feat: create persistent secure boot test keys for easier downstream builds (#45)

Author: joshua-stone

.github/workflows/build.yml

@@ -116,16 +116,7 @@ jobs:
         run: |
           mkdir -p certs
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              openssl req -new \
-                  -nodes \
-                  -utf8 \
-                  -sha256 \
-                  -days 365 \
-                  -batch \
-                  -x509 \
-                  -outform DER \
-                  -out certs/public_key.der \
-                  -keyout certs/private_key.priv
+              echo "Using test signing key"
           else
               echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
           fi

.gitignore

@@ -1 +1,2 @@
-certs/private_key.priv
+certs/private_key.priv.prod
+certs/public_key.der.prod

Containerfile

@@ -27,10 +27,15 @@ RUN rpm-ostree install \
 # alternatives cannot create symlinks on its own during a container build
 RUN ln -s /usr/bin/ld.bfd /etc/alternatives/ld && ln -s /etc/alternatives/ld /usr/bin/ld
 
-ADD certs/public_key.der   /etc/pki/akmods/certs/public_key.der
-ADD certs/private_key.priv /etc/pki/akmods/private/private_key.priv
+ADD certs /tmp/certs
 
-RUN chmod 644 /etc/pki/akmods/{private/private_key.priv,certs/public_key.der}
+RUN [[ -s "/tmp/certs/private_key.priv" ]] || \
+    echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds." && \
+    cp /tmp/certs/private_key.priv{.test,} && \
+    cp /tmp/certs/public_key.der{.test,}
+
+RUN install -Dm644 /tmp/certs/public_key.der   /etc/pki/akmods/certs/public_key.der
+RUN install -Dm644 /tmp/certs/private_key.priv /etc/pki/akmods/private/private_key.priv
 
 # Either successfully build and install the kernel modules, or fail early with debug output
 RUN NVIDIA_PACKAGE_NAME="$(cat /tmp/nvidia-package-name.txt)" \

README.md

@@ -82,36 +82,38 @@ If you're forking this repo you should [read the docs](https://docs.github.com/e
 
 ## Building locally
 
-1. Generate signing keys
+1. Build container
 
-    Self-generated signing keys in `certs/` are required for kernel module signing to succeed:
-
-```
-$ ./generate-akmod-key
-```
-
-    If you are forking this repo, you also need to add the private key to the repository secrets under the name AKMOD_PRIVKEY.
-
-2. Build container
-
-    A container build can be invoked by simply running:
+A container build can be invoked by simply running:
 
 ```
 $ podman build \
     --file Containerfile \
     --tag build-test:latest
 ```
 
-    Or to specify the version of Fedora and/or Nvidia driver:
+Or to specify the version of Fedora and/or Nvidia driver:
 
 ```
 $ podman build \
+    --build-arg IMAGE_NAME=silverblue \
     --build-arg FEDORA_MAJOR_VERSION=37 \
     --build-arg NVIDIA_MAJOR_VERSION=525 \
     --file Containerfile \
     --tag build-test:latest
 ```
 
+2. Generate signing keys
+
+If you are forking this repo, then you should add a private key to the repository secrets:
+
+```
+$ ./generate-akmod-key
+$ gh secret set AKMOD_PRIVKEY < certs/private_key.priv.prod
+$ cp certs/public_key.der.prod certs/public_key.der
+```
+
+
 ## Using Nvidia GPUs in containers
 
 [There is support for enabling Nvidia GPUs in containers](https://www.redhat.com/en/blog/how-use-gpus-containers-bare-metal-rhel-8). This can can be verified by running the following:

