s390x: generate RSA keys for ignition protection

coreos · Aug 30, 2022 · e365bf0 · e365bf0
1 parent 3246b72
commit e365bf0
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal
@@ -91,11 +91,15 @@ fi
 disk_args=()
 # SecureExecution extra stuff
 secex_hostkey_drive=()
+secex_ignition_pkey_drive=()
 if [[ $secure_execution -eq "1" ]]; then
     hostkey=$(realpath "$hostkey")
     disk_args+=("--with-secure-execution")
     secex_hostkey_drive=("-drive" "if=none,id=hostkey,format=raw,file=$hostkey,readonly=on" \
                          "-device" "virtio-blk,serial=hostkey,drive=hostkey")
+    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /tmp/ign.pem
+    secex_ignition_pkey_drive=("-drive" "if=none,id=ignition,format=raw,file=/tmp/ign.pem,readonly=on" \
+                         "-device" "virtio-blk,serial=ignition,drive=ignition")
 fi
 
 # shellcheck disable=SC2031
@@ -246,7 +250,7 @@ if [ -e "${configdir}/platforms.yaml" ]; then
     platforms_json="${workdir}/tmp/platforms.json"
     yaml2json "${configdir}/platforms.yaml" "${platforms_json}"
 fi
-runvm "${target_drive[@]}" "${secex_hostkey_drive[@]}" -- \
+runvm "${target_drive[@]}" "${secex_hostkey_drive[@]}" "${secex_ignition_pkey_drive[@]}" -- \
         /usr/lib/coreos-assembler/create_disk.sh \
             --config "$(pwd)"/image-for-disk.json \
             --kargs "\"${kargs}\"" \
@@ -271,6 +275,12 @@ json.dump(j, sys.stdout, indent=4)
 cosa meta --workdir "${workdir}" --build "${build}" --artifact "${image_type}" --artifact-json "$(readlink -f meta.json.new)"
 /usr/lib/coreos-assembler/finalize-artifact "${img}" "${builddir}/${img}"
 
+# SE
+if [ -f /tmp/ign.pem ]; then
+    openssl pkey -in /tmp/ign.pem -pubout -out "${builddir}/ignition.pub"
+    rm /tmp/ign.pem
+fi
+
 # Quiet for the rest of this so the last thing we see is a success message
 set +x
 # clean up the tmpild

diff --git a/src/create_disk.sh b/src/create_disk.sh
@@ -493,6 +493,8 @@ s390x)
         # in case builder itself runs with SecureExecution
         rdcore_zipl_args+=("--secex-mode=disable")
         chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
+    else
+        touch "$deploy_root/etc/ignition.pem"
     fi
     ;;
 esac
@@ -547,11 +549,12 @@ if [[ ${secure_execution} -eq 1 ]]; then
     # set up dm-verity for the rootfs and bootfs
     create_dmverity root $rootfs
     create_dmverity boot $rootfs/boot
-
+    mount -o ro,bind /dev/disk/by-id/virtio-ignition "$deploy_root/etc/ignition.pem"
     # run zipl with root hashes as kargs
     rdcore_zipl_args+=("--secex-mode=enforce" "--hostkey=/dev/disk/by-id/virtio-hostkey")
     rdcore_zipl_args+=("--append-karg=rootfs.roothash=$(cat /tmp/root-roothash)")
     rdcore_zipl_args+=("--append-karg=bootfs.roothash=$(cat /tmp/boot-roothash)")
+    rdcore_zipl_args+=("--append-file=/etc/ignition.pem")
     chroot_run /usr/lib/dracut/modules.d/50rdcore/rdcore zipl "${rdcore_zipl_args[@]}"
 
     # unmount and close everything