Update the signing scripts to allow KMS signing in RBE.
We will pass on a flag from the builder script all the way to the signing scripts.
In the scripts - accept the new flags and pass them on to the KMS signer app.
This change must go in at the same time as the BE change to add that new flag:
https://cos-internal-review.git.corp.google.com/c/cos/infra/build-executor/+/39983
BUG=b/332363254
TEST=presubmit passes on rbe (verifies impersonation) and on kokoro (verifies existing behavior when flag is not provided)
Change-Id: I544e77cdceed3c507e96699d6183118e757a9aae
Reviewed-on: https://cos-review.googlesource.com/c/third_party/platform/vboot_reference/+/67690
Tested-by: RBE Service account <service-384042960741@remotebuildexecution.iam.gserviceaccount.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
diff --git a/scripts/image_signing/sign_official_cos_build.sh b/scripts/image_signing/sign_official_cos_build.sh
index 5aa49ad..404dc5f 100755
--- a/scripts/image_signing/sign_official_cos_build.sh
+++ b/scripts/image_signing/sign_official_cos_build.sh
@@ -77,7 +77,8 @@
INPUT_IMAGE=$3
KEY_DIR=$4
OUTPUT_IMAGE=$5
-VERSION_FILE=$6
+SERVICE_ACCOUNT=$6
+VERSION_FILE=$7
FIRMWARE_VERSION=1
KERNEL_VERSION=1
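Review bot: Inserting `SERVICE_ACCOUNT=$6` ahead of `VERSION_FILE=$7` shifts an existing positional parameter, so any caller that still passes the version file as the sixth argument now has that path forwarded as the account to impersonate and silently loses its version file. Appending the new parameter after VERSION_FILE, or taking it as a named flag the way sign_uefi.sh does, keeps old invocations valid. The usage text that lists the positional arguments is outside this hunk and presumably needs the new parameter as well.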
@@ -493,7 +494,7 @@
# KMS_KEY=<key>
# KMS_KEYVERSION=<key version>
sign_update_payload_kms() {
- local -r hash="$1" key_dir="$2" output="$3"
+ local -r hash="$1" key_dir="$2" output="$3" service_account="$4"
local -r key_file="${key_dir}/kms.key"
source "${key_file}"
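Review bot: The new `service_account="$4"` parameter is undocumented: the comment above the function describes only the variables expected in kms.key, and nothing states whether the fourth argument may be empty or what it is forwarded to. A short argument list above `sign_update_payload_kms() {`, e.g. `# Args: hash, key_dir, output, service_account (forwarded to the KMS signer; may be empty — confirm)`, would tell callers what is expected. The function body continues in the next hunk.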
@@ -507,7 +508,8 @@
--key-version "${KMS_KEYVERSION}" \
digest \
--input "${hash}" \
- --output "${output}"
+ --output "${output}" \
+ --service-account "${service_account}"
}
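Review bot: `--service-account "${service_account}"` is now passed unconditionally, so when no account is supplied the KMS signer receives an explicit empty value rather than no flag at all; whether it treats an empty `--service-account` as "do not impersonate" is not visible here, and the kokoro run in the TEST line exercises that path only indirectly. Adding the flag only when the value is non-empty would match the stated goal of unchanged behaviour when the flag is not provided. The same unconditional pass-through appears in sign_uefi_binaries (both `--service_account` arguments to sign_uefi.sh) and in sign_uefi.sh's pkcs7 invocation. sign_update_payload_kms begins in the preceding hunk.
```shell
  local -a impersonate=()
  if [[ -n "${service_account}" ]]; then
    impersonate+=(--service-account "${service_account}")
  fi
  # … unchanged: KMS signer invocation through --input "${hash}" …
    --output "${output}" \
    ${impersonate[@]+"${impersonate[@]}"}   # empty-array-safe under set -u
}
```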
# Sign UEFI binaries, if possible.
@@ -515,6 +517,7 @@
sign_uefi_binaries() {
local loopdev="$1"
local kms_option="--nokms"
+ local service_account="$2"
if [[ "${KEY_ORIGIN}" == "kms" ]]; then
kms_option="--kms"
fi
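Review bot: The new `local service_account="$2"` is declared after the derived `kms_option` default instead of next to `local loopdev="$1"`, which separates the two positional reads and makes the function's argument list harder to see at a glance. Moving it up keeps the parameters together: `local loopdev="$1"`, `local service_account="$2"`, then `local kms_option="--nokms"`. sign_uefi_binaries continues past the end of this hunk.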
@@ -526,12 +529,12 @@
elif [[ -z "${esp_dir}" ]]; then
return 0
fi
- "${SCRIPT_DIR}/sign_uefi.sh" -t "${esp_dir}" -k "${KEY_DIR}" "${kms_option}"
+ "${SCRIPT_DIR}/sign_uefi.sh" -t "${esp_dir}" -k "${KEY_DIR}" "${kms_option}" --service_account "${service_account}"
sudo umount "${esp_dir}"
local rootfs_dir="$(make_temp_dir)"
mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
- "${SCRIPT_DIR}/sign_uefi.sh" -t "${rootfs_dir}/boot" -k "${KEY_DIR}" "${kms_option}"
+ "${SCRIPT_DIR}/sign_uefi.sh" -t "${rootfs_dir}/boot" -k "${KEY_DIR}" "${kms_option}" --service_account "${service_account}"
sudo umount "${rootfs_dir}"
info "Signed UEFI binaries"
@@ -731,6 +734,7 @@
local kernA_privkey="$6"
local kernB_keyblock="$7"
local kernB_privkey="$8"
+ local service_account="$9"
info "Preparing ${image_type} image..."
cp --sparse=always "${input}" "${output}"
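Review bot: `local service_account="$9"` makes sign_image_file a nine-argument function, and a caller that omits the ninth argument gets an empty string with no diagnostic. The function's header and any argument comment sit above this hunk and are not visible here; if they enumerate the positional arguments, the new one should be added there, e.g. `# $9 - service account to impersonate for KMS signing (may be empty)`. sign_image_file begins outside the hunk.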
@@ -739,7 +743,7 @@
local loop_kern="${loopdev}p${dm_partno}"
local loop_rootfs="${loopdev}p3"
- sign_uefi_binaries "${loopdev}"
+ sign_uefi_binaries "${loopdev}" "${service_account}"
# We do NOT strip /boot for factory installer, since some devices need it to
# boot EFI. crbug.com/260512 would obsolete this requirement.
#
@@ -793,12 +797,12 @@
exit 0
;;
*)
- # All other signing commands take 4 to 5 args.
+ # All other signing commands take 4 to 6 args.
if [ -z "${OUTPUT_IMAGE}" ]; then
# Friendlier message.
usage "Missing output image name"
fi
- check_argc $# 4 5
+ check_argc $# 4 6
;;
esac
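Review bot: `check_argc $# 4 6` and the comment `4 to 6 args` do not line up with the parameter reads in the first hunk, where VERSION_FILE now sits at `$7`: if check_argc counts the same positional list the header reads, an invocation that supplies both a service account and a version file has seven arguments and is rejected. Before this change the bound was 5 against a header reading `$6`, so the count may be taken after a shift elsewhere; that relationship is not visible here and is worth confirming. If the header count is the one that applies, the lines become `# All other signing commands take 4 to 7 args.` and `check_argc $# 4 7`.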
@@ -815,12 +819,12 @@
if [[ "${TYPE}" == "base" ]]; then
sign_image_file "SSD" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \
"${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" \
- "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk"
+ "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" ${SERVICE_ACCOUNT}
elif [[ "${TYPE}" == "update_payload" ]]; then
# The argument names here are a little awkard because sign_update_payload
# doesn't sign "image" but only signs hashes, but we want to use the same
# interface as sign_image_file, so ...
- sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE}
+ sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE} ${SERVICE_ACCOUNT}
else
die "Invalid type ${TYPE}"
fi
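Review bot: `${SERVICE_ACCOUNT}` is unquoted in the sign_image_file call while every other argument on that line is quoted, so a value containing whitespace or glob characters would be word-split or expanded (SC2086); when empty it vanishes and `$9` is simply unset, which a quoted empty string gives as well. Write it as `"${SERVICE_ACCOUNT}"`. The sign_update_payload call below keeps the pre-existing unquoted style for all of its arguments, so it is at least consistent, but the same fix applies there.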
diff --git a/scripts/image_signing/sign_uefi.sh b/scripts/image_signing/sign_uefi.sh
index 14c328e..dd22b55 100755
--- a/scripts/image_signing/sign_uefi.sh
+++ b/scripts/image_signing/sign_uefi.sh
@@ -9,6 +9,7 @@
DEFINE_string target_dir "" "Directory to put signed file in" "t"
DEFINE_string key_dir "" "Directory of signing keys and certificates" "k"
DEFINE_boolean kms $FLAGS_FALSE "Whether or not to sign with KMS keys" ""
+DEFINE_string service_account "" "Service account to impersonate" ""
FLAGS "$@" || exit 1
eval set -- "$FLAGS_ARGV"
@@ -42,7 +43,8 @@
pkcs7 \
--signing-cert "${kms_cert}" \
--input "${old_sig}" \
- --output "${new_sig}"
+ --output "${new_sig}" \
+ --service-account "${FLAGS_service_account}"
cp "${target}" "${resigned}"
sbattach --attach "${new_sig}" "${resigned}"