-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2441 from flatcar/chewi/akv-signing
Add (temporary) signed shim and sign official builds with Azure Key Vault
- Loading branch information
Showing
49 changed files
with
1,838 additions
and
190 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# Copyright (c) 2024 The Flatcar Maintainers. | ||
# Use of this source code is governed by a BSD-style license that can be | ||
# found in the LICENSE file. | ||
|
||
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then | ||
SBSIGN_KEY="/usr/share/sb_keys/shim.key" | ||
SBSIGN_CERT="/usr/share/sb_keys/shim.pem" | ||
else | ||
SBSIGN_KEY="pkcs11:token=flatcar-dev-cert" | ||
unset SBSIGN_CERT | ||
fi | ||
|
||
PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure_kms_pkcs11.so" | ||
|
||
PKCS11_ENV=( | ||
AZURE_KEYVAULT_URL="https://chewi-test.vault.azure.net/" | ||
PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}" | ||
AWS_KMS_PKCS11_DEBUG=1 | ||
) | ||
|
||
get_sbsign_cert() { | ||
if [[ ${SBSIGN_KEY} != pkcs11:* || -s ${SBSIGN_CERT-} ]]; then | ||
return | ||
fi | ||
|
||
SBSIGN_CERT=$(mktemp -t signing-cert.XXXXXXXXXX.pem) | ||
info "Fetching ${SBSIGN_KEY} from Azure" | ||
|
||
# Needs Key Vault Reader role. | ||
env "${PKCS11_ENV[@]}" p11-kit export-object \ | ||
--provider "${PKCS11_MODULE_PATH}" \ | ||
"${SBSIGN_KEY};type=cert" \ | ||
| tee "${SBSIGN_CERT}" | ||
} | ||
|
||
cleanup_sbsign_certs() { | ||
if [[ ${SBSIGN_CERT-} == "${TMPDIR-/tmp}"/* ]]; then | ||
rm -f -- "${SBSIGN_CERT}" | ||
fi | ||
} | ||
|
||
do_sbsign() { | ||
get_sbsign_cert | ||
info "Signing ${@:$#} with ${SBSIGN_KEY}" | ||
|
||
if [[ ${SBSIGN_KEY} == pkcs11:* ]]; then | ||
set -- --engine pkcs11 "${@}" | ||
fi | ||
|
||
# Needs Key Vault Crypto User role. | ||
sudo env "${PKCS11_ENV[@]}" sbsign \ | ||
--key "${SBSIGN_KEY}" \ | ||
--cert "${SBSIGN_CERT}" \ | ||
"${@}" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/Manifest
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
DIST azure-keyvault-pkcs11-0_p20240923.tar.gz 23626 BLAKE2B 54be12edd44c7bc59c58d11ad02632d2717a7d83b19ac8d5ac70cddd5e9c2db0a41b332e82cec0467494f934f75c7fc94c336f452bc5c77ad80cea591009bfe8 SHA512 470157d672c9eac35d0026b0c8413c056bd600fff300d64a3bf2d0e218bb9e09c677e649bbe221ad60b937116676218c25f764641a5f4c709c62d9f1336a3e68 |
32 changes: 32 additions & 0 deletions
32
...y/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20240923.ebuild
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
# Copyright 1999-2024 Gentoo Authors | ||
# Distributed under the terms of the GNU General Public License v2 | ||
|
||
EAPI=8 | ||
|
||
inherit cmake | ||
|
||
COMMIT="7b0ca93ad046adad807ac1a6e2c56ea87c7a78ec" | ||
DESCRIPTION="PKCS#11 module for Azure Key Vault" | ||
HOMEPAGE="https://github.com/jepio/azure_keyvault_pkcs11" | ||
SRC_URI="https://github.com/jepio/azure_keyvault_pkcs11/archive/${COMMIT}.tar.gz -> ${P}.tar.gz" | ||
S="${WORKDIR}/${PN}-${COMMIT}" | ||
LICENSE="MIT" | ||
SLOT="0" | ||
KEYWORDS="~amd64" | ||
|
||
# libcurl is only NEEDED because of the Azure SDK. | ||
RDEPEND=" | ||
dev-cpp/azure-core:= | ||
dev-cpp/azure-identity:= | ||
dev-cpp/azure-security-keyvault-certificates:= | ||
dev-cpp/azure-security-keyvault-keys:= | ||
dev-libs/json-c:= | ||
dev-libs/openssl:= | ||
" | ||
DEPEND=" | ||
${RDEPEND} | ||
app-crypt/p11-kit | ||
" | ||
BDEPEND=" | ||
virtual/pkgconfig | ||
" |
11 changes: 11 additions & 0 deletions
11
sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/metadata.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> | ||
<pkgmetadata> | ||
<maintainer type="person"> | ||
<email>[email protected]</email> | ||
<name>James Le Cuirot</name> | ||
</maintainer> | ||
<upstream> | ||
<remote-id type="github">jepio/azure_keyvault_pkcs11</remote-id> | ||
</upstream> | ||
</pkgmetadata> |
1 change: 0 additions & 1 deletion
1
sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest
This file was deleted.
Oops, something went wrong.
4 changes: 0 additions & 4 deletions
4
sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/README.md
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.