conf: keys: add the composefs keys #432

Merged
merged 1 commit into from
Apr 22, 2024
Conversation

ldts
Contributor

@ldts ldts commented Apr 16, 2024

In preparation for the subsequent composefs PRs

# Link Composefs fs-verity keys
if [ ! -d "conf/keys/cfs" ]; then
ln -sf "${MANIFESTS}"/conf/keys/cfs conf/keys/cfs
fi
fi
Member

A snip like this one is also required below in the next if block for the # Factory specific keys (unique per factory)

@ricardosalveti
Member

Is this key for fs-verity only? What about the ostree signature?

@ldts
Contributor Author

ldts commented Apr 18, 2024

Is this key for fs-verity only? What about the ostree signature?

this key signs the ostree commit and the composefs image

I'll prepare the meta PR next but this is what this key does:
ldts/meta-lmp@14ef7ef#diff-5902a4eedf5431143c68c955af94ee04a9dadb2ea337a3dbe4507ba1e92ce94cR160

# ComposeFS signatures
#
CFS_SIGN_KEYDIR ??= "${TOPDIR}/conf/keys/cfs"
CFS_SIGN_KEYDIR[vardepsexclude] += "TOPDIR"
Member

after looking at the meta PR I see the CFS_SIGN_KEYNAME so it will be good to also add a default value

CFS_SIGN_KEYNAME ?= "cfs-dev"

Member

with that we can drop the ones on the meta PR and make it generic and not machine specific
ldts/meta-lmp@14ef7ef#diff-444ca8738c9172ef4f06ce2d79dac863177b904d7f673d4bf8e292560a397c6fR132-R133

# Link Composefs keys
if [ ! -d "conf/keys/cfs" ]; then
ln -sf "${MANIFESTS}"/conf/keys/cfs conf/keys/cfs
fi
Member

this snip needs to be a bit different from the other

# Link Composefs keys if not set by the user
if [ -d "${MANIFESTS}"/factory-keys/cfs ] && [ ! -d "conf/factory-keys/cfs" ]; then
    ln -sf "${MANIFESTS}"/factory-keys/cfs conf/factory-keys/cfs
fi

Member

Yeah, link is incorrect.

@@ -0,0 +1,2 @@
Ga5I1u55+hH9kNKLFzztqBpKL0uI/IoAOg0jhwAwAWIpDCXmriFCPBDG74Fh+bgakWR2B0/aobX0
o6a6/rvGMw==
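Review bot: the two added lines are 88 base64 characters ending in `==`, which decodes to 64 bytes; that is the seed||public layout the commit message's SECRET recipe builds, not the 32-byte public key, so the PR description should state which file this is and, if it is the private seed, that it is the development default (the `cfs-dev` name proposed above) that factory-specific keys are expected to override. The break after 76 characters is ordinary base64 line wrapping rather than truncation; decoding the file and checking for exactly 64 bytes settles the later "looks truncated" comment.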
Member

I don't know if this will cause problems but this line looks truncated

Contributor Author

um, works just fine for me

Verification of the composefs image.

To generate the keys:
   openssl genpkey -algorithm ed25519 -outform PEM -out ed25519.pem
   PEMFILE=ed25519.pem
   PUBLIC="$(openssl pkey -outform DER -pubout -in ${PEMFILE} | tail -c 32 | base64)"
   SEED="$(openssl pkey -outform DER -in ${PEMFILE} | tail -c 32 | base64)"
   SECRET="$(echo ${SEED}${PUBLIC} | base64 -d | base64 -w 0)"

   echo "${SECRET}" > secret
   echo "${PUBLIC}" > public

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
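A consistency check for the `secret` and `public` files produced by the recipe in the commit message, added here as an example and not code from the PR or the project; it assumes GNU coreutils (base64, dd, tr) and builds constructed demo bytes rather than a real key.

```shell
#!/bin/sh
# Sanity check for a composefs key pair laid out as the commit message describes:
#   secret = base64(seed || public)  -> 64 bytes once decoded
#   public = base64(public)          -> 32 bytes once decoded
# Assumes GNU coreutils. Wrapped base64, like the 76-column file in the
# reviewed hunk, is accepted because base64 -d ignores newlines.

# decoded_len FILE: print how many bytes the base64 file decodes to
decoded_len() {
    base64 -d "$1" 2>/dev/null | wc -c | tr -d ' '
}

# check_cfs_keys SECRET_FILE PUBLIC_FILE: 0 if well formed, otherwise a
# non-zero code and the reason on stderr
check_cfs_keys() {
    secret="$1"; public="$2"
    [ -f "$secret" ] && [ -f "$public" ] || { echo "missing key file" >&2; return 1; }
    [ "$(decoded_len "$secret")" = 64 ] || { echo "secret: expected 64 bytes (seed||public)" >&2; return 2; }
    [ "$(decoded_len "$public")" = 32 ] || { echo "public: expected 32 bytes" >&2; return 3; }
    # the public key must equal the last 32 bytes of the secret blob
    pub_from_secret="$(base64 -d "$secret" | tail -c 32 | base64 | tr -d '\n')"
    pub_file="$(base64 -d "$public" | base64 | tr -d '\n')"
    [ "$pub_from_secret" = "$pub_file" ] || { echo "public does not match the secret's public half" >&2; return 4; }
    return 0
}

# make_demo_keys DIR: constructed sample pair for offline testing, NOT a real
# key: seed = 32 x 0x01, public = 32 x 0x02. The secret is written with default
# base64 wrapping, which yields a 76 + 12 character file like the one in the hunk.
make_demo_keys() {
    dir="$1"; mkdir -p "$dir"
    { dd if=/dev/zero bs=32 count=1 2>/dev/null | tr '\0' '\001'
      dd if=/dev/zero bs=32 count=1 2>/dev/null | tr '\0' '\002'; } | base64 > "$dir/secret"
    dd if=/dev/zero bs=32 count=1 2>/dev/null | tr '\0' '\002' | base64 > "$dir/public"
}
```

Run `check_cfs_keys conf/keys/cfs/secret conf/keys/cfs/public` against a real pair; a file cut off mid-blob fails the 64-byte check, and a public file from a different pair fails the match check.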
Member

@quaresmajose quaresmajose left a comment

LGTM

@ricardosalveti
Member

Once approved/merged, please follow up a proposal to make sure these keys are automatically created on new factories as well.

@ldts ldts merged commit 499a220 into foundriesio:main Apr 22, 2024