fixing yubihsm installation #55
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: 'Select the GPG pubkey and the HSM keys to use' | |
| required: true | |
| default: 'test' | |
| type: choice | |
| options: | |
| - test | |
| - prod | |
| debug_enabled: | |
| type: boolean | |
| description: "Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)" | |
| required: false | |
| default: false | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '**' | |
| concurrency: | |
| group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| runs-on: [self-hosted, lab, he, simple, X64] | |
| env: | |
| GPG_PUBKEY: ${{ github.event.inputs.environment || 'test' }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU for Docker Buildkit | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| driver-opts: | | |
| env.BUILDKIT_STEP_LOG_MAX_SIZE=-1 | |
| env.BUILDKIT_STEP_LOG_MAX_SPEED=-1 | |
| - name: Run grub build (make ci) | |
| run: make ci | |
| - name: Upload onie-grubx64.efi | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-grubx64.efi | |
| path: artifacts/onie-grubx64.efi | |
| - name: Upload onie-recovery-grubx64.efi | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-recovery-grubx64.efi | |
| path: artifacts/onie-recovery-grubx64.efi | |
| - name: Upload sonic-grubx64.efi | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sonic-grubx64.efi | |
| path: artifacts/sonic-grubx64.efi | |
| - name: Setup tmate session for debug | |
| if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }} | |
| uses: mxschmitt/action-tmate@v3 | |
| timeout-minutes: 30 | |
| with: | |
| limit-access-to-actor: true | |
| build-arm64: | |
| runs-on: [self-hosted, simple, ARM64] | |
| env: | |
| GPG_PUBKEY: ${{ github.event.inputs.environment || 'test' }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU for Docker Buildkit | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| driver-opts: | | |
| env.BUILDKIT_STEP_LOG_MAX_SIZE=-1 | |
| env.BUILDKIT_STEP_LOG_MAX_SPEED=-1 | |
| - name: Run grub build (make ci-arm64) | |
| run: make ci-arm64 | |
| - name: Upload onie-grubaa64.efi | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-grubaa64.efi | |
| path: artifacts/onie-grubaa64.efi | |
| - name: Upload onie-recovery-grubaa64.efi | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-recovery-grubaa64.efi | |
| path: artifacts/onie-recovery-grubaa64.efi | |
| - name: Upload sonic-grubaa64.efi | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sonic-grubaa64.efi | |
| path: artifacts/sonic-grubaa64.efi | |
| - name: Setup tmate session for debug | |
| if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }} | |
| uses: mxschmitt/action-tmate@v3 | |
| timeout-minutes: 30 | |
| with: | |
| limit-access-to-actor: true | |
| signing: | |
| needs: [build, build-arm64] | |
| runs-on: [self-hosted, lab, he, simple] | |
| environment: ${{ github.event.inputs.environment || 'test' }} | |
| env: | |
| HSM_AUTH_KEY: ${{ secrets.HSM_AUTH_KEY }} | |
| HSM_AUTH_KEY_SLOT: ${{ secrets.HSM_AUTH_KEY_SLOT }} | |
| ORAS_VERSION: "1.0.0" | |
| ORAS_ARTIFACT_TAG: ${{ github.event.inputs.environment || 'test' }} | |
| steps: | |
| - name: Install sbsign tool | |
| run: | | |
| sudo apt-get update | |
| sudo apt install -y sbsigntool | |
| - name: Install YubiHSM client and PKC11 dependencies | |
| run: | | |
| # this is the PKCS11 engine module for OpenSSL | |
| sudo apt install -y libengine-pkcs11-openssl | |
| # install dependencies | |
| sudo apt install -y libusb-1.0-0 libpcsclite1 libusb-1.0-0 | |
| # download the yubihsm-shell package, it is all we need, and install all debs | |
| wget https://developers.yubico.com/yubihsm-shell/Releases/yubihsm-shell-2.4.1-ubuntu2204-amd64.tar.gz | |
| tar xf yubihsm-shell-2.4.1-ubuntu2204-amd64.tar.gz | |
| cd yubihsm-shell | |
| sudo apt-get install -y -f ./libyubihsm-usb1_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./libyubihsm-http1_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./libyubihsm1_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./libyubihsm-dev_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./libykhsmauth1_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./yubihsm-pkcs11_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./yubihsm-auth_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./yubihsm-shell_2.4.1_amd64.deb | |
| sudo apt-get install -y -f ./yubihsm-wrap_2.4.1_amd64.deb | |
| cd | |
| - name: Prepare HSM and PKCS11 configuration files | |
| run: | | |
| # writes the YubiHSM specific PKCS11 config file which will be used by the YubiHSM PKCS11 module | |
| # if the YUBIHSM_PKCS11_CONF environment variable is set | |
| cat > $PWD/yubihsm_pkcs11.conf <<EOF | |
| connector = ${{ vars.HSM_CONNECTOR_URL }} | |
| timeout = 5 | |
| EOF | |
| # writes an OpenSSL configuration file. We will be using it by setting the OPENSSL_CONF environment | |
| # variable which will always take priority if set. | |
| cat > $PWD/openssl-pkcs11-engine.conf <<EOF | |
| openssl_conf = openssl_init | |
| [openssl_init] | |
