s390x: support Ignition private key for official builds

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>

src/create_disk.sh

@@ -452,11 +452,12 @@ chroot_run() {
 }
 
 generate_gpgkeys() {
+    pkey="${1:-/tmp/ignition.asc}"
     local tmp_home
     tmp_home=$(mktemp -d /tmp/gpg-XXXXXX)
     gpg --homedir "${tmp_home}" --batch --passphrase '' --yes --quick-gen-key secex default
     gpg --homedir "${tmp_home}" --armor --export secex > "${ignition_pubkey}"
-    gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "/tmp/ignition.asc"
+    gpg --homedir "${tmp_home}" --armor --export-secret-key secex > "${pkey}"
     rm -rf "${tmp_home}"
 }
 
@@ -568,6 +569,10 @@ rdcore_replacement() {
     se_kernel="${se_tmp_boot}/vmlinuz"
     se_parmfile="${se_tmp_boot}/parmfile"
 
+    # Ignition GPG private key
+    mkdir "${se_tmp_boot}/tmp"
+    generate_gpgkeys "${se_tmp_boot}/tmp/ignition.asc"
+
     blsfile=$(find "${rootfs}"/boot/loader/entries/*.conf)
     echo "$(grep options "${blsfile}" | cut -d' ' -f2-)" "${se_kargs_append[@]}" > "${se_parmfile}"
     kernel="${rootfs}/boot/$(grep linux "${blsfile}" | cut -d' ' -f2)"

src/secex-genprotimgvm-scripts/genprotimg-script.sh

@@ -11,6 +11,11 @@ destination="/genprotimg"
 # genprotimg daemon can only see /genprotimg folder
 cp "${source}/vmlinuz" "${source}/initrd.img" "${source}/parmfile" "${destination}/"
 
+# Append Ignition GPG private key to initramfs
+cd "${source}"
+find tmp -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> "${destination}/initrd.img"
+rm -rf tmp
+
 # Signal daemon that it can run genprotimg
 touch "${destination}/signal.file"