diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 09d40f0ae..63eed1b49 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,6 +46,16 @@ jobs: secret/secure-boot-signer/api-users/ostree-builder password | SBSIGNER_PASSWORD ; if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} + - name: Fetch Github read credentials from Vault + uses: hashicorp/vault-action@v3 + with: + url: https://vault.endlessos.org + method: jwt + path: ghactions + role: endlessm-eos-build-meta + secrets: | + secret/github/users/eos-backup token | EOS_BACKUP_TOKEN ; + - name: Configure BuildStream run: | # Certificate for BuildStream cache @@ -66,7 +76,7 @@ jobs: max-jobs: 4 logging: key-length: 0 - verbose: false + verbose: true error-lines: 20 message-lines: 20 debug: false @@ -129,6 +139,10 @@ jobs: machine sb-signer.endlessm-sf.com login ostree-builder password ${SBSIGNER_PASSWORD} + + machine github.com + login eos-backup + password ${EOS_BACKUP_TOKEN} EOF chmod 600 ~/.netrc @@ -146,13 +160,21 @@ jobs: timeout: 30 EOF source venv/bin/activate - bst -o signed_boot endless build --retry-failed eos/repo.bst + bst -o payg true -o signed_boot endless build --retry-failed eos/repo.bst if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} - name: Build root filesystem (signed_boot=snakeoil) run: | + echo "Set up ~/.netrc" + cat >> ~/.netrc << EOF + machine github.com + login eos-backup + password ${EOS_BACKUP_TOKEN} + EOF + chmod 600 ~/.netrc + source venv/bin/activate - bst -o signed_boot snakeoil build eos/repo.bst + bst -o payg true -o signed_boot snakeoil build --retry-failed eos/repo.bst if: ${{ github.event_name == 'pull_request' || github.ref != 'refs/heads/main' }} - name: Export OSTree commit and push it diff --git a/TEST_MATRIX.md b/TEST_MATRIX.md index 132982050..ba12a8263 100644 --- a/TEST_MATRIX.md +++ b/TEST_MATRIX.md 
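Review bot: The new `Fetch Github read credentials from Vault` step has no `if:` condition, unlike the `SBSIGNER_PASSWORD` fetch directly above it, so it runs on every trigger including `pull_request`. That looks intentional, because the snakeoil build step later in this file writes `EOS_BACKUP_TOKEN` into `~/.netrc`, but nothing says so; add a comment above `uses:` such as `# Runs on all branches: payg=true needs read access to the private eos-payg-nonfree repository`. It is also worth confirming that the `endlessm-eos-build-meta` Vault role accepts the JWT claims of pull-request runs (fork PRs included, if those are expected), since otherwise the job now fails at this step before any build starts.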
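Review bot: The `machine github.com` netrc entry is written twice — in the `Set up ~/.netrc` heredoc around line 139 and again inside the `Build root filesystem (signed_boot=snakeoil)` step — so the two copies can drift the next time the login or secret name changes. Move the `cat >> ~/.netrc << EOF … EOF` / `chmod 600 ~/.netrc` block into one unconditional step that runs before both build steps, leaving each build step with only `source venv/bin/activate` and its `bst` call. Because `cat >>` creates the file under the default umask before `chmod 600` runs, start that step with `umask 077` so the token is never world-readable even briefly.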
@@ -34,10 +34,13 @@ hardware support is working. Others can be on a laptop or VM. ## Testing the Image stage -There is 1 variant of the image stage: +Image variants are listed in [`doc/overview/images.md`](./doc/overview/images.md). - * product=eos flavor=base platform=amd64 +We currently test two of these variants: -The following scenarios need to be tested for the image: + 1. eos-amd64-amd64-base + 2. eosimpact-amd64-payg-base + +The following scenarios need to be tested for each image: 1. Boot the disk image in a VM, using UEFI firmware with Secure Boot enabled. diff --git a/doc/howto/build.md b/doc/howto/build.md index 29d150284..51ce69220 100644 --- a/doc/howto/build.md +++ b/doc/howto/build.md @@ -221,9 +221,11 @@ output. ## Image build stage -See `doc/overview/build.md` for an overview of the image build process and -links to external documentation. Read on for instructions on how to run the -image build. +See `doc/overview/images.md` for an overview of the different Endless OS images +variants and links for further reading. + +This document covers how to build the `eos-amd64-amd64-base` variant. The PAYG variant +can only be built inside Endless. ### Automated builds diff --git a/doc/overview/build.md b/doc/overview/build.md index 54fcf1368..cab4ae47b 100644 --- a/doc/overview/build.md +++ b/doc/overview/build.md @@ -122,6 +122,7 @@ This stage is defined in [eos-image-builder.git](https://github.com/endlessm/eos For more information on this stage, see: + * [`doc/overview/images.md`](./doc/overview/images.md) * The eos-image-builder [README](https://github.com/endlessm/eos-image-builder/blob/master/README.md) * The Endless Support & Training page diff --git a/doc/overview/images.md b/doc/overview/images.md new file mode 100644 index 000000000..50ff63fac --- /dev/null +++ b/doc/overview/images.md 
@@ -0,0 +1,48 @@ +# EOS7 images + +This is an overview of the available types of image for Endless OS 7 +and how they are produced. It's up to date as of 2025-10-10. + +## Image variants + +Official images of Endless OS are built in an internal CI system with a set of +predefined configs. + +The latest in-development version is built by "nightly-master-pipeline", which +produces the variants documented below. + +Release pipelines can produce more variants which aren't listed here. And since +Endless OS is developed in the open, there can be an infinite variety of +unofficial builds as well. + +## eos-amd64-amd64-base + +This image variant targets all users. + +To produce it, CI calls eos-image-builder with the following flags: + + --product=eos --arch=amd64 --platform=amd64 --personality=base + +Image files for this variant use the prefix `eos-amd64-amd64`. + +## eosinstaller-amd64-amd64-base + +TBD + +## eosimpact-amd64-payg-base + +This image is specifically for Pay-as-you-Go laptops. It includes private +components and can only be built inside Endless. + +To produce it, CI calls eos-image-builder with the following flags: + + --product=eosimpact --arch=amd64 --platform=payg --personality=base + +# Image build process + +Images are built using eos-image-builder. Here is are documentation links: + + * The [eos-image-builder README](https://github.com/endlessm/eos-image-builder/blob/master/README.md) + * The ["Endless OS Image Builder"](https://support.endlessos.org/en/deployment/image-builder) support guide. + +If you want a guide to building images locally, see [`doc/howto/build.md`](doc/howto/build.md). diff --git a/elements/components/systemd-base.bst b/elements/components/systemd-base.bst new file mode 100644 index 000000000..f9569f392 --- /dev/null +++ b/elements/components/systemd-base.bst 
@@ -0,0 +1,113 @@ +kind: meson + +sources: +- kind: git_repo + url: github:endlessm/systemd + track: 161-rebase-256.17 + ref: Version_256.17-9-gba32d89741ca101e4a14a2a04020628dcc11dcc6 + +build-depends: +- freedesktop-sdk.bst:bootstrap-import.bst +- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst +- freedesktop-sdk.bst:components/audit.bst +- freedesktop-sdk.bst:components/gperf.bst +- freedesktop-sdk.bst:components/m4.bst +- freedesktop-sdk.bst:components/libcap.bst +- freedesktop-sdk.bst:components/libgcrypt.bst +- freedesktop-sdk.bst:components/libgpg-error.bst +- freedesktop-sdk.bst:components/libseccomp.bst +- freedesktop-sdk.bst:components/lz4.bst +- freedesktop-sdk.bst:components/zstd.bst +- freedesktop-sdk.bst:components/util-linux-full.bst +- freedesktop-sdk.bst:components/linux-pam.bst +- freedesktop-sdk.bst:components/kmod.bst +- freedesktop-sdk.bst:components/pyelftools.bst +- freedesktop-sdk.bst:components/libxslt.bst +- freedesktop-sdk.bst:components/docbook-xsl.bst +- freedesktop-sdk.bst:components/cryptsetup-lvm2-stage1.bst +- freedesktop-sdk.bst:components/p11-kit.bst +- freedesktop-sdk.bst:components/libfido2.bst +- freedesktop-sdk.bst:components/libidn2.bst +- freedesktop-sdk.bst:components/openssl.bst +- freedesktop-sdk.bst:components/python3-jinja2.bst +- freedesktop-sdk.bst:components/apparmor.bst +- freedesktop-sdk.bst:components/tpm2-tss.bst +- freedesktop-sdk.bst:components/curl.bst +- freedesktop-sdk.bst:components/libqrencode.bst +- freedesktop-sdk.bst:components/iptables.bst +- freedesktop-sdk.bst:components/libxkbcommon.bst +- freedesktop-sdk.bst:components/llvm.bst # for compiling bpf +- freedesktop-sdk.bst:components/libmicrohttpd.bst +- freedesktop-sdk.bst:components/libarchive.bst +- gnome-build-meta.bst:core-deps/python-pefile.bst + +config: + install-commands: + (>): + - | + shopt -s nullglob + for name in %{install-root}%{indep-libdir}/systemd/boot/efi/*.elf.stub + do + chmod a-x ${name} + done + shopt -u nullglob + 
+variables: + efi: 'false' + bootloader: 'disabled' + (?): + - arch in ["x86_64", "i686", "arm", "aarch64", "riscv64"]: + efi: 'true' + bootloader: 'enabled' + meson-local: >- + -Dsysvinit-path=%{sysconfdir}/init.d + -Dsystem-uid-max=999 + -Dsystem-gid-max=999 + -Dusers-gid=100 + -Dbootloader=%{bootloader} + -Defi=%{efi} + -Dfirstboot=true + -Ddefault-dnssec=no + -Didn=true + -Dman=enabled + -Dhtml=enabled + -Dtpm=true + -Dsbat-distro=gnome-os + -Dsbat-distro-generation=1 + -Dsbat-distro-summary="GNOME OS" + -Dsbat-distro-url=https://gitlab.gnome.org/GNOME/gnome-build-meta + -Dversion-tag="$(git describe --abbrev=7 | sed "s/^v//")" + -Dxenctrl=disabled + -Dgnutls=disabled + -Dglib=disabled + -Ddbus=disabled + -Dbpf-framework=disabled + -Dstatus-unit-format-default=combined + -Dselinux=disabled + +public: + cpe: + vendor: 'freedesktop' + product: 'systemd' + version-match: '\d+' + + bst: + split-rules: + systemd-libs: + - '%{libdir}' + - '%{libdir}/libsystemd*.so*' + - '%{libdir}/libudev*.so*' + - '%{libdir}/libnss_resolve.so*' + - '%{libdir}/pkgconfig' + - '%{libdir}/pkgconfig/libsystemd.pc' + - '%{libdir}/pkgconfig/libudev.pc' + - '%{includedir}' + - '%{includedir}/libudev.h' + - '%{includedir}/systemd' + - '%{includedir}/systemd/**' + - '%{debugdir}/dwz/%{stripdir-suffix}/*' + - '%{debugdir}%{libdir}/libsystemd*.so*' + - '%{debugdir}%{libdir}/libudev*.so*' + - '%{debugdir}%{libdir}/libnss_resolve.so*' + - '%{sourcedir}' + - '%{sourcedir}/**' diff --git a/elements/eos/black.bst b/elements/eos/black.bst new file mode 100644 index 000000000..cbd39fd4e --- /dev/null +++ b/elements/eos/black.bst 
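Review bot: The SBAT values in `meson-local` still identify the build as GNOME OS — `-Dsbat-distro=gnome-os`, `-Dsbat-distro-summary="GNOME OS"` and `-Dsbat-distro-url=https://gitlab.gnome.org/GNOME/gnome-build-meta` — although this element now lives in the Endless tree and, per the `gnome-build-meta.bst` hunk in this commit, replaces `core-deps/systemd-base.bst`. SBAT is the metadata firmware consults to revoke vulnerable boot components, and `uki.bst` embeds this element's `linuxx64.efi.stub` into the PAYG UKI, so revocations aimed at GNOME OS stub generations would apply to Endless images while Endless could not revoke its own stub independently. Set the three options to Endless-specific values (`-Dsbat-distro=<endless-id>` and matching summary/url, placeholder to be chosen by the project) and treat `-Dsbat-distro-generation` as a counter to bump on security rebuilds; if inheriting the GNOME values is deliberate, a comment next to them should say why.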
@@ -0,0 +1,14 @@ +kind: pyproject + +build-depends: +- freedesktop-sdk.bst:public-stacks/buildsystem-python-hatchling.bst +- freedesktop-sdk.bst:components/python3-hatch-fancy-pypi-readme.bst + +runtime-depends: +- freedesktop-sdk.bst:components/python3.bst + +sources: +- kind: git_repo + url: github:psf/black + track: '*.*.*' + ref: 25.9.0-0-gaf0ba72a73598c76189d6dd1b21d8532255d5942 diff --git a/elements/eos/deps.bst b/elements/eos/deps.bst index 12312cca4..2575889f8 100644 --- a/elements/eos/deps.bst +++ b/elements/eos/deps.bst @@ -43,6 +43,8 @@ depends: - eos/eos-shell-content.bst - eos/eos-theme.bst - eos/eos-updater.bst +- eos/payg/deps.bst +- eos/update-ca-certificates-symlink.bst # Used by eos-image-builder. This could move into a separate tree. # See: diff --git a/elements/eos/efi-binaries.bst b/elements/eos/efi-binaries.bst index fdbf440cf..8e2ffdf74 100644 --- a/elements/eos/efi-binaries.bst +++ b/elements/eos/efi-binaries.bst @@ -5,9 +5,12 @@ description: | This element collects all the UEFI applications and configuration involved in booting EOS7. - These are installed to the well-known path `/usr/lib/efi_binaries` in the - filesystem. When building images, eos-image-builder copies them into the - EFI System Partition. + UEFI binaries for variants using GRUB are installed to the well-known path + `/usr/lib/efi_binaries` in the filesystem. When building images, + eos-image-builder copies them into the EFI System Partition. + + UEFI binaries for variants using systemd-boot are installed to + `/usr/lib/systemd/boot/efi`. At time of writing, the ESP is not updated on existing systems in any case. It could be done, using coreos bootupd or something similar. diff --git a/elements/eos/payg/deps.bst b/elements/eos/payg/deps.bst new file mode 100644 index 000000000..8a91fea89 --- /dev/null +++ b/elements/eos/payg/deps.bst 
@@ -0,0 +1,13 @@ +kind: stack +description: | + All dependencies of PAYG features, if enabled. + +depends: [] + +(?): + - payg == true: + depends: + (>): + - eos/payg/eos-payg.bst + - eos/payg/eos-payg-nonfree.bst + - eos/payg/uki-signed.bst diff --git a/elements/eos/payg/eos-payg-nonfree.bst b/elements/eos/payg/eos-payg-nonfree.bst new file mode 100644 index 000000000..181f09199 --- /dev/null +++ b/elements/eos/payg/eos-payg-nonfree.bst @@ -0,0 +1,21 @@ +kind: meson +description: | + Private components of PAYG systems. + + Source for this element is only available within Endless. Use the `payg` build option + to opt in to building it. + +build-depends: +- eos/black.bst +- freedesktop-sdk.bst:components/dracut.bst +- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst + +depends: +- eos/payg/eos-payg.bst +- eos/payg/libsodium.bst + +sources: +- kind: git_repo + url: github:endlessm/eos-payg-nonfree + track: master + ref: Release_6.0.7-6-ge1a4545cf194cae4cd047d6896995764e6b6cdca diff --git a/elements/eos/payg/eos-payg.bst b/elements/eos/payg/eos-payg.bst new file mode 100644 index 000000000..c44dffca9 --- /dev/null +++ b/elements/eos/payg/eos-payg.bst @@ -0,0 +1,27 @@ +kind: meson +description: | + Endless OS pay-as-you-go daemon + +build-depends: +- freedesktop-sdk.bst:components/dracut.bst +- freedesktop-sdk.bst:components/systemd.bst +- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst +- gnome-build-meta.bst:sdk/gtk-doc.bst + +depends: +- gnome-build-meta.bst:sdk/glib.bst +- eos/payg/libpeas-1.bst + +sources: +- kind: git_repo + url: github:endlessm/eos-payg.git + track: master + ref: Release_6.0.7-2-ge4c0993ad5748b3728c337d2a42cbae915cf025c +- kind: git_module + path: subprojects/libglnx + url: gnome:libglnx.git + ref: b38235ac2d8f1a7b1b8b9960a109eb734b8ec4dd +- kind: git_module + path: subprojects/libgsystemservice + url: gnome_gitlab:pwithnall/libgsystemservice.git + ref: 58468f2622e1415b5d1d2ffa06864ab31ab12c9a 
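Review bot: Both `eos/payg/eos-payg.bst` and `eos/payg/eos-payg-nonfree.bst` use `track: master` while their `ref` values point at release tags (`Release_6.0.7-…`), so a future `bst track` will float each element to whatever master holds at that moment instead of the next release. `elements/eos/black.bst` in the same commit uses a tag glob (`track: '*.*.*'`); the equivalent here is `track: 'Release_*'` on both elements, which keeps tracking reproducible and reviewable. This matters slightly more for eos-payg-nonfree, whose private source is harder for reviewers to inspect after a track.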
diff --git a/elements/eos/payg/libpeas-1.bst b/elements/eos/payg/libpeas-1.bst new file mode 100644 index 000000000..121bc895a --- /dev/null +++ b/elements/eos/payg/libpeas-1.bst @@ -0,0 +1,26 @@ +kind: meson +sources: +- kind: git_repo + url: gnome:libpeas.git + track: 1.36 + + ref: libpeas-1.36.0-1-gc68ecac0025caa5fa2401deff41d3b1959062600 +build-depends: +- gnome-build-meta.bst:sdk/gi-docgen.bst +- gnome-build-meta.bst:sdk/gobject-introspection.bst +- gnome-build-meta.bst:sdk/vala.bst +- freedesktop-sdk.bst:public-stacks/buildsystem-meson.bst + +depends: +- gnome-build-meta.bst:sdk/gjs.bst +- gnome-build-meta.bst:sdk/glib.bst +- gnome-build-meta.bst:sdk/pygobject.bst +- freedesktop-sdk.bst:public-stacks/runtime-minimal.bst + +variables: + meson-local: >- + -Dpython3=true + -Dlua51=false + -Dintrospection=true + -Dvapi=true + -Dgtk_doc=true diff --git a/elements/eos/payg/libsodium.bst b/elements/eos/payg/libsodium.bst new file mode 100644 index 000000000..48462ba07 --- /dev/null +++ b/elements/eos/payg/libsodium.bst @@ -0,0 +1,15 @@ +kind: autotools +description: | + Cryptographic library. + + We use a precompiled binary of libsodium, as the upstream code + is non-trivial to build. + +build-depends: + - freedesktop-sdk.bst:public-stacks/buildsystem-autotools.bst + - freedesktop-sdk.bst:components/util-linux.bst + +sources: +- kind: tar + url: libsodium:libsodium-1.0.20.tar.gz + ref: ebb65ef6ca439333c2bb41a0c1990587288da07f6c7fd07cb3a18cc18d30ce19 diff --git a/elements/eos/payg/uki-signed.bst b/elements/eos/payg/uki-signed.bst new file mode 100644 index 000000000..eb6185215 --- /dev/null +++ b/elements/eos/payg/uki-signed.bst 
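Review bot: The description of `eos/payg/libsodium.bst` says a precompiled binary is used, but the element is `kind: autotools` and its only source is `libsodium:libsodium-1.0.20.tar.gz` pinned by sha256, which reads as the upstream release tarball built from source. If that is the case, reword it to `Cryptographic library, built from the upstream release tarball.`; if a prebuilt artifact really is inside that tarball, name it and why it is needed, because a reviewer checking the pinned hash needs to know what the hash covers. Minor style: the `build-depends` list here is indented two spaces unlike the other new elements, and `libpeas-1.bst` has a stray blank line between `track:` and `ref:`.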
@@ -0,0 +1,29 @@ +kind: script +description: | + Install the UKI where Endless's OSTree fork will find it. + + The UKI is written inside `/usr/lib/modules/` alongside the regular initramfs. + The signed binary is deployed to the ESP by a codepath in the custom Endless + version of OSTree, when `OSTREE_DEPLOY_PAYG` is set in the environment. + +build-depends: + - freedesktop-sdk.bst:bootstrap-import.bst + - components/linux.bst + +(?): + - signed_boot == 'endless': + build-depends: + (>): + - signing/payg/signed-uki-endless.bst + - signed_boot == 'snakeoil': + build-depends: + (>): + - signing/payg/signed-uki-snakeoil.bst + +config: + commands: + - | + version="$(ls -1 /lib/modules | head -n1)" + mkdir -p %{install-root}/usr/lib/modules/${version} + cp /usr/share/efi_binaries_payg/payg-image-signed.efi %{install-root}/usr/lib/modules/${version}/ + diff --git a/elements/eos/payg/uki.bst b/elements/eos/payg/uki.bst new file mode 100644 index 000000000..af55388df --- /dev/null +++ b/elements/eos/payg/uki.bst 
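Review bot: `version="$(ls -1 /lib/modules | head -n1)"` silently picks the lexically first directory, so if more than one kernel version is ever staged the signed UKI is copied next to a kernel it was not built from; `uki.bst` in this commit uses the same pattern. Replace it with an explicit single-version check: `set -- /lib/modules/*`, `[ "$#" -eq 1 ] || { echo "expected exactly one kernel in /lib/modules" >&2; exit 1; }`, `version="$(basename "$1")"`. A short comment above the `cp` naming the two `signing/payg/*` elements that produce `payg-image-signed.efi` would also help the next reader, since the path is otherwise only implied by the conditional `build-depends`.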
@@ -0,0 +1,69 @@ +kind: script +description: | + EOS7 Pay-As-You-Go UKI construction using Dracut. + + This builds a Unified Kernel Image (Linux + initramfs) for use in Endless OS + Pay-As-You-Go variants, using Dracut and systemd-stub. + + Dracut builds the initramfs based on configuration files in `/etc/dracut`: + + * endless.conf, from `eos/eos-boot-helper.bst` + * ostree.conf, from `freedesktop-sdk.bst:components/ostree.bst` + + The UKI is written to %{install-path} by this element. The final UKI + installed in place by `uki-signed.bst` + +build-depends: +- eos/eos-boot-helper.bst +- eos/initramfs/deps.bst +- eos/payg/eos-payg.bst +- eos/payg/eos-payg-nonfree.bst +- freedesktop-sdk.bst:components/dracut.bst +- freedesktop-sdk.bst:components/ostree.bst +- freedesktop-sdk.bst:components/python3-pefile.bst +- gnome-build-meta.bst:core-deps/systemd.bst + +variables: + # The UKI is installed into its final location in a later element after signing. + install-path: "/usr/share/efi_binaries_payg/" + +config: + commands: + - mkdir -p /tmp + - mkdir -p /var/tmp + - mkdir -p /efi + + - | + sysroot=/ + version="$(ls -1 /lib/modules | head -n1)" + echo "Running depmod" 1>&2 + + for version in $(ls "${sysroot}"/lib/modules/); do + depmod -b "${sysroot}" -a "${version}"; + done + + # Dracut uses this information to find loadable shared objects. + - | + echo '%{libdir}' >> /etc/ld.so.conf + + # Build the initramfs using dracut. + # + # We tee stderr to a file for post-processing. + - | + version="$(ls -1 /lib/modules | head -n1)" + mkdir -p "%{install-root}%{install-path}" + dracut %{install-root}%{install-path}/payg-image.efi ${version} \ + -k /usr/lib/modules/${version} --uefi \ + --uefi-stub=%{install-root}/usr/lib/systemd/boot/efi/linuxx64.efi.stub \ + --kernel-cmdline "eospayg efi_no_storage_paranoia rd.shell=0" \ + --kernel-image /boot/vmlinuz \ + --force-drivers "endlessdog" \ + --add "eos-payg eos-payg-nonfree" + + # Dracut treats errors as warnings. 
In practice, errors often mean a + # broken initramfs, so we detect them here and raise an error. + - | + if grep "ERROR:" /var/tmp/dracut.log; then + echo "Errors detected in Dracut log file." + exit 1 + fi diff --git a/elements/eos/update-ca-certificates-symlink.bst b/elements/eos/update-ca-certificates-symlink.bst new file mode 100644 index 000000000..b3564f6b5 --- /dev/null +++ b/elements/eos/update-ca-certificates-symlink.bst @@ -0,0 +1,22 @@ +kind: manual +description: | + Compatibility symlink for the `update-ca-certificates` program. + + Freedesktop SDK includes the Red Hat CA certificates package which is + updated via `update-ca-trust`. + + EOS6 included the Debian CA certificates package which is updated via + `update-ca-certificates`. + + The eos-safe-defaults program and maybe other things assume they can run + `update-ca-certificates`, we add a compatibility symlink so this keeps + working. + +build-depends: + - freedesktop-sdk.bst:bootstrap-import.bst + +config: + install-commands: + - | + mkdir -p %{install-root}/usr/bin/ + ln -sf /usr/bin/update-ca-trust %{install-root}/usr/bin/update-ca-certificates diff --git a/elements/gnome-build-meta.bst b/elements/gnome-build-meta.bst index 1c5c5aa87..8d3e93cae 100644 --- a/elements/gnome-build-meta.bst +++ b/elements/gnome-build-meta.bst @@ -11,6 +11,7 @@ config: core/meta-gnome-core-apps.bst: core/meta-gnome-core-apps.bst core/gnome-session.bst: core/gnome-session.bst core-deps/accountsservice.bst: components/accountsservice.bst + core-deps/systemd-base.bst: components/systemd-base.bst freedesktop-sdk.bst: freedesktop-sdk.bst gnomeos/os-release-user.bst: eos/os-release-user.bst diff --git a/elements/signing/payg/signed-uki-endless.bst b/elements/signing/payg/signed-uki-endless.bst new file mode 100644 index 000000000..a91a32fef --- /dev/null +++ b/elements/signing/payg/signed-uki-endless.bst 
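Review bot: The final check in `uki.bst` greps `/var/tmp/dracut.log`, but nothing in this element writes that file — the comment above the `dracut` command says stderr is teed to a file, yet the invocation has no `tee` — so unless dracut is configured through `/etc/dracut` to log there, `grep` exits non-zero on the missing file and the `if` silently passes, making the error detection a no-op. Capture the output explicitly: start the block with `set -o pipefail` and end the dracut command with `2>&1 | tee /var/tmp/dracut.log`, or at least add `test -f /var/tmp/dracut.log || { echo "dracut log missing" >&2; exit 1; }` before the grep. In the depmod block, the initial `version="$(ls -1 /lib/modules | head -n1)"` is immediately shadowed by the `for version in …` loop and can be dropped. The `--kernel-cmdline` string is security-relevant (`rd.shell=0` disables the emergency shell); a one-line comment on why `efi_no_storage_paranoia` is required would make later edits to it safer to review.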
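Review bot: The symlink in `update-ca-certificates-symlink.bst` makes `update-ca-certificates` resolve to `update-ca-trust`, but the two programs have different command-line interfaces, so any caller passing Debian-style arguments (the description only knows of eos-safe-defaults "and maybe other things") gets `update-ca-trust`'s interpretation of them. If the known callers run it with no arguments, state that in the description (`Callers are expected to invoke it with no arguments; the Debian tool's options are not emulated.`); otherwise a small wrapper script that ignores or maps the arguments would be safer than a bare symlink.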
@@ -0,0 +1,11 @@ +kind: eos_sb_signer +description: | + Sign the PAYG UKI using eos-sb-signer service. + +build-depends: +- eos/payg/uki.bst + +config: + input: "/usr/share/efi_binaries_payg/payg-image.efi" + output: "%{install-root}/usr/share/efi_binaries_payg/payg-image-signed.efi" + certificate: payg_uefi diff --git a/elements/signing/payg/signed-uki-snakeoil.bst b/elements/signing/payg/signed-uki-snakeoil.bst new file mode 100644 index 000000000..487b60a26 --- /dev/null +++ b/elements/signing/payg/signed-uki-snakeoil.bst @@ -0,0 +1,23 @@ +kind: manual +description: | + Sign the PAYG UKI with the insecure "snakeoil" key. + +build-depends: +- eos/payg/uki.bst +- freedesktop-sdk.bst:components/sbsigntools.bst + +config: + install-commands: + - | + mkdir -p "%{install-root}/usr/share/efi_binaries_payg/" + sbsign \ + --key VENDOR-snakeoil.key \ + --cert VENDOR-snakeoil.crt \ + --output=%{install-root}/usr/share/efi_binaries_payg/payg-image-signed.efi \ + "/usr/share/efi_binaries_payg/payg-image.efi" + +sources: +- kind: local + path: files/boot-keys/VENDOR-snakeoil.key +- kind: local + path: files/boot-keys/VENDOR-snakeoil.crt diff --git a/include/aliases.yml b/include/aliases.yml index d45e14459..269375ffd 100644 --- a/include/aliases.yml +++ b/include/aliases.yml @@ -37,6 +37,7 @@ aliases: kldp: https://kldp.net/ launchpad: https://launchpad.net/ libburnia: http://files.libburnia-project.org/releases/ + libsodium: https://download.libsodium.org/libsodium/releases/ libopenraw: https://libopenraw.freedesktop.org/ libraw: https://www.libraw.org/ libvirt: https://libvirt.org/sources/ diff --git a/include/eos_sb_signer.yml b/include/eos_sb_signer.yml index 5289753b3..c113014ef 100644 --- a/include/eos_sb_signer.yml +++ b/include/eos_sb_signer.yml @@ -5,3 +5,4 @@ elements: endpoint: http://localhost:5000 private-key-file: files/eos-sb-signer/apitrustedkey-secret.gpg timeout: 30 + certificate: eos_uefi 
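Review bot: `signed-uki-snakeoil.bst` signs with `sbsign` but never verifies the result, so a truncated or mis-signed `payg-image-signed.efi` is only discovered at boot; since this element and `signed-uki-endless.bst` write the identical output path consumed by `uki-signed.bst`, a bad artifact is indistinguishable from a good one at build time. Add `sbverify --cert VENDOR-snakeoil.crt %{install-root}/usr/share/efi_binaries_payg/payg-image-signed.efi` after the `sbsign` call; `sbsigntools` is already a build dependency and the certificate is already staged. The same post-signing verification would be worth adding on the service-signed path once the `payg_uefi` certificate is available to the build.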
diff --git a/plugins/eos_sb_signer.py b/plugins/eos_sb_signer.py index 1136bb66d..2fd9544cd 100644 --- a/plugins/eos_sb_signer.py +++ b/plugins/eos_sb_signer.py @@ -24,13 +24,14 @@ class EosSbSignerElement(Element): BST_FORBID_SOURCES = True def configure(self, node): - node.validate_keys(['input', 'endpoint', 'output', 'private-key-file', 'timeout']) + node.validate_keys(['input', 'endpoint', 'output', 'private-key-file', 'timeout', 'certificate']) self.input_path = node.get_str('input') self.endpoint = node.get_str('endpoint') self.output_path = node.get_str('output') self.private_key_file = node.get_str('private-key-file') self.timeout = node.get_int('timeout', default=30) + self.certificate = node.get_str('certificate') if not self.input_path: raise ElementError("'input' configuration is required") @@ -38,6 +39,8 @@ def configure(self, node): raise ElementError("'endpoint' configuration is required") if not self.private_key_file: raise ElementError("'private-key-file' configuration is required") + if not self.certificate: + raise ElementError("'certificate' configuration is required") def preflight(self): if not Path(self.private_key_file).is_file(): @@ -51,6 +54,7 @@ def get_unique_key(self): 'endpoint': self.endpoint, 'output': self.output_path, 'key-fingerprint': fingerprint, + 'certificate': self.certificate, } return key @@ -90,6 +94,9 @@ def assemble(self, sandbox): 'file': ('binary.efi', binary_data, 'application/octet-stream'), 'signature': ('signature.sig', bytes(signature), 'application/octet-stream'), } + data = { + 'certificate': self.certificate + } signing_url = f"{self.endpoint.rstrip('/')}/api/sign" self.info(f"Sending POST request to signer service at {signing_url}") @@ -97,6 +104,7 @@ def assemble(self, sandbox): try: response = requests.post( signing_url, + data=data, files=files, timeout=self.timeout ) diff --git a/project.conf b/project.conf index dae37166a..9420b4962 100644 --- a/project.conf +++ b/project.conf 
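Review bot: The new `certificate` selector is sent to the signer as a plain multipart `data` field while the binary travels with a detached `signature` (computed earlier in `assemble`, outside this hunk), so which certificate is requested is not bound to the request's authentication; whether that matters depends on what the service enforces, and with the `http://localhost:5000` endpoint from `include/eos_sb_signer.yml` the transport does not add integrity either. If the service supports it, fold the certificate name into the signed payload; at minimum record the assumption above `data = {`: `# NOTE: 'certificate' is not covered by the detached signature; the service must restrict which certificates this key may request.` As I understand `node.get_str('certificate')` with no default, a missing key is rejected by BuildStream at load time, so the added `if not self.certificate` check only catches an empty string — consistent with the other required keys, but worth knowing when reading the error paths. The `validate_keys([...])` call is now a single long line; one key per line would keep future diffs readable.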
@@ -50,6 +50,10 @@ options: - endless - snakeoil default: snakeoil + payg: + type: bool + description: Enable PAYG features + default: false # Some overrides to the default sandbox execution environment #
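Review bot: The `payg` option's `description: Enable PAYG features` does not tell a user what enabling it entails, while `eos/payg/eos-payg-nonfree.bst` states its source is only available inside Endless and `doc/howto/build.md` in this commit says the PAYG variant can only be built there. Say so where the option is defined, e.g. `description: Enable PAYG features (requires access to private Endless repositories; see doc/overview/images.md)`, so that `bst -o payg true` from outside fails against a documented expectation rather than an opaque source fetch error.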