sysext: Sign built-in sysexts

danzatt · danzatt · commit 67c35f01ea4a · 2025-08-01T15:16:14.000+02:00
Generate an ephemeral sysext signing key, that is injected into the
image's sysext root of trust. All OS-dependent sysexts will be signed by
this key and the private key (stored in /tmp) will be discarded on SDK
container exit.
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
@@ -162,6 +162,10 @@ EOF
   # Remove source locale data, only need to ship the compiled archive.
   sudo rm -rf ${root_fs_dir}/usr/share/i18n/
 
+  # Inject ephemeral sysext signing certificate
+  sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
+  sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
+
   # Finish image will move files from /etc to /usr/share/flatcar/etc.
   # Note that image filesystem contents generated by finish_image will not
   # include sysext contents (only the sysext squashfs files themselves).
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
@@ -59,7 +59,7 @@ create_prod_sysext() {
   # Pass the build ID extracted from root FS to build_sysext. This prevents common.sh
   #   in build_sysext to generate a (timestamp based) build ID during a DEV build of a
   #   release tag (which breaks its version check).
-  sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
+  sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
             --board="${BOARD}" \
             --image_builddir="${workdir}/sysext-build" \
             --squashfs_base="${base_sysext}" \
@@ -94,6 +94,14 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
 sysext_base="${sysext_workdir}/base-os.squashfs"
 
 function cleanup() {
+  IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
+  # skip the rootfs
+  mounted_sysexts=("${mounted_sysexts[@]:1}")
+
+  for sysext in "${mounted_sysexts[@]}"; do
+    sudo systemd-dissect --umount --rmdir "$sysext"
+  done
+
   sudo umount "${sysext_mountdir}"/* || true
   rm -rf "${sysext_workdir}" || true
 }
@@ -111,6 +119,7 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
 # for combined overlay later.
 prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
+mkdir -p "${sysext_mountdir}"
 for sysext in ${sysexts_list//,/ }; do
   # format is "<name>:<group>/<package>"
   name="${sysext%|*}"
@@ -124,12 +133,21 @@ for sysext in ${sysexts_list//,/ }; do
                      "${grp_pkg}" \
                      "${prev_pkginfo}"
 
-  mkdir -p "${sysext_mountdir}/${name}" \
-           "${sysext_mountdir}/${name}_pkginfo"
-  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
-                                    "${sysext_mountdir}/${name}"
-  sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
-                                    "${sysext_mountdir}/${name}_pkginfo"
+  sudo systemd-dissect \
+    --read-only \
+    --mount \
+    --mkdir \
+    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+    "${sysext_output_dir}/${name}.raw" \
+    "${sysext_mountdir}/${name}"
+
+  sudo systemd-dissect \
+    --read-only \
+    --mount \
+    --mkdir \
+    --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+    "${sysext_output_dir}/${name}_pkginfo.raw" \
+    "${sysext_mountdir}/${name}_pkginfo"
 
   sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
   sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
@@ -580,7 +580,7 @@ install_oem_sysext() {
     fi
 
     mkdir -p "${built_sysext_dir}"
-    sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
+    sudo -E "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
 
     local installed_sysext_oem_dir='/oem/sysext'
     local installed_sysext_file_prefix="${oem_sysext}-${version}"
diff --git a/build_sysext b/build_sysext
@@ -301,14 +301,25 @@ if [[ -n "${invalid_files}" ]]; then
   die "Invalid file ownership: ${invalid_files}"
 fi
 
-mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
-               -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
+systemd-repart \
+  --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
+  --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
+  --make-ddi=sysext \
+  --copy-source="${BUILD_DIR}/install-root" \
+  "${BUILD_DIR}/${SYSEXTNAME}.raw"
+
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}
 
 # Generate reports
 mkdir "${BUILD_DIR}/img-rootfs"
-mount -rt squashfs -o loop,nodev "${BUILD_DIR}/${SYSEXTNAME}.raw" "${BUILD_DIR}/img-rootfs"
+systemd-dissect --read-only \
+  --mount \
+  --mkdir \
+  --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+  "${BUILD_DIR}/${SYSEXTNAME}.raw" \
+  "${BUILD_DIR}/img-rootfs"
+
 write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt"
 write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt"
 write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt"
-umount "${BUILD_DIR}/img-rootfs"
+systemd-dissect --umount --rmdir "${BUILD_DIR}/img-rootfs"
diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
@@ -63,6 +63,27 @@ grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
     fi
 }
 
+grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
+    SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
+    if [[ ! "$SYSEXT_SIGNING_KEY_DIR" || ! -d "$SYSEXT_SIGNING_KEY_DIR" ]]; then
+        echo "Failed to create temporary directory for secure boot keys."
+    else
+        echo "export SYSEXT_SIGNING_KEY_DIR='$SYSEXT_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
+    fi
+    pushd "$SYSEXT_SIGNING_KEY_DIR"
+    build_id=$(source "/mnt/host/source/.repo/manifests/version.txt"; echo "$FLATCAR_BUILD_ID")
+    openssl req -new -nodes -utf8 \
+        -x509 -batch -sha256 \
+        -days 36000 \
+        -outform PEM \
+        -out sysexts.crt \
+        -keyout sysexts.key \
+        -newkey 4096 \
+        -subj "/CN=Flatcar $build_id sysext signing key/" \
+          || echo "Generating module signing key failed"
+    popd
+}
+
 # This is ugly.
 #   We need to sudo su - sdk -c so the SDK user gets a fresh login.
 #    'sdk' is member of multiple groups, and plain docker USER only
