authorSteve McIntyre <steve@einval.com>2022-07-03 15:16:39 +0100
committerSteve McIntyre <steve@einval.com>2022-07-03 15:16:39 +0100
commitd97628ef06ae31a266d595d899004eec719a18a5 (patch)
treeec67534a7e40200b7952d3f9d136764ca0dff46f
parentd91c88c7bfb56b4fb1b403a23267d6141fbf8fc1 (diff)
downloadsteve-scripts-d97628ef06ae31a266d595d899004eec719a18a5.zip
Moved shim stuff to new shim-scripts repo
-rwxr-xr-xefitest150
-rwxr-xr-xinstall_efi_binaries103
-rwxr-xr-xrun-shim-build64
-rwxr-xr-xrun-shim-sign31
-rwxr-xr-xshim-build130
-rwxr-xr-xshim-cron125
-rwxr-xr-xshim-sign112
-rwxr-xr-xshim-test302
8 files changed, 0 insertions, 1017 deletions
diff --git a/efitest b/efitest
deleted file mode 100755
index db7790b..0000000
--- a/efitest
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/bin/bash
-
-MEM=2048
-SMP="-smp 1"
-ARCH=""
-DIST=""
-STORAGE=""
-OUTPUT=""
-
-usage() {
- echo "$0"
- echo
- echo "Usage: $0 <-a ARCH> <-d DIST> <-s STORAGE> [ -o OUTPUT ]" 1>&2
- echo
- echo "Run a VM for testing Secure Boot".
- echo
- echo "-a ARCH Select architecture; amd64/i386/arm64"
- echo " (default $ARCH)"
- echo "-d DIST Select Debian release to use: buster/bullseye/unstable"
- echo " (default $DIST)"
- echo "-s STORAGE Select which firmware storage image to use: MS_DEBIAN/snakeoil/SB_OFF"
- echo " (default: $STORAGE)"
- echo "-o OUTPUT Write details of the VM started to the file OUTPUT"
- exit 1
-}
-
-validate_arg() {
- local VAR=$1
- local VAROPTS="$(echo $2 | tr ':' ' ')"
-
- for OPT in $VAROPTS; do
- if [ "${!VAR}"x = "$OPT"x ]; then
- return
- fi
- done
- # else
- echo "$VAR ${!VAR} not supported - use one of $VAROPTS"
- exit 1
-}
-
-while getopts ":a:d:s:o:" o; do
- case "${o}" in
- a)
- ARCH=${OPTARG}
- ;;
- d)
- DIST=${OPTARG}
- ;;
- s)
- STORAGE=${OPTARG}
- ;;
- o)
- OUTPUT=$(realpath ${OPTARG})
- ;;
- *)
- usage
- exit 1
- ;;
- esac
-done
-shift $((OPTIND-1))
-
-validate_arg ARCH "amd64:i386:arm64"
-validate_arg DIST "buster:bullseye:unstable"
-validate_arg STORAGE "SB_OFF:SB_OFF_debug:MS_DEBIAN:MS_DEBIAN_debug:snakeoil:snakeoil_debug"
-
-case $ARCH in
- amd64)
- QEMU_MACH="-M pc-i440fx-2.8,accel=kvm"
- MACH=x86_64;;
- i386)
- QEMU_MACH="-machine q35,smm=on,accel=kvm"
- MACH=i386;;
- arm64)
- QEMU_MACH="--enable-kvm -M virt,gic-version=host,kernel_irqchip=on"
- MACH=aarch64;;
-esac
-
-TUPLE="$ARCH-$DIST"
-case $TUPLE in
- amd64-buster)
- OFFSET=1;;
- i386-buster)
- OFFSET=2;;
- amd64-bullseye)
- OFFSET=3;;
- i386-bullseye)
- OFFSET=4;;
- amd64-unstable)
- OFFSET=5;;
- i386-unstable)
- OFFSET=6;;
-
- arm64-buster)
- OFFSET=1;;
- arm64-bullseye)
- OFFSET=3;;
- arm64-unstable)
- OFFSET=5;;
-esac
-
-VNC_BASE=1
-IP_BASE=2
-VM_IP=127.16.2.$(($IP_BASE + $OFFSET))
-VNC=":"$(($VNC_BASE + $OFFSET))
-SSH_PORT=10022
-DISK=efi-hard-disk-$TUPLE.img
-PFLASH="-pflash $MACH-OVMF.fd -pflash $MACH-storage.fd.$STORAGE"
-DISPLAY="-display vnc=$VNC -daemonize -serial file:$TUPLE-serial.txt -k en-gb"
-PIDFILE=$TUPLE.pid
-
-qemu-system-$MACH $QEMU_MACH \
- -name $TUPLE \
- -pidfile $PIDFILE \
- -cpu host \
- -m $MEM \
- $SMP \
- $PFLASH \
- -drive file=$DISK,format=raw,if=virtio \
- -netdev user,id=usernet,hostfwd=tcp:${VM_IP}:${SSH_PORT}-10.0.2.15:22 \
- -device virtio-net-pci,netdev=usernet \
- $DISPLAY
-
-#echo $CMD
-#sleep 5
-#$CMD
-
-if [ "$OUTPUT"x != ""x ]; then
- echo "VM_IP=$VM_IP" >> $OUTPUT
- echo "SSH_PORT=$SSH_PORT" >> $OUTPUT
- echo "PIDFILE=$PIDFILE" >> $OUTPUT
- echo "VNC=$VNC" >> $OUTPUT
