authorChristian Breunig <christian@breunig.cc>2025-03-21 08:37:34 +0100
committerGitHub <noreply@github.com>2025-03-21 08:37:34 +0100
commitd552f7f8c38d7ad3bd28d9019a58b57e41b07f0b (patch)
treefc2421034e941871e0d233c52bda6992f3e1acc2 /scripts
parent750951606bbbbdc7c1e21d36a8af8e8ba1b98db9 (diff)
parent96f1844557950055aa8f9cd97bd95a6a0b1761b9 (diff)
Merge pull request #930 from c-po/T861-secure-boot
T861: minor improvements to secure-boot certificate handling
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/check-qemu-install12
-rwxr-xr-xscripts/image-build/build-vyos-image6
-rwxr-xr-xscripts/package-build/linux-kernel/build-kernel.sh5
3 files changed, 20 insertions, 3 deletions
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 551d1e7e..ab6e1b1f 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -399,6 +399,16 @@ try:
loginVM(c, log)
#################################################
+ # Check for no private key contents within the image
+ #################################################
+ msg = 'Found private key - bailing out'
+ c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+ tmp = c.expect([f'\n{msg}', op_mode_prompt])
+ if tmp == 0:
+ log.error(msg)
+ exit(1)
+
+ #################################################
# Installing into VyOS system
#################################################
log.info('Starting installer')
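Review bot: The grep on the new check line matches only the unencrypted PKCS#8 header `BEGIN PRIVATE KEY`, so a key stored as `BEGIN RSA PRIVATE KEY`, `BEGIN EC PRIVATE KEY`, `BEGIN ENCRYPTED PRIVATE KEY` or `BEGIN OPENSSH PRIVATE KEY` would ship in the image undetected. Dropping the `BEGIN ` prefix catches every PEM variant: `c.sendline(f'if sudo grep -rq "PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')`. A DER-encoded key carries no text marker at all and still passes, so if keys are ever stored in that form a filename test (`-name '*.key'`) or a per-file `openssl` probe would be needed. Note also that grep exiting non-zero because the directory is absent is indistinguishable from "no key found"; that is acceptable here but deserves a one-line comment such as `# a missing mok directory also passes: grep -r exits non-zero`. The enclosing `try:` block begins before this hunk.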
@@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
EXCEPTION = 1
except Exception:
- log.error('Unknown error occured while VyOS!')
+ log.error('Unknown error occured!')
traceback.print_exc()
EXCEPTION = 1
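Review bot: The rewritten message on the `+` line still misspells "occurred" as `occured`; since the line is being touched anyway, `log.error('Unknown error occurred!')` fixes it. If `log` is a standard `logging.Logger`, `log.exception('Unknown error occurred!')` would also route the traceback through the logger and make the separate `traceback.print_exc()` call redundant, though that is optional. The `except Exception:` it sits in is the script's top-level catch-all and the handler continues outside the hunk.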
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index d969c157..aab5ed13 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -367,6 +367,11 @@ if __name__ == "__main__":
shutil.copytree("data/live-build-config/", lb_config_dir)
os.makedirs(lb_config_dir, exist_ok=True)
+ ## Secure Boot - Copy public Keys to image
+ sb_certs = 'data/certificates'
+ if os.path.isdir(sb_certs):
+ shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok')
+
# Switch to the build directory, this is crucial for the live-build work
# because the efective build config files etc. are there.
#
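Review bot: `shutil.copytree(sb_certs, ...)` copies everything under `data/certificates` into the image's `/var/lib/shim-signed/mok`, so a private key left next to the public certificates (a `.key`, `.priv` or PKCS#12 file) is baked into the image, and the qemu-side grep added elsewhere in this PR only catches PEM-encoded text keys after the fact. Filter at the source instead: `shutil.copytree(sb_certs, dest, ignore=shutil.ignore_patterns('*.key', '*.priv', '*.p12', '*.pfx'))`, or copy only the `*.pem`/`*.der` files the kernel build consumes. Also, `copytree` raises `FileExistsError` when the destination already exists; `data/live-build-config/` is copied into `lb_config_dir` two lines earlier and the old kernel-build path suggests a `shim-signed/mok` directory used to live there, so if any such directory remains, add `dirs_exist_ok=True` (Python 3.8+). A short comment stating that only public certificates belong in `data/certificates` would help the next person who drops a file there.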
@@ -611,6 +616,7 @@ DOCUMENTATION_URL="{build_config['documentation_url']}"
## Configure live-build
lb_config_tmpl = jinja2.Template("""
lb config noauto \
+ --no-color \
--apt-indices false \
--apt-options "--yes -oAPT::Get::allow-downgrades=true" \
--apt-recommends false \
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
done
# Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
TRUSTED_KEYS_FILE=trusted_keys.pem
# start with empty key file
echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
if [ ! -z "${CERTS}" ]; then
# add known public keys to Kernel certificate chain
for file in $CERTS; do
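Review bot: `GIT_ROOT=$(git rev-parse --show-toplevel)` is used without checking that it succeeded, so when the script runs from a source tree without `.git` (an exported tarball, or a container that copied only the package directory) `GIT_ROOT` is empty, `find` looks at `/data/certificates`, and the `|| true` swallows the error — the kernel is then built with an empty trusted-keys list and no warning. Fail loudly instead: `GIT_ROOT=$(git rev-parse --show-toplevel) || { echo "build-kernel.sh must run inside the vyos-build checkout" >&2; exit 1; }` and quote the expansion, `find "${GIT_ROOT}/data/certificates" -name "*.pem" -type f`. The `*.pem` glob also picks up a private key if one is stored with that extension in `data/certificates`; the loop body that feeds these files into `$TRUSTED_KEYS_FILE` continues past the end of the hunk, so whether it filters them cannot be seen here.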