certs/private_key.priv

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMaUcd1e4fYogO
+N/cYZc22xmzsAetfhgVLvHNkKb/mNHywkGK4T7vPwvpQCxFGUufmRxYlGJra/QCn
+WjYd4/thBWoU/K7RBcLJJpuHFBODls5eBdXGXXpeTYmRKqcT6qBEJf4p21N2BqMz
+Mmh242TUKFOJ3rWWKXxWb8peNC+aMfIMKICLYSQvoonjHQm1ShMjkgTiOZQIaVLB
+zjfNewdaNCHOMh49xQrQxquTXJuNU6Y7LvPGSIdxShwotGi/E+Z3Y4kvUCapo0os
+wjhXXbhuj/XTH7gF+15mvHD9k1RPyVACLgmLyzM9LSOr80/rslj0nQf1KF8jW+bq
+tze3bZ17AgMBAAECggEABG8GJV4GB7U96T0KhYNzxlKgezABeHVyOPXR9Oq46Ffc
+GoJPOds04ilC/6h1y/YxZHvHPa++cCCLupWI1fYjdjPFXMYsTolW88D8H55uW+zR
+9hUfUWmmpVP+N2Fa9WIh7sh6LlM9CLLVKF+gB3AgOD/VrAhiHOsycLeFBq0QGUKR
+IkG7pKrF7CX1oal9WOnPo0r2oNUdP4yYCyEa7e7APTUwGbuihtixdnrYyiwEmpp0
+rfZPfBgh+3ACqeUO12gIdtjd85/3UsQ2kLt9/9m2q7Fa6aEcYQVz6nznLKuY4EVm
+zoYzAXfC2KsGol2V6eNY4MNBuvzY4DDJnpyjzicOEQKBgQDX4vd+t7ygUyZmGu6V
+CsF6uDSRHvHYJvJp2fR5spz6eRj7WXMkCTnyjzpDkMvbxtvjlEBntixlQicXsytW
+u2oayYPHl7ppGIEddcKlHsWUFqsAOATkQy3Bs5DCfzliELApGv5zoXJJC/A/iaiD
+GXVDJ0+FdSldetpMGw//rItoqwKBgQDyZHcrt0sVY6oxW2JpEVZXNSOoNMjBQQgL
++7lQyFpfXl9wfOXUkcqFc0m5UWPbTrI9OBZbXYcvI1eV/Xbtu3gdGiOv2sYauO1Z
+HgAS2B3yNGllzj8dNucELFCSNLwthTGhYO03bWflV7XbsG9O8SrZF2LaEglL2V8m
+wqPP5aE+cQKBgQCu7kp9c4R0pOvIcKpCOqTsO7bcoKZ275geDW377q8khlunz6Ns
+380EruoXNYz6WPh0P/ywDP2MTz4+BgBoFxSy//a4FEoIPsLgjDtccMLIbFXDp6DP
+FWBORKJX958Xx033ANiN+ZQRfIr/8RuKn2ZVM9VL3tPV22ZnpMYh9j5AYQKBgF36
++gGnJaN7aweMCRH3uORDJDoZjSTw0+/hf66EoBWN/68bnfjXNhCb7J+/oNntH0qB
+LpnqH3n1WAY9qhjusNmHwwJx7pF51fzRlvG3fZTlIWBpoSrwmI2TqQGnFLcJh36s
+mAz/jGLtqQMu21leRGC7ooYurBAOjcf3e5Al1mjhAoGAT0L02oGzce1vbwfqHCRK
+PexrY8GvNU6/Bml70P9n6FX3jQwt6Dhh1JkZZofv+wJWjOj4zV/Z0tj1uB1Ax9nR
+Z+87Pu7iYuNaYFGT9s76q+sbQtiUu5Gwlg6CyRSwbKdL15UBWf+Bt22Tp3NfbEoh
+OevJKeniH2GYy+ME5XxXb14=
+-----END PRIVATE KEY-----

certs/private_key.priv.test

@@ -2,6 +2,8 @@
 
 set -oeux pipefail
 
+readonly LANG="${LANG:-en_US.UTF-8}"
+
 readonly CERT_DIR=certs
 
 readonly IMAGE="quay.io/fedora-ostree-desktops/silverblue"
@@ -20,4 +22,5 @@ podman run \
     "sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-{cisco-openh264,modular,updates-modular,updates-archive}.repo && \
      rpm-ostree install akmods && \
      kmodgenca --auto && \
-     cp /etc/pki/akmods/{private/private_key.priv,certs/public_key.der} ."
+     cp /etc/pki/akmods/private/private_key.priv private_key.priv.prod && \
+     cp /etc/pki/akmods/certs/public_key.der public_key.der.prod"