- # echo "$0: Wrote details to $OUTPUT"
-else
- echo "VM_IP=$VM_IP"
- echo "SSH_PORT=$SSH_PORT"
- echo "PIDFILE=$PIDFILE"
- echo "VNC=$VNC"
-fi
-
-# -drive format=raw,file=efi-hard-disk.img,if=none,id=mynvme -device nvme,drive=mynvme,serial=foo \
-# -drive file=efi-hard-disk.img,format=raw \
-
-# -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864 \
-# -serial tcp::4444,server \
-# -vga qxl \
-# -cpu SandyBridge \
-# -no-user-config -nodefaults \
-# -bios /usr/share/ovmf/OVMF.fd \
-
diff --git a/install_efi_binaries b/install_efi_binaries
deleted file mode 100755
index 61fc2ff..0000000
--- a/install_efi_binaries
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/bash
-#
-# Place a test binary into an image for EFI boot testing
-#
-
-# Set defaults
-ARCH=amd64
-DIST=buster
-FILE=""
-OUT=""
-
-usage() {
- echo "$0"
- echo
- echo "Usage: $0 <-a ARCH> <-d DIST> -f <FILE> -o <IMAGE PATH>" 1>&2
- echo
- echo "Copy FILE into the ESP of the efi test image as PATH".
- echo
- echo "-a ARCH Select architecture; amd64/i386/arm64"
- echo " (default $ARCH)"
- echo "-d DIST Select Debian release to use: buster/bullseye/unstable"
- echo " (default $DIST)"
- echo "-f FILE Select which file should be copied in."
- echo "-o IMAGE PATH Select where the file should be copied to."
- exit 1
-}
-
-validate_arg() {
- local VAR=$1
- local VAROPTS="$(echo $2 | tr ':' ' ')"
-
- for OPT in $VAROPTS; do
- if [ "${!VAR}"x = "$OPT"x ]; then
- return
- fi
- done
- # else
- echo "$VAR ${!VAR} not supported - use one of $VAROPTS"
- exit 1
-}
-
-while getopts ":a:d:f:o:" o; do
- case "${o}" in
- a)
- ARCH=${OPTARG}
- ;;
- d)
- DIST=${OPTARG}
- ;;
- f)
- FILE=${OPTARG}
- ;;
- o)
- OUT=${OPTARG}
- ;;
- *)
- usage
- exit 1
- ;;
- esac
-done
-shift $((OPTIND-1))
-
-validate_arg ARCH "amd64:i386:arm64"
-validate_arg DIST "buster:bullseye:unstable"
-
-if [ "$FILE"x = ""x ] || [ "$OUT"x = ""x ]; then
- echo "Missing arg(s)"
- usage
- exit 1
-fi
-
-if [ ! -f "$FILE" ]; then
- echo "Input file $FILE does not exist, abort!"
- exit 1
-fi
-
-TUPLE="$ARCH-$DIST"
-DISK=efi-hard-disk-$TUPLE.img
-
-if [ ! -f "$DISK" ]; then
- echo "Disk image $DISK does not exist, abort!"
- exit 1
-fi
-
-# OK, we've validated input. Now work out where the ESP is inside the
-# disk image. Parse fdisk output!
-OFFSET=$(fdisk -l $DISK | awk '
- # Find the sector size
- /^Units:/ { gsub("^.* = ","",$0); SECSIZE=$1}
- # Find the start sector of the ESP, which is in column 2
- /EFI System$/ { STARTSEC=$2 }
- END { print (SECSIZE * STARTSEC) }
-')
-# If the above fails, we'll get a zero offset
-if [ $OFFSET = 0 ]; then
- echo "Disk image $DISK does not seem to include an ESP, abort!"
- exit 1
-fi
-mcopy -v -o -i ${DISK}@@${OFFSET} "${FILE}" "::${OUT}"
-
-# And exit with the error code from mcp
-
diff --git a/run-shim-build b/run-shim-build
deleted file mode 100755
index 0b40003..0000000
--- a/run-shim-build
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-# Run a specified shim build. Separate script so we can background it
-# and leave it running
-
-GIT_DIR=/home/shim/build/shim.git
-ARTIFACTS=/home/shim/artifacts
-LOGDIR="$ARTIFACTS/build-logs"
-BASE=/home/shim/shim-cron
-STATEDIR=${BASE}/statedir
-BR_DIR=${STATEDIR}/branches
-
-BUILDFILE=$1
-
-echo "Spawning build $BUILDFILE"
-
-# Rename the queued build file so we know it's running
-RUNNINGFILE=${BUILDFILE%%.queued}.running
-mv $BUILDFILE $RUNNINGFILE
-
-# Do build here!
-. $RUNNINGFILE
-for ARCH in ${ARCHES/,/ }; do
- LOGFILE="${LOGDIR}/${HASH}/${ARCH}-${DIST}/${MACHINE}.log"
- mkdir -p "${LOGDIR}/${HASH}/${ARCH}-${DIST}"
- echo "Build running!" > "${LOGFILE}"
- ssh -l "$SSH_USER" "$MACHINE" shim-build -h "$HASH" -a "$ARCH" -d "$DIST" >> ${LOGFILE} 2>&1
- OUT_DIR="$ARTIFACTS/build/$HASH/$ARCH-$DIST"
- SUCCESS=$(ls -1 "$OUT_DIR" | grep -c "$MACHINE.*SUCCESS")
-
- # Do an initial check right now - if we don't get a reproducible
- # build from all machines and all builds, then this is a hard
- # failure
- echo "Found $SUCCESS successful builds in $OUT_DIR" >> ${LOGFILE}
- if [ $SUCCESS = 2 ]; then
- echo "All builds succeeded, doing sone analysis" >> ${LOGFILE}
- echo "Checking for reproducible build:" >> ${LOGFILE}
- for file in $OUT_DIR/build-$MACHINE-*/checksums.log; do
- echo "$file:" >> ${LOGFILE}
- echo "=====" >> ${LOGFILE}
- cat "$file" >> ${LOGFILE}
- echo "=====" >> ${LOGFILE}
- done
- diff -u "$OUT_DIR/build-$MACHINE-"*"/checksums.log" >> ${LOGFILE}
- diff_ret=$?
- if [ $diff_ret -ne 0 ]; then
- echo " Checksums from builds don't match, moving both to MISMATCH" >> ${LOGFILE}
- for i in 1 2; do
- BUILD="$OUT_DIR/build-$MACHINE-$i"
- mv -v "$BUILD-SUCCESS" "$BUILD-MISMATCH" >> ${LOGFILE} 2>&1
- done
- else
- echo " Checksums from builds match OK!" >> ${LOGFILE}
- echo " Deleting build #2, no need for it" >> ${LOGFILE}
- rm -rvf "$OUT_DIR/build-$MACHINE-2-SUCCESS" >> ${LOGFILE} 2>&1
- echo " Marking build #1 as ready for sign and test" >> ${LOGFILE}
- printf "MACHINE=${MACHINE}\nSSH_USER=${SSH_USER}\nARCHES=${ARCH}\nDIST=${DIST}\nHASH=${HASH}\nARTIFACTS=${OUT_DIR}/build-${MACHINE}-1-SUCCESS\n" \
- > "$OUT_DIR/build-$MACHINE-1-SUCCESS/ready-for-signing"
- fi
- fi
-done
-
-# Now rename again so we know we're finished
-DONEFILE=${BUILDFILE%%.queued}.done
-mv $RUNNINGFILE $DONEFILE
diff --git a/run-shim-sign b/run-shim-sign
deleted file mode 100755
index f0f7ae5..0000000
--- a/run-shim-sign
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-# Sign specified shim build. Separate script so we can background it
-# and leave it running
-
-GIT_DIR=/home/shim/build/shim.git
-ARTIFACTS=/home/shim/artifacts
-LOGDIR="$ARTIFACTS/sign-logs"
-BASE=/home/shim/shim-cron
-STATEDIR=${BASE}/statedir
-SIGN_MACHINE=jack.einval.org
-
-SIGNFILE=$1
-
-echo "Spawning signature for $SIGNFILE"
-
-# Rename the queued file so we know it's running
-RUNNINGFILE=${SIGNFILE%%.queued}.running
-mv $SIGNFILE $RUNNINGFILE
-
-# Do signing here!
-. $RUNNINGFILE
-for ARCH in ${ARCHES/,/ }; do
- LOGFILE="${LOGDIR}/${HASH}/${ARCH}-${DIST}.log"
- mkdir -p "${LOGDIR}/${HASH}"
- echo "Sign script running!" > "${LOGFILE}"
- ssh -l "$SSH_USER" "$SIGN_MACHINE" shim-sign -A "$ARTIFACTS" -h "$HASH" -a "$ARCH" -d "$DIST" >> ${LOGFILE} 2>&1
-done
-
-# Now rename again so we know we're finished
-DONEFILE=${SIGNFILE%%.queued}.done
-mv $RUNNINGFILE $DONEFILE
diff --git a/shim-build b/shim-build
deleted file mode 100755
index d61adf6..0000000
--- a/shim-build
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/bin/sh
-
-# Do all the steps needed to build a shim package for a given hash,
-# distribution and architecture. Run from inside a shim git directory.
