From ae5dd0ed84dabaa3949b2c8b10cf843606189a77 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Sat, 21 Dec 2024 01:26:16 +0000 Subject: [PATCH] add validate secureboot steps --- .github/workflows/build-kinoite-40.yml | 1 + .github/workflows/reusable-build.yml | 45 ++++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-kinoite-40.yml b/.github/workflows/build-kinoite-40.yml index 6aa3fdce..5468c498 100644 --- a/.github/workflows/build-kinoite-40.yml +++ b/.github/workflows/build-kinoite-40.yml @@ -23,3 +23,4 @@ jobs: platforms: amd64, arm64 build-args: ${{ needs.generate_metadata.outputs.build-args }} tags: ${{ needs.generate_metadata.outputs.tags }} + validate-secureboot: true diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 75dcabc2..b7d693c7 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -23,6 +23,10 @@ on: description: "The build arguments to pass to the build" required: false type: string + validate-secureboot: + description: "Whether to validate secureboot" + required: false + type: boolean outputs: manifest-digest: description: "The digest of the remote manifest" @@ -38,7 +42,7 @@ jobs: outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - - name: Set matrix + - name: Set Matrix id: set-matrix env: PLATFORMS: ${{ inputs.platforms }} @@ -86,6 +90,29 @@ jobs: echo "IMAGE_DIGEST=${IMAGE_DIGEST}" >> $GITHUB_OUTPUT + - name: Check Secureboot + if: ${{ inputs.validate-secureboot }} + env: + IMAGE_NAME: ${{ inputs.image-name }} + IMAGE_DIGEST: ${{ steps.build-image.outputs.IMAGE_DIGEST }} + run: | + set -euxo pipefail + + if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then + sudo apt update + sudo apt install sbsigntool curl openssl + fi + podman run -d --rm --name ${IMAGE_NAME} ${IMAGE_REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST} sleep 1000 + podman cp ${IMAGE_NAME}:/usr/lib/modules/*/vmlinuz . + podman rm -f ${IMAGE_NAME} + sbverify --list vmlinuz + curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der + curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der + openssl x509 -in kernel-sign.der -out kernel-sign.crt + openssl x509 -in akmods.der -out akmods.crt + sbverify --cert kernel-sign.crt vmlinuz || exit 1 + sbverify --cert akmods.crt vmlinuz || exit 1 + - name: Push Image id: push-image env: @@ -183,7 +210,7 @@ jobs: - name: Login to GHCR run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - name: Push manifest + - name: Push Manifest id: push-manifest env: TAGS: ${{ inputs.tags }} @@ -198,3 +225,17 @@ jobs: echo "dummy-digest" > /tmp/digestfile echo "DIGEST=$(cat /tmp/digestfile)" >> $GITHUB_OUTPUT + + - name: Setup Cosign + if: false + uses: sigstore/cosign-installer@v3.7.0 + + - name: Sign Image + if: false + env: + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + IMAGE_REGISTRY: ${{ inputs.image-registry }} + IMAGE_NAME: ${{ inputs.image-name }} + DIGEST: ${{ steps.push-manifest.outputs.DIGEST }} + run: | + cosign sign -y --key env://COSIGN_PRIVATE_KEY ${IMAGE_REGISTRY}/${IMAGE_NAME}:${DIGEST}