sdk: Fix ephemeral key directory paths baked into container images

danzatt · danzatt · commit 27638a2173d3 · 2025-11-19T13:17:18.000+01:00
The SDK container build process was persisting temporary directory
paths for module signing keys into /home/sdk/.bashrc. This caused
all container instances to share the same ephemeral key location.

Fixed by:
- Runtime check in sdk_entry.sh to recreate stale temp directories
- Build-time cleanup in Dockerfiles to remove the variables

Each container instance now gets unique temporary directories.

Signed-off-by: Daniel Zatovic &lt;daniel.zatovic@gmail.com&gt;
diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass
@@ -143,8 +143,12 @@ get_sig_key() {
 		die "MODULE_SIG_KEY is using the default value"
 	fi
 
-	if [[ ${sig_key} != /tmp/* ]]; then
-		die "Refusing to to continue with modules key outside of /tmp, so that it stays in RAM only."
+	# For official builds, enforce /tmp to keep keys in RAM only
+	# For unofficial builds, allow persistent directory
+	if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+		if [[ ${sig_key} != /tmp/* ]]; then
+			die "Refusing to continue with modules key outside of /tmp for official builds, so that it stays in RAM only."
+		fi
 	fi
 	if [ "$sig_key" != "${MODULES_SIGN_KEY}" ]; then
 		die "MODULES_SIGN_KEY variable is different than MODULE_SIG_KEY in kernel config."
diff --git a/sdk_lib/Dockerfile.sdk-build b/sdk_lib/Dockerfile.sdk-build
@@ -17,3 +17,8 @@ RUN /home/sdk/sdk_entry.sh ./build_packages --board="amd64-usr" --only_resolve_c
 
 RUN rm /mnt/host/source/.env
 RUN rm -rf /home/sdk/toolchain-pkgs
+
+# Clean up ephemeral key directory variables that were added during build
+RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \
+    sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \
+    sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import
@@ -55,4 +55,9 @@ RUN chmod 755 /home/sdk/sdk_entry.sh
 #  it's likely that scripts and SDK tarball are out of sync
 RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
 
+# Clean up ephemeral key directory variables that were added during build
+RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \
+    sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \
+    sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
+
 ENTRYPOINT ["/home/sdk/sdk_entry.sh"]
diff --git a/sdk_lib/Dockerfile.sdk-update b/sdk_lib/Dockerfile.sdk-update
@@ -19,3 +19,8 @@ RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs
 # Restore original .bashrc to remove sandbox disablement
 RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc
 RUN chown sdk:sdk /home/sdk/.bashrc
+
+# Clean up ephemeral key directory variables that were added during build
+RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \
+    sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \
+    sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
@@ -52,16 +52,30 @@ sed -i -r '/^masters =/s/\bcoreos(\s|$)/coreos-overlay\1/g' /usr/local/portage/c
 # SDK container is launched using the su command below, which does not preserve environment
 # moreover, if multiple shells are attached to the same container,
 # we want all of them to share the same value of the variable, therefore we need to save it in .bashrc
-grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
+# Check if MODULE_SIGNING_KEY_DIR exists in .bashrc and if the directory actually exists
+if grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
+    # Extract the existing path
+    EXISTING_DIR=$(grep 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc | sed "s/.*MODULE_SIGNING_KEY_DIR='\(.*\)'/\1/")
+    # If directory doesn't exist (stale from image build), remove the old entries and recreate
+    if [[ ! -d "$EXISTING_DIR" ]]; then
+        echo "Deleting stale module signing directory."
+        sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc
+        sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc
+        sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc
+    fi
+fi
+
+# Create key directory if not already configured in .bashrc
+if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
     MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
     if [[ ! "$MODULE_SIGNING_KEY_DIR" || ! -d "$MODULE_SIGNING_KEY_DIR" ]]; then
-        echo "Failed to create temporary directory for secure boot keys."
+        echo "Failed to create directory for module signing keys."
     else
         echo "export MODULE_SIGNING_KEY_DIR='$MODULE_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
         echo "export MODULES_SIGN_KEY='${MODULE_SIGNING_KEY_DIR}/certs/modules.pem'" >> /home/sdk/.bashrc
         echo "export MODULES_SIGN_CERT='${MODULE_SIGNING_KEY_DIR}/certs/modules.pub.pem'" >> /home/sdk/.bashrc
     fi
-}
+fi
 
 # This is ugly.
 #   We need to sudo su - sdk -c so the SDK user gets a fresh login.
