393b16c 
When building a UKI emit a JSON blob containing all the PCR
policy blobs, so that it can be signed offline. A single JSON
file is written out, even if multiple profiles are used, as
ukify can be used to reattach a single blob and will ensure
the right signature is applied to the right PE .pcrsig section
in case of multiple profiles.
@bluca
Add mkosi-obs conf and scripts for multi-stage signing
a411ca3 
Signs both PCR digests (including multi-profile) and UKIs
themselves. Requires new ukify.
@bluca
Copy link
Member Author

bluca commented Feb 9, 2025

ukify change is merged, is this good to go?

DaanDeMeyer
DaanDeMeyer reviewed Feb 10, 2025
View reviewed changes
mkosi/__init__.py
@@ -2206,6 +2254,9 @@ def make_uki(
if ArtifactOutput.initrd in context.config.split_artifacts:
extract_pe_section(context, output, ".initrd", context.staging / context.config.output_split_initrd)

if ArtifactOutput.pcrs in context.config.split_artifacts and pcrs:
(context.staging / context.config.output_split_pcrs).write_text(json.dumps(pcrs))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add ident=4 here so it's pretty printed

@DaanDeMeyer DaanDeMeyer merged commit f007379 into systemd:main Feb 10, 2025
35 checks passed
@bluca bluca deleted the obs branch February 10, 2025 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behrmann behrmann behrmann left review comments

@DaanDeMeyer DaanDeMeyer DaanDeMeyer approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Provide an option to get PCR11 and PCR12 when building an UKI
3 participants
@bluca @DaanDeMeyer @behrmann