@bkrochta
Contributor

The mkinitcpio hook runs `sbctl sign "$IMAGE_FILE"` and has no way to know the output file path for the corresponding image file. This results in signing in place, which may break booting for those with different locations for signed and unsigned UKIs.

The sign command should check if the given file is in the database and use the saved output file path.

The mkinitcpio hook runs `sbctl sign "$IMAGE_FILE"` and has no way to
know the output filepath for the corresponding image file. This results
in signing in place which may break booting for those with different
locations for signed and unsigned UKIs.

The sign command should check if the given file is in the database and
use the saved output filepath.
@Foxboron
Owner

I don't quite understand this patch. In which case would `$IMAGE_FILE` point at a file which should be placed somewhere else? Using sbctl this way to throw a file into the correct location seems wrong?

@bkrochta
Contributor Author

In my circumstance, I am running Arch, and I have unsigned unified kernel images built by mkinitcpio in `/boot/unsigned-images/` on my encrypted root partition where I then want to have them signed and placed in the unencrypted EFI partition.

When first setting up sbctl, I signed all my images with `sbctl sign -s /boot/unsigned-images/... -o /efi/EFI/...` so that they are saved in the sbctl database. However, this database is only read and used when running `sbctl sign-all` and not `sbctl sign`.

When the UKIs are triggered to be rebuilt by mkinitcpio, the hook from sbctl runs and signs each image as it is built. However, it ignores the output location I had saved and signs the image in-place. This results in the images in the EFI not being updated which may cause the computer to fail to boot if the kernel doesn't match what is installed on the computer.

There is a pacman hook that runs `sbctl sign-all`, but this is broken in the current release, saying the "image is already signed", but after pulling the most recent changes since 0.15.4, it has been fixed and it does re-sign the files and move them to the EFI. However, the mkinitcpio hook is still signing images in place when the database specifies an out location. If I manually run `mkinitcpio -p ...`, I'd still have to move the file to my EFI.

I know this reasoning is Arch-specific, but I do believe that if someone had initially run something like `sbctl sign -s /boot/unsigned-images/... -o /efi/EFI/...` to save the output location, subsequent `sbctl sign` runs should respect that saved location. If they want to manually put it somewhere else or sign in place just this one time, then they can use the `-o` option.

Remove logging print line reading output file location from database
when signing.
@Foxboron Foxboron merged commit 69deb5c into Foxboron:master Oct 15, 2024