-
-GIT_DIR=shim@jack.einval.org:build/shim.git
-ARTIFACTS=shim@jack.einval.org:artifacts
-HOSTNAME=$(hostname --fqdn)
-
-usage () {
- cat <<EOF
-$0 <options> - build shim
-
-options:
-
- -a ARCH1[,ARCH2,...] - build for the specified architecture(s)
- -d DIST1[,DIST2,...] - build for the specified Debian distribution(s)
- -h HASH - build from the specified git hash/tag
-
-EOF
-}
-
-check_error () {
- if [ $1 -ne 0 ]; then
- echo "$0 $HASH $DIST $ARCH failed with error $1: $2"
- exit 1
- fi
-}
-
-while getopts ":a:d:h:r:" o; do
- case "${o}" in
- a)
- ARCHES=${OPTARG}
- ;;
- d)
- DISTS=${OPTARG}
- ;;
- h)
- HASH=${OPTARG}
- ;;
- *)
- echo "Unknown option ${o}"
- usage
- exit 1
- ;;
- esac
-done
-shift $((OPTIND-1))
-
-[ "$HASH"x != ""x ] || check_error 1 "Need to specify hash"
-[ "$DISTS"x != ""x ] || check_error 1 "Need to specify distribution(s)"
-[ "$ARCHES"x != ""x ] || check_error 1 "Need to specify architecture(S)"
-
-cleanup () {
- if [ "$BUILDTMPS"x != ""x ]; then
- echo "Cleaning up build dir(s) $BUILDTMPS"
- rm -rf "$BUILDTMPS"
- fi
-}
-trap "cleanup" EXIT
-
-for ARCH in $(echo "$ARCHES" | tr ',' ' '); do
- for DIST in $(echo "$DISTS" | tr ',' ' '); do
-
- echo "Building for $ARCH, $DIST, $HASH"
-
- # We'll use this a lot
- SCHROOT="shim-$DIST-$ARCH"
-
- echo "Building from sources in $GIT_DIR"
- echo "Updating packages and build-deps in chroot $SCHROOT"
- echo 'debconf debconf/frontend select Noninteractive' | \
- schroot -u root -c $SCHROOT debconf-set-selections
- check_error $? "debconf-set-selections failed "
- schroot -u root -c $SCHROOT -- apt-get -y update --allow-releaseinfo-change
- check_error $? "apt-get update fail"
- schroot -u root -c $SCHROOT -- apt-get -y dist-upgrade
- check_error $? "apt-get dist-upgrade fail"
- schroot -u root -c $SCHROOT -- apt-get -y install build-essential fakeroot git
- check_error $? "apt-get install fakeroot build-essential fail"
- schroot -u root -c $SCHROOT -- apt-get -y build-dep shim shim-signed
- check_error $? "apt-get build-dep fail"
-
- # Build in a temporary dir in /dev/shm for performance and easier cleanup
- BUILDTMP=$(mktemp -d -p /dev/shm shim-$ARCH-$DIST-$HASH-XXXXXXXXXX)
- check_error $? "mktemp failed"
- BUILDTMPS="$BUILDTMPS $BUILDTMP"
-
- SUCCESS=0
-
- # Loop: create build tree, copy the git tree in, build
- for i in 1 2; do
- echo "Running build #$i"
-
- # Setup
- BUILD="$BUILDTMP/$HASH/$ARCH-$DIST/build-$HOSTNAME-$i"
- mkdir -p "$BUILD"
- check_error $? "mkdir failed for $BUILD"
- rsync -a "$GIT_DIR/" "$BUILD/shim.git/"
- check_error $? "rsync failed for $BUILD"
-
- cd "$BUILD/shim.git"
- check_error $? "cd to $BUILD/shim.git failed"
- git checkout $HASH
- check_error $? "git checkout $HASH failed"
-
- schroot -u root -c $SCHROOT -- apt-get -y build-dep .
-
- # Build, then grab the logs and artifacts
- schroot -d "$BUILD/shim.git" -c $SCHROOT -- \
- script -e -c "dpkg-buildpackage -b --no-sign" ../build.log
- error=$?
-
- if [ $error -eq 0 ]; then
- echo "Build succeeded in $BUILD"
- SUCCESS=$((SUCCESS + 1))
- grep -E '^[[:alnum:]]{64}' "$BUILD/build.log" > "$BUILD/checksums.log"
- mv "$BUILD" "$BUILD-SUCCESS"
- else
- echo "Build failed in $BUILD"
- mv "$BUILD" "$BUILD-FAILURE"
- fi
- done
-
- echo "Copy artifacts and logs to $ARTIFACTS/build/$HASH/:"
- rsync -av --exclude shim.git "$BUILDTMP/$HASH/" "$ARTIFACTS/build/$HASH/"
- done
-done
-
-exit 0
diff --git a/shim-cron b/shim-cron
deleted file mode 100755
index a37f22f..0000000
--- a/shim-cron
+++ /dev/null
@@ -1,125 +0,0 @@
-#!/bin/sh
-#
-# Monitor the state of various shim git branches for changes; trigger CI when things change
-
-GIT_DIR=/home/shim/build/shim.git
-ARTIFACTS=/home/shim/artifacts
-LOG=$ARTIFACTS/logs
-BASE=/home/shim/shim-cron
