local-build: add support for key verification for IBM Secure Execution

This makes `build_se_image.sh` incorporate the key verification that `genprotimg` already supports.
It is enabled by setting two environment variables, `SIGNING_KEY_CERT_PATH` and `INTERMEDIATE_CA_CERT_PATH`.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Hyounggyu Choi
2023-06-26 16:24:50 +02:00
parent 52bdc87fe9
commit 31db56207b


@@ -40,9 +40,12 @@ Options:
--destdir=${destdir}
Environment variables:
HKD_PATH (required): Secure Execution host key document, generally specific to your machine. See
HKD_PATH (required): a path for a directory which includes at least one host key document
for Secure Execution, generally specific to your machine. See
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
for information on how to retrieve and verify this document.
SIGNING_KEY_CERT_PATH: a path for the IBM zSystem signing key certificate
INTERMEDIATE_CA_CERT_PATH: a path for the intermediate CA certificate signed by the root CA
DEBUG : If set, display debug information.
EOF
exit "${1:-0}"
@@ -62,6 +65,15 @@ build_secure_image() {
kernel_params="${1:-}"
install_src_dir="${2:-}"
install_dest_dir="${3:-}"
key_verify_option="--no-verify" # no verification for CI testing purposes
if [ -n "${SIGNING_KEY_CERT_PATH:-}" ] && [ -n "${INTERMEDIATE_CA_CERT_PATH:-}" ]; then
if [ -e "${SIGNING_KEY_CERT_PATH}" ] && [ -e "${INTERMEDIATE_CA_CERT_PATH}" ]; then
key_verify_option="--cert=${SIGNING_KEY_CERT_PATH} --cert=${INTERMEDIATE_CA_CERT_PATH}"
else
die "Specified certificate(s) not found"
fi
fi
if [ ! -f "${install_src_dir}/vmlinuz.container" ] ||
[ ! -f "${install_src_dir}/kata-containers-initrd.img" ]; then
@@ -99,7 +111,7 @@ EOF
--image="${install_src_dir}/vmlinuz.container" \
--ramdisk="${install_src_dir}/kata-containers-initrd.img" \
--parmfile="${parmfile}" \
--no-verify # no verification for CI testing purposes
"${key_verify_option}"
build_result=$?
if [ $build_result -eq 0 ]; then