add install of signed kernel and verification

ublue-os · Jul 22, 2024 · 40c14ba · 40c14ba
1 parent 8699416
commit 40c14ba
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 7 deletions.
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -240,6 +240,25 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
 
+      - name: Check Secureboot
+        shell: bash
+        run: |
+          set -x
+          if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
+            sudo apt update
+            sudo apt install sbsigntool curl openssl
+          fi
+          podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
+          podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz .
+          podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
+          sbverify --list vmlinuz
+          curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
+          curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
+          openssl x509 -in kernel-sign.der -out kernel-sign.crt
+          openssl x509 -in akmods.der -out akmods.crt
+          sbverify --cert kernel-sign.crt vmlinuz || exit 1
+          sbverify --cert akmods.crt vmlinuz || exit 1
+
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry
@@ -478,6 +497,25 @@ jobs:
           extra-args: |
             --target=${{ env.IMAGE_BASE }}${{ matrix.image_suffix }}
 
+      - name: Check Secureboot
+        shell: bash
+        run: |
+          set -x
+          if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
+            sudo apt update
+            sudo apt install sbsigntool curl openssl
+          fi
+          podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
+          podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz .
+          podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
+          sbverify --list vmlinuz
+          curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
+          curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
+          openssl x509 -in kernel-sign.der -out kernel-sign.crt
+          openssl x509 -in akmods.der -out akmods.crt
+          sbverify --cert kernel-sign.crt vmlinuz || exit 1
+          sbverify --cert akmods.crt vmlinuz || exit 1
+
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
       - name: Lowercase Registry

diff --git a/fedora-coreos/Containerfile b/fedora-coreos/Containerfile
@@ -26,6 +26,7 @@ COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/
 COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/
 COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/
 COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
+COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/
 
 COPY *.sh /tmp/
 

diff --git a/fedora-coreos/install.sh b/fedora-coreos/install.sh
@@ -2,8 +2,12 @@
 
 set -ouex pipefail
 
+ARCH="$(rpm -E %{_arch})"
 RELEASE="$(rpm -E %fedora)"
-KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+pushd /tmp/kernel-rpms
+KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//')
+popd
+QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
 
 #### PREPARE
 # enable testing repos if not enabled on testing stream
@@ -22,14 +26,33 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
 #### INSTALL
 # inspect to see what RPMS we copied in
 find /tmp/rpms/
+find /tmp/kernel-rpms/
 
-rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm
+rpm-ostree install /tmp/rpms/*.rpm
+
+# Handle Kernel Skew with override replace
+rpm-ostree cliwrap install-to-root /
+if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
+    echo "Installing signed kernel from kernel-cache."
+    cd /tmp
+    rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv
+    cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
+    cd /
+else
+    echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
+    rpm-ostree override replace \
+        --experimental \
+        --install=zstd \
+        /tmp/kernel-rpms/kernel-[0-9]*.rpm \
+        /tmp/kernel-rpms/kernel-core-*.rpm \
+        /tmp/kernel-rpms/kernel-modules-*.rpm
+fi
 
 ## CONDITIONAL: install ZFS
 if [[ "-zfs" == "${ZFS_TAG}" ]]; then
     rpm-ostree install pv /tmp/rpms/zfs/*.rpm
     # for some reason depmod ran automatically with zfs 2.1 but not with 2.2
-    depmod -A ${KERNEL}
+    depmod -A ${KERNEL_VERSION}
 fi
 
 ## CONDITIONAL: install NVIDIA

diff --git a/ucore/Containerfile b/ucore/Containerfile
@@ -31,6 +31,7 @@ COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/
 COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/
 COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/
 COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
+COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/
 
 COPY *.sh /tmp/
 COPY packages.json /tmp/packages.json

diff --git a/ucore/install-ucore-minimal.sh b/ucore/install-ucore-minimal.sh
@@ -2,8 +2,12 @@
 
 set -ouex pipefail
 
-KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+ARCH="$(rpm -E %{_arch})"
 RELEASE="$(rpm -E %fedora)"
+pushd /tmp/kernel-rpms
+KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//')
+popd
+QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')"
 
 #### PREPARE
 # enable testing repos if not enabled on testing stream
@@ -29,15 +33,34 @@ curl -L -o /etc/yum.repos.d/fedora-coreos-pool.repo \
 #### INSTALL
 # inspect to see what RPMS we copied in
 find /tmp/rpms/
-
-rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm
+find /tmp/kernel-rpms/
+
+rpm-ostree install /tmp/rpms/*.rpm
+
+# Handle Kernel Skew with override replace
+rpm-ostree cliwrap install-to-root /
+if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
+    echo "Installing signed kernel from kernel-cache."
+    cd /tmp
+    rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv
+    cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
+    cd /
+else
+    echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
+    rpm-ostree override replace \
+        --experimental \
+        --install=zstd \
+        /tmp/kernel-rpms/kernel-[0-9]*.rpm \
+        /tmp/kernel-rpms/kernel-core-*.rpm \
+        /tmp/kernel-rpms/kernel-modules-*.rpm
+fi
 
 ## CONDITIONAL: install ZFS (and sanoid deps)
 if [[ "-zfs" == "${ZFS_TAG}" ]]; then
     rpm-ostree install /tmp/rpms/zfs/*.rpm \
       pv
     # for some reason depmod ran automatically with zfs 2.1 but not with 2.2
-    depmod -A ${KERNEL}
+    depmod -A ${KERNEL_VERSION}
 fi
 
 ## CONDITIONAL: install NVIDIA