diff --git a/src/cmd-generate-release-meta b/src/cmd-generate-release-meta index 46e2c713d3..4742423422 100755 --- a/src/cmd-generate-release-meta +++ b/src/cmd-generate-release-meta @@ -222,7 +222,8 @@ def append_build(out, input_): if i is not None: ext = get_extension(i['path'], 'qemu-secex', arch) arch_dict["media"]["qemu"]["artifacts"][f"secex.{ext}"] = { - "disk": artifact(i) + "disk": artifact(i), + "ignition-gpg-key": url_builder(out.get('stream'), out.get('release'), arch, "ignition.gpg.pub") } # if architectures as a whole or the individual arch is empty just push our changes diff --git a/src/create_disk.sh b/src/create_disk.sh index 59ff3c8d83..59997232eb 100755 --- a/src/create_disk.sh +++ b/src/create_disk.sh @@ -461,6 +461,15 @@ chroot_run() { done } +generate_gpgkeys() { + tmp_home=$(mktemp -d /tmp/gpg-XXXXXX) + gpg --homedir "${tmp_home}" --batch --passphrase '' --yes --quick-gen-key secex default + gpg --homedir "${tmp_home}" --armor --export secex > "/srv/builds/latest/s390x/ignition.gpg.pub" + gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "/tmp/ignition.asc" + touch "$deploy_root/etc/ignition.asc" + rm -rf "${tmp_home}" +} + # Other arch-specific bootloader changes # shellcheck disable=SC2031 case "$arch" in @@ -495,13 +504,15 @@ s390x) # in case builder itself runs with SecureExecution rdcore_zipl_args+=("--secex-mode=disable") chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}" + else + generate_gpgkeys fi ;; esac # enable support for GRUB password # shellcheck disable=SC2031 -if "$arch" != "s390x"; then +if [ "$arch" != "s390x" ]; then ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""' fi 
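Review bot: The new `"ignition-gpg-key"` entry is a bare URL string, while the sibling `"disk"` entry goes through `artifact(i)`, so the public key is advertised with no digest or other integrity binding that a consumer fetching it from a mirror could verify (assuming `artifact()` is what attaches the sha256 to other entries — confirm). A client that downloads this key to encrypt its Ignition config is trusting the download channel completely; consider recording it like the other artifacts, e.g. `"ignition-gpg-key": {"location": url_builder(...), "sha256": <digest computed at build time>}`, or signing the key with the release key. Note also that the URL is emitted for whatever `arch` carries a qemu-secex artifact, whereas create_disk.sh writes the key to a fixed `/srv/builds/latest/s390x/ignition.gpg.pub`, and nothing here checks the file was actually produced for this build. `append_build` starts before and continues after this hunk.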
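Review bot: `gpg ... --export-secret-key secex > "/tmp/ignition.asc"` writes a passphrase-less private key to a fixed, predictable path under the default umask, so it is normally created 0644 and readable by every user on the build host, and `generate_gpgkeys` never removes it. Pre-create the file with restrictive permissions before the redirect, `install -m 0600 /dev/null /tmp/ignition.asc`, and delete (ideally `shred -u`) it once zipl has consumed it. The temporary homedir is only removed on the success path; if either `gpg` call fails under `set -e` the directory holding the key stays in `/tmp`, so a `trap 'rm -rf "${tmp_home}"' EXIT` (or an explicit `|| { rm -rf "${tmp_home}"; return 1; }`) would be safer, and `tmp_home` should be `local`. The `/srv/builds/latest/s390x/` destination is also hard-coded while the rest of the script derives paths from variables; if that directory is absent the redirect fails with a less than obvious error.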
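Review bot: `generate_gpgkeys` now runs for every Secure Execution build (the enclosing `if` opens outside this hunk), but the only visible consumer of the exported private key is the `--append-file=/etc/ignition.asc` zipl call in the local-build branch further down, which the release build skips; on that path an unencrypted private key is left in `/tmp/ignition.asc` with nothing in this diff handing it to the later genprotimg step or deleting it. If a later stage does pick it up, a comment at the call site should say so, e.g. `# secret key lands in /tmp/ignition.asc; consumed by the zipl --append-file step (local build) or by <later step>`; if not, the call belongs under the same `virtio-genprotimg` check that consumes it, with the file removed afterwards.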
@@ -589,9 +600,11 @@ if [[ ${secure_execution} -eq 1 ]]; then
 if [ ! -e /dev/disk/by-id/virtio-genprotimg ]; then
 echo "Building local Secure Execution Image, running zipl and genprotimg"
 # run zipl with root hashes as kargs
+ mount -o ro,bind "/tmp/ignition.asc" "$deploy_root/etc/ignition.asc"
 rdcore_zipl_args+=("--secex-mode=enforce" "--hostkey=/dev/disk/by-id/virtio-hostkey")
 rdcore_zipl_args+=("--append-karg=rootfs.roothash=$(cat /tmp/root-roothash)")
 rdcore_zipl_args+=("--append-karg=bootfs.roothash=$(cat /tmp/boot-roothash)")
+ rdcore_zipl_args+=("--append-file=/etc/ignition.asc")
 chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
 else
 echo "Building release Secure Execution Image, zipl and genprotimg will be run later"
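Review bot: The `mount -o ro,bind "/tmp/ignition.asc" "$deploy_root/etc/ignition.asc"` is never undone after `chroot_run ... rdcore zipl`, so the plaintext private key remains visible inside the deployment root for everything that runs afterwards, and a later unmount of the image will fail or require `-R` while the bind mount is held. Add `umount "$deploy_root/etc/ignition.asc"` (followed by `rm -f /tmp/ignition.asc`) directly after the zipl call, or hook it into whatever cleanup path the script already has outside this hunk. The `else` branch says zipl and genprotimg run later for release images but receives no key, so presumably that later step reads `/tmp/ignition.asc` itself — worth a comment here confirming where it is consumed. The surrounding `if [[ ${secure_execution} -eq 1 ]]` block closes outside the hunk.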