Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add (temporary) signed shim and sign official builds with Azure Key Vault #2441

Merged
merged 20 commits into from
Nov 14, 2024

Conversation

chewi
Copy link
Contributor

@chewi chewi commented Nov 12, 2024

Add (temp) signed shim and sign official builds with AKV

This adds the SBAT data to the shim binary, adds a pre-signed shim package for official builds, adds the tools needed to sign with Azure Key Vault, and reworks the signing code to do that... then effectively undoes the AKV signing because we need to pass the shim review first. We will revert the final commit later.

Flatcar has not yet completed the shim review, so the signed shim is a temporary one that will be replaced shortly.

The Azure Key Vault signing only works when performed on Azure. This happens during the images job, which is currently still configured to run on Equinix. This configuration lives in another repository. It should be adjusted before we need to perform the next official build. We may split out the signing part of the job so that the actual building can still be performed on Equinix, but that has yet to be agreed.

azure-keyvault-pkcs11 is still undergoing a cleanup following its transformation from AWS, so the commit currently used by the package points to an early iteration, but the plugin is sufficiently functional to be used here.

How to use

The changes mostly concern CI, but you can check that the flatcar_production_qemu_uefi_secure_efi image still works with Secure Boot enabled.

Testing done

A Jenkins run for the unofficial build mostly passed successfully, including qemu_uefi_secure on amd64. qemu_uefi_secure on arm64 failed, but only on the kubeadm jobs we often see fail. We have already seen that an official build works when the image job is run on Azure.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update) -- The change is probably only worth mentioning to users when we add the officially signed shim.
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@chewi chewi requested a review from a team November 12, 2024 16:10
@chewi chewi self-assigned this Nov 12, 2024
Copy link
Member

@sayanchowdhury sayanchowdhury left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me - but let @krnowak / @dongsupark / @tormath1 do a review.

sayanchowdhury and others added 19 commits November 13, 2024 12:18
It's from Gentoo commit d286faf494dcb60f81f0de921fa623d952962fc1.
It's from Gentoo commit 69e4044b72d971f5603df77793db86c40e582e2e.
It's from Gentoo commit 768b3c1959debce15854362ff7db176cda76c055.
It's from Gentoo commit 82ec02943f7f0ddaa87f623cee138608571a3978.
It hasn't been added to Gentoo yet.
p11-kit is a dependency of azure-keyvault-pkcs11, but we will also use
it directly to fetch the certificate from Azure Key Vault.

Signed-off-by: James Le Cuirot <[email protected]>
The cross issues that were previously addressed by our fork are no
longer an issue since p11-kit migrated to Meson.

Signed-off-by: James Le Cuirot <[email protected]>
We always use the board's GRUB now.

Signed-off-by: James Le Cuirot <[email protected]>
We don't want to be blocked from doing releases in the meantime. Revert
this commit when ready.

Signed-off-by: James Le Cuirot <[email protected]>
@chewi chewi requested a review from krnowak November 13, 2024 23:01
@chewi chewi merged commit 8599de5 into main Nov 14, 2024
1 check was waiting
@chewi chewi deleted the chewi/akv-signing branch November 14, 2024 10:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Development

Successfully merging this pull request may close these issues.

4 participants