feat: add common developer keys for signed firmware

To make images compatible with each other for development a comon set of keys will be used. The keys are located on k-stufen. * add script to download and extract keys * adjustments to coreos-init-build-env script * adjustments to check_files_exist function
2023-11-08 15:29:21 +01:00 · 2023-11-08 15:29:21 +01:00 · f04afe073a
parent ea134d867e
commit f04afe073a
3 changed files with 113 additions and 9 deletions
--- a/25
+++ b/25
@ -87,10 +87,23 @@ coreos-bblayers-envsub COREOS_LAYERSDIR "${COREOS_ROOT}/layers"
 # Add support for ##COREOS_EXTLAYERSDIR## inside of bblayer template
 coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"

-# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything it
-# the directory already exist, so it's safe to call it everytime
+# Generate the ${BUILDDIR}/key directory. The scripts doesn't generate anything
+# if the directory already exist so it's safe to call it everytime
 # stdout is redirected to reduce the amount of output but not stderr
-coreos-keygen > /dev/null || {
-    echo "The coreos-keygen script has failed" >&2
-    return 1
-}
+#
+#Note: if a final build is detected all the dev keys are deleted
+
+if [ "$CreateFinal" = "true" ]; then
+    echo "\nFinal build detected delete dev keys and dont use or generate them" >&2
+    rm -rf "${BUILDDIR}/keys"
+else
+    echo "\nNo final build detected use development keys" >&2
+    coreos-get-dev-keys > /dev/null || {
+        echo "The coreos-get-dev-keys script has failed" >&2
+    }
+
+    coreos-keygen > /dev/null || {
+        echo "The coreos-keygen script has failed" >&2
+        return 1
+    }
+fi
--- a/scripts/coreos-get-dev-keys
+++ b/scripts/coreos-get-dev-keys
@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+# This script will get development keys needed by the UEFI secure boot
+# implementation from the k-stufen web share and put the under $BUILDDIR/keys
+#
+# The reason for every developer to have the same keys is that image/update
+# filest are interchangable.
+# Those developer keys are used for all builds except the ones that are marked
+# as final. Here the official keys will be used.
+#
+# Following keys will be downloaded
+# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
+# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
+
+# This script is used every time the build environment of CoreOS is sourced
+# Note: in the build environment stdout is redirected to /dev/null but not
+# stderr.
+
+set -e
+
+# Logging helper
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BOLD='\033[1m'
+RESET='\033[0m'
+
+# Ensure that BUILDDIR is defined
+# ==============================================================================
+# This is usually done inside the coreos-init-build-env script
+
+
+if [ -z "$BUILDDIR" ]; then 
+    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
+    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
+    exit 1
+fi
+
+# We need the KEYDIR directory to exist
+# ==============================================================================
+
+KEYDIR="${BUILDDIR}/keys"
+mkdir -p "${KEYDIR}"
+cd "${KEYDIR}"
+
+# we need wget and tar
+# ==============================================================================
+
+assert_command_in_path() {
+    if command -v "$1" >/dev/null 2>&1; then
+        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
+    else
+        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
+        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
+        exit 1
+    fi
+}
+
+assert_command_in_path wget
+assert_command_in_path tar
+
+
+# Generate all they keys, as needed
+# ==============================================================================
+# Only generate the file if it's missing and don't fail if the file already
+# exist
+
+check_files_exist() {
+    RET=0
+    for file in "$@"; do
+        if [ ! -e "$file" ]; then
+            echo -e "𐄂 File ${RED}${file}${RESET} missing"
+            RET=1
+        else
+            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
+        fi
+    done
+    return $RET
+}
+
+check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \
+                  KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \
+{
+    echo -e "${RED}Incosistent or no keys.${RESET}"
+    echo "Downloading Keys"
+    wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \
+    tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \
+    rm coreos_developer_signing.keys.tar.gz
+}
--- a/scripts/coreos-keygen
+++ b/scripts/coreos-keygen
@ -58,13 +58,16 @@ assert_command_in_path sign-efi-sig-list
 # exist

 check_files_exist() {
+    RET=0
    for file in "$@"; do
-        echo -e "✓ File ${GREEN}${file}${RESET} already exist"
        if [ ! -e "$file" ]; then
-            return 1
+            echo -e "𐄂 File ${RED}${file}${RESET} missing"
+            RET=1
+        else
+            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
        fi
    done
-    return 0
+    return $RET
 }

 echo "Generating private/public keys in .key/.crt format for PK, KEK et db"