| engines = engine_section | |
| [engine_section] | |
| pkcs11 = pkcs11_section | |
| [pkcs11_section] | |
| engine_id = pkcs11 | |
| # not necessary, if it is, it is most likely at here | |
| #dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so | |
| MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so | |
| EOF | |
| - name: Set up YUBIHSM_PKCS11_CONF env var | |
| run: | | |
| echo "YUBIHSM_PKCS11_CONF=$PWD/yubihsm_pkcs11.conf" >> $GITHUB_ENV | |
| - name: Set up OPENSSL_CONF env var | |
| run: | | |
| echo "OPENSSL_CONF=$PWD/openssl-pkcs11-engine.conf" >> $GITHUB_ENV | |
| - name: Prepare SB Signing cert | |
| run: | | |
| echo "${{ vars.SB_SIGNING_CERT }}" > sb-signing-cert.pem | |
| - name: Prepare PKCS11 Key URI | |
| run: | | |
| PKCS11_KEY_URI=$( python -c 'import os; print(os.path.expandvars("${{ vars.PKCS11_KEY_URI }}"))' ) | |
| echo "::add-mask::$PKCS11_KEY_URI" | |
| echo "PKCS11_KEY_URI=$PKCS11_KEY_URI" >> $GITHUB_ENV | |
| - name: Download onie-grubx64.efi from build job | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: onie-grubx64.efi | |
| - name: Download onie-recovery-grubx64.efi from build job | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: onie-recovery-grubx64.efi | |
| - name: Download sonic-grubx64.efi from build job | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: sonic-grubx64.efi | |
| - name: Download onie-grubaa64.efi from build job | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: onie-grubaa64.efi | |
| - name: Download onie-recovery-grubaa64.efi from build job | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: onie-recovery-grubaa64.efi | |
| - name: Download sonic-grubaa64.efi from build job | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: sonic-grubaa64.efi | |
| - name: Sign all EFI grub binaries | |
| run: | | |
| sbsign --engine pkcs11 --cert sb-signing-cert.pem --key $PKCS11_KEY_URI onie-grubx64.efi | |
| sbsign --engine pkcs11 --cert sb-signing-cert.pem --key $PKCS11_KEY_URI onie-recovery-grubx64.efi | |
| sbsign --engine pkcs11 --cert sb-signing-cert.pem --key $PKCS11_KEY_URI sonic-grubx64.efi | |
| sbsign --engine pkcs11 --cert sb-signing-cert.pem --key $PKCS11_KEY_URI onie-grubaa64.efi | |
| sbsign --engine pkcs11 --cert sb-signing-cert.pem --key $PKCS11_KEY_URI onie-recovery-grubaa64.efi | |
| sbsign --engine pkcs11 --cert sb-signing-cert.pem --key $PKCS11_KEY_URI sonic-grubaa64.efi | |
| - name: Upload onie-grubx64.efi.signed | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-grubx64.efi.signed | |
| path: onie-grubx64.efi.signed | |
| - name: Upload onie-recovery-grubx64.efi.signed | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-recovery-grubx64.efi.signed | |
| path: onie-recovery-grubx64.efi.signed | |
| - name: Upload sonic-grubx64.efi.signed | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sonic-grubx64.efi.signed | |
| path: sonic-grubx64.efi.signed | |
| - name: Upload onie-grubaa64.efi.signed | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-grubaa64.efi.signed | |
| path: onie-grubaa64.efi.signed | |
| - name: Upload onie-recovery-grubaa64.efi.signed | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: onie-recovery-grubaa64.efi.signed | |
| path: onie-recovery-grubaa64.efi.signed | |
| - name: Upload sonic-grubaa64.efi.signed | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sonic-grubaa64.efi.signed | |
| path: sonic-grubaa64.efi.signed | |
| - name: Install oras | |
| if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }} | |
| run: | | |
| curl -LO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" | |
| mkdir -p oras-install/ | |
| tar -zxf oras_${ORAS_VERSION}_*.tar.gz -C oras-install/ | |
| sudo mv oras-install/oras /usr/local/bin/ | |
| rm -rf oras_${ORAS_VERSION}_*.tar.gz oras-install/ | |
| - name: oras login | |
| if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }} | |
| run: | | |
| oras login --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io | |
| - name: Push oras artifacts | |
| if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }} | |
| run: | | |
| mkdir oras_artifact | |
| cp -v onie-grubx64.efi.signed oras_artifact/onie-grubx64.efi | |
| cp -v onie-recovery-grubx64.efi.signed oras_artifact/onie-recovery-grubx64.efi | |
| cp -v sonic-grubx64.efi.signed oras_artifact/sonic-grubx64.efi | |
| cp -v onie-grubaa64.efi.signed oras_artifact/onie-grubaa64.efi | |
| cp -v onie-recovery-grubaa64.efi.signed oras_artifact/onie-recovery-grubaa64.efi | |
| cp -v sonic-grubaa64.efi.signed oras_artifact/sonic-grubaa64.efi | |
| cd oras_artifact | |
| oras push ghcr.io/githedgehog/grub-build:${ORAS_ARTIFACT_TAG} \ | |
| onie-grubx64.efi \ | |
| onie-recovery-grubx64.efi \ | |
| sonic-grubx64.efi \ | |
| onie-grubaa64.efi \ | |
| onie-recovery-grubaa64.efi \ | |
| sonic-grubaa64.efi | |
| - name: Setup tmate session for debug | |
| if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }} | |
| uses: mxschmitt/action-tmate@v3 | |
| timeout-minutes: 30 | |
| with: | |
| limit-access-to-actor: true |