From 27638a2173d395bc8f0300434e05c18b269052ef Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Thu, 13 Nov 2025 17:47:19 +0100 Subject: [PATCH 1/5] sdk: Fix ephemeral key directory paths baked into container images The SDK container build process was persisting temporary directory paths for module signing keys into /home/sdk/.bashrc. This caused all container instances to share the same ephemeral key location. Fixed by: - Runtime check in sdk_entry.sh to recreate stale temp directories - Build-time cleanup in Dockerfiles to remove the variables Each container instance now gets unique temporary directories. Signed-off-by: Daniel Zatovic --- .../eclass/coreos-kernel.eclass | 8 ++++++-- sdk_lib/Dockerfile.sdk-build | 5 +++++ sdk_lib/Dockerfile.sdk-import | 5 +++++ sdk_lib/Dockerfile.sdk-update | 5 +++++ sdk_lib/sdk_entry.sh | 20 ++++++++++++++++--- 5 files changed, 38 insertions(+), 5 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass index 8653f315a89..3b5dcf0436f 100644 --- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass +++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass @@ -143,8 +143,12 @@ get_sig_key() { die "MODULE_SIG_KEY is using the default value" fi - if [[ ${sig_key} != /tmp/* ]]; then - die "Refusing to to continue with modules key outside of /tmp, so that it stays in RAM only." + # For official builds, enforce /tmp to keep keys in RAM only + # For unofficial builds, allow persistent directory + if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then + if [[ ${sig_key} != /tmp/* ]]; then + die "Refusing to continue with modules key outside of /tmp for official builds, so that it stays in RAM only." + fi fi if [ "$sig_key" != "${MODULES_SIGN_KEY}" ]; then die "MODULES_SIGN_KEY variable is different than MODULE_SIG_KEY in kernel config." 
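Review bot: The new gate in get_sig_key() treats a missing COREOS_OFFICIAL as unofficial (`${COREOS_OFFICIAL:-0}`), so an environment that simply fails to export the variable silently loses the previously unconditional RAM-only check; the added comment should say so, e.g. `# An unset COREOS_OFFICIAL counts as unofficial and skips the /tmp check; official builds must export COREOS_OFFICIAL=1.` The `-eq` test also evaluates the value arithmetically, so a word such as `true` is looked up as a variable name and typically compares as 0, and some other non-numeric values raise a bash error instead of a `die`; a string test `[[ ${COREOS_OFFICIAL:-0} == 1 ]]` is the usual form for a flag. get_sig_key() begins before this hunk.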
diff --git a/sdk_lib/Dockerfile.sdk-build b/sdk_lib/Dockerfile.sdk-build index 25aa6e333f8..8814e186846 100644 --- a/sdk_lib/Dockerfile.sdk-build +++ b/sdk_lib/Dockerfile.sdk-build @@ -17,3 +17,8 @@ RUN /home/sdk/sdk_entry.sh ./build_packages --board="amd64-usr" --only_resolve_c RUN rm /mnt/host/source/.env RUN rm -rf /home/sdk/toolchain-pkgs + +# Clean up ephemeral key directory variables that were added during build +RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \ + sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \ + sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import index c5762a56fb4..e51c76beab1 100644 --- a/sdk_lib/Dockerfile.sdk-import +++ b/sdk_lib/Dockerfile.sdk-import @@ -55,4 +55,9 @@ RUN chmod 755 /home/sdk/sdk_entry.sh # it's likely that scripts and SDK tarball are out of sync RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr" +# Clean up ephemeral key directory variables that were added during build +RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \ + sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \ + sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc + ENTRYPOINT ["/home/sdk/sdk_entry.sh"] diff --git a/sdk_lib/Dockerfile.sdk-update b/sdk_lib/Dockerfile.sdk-update index 409b07c8a4b..63762996778 100644 --- a/sdk_lib/Dockerfile.sdk-update +++ b/sdk_lib/Dockerfile.sdk-update @@ -19,3 +19,8 @@ RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs # Restore original .bashrc to remove sandbox disablement RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc RUN chown sdk:sdk /home/sdk/.bashrc + +# Clean up ephemeral key directory variables that were added during build +RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \ + sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \ + sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc 
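Review bot: The cleanup added to Dockerfile.sdk-build, Dockerfile.sdk-import and Dockerfile.sdk-update removes only the three export lines from .bashrc; the mktemp directory that sdk_entry.sh created during the preceding build `RUN` steps is left in place, and if the kernel build populated it with a signing key, that key material stays in the image layer after this step. Whether the directory is populated at build time is not visible here, but its path is still recoverable from .bashrc at this point (it is the single-quoted form sdk_entry.sh writes with `echo "export MODULE_SIGNING_KEY_DIR='...'"`), so a step placed before the sed could remove it: `RUN key_dir=$(sed -n "s/^export MODULE_SIGNING_KEY_DIR='\(.*\)'$/\1/p" /home/sdk/.bashrc); if [ -n "$key_dir" ]; then rm -rf -- "$key_dir"; fi`. The comment above the sed should then say that both the directory and the variables are discarded so the image carries no build-time key.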
diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
index 3c7aaeb356d..7b912842850 100755
--- a/sdk_lib/sdk_entry.sh
+++ b/sdk_lib/sdk_entry.sh
@@ -52,16 +52,30 @@ sed -i -r '/^masters =/s/\bcoreos(\s|$)/coreos-overlay\1/g' /usr/local/portage/c # SDK container is launched using the su command below, which does not preserve environment # moreover, if multiple shells are attached to the same container, # we want all of them to share the same value of the variable, therefore we need to save it in .bashrc -grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || { +# Check if MODULE_SIGNING_KEY_DIR exists in .bashrc and if the directory actually exists +if grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then + # Extract the existing path + EXISTING_DIR=$(grep 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc | sed "s/.*MODULE_SIGNING_KEY_DIR='\(.*\)'/\1/") + # If directory doesn't exist (stale from image build), remove the old entries and recreate + if [[ ! -d "$EXISTING_DIR" ]]; then + echo "Deleting stale module signing directory." + sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc + sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc + sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc + fi +fi + +# Create key directory if not already configured in .bashrc +if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d") if [[ ! "$MODULE_SIGNING_KEY_DIR" || ! -d "$MODULE_SIGNING_KEY_DIR" ]]; then - echo "Failed to create temporary directory for secure boot keys." + echo "Failed to create directory for module signing keys." else echo "export MODULE_SIGNING_KEY_DIR='$MODULE_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc echo "export MODULES_SIGN_KEY='${MODULE_SIGNING_KEY_DIR}/certs/modules.pem'" >> /home/sdk/.bashrc echo "export MODULES_SIGN_CERT='${MODULE_SIGNING_KEY_DIR}/certs/modules.pub.pem'" >> /home/sdk/.bashrc fi -} +fi # This is ugly. # We need to sudo su - sdk -c so the SDK user gets a fresh login. From 0aaff9a52acf90876eb7f86bbf304a486f52e65b Mon Sep 17 00:00:00 2001 
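Review bot: The message `echo "Deleting stale module signing directory."` is inaccurate: this branch runs precisely because the directory no longer exists, and the three `sed -i` lines only drop the export lines from .bashrc, so nothing on disk is deleted; `echo "Removing stale module signing key paths from .bashrc."` describes what actually happens. The extraction `grep ... | sed "s/.*MODULE_SIGNING_KEY_DIR='\(.*\)'/\1/"` depends on the greedy `.*` and on the single-quoted line format this same block writes further down, which holds for mktemp paths but is an implicit coupling worth a comment such as `# Parses the line written by the echo below; keep the two formats in sync.`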
From: Daniel Zatovic Date: Thu, 13 Nov 2025 18:42:26 +0100 Subject: [PATCH 2/5] sdk_entry: use persistent module signing keys for unofficial builds For official builds (COREOS_OFFICIAL=1), continue using ephemeral temporary directories for module signing keys. For unofficial/development builds, use a persistent directory at /mnt/host/source/.module-signing-keys to preserve keys across container restarts. Signed-off-by: Daniel Zatovic --- .../coreos-overlay/eclass/coreos-kernel.eclass | 6 ++++++ sdk_lib/sdk_entry.sh | 8 +++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass index 3b5dcf0436f..f6345f7a226 100644 --- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass +++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass @@ -169,6 +169,12 @@ setup_keys() { echo "Preparing keys at $sig_key" + if [[ ${COREOS_OFFICIAL:-0} -eq 0 ]]; then + # Allow portage sandbox to write to the module signing key directory, + # which is in home for unofficial builds + addwrite "${MODULE_SIGNING_KEY_DIR}" + fi + mkdir -p $MODULE_SIGNING_KEY_DIR pushd $MODULE_SIGNING_KEY_DIR diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh index 7b912842850..fce5edf509e 100755 --- a/sdk_lib/sdk_entry.sh +++ b/sdk_lib/sdk_entry.sh 
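Review bot: `addwrite "${MODULE_SIGNING_KEY_DIR}"` in setup_keys() runs before anything checks that the variable is set, and the `mkdir -p $MODULE_SIGNING_KEY_DIR` below it carries no `|| die`, so an empty value reaches both addwrite and mkdir with an empty argument; a guard such as `[[ -n ${MODULE_SIGNING_KEY_DIR} ]] || die "MODULE_SIGNING_KEY_DIR is not set"` ahead of the new block would fail loudly instead. The comment should also state why widening the sandbox is acceptable here, e.g. `# Unofficial builds keep the key under /home/sdk, which the sandbox does not allow writes to by default; official builds use a mktemp directory under /tmp (presumably already writable — confirm).` setup_keys() begins before this hunk.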
@@ -67,7 +67,13 @@ fi # Create key directory if not already configured in .bashrc if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then - MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d") + # For official builds, use ephemeral keys. For unofficial builds, use persistent directory + if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then + MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d") + else + MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys" + su sdk -c "mkdir -p '$MODULE_SIGNING_KEY_DIR'" + fi if [[ ! "$MODULE_SIGNING_KEY_DIR" || ! -d "$MODULE_SIGNING_KEY_DIR" ]]; then echo "Failed to create directory for module signing keys." else From 1dbd08e8f03bf078643f1537e50c12485859c377 Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Mon, 17 Nov 2025 09:21:20 +0100 Subject: [PATCH 3/5] Apply PR review suggestion: consolidate sed calls and add '=' to patterns in Dockerfile.sdk-update Signed-off-by: Daniel Zatovic --- sdk_lib/Dockerfile.sdk-build | 6 +++--- sdk_lib/Dockerfile.sdk-import | 6 +++--- sdk_lib/Dockerfile.sdk-update | 6 +++--- sdk_lib/sdk_entry.sh | 18 +++++++++--------- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/sdk_lib/Dockerfile.sdk-build b/sdk_lib/Dockerfile.sdk-build index 8814e186846..b61af9cd91d 100644 --- a/sdk_lib/Dockerfile.sdk-build +++ b/sdk_lib/Dockerfile.sdk-build @@ -19,6 +19,6 @@ RUN rm /mnt/host/source/.env RUN rm -rf /home/sdk/toolchain-pkgs # Clean up ephemeral key directory variables that were added during build -RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \ - sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \ - sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc +RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \ + -e '/export MODULES_SIGN_KEY=/d' \ + -e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import index e51c76beab1..10a625a319a 100644 --- a/sdk_lib/Dockerfile.sdk-import 
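Review bot: The persistent directory is created with a plain `su sdk -c "mkdir -p '$MODULE_SIGNING_KEY_DIR'"`, so its mode comes from the sdk user's umask, whereas the official path inherits mktemp -d's owner-only mode; since the private module signing key is meant to live there across container restarts, the mode should be explicit: `su sdk -c "mkdir -p -m 0700 '$MODULE_SIGNING_KEY_DIR'"`. The commit message names `/mnt/host/source/.module-signing-keys` while this hunk uses `/home/sdk/.module-signing-keys` (and the eclass comment in this series says "in home"); one of the two should be corrected so readers know where the key actually lands. A one-line comment at the else branch, e.g. `# Development-only key; it persists in the image's home directory and must never be used for a release build.`, would make the intended scope clear.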
+++ b/sdk_lib/Dockerfile.sdk-import @@ -56,8 +56,8 @@ RUN chmod 755 /home/sdk/sdk_entry.sh RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr" # Clean up ephemeral key directory variables that were added during build -RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \ - sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \ - sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc +RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \ + -e '/export MODULES_SIGN_KEY=/d' \ + -e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc ENTRYPOINT ["/home/sdk/sdk_entry.sh"] diff --git a/sdk_lib/Dockerfile.sdk-update b/sdk_lib/Dockerfile.sdk-update index 63762996778..a102b656cb5 100644 --- a/sdk_lib/Dockerfile.sdk-update +++ b/sdk_lib/Dockerfile.sdk-update @@ -21,6 +21,6 @@ RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc RUN chown sdk:sdk /home/sdk/.bashrc # Clean up ephemeral key directory variables that were added during build -RUN sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc && \ - sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc && \ - sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc +RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \ + -e '/export MODULES_SIGN_KEY=/d' \ + -e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh index fce5edf509e..922ad534ea7 100755 --- a/sdk_lib/sdk_entry.sh +++ b/sdk_lib/sdk_entry.sh 
@@ -53,28 +53,28 @@ sed -i -r '/^masters =/s/\bcoreos(\s|$)/coreos-overlay\1/g' /usr/local/portage/c # moreover, if multiple shells are attached to the same container, # we want all of them to share the same value of the variable, therefore we need to save it in .bashrc # Check if MODULE_SIGNING_KEY_DIR exists in .bashrc and if the directory actually exists -if grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then +if grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then # Extract the existing path - EXISTING_DIR=$(grep 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc | sed "s/.*MODULE_SIGNING_KEY_DIR='\(.*\)'/\1/") + EXISTING_DIR=$(source /home/sdk/.bashrc 2>/dev/null; echo "$MODULE_SIGNING_KEY_DIR") # If directory doesn't exist (stale from image build), remove the old entries and recreate - if [[ ! -d "$EXISTING_DIR" ]]; then + if [[ ! -d ${EXISTING_DIR} ]]; then echo "Deleting stale module signing directory." - sed -i '/export MODULE_SIGNING_KEY_DIR/d' /home/sdk/.bashrc - sed -i '/export MODULES_SIGN_KEY/d' /home/sdk/.bashrc - sed -i '/export MODULES_SIGN_CERT/d' /home/sdk/.bashrc + sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \ + -e '/export MODULES_SIGN_KEY=/d' \ + -e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc fi fi # Create key directory if not already configured in .bashrc -if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then +if ! grep -q 'export MODULE_SIGNING_KEY_DIR=' /home/sdk/.bashrc; then # For official builds, use ephemeral keys. For unofficial builds, use persistent directory if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d") else MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys" - su sdk -c "mkdir -p '$MODULE_SIGNING_KEY_DIR'" + su sdk -c "mkdir -p ${MODULE_SIGNING_KEY_DIR@Q}" fi - if [[ ! "$MODULE_SIGNING_KEY_DIR" || ! -d "$MODULE_SIGNING_KEY_DIR" ]]; then + if [[ ! ${MODULE_SIGNING_KEY_DIR} || ! 
-d ${MODULE_SIGNING_KEY_DIR} ]]; then echo "Failed to create directory for module signing keys." else echo "export MODULE_SIGNING_KEY_DIR='$MODULE_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc From 7d30c71f9866ea49eec22e4c0ee8138189e48dfd Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Mon, 17 Nov 2025 13:33:05 +0100 Subject: [PATCH 4/5] eclass/coreos-kernel: fix indentation and codestyle Signed-off-by: Daniel Zatovic --- .../coreos-overlay/eclass/coreos-kernel.eclass | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass index f6345f7a226..cd895343330 100644 --- a/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass +++ b/sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass @@ -154,7 +154,7 @@ get_sig_key() { die "MODULES_SIGN_KEY variable is different than MODULE_SIG_KEY in kernel config." fi - echo $sig_key + echo "$sig_key" } validate_sig_key() { @@ -170,13 +170,13 @@ setup_keys() { echo "Preparing keys at $sig_key" if [[ ${COREOS_OFFICIAL:-0} -eq 0 ]]; then - # Allow portage sandbox to write to the module signing key directory, - # which is in home for unofficial builds - addwrite "${MODULE_SIGNING_KEY_DIR}" - fi + # Allow portage sandbox to write to the module signing key directory, + # which is in home for unofficial builds + addwrite "${MODULE_SIGNING_KEY_DIR}" + fi - mkdir -p $MODULE_SIGNING_KEY_DIR - pushd $MODULE_SIGNING_KEY_DIR + mkdir -p "$MODULE_SIGNING_KEY_DIR" + pushd "$MODULE_SIGNING_KEY_DIR" mkdir -p gen_certs || die # based on the default config the kernel auto-generates From 5de95802930b901d39983e0ebb3a072556be27bd Mon Sep 17 00:00:00 2001 
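Review bot: `EXISTING_DIR=$(source /home/sdk/.bashrc 2>/dev/null; echo "$MODULE_SIGNING_KEY_DIR")` executes the whole of /home/sdk/.bashrc instead of reading one value, and at this point sdk_entry.sh appears to run as root (it calls `su sdk -c` and edits files under /usr/local/portage), while Dockerfile.sdk-update chowns that file to sdk:sdk; so a file owned by the unprivileged user is executed with root privileges on every container start, and the `2>/dev/null` hides anything it reports. The value can be parsed from the exact line this script writes a few lines later without executing the file: `EXISTING_DIR=$(sed -n "s/^export MODULE_SIGNING_KEY_DIR='\(.*\)'$/\1/p" /home/sdk/.bashrc)`. That anchored pattern also preserves the `=`-suffixed matching this commit introduces for the grep and sed calls.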
From: Daniel Zatovic Date: Mon, 17 Nov 2025 15:33:45 +0100 Subject: [PATCH 5/5] sdk_entry: Source .sdkenv to get COREOS_OFFICIAL Fix bug where COREOS_OFFICIAL wasn't available during sdk_entry.sh execution, causing official builds to incorrectly use persistent module signing keys instead of ephemeral /tmp keys. Signed-off-by: Daniel Zatovic --- sdk_lib/sdk_entry.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh index 922ad534ea7..6458bf8271a 100755 --- a/sdk_lib/sdk_entry.sh +++ b/sdk_lib/sdk_entry.sh @@ -1,5 +1,10 @@ #!/bin/bash +# Source SDK environment variables if available (includes COREOS_OFFICIAL, etc.) +if [ -f /mnt/host/source/.sdkenv ]; then + source /mnt/host/source/.sdkenv +fi + if [ -n "${SDK_USER_ID:-}" ] ; then # If the "core" user from /usr/share/baselayout/passwd has the same ID, allow to take it instead usermod --non-unique -u $SDK_USER_ID sdk
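Review bot: `source /mnt/host/source/.sdkenv` executes the file rather than reading COREOS_OFFICIAL from it, and it runs before the `su` to the sdk user, so whatever the mounted source tree places there runs with root privileges inside the container (the Dockerfiles treat /mnt/host/source as the checkout, e.g. `rm /mnt/host/source/.env`). If .sdkenv holds plain `KEY=value` lines — its format is not visible here — reading just the needed key avoids that: `COREOS_OFFICIAL=$(sed -n 's/^COREOS_OFFICIAL=//p' /mnt/host/source/.sdkenv)`, with quotes stripped if the file quotes values. At minimum the new comment should record the assumption: `# .sdkenv comes from the mounted source tree and is executed as root here; it must contain only variable assignments.` The `[ -f ]` guard also means a missing file silently leaves COREOS_OFFICIAL unset, which the eclass and the key setup then treat as unofficial; an `else echo "No .sdkenv found; assuming unofficial build." >&2` would make that visible in the logs.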