commit 868aaba1ee205304deab81d53bbd0962b54355e5
author Miri Amarilio <mirilio@google.com> Thu Mar 21 17:10:16 2024 +0000
committer Miri Amarilio <mirilio@google.com> Wed Apr 03 20:40:48 2024 +0000
tree 2adba53e18c935b083fbec792169f81edfc50f6a
parent ae240a42e4d5a19e492e12dcecb3b5ec7307cc2c

Update the signing scripts to allow KMS signing in RBE.

We will pass on a flag from the builder script all the way to the signing scripts.
In the scripts - accept the new flags and pass them on to the KMS signer app.

This change must go in the same time as the BE change to add that new flag:
https://cos-internal-review.git.corp.google.com/c/cos/infra/build-executor/+/39983

BUG=b/332363254
TEST=presubmit passes on rbe (verifies impersonation) and on kokoro (verifies existing behavior when flag is not provided)

Change-Id: I544e77cdceed3c507e96699d6183118e757a9aae
Reviewed-on: https://cos-review.googlesource.com/c/third_party/platform/vboot_reference/+/67690
Tested-by: RBE Service account <service-384042960741@remotebuildexecution.iam.gserviceaccount.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>

scripts/image_signing/sign_official_cos_build.sh

diff --git a/scripts/image_signing/sign_official_cos_build.sh b/scripts/image_signing/sign_official_cos_build.sh
index 5aa49ad..404dc5f 100755
--- a/scripts/image_signing/sign_official_cos_build.sh
+++ b/scripts/image_signing/sign_official_cos_build.sh
@@ -77,7 +77,8 @@
 INPUT_IMAGE=$3
 KEY_DIR=$4
 OUTPUT_IMAGE=$5
-VERSION_FILE=$6
+SERVICE_ACCOUNT=$6
+VERSION_FILE=$7
 
 FIRMWARE_VERSION=1
 KERNEL_VERSION=1
@@ -493,7 +494,7 @@
 #   KMS_KEY=<key>
 #   KMS_KEYVERSION=<key version>
 sign_update_payload_kms() {
-  local -r hash="$1" key_dir="$2" output="$3"
+  local -r hash="$1" key_dir="$2" output="$3" service_account="$4"
   local -r key_file="${key_dir}/kms.key"
 
   source "${key_file}"
@@ -507,7 +508,8 @@
     --key-version "${KMS_KEYVERSION}" \
     digest \
     --input "${hash}" \
-    --output "${output}"
+    --output "${output}" \
+    --service-account "${service_account}"
 }
 
 # Sign UEFI binaries, if possible.
@@ -515,6 +517,7 @@
 sign_uefi_binaries() {
   local loopdev="$1"
   local kms_option="--nokms"
+  local service_account="$2"
   if [[ "${KEY_ORIGIN}" == "kms" ]]; then
     kms_option="--kms"
   fi
@@ -526,12 +529,12 @@
   elif [[ -z "${esp_dir}" ]]; then
     return 0
   fi
-  "${SCRIPT_DIR}/sign_uefi.sh" -t "${esp_dir}"  -k "${KEY_DIR}" "${kms_option}"
+  "${SCRIPT_DIR}/sign_uefi.sh" -t "${esp_dir}"  -k "${KEY_DIR}" "${kms_option}" --service_account "${service_account}"
   sudo umount "${esp_dir}"
 
   local rootfs_dir="$(make_temp_dir)"
   mount_loop_image_partition "${loopdev}" 3 "${rootfs_dir}"
-  "${SCRIPT_DIR}/sign_uefi.sh" -t "${rootfs_dir}/boot" -k "${KEY_DIR}" "${kms_option}"
+  "${SCRIPT_DIR}/sign_uefi.sh" -t "${rootfs_dir}/boot" -k "${KEY_DIR}" "${kms_option}" --service_account "${service_account}"
   sudo umount "${rootfs_dir}"
 
   info "Signed UEFI binaries"
@@ -731,6 +734,7 @@
   local kernA_privkey="$6"
   local kernB_keyblock="$7"
   local kernB_privkey="$8"
+  local service_account="$9"
 
   info "Preparing ${image_type} image..."
   cp --sparse=always "${input}" "${output}"
@@ -739,7 +743,7 @@
   local loop_kern="${loopdev}p${dm_partno}"
   local loop_rootfs="${loopdev}p3"
 
-  sign_uefi_binaries "${loopdev}"
+  sign_uefi_binaries "${loopdev}" "${service_account}"
   # We do NOT strip /boot for factory installer, since some devices need it to
   # boot EFI. crbug.com/260512 would obsolete this requirement.
   #
@@ -793,12 +797,12 @@
   exit 0
   ;;
 *)
-  # All other signing commands take 4 to 5 args.
+  # All other signing commands take 4 to 6 args.
   if [ -z "${OUTPUT_IMAGE}" ]; then
     # Friendlier message.
     usage "Missing output image name"
   fi
-  check_argc $# 4 5
+  check_argc $# 4 6
   ;;
 esac
 
@@ -815,12 +819,12 @@
 if [[ "${TYPE}" == "base" ]]; then
   sign_image_file "SSD" "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" 2 \
     "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" \
-    "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk"
+    "${KEY_DIR}/kernel.keyblock" "${KEY_DIR}/kernel_data_key.vbprivk" ${SERVICE_ACCOUNT}
 elif [[ "${TYPE}" == "update_payload" ]]; then
   # The argument names here are a little awkard because sign_update_payload
   # doesn't sign "image" but only signs hashes, but we want to use the same
   # interface as sign_image_file, so ...
-  sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE}
+  sign_update_payload ${INPUT_IMAGE} ${KEY_DIR} ${OUTPUT_IMAGE} ${SERVICE_ACCOUNT}
 else
   die "Invalid type ${TYPE}"
 fi

scripts/image_signing/sign_uefi.sh

diff --git a/scripts/image_signing/sign_uefi.sh b/scripts/image_signing/sign_uefi.sh
index 14c328e..dd22b55 100755
--- a/scripts/image_signing/sign_uefi.sh
+++ b/scripts/image_signing/sign_uefi.sh
@@ -9,6 +9,7 @@
 DEFINE_string target_dir "" "Directory to put signed file in" "t"
 DEFINE_string key_dir "" "Directory of signing keys and certificates" "k"
 DEFINE_boolean kms $FLAGS_FALSE "Whether or not to sign with KMS keys" ""
+DEFINE_string service_account "" "Service account to impersonate" ""
 
 FLAGS "$@" || exit 1
 eval set -- "$FLAGS_ARGV"
@@ -42,7 +43,8 @@
     pkcs7 \
     --signing-cert "${kms_cert}" \
     --input "${old_sig}" \
-    --output "${new_sig}"
+    --output "${new_sig}" \
+    --service-account "${FLAGS_service_account}"
 
   cp "${target}" "${resigned}"
   sbattach --attach "${new_sig}" "${resigned}"