From ff1e963b264919904c10d679c1464363cb25d4e0 Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Sun, 6 Oct 2024 18:50:13 +0200 Subject: [PATCH 1/4] WIP: a bit about why HSMs are important Signed-off-by: Kamil Aronowski --- docs/submitting.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/submitting.md b/docs/submitting.md index 7421cafa..a7a75958 100644 --- a/docs/submitting.md +++ b/docs/submitting.md @@ -109,9 +109,19 @@ There are strong recommendations on the types of certificates that should be used in shim, and also on how keys should be managed for security. See the 12th bullet in [Microsoft UEFI Signing Requirements](https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916) -for tips on this, and also some sugested schems for key and certificate +for tips on this, and also some suggested schems for key and certificate management. +The recommendation of using HSMs is worth mentioning here in particular. To +ensure reasonable security, the keys should be generated directly in your HSM +and the private part should never leave it. All the signing shall be done by +delegating the cryptographic operations to your HSM in order to prevent a +malicious actor from copying the private part. +When asked about the security strategy used for the protection of your keys, +and you indeed do use an HSM, tell us the story of setting up your signing +infrastructure - showcase us, with utter pride, how prioritized the signing +security is in your organization! + ### 3.3 Reproducible build Reviewers will need to validate that they can reproduce your shim From a9784e392bed2185843a5f8d533a273dc1d52043 Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Mon, 21 Oct 2024 19:09:46 +0200 Subject: [PATCH 2/4] Add proposal for HSM Hardware Compatibility List venue Showcasing, how important HSMs are, might be realized as a community-backed venue for helping out setting these, especially when workarounds are needed for some of the problematic tokens. Add an example entry meant to be run in a test environment and link to it in the docs. Signed-off-by: Kamil Aronowski --- docs/submitting.md | 3 +- hcl/README.md | 5 ++ hcl/softhsm-fc38-rocky9/README.md | 13 ++++ hcl/softhsm-fc38-rocky9/Vagrantfile | 13 ++++ .../files/rocky-9-softhsm-x86_64.cfg | 6 ++ .../files/rocky-9-softhsm.tpl | 77 ++++++++++++++++++ hcl/softhsm-fc38-rocky9/files/softhsm-node.sh | 78 +++++++++++++++++++ 7 files changed, 194 insertions(+), 1 deletion(-) create mode 100644 hcl/README.md create mode 100644 hcl/softhsm-fc38-rocky9/README.md create mode 100644 hcl/softhsm-fc38-rocky9/Vagrantfile create mode 100644 hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg create mode 100644 hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl create mode 100644 hcl/softhsm-fc38-rocky9/files/softhsm-node.sh diff --git a/docs/submitting.md b/docs/submitting.md index a7a75958..bbcf4692 100644 --- a/docs/submitting.md +++ b/docs/submitting.md @@ -120,7 +120,8 @@ malicious actor from copying the private part. When asked about the security strategy used for the protection of your keys, and you indeed do use an HSM, tell us the story of setting up your signing infrastructure - showcase us, with utter pride, how prioritized the signing -security is in your organization! +security is in your organization! +If possible, help the community by submitting an HCL (Hardware Compatibility List) entry, presenting what HSM you use, and what processes have been performed to make it work inside your infrastructure - see the [`hcl` directory](../hcl) for existing submissions. ### 3.3 Reproducible build diff --git a/hcl/README.md b/hcl/README.md new file mode 100644 index 00000000..b1b58a3a --- /dev/null +++ b/hcl/README.md @@ -0,0 +1,5 @@ +# HSM Hardware Compatibility List + +This