debian: secure boot enhancement

We need to improve secure boot on the issues below:
(1) The shim/grub are compiled in debian stx instead of lat now,
    but they need to take effect by rebuilding the lat sdk;
(2) The kernel/initramfs are signed by keys embedded in meta-secure-core
    (upstream source code related to the lat sdk);
(3) There is no automatic process for signing all of them
    (on the signing server) and building them into the image by lat, although
    the signing interface is designed on the signing server;
(4) We need to divide signed build and unsigned build because most
    developers don't have access to the signing server.

So the changes below (working together with other changes in the integ/root
repo, lat-sdk.sh and the signing tools on the signing server) are done to fix
the above issues.
(1) Use shim/grub images from debian stx instead of LAT sdk sysroots:
Change the LAT config file to build iso using the shim/grub
images built by StarlingX debian instead of those from
LAT sdk sysroots. And update the paths accordingly for:
grubx64.efi in rootfs-post-scripts and bootx64-nosig.efi in
iso-post-script.

(2) Make secure boot build disabled by default:
Set EFI_SECURE_BOOT as disable.

(3) Add hooks for gpg signing of initramfs:
Define initramfs-sign-script.

(4) When the lat docker is running to build the image, gpg signing is
done by the signing scripts, which are hooks of the lat build process,
so the tool for accessing the remote signing server is needed.

Test plan:
 The tests are done with all the changes, which involve the tools/integ/root
 repos, lat-sdk.sh and the signing tools on the signing server.
 - PASS: Follow the build process below to build an unsigned image,
         and the build succeeds:
         build-pkgs
         build-image
 - PASS: Follow the build process below to build a signed image,
         and the build succeeds:
         Prepare keys on the dockers and the signing server to set up access
         to the signing server without a password
         build-pkgs
         export SIGNING_SERVER="user@signing_server_ip"
         <PATH>/sign-secure-boot_debian
         build-image
         The <PATH> is:
         /localdisk/designer/${USER}/stx/cgcs-root/build-tool
 - PASS: Do AIO-DX installation successfully for both
         unsigned image on secure boot disabled lab and
         signed image on secure boot enabled lab.
 - PASS: Failure path tests include:
         [NG] unsigned image on secure boot enabled
         [NG] image signed with wrong key on secure boot enabled
         [OK] signed image on secure boot disabled
         NG: fails to boot; OK: boots successfully.

This commit works together with:
https://review.opendev.org/c/starlingx/root/+/868920
https://review.opendev.org/c/starlingx/integ/+/868919

Story: 2009221
Task: 47097

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I3c79dad2f915707cede8dff67fbe245bde1f4ad0
Li Zhou 2022-12-27 19:19:46 +08:00
parent 839674c2fa
commit c181eda91b
2 changed files with 13 additions and 9 deletions


@ -24,13 +24,13 @@ gpg:
BOOT_GPG_PASSPHRASE: SecureCore
BOOT_KEYS_DIR: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys
BOOT_GPG_KEY: $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore
BOOT_SINGED_SHIM: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64.efi
BOOT_SINGED_SHIMTOOL: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/mmx64.efi
BOOT_SINGED_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grubx64.efi
BOOT_SINGED_SHIM: $IMAGE_ROOTFS/usr/lib/shim/bootx64.efi
BOOT_SINGED_SHIMTOOL: $IMAGE_ROOTFS/usr/lib/shim/mmx64.efi
BOOT_SINGED_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grubx64.efi
BOOT_EFITOOL: $IMAGE_ROOTFS/usr/lib/efitools/x86_64-linux-gnu/LockDown.efi
BOOT_GRUB_CFG: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/grub.cfg
BOOT_NOSIG_GRUB: $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi
EFI_SECURE_BOOT: enable
BOOT_GRUB_CFG: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/grub.cfg
BOOT_NOSIG_GRUB: $IMAGE_ROOTFS/boot/efi/EFI/BOOT/bootx64-nosig.efi
EFI_SECURE_BOOT: disable
packages: []
external-packages: []
include-default-packages: '0'
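Review bot: BOOT_KEYS_DIR, BOOT_GPG_KEY and BOOT_GPG_PASSPHRASE (the context lines at the top of this hunk) still point at the meta-secure-core key under $OECORE_NATIVE_SYSROOT/usr/share/bootfs/boot_keys with the passphrase SecureCore in clear, which is exactly issue (2) from the commit message; with EFI_SECURE_BOOT flipped to disable these entries are dormant, but anyone who re-enables it in a local build gets an image signed with the publicly known upstream key. Suggest a comment next to these three keys stating that sign-secure-boot_debian is expected to override them, or gating them the same way the shim/grub paths are. Minor: the new BOOT_SINGED_SHIM / BOOT_SINGED_SHIMTOOL / BOOT_SINGED_GRUB lines carry over the existing SINGED spelling; if that is the key name the LAT tooling reads, a short comment would stop someone "fixing" it later and silently breaking the lookup.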
@ -81,7 +81,7 @@ rootfs-post-scripts:
# There is ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi from parent linux installed
# For secure boot feature, it should be replaced with the right one
if [ "$EFI_SECURE_BOOT" = enable ]; then
install -m 0644 ${OECORE_TARGET_SYSROOT}/boot/efi/EFI/BOOT/grubx64.efi ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi
install -m 0644 ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/grubx64.efi ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi
fi
environments:
- NO_RECOMMENDATIONS="1"
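Review bot: the replacement of ${IMAGE_ROOTFS}/var/pxeboot/grubx64.efi is still gated on "$EFI_SECURE_BOOT" = enable, and this series sets EFI_SECURE_BOOT to disable by default, so the default (unsigned) build ships the parent-installed grubx64.efi for PXE rather than the StarlingX-built one now taken from ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/grubx64.efi. If the intent is that signed and unsigned builds use the same grub and differ only in the signature, drop the gate; otherwise extend the comment above the if to say that the two PXE loaders are different binaries in the two build modes.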
@ -261,8 +261,8 @@ iso-post-script: |
# 2.2.2 EFI PXE
cp -a EFI pxeboot
if [ -e $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
cp $OECORE_TARGET_SYSROOT/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
if [ -e ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi ]; then
cp ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi pxeboot/EFI/BOOT/
fi
# 2.3 Edit grub.cfg and pxelinux.cfg/default
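Review bot: the `if [ -e ${IMAGE_ROOTFS}/boot/efi/EFI/BOOT/bootx64-nosig.efi ]` check silently skips the copy into pxeboot/EFI/BOOT/ when the file is absent, and after this path change that depends on the StarlingX grub package installing it at that location rather than on the LAT sysroot; a missing file would only surface as an EFI PXE boot failure on a lab. Suggest an else branch that at least logs "bootx64-nosig.efi not found, EFI PXE loader not installed", or fails the build when EFI_SECURE_BOOT is disable and no EFI PXE loader was placed.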
@ -386,6 +386,9 @@ iso-post-script: |
ln -snf ../efi.img images/efiboot.img
fi
initramfs-sign-script: |
echo "End of initramfs-sign-script!"
multiple-kernels: vmlinuz-*[!t]-amd64 vmlinuz-*-rt-amd64
default-kernel: vmlinuz-*[!t]-amd64
system:
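Review bot: initramfs-sign-script is a no-op stub whose only line is `echo "End of initramfs-sign-script!"`, so an EFI_SECURE_BOOT=enable build that skips the external sign-secure-boot_debian step produces an unsigned initramfs while the build log reads as if signing ran. Suggest a YAML comment stating that this body is replaced by the signing tooling, and making the stub either print an explicit "initramfs not signed" line or exit non-zero when EFI_SECURE_BOOT is enable, so the "[NG] unsigned image on secure boot enabled" case from the test plan is caught at build time rather than at boot.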


@ -20,6 +20,7 @@ ARG LAT_BINARY_RESOURCE_PATH=http://mirror.starlingx.cengn.ca/mirror/lat-sdk/lat
# Install necessary packages
RUN apt-get -y update && apt-get --no-install-recommends -y install \
openssh-client \
python3 \
python3-pip \
xz-utils \
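Review bot: openssh-client is added so the build container can reach $SIGNING_SERVER, but neither this Dockerfile nor the commit message says how the passwordless key and known_hosts get into the container ("Prepare keys on dockers" in the test plan is the only hint). Suggest a comment here naming the expected mount and requiring a pre-populated known_hosts with StrictHostKeyChecking=yes for the signing connection; a signing channel that accepts any host key lets someone on the path hand back signatures made with a key of their choosing.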