John Eckersberg b346d8d064 Use pesign instead of sbsign
This more closely aligns with how kernel-uki-virt is signed today, and
eliminates the requirement to use Fedora for the UKI toolchain.
Consequently, this also switches the UKI toolchain to use c10s.

Signed-off-by: John Eckersberg <jeckersb@redhat.com>
2025-10-22 09:28:34 -04:00

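# Override via --build-arg=base=<image> to use a different base.
# The kernel stage expects this image to ship exactly one kernel under
# /usr/lib/modules/<kver>/ with vmlinuz and initramfs.img next to it.
ARG base=localhost/bootc
# This is where we get the tools to build the UKI (ukify, pesign, openssl, sd-boot).
# NOTE(review): this is a floating tag; pin by digest (@sha256:<DIGEST>) if the
# signing toolchain needs to be reproducible.
ARG buildroot=quay.io/centos/centos:stream10
FROM $base AS base
FROM $buildroot AS buildroot-base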
RUN <<EORUN
set -xeuo pipefail
# systemd-ukify builds the UKI; pesign and openssl handle the Secure Boot
# signing; systemd-boot-unsigned is presumably where the sd-boot binary
# signed in the kernel stage comes from. systemd-udev is only pulled in for
# /usr/lib/systemd/systemd-measure, which ukify needs for `--measure` —
# optional, but it gives us the measured PCR values in the output.
dnf install -y \
    openssl \
    pesign \
    systemd-boot-unsigned \
    systemd-udev \
    systemd-ukify
dnf clean all
EORUN
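FROM buildroot-base AS kernel
# fs-verity digest of the composefs image; must be passed via
# --build-arg=COMPOSEFS_FSVERITY=<digest>
ARG COMPOSEFS_FSVERITY
# The Secure Boot key and certificate come in as BuildKit secrets so they
# never land in a layer; the base image is bind-mounted at /target so the
# kernel and initramfs can be read from it.
RUN --mount=type=secret,id=key \
--mount=type=secret,id=cert \
--mount=type=bind,from=base,target=/target \
<<EOF
set -xeuo pipefail
# Should be generated externally
test -n "${COMPOSEFS_FSVERITY}"
# Inject the composefs kernel argument and specify a root with the x86_64 DPS UUID.
# TODO: Discoverable partition fleshed out, or drop root UUID as systemd-stub extension
# TODO: https://github.com/containers/composefs-rs/issues/183
cmdline="composefs=${COMPOSEFS_FSVERITY} root=UUID=4f68bce3-e8cd-4db1-96e7-fbcaf984b709 console=ttyS0,115200n8 enforcing=0 rw"
# pesign reads its signing material from an NSS database, so build one from
# the mounted cert/key. The database and the intermediate PKCS#12 bundle
# (exported with an empty password) both contain the private key: keep them
# in a scratch directory that is removed when this script exits, so the key
# does not persist in this intermediate stage's layer or in an exported
# build cache.
scratch=$(mktemp -d)
trap 'rm -rf "${scratch}"' EXIT
certdir="${scratch}/pesign"
mkdir "${certdir}"
certutil -N -d "${certdir}" --empty-password
openssl pkcs12 -export -password 'pass:' -inkey /run/secrets/key -in /run/secrets/cert -out "${scratch}/db.p12"
pk12util -i "${scratch}/db.p12" -W '' -d "${certdir}"
# ukify and pesign select the certificate by name in the NSS database; the
# CN from the cert is used for that. With pipefail a subject that does not
# start with CN= already fails the pipeline; the test guards against an
# empty name reaching the signing tools.
subject=$(openssl x509 -in /run/secrets/cert -subject | grep '^subject=CN=' | sed 's/^subject=CN=//')
test -n "${subject}"
# Exactly one installed kernel is expected; with several the glob would
# expand to a space-separated list and every path below would be wrong.
kver=$(cd /target/usr/lib/modules && echo *)
test -d "/target/usr/lib/modules/${kver}"
ukify build \
--linux "/target/usr/lib/modules/${kver}/vmlinuz" \
--initrd "/target/usr/lib/modules/${kver}/initramfs.img" \
--uname="${kver}" \
--cmdline "${cmdline}" \
--os-release "@/target/usr/lib/os-release" \
--signtool pesign \
--secureboot-certificate-dir "${certdir}" \
--secureboot-certificate-name "${subject}" \
--measure \
--json pretty \
--output "/boot/${kver}.efi"
# Sign systemd-boot as well, replacing the unsigned binary in place
sdboot="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
pesign \
--certdir "${certdir}" \
--certificate "${subject}" \
--in "${sdboot}" \
--out "${sdboot}.signed" \
--sign
mv "${sdboot}.signed" "${sdboot}"
EOF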
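FROM base AS final
# Pull the signed UKI out of the kernel stage into the base image's /boot.
RUN --mount=type=bind,from=kernel,target=/run/kernel <<EOF
set -xeuo pipefail
# Exactly one installed kernel is expected (the kernel stage relies on the
# same assumption); fail loudly instead of producing bogus paths.
kver=$(cd /usr/lib/modules && echo *)
test -d "/usr/lib/modules/${kver}"
mkdir -p /boot/EFI/Linux
# We put the UKI in /boot for now due to composefs verity not being the
# same due to mtime of /usr/lib/modules being changed
target="/boot/EFI/Linux/${kver}.efi"
cp "/run/kernel/boot/${kver}.efi" "${target}"
# And remove the defaults; the UKI now carries both. Spelled out rather than
# brace-expanded so this does not depend on /bin/sh being bash.
rm -v "/usr/lib/modules/${kver}/vmlinuz" "/usr/lib/modules/${kver}/initramfs.img"
# Symlink into the /usr/lib/modules location
ln -sr "${target}" "/usr/lib/modules/${kver}/${kver}.efi"
bootc container lint --fatal-warnings
EOF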
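FROM base AS final-final
# Only /boot (the signed UKI under /boot/EFI/Linux) is carried over from the
# final stage; everything else is the unmodified base image.
COPY --from=final /boot /boot
# Override the default: mark this image as sealed
LABEL containers.bootc=sealed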