We need to improve secure boot on below issues:
(1) The shim/grub are compiled in debian stx instead of lat now,
but they need to take effect by rebuilding lat sdk;
(2) The kernel/initramfs are signed by keys embedded in meta-secure-core
(upstream source code related with lat sdk);
(3) There is no automatic process for signing all of them
(on signing server) and building them into image by lat, although
the signing interface is designed on signing server;
(4) We need to divide signed build and unsigned build because most
developers don't have access to signing server.
So below changes (cowork with other changes in integ/root repo and
lat-sdk.sh and signing tools on signing server) are done to fix
above issues.
(1) Use shim/grub images from debian stx instead of LAT sdk sysroots:
Change the LAT config file to build iso using the shim/grub
images built by StarlingX debian instead of those from
LAT sdk sysroots. And update the paths accordingly for:
grubx64.efi in rootfs-post-scripts and bootx64-nosig.efi in
iso-post-script.
(2) Make secure boot build disabled by default:
Set EFI_SECURE_BOOT as disable.
(3) Add hooks for gpg signing of initramfs:
Define initramfs-sign-script.
(4) When lat docker is running to build image, gpg signings are
done by the signing scripts which are hooks of lat build process,
so the tool for accessing remote signing server is needed.
Test plan:
The tests are done with all the changes which involve tools/integ/root
repo and lat-sdk.sh and signing tools on signing server.
- PASS: Follow below build process to build unsigned image
  and build successfully:
    build-pkgs
    build-image
- PASS: Follow below build process to build signed image
  and build successfully:
    Prepare keys on dockers and signing server to set up access
    to signing server without password
    build-pkgs
    export SIGNING_SERVER="user@signing_server_ip"
    <PATH>/sign-secure-boot_debian
    build-image
  The <PATH> is:
    /localdisk/designer/${USER}/stx/cgcs-root/build-tool
- PASS: Do AIO-DX installation successfully for both
unsigned image on secure boot disabled lab and
signed image on secure boot enabled lab.
- PASS: Failure path tests include:
  [NG] unsigned image on secure boot enabled
  [NG] image signed with wrong key on secure boot enabled
  [OK] signed image on secure boot disabled
NG: fail to boot; OK: succeed to boot.
This commit works together with:
https://review.opendev.org/c/starlingx/root/+/868920
https://review.opendev.org/c/starlingx/integ/+/868919
Story: 2009221
Task: 47097
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I3c79dad2f915707cede8dff67fbe245bde1f4ad0