directory is meant to be a community-backed registry of HSMs proven to work well for signing bootloader components, along with the infrastructure setup workarounds that are required for certain problematic tokens. + +This venue is **not** meant to act as any form of endorsement or advertisement for the aforementioned tokens and their vendors. diff --git a/hcl/softhsm-fc38-rocky9/README.md b/hcl/softhsm-fc38-rocky9/README.md new file mode 100644 index 00000000..71c7df9d --- /dev/null +++ b/hcl/softhsm-fc38-rocky9/README.md @@ -0,0 +1,13 @@ +# shim-review HCL demo submission - SoftHSM + +This is a demonstration of an HCL submission where SoftHSM is used on a Fedora 38 machine to build and sign Rocky Linux 9 bootloader components (GRUB2 only to keep it more simple), with pesign running in client-server mode in a mock environment. + +It's purpose is to showcase, what kind of assumptions need to be met, what package versions (shipped by their respective vendors) have been used and what workarounds were needed to make the token work well, e.g. disabling SELinux, changing file permissions, generating test certificates, among others. + +Naturally this is just a demonstration meant to be run in a laboratory/test environment to grasp the ideas in an easy-to-follow way. Hence why certain simplifications have been made, like generating keys and certificates outside a token, or how that token can be easily copied and provides no hardware protection. When submitting your own HCL entry, showcase the community the power of your hardware token's security! + +Run the test environment: + +``` +$ vagrant destroy -f ; vagrant up --provision ; sleep 60 ; vagrant up --provision +``` diff --git a/hcl/softhsm-fc38-rocky9/Vagrantfile b/hcl/softhsm-fc38-rocky9/Vagrantfile new file mode 100644 index 00000000..94194bbd --- /dev/null +++ b/hcl/softhsm-fc38-rocky9/Vagrantfile @@ -0,0 +1,13 @@ +Vagrant.configure("2") do |config| + config.vm.box = "fedora/38-cloud-base" + config.vm.box_version = "38.20230413.1" + + ["virtualbox", "libvirt"].each do |provider| + config.vm.provider provider do |v| + v.memory = 4096 + v.cpus = 2 + end + end + + config.vm.provision "shell", inline: "cd /vagrant/files/ && bash ./softhsm-node.sh" +end diff --git a/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg b/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg new file mode 100644 index 00000000..f173ed9c --- /dev/null +++ b/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg @@ -0,0 +1,6 @@ +include('templates/rocky-9-softhsm.tpl') + +config_opts['root'] = 'rocky-9-softhsm-x86_64' +config_opts['description'] = 'Rocky Linux 9' +config_opts['target_arch'] = 'x86_64' +config_opts['legal_host_arches'] = ('x86_64',) \ No newline at end of file diff --git a/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl b/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl new file mode 100644 index 00000000..50f4b7fc --- /dev/null +++ b/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl @@ -0,0 +1,77 @@ +config_opts['chroot_setup_cmd'] = 'install autoconf automake bash bash-completion bison bpftool bzip2 bzip2-devel cairo-devel cairo-gobject-devel cmake-filesystem coreutils cpio dejavu-sans-fonts device-mapper-devel diffutils dmidecode dwarves efivar-devel elfutils-devel elfutils-libelf-devel findutils flashrom flashrom-devel flex fontconfig fontconfig-devel freetype freetype-devel fribidi-devel fuse-devel gawk gcc gcc-c++ gcc-plugin-devel gettext gettext-devel git-core glib2-devel glibc-static gnu-efi gnu-efi-compat gnu-efi-devel gnutls-c++ gnutls-dane gnutls-devel gnutls-utils gobject-introspection-devel google-noto-cjk-fonts-common google-noto-sans-cjk-ttc-fonts grep gzip help2man info json-c-devel json-glib-devel kernel-rpm-macros libX11-devel