
s390x: generate GPG keys for Ignition config protection
During `cosa buildextend-secex` a pair of GPG keys is randomly generated,
where private key becomes part of `sdboot` image, and public key becomes
part of build artifacts.

The user can then encrypt their Ignition config:
```
gpg --recipient-file /path/to/ignition.gpg.pub --output /path/to/config.ign.gpg --armor --encrypt /path/to/config.ign
```

And attach it to `qemu-kvm` as a disk:
```
-drive if=none,id=ignition,format=raw,file=/path/to/config.ign.gpg,readonly=on \
-device virtio-blk,serial=ignition.gpg,iommu_platform=on,drive=ignition
```
nikita-dubrovskii committed Oct 27, 2022
1 parent 6c9bae1 commit 4addcbc
Showing 2 changed files with 16 additions and 2 deletions.
3 changes: 2 additions & 1 deletion src/cmd-generate-release-meta
Expand Up @@ -222,7 +222,8 @@ def append_build(out, input_):
if i is not None:
ext = get_extension(i['path'], 'qemu-secex', arch)
arch_dict["media"]["qemu"]["artifacts"][f"secex.{ext}"] = {
"disk": artifact(i)
"disk": artifact(i),
"ignition-gpg-key": url_builder(out.get('stream'), out.get('release'), arch, "ignition.gpg.pub")
}

# if architectures as a whole or the individual arch is empty just push our changes
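Review bot: The new `"ignition-gpg-key"` entry is a bare URL from url_builder, while the sibling `"disk"` entry goes through artifact(i); if artifact() records integrity fields such as a sha256 (it usually does in this metadata, but that is outside the hunk), consumers get no way to verify the downloaded public key from release metadata, which is the trust anchor for config encryption. The URL is also emitted unconditionally whenever a qemu-secex artifact exists, with no check that `ignition.gpg.pub` was actually produced for this build; consider deriving it from the build's meta.json the way the disk is, or at least documenting the assumption: `# ignition.gpg.pub is written by create_disk.sh next to the secex disk; URL only, no checksum`. The line also exceeds the file's usual width and would read better split after `out.get('release'),`. append_build continues outside the hunk.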
15 changes: 14 additions & 1 deletion src/create_disk.sh
Expand Up @@ -461,6 +461,15 @@ chroot_run() {
done
}

generate_gpgkeys() {
tmp_home=$(mktemp -d /tmp/gpg-XXXXXX)
gpg --homedir "${tmp_home}" --batch --passphrase '' --yes --quick-gen-key secex default
gpg --homedir "${tmp_home}" --armor --export secex > "/srv/builds/latest/s390x/ignition.gpg.pub"
gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "/tmp/ignition.asc"
touch "$deploy_root/etc/ignition.asc"
rm -rf "${tmp_home}"
}

# Other arch-specific bootloader changes
# shellcheck disable=SC2031
case "$arch" in
Expand Down Expand Up @@ -495,13 +504,15 @@ s390x)
# in case builder itself runs with SecureExecution
rdcore_zipl_args+=("--secex-mode=disable")
chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
else
generate_gpgkeys
fi
;;
esac

# enable support for GRUB password
# shellcheck disable=SC2031
if "$arch" != "s390x"; then
if [ "$arch" != "s390x" ]; then
ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
fi

Expand Down Expand Up @@ -589,9 +600,11 @@ if [[ ${secure_execution} -eq 1 ]]; then
if [ ! -e /dev/disk/by-id/virtio-genprotimg ]; then
echo "Building local Secure Execution Image, running zipl and genprotimg"
# run zipl with root hashes as kargs
mount -o ro,bind "/tmp/ignition.asc" "$deploy_root/etc/ignition.asc"
rdcore_zipl_args+=("--secex-mode=enforce" "--hostkey=/dev/disk/by-id/virtio-hostkey")
rdcore_zipl_args+=("--append-karg=rootfs.roothash=$(cat /tmp/root-roothash)")
rdcore_zipl_args+=("--append-karg=bootfs.roothash=$(cat /tmp/boot-roothash)")
rdcore_zipl_args+=("--append-file=/etc/ignition.asc")
chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
else
echo "Building release Secure Execution Image, zipl and genprotimg will be run later"
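Review bot: generate_gpgkeys exports the passphrase-less secret key (`--passphrase ''`) to the fixed path `/tmp/ignition.asc` with whatever umask the build runs under, so the key material can end up world-readable in a shared /tmp, and it is left there after the function returns because the last hunk later bind-mounts it into `$deploy_root/etc/ignition.asc`. `tmp_home` is also not `local` and the `mktemp -d` result is used without checking it, so a failed mktemp would run gpg against an empty `--homedir`; the public-key destination hardcodes `/srv/builds/latest/s390x`, which works only because the function is reached solely from the s390x case arm. Suggest declaring the variable local, failing fast on each step, and creating the secret-key file under `umask 077`; I also don't see a matching `umount` for the bind mount in the last hunk, so confirm it is released before the image is finalized (that function's tail is outside the hunk).

```shell
generate_gpgkeys() {
    local tmp_home
    tmp_home=$(mktemp -d /tmp/gpg-XXXXXX) || return 1
    gpg --homedir "${tmp_home}" --batch --passphrase '' --yes --quick-gen-key secex default || return 1
    gpg --homedir "${tmp_home}" --armor --export secex > "/srv/builds/latest/s390x/ignition.gpg.pub" || return 1
    # Unprotected secret key: make sure the file is created owner-only while it lives in /tmp
    rm -f -- /tmp/ignition.asc
    ( umask 077 && gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "/tmp/ignition.asc" ) || return 1
    touch "$deploy_root/etc/ignition.asc"
    rm -rf "${tmp_home}"
}
```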
