diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index a40aaae8..23dde70b 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -230,19 +230,24 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 oci: false
- # - name: Secureboot Signature Confirmation
- # id: secureboot_confirm
- # shell: bash
- # run: |
- # sudo apt-get update && sudo apt-get install -y sbsigntool curl openssl
- # curl -Lo /tmp/kernel-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
- # curl -Lo /tmp/akmods-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
- # openssl x509 -in /tmp/kernel-signing.der -out /tmp/kernel-signing.crt
- # openssl x509 -in /tmp/akmods-signing.der -out /tmp/akmods-signing.crt
- # /usr/bin/podman run --rm --entrypoint /bin/bash "${{ steps.build_image.outputs.image }}":"$(echo '${{ steps.build_image.outputs.tags }}' | cut -d ' ' -f 1)" -c "cat /usr/lib/modules/*/vmlinuz" > /tmp/extracted-kernel
- # sbverify --list /tmp/extracted-kernel
- # sbverify --cert /tmp/kernel-signing.crt /tmp/extracted-kernel || exit 1
- # sbverify --cert /tmp/akmods-signing.crt /tmp/extracted-kernel || exit 1
+ - name: Check Secureboot
+ shell: bash
+ run: |
+ set -x
+ if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
+ sudo apt update
+ sudo apt install sbsigntool curl openssl
+ fi
+ podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
+ podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz .
+ podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
+ sbverify --list vmlinuz
+ curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
+ curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
+ openssl x509 -in kernel-sign.der -out kernel-sign.crt
+ openssl x509 -in akmods.der -out akmods.crt
+ sbverify --cert kernel-sign.crt vmlinuz || exit 1
+ sbverify --cert akmods.crt vmlinuz || exit 1
 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
 # https://github.com/macbre/push-to-ghcr/issues/12
diff --git a/install.sh b/install.sh
index 0ff07464..7590e887 100755
--- a/install.sh
+++ b/install.sh
@@ -21,13 +21,25 @@ find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs rpm-ostree cliwrap install-to-root /
 if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
 echo "Installing signed kernel from kernel-cache."
- tmpdir="$(mktemp -d)"
- rpm2cpio "$RPMS_DIR"/kernel/kernel-core-*.rpm | ( cd "$tmpdir"; cpio -idmv )
- cp "$tmpdir"/lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
+ rpm-ostree override remove \
+ --install=zstd \
+ kernel \
+ kernel-core \
+ kernel-modules \
+ kernel-modules-core \
+ kernel-modules-extra
+ rpm-ostree override replace \
+ --experimental \
+ "$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
+ "$RPMS_DIR"/kernel/kernel-core-*.rpm \
+ "$RPMS_DIR"/kernel/kernel-modules-*.rpm \
+ --remove=kernel-debug-core \
+ --remove=kernel-debug-modules-core
 else
 echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
 rpm-ostree override replace \
 --experimental \
+ --install=zstd \
 "$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
 "$RPMS_DIR"/kernel/kernel-core-*.rpm \
 "$RPMS_DIR"/kernel/kernel-modules-*.rpm
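Review bot: The two signing certificates the new step trusts are fetched from a mutable raw GitHub URL (`curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der` and the akmods line) with no integrity check, so `sbverify --cert` only confirms the kernel matches whatever key that branch serves at build time, not a key this repository has decided to trust; vendoring the two `.der` files in the repo, or checking a pinned digest with `sha256sum -c` before the `openssl x509` conversion, would fix the trust anchor. Separately, `sudo apt install sbsigntool curl openssl` drops the `-y` that the removed step had; on a non-interactive runner apt aborts at its confirmation prompt whenever the install pulls in extra packages, so use `sudo apt-get install -y sbsigntool curl openssl`. The `${{ env.IMAGE_NAME }}`, `${{ steps.generate-tags.outputs.alias_tags }}` and `${{ env.kernel_release }}` expressions are interpolated directly into the shell script; if any of them can derive from caller-supplied input to this reusable workflow they are a script-injection path, and the usual hardening is to pass them through the step's `env:` and reference them as `"$IMAGE_NAME"`-style shell variables. The job's steps list continues outside the hunk.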
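Review bot: The signed-kernel branch now passes `--remove=kernel-debug-core` and `--remove=kernel-debug-modules-core` to `rpm-ostree override replace`, but the `else` branch, which replaces the same kernel packages from the same `$RPMS_DIR`, does not; if the debug variants are present in the base image in one case they are presumably present in the other, so either both branches should drop them or the difference deserves a comment. The two branches are now near-duplicates (the same `override replace --experimental` with the same three globs), so the shared invocation could be factored into one call with the branch-specific flags collected in an array. Neither branch checks the local RPMs before handing them to rpm-ostree, which as far as I can tell does not GPG-verify local files; if the kernel-cache RPMs are signed, an `rpm -K` / `rpmkeys --checksig` against the expected key before `override replace` would tie the install to a key rather than to the fetch path. The `if` closes outside the hunk.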