From e6b2559c593b6c840d9d03397d540ea4ba22ebae Mon Sep 17 00:00:00 2001
From: m2 <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:44:23 -0400
Subject: [PATCH 1/7] fix(ci): Explicitly remove unsigned kernel packages
---
install.sh | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/install.sh b/install.sh
index 0ff07464..88e2bc20 100755
--- a/install.sh
+++ b/install.sh
@@ -21,13 +21,26 @@ find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs
rpm-ostree cliwrap install-to-root /
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
- tmpdir="$(mktemp -d)"
- rpm2cpio "$RPMS_DIR"/kernel/kernel-core-*.rpm | ( cd "$tmpdir"; cpio -idmv )
+ rpm-ostree override remove \
+ --install=zstd kernel \
+ kernel-core \
+ kernel-modules \
+ kernel-modules-core \
+ kernel-modules-extra
+ rpm-ostree override replace \
+ --experimental \
+ "$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
+ "$RPMS_DIR"/kernel/kernel-core-*.rpm \
+ "$RPMS_DIR"/kernel/kernel-modules-*.rpm \
+ --remove=kernel-debug-core \
+ --remove=kernel-debug-modules-core
cp "$tmpdir"/lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
else
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
rpm-ostree override replace \
--experimental \
+ --install=zstd "$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
"$RPMS_DIR"/kernel/kernel-core-*.rpm \
"$RPMS_DIR"/kernel/kernel-modules-*.rpm
From d05e67a2a8d253a963bceb15d848f687e10023de Mon Sep 17 00:00:00 2001
From: m2 <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:49:51 -0400
Subject: [PATCH 2/7] missing \
---
install.sh | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/install.sh b/install.sh
index 88e2bc20..7590e887 100755
--- a/install.sh
+++ b/install.sh
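Review bot: Neither the new `rpm-ostree override remove` nor the `rpm-ostree override replace` that follows it has any failure handling, so unless the script runs under `set -euo pipefail` (its header is outside this hunk) a failed `override remove` leaves the base image's kernel packages in place while the build continues, and the only thing that would notice is a later CI check, if one exists. Confirm the script already sets `-e`, or guard the two calls explicitly, e.g. `rpm-ostree override remove ... || exit 1`, so an image with the distro kernel still layered is never produced. The `if` block's closing `fi` is outside this hunk.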
@@ -22,7 +22,7 @@ rpm-ostree cliwrap install-to-root /
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
rpm-ostree override remove \
- --install=zstd
+ --install=zstd \
kernel \
kernel-core \
kernel-modules \
@@ -35,12 +35,11 @@ if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
"$RPMS_DIR"/kernel/kernel-modules-*.rpm \
--remove=kernel-debug-core \
--remove=kernel-debug-modules-core
- cp "$tmpdir"/lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
else
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
rpm-ostree override replace \
--experimental \
- --install=zstd
+ --install=zstd \
"$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
"$RPMS_DIR"/kernel/kernel-core-*.rpm \
"$RPMS_DIR"/kernel/kernel-modules-*.rpm
From 5e43cc8658f6a80a82d2c1312ce5a338ccf6f73a Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 13:10:11 -0400
Subject: [PATCH 3/7] include secureboot check
---
.github/workflows/reusable-build.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index a40aaae8..1ebc40bc 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -230,6 +230,7 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
oci: false
+<<<<<<< HEAD
# - name: Secureboot Signature Confirmation
# id: secureboot_confirm
# shell: bash
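Review bot: The signed-kernel branch now differs from the `else` branch only by the up-front `rpm-ostree override remove` of the base kernel packages and the two `--remove=kernel-debug-*` flags, and nothing in the script says why that is required; the rationale lives only in the subject of PATCH 1/7. A one-line comment above `rpm-ostree override remove \` would keep the next maintainer from "simplifying" it away, e.g. `# Explicitly drop the base image's (unsigned) kernel packages before layering the signed kernel-cache build.` The `else` branch's closing `fi` is outside the second hunk.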
@@ -243,6 +244,27 @@ jobs:
# sbverify --list /tmp/extracted-kernel
# sbverify --cert /tmp/kernel-signing.crt /tmp/extracted-kernel || exit 1
# sbverify --cert /tmp/akmods-signing.crt /tmp/extracted-kernel || exit 1
+=======
+ - name: Check Secureboot
+ if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request'
+ shell: bash
+ run: |
+ set -x
+ if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
+ sudo apt update
+ sudo apt install sbsigntool curl openssl
+ fi
+ podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
+ podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz .
+ podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
+ sbverify --list vmlinuz
+ curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
+ curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
+ openssl x509 -in kernel-sign.der -out kernel-sign.crt
+ openssl x509 -in akmods.der -out akmods.crt
+ sbverify --cert kernel-sign.crt vmlinuz || exit 1
+ sbverify --cert akmods.crt vmlinuz || exit 1
+>>>>>>> 9883a39 (include secureboot check)
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
From d20fc93933dc9bbf34ea68b82a35a87ad3937ce4 Mon Sep 17 00:00:00 2001
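Review bot: The trust anchor for this check is fetched at verification time from the `main` branch of `ublue-os/kernel-cache`, so anyone who can push to that branch can swap `public_key.der` for their own and the two `sbverify --cert ... || exit 1` lines keep passing against a kernel signed with any key they like; the step then only proves the vmlinuz matches whatever that repository currently publishes, not that it was signed by the expected key. Vendor the two DER files into this repository (or fetch them from a pinned commit rather than `raw/main`) and add `--fail` to the `curl` calls so a 404 body cannot be written into `kernel-sign.der` and only caught downstream by `openssl x509`. Separately, `sudo apt install sbsigntool curl openssl` has lost the `-y` that the commented-out version of this step used, which can abort on the confirmation prompt on a fresh runner, and `podman create` plus `podman cp` would extract `vmlinuz` without actually starting the image with `sleep 1000`.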
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 13:13:11 -0400
Subject: [PATCH 4/7] remove if statement
---
.github/workflows/reusable-build.yml | 17 -----------------
1 file changed, 17 deletions(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 1ebc40bc..23dde70b 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -230,23 +230,7 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
oci: false
-<<<<<<< HEAD
- # - name: Secureboot Signature Confirmation
- # id: secureboot_confirm
- # shell: bash
- # run: |
- # sudo apt-get update && sudo apt-get install -y sbsigntool curl openssl
- # curl -Lo /tmp/kernel-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
- # curl -Lo /tmp/akmods-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
- # openssl x509 -in /tmp/kernel-signing.der -out /tmp/kernel-signing.crt
- # openssl x509 -in /tmp/akmods-signing.der -out /tmp/akmods-signing.crt
- # /usr/bin/podman run --rm --entrypoint /bin/bash "${{ steps.build_image.outputs.image }}":"$(echo '${{ steps.build_image.outputs.tags }}' | cut -d ' ' -f 1)" -c "cat /usr/lib/modules/*/vmlinuz" > /tmp/extracted-kernel
- # sbverify --list /tmp/extracted-kernel
- # sbverify --cert /tmp/kernel-signing.crt /tmp/extracted-kernel || exit 1
- # sbverify --cert /tmp/akmods-signing.crt /tmp/extracted-kernel || exit 1
-=======
- name: Check Secureboot
- if: github.event_name == 'pull_request' && ( matrix.image_flavor == 'main' || matrix.image_flavor == 'nvidia' ) || github.event_name != 'pull_request'
shell: bash
run: |
set -x
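Review bot: Dropping the `if:` makes the Secureboot check run for every matrix entry, which is the safer default, but the step's `run:` script (continuing beyond this hunk) still splices `${{ steps.generate-tags.outputs.alias_tags }}` and `${{ env.IMAGE_NAME }}` straight into shell text, four times over; GitHub's own guidance is to hand expression values to the script through an `env:` map so the shell never parses them as code. Doing that would also let the first tag be computed once, e.g. `env: { ALIAS_TAGS: "${{ steps.generate-tags.outputs.alias_tags }}" }` and then `tag="${ALIAS_TAGS%% *}"` in place of the repeated `cut -d " " -f 1` pipelines. The values here look repository-controlled, so this is hygiene rather than a live injection, but a step whose whole purpose is a security gate is the right place for it.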
@@ -264,7 +248,6 @@ jobs:
openssl x509 -in akmods.der -out akmods.crt
sbverify --cert kernel-sign.crt vmlinuz || exit 1
sbverify --cert akmods.crt vmlinuz || exit 1
->>>>>>> 9883a39 (include secureboot check)
# Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
# https://github.com/macbre/push-to-ghcr/issues/12
From bfc595c7cfb8c99993381210abc8ea5d4de28153 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 13:27:23 -0400
Subject: [PATCH 5/7] add /dev/kmsg
---
.github/workflows/reusable-build.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 23dde70b..3c02e142 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -202,6 +202,7 @@ jobs:
--security-opt=label=disable \
--security-opt=seccomp=unconfined \
--device=/dev/fuse:rw \
+ --device=/dev/kmsg:rw \
-v /home/runner:/home/runner \
-v "$GRAPH_ROOT":/var/lib/containers/storage \
-v "$(pwd):"/builder \
From b1bec695ae135ac17ad6c93b49dcce17940a3ad2 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:12:02 -0400
Subject: [PATCH 6/7] use rpm directly to replace kernel
---
.github/workflows/reusable-build.yml | 1 -
install.sh | 15 +++------------
2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 3c02e142..23dde70b 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -202,7 +202,6 @@ jobs:
--security-opt=label=disable \
--security-opt=seccomp=unconfined \
--device=/dev/fuse:rw \
- --device=/dev/kmsg:rw \
-v /home/runner:/home/runner \
-v "$GRAPH_ROOT":/var/lib/containers/storage \
-v "$(pwd):"/builder \
diff --git a/install.sh b/install.sh
index 7590e887..556519ba 100755
--- a/install.sh
+++ b/install.sh
@@ -21,20 +21,11 @@ find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs
rpm-ostree cliwrap install-to-root /
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
- rpm-ostree override remove \
- --install=zstd \
- kernel \
- kernel-core \
- kernel-modules \
- kernel-modules-core \
- kernel-modules-extra
- rpm-ostree override replace \
- --experimental \
+ rpm-ostree install zstd
+ rpm --install --replacefiles --replacepkgs \
"$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
"$RPMS_DIR"/kernel/kernel-core-*.rpm \
- "$RPMS_DIR"/kernel/kernel-modules-*.rpm \
- --remove=kernel-debug-core \
- --remove=kernel-debug-modules-core
+ "$RPMS_DIR"/kernel/kernel-modules-*.rpm
else
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
rpm-ostree override replace \
From 1c71bb9db0ad00e8cec2fc7d4f894dea275b1110 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:20:05 -0400
Subject: [PATCH 7/7] go back to rpm-ostree
---
install.sh | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/install.sh b/install.sh
index 556519ba..7590e887 100755
--- a/install.sh
+++ b/install.sh
@@ -21,11 +21,20 @@ find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs
rpm-ostree cliwrap install-to-root /
if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
echo "Installing signed kernel from kernel-cache."
- rpm-ostree install zstd
- rpm --install --replacefiles --replacepkgs \
+ rpm-ostree override remove \
+ --install=zstd \
+ kernel \
+ kernel-core \
+ kernel-modules \
+ kernel-modules-core \
+ kernel-modules-extra
+ rpm-ostree override replace \
+ --experimental \
"$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
"$RPMS_DIR"/kernel/kernel-core-*.rpm \
- "$RPMS_DIR"/kernel/kernel-modules-*.rpm
+ "$RPMS_DIR"/kernel/kernel-modules-*.rpm \
+ --remove=kernel-debug-core \
+ --remove=kernel-debug-modules-core
else
echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
rpm-ostree override replace \
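Review bot: The branch that prints "Installing signed kernel from kernel-cache." never checks that the kernel it installs is actually signed: `rpm-ostree override replace` on local `.rpm` paths installs whatever files happen to be in `$RPMS_DIR/kernel`, so the secure-boot property rests entirely on how that directory was populated (outside this hunk) and on a CI-side `sbverify` after the image is built. If sbsigntools is available in the build container, a fail-fast check right after the replace, with the kernel-cache signing certificate shipped in the build context, e.g. `sbverify --cert "$KERNEL_SIGN_CERT" /usr/lib/modules/*/vmlinuz || exit 1`, would reject an unsigned or wrongly signed kernel before any image exists; otherwise at least verify the RPMs' signatures or checksums before passing them to `override replace`. The `if` block's closing `fi` and the script's `set` options are outside this hunk.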