-LOCK=${BASE}/.lock
-STATEDIR=${BASE}/statedir
-BR_DIR=${STATEDIR}/branches
-Q_DIR=${STATEDIR}/queues
-BUILDQ_DIR=$Q_DIR/build
-SIGNQ_DIR=$Q_DIR/sign
-SIGN_MACHINE=jack.einval.org
-LOGGER="logger -p user.info"
-
-normal_exit () {
- rm -f $LOCK
-}
-
-
-if [ -e $LOCK ]; then
- OLDPID=$(cat $LOCK)
- echo "Old run still going (problem?), pid $OLDPID"
- exit 0
-fi
-
-trap "normal_exit" EXIT
-echo $$ > $LOCK
-
-cd $GIT_DIR
-
-# sleep 13
-
-git fetch
-
-# First of all, look for new revs that we may need to build. If we
-# spot a new rev, queue builds for it
-for REVFILE in $(find $BR_DIR -type f -name known_rev); do
- KNOWN_REV=$(cat $REVFILE)
- BRANCH_STATE=${REVFILE%%/known_rev}
- BR_NAME=${BRANCH_STATE##$BR_DIR/}
- HASH=$(git rev-list --no-walk $BR_NAME)
- if [ "$KNOWN_REV"x != "$HASH"x ]; then
- $LOGGER "Branch $BR_NAME has a new revision - knew about $KNOWN_REV, now on $HASH"
- WAITING_BUILDS=0
- DONE_BUILDS=""
- for BUILDER in $BRANCH_STATE/build-*.conf; do
- if [ -f "$BUILDER" ]; then
- . $BUILDER
- $LOGGER " Want to build hash $HASH on $MACHINE (arches $ARCHES, dist $DIST, user $SSH_USER)"
- if [ -f $BUILDQ_DIR/$MACHINE/$HASH-$DIST.done ]; then
- $LOGGER " - already built"
- elif [ -f $BUILDQ_DIR/$MACHINE/$HASH-$DIST.running ]; then
- $LOGGER " - currently building"
- elif [ -f $BUILDQ_DIR/$MACHINE/$HASH-$DIST.queued ]; then
- $LOGGER " - already queued"
- else
- $LOGGER " - adding to the queue"
- printf "MACHINE=$MACHINE\nARCHES=$ARCHES\nDIST=$DIST\nSSH_USER=$SSH_USER\nHASH=$HASH\n" \
- > $BUILDQ_DIR/$MACHINE/$HASH-$DIST.queued
- fi
- fi
- done
- # Once we've queued any needed builds, update the stored rev
- echo "$HASH" > $REVFILE
- fi
-done
-
-# Next, iterate through the build queues for each machine
-for MACHINE in ${BUILDQ_DIR}/*; do
- MCH_NAME=${MACHINE##$BUILDQ_DIR/}
- $LOGGER "Looking for builds to run on $MCH_NAME"
- RUNNING=$(ls -1tr $MACHINE | grep '\.running$')
- if [ $? -eq 0 ]; then
- $LOGGER " - busy with $RUNNING"
- continue
- fi
- NEW_JOB=$(ls -1tr $MACHINE | grep '\.queued$' | head -1)
- if [ "$NEW_JOB"x != ""x ]; then
- $LOGGER " - queueing up $NEW_JOB"
- QUEUE_FILE=$MACHINE/$NEW_JOB
- # This will rename the file to <foo>.running, run the build
- # then rename it to <foo>.done when finished
- /usr/local/bin/run-shim-build $QUEUE_FILE &
- continue
- fi
- $LOGGER " - nothing to do"
-done
-
-# Next, look for anything ready for signing
-$LOGGER "Looking for builds to sign"
-TO_SIGN=0
-for BUILD_READY in $(find $ARTIFACTS -type f -name ready-for-signing); do
- . ${BUILD_READY}
- $LOGGER " - $BUILD_READY is ready, adding to sign queue"
- mv $BUILD_READY "${SIGNQ_DIR}/${SIGN_MACHINE}/$HASH-$ARCHES-$MACHINE-$ARCHES-$DIST.queued"
- TO_SIGN=$((TO_SIGN + 1))
-done
-if [ $TO_SIGN = 0 ]; then
- $LOGGER " - nothing ready for signing"
-fi
-
-# Next, iterate through the sign queue
-for MACHINE in ${SIGNQ_DIR}/*; do
- MCH_NAME=${MACHINE##$SIGNQ_DIR/}
- $LOGGER "Looking for signatures to run on $MCH_NAME"
- RUNNING=$(ls -1tr $MACHINE | grep '\.running$')
- if [ $? -eq 0 ]; then
- $LOGGER " - busy with $RUNNING"
- continue
- fi
- NEW_JOB=$(ls -1tr $MACHINE | grep '\.queued$' | head -1)
- if [ "$NEW_JOB"x != ""x ]; then
- $LOGGER " - queueing up $NEW_JOB"
- QUEUE_FILE=$MACHINE/$NEW_JOB
- # This will rename the file to <foo>.running, run the signature
- # then rename it to <foo>.done when finished
- /usr/local/bin/run-shim-sign $QUEUE_FILE &
- continue
- fi
- $LOGGER " - nothing to do"
-done
-
diff --git a/shim-sign b/shim-sign
deleted file mode 100755
index 196bd90..0000000
--- a/shim-sign
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/bin/sh
-
-set -x
-
-# Do all the steps needed to sign the contents of a shim package for a
-# given hash, distribution and architecture.
-
-GIT_DIR=shim@jack.einval.org:build/shim.git
-ARTIFACTS=shim@jack.einval.org:artifacts
-HOSTNAME=$(hostname --fqdn)
-KEYS="snakeoil NOSIG"
-
-usage () {
- cat <<EOF
-$0 <options> - sign a shim build
-
-options:
-
- -A ARTIFACTS - the directory holding the .deb(s) to sign
- -a ARCH1[,ARCH2,...] - build is for the specified architecture(s)
- -d DIST1[,DIST2,...] - build is for the specified Debian distribution(s)
- -h HASH - the git hash of the build
-
-EOF
-}
-
-check_error () {
- if [ $1 -ne 0 ]; then
- echo "$0 $ARTSIN $HASH $DIST $ARCH failed with error $1: $2"
- exit 1
- fi
-}
-
-while getopts ":A:a:d:h:r:" o; do
- case "${o}" in
- A)
- ARTSIN=${OPTARG}
- ;;
- a)
- ARCHES=${OPTARG}
- ;;
- d)
- DISTS=${OPTARG}
- ;;
- h)
- HASH=${OPTARG}
- ;;
- *)
- echo "Unknown option ${o}"
- usage
- exit 1
- ;;
- esac
-done
-shift $((OPTIND-1))
-
-[ "$ARTSIN"x != ""x ] || check_error 1 "Need to specify the input dir"
-[ "$HASH"x != ""x ] || check_error 1 "Need to specify hash"
-[ "$DISTS"x != ""x ] || check_error 1 "Need to specify distribution(s)"
-[ "$ARCHES"x != ""x ] || check_error 1 "Need to specify architecture(S)"
-
-cleanup () {
- if [ "$SIGNTMPS"x != ""x ]; then
- echo "Cleaning up build dir(s) $SIGNTMPS"
- rm -rf "$SIGNTMPS"
- fi
-}
-trap "cleanup" EXIT
-
-for ARCH in $(echo "$ARCHES" | tr ',' ' '); do
- for DIST in $(echo "$DISTS" | tr ',' ' '); do
-
- echo "Signing $ARTSIN for $ARCH, $DIST, $HASH"
-
- DEBS=$(find $ARTSIN/ -name 'shim-unsigned*'_$ARCH'.deb')
- NUM_DEBS=$(echo $DEBS | wc -l)
- if [ $NUM_DEBS -gt 1 ]; then
- check_error 2 "Found too many debs for signing in $ARTSIN: $NUM_DEBS $DEBS"
- elif [ $NUM_DEBS = 0 ]; then
- check_error 2 "Found no debs for signing in $ARTSIN"
- fi
-
- # Sign in a temporary dir in /dev/shm for performance and easier cleanup
- SIGNTMP=$(mktemp -d -p /dev/shm sign-shim-$ARCH-$DIST-$HASH-XXXXXXXXXX)
- check_error $? "mktemp failed"
- SIGNTMPS="$SIGNTMPS $SIGNTMP"
-
- dpkg -x $DEBS $SIGNTMP/extract
-
- for KEY in $KEYS; do
- KEYDIR=~/sign/$KEY
- for file in $SIGNTMP/extract/usr/lib/shim/*.efi; do
- if [ $KEY = "NOSIG" ]; then
- cp $file $file.signed-NOSIG
- else
- sbsign --key $KEYDIR/*.key.nopass --cert $KEYDIR/*.pem --output $file.signed-$KEY $file
- check_error $? "signature failed for $file using key \"$KEY\""
- fi
- done
-
- ls -al $SIGNTMP/extract/usr/lib/shim
-
- mkdir -p "$SIGNTMP/$HASH/$ARCH-$DIST"
- mv -v "$SIGNTMP/extract/usr/lib/shim/"*signed* "$SIGNTMP/$HASH/$ARCH-$DIST"
- done
-
- echo "Copy artifacts to $ARTIFACTS/sign/$HASH/ :"
- rsync -av --exclude shim.git "$SIGNTMP/$HASH/" "$ARTIFACTS/sign/$HASH/"
- done
-done
-
-exit 0
diff --git a/shim-test b/shim-test
deleted file mode 100755
index 568183a..0000000
--- a/shim-test
+++ /dev/null
@@ -1,302 +0,0 @@
-#!/bin/sh
-
-# set -x
-
-# Do all the steps needed to test a set of signed shim binaries for a
-# given hash, distribution and architecture.
-
-GIT_DIR=shim@jack.einval.org:build/shim.git
-ARTIFACTS=shim@jack.einval.org:artifacts
-HOSTNAME=$(hostname --fqdn)
-KEYS="NOSIG snakeoil"
-BOOT_TIMEOUT=60
-LOG=""
-
-usage () {
- cat <<EOF
-$0 <options> - sign a shim build
-
-options:
-
- -a ARCH1[,ARCH2,...] - build is for the specified architecture(s)
- -d DIST1[,DIST2,...] - build is for the specified Debian distribution(s)
- -h HASH - the git hash of the build
-
-EOF
-}
-
-check_error () {
- if [ $1 -ne 0 ]; then
- echo "$0 $ARTSIN $HASH $DIST $ARCH failed with error $1: $2"
- exit 1
- fi
-}
-
-efi_to_arch () {
- local ARCH=$1
- case $ARCH in
- amd64)
- EFI=x64;;
- i386)
- EFI=ia32;;
- arm64)
- EFI=aa64;;
- esac
- echo "$EFI"
-}
-
-shutdown_vm () {
- local VM_CONF=$1
- local METHOD=$2
- local EXTRA_CMDS=$3
-
- . $PWD/$VM_CONF
-
- if [ -r $PIDFILE ]; then
- PID=$(cat $PIDFILE)
- else
- echo "$0: Can't read pidfile $PIDFILE"
- return
- fi
-
- error=0
- if [ "$METHOD" = "ssh" ]; then
- if [ "$EXTRA_CMDS"x = "UPDATE-UPGRADE"x ]; then
- log "Running update/upgrade in VM"
- ssh ${VM_IP} -p${SSH_PORT} -lroot \
- "apt-get update -y && apt-get -o Dpkg::Options::=--force-confnew -o Dpkg::Options::=--force-confmiss dist-upgrade -y --autoremove --purge" >> $LOGFILE
- error=$?
- log " update/upgrade finished with error $error"
- fi
-
- MAX_WAIT=30 # how long to wait for clean shutdown
- ssh ${VM_IP} -p${SSH_PORT} -lroot poweroff
- TRY=0
- while [ $TRY -lt $MAX_WAIT ]; do
- if [ -r $PIDFILE ] && (ps $PID >/dev/null); then
- # echo "$0: kvm / qemu still running as pid $PID after $TRY seconds"
- sleep 1
- TRY=$(($TRY + 1))
- else
- break
- fi
- done
- fi
-
- if [ -r $PIDFILE ] && (ps $PID >/dev/null); then
- echo "$0: killing pid $PID"
- kill -9 $PID
- fi
- rm -f $VM_CONF $PIDFILE
- return $error
-}
-
-# Test descriptions - include here for now, move them somewhere else
-# later. Schema follow:
-# (each test definition is colon-delimited, a missing entry will match
-# the default which is the first entry in the list)
-# 1. Test name
-# 2. Which shim binary to use (key name or NOSIG)
-# 3. Which SB keys to use in the VM image (MS_DEBIAN, snakeoil or SB_OFF)
-# 4. Expected result (BOOTSUCCESS, BOOTFAIL, BOOTTIMEOUT)
-# 5. Any other binaries to copy in, format
-# <host file name 1>=<ESP file name 2>,<host file name 1>=<ESP file name 2>,...
-# These will will be removed after the test is finished.
-# NOT YET SUPPORTED!
-# 6. Is a test failure here fatal? (FAILFATAL, FAILOK)
-# 7. Any special commands to run on the system before shutdown? (NONE, UPDATE-UPGRADE)
-
-TESTS="test_0:NOSIG:SB_OFF:BOOTSUCCESS::FAILFATAL:UPDATE-UPGRADE"
-TESTS="$TESTS test_1:snakeoil:snakeoil:BOOTSUCCESS::FAILOK:NONE"
-TESTS="$TESTS test_2:snakeoil:MS_DEBIAN:BOOTFAIL::FAILOK:NONE"
-TESTS="$TESTS test_3:snakeoil:SB_OFF:BOOTSUCCESS::FAILOK:NONE"
-TESTS="$TESTS test_4:NOSIG:SB_OFF:BOOTSUCCESS::FAILOK:NONE"
-
-log () {
- echo "$*"
- echo "$*" >> $LOGFILE
-}
-
-run_tests () {
- local DIST=$1
- local ARCH=$2
- local TESTTMP=$3
- local EFI=$(efi_to_arch $ARCH)
-
- local TESTS_RUN=0
- local PASS=0
- local FAIL=0
- local INFRAFAIL=0
-
- cd ~/test/$DIST-$ARCH
- check_error $? "Failed to cd to image test dir ~/test/$DIST-$ARCH"
-
- SERIAL=$ARCH-$DIST-serial.txt
- VM_CONF=$ARCH-$DIST-vm.conf
- LOGFILE=$ARCH-$DIST-test.log
- rm -f $LOGFILE
-
- for TEST in $TESTS; do
- TESTNAME=$(echo $TEST | awk -F : '{print $1}')
- KEY=$(echo $TEST | awk -F : '{print $2}')
- IMGKEY=$(echo $TEST | awk -F : '{print $3}')
- EXP_RESULT=$(echo $TEST | awk -F : '{print $4}')
- EXTRAFILES=$(echo $TEST | awk -F : '{print $5}')
- FATAL=$(echo $TEST | awk -F : '{print $6}')
- EXTRA_CMDS=$(echo $TEST | awk -F : '{print $7}')
- log ""
- log "######################"
- log "Running test $TESTNAME"
- log " KEY: $KEY"
- log " IMGKEY: $IMGKEY"
- log " EXP_RESULT: $EXP_RESULT"
- log " EXTRAFILES: $EXTRAFILES"
- log " FATAL: $FATAL"
- log " EXTRA_CMDS: $EXTRA_CMDS"
- log "######################"
-
- TESTS_RUN=$(($TESTS_RUN + 1))
-
- case $IMGKEY in
- SB_OFF*)
- SB_GREP="secureboot: Secure boot (disabled|could not be determined)";;
- *)
- SB_GREP="secureboot: Secure boot enabled";;
- esac
-
- # Copy our test binary into the ESP of the test OS image
- install_efi_binaries -a $ARCH -d $DIST \
- -f "$TESTTMP/shim${EFI}.efi.signed-$KEY" \
- -o EFI/debian/shim${EFI}.efi
- error=$?
- if [ $error -ne 0 ]; then
- log " install_efi_binaries failed, error $error"
- INFRAFAIL=$((INFRAFAIL + 1))
- RESULT=INFRAFAIL
- log "Expected result $EXP_RESULT, got $RESULT"
- continue
- fi
- rm -f $SERIAL
- efitest -a $ARCH -d $DIST -s $IMGKEY -o $VM_CONF
- error=$?
- if [ $error -ne 0 ]; then
- log " efitest failed, error $error"
- INFRAFAIL=$((INFRAFAIL + 1))
- RESULT=INFRAFAIL
- log "Expected result $EXP_RESULT, got $RESULT"
- continue
- fi
- CURRENT=$(date +%s)
- START=$CURRENT
- TAKEN=0
- RESULT=""
- while [ $TAKEN -lt $BOOT_TIMEOUT ]; do
- TAKEN=$(($CURRENT - $START))
- # Check we've booted to userland ok
- if grep -q -E "Debian GNU/Linux.*tty" $SERIAL; then
- # *Also* check that we booted in the right state!
- if grep -q -E "$SB_GREP" $SERIAL; then
- RESULT=BOOTSUCCESS
- else
- SB_STATE=$(grep -E "secureboot: Secure boot" $SERIAL)
- log "SB state mismatch!"
- log "Expected to find $SB_GREP"
- log "Got $SB_STATE"
- RESULT=INFRAFAIL
- fi
- shutdown_vm $VM_CONF ssh $EXTRA_CMDS
- error=$?
- if [ $error != 0 ]; then
- INFRAFAIL=$((INFRAFAIL + 1))
- RESULT=INFRAFAIL
- fi
- break
- fi
- if grep -q "failed to load.*Access Denied" $SERIAL; then
- RESULT=BOOTFAIL
- shutdown_vm $VM_CONF kill
- break
- fi
- sleep 1
- CURRENT=$(date +%s)
- done
- TAKEN=$(($CURRENT - $START))
- if [ "$RESULT"x = ""x ]; then
- RESULT=BOOTTIMEOUT
- shutdown_vm $DIST-$ARCH-vm.conf kill
- fi
- log "Expected result $EXP_RESULT, got $RESULT after $TAKEN seconds"
- echo "Serial log follows:" >> $LOGFILE
- cat $SERIAL >> $LOGFILE
- if [ "$RESULT" = "$EXP_RESULT" ]; then
- PASS=$(($PASS + 1))
- else
- if [ "$FATAL"x != "FAILOK"x ]; then
- log "Failure here is fatal, stopping all tests"
- send_mail -s "FATAL TEST FAILURE"
- break
- fi
- FAIL=$(($FAIL + 1))
- fi
- done
-
- log ""
- log "######################"
- log "TEST RESULT SUMMARY"
- log " PASS: $PASS"
- log " FAIL: $FAIL"
- log " INFRAFAIL: $INFRAFAIL"
- log " TOTAL; $TESTS_RUN"
- log "######################"
-}
-
-while getopts ":A:a:d:h:r:" o; do
- case "${o}" in
- a)
- ARCHES=${OPTARG}
- ;;
- d)
- DISTS=${OPTARG}
- ;;
- h)
- HASH=${OPTARG}
- ;;
- *)
- echo "Unknown option ${o}"
- usage
- exit 1
- ;;
- esac
-done
-shift $((OPTIND-1))
-
-[ "$HASH"x != ""x ] || check_error 1 "Need to specify hash"
-[ "$DISTS"x != ""x ] || check_error 1 "Need to specify distribution(s)"
-[ "$ARCHES"x != ""x ] || check_error 1 "Need to specify architecture(S)"
-
-cleanup () {
- if [ "$TESTTMPS"x != ""x ]; then
- echo "Cleaning up build dir(s) $TESTTMPS"
- rm -rf "$TESTTMPS"
- fi
-}
-trap "cleanup" EXIT
-
-for ARCH in $(echo "$ARCHES" | tr ',' ' '); do
- for DIST in $(echo "$DISTS" | tr ',' ' '); do
-
- TESTTMP=$(mktemp -d -p /dev/shm test-shim-$ARCH-$DIST-$HASH-XXXXXXXXXX)
- check_error $? "mktemp failed"
- TESTTMPS="$TESTTMPS $TESTTMP"
-
- # HACK HACK not unstable!
- rsync -av "$ARTIFACTS/sign/$HASH/$ARCH-$DIST/" "$TESTTMP/"
-
- run_tests "$DIST" "$ARCH" "$TESTTMP"
-
- #echo "Copy test logs to $ARTIFACTS/test-logs/$HASH/ :"
- #rsync -av --exclude shim.git "$TESTTMP/$HASH/" "$ARTIFACTS/test-logs/$HASH/"
- done
-done
-
-exit 0