libXau-devel libXext-devel libXft-devel libXrender-devel libarchive-devel libcurl-devel libdatrie-devel libdrm-devel libgudev-devel libgusb-devel libidn2-devel libjcat libjcat-devel libpciaccess-devel libtasn1-devel libtasn1-tools libthai-devel libtool libvala libxcb-devel libxml2-devel libxmlb libxmlb-devel make meson ncurses-devel nettle-devel ninja-build openssl openssl-devel p11-kit-devel pango-devel patch perl-devel perl-generators pesign pixman-devel polkit-devel polkit-docs protobuf-c python3 python3-cairo python3-devel python3-gobject python3-gobject-base python3-gobject-base-noarch python3-jinja2 python3-mako python3-markdown redhat-release redhat-rpm-config rpm-build rpm-devel rpmdevtools sed shadow-utils softhsm sqlite sqlite-devel squashfs-tools systemd systemd-boot-unsigned systemd-devel tar texinfo tpm2-tss-devel unbound-libs unzip util-linux vala valgrind valgrind-devel vim which xorg-x11-proto-devel xz xz-devel' +config_opts['dist'] = 'el9' # only useful for --resultdir variable subst +config_opts['releasever'] = '9' +config_opts['package_manager'] = 'dnf' +config_opts['extra_chroot_dirs'] = [ '/run/lock', ] +config_opts['bootstrap_image'] = 'quay.io/rockylinux/rockylinux:9' + +config_opts['plugin_conf']['bind_mount_enable'] = True +config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/etc/pki/pesign', '/etc/pki/pesign' )) +config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/usr/libexec/pesign', '/usr/libexec/pesign' )) +config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' )) +config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/lib/softhsm', '/var/lib/softhsm' )) +config_opts['nspawn_args'] += ['--bind=/etc/pki/pesign'] +config_opts['nspawn_args'] += ['--bind=/usr/libexec/pesign'] +config_opts['nspawn_args'] += ['--bind=/var/lib/softhsm'] +config_opts['nspawn_args'] += ['--bind=/var/run/pesign'] + +config_opts['dnf.conf'] = """ +[main] +keepcache=1 +debuglevel=2 +reposdir=/dev/null +logfile=/var/log/yum.log +retries=20 +obsoletes=1 +gpgcheck=0 +assumeyes=1 +syslog_ident=mock +syslog_device= +metadata_expire=0 +mdpolicy=group:primary +best=1 +install_weak_deps=0 +protected_packages= +module_platform_id=platform:el9 +user_agent={{ user_agent }} + + +[baseos] +name=Rocky Linux $releasever - BaseOS +baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/BaseOS/$basearch/os/ +gpgcheck=1 +enabled=1 +metadata_expire=6h +gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 + +[appstream] +name=Rocky Linux $releasever - AppStream +baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/AppStream/$basearch/os/ +gpgcheck=1 +enabled=1 +metadata_expire=6h +gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 + +[crb] +name=Rocky Linux $releasever - CRB +baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/CRB/$basearch/os/ +gpgcheck=1 +enabled=1 +metadata_expire=6h +gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 + +[extras] +name=Rocky Linux $releasever - Extras +baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/extras/$basearch/os/ +gpgcheck=1 +enabled=1 +metadata_expire=6h +gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 + +[devel] +name=Rocky Linux $releasever - Devel WARNING! FOR BUILDROOT ONLY DO NOT LEAVE ENABLED +baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/devel/$basearch/os/ +gpgcheck=1 +enabled=1 +gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 +""" \ No newline at end of file diff --git a/hcl/softhsm-fc38-rocky9/files/softhsm-node.sh b/hcl/softhsm-fc38-rocky9/files/softhsm-node.sh new file mode 100644 index 00000000..1429d17b --- /dev/null +++ b/hcl/softhsm-fc38-rocky9/files/softhsm-node.sh @@ -0,0 +1,78 @@ +#!