Merge pull request #2702 from OSInside/fix_s390_genprotimg_signing
Fix genprotimg for s390 builds
Conan-Kudo authored Jan 6, 2025
2 parents d4ca89e + d206287 commit fd53036
Showing 2 changed files with 10 additions and 9 deletions.
16 changes: 9 additions & 7 deletions kiwi/bootloader/config/zipl.py
Expand Up @@ -81,6 +81,7 @@ def setup_loader(self, target: str) -> None:
f'{boot_path}/{kernel_info.initrd_name}'

host_key_certificates = self.xml_state.get_host_key_certificates()
cc_boot_image = f'{self.custom_args["kernel"]}.cc'
if host_key_certificates:
with Temporary(
path=self.root_mount.mountpoint, prefix='kiwi_zipl_parmfile_'
Expand All @@ -90,11 +91,10 @@ def setup_loader(self, target: str) -> None:
genprotimg_init = [
'chroot', root_dir, 'genprotimg',
'--offline', '--verbose',
'-o', f'{self.custom_args["kernel"]}.cc',
'-o', cc_boot_image,
'-i', self.custom_args['kernel'],
'-r', self.custom_args['initrd'],
'-p', hkd_parm_file.name.replace(root_dir, ''),
'--cert', host_key_certificates[0]['hkd_ca_cert']
'-p', hkd_parm_file.name.replace(root_dir, '')
]
# verify all host key documents individually and call
# genprotimg with --no-verify afterwards. This is done
Expand All @@ -103,6 +103,10 @@ def setup_loader(self, target: str) -> None:
for host_key_certificate in host_key_certificates:
genprotimg_host_key_check = copy.deepcopy(genprotimg_init)
genprotimg_host_key_check.append('--cert')
genprotimg_host_key_check.append(
host_key_certificates[0]['hkd_ca_cert']
)
genprotimg_host_key_check.append('--cert')
genprotimg_host_key_check.append(
host_key_certificate['hkd_sign_cert']
)
Expand All @@ -118,12 +122,11 @@ def setup_loader(self, target: str) -> None:
)
)
Command.run(genprotimg_host_key_check)
os.unlink(f'{root_dir}/{cc_boot_image}')
# final call
genprotimg = genprotimg_init
genprotimg.append('--no-verify')
for host_key_certificate in host_key_certificates:
genprotimg.append('--cert')
genprotimg.append(host_key_certificate['hkd_sign_cert'])
for host_key in host_key_certificate.get('hkd_cert'):
genprotimg.append('-k')
genprotimg.append(host_key)
Expand All @@ -133,8 +136,7 @@ def setup_loader(self, target: str) -> None:
Command.run(genprotimg)

self.custom_args['secure_linux'] = True
self.custom_args['secure_image_file'] = \
f'{self.custom_args["kernel"]}.cc'
self.custom_args['secure_image_file'] = cc_boot_image
os.unlink(f'{root_dir}/{self.custom_args["kernel"]}')
os.unlink(f'{root_dir}/{self.custom_args["initrd"]}')
self.custom_args['kernel'] = ''
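Review bot: In the verification loop, `host_key_certificates[0]['hkd_ca_cert']` is appended on every iteration, so each entry after the first is checked against the first entry's CA certificate rather than its own. If entries can carry different CA certificates, this should read `host_key_certificate['hkd_ca_cert']`; if a single CA is the only supported setup, a short comment saying so would prevent the next reader from assuming per-entry chains. The check matters because the final call passes `--no-verify` without any `--cert`, which leaves this loop as the only place the host key documents are validated. setup_loader begins and ends outside the visible hunks.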
3 changes: 1 addition & 2 deletions test/unit/bootloader/config/zipl_test.py
Expand Up @@ -141,9 +141,7 @@ def test_setup_loader(
'-i', 'bootpath/kernel-filename',
'-r', 'bootpath/initrd-name',
'-p', temporary.name.replace('system_root_mount', ''),
'--cert', '/path/to/DigiCertCA.crt',
'--no-verify',
'--cert', '/path/to/ibm-z-host-key-signing.crt',
'-k', '/path/to/host.crt',
'--crl', '/path/to/revocation-list.crl',
]
Expand All @@ -159,6 +157,7 @@ def test_setup_loader(
)
]
assert mock_os_unlink.call_args_list == [
call('system_root_mount/bootpath/kernel-filename.cc'),
call('system_root_mount/bootpath/kernel-filename'),
call('system_root_mount/bootpath/initrd-name')
]
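Review bot: The expected `mock_os_unlink` calls contain a single `kernel-filename.cc` removal, so the fixture appears to hold only one host key certificate entry and the per-entry verification loop runs once. A second entry, ideally with its own CA certificate, would cover the repeated removal of the intermediate image and pin which CA certificate is passed for later entries. test_setup_loader begins and ends outside the visible hunks.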
