Commit ba393a38 authored by Ophélie Gagnard's avatar Ophélie Gagnard

Keep moving the private keys to another repository.

	dracut.module/dracut.conf.in: Change the templates for key and certificate path. Add some variables.
	installation/dependencies.sh: Do not copy the local flb.conf.in into the fluent-bit directory anymore.
	installation/env.sh: Add variables for the key and certificate paths and names.
	installation/install.sh: Change the dracut_conf_regex accordingly.
	uefi-keys/make_keys.sh: Add a header similar to the installation/ scripts (for instance, source installation/env.sh).
parent 8123d197
...@@ -15,5 +15,7 @@ reproducible=yes ...@@ -15,5 +15,7 @@ reproducible=yes
#loginstall=./loginstall/ #loginstall=./loginstall/
uefi=yes uefi=yes
uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
#uefi_secureboot_cert=%PROJECT_DIR%/uefi-keys/keys/db.crt #uefi_secureboot_cert=%PROJECT_DIR%/uefi-keys/keys/db.cer
#uefi_secureboot_key=%PROJECT_DIR%/uefi-keys/keys/db.key #uefi_secureboot_key=%PROJECT_DIR%/uefi-keys/keys/db.key
uefi_secureboot_cert=%PUBLIC_CERT_DIR%/%CERT_NAME%
uefi_secureboot_key=%PRIVATE_KEYS_DIR%/%SIGNING_KEY_NAME%
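Review bot: `uefi_secureboot_cert` now points at `db.cer`, the file env.sh describes as the format picked because `.crt` "does not work on every UEFI"; if that file is the DER encoding used for firmware enrollment, it is presumably not usable here, since as far as I know dracut hands this path to `sbsign --cert`, which reads a PEM certificate. How make_keys.sh produces `db.cer` is not visible in this diff, so this needs confirming; the usual arrangement is a PEM copy for signing and a DER copy for enrollment, and a comment such as `# must be PEM: passed to sbsign, not to the firmware` on this line would make the expectation explicit. The two commented-out `%PROJECT_DIR%` lines above are now dead templates, since install.sh no longer substitutes that placeholder; either drop them or mark them `# legacy paths, no longer substituted by install.sh`.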
...@@ -4,15 +4,15 @@ set -e ...@@ -4,15 +4,15 @@ set -e
# get the root of the git repository (requires git to be installed) # get the root of the git repository (requires git to be installed)
GIT_ROOT=`git rev-parse --show-toplevel` GIT_ROOT=`git rev-parse --show-toplevel`
cd $GIT_ROOT/installation/ cd ${GIT_ROOT}/installation/
# define useful variables # define useful variables
source env.sh source env.sh
# useful tools # useful tools
apt -y install ${APT_UTILITY_PACKAGES} apt -y install ${APT_UTILITY_PACKAGES}
git config --global user.email "francois.gagnard@nexedi.com" git config --global user.email "ophelie.gagnard@nexedi.com"
git config --global user.name "Francois Gagnard" git config --global user.name "Ophelie Gagnard"
# building initramfs # building initramfs
apt -y install ${APT_SPECIFIC_PACKAGES} apt -y install ${APT_SPECIFIC_PACKAGES}
...@@ -23,7 +23,6 @@ apt -y install ./"$MCA_PACKAGE_FILE" ...@@ -23,7 +23,6 @@ apt -y install ./"$MCA_PACKAGE_FILE"
apt -y install ./"$FLUENTBIT_PACKAGE_FILE" apt -y install ./"$FLUENTBIT_PACKAGE_FILE"
FLB_CONF_PATH=/opt/${MCA_NAME_AND_VERSION}/etc/ FLB_CONF_PATH=/opt/${MCA_NAME_AND_VERSION}/etc/
cp flb.conf.in $FLB_CONF_PATH # temporary fix
CONF_REGEX="s|%WENDELIN_REFERENCE%|${WENDELIN_REFERENCE}|g" CONF_REGEX="s|%WENDELIN_REFERENCE%|${WENDELIN_REFERENCE}|g"
sed $CONF_REGEX $FLB_CONF_PATH/flb.conf.in > $FLB_CONF_PATH/flb.conf sed ${CONF_REGEX} ${FLB_CONF_PATH}/flb.conf.in > ${FLB_CONF_PATH}/flb.conf
echo "Created ${FLB_CONF_PATH}/flb.conf from template ${FLB_CONF_PATH}/flb.conf.in" echo "Created ${FLB_CONF_PATH}/flb.conf from template ${FLB_CONF_PATH}/flb.conf.in"
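Review bot: The `git config --global user.email` / `user.name` lines in the first hunk still hard-code one developer's personal identity into the global git configuration of every machine this script is run on; the commit only changes whose identity it is. If the tooling needs an identity for commits it makes, take it from env.sh, e.g. `git config --global user.email "${GIT_USER_EMAIL}"` and `git config --global user.name "${GIT_USER_NAME}"`, or scope it to the checkout with `git -C "${GIT_ROOT}" config user.email …` so it does not end up in root's ~/.gitconfig. In the second hunk, dropping the `cp` means `${FLB_CONF_PATH}/flb.conf.in` must now come from the installed package; under the `set -e` visible in the first hunk header a missing template will abort on sed's own terse error, so a check such as `[ -f "${FLB_CONF_PATH}/flb.conf.in" ] || { echo "ERROR: ${FLB_CONF_PATH}/flb.conf.in not shipped by package" >&2; exit 1; }` before the `sed` would give a clearer diagnostic.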
...@@ -6,6 +6,7 @@ PROJECT_DIR=$GIT_ROOT ...@@ -6,6 +6,7 @@ PROJECT_DIR=$GIT_ROOT
# TO BE MODIFIED BY USERS: # TO BE MODIFIED BY USERS:
# packages
MCA_PACKAGE_NAME=dep--mca--static MCA_PACKAGE_NAME=dep--mca--static
FLUENTBIT_PACKAGE_NAME=dep--fluent-bit FLUENTBIT_PACKAGE_NAME=dep--fluent-bit
MCA_VERSION=1-1 MCA_VERSION=1-1
...@@ -13,7 +14,12 @@ FLUENTBIT_VERSION=1-1 ...@@ -13,7 +14,12 @@ FLUENTBIT_VERSION=1-1
TARGET_DISTRIBUTION=Debian_11 TARGET_DISTRIBUTION=Debian_11
ARCH=amd64 ARCH=amd64
PACKAGE_EXTENSION=.deb PACKAGE_EXTENSION=.deb
# wendelin
WENDELIN_REFERENCE=douai002-capri009 WENDELIN_REFERENCE=douai002-capri009
# keys and certificates
SERVER_GROUP=douai
CERT_NAME=db.cer # could be crt but does not work on every UEFI
SIGNING_KEY_NAME=db.key
# used mainly in dracut.module/configure # used mainly in dracut.module/configure
...@@ -39,6 +45,10 @@ RELATIVE_EFI_IMAGE_DIR=$(realpath -m $RELATIVE_EFI_IMAGE_DIR) ...@@ -39,6 +45,10 @@ RELATIVE_EFI_IMAGE_DIR=$(realpath -m $RELATIVE_EFI_IMAGE_DIR)
EFI_IMAGE_DIR=$(realpath -m $EFI_IMAGE_DIR) EFI_IMAGE_DIR=$(realpath -m $EFI_IMAGE_DIR)
dracut_output_file=dracut-output dracut_output_file=dracut-output
#TARGET_DISK=/dev/nvme1n1 # used mainly in uefi-keys/make_keys.sh
#TARGET_EFI_PARTITION=${TARGET_DISK}p1 CERT_DIR=public-certificates
#TARGET_ROOT_PARTITION=${TARGET_DISK}p2 KEYS_DIR=private-keys
PUBLIC_CERT_DIR=${PROJECT_DIR}/${CERT_DIR}/${SERVER_GROUP}
PRIVATE_KEYS_DIR=${PROJECT_DIR}/${KEYS_DIR}/${SERVER_GROUP}
PUBLIC_CERT_DIR="$(realpath -m \"${PUBLIC_CERT_DIR}\")"
PRIVATE_KEYS_DIR="$(realpath -m \"${PRIVATE_KEYS_DIR}\")"
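Review bot: The two `realpath` lines closing the last hunk compute wrong paths: inside `$( … )` the backslash-escaped quotes are not quoting but are passed to `realpath` as literal `"` characters, so the argument no longer begins with `/` and `realpath -m` resolves it relative to the current directory, yielding something like `<cwd>/"<project>/public-certificates/douai"`. Ordinary inner quoting is all that is needed: `PUBLIC_CERT_DIR="$(realpath -m "${PUBLIC_CERT_DIR}")"` and `PRIVATE_KEYS_DIR="$(realpath -m "${PRIVATE_KEYS_DIR}")"`. Both values are built from `PROJECT_DIR`, which the first hunk header shows is `$GIT_ROOT` (output of `git rev-parse --show-toplevel`, normally already absolute), so the `realpath` step could also simply be dropped. Note that `-m` accepts non-existent paths, so this will not catch a missing private-keys checkout; that check remains make_keys.sh's job.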
...@@ -125,7 +125,7 @@ make install ...@@ -125,7 +125,7 @@ make install
cd - cd -
# Generation of dracut.module/dracut.conf # Generation of dracut.module/dracut.conf
dracut_conf_regex="s|%PROJECT_DIR%|${PROJECT_DIR}|g;s|%ROOT_PARTITION_ID%|${ROOT_PARTITION_ID}|g;s|%DEFAULT_INTERFACE%|${DEFAULT_INTERFACE}|g;s|%DEFAULT_ROUTER%|${DEFAULT_ROUTER}|g;s|%DEFAULT_IP%|${DEFAULT_IP}|g;s|%FORMATTED_NETMASK%|${FORMATTED_NETMASK}|g;s|%HOSTNAME%|${HOSTNAME}|g" dracut_conf_regex="s|%PUBLIC_CERT_DIR%|${PUBLIC_CERT_DIR}|g;s|%CERT_NAME%|${CERT_NAME}|;s|%SIGNING_KEY_NAME%|${SIGNING_KEY_NAME}|g;s|||g;s|%ROOT_PARTITION_ID%|${ROOT_PARTITION_ID}|g;s|%DEFAULT_INTERFACE%|${DEFAULT_INTERFACE}|g;s|%DEFAULT_ROUTER%|${DEFAULT_ROUTER}|g;s|%DEFAULT_IP%|${DEFAULT_IP}|g;s|%FORMATTED_NETMASK%|${FORMATTED_NETMASK}|g;s|%HOSTNAME%|${HOSTNAME}|g"
cd dracut.module cd dracut.module
sed "${dracut_conf_regex}" dracut.conf.in > dracut.conf sed "${dracut_conf_regex}" dracut.conf.in > dracut.conf
cd - cd -
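Review bot: The new `dracut_conf_regex` never substitutes `%PRIVATE_KEYS_DIR%`, which dracut.conf.in now uses for `uefi_secureboot_key`, so the generated dracut.conf will carry the literal placeholder as the key path and signing of the UEFI image presumably cannot succeed. The stray fragment `s|||g` looks like where that substitution was meant to go; as written, an empty regex in sed reuses the last regex executed (here `%SIGNING_KEY_NAME%`) and deletes its matches, which is a silent no-op here but misleading. Replace it, and give `%CERT_NAME%` the same `g` flag as its neighbours, so the expression starts `s|%PUBLIC_CERT_DIR%|${PUBLIC_CERT_DIR}|g;s|%PRIVATE_KEYS_DIR%|${PRIVATE_KEYS_DIR}|g;s|%CERT_NAME%|${CERT_NAME}|g;s|%SIGNING_KEY_NAME%|${SIGNING_KEY_NAME}|g;` followed by the existing substitutions. The `%PROJECT_DIR%` substitution was also removed, so any remaining `%PROJECT_DIR%` in the template (the commented-out lines) is now left untouched; the surrounding script runs outside this hunk, so whether `set -e` guards the `sed` is not visible here.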
......
...@@ -10,23 +10,28 @@ ...@@ -10,23 +10,28 @@
# .esl EFI signature list # .esl EFI signature list
# .auth authentication header (secure variable update) # .auth authentication header (secure variable update)
$SERVER_GROUP=douai set -e
$KEYS_DIR=private-keys/
$CERT_DIR=public-certificates/ # get the root of the git repository (requires git to be installed)
$PRIVATE_KEYS_DIR=${KEYS_DIR}${SERVER_GROUP} GIT_ROOT=`git rev-parse --show-toplevel`
$PUBLIC_CERT_DIR=${CERT_DIR}${SERVER_GROUP} cd $GIT_ROOT/installation/
# define useful variables
source env.sh
cd -
if [ ! -d "$KEYS_DIR" ]; then if [ ! -d "$KEYS_DIR" ]; then
echo "ERROR: Please clone the \"private-keys\" repository first, or choose the right name for \$KEYS_DIR." echo "ERROR: Please clone the \"private-keys\" repository first, or choose the right name for \$KEYS_DIR."
exit exit
fi fi
mkdir -p ${PRIVATE_KEYS_DIR} ${PUBLIC_CERT_DIR}
echo -n "Enter a Common Name to embed in the keys: " echo -n "Enter a Common Name to embed in the keys: "
read NAME read NAME
mkdir -p keys
cd keys
# Request certificates and create corresponding private keys. # Request certificates and create corresponding private keys.
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout ${PRIVATE_KEYS_DIR}/PK.key \ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout ${PRIVATE_KEYS_DIR}/PK.key \
-out ${PUBLIC_CERT_DIR}/PK.crt -days 3650 -nodes -sha256 -out ${PUBLIC_CERT_DIR}/PK.crt -days 3650 -nodes -sha256
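Review bot: The missing-repository branch ends with a bare `exit`, i.e. status 0, so a caller or `set -e` wrapper cannot tell that no keys were generated; make it `exit 1` and send the message to stderr. That check also tests the relative `$KEYS_DIR` (`private-keys`) after `cd -` has returned to whatever directory the script was launched from, while the paths actually written to are the absolute `PRIVATE_KEYS_DIR`/`PUBLIC_CERT_DIR` from env.sh, and the following `mkdir -p` will create the group directory regardless; testing `[ ! -d "${PROJECT_DIR}/${KEYS_DIR}" ]` would check the location that is really used. Since the private keys are written unencrypted (`-nodes`) into a checkout, set `umask 077` before the `openssl` calls so `PK.key` and the other keys are not created readable by every local user. `read NAME` should be `read -r NAME`, and a `/` in the entered name would break the `-subj` string. The rest of the key generation, including how `db.cer` is produced, lies outside this hunk.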
......