/bin/bash + +set -euo pipefail + +if test ! $(rpm --eval %fedora) = "38"; then + echo "The script is meant to run on Fedora 38 only, terminating." + exit 1 +fi + +sudo dnf install -y git grubby openssl pesign softhsm mock wget + +sudo setenforce 0 || true +sudo grubby --update-kernel ALL --args selinux=0 + +sudo cp -n rocky-9-softhsm-x86_64.cfg /etc/mock/ +sudo cp -n rocky-9-softhsm.tpl /etc/mock/templates/ +sudo usermod -a -G mock,ods,pesign $USER + +# The file "/etc/profile.d/softhsm-node-for-pesign.sh" will act as a flag indicating that the earlier tasks have succeeded - no need for multiple reboots +if test ! -f /etc/profile.d/softhsm-node-for-pesign.sh; then + sudo bash -c 'echo "export PESIGN_TOKEN_PIN=\"Secret.123\"" > /etc/profile.d/softhsm-node-for-pesign.sh' + echo " + --- + Rebooting the machine for the changes to take place. + " + sudo reboot +fi + +if test ! -v PESIGN_TOKEN_PIN; then + echo "PESIGN_TOKEN_PIN not set correctly, terminating." + exit 1 +fi + +YOUR_UNIX_ACCOUNT_GROUPS="$(id -Gn $USER)" + +if ! grep -q "mock pesign ods" <<< "${YOUR_UNIX_ACCOUNT_GROUPS}"; then + echo " + Expected your Unix account to be in the groups: + \"mock pesign ods\" + but got: + \"${YOUR_UNIX_ACCOUNT_GROUPS}\", + terminating. + " + exit 1 +fi + +# Initializations +mock -r rocky-9-softhsm-x86_64 --init +softhsm2-util --init-token --label HSM --so-pin ${PESIGN_TOKEN_PIN} --pin ${PESIGN_TOKEN_PIN} --free + +# Example p12 generation and import +git clone https://github.com/rhboot/shim.git --depth 1 +pushd shim +./make-certs example +pk12util -k <(echo "${PESIGN_TOKEN_PIN}") -w /dev/zero -i example.p12 -d /etc/pki/pesign -h HSM +popd + +# Workarounds related to permissions +sudo chmod -R 777 /var/lib/softhsm/ +sudo /usr/libexec/pesign/pesign-authorize +sudo chmod -R 777 /var/lib/softhsm/ +sudo chmod -R 777 /etc/pki/pesign/ +sudo systemctl enable pesign --now +sudo chmod -R 777 /var/run/pesign* + +# Unlock the token in client-server mode +pesign-client -u -t HSM +pesign-client --is-unlocked --token HSM + +# Example rebuild as a proof that it works +wget http://dl.rockylinux.org/vault/rocky/9.4/BaseOS/source/tree/Packages/g/grub2-2.06-82.el9_4.src.rpm +echo "ee074f84382f92401bc85cdac2942e3c0da928aa56329afe29b058db63857d99 *grub2-2.06-82.el9_4.src.rpm" | sha256sum -c +mock -r rocky-9-softhsm-x86_64 --define "pe_signing_token HSM" --define "pe_signing_cert example" --rebuild grub2-2.06-82.el9_4.src.rpm + +echo " +--- +It works alright. +" From 95592b95d8967c1076d554325008991c793431ab Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Sun, 3 Nov 2024 19:48:19 +0100 Subject: [PATCH 3/4] Fix one typo in docs/submitting.md "schems" -> "schemes", as per PR #448 Signed-off-by: Kamil Aronowski --- docs/submitting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/submitting.md b/docs/submitting.md index bbcf4692..33d253d7 100644 --- a/docs/submitting.md +++ b/docs/submitting.md @@ -109,7 +109,7 @@ There are strong recommendations on the types of certificates that should be used in shim, and also on how keys should be managed for security. See the 12th bullet in [Microsoft UEFI Signing Requirements](https://techcommunity.microsoft.com/t5/hardware-dev-center/updated-uefi-signing-requirements/ba-p/1062916) -for tips on this, and also some suggested schems for key and certificate +for tips on this, and also some suggested schemes for key and certificate management. The recommendation of using HSMs is worth mentioning here in particular. To From c0b029aacad38ebbea68834d76485a28d0cb7858 Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Wed, 20 Nov 2024 17:28:05 +0100 Subject: [PATCH 4/4] Remove the HCL proposal As discussed, this might work better as an unofficial post, than official venue. Signed-off-by: Kamil Aronowski --- docs/submitting.md | 1 - hcl/README.md | 5 -- hcl/softhsm-fc38-rocky9/README.md | 13 ---- hcl/softhsm-fc38-rocky9/Vagrantfile | 13 ---- .../files/rocky-9-softhsm-x86_64.cfg | 6 -- .../files/rocky-9-softhsm.tpl | 77 ------------------ hcl/softhsm-fc38-rocky9/files/softhsm-node.sh | 78 ------------------- 7 files changed, 193 deletions(-) delete mode 100644 hcl/README.md delete mode 100644 hcl/softhsm-fc38-rocky9/README.md delete mode 100644 hcl/softhsm-fc38-rocky9/Vagrantfile delete mode 100644 hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg delete mode 100644 hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl delete mode 100644 hcl/softhsm-fc38-rocky9/files/softhsm-node.sh diff --git a/docs/submitting.md b/docs/submitting.md index 33d253d7..ec536930 100644 --- a/docs/submitting.md +++ b/docs/submitting.md @@ -121,7 +121,6 @@ When asked about the security strategy used for the protection of your keys, and you indeed do use an HSM, tell us the story of setting up your signing infrastructure - showcase us, with utter pride, how prioritized the signing security is in your organization! -If possible, help the community by submitting an HCL (Hardware Compatibility List) entry, presenting what HSM you use, and what processes have been performed to make it work inside your infrastructure - see the [`hcl` directory](../hcl) for existing submissions. ### 3.3 Reproducible build diff --git a/hcl/README.md b/hcl/README.md deleted file mode 100644 index b1b58a3a..00000000 --- a/hcl/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# HSM Hardware Compatibility List - -This directory is meant to be a community-backed registry of HSMs proven to work well for signing bootloader components, along with the infrastructure setup workarounds that are required for certain problematic tokens. - -This venue is **not** meant to act as any form of endorsement or advertisement for the aforementioned tokens and their vendors. diff --git a/hcl/softhsm-fc38-rocky9/README.md b/hcl/softhsm-fc38-rocky9/README.md deleted file mode 100644 index 71c7df9d..00000000 --- a/hcl/softhsm-fc38-rocky9/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# shim-review HCL demo submission - SoftHSM - -This is a demonstration of an HCL submission where SoftHSM is used on a Fedora 38 machine to build and sign Rocky Linux 9 bootloader components (GRUB2 only to keep it more simple), with pesign running in client-server mode in a mock environment. - -It's purpose is to showcase, what kind of assumptions need to be met, what package versions (shipped by their respective vendors) have been used and what workarounds were needed to make the token work well, e.g. disabling SELinux, changing file permissions, generating test certificates, among others. - -Naturally this is just a demonstration meant to be run in a laboratory/test environment to grasp the ideas in an easy-to-follow way. Hence why certain simplifications have been made, like generating keys and certificates outside a token, or how that token can be easily copied and provides no hardware protection. When submitting your own HCL entry, showcase the community the power of your hardware token's security! - -Run the test environment: - -``` -$ vagrant destroy -f ; vagrant up --provision ; sleep 60 ; vagrant up --provision -``` diff --git a/hcl/softhsm-fc38-rocky9/Vagrantfile b/hcl/softhsm-fc38-rocky9/Vagrantfile deleted file mode 100644 index 94194bbd..00000000 --- a/hcl/softhsm-fc38-rocky9/Vagrantfile +++ /dev/null @@ -1,13 +0,0 @@ -Vagrant.configure("2") do |config| - config.vm.box = "fedora/38-cloud-base" - config.vm.box_version = "38.20230413.1" - - ["virtualbox", "libvirt"].each do |provider| - config.vm.provider provider do |v| - v.memory = 4096 - v.cpus = 2 - end - end - - config.vm.provision "shell", inline: "cd /vagrant/files/ && bash ./softhsm-node.sh" -end diff --git a/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg