From 40c14ba31d6c966fe676ebe6ec52f1e0e0ca6843 Mon Sep 17 00:00:00 2001 From: Benjamin Sherman Date: Sun, 21 Jul 2024 20:50:12 -0500 Subject: [PATCH] add install of signed kernel and verification --- .github/workflows/reusable-build.yml | 38 ++++++++++++++++++++++++++++ fedora-coreos/Containerfile | 1 + fedora-coreos/install.sh | 29 ++++++++++++++++++--- ucore/Containerfile | 1 + ucore/install-ucore-minimal.sh | 31 ++++++++++++++++++++--- 5 files changed, 93 insertions(+), 7 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 04c4e4a..e22a3e3 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml 
@@ -240,6 +240,25 @@ jobs: labels: ${{ steps.meta.outputs.labels }} oci: false + - name: Check Secureboot + shell: bash + run: | + set -x + if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then + sudo apt update + sudo apt install sbsigntool curl openssl + fi + podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 + podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . + podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) + sbverify --list vmlinuz + curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der + curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der + openssl x509 -in kernel-sign.der -out kernel-sign.crt + openssl x509 -in akmods.der -out akmods.crt + sbverify --cert kernel-sign.crt vmlinuz || exit 1 + sbverify --cert akmods.crt vmlinuz || exit 1 + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry 
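Review bot: The certificates the new `Check Secureboot` step verifies against are fetched at check time from the `main` branch of `ublue-os/kernel-cache`, so the step only proves the kernel was signed with whatever key that branch currently publishes — anyone able to push to that branch can rotate the cert and the `sbverify --cert` lines still pass. Pin the expected certificates instead: vendor `public_key.der` and `public_key_2.der` into this repository, or at minimum fetch them from an immutable ref, e.g. `https://github.com/ublue-os/kernel-cache/raw/<commit-sha>/certs/public_key.der`, and compare `openssl x509 -noout -fingerprint -sha256` against a value committed here before calling sbverify. The `openssl x509 -in kernel-sign.der -out kernel-sign.crt` conversions also omit `-inform DER`; recent OpenSSL builds may auto-detect the input format, but `-inform DER` makes the conversion unambiguous. The enclosing job starts outside the hunk.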
@@ -478,6 +497,25 @@ jobs: extra-args: | --target=${{ env.IMAGE_BASE }}${{ matrix.image_suffix }} + - name: Check Secureboot + shell: bash + run: | + set -x + if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then + sudo apt update + sudo apt install sbsigntool curl openssl + fi + podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000 + podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.KERNEL_VERSION }}/vmlinuz . + podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) + sbverify --list vmlinuz + curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der + curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der + openssl x509 -in kernel-sign.der -out kernel-sign.crt + openssl x509 -in akmods.der -out akmods.crt + sbverify --cert kernel-sign.crt vmlinuz || exit 1 + sbverify --cert akmods.crt vmlinuz || exit 1 + # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR. # https://github.com/macbre/push-to-ghcr/issues/12 - name: Lowercase Registry diff --git a/fedora-coreos/Containerfile b/fedora-coreos/Containerfile index b36933f..42c8137 100644 --- a/fedora-coreos/Containerfile +++ b/fedora-coreos/Containerfile @@ -26,6 +26,7 @@ COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/ COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ +COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/ COPY *.sh /tmp/ 
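Review bot: This `Check Secureboot` step is a verbatim copy of the one added to the earlier job in this file; the dozen shell lines should live in one place — a repo-local script taking the image reference and kernel version, or a composite action — so the two copies cannot drift on the certificate URLs or the verification commands. Separately, `sudo apt install sbsigntool curl openssl` runs without `-y`; when the requested package pulls in dependencies apt asks for confirmation and, with no TTY on the runner, is likely to abort, so prefer `sudo apt-get install -y sbsigntool curl openssl`. The enclosing job starts outside the hunk.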
diff --git a/fedora-coreos/install.sh b/fedora-coreos/install.sh index f0559f4..eba3f66 100755 --- a/fedora-coreos/install.sh +++ b/fedora-coreos/install.sh @@ -2,8 +2,12 @@ set -ouex pipefail +ARCH="$(rpm -E %{_arch})" RELEASE="$(rpm -E %fedora)" -KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" +pushd /tmp/kernel-rpms +KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//') +popd +QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" #### PREPARE # enable testing repos if not enabled on testing stream @@ -22,14 +26,33 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo #### INSTALL # inspect to see what RPMS we copied in find /tmp/rpms/ +find /tmp/kernel-rpms/ -rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm +rpm-ostree install /tmp/rpms/*.rpm + +# Handle Kernel Skew with override replace +rpm-ostree cliwrap install-to-root / +if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then + echo "Installing signed kernel from kernel-cache." + cd /tmp + rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv + cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz + cd / +else + echo "Install kernel version ${KERNEL_VERSION} from kernel-cache." + rpm-ostree override replace \ + --experimental \ + --install=zstd \ + /tmp/kernel-rpms/kernel-[0-9]*.rpm \ + /tmp/kernel-rpms/kernel-core-*.rpm \ + /tmp/kernel-rpms/kernel-modules-*.rpm +fi ## CONDITIONAL: install ZFS if [[ "-zfs" == "${ZFS_TAG}" ]]; then rpm-ostree install pv /tmp/rpms/zfs/*.rpm # for some reason depmod ran automatically with zfs 2.1 but not with 2.2 - depmod -A ${KERNEL} + depmod -A ${KERNEL_VERSION} fi ## CONDITIONAL: install NVIDIA diff --git a/ucore/Containerfile b/ucore/Containerfile index 4ee9433..c0a580e 100644 --- a/ucore/Containerfile +++ b/ucore/Containerfile 
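Review bot: `KERNEL_VERSION` is built by globbing `kernel-*.rpm` and grepping an unanchored pattern, so if `/tmp/kernel-rpms` ever holds two kernel versions (or a filename that merely contains the pattern) the variable silently becomes multi-line, the `==` comparison later in the script can never match, and the `override replace` branch runs with a garbled version string. Anchor the pattern and fail loudly on anything but exactly one match, e.g. `KERNEL_VERSION=$(find kernel-*.rpm | grep -P "^kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}\.rpm$" | sed -E 's/^kernel-//; s/\.rpm$//')` followed by `[[ $(wc -l <<<"${KERNEL_VERSION}") -eq 1 ]] || { echo "expected exactly one kernel rpm, got: ${KERNEL_VERSION}"; exit 1; }`. A no-match case already aborts the script through `set -e` and pipefail, which is the right fail-closed behaviour; the multi-match case is the one left unguarded.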
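Review bot: Both branches of the kernel-skew block consume the kernel-cache RPMs without any signature check — `rpm2cpio | cpio` never looks at signatures, and `rpm-ostree override replace` on local files does not, to my knowledge, GPG-verify them — so the only attestation of this kernel is the post-build `sbverify` in CI, which covers `vmlinuz` but not the modules in `kernel-modules-*.rpm`. If kernel-cache signs its RPMs, import that key and run `rpm --checksig /tmp/kernel-rpms/*.rpm` before this block; if it does not, say so in a comment so readers know trust rests entirely on the `kernel` build stage reference. In the version-match branch `cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz` relies on globs on both sides; with more than one module directory present it either copies to the wrong place or fails with a confusing cp error, so use the version already computed: `cp "./lib/modules/${KERNEL_VERSION}/vmlinuz" "/usr/lib/modules/${KERNEL_VERSION}/vmlinuz"`. That branch also overwrites a file the rpmdb presumably still attributes to Fedora's kernel-core, which `rpm -V kernel-core` will report as modified — worth a comment such as `# vmlinuz now differs from what kernel-core's rpmdb entry records; rpm -V will flag it`.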
@@ -31,6 +31,7 @@ COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/ COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ +COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/ COPY *.sh /tmp/ COPY packages.json /tmp/packages.json diff --git a/ucore/install-ucore-minimal.sh b/ucore/install-ucore-minimal.sh index 4d35eaa..d5ee27f 100755 --- a/ucore/install-ucore-minimal.sh +++ b/ucore/install-ucore-minimal.sh @@ -2,8 +2,12 @@ set -ouex pipefail -KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" +ARCH="$(rpm -E %{_arch})" RELEASE="$(rpm -E %fedora)" +pushd /tmp/kernel-rpms +KERNEL_VERSION=$(find kernel-*.rpm | grep -P "kernel-(\d+\.\d+\.\d+)-.*\.fc${RELEASE}\.${ARCH}" | sed -E 's/kernel-//' | sed -E 's/\.rpm//') +popd +QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(\d+\.\d+\.\d+)' | sed -E 's/kernel-//')" #### PREPARE # enable testing repos if not enabled on testing stream 
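Review bot: `QUALIFIED_KERNEL` re-derives the installed kernel's version by grepping `rpm -qa` with an unanchored `kernel-(\d+\.\d+\.\d+)` pattern and stripping the prefix with sed, where rpm can print exactly the layout `KERNEL_VERSION` uses: `QUALIFIED_KERNEL="$(rpm -q kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"` yields `VERSION-RELEASE.ARCH` directly, cannot pick up an unrelated package whose name happens to contain that substring, and exits non-zero (aborting under `set -e`) if no kernel package is installed. If the grep form is kept, anchor it with `^kernel-`. The same derivation appears in `fedora-coreos/install.sh`; whichever form is chosen, keeping it in one shared snippet avoids skew between the two images.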
@@ -29,15 +33,34 @@ curl -L -o /etc/yum.repos.d/fedora-coreos-pool.repo \ #### INSTALL # inspect to see what RPMS we copied in find /tmp/rpms/ - -rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm +find /tmp/kernel-rpms/ + +rpm-ostree install /tmp/rpms/*.rpm + +# Handle Kernel Skew with override replace +rpm-ostree cliwrap install-to-root / +if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then + echo "Installing signed kernel from kernel-cache." + cd /tmp + rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv + cp ./lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz + cd / +else + echo "Install kernel version ${KERNEL_VERSION} from kernel-cache." + rpm-ostree override replace \ + --experimental \ + --install=zstd \ + /tmp/kernel-rpms/kernel-[0-9]*.rpm \ + /tmp/kernel-rpms/kernel-core-*.rpm \ + /tmp/kernel-rpms/kernel-modules-*.rpm +fi ## CONDITIONAL: install ZFS (and sanoid deps) if [[ "-zfs" == "${ZFS_TAG}" ]]; then rpm-ostree install /tmp/rpms/zfs/*.rpm \ pv # for some reason depmod ran automatically with zfs 2.1 but not with 2.2 - depmod -A ${KERNEL} + depmod -A ${KERNEL_VERSION} fi ## CONDITIONAL: install NVIDIA
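Review bot: `rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv` unpacks the entire kernel-core payload (every in-tree module) under `/tmp` only to copy out one file, and nothing in this block removes the tree afterwards, so unless a later step wipes `/tmp` it ends up in the image layer. Extract just the kernel and clean up: `rpm2cpio /tmp/kernel-rpms/kernel-core-*.rpm | cpio -idmv './lib/modules/*/vmlinuz'` and `rm -rf ./lib` after the copy. The version-match branch also assumes the cached kernel-core is a re-signed copy of the same Fedora build, so that the modules already in the image keep matching the swapped `vmlinuz`; since only the version string is compared, record that assumption, e.g. `# same NEVRA as the installed kernel: swap only the Secure Boot-signed vmlinuz, keep Fedora's modules`. This block is duplicated verbatim in `fedora-coreos/install.sh`; a shared helper sourced by both scripts would keep the two in step.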