From: Luca Boccassi
Date: Tue, 25 Feb 2025 14:04:22 +0000 (+0000)
Subject: mkosi-obs: rearrange second stage so that only unsigned hashes are staged for third
X-Git-Tag: v26~349^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36a10172a2991a628a149c23ec07d91c18df9130;p=thirdparty%2Fmkosi.git

mkosi-obs: rearrange second stage so that only unsigned hashes are staged for third

Create cpio for next stage at the very end, after all signed hashes have been handled and removed, to avoid resigning already signed files
---
diff --git a/mkosi/resources/mkosi-obs/mkosi.build b/mkosi/resources/mkosi-obs/mkosi.build
index 447fef12c..b4e71d759 100755
--- a/mkosi/resources/mkosi-obs/mkosi.build
+++ b/mkosi/resources/mkosi-obs/mkosi.build
@@ -90,7 +90,7 @@ while read -r SIG; do
 done < <(find hashes/ukis hashes/kernels -type f \( -name '*efi.sig' -o -name 'vmlinu*.sig' \) -printf '%P\n')
 rm -rf "$OUTPUTDIR"/*.sig hashes/ukis
 
-# If there are signed bootloaders, install them in the ESP
+# Second step: if there are signed bootloaders, install them in the ESP
 while read -r BOOTLOADER; do
 unsigned="$(basename "${BOOTLOADER%.sig}")"
 signed="$(basename "${BOOTLOADER%.sig}".signed)"
@@ -135,7 +135,7 @@ done < <(find "hashes/bootloaders/$(basename "$ddi")/" -type f -iname '*.efi.sig
 rm -rf hashes/bootloaders
 rm -rf nss-db
 
-# Second step: if there are PCR policy signatures, rebuild the JSON
+# Third step: if there are PCR policy signatures, rebuild the JSON
 # blobs with the attached signatures
 while read -r SIG; do
 uki="$OUTPUTDIR/$(basename "$(dirname "${SIG%.sig}")")"
@@ -165,7 +165,7 @@ rm -rf hashes/pcrs
 mkdir -p "$nss_db"
 certutil -N -d sql:"$nss_db" --empty-password
 
-# Third step: now that the JSON blob is rebuilt, merge it in the UKI
+# Fourth step: now that the JSON blob is rebuilt, merge it in the UKI
 while read -r PCRS; do
 uki="${PCRS%.pcrs.sig}.efi"
 ukify --json=short --pcrsig "@$PCRS" --join-pcrsig "$uki" --output "$uki.attached" build
@@ -175,17 +175,6 @@ while read -r PCRS; do
 done < <(find "$OUTPUTDIR" -type f -name '*.pcrs.sig')
 rm -f "$OUTPUTDIR"/*.pcrs*
 
-# Fourth step: take hash of the UKIs after the signed JSON blobs have been merged
-# and prepare for the next iteration
-if [ -d hashes/ukis ]; then
- pushd hashes
- find . -type f | cpio -H newc -o >"$OUTPUTDIR/hashes.cpio.rsasign"
- popd
- cp /usr/src/packages/SOURCES/mkosi.conf "$OUTPUTDIR"
- echo "Staging the following files for signing:"
- cpio -t <"$OUTPUTDIR/hashes.cpio.rsasign"
-fi
-
 # Fifth step: finalize any DDI by attaching the verity roothash signatures
 while read -r SIG; do
 test -f "/usr/src/packages/SOURCES/$(basename "${SIG%roothash.sig}repart.tar")" || continue
@@ -279,4 +268,15 @@ if (( ${#AUTHVARS[@]} > 0 )); then
 fi
 rm -rf hashes/authvars
 
+# Final step: if there are any hashes staged, prepare for the next stage
+rmdir --ignore-fail-on-non-empty hashes
+if [ -d hashes ]; then
+ pushd hashes
+ find . -type f | cpio -H newc -o >"$OUTPUTDIR/hashes.cpio.rsasign"
+ popd
+ cp /usr/src/packages/SOURCES/mkosi.conf "$OUTPUTDIR"
+ echo "Staging the following files for signing:"
+ cpio -t <"$OUTPUTDIR/hashes.cpio.rsasign"
+fi
+
 rm -rf hashes "$nss_db"
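Review bot: `rmdir --ignore-fail-on-non-empty hashes` in the final-step hunk still exits non-zero when `hashes` does not exist at all (that option only masks the not-empty failure), so if this script runs under `set -e` — not visible in the hunk — a stage in which nothing was staged would abort here instead of skipping the cpio; guard it as `[ ! -d hashes ] || rmdir --ignore-fail-on-non-empty hashes`. The `[ -d hashes ]` test that follows also only shows the directory survived, not that it holds files: an empty subdirectory left behind by an earlier step keeps `hashes` non-empty, and `find . -type f | cpio` then stages an empty archive and triggers a needless extra signing round. Testing for actual files, `if [ -d hashes ] && [ -n "$(find hashes -type f -print -quit)" ]; then`, makes the "only unsigned hashes are staged" intent from the commit message explicit in the code.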