On Wed, Jul 05, 2023 at 11:29:27AM -0000, Kamil Aronowski wrote:
> Hello people. I need some help from the good folks who maintain the Fedora servers responsible for building a bootchain securely, i.e. GRUB2 or the kernel. For instance, the bkernel01.iad2.fedoraproject.org server.
Happy to try and help.
> Let's take a look at the build logs of a recent GRUB2 build (https://koji.fedoraproject.org/koji/buildinfo?buildID=2185557) here: https://kojipkgs.fedoraproject.org//packages/grub2/2.06/95.fc38/data/logs/x8... As far as I can see, this server has a smart-card with a private key attached and during the building procedure, the critical components are being signed with Red Hat Bootloader Team's `pesign` software (version +115) running in client-server mode rather than standalone mode. By this I mean e.g. line number 7074 from the log file:
>
> + /usr/bin/pesign-client -t 'OpenSC Card (Fedora Signer)' -c '/CN=Fedora Secure Boot Signer' -s -i grubx64.efi.orig -o grubx64.efi.onesig
>
> I'd like to replicate the setup Fedora has to rebuild bootchain components on my own. My question is: how did you make `pesign-client` work fine? Is there a procedure of some sort that works just fine that I don't know about?
>
> Here's what I attempted on a Fedora 38 machine:
>
> ...snip...
>
> Please, give me a helping hand with this. What procedure do I have to follow to replicate what's on Fedora Koji instances? What is there that I'm missing?
So, bkernel01/02 are koji builders, so there's kojid and mock in the way there. We have for mock:
roles/bkernel/files/bkernel-site-defaults.cfg
config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))
config_opts['nspawn_args'] += ['--bind=/var/run/pesign']
which bind mounts the pesign socket into the chroot. (now of course you aren't using mock, but wanted to mention it)
Then, we have some acls on the socket and run directory:
roles/bkernel/tasks/main.yml
acl: path=/var/run/pesign entity=kojibuilder etype=user permissions=rwx recursive=true state=present
(and some more acls).
So, it might be that just being in the pesign group isn't enough to connect to the socket? Or there's some selinux denial?
I'd try stracing it and see whether it can talk to the socket correctly.
If it's talking to the pesign-server ok, then I am not sure what the problem is. ;(
kevin
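A small troubleshooting helper for the checks kevin lists above (socket present, ACL on the run directory, SELinux denials), added here as an example; it is not part of the thread or of Fedora's infrastructure repo. It assumes the layout from the thread (pesign-server's socket under /var/run/pesign) and that getfacl and, optionally, ausearch are installed.

```shell
#!/bin/bash
# Added example, not from the thread. Checks why a pesign-client might not
# be able to reach pesign-server's socket on a Fedora-style host.
PESIGN_DIR="${PESIGN_DIR:-/var/run/pesign}"   # assumed run directory

# acl_grants_rwx USER ACL_TEXT GROUPS
# Returns 0 if the getfacl output in ACL_TEXT gives USER rwx, either via a
# named user entry or via one of the GROUPS (space-separated) USER belongs to.
# An entry cut down by the mask is printed by getfacl with a trailing
# "#effective:..." suffix, so an exact-line match only accepts full rwx.
acl_grants_rwx() {
  local user="$1" acl="$2" groups="$3" g
  printf '%s\n' "$acl" | grep -qx "user:$user:rwx" && return 0
  for g in $groups; do
    printf '%s\n' "$acl" | grep -qx "group:$g:rwx" && return 0
  done
  return 1
}

# diagnose [USER]  - run the three checks for USER (default: current user).
diagnose() {
  local user="${1:-$(id -un)}" acl groups
  if [ -z "$(find "$PESIGN_DIR" -maxdepth 1 -type s 2>/dev/null)" ]; then
    echo "no socket under $PESIGN_DIR: is pesign-server running?"
    return 2
  fi
  acl=$(getfacl -p "$PESIGN_DIR" 2>/dev/null) || {
    echo "cannot read ACL on $PESIGN_DIR"; return 2; }
  groups=$(id -nG "$user") || return 2
  if acl_grants_rwx "$user" "$acl" "$groups"; then
    echo "ACL ok: $user has rwx on $PESIGN_DIR"
  else
    echo "ACL missing for $user; the thread's fix is roughly:"
    echo "  setfacl -R -m u:$user:rwx $PESIGN_DIR"
  fi
  # SELinux: any recent AVC denials for the client process?
  if command -v ausearch >/dev/null 2>&1; then
    ausearch -m avc -ts recent -c pesign-client 2>/dev/null || echo "no recent AVC denials for pesign-client"
  fi
  echo "next step: strace -f -e trace=connect pesign-client ... to confirm it reaches the socket"
}
```

Run it as `diagnose kojibuilder` on the builder; the ACL logic is separate so it can be checked against saved getfacl output too.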