b/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg deleted file mode 100644 index f173ed9c..00000000 --- a/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm-x86_64.cfg +++ /dev/null @@ -1,6 +0,0 @@ -include('templates/rocky-9-softhsm.tpl') - -config_opts['root'] = 'rocky-9-softhsm-x86_64' -config_opts['description'] = 'Rocky Linux 9' -config_opts['target_arch'] = 'x86_64' -config_opts['legal_host_arches'] = ('x86_64',) \ No newline at end of file diff --git a/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl b/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl deleted file mode 100644 index 50f4b7fc..00000000 --- a/hcl/softhsm-fc38-rocky9/files/rocky-9-softhsm.tpl +++ /dev/null @@ -1,77 +0,0 @@ -config_opts['chroot_setup_cmd'] = 'install autoconf automake bash bash-completion bison bpftool bzip2 bzip2-devel cairo-devel cairo-gobject-devel cmake-filesystem coreutils cpio dejavu-sans-fonts device-mapper-devel diffutils dmidecode dwarves efivar-devel elfutils-devel elfutils-libelf-devel findutils flashrom flashrom-devel flex fontconfig fontconfig-devel freetype freetype-devel fribidi-devel fuse-devel gawk gcc gcc-c++ gcc-plugin-devel gettext gettext-devel git-core glib2-devel glibc-static gnu-efi gnu-efi-compat gnu-efi-devel gnutls-c++ gnutls-dane gnutls-devel gnutls-utils gobject-introspection-devel google-noto-cjk-fonts-common google-noto-sans-cjk-ttc-fonts grep gzip help2man info json-c-devel json-glib-devel kernel-rpm-macros libX11-devel libXau-devel libXext-devel libXft-devel libXrender-devel libarchive-devel libcurl-devel libdatrie-devel libdrm-devel libgudev-devel libgusb-devel libidn2-devel libjcat libjcat-devel libpciaccess-devel libtasn1-devel libtasn1-tools libthai-devel libtool libvala libxcb-devel libxml2-devel libxmlb libxmlb-devel make meson ncurses-devel nettle-devel ninja-build openssl openssl-devel p11-kit-devel pango-devel patch perl-devel perl-generators pesign pixman-devel polkit-devel polkit-docs protobuf-c python3 python3-cairo python3-devel python3-gobject python3-gobject-base python3-gobject-base-noarch python3-jinja2 python3-mako python3-markdown redhat-release redhat-rpm-config rpm-build rpm-devel rpmdevtools sed shadow-utils softhsm sqlite sqlite-devel squashfs-tools systemd systemd-boot-unsigned systemd-devel tar texinfo tpm2-tss-devel unbound-libs unzip util-linux vala valgrind valgrind-devel vim which xorg-x11-proto-devel xz xz-devel' -config_opts['dist'] = 'el9' # only useful for --resultdir variable subst -config_opts['releasever'] = '9' -config_opts['package_manager'] = 'dnf' -config_opts['extra_chroot_dirs'] = [ '/run/lock', ] -config_opts['bootstrap_image'] = 'quay.io/rockylinux/rockylinux:9' - -config_opts['plugin_conf']['bind_mount_enable'] = True -config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/etc/pki/pesign', '/etc/pki/pesign' )) -config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/usr/libexec/pesign', '/usr/libexec/pesign' )) -config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' )) -config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/lib/softhsm', '/var/lib/softhsm' )) -config_opts['nspawn_args'] += ['--bind=/etc/pki/pesign'] -config_opts['nspawn_args'] += ['--bind=/usr/libexec/pesign'] -config_opts['nspawn_args'] += ['--bind=/var/lib/softhsm'] -config_opts['nspawn_args'] += ['--bind=/var/run/pesign'] - -config_opts['dnf.conf'] = """ -[main] -keepcache=1 -debuglevel=2 -reposdir=/dev/null -logfile=/var/log/yum.log -retries=20 -obsoletes=1 -gpgcheck=0 -assumeyes=1 -syslog_ident=mock -syslog_device= -metadata_expire=0 -mdpolicy=group:primary -best=1 -install_weak_deps=0 -protected_packages= -module_platform_id=platform:el9 -user_agent={{ user_agent }} - - -[baseos] -name=Rocky Linux $releasever - BaseOS -baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/BaseOS/$basearch/os/ -gpgcheck=1 -enabled=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 - -[appstream] -name=Rocky Linux $releasever - AppStream -baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/AppStream/$basearch/os/ -gpgcheck=1 -enabled=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 - -[crb] -name=Rocky Linux $releasever - CRB -baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/CRB/$basearch/os/ -gpgcheck=1 -enabled=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 - -[extras] -name=Rocky Linux $releasever - Extras -baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/extras/$basearch/os/ -gpgcheck=1 -enabled=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 - -[devel] -name=Rocky Linux $releasever - Devel WARNING! FOR BUILDROOT ONLY DO NOT LEAVE ENABLED -baseurl=http://dl.rockylinux.org/pub/rocky/$releasever/devel/$basearch/os/ -gpgcheck=1 -enabled=1 -gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9 -""" \ No newline at end of file diff --git a/hcl/softhsm-fc38-rocky9/files/softhsm-node.sh b/hcl/softhsm-fc38-rocky9/files/softhsm-node.sh deleted file mode 100644 index 1429d17b..00000000 --- a/hcl/softhsm-fc38-rocky9/files/softhsm-node.sh +++ /dev/null @@ -1,78 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -if test ! $(rpm --eval %fedora) = "38"; then - echo "The script is meant to run on Fedora 38 only, terminating." - exit 1 -fi - -sudo dnf install -y git grubby openssl pesign softhsm mock wget - -sudo setenforce 0 || true -sudo grubby --update-kernel ALL --args selinux=0 - -sudo cp -n rocky-9-softhsm-x86_64.cfg /etc/mock/ -sudo cp -n rocky-9-softhsm.tpl /etc/mock/templates/ -sudo usermod -a -G mock,ods,pesign $USER - -# The file "/etc/profile.d/softhsm-node-for-pesign.sh" will act as a flag indicating that the earlier tasks have succeeded - no need for multiple reboots -if test ! -f /etc/profile.d/softhsm-node-for-pesign.sh; then - sudo bash -c 'echo "export PESIGN_TOKEN_PIN=\"Secret.123\"" > /etc/profile.d/softhsm-node-for-pesign.sh' - echo " - --- - Rebooting the machine for the changes to take place. - " - sudo reboot -fi - -if test ! -v PESIGN_TOKEN_PIN; then - echo "PESIGN_TOKEN_PIN not set correctly, terminating." - exit 1 -fi - -YOUR_UNIX_ACCOUNT_GROUPS="$(id -Gn $USER)" - -if ! grep -q "mock pesign ods" <<< "${YOUR_UNIX_ACCOUNT_GROUPS}"; then - echo " - Expected your Unix account to be in the groups: - \"mock pesign ods\" - but got: - \"${YOUR_UNIX_ACCOUNT_GROUPS}\", - terminating. - " - exit 1 -fi - -# Initializations -mock -r rocky-9-softhsm-x86_64 --init -softhsm2-util --init-token --label HSM --so-pin ${PESIGN_TOKEN_PIN} --pin ${PESIGN_TOKEN_PIN} --free - -# Example p12 generation and import -git clone https://github.com/rhboot/shim.git --depth 1 -pushd shim -./make-certs example -pk12util -k <(echo "${PESIGN_TOKEN_PIN}") -w /dev/zero -i example.p12 -d /etc/pki/pesign -h HSM -popd - -# Workarounds related to permissions -sudo chmod -R 777 /var/lib/softhsm/ -sudo /usr/libexec/pesign/pesign-authorize -sudo chmod -R 777 /var/lib/softhsm/ -sudo chmod -R 777 /etc/pki/pesign/ -sudo systemctl enable pesign --now -sudo chmod -R 777 /var/run/pesign* - -# Unlock the token in client-server mode -pesign-client -u -t HSM -pesign-client --is-unlocked --token HSM - -# Example rebuild as a proof that it works -wget http://dl.rockylinux.org/vault/rocky/9.4/BaseOS/source/tree/Packages/g/grub2-2.06-82.el9_4.src.rpm -echo "ee074f84382f92401bc85cdac2942e3c0da928aa56329afe29b058db63857d99 *grub2-2.06-82.el9_4.src.rpm" | sha256sum -c -mock -r rocky-9-softhsm-x86_64 --define "pe_signing_token HSM" --define "pe_signing_cert example" --rebuild grub2-2.06-82.el9_4.src.rpm - -echo " ---- -It works alright. -"