Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce kernel-mshv-signed, hvloader-signed #7173

Merged
merged 7 commits into from
Feb 20, 2024
Merged

Introduce kernel-mshv-signed, hvloader-signed #7173

merged 7 commits into from
Feb 20, 2024

Conversation

Camelron
Copy link
Contributor

@Camelron Camelron commented Jan 5, 2024
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?
Introduce kernel-mshv-signed, hvloader-signed for the SecureBoot signing process. In MSHV-enabled images, the boot chain includes a new kernel (kernel-mshv) as well as an extra loader component (hvloader) for loading the hypervisor during boot. These must be signed by Microsoft so that the chain of trust is not broken.

Change Log
  • Introduce kernel-mshv-signed
  • Introduce hvloader-signed
Does this affect the toolchain?

NO

Test Methodology
  • manually authorized and run prod SB-sign SB-rpmbuild pipelines.

@microsoft-github-policy-service microsoft-github-policy-service bot added the main PR Destined for main label Jan 5, 2024
@Camelron Camelron force-pushed the cameronbaird/mshv-component-signing branch from 8a8f787 to cf7197c Compare January 5, 2024 00:54
@Camelron Camelron marked this pull request as ready for review February 15, 2024 18:53
@Camelron Camelron requested a review from a team as a code owner February 15, 2024 18:53
@Camelron Camelron changed the title [DRAFT] Introduce kernel-mshv-signed, hvloader-signed Introduce kernel-mshv-signed, hvloader-signed Feb 15, 2024
christopherco
christopherco requested changes Feb 17, 2024
View reviewed changes
SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
@@ -0,0 +1,153 @@
%global debug_package %{nil}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the entangled spec checker script for hvloader and kernel-mshv - toolkit/scripts/check_entangled_specs.py

SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
@@ -0,0 +1,153 @@
%global debug_package %{nil}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also update the codeowners files so @microsoft/cbl-mariner-kata-containers are automatically added as reviewers for updates to these new specs

@Camelron Camelron force-pushed the cameronbaird/mshv-component-signing branch from 0bb0f14 to 32fbdd3 Compare February 20, 2024 18:25
@Camelron Camelron requested review from a team as code owners February 20, 2024 18:29
@Camelron Camelron merged commit 27c0792 into main Feb 20, 2024
11 checks passed
@Camelron Camelron deleted the cameronbaird/mshv-component-signing branch February 20, 2024 18:55
SeanDougherty pushed a commit that referenced this pull request Mar 1, 2024
@Camelron @SeanDougherty
Introduce kernel-mshv-signed, hvloader-signed (#7173)
dd07992
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christopherco christopherco christopherco approved these changes

Assignees
No one assigned
Labels
main PR Destined for main
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Camelron @christopherco