Merge pull request #2754 from flatcar/sayan/signed-images

Add changes to have a Flatcar signed image with our signed release process.

Author: sayanchowdhury

build_image

@@ -177,8 +177,7 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
     extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
-  # TODO: Un-nobble this later when we have passed the shim review.
-  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then # && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
     generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
   if [[ "${PROD_TAR}" -eq 1 ]]; then

build_library/flatcar-sb-dev-shim-2025.cert

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIEPDCCAySgAwIBAgICCSkwDQYJKoZIhvcNAQELBQAwPTE7MDkGA1UEAxMyRmxhdGNhciBDb250
+YWluZXIgTGludXggU2VjdXJlIEJvb3QgRGV2ZWxvcG1lbnQgQ0EwHhcNMjUwMzIwMTE1NzI5WhcN
+MjgwMzIwMTE1NzI5WjBRMSAwHgYDVQQKExdGbGF0Y2FyIENvbnRhaW5lciBMaW51eDEtMCsGA1UE
+AxMkRmxhdGNhciBDb250YWluZXIgTGludXggU2hpbSBTaWduaW5nMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEA1/GCCSfkqRgSgSqphcfkBgRVxhdhYwlTm4DMeIet/15kPEQ8h8zGm5Js
+DhYYBKJfeGCM36/pBFT61KcpOTcxuEg2VKm2zOLsGfxymZjWln1Y3nUPiWx6AY/CRM6g2vYgXYIj
+x40aJN73usdRmdk6mVssKMMokkYFuH7eOxgWCkGtBbu/UZ/MU0VfdAc12EIuk/K4LMjSFpOitH2x
+mAvFobB8YAYzwhVybNl8etXUS+I3HjCUAwl0ly/fv4Pjb8LODI22jkPV/2X1OxG59wHOxsiNSBvd
+8szcYAH49iHg2bMVljsjtnEA7b51r4I6HJWlvTOc9Z3+jVz9mPXVlh6GEOzSVMBV7KsxkWeQdoUf
+8cQm+tqdfG2xVJUAWCil7xZAk1/l5C2fWgkRHX7fmF71ZDWW240iJvKRuA1/MlU5HlZfQk0EjgYv
+VZpwklpygn5bHbzquFlqwDhmtypULfTZ/NHnf1ygRuzwi7n/RTlZMziveNIj/yJBXoXdHlta8yDo
+VfV8G/m19z+YPW3gET2H1UwU656axcw7wUspndmuZySqqHl0yTDi/B1s8lT8+VxK4dol+GVIvys3
+zD6/K5J11YbsGydogBWSjir60ObWzloPLd8cQ0OXwHddZy5fFrfHgoTfrCacAOvcYynmwoHLHwwQ
+RVtC/X7MH4R2fIcvtAUCAwEAAaMyMDAwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzAO
+BgNVHQ8BAf8EBAMCAb4wDQYJKoZIhvcNAQELBQADggEBAGdP0xWGtfrCwPTL/m/2dJDx0VWnMf7C
+sAHNmlTji7d7bO7tI7h5RVj664z2GUgjpYlnCMAiDqutG3Uksrxq59lXaV2q4em4clZtnIWPwJ5V
+UcySW5VePkTekJHzS27KjNG/l6audfutM6GkKIMjMxJE1M/a5v+FsHF9taFEJrjJDPRD7gi/c75H
+sqW8C0hwcm/6/+yaoQte6ufTZu1TFacbXPEp0cZ4JHjxILYxXNIn6x2PUFMFo1XLhjOAIC67AaUk
+/qNhqmhxD3yYhagamvPKN9mV0qlqv1tw61XYvJwL5eDfSgtQXCiZlXjQWu+lysF3p2pH7lyGdzGr
+19/6sbQ=
+-----END CERTIFICATE-----

build_library/grub_install.sh

@@ -208,7 +208,7 @@ case "${FLAGS_target}" in
             # Official build: Copy signed shim and mm for signing later.
             sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \
                 "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi"
-            sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi" \
+            sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi.signed" \
                 "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi"
         fi
 

build_library/prod_image_util.sh

@@ -182,8 +182,6 @@ EOF
 
   # Official builds will sign and upload these files later, so remove them to
   # prevent them from being uploaded now.
-  # TODO: Un-nobble this later when we have passed the shim review.
-  false && \
   if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
     rm -v \
         "${BUILD_DIR}/${image_kernel}" \

build_library/sbsign_util.sh

@@ -6,14 +6,14 @@ if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
     SBSIGN_KEY="/usr/share/sb_keys/shim.key"
     SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
 else
-    SBSIGN_KEY="pkcs11:token=flatcar-dev-cert"
+    SBSIGN_KEY="pkcs11:token=flatcar-sb-dev-hsm-sign-2025"
     unset SBSIGN_CERT
 fi
 
 PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure-keyvault-pkcs11.so"
 
 PKCS11_ENV=(
-    AZURE_KEYVAULT_URL="https://chewi-test.vault.azure.net/"
+    AZURE_KEYVAULT_URL="https://flatcar-sb-dev-kv.vault.azure.net/"
     PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}"
     AZURE_KEYVAULT_PKCS11_DEBUG=1
 )

build_library/vm_image_util.sh

@@ -883,10 +883,12 @@ _write_qemu_uefi_secure_conf() {
             ;;
     esac
 
+    # TODO: Remove the temporary flatcar shim signing cert
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --add-db  "${owner}" /usr/share/sb_keys/DB.crt
+        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
+        --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }

changelog/changes/2025-03-21-shim-secureboot-update.md

@@ -0,0 +1 @@
+- Add changes for our secureboot signed images with our signed release process until the official shim signing ([scripts#2754](https://github.com/flatcar/scripts/pull/2754/))

sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/Manifest

@@ -1,2 +1,2 @@
-DIST shimaa64-15.8.efi.signed 995206 BLAKE2B fc858188d800dd785a6b989f154ddb3bb07748b8ee91ec3ffbabddf7452bb12eecfb788d9df97d1d900395c0825a4336f8b428bafa978d31995c0f671b7d1726 SHA512 d7875c906b715819b8d1b2a3a79adce64e4b37cfd7d8164cdf76fbb73a8e0b8264b01c403f8d71869f7a78bb5f840e81061f41d75d85cb49c58d3bee5e65004c
-DIST shimx64-15.8.efi.signed 948418 BLAKE2B 7c92989ec63111799cc0f481cef47108e58f96dc3b53116e1cee1e24cc940d3e5470a0aa6c057d86339f435eddc22272281c08e46db0856ada6db69d7cd32c64 SHA512 ff6e4f4add5c9d3914118e53e2669b7f63168c41be95b07c5a8308c64bf1a1d4ff133bb0dde602f0a0c7ef035e4847eac14969c3d9ff3a99c9011c2d8dd20014
+DIST shimaa64-15.8-r1.efi.signed 997336 BLAKE2B a8a138a6a72e76b829898f6c83d7156f7f6885bf85f530779a487e8ff7f66916fdca90d31b9742dca315c16060839cb9865847a80e1e45ab7e5d746b46b4e9f2 SHA512 509d4d434c7951a7f76b000b6c7f6bf6419de5a6fe95a8116782b74857665801bdb1dcb4957ffc20e2ddc8614b0e21f978b51edf7ef5b5c8a0e801ab1a77d7d3
+DIST shimx64-15.8-r1.efi.signed 950552 BLAKE2B b008664d23dae3489114f352aa55384ac7145a7c482d601378e1285fa9859ccf7541eafa2ec445a480bde0058c533235aa8be92c32bcba58511e26f32477af15 SHA512 c95644871e0d4450f978d23f9d3940bddecbc50607f79df39e9cb2a87c1c3620c24880353516e4c1f87d334a034f7dd8d0def3b107c189b6896f084f63c88609

sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-15.8.ebuild renamed to sdk_container/src/third_party/coreos-overlay/sys-boot/shim-signed/shim-signed-15.8-r1.ebuild

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 The Flatcar Maintainers.
+# Copyright (c) 2024-2025 The Flatcar Maintainers.
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -16,10 +16,10 @@ SLOT="0"
 KEYWORDS="amd64 arm64"
 
 for arch in ${KEYWORDS}; do
-	SRC_URI+="${arch}? ( https://mirror.release.flatcar-linux.net/coreos/shim${ARCHES[$arch]}-${PV}.efi.signed ) "
+	SRC_URI+="${arch}? ( https://mirror.release.flatcar-linux.net/coreos/shim${ARCHES[$arch]}-${PVR}.efi.signed ) "
 done
 
 src_install() {
 	insinto /usr/lib/shim
-	newins "${DISTDIR}/shim${ARCHES[$ARCH]}-${PV}.efi.signed" "shim${ARCHES[$ARCH]}.efi.signed"
+	newins "${DISTDIR}/shim${ARCHES[$ARCH]}-${PVR}.efi.signed" "shim${ARCHES[$ARCH]}.efi.signed"
 }