Add support for generating PCR configuration at image build time #515

Merged
merged 1 commit into from Apr 5, 2016

Conversation

Projects
None yet
2 participants
@mjg59
Contributor

mjg59 commented Apr 4, 2016

We need to ship some PCR measurements alongside images in order to make it
easier for admins to provide an appropriate policy. Add some tooling to
generate the appropriate hashes during build, pack those into a zip file
and upload it.

build_library/build_image_util.sh
fi
+ cd ${BUILD_DIR}

This comment has been minimized.

@marineam

marineam Apr 4, 2016

Contributor

Hm, zip doesn't have an equivalent to tar's -C? I don't know if working directory is or ever will be significant to other parts of the script but probably should use pushd/popd or similar scheme just to avoid confusing anyone in the future.

@marineam

marineam Apr 4, 2016

Contributor

Hm, zip doesn't have an equivalent to tar's -C? I don't know if working directory is or ever will be significant to other parts of the script but probably should use pushd/popd or similar scheme just to avoid confusing anyone in the future.

This comment has been minimized.

@mjg59

mjg59 Apr 4, 2016

Contributor

Not that I could find. I'll use pushd/popd.

@mjg59

mjg59 Apr 4, 2016

Contributor

Not that I could find. I'll use pushd/popd.

This comment has been minimized.

@mjg59

mjg59 Apr 4, 2016

Contributor

Done

@mjg59

mjg59 Apr 4, 2016

Contributor

Done

@@ -0,0 +1,57 @@
+#!/usr/bin/python

This comment has been minimized.

@marineam

marineam Apr 4, 2016

Contributor

I'm guessing some day we will want to combine this with our grub install script or have a generalized implementation in grub itself so we can generate this directly from grub.cfg, avoiding accidental mismatches when things change. Short of that we are going to need some build time check and/or kola test to make sure we don't accidentally make a release with this script and grub.cfg conflicting.

@marineam

marineam Apr 4, 2016

Contributor

I'm guessing some day we will want to combine this with our grub install script or have a generalized implementation in grub itself so we can generate this directly from grub.cfg, avoiding accidental mismatches when things change. Short of that we are going to need some build time check and/or kola test to make sure we don't accidentally make a release with this script and grub.cfg conflicting.

This comment has been minimized.

@mjg59

mjg59 Apr 4, 2016

Contributor

Yeah. It's somewhat difficult to mechanically generate the list of valid grub configuration parameters, so I think a validation run and test is going to be the best approach here.

@mjg59

mjg59 Apr 4, 2016

Contributor

Yeah. It's somewhat difficult to mechanically generate the list of valid grub configuration parameters, so I think a validation run and test is going to be the best approach here.

build_library/generate_kernel_hash.sh
+rootdir=sys.argv[1]
+version=sys.argv[2]
+
+path = rootdir + "/usr/boot/vmlinuz"

This comment has been minimized.

@marineam

marineam Apr 4, 2016

Contributor

Can we point this at the ESP copy of the kernel (/boot) so we don't forget about this later when enabling verity?

@marineam

marineam Apr 4, 2016

Contributor

Can we point this at the ESP copy of the kernel (/boot) so we don't forget about this later when enabling verity?

This comment has been minimized.

@mjg59

mjg59 Apr 4, 2016

Contributor

Oh good point.

@mjg59

mjg59 Apr 4, 2016

Contributor

Oh good point.

This comment has been minimized.

@mjg59

mjg59 Apr 4, 2016

Contributor

Done.

@mjg59

mjg59 Apr 4, 2016

Contributor

Done.

Add support for generating PCR configuration at image build time
We need to ship some PCR measurements alongside images in order to make it
easier for admins to provide an appropriate policy. Add some tooling to
generate the appropriate hashes during build, pack those into a zip file
and upload it.
@marineam

This comment has been minimized.

Show comment
Hide comment
@marineam

marineam Apr 5, 2016

Contributor

LGTM

Contributor

marineam commented Apr 5, 2016

LGTM

@mjg59 mjg59 merged commit 391368c into coreos:master Apr 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment