Re: Fedora infra for Secure Boot components - local setup

2023-07-05 Thread Kevin Fenzi
On Wed, Jul 05, 2023 at 11:29:27AM -, Kamil Aronowski wrote:
> Hello people. I need some help from the good folks who maintain the Fedora 
> servers responsible for building a bootchain securely, i.e. GRUB2 or the 
> kernel. For instance, the bkernel01.iad2.fedoraproject.org server.

Happy to try and help.

> Let's take a look at the build logs of a recent GRUB2 build 
> (https://koji.fedoraproject.org/koji/buildinfo?buildID=2185557) here: 
> https://kojipkgs.fedoraproject.org//packages/grub2/2.06/95.fc38/data/logs/x86_64/build.log
> As far as I can see, this server has a smart-card with a private key attached 
> and during the building procedure, the critical components are being signed 
> with Red Hat Bootloader Team's `pesign` software (version +115) running in 
> client-server mode rather than standalone mode. By this I mean e.g. line 
> number 7074 from the log file:
> ```
> + /usr/bin/pesign-client -t 'OpenSC Card (Fedora Signer)' -c '/CN=Fedora 
> Secure Boot Signer' -s -i grubx64.efi.orig -o grubx64.efi.onesig
> ```
> 
> I'd like to replicate the setup Fedora has to rebuild bootchain components on 
> my own. My question is: how did you make `pesign-client` work fine? Is there 
> a procedure of some sort that works just fine that I don't know about?
> 
> Here's what I attempted on a Fedora 38 machine:
...snip...
> 
> Please, give me a helping hand with this. What procedure do I have to follow 
> to replicate what's on Fedora Koji instances? What is there that I'm missing?

So, bkernel01/02 are koji builders, so there's kojid and mock in the way
there. We have for mock:

roles/bkernel/files/bkernel-site-defaults.cfg

config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign'))
config_opts['nspawn_args'] += ['--bind=/var/run/pesign']

which bind mounts the pesign socket into the chroot.
(now of course you aren't using mock, but wanted to mention it)

Then, we have some acls on the socket and run directory:
roles/bkernel/tasks/main.yml

  acl: path=/var/run/pesign entity=kojibuilder etype=user permissions=rwx recursive=true state=present

(and some more acls).

So, it might be that just being in the pesign group isn't enough to connect to the
socket? Or there's some selinux denial?

I'd try stracing it and see whether it can talk to the socket
correctly?

If it's talking to the pesign-server ok, then I am not sure what the
problem is. ;( 

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
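A connectivity check for the diagnosis Kevin describes, as an added example that is not part of the thread or of Fedora's ansible roles: it tells apart a run directory that was never bind-mounted into the chroot, a directory ACL that blocks traversal, a connect() denied by socket mode/ACL or an SELinux policy, and a stale socket with no server behind it. The socket path /var/run/pesign/socket is an assumption; check your pesign build for the path it actually uses.

```python
"""Diagnose why pesign-client cannot reach pesign-server's Unix socket.

Added example, not Fedora infrastructure code. The default socket path is
an assumption about where pesign-server listens.
"""
import errno
import os
import socket
import stat

DEFAULT_SOCKET = "/var/run/pesign/socket"  # assumed path


def check_pesign_socket(path: str = DEFAULT_SOCKET) -> dict:
    """Return how far a client gets against `path`; see 'status' key.

    missing      nothing at path: server not running, or /var/run/pesign
                 was not bind-mounted into this mock chroot
    unreachable  parent directory not traversable (missing rwx ACL)
    not_a_socket path exists but is a regular file or directory
    denied       connect() got EACCES/EPERM: socket mode/ACL or SELinux
    refused      socket file exists but nobody is listening (stale)
    ok           connect() succeeded; the problem lies elsewhere
    """
    result = {"path": path, "uid": os.getuid(), "status": None, "errno": None}
    parent = os.path.dirname(path) or "."
    if not os.access(parent, os.X_OK):
        result["status"] = "unreachable"
        return result
    try:
        st = os.stat(path)
    except FileNotFoundError:
        result["status"] = "missing"
        return result
    if not stat.S_ISSOCK(st.st_mode):
        result["status"] = "not_a_socket"
        return result
    result["mode"] = oct(stat.S_IMODE(st.st_mode))  # compare with ACLs
    result["owner"] = (st.st_uid, st.st_gid)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        result["status"] = "ok"
    except OSError as e:
        result["errno"] = e.errno
        if e.errno in (errno.EACCES, errno.EPERM):
            result["status"] = "denied"
        elif e.errno == errno.ECONNREFUSED:
            result["status"] = "refused"
        else:
            result["status"] = "error"
    finally:
        s.close()
    return result
```

Run it as the same user that invokes pesign-client (inside the chroot, if that is where the build runs); a "denied" result with a permissive mode points at SELinux, so check the audit log for AVC denials next.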


Re: Fedora infra development Streaming session

2023-07-05 Thread Aurelien Bompard
> I watched the recording today. Thanks for starting all the way at the
> beginning with the easyfix page. It was interesting to see your dev
> environment with VS Code at the beginning and OpenShift GitHub
> automation at the end, plus the tiny-stage concept. I learned a few
> things!
>

Excellent! Thanks a lot for the feedback.
The first session is up on youtube for those who want to watch it there:
https://youtu.be/X5YqSdw1Azs
I didn't announce it widely because I've never done that before and I
expected a lot of quirks. I didn't even know if my laptop would be capable
of running the video encoding in real time. And surely enough, the sound
was way too low for like 4/5 of the stream... Anyway, that's how we
learn I suppose :-)
I will repeat some stuff about tiny-stage on Friday, but if I don't, anybody
is free and encouraged to ask questions!

Thanks again!

Aurélien


Re: Fedora infra development Streaming session

2023-07-05 Thread Ken Dreyer
On Wed, Jul 5, 2023 at 5:54 AM Aurelien Bompard wrote:
>
> Hey folks!
>
> This Friday at 13:00 UTC I'll be streaming on Twitch[1] about the development 
> of Fedora infrastructure apps. I'll start on a clean env, checkout one of our 
> apps, setup a dev env, fix a small bug, test it, and create a PR.
>
> [1] https://twitch.tv/ohwellien

I watched the recording today. Thanks for starting all the way at the
beginning with the easyfix page. It was interesting to see your dev
environment with VS Code at the beginning and OpenShift GitHub
automation at the end, plus the tiny-stage concept. I learned a few
things!

- Ken


Fedora infra development Streaming session

2023-07-05 Thread Aurelien Bompard
Hey folks!

This Friday at 13:00 UTC I'll be streaming on Twitch[1] about the
development of Fedora infrastructure apps. I'll start on a clean env,
checkout one of our apps, setup a dev env, fix a small bug, test it, and
create a PR.

[1] https://twitch.tv/ohwellien

I haven't decided which app it'll be yet, but it's going to be a simple bug
so that I can do all that in 1h30 max.
Come and ask any questions! :-)

Aurélien

P.S.: I'm not tied to Twitch in any way, it'll be the second time only I do
this sort of thing, and I'm happy to switch to a more appropriate platform
if needed as soon as I'm more comfortable generally streaming stuff :-)