Add support for generating signed sysexts

Use systemd-repart for creating signed DDI sysexts. Signing is performed
via Azure Keyvault PKCS11 token, which is installed in the Docker image.
We build both, signed discoverable disk image and raw unsigned image.

Author: danzatt

.github/workflows/release.yaml

@@ -56,9 +56,19 @@ jobs:
     continue-on-error: true 
 
     runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/flatcar/ubuntu-keyvault-pkcs11-token:main
+      options: >-
+        --privileged
+        -v ${{ github.workspace }}:${{ github.workspace }}
+        -v /tmp:/tmp
+        -w ${{ github.workspace }}
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
     permissions:
       # allow the action to create a release
       contents: write
+      id-token: write
     steps:
       - name: Set up qemu / binmft misc for cross-platform builds
         uses: docker/setup-qemu-action@v3
@@ -80,12 +90,21 @@ jobs:
             xz-utils \
             erofs-utils
 
+      - name: Azure Login
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: build
         id: build
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          KEYVAULT_NAME: ${{ secrets.KEYVAULT_NAME }}
+          KEYVAULT_CERT_NAME: ${{ secrets.KEYVAULT_CERT_NAME }}
         run: |
-          pushd bakery
+          cd bakery
           ./release.sh ${{ matrix.release }}
 
       - name: create a new release

lib/generate.sh

@@ -102,6 +102,43 @@ function _create_sysupdate() {
 function _version_ge() {
     test "$(printf '%s\n' "$@" | sort -rV | head -n 1)" == "$1";
 }
+
+function _generate_signed_sysext() {
+  BASEDIR="$1"
+  OUTPUT_IMAGE="$2"
+  FS_FORMAT="$3"
+
+  # Create temporary working directory
+  WORKDIR=$(mktemp -d)
+  trap 'rm -rf "$WORKDIR"' RETURN
+
+  cp -r "${libroot}/sysext.repart.d/" "$WORKDIR"
+  sed -Ei "s/^Format=erofs/Format=${FS_FORMAT}/" "$WORKDIR/sysext.repart.d/10-root.conf"
+
+  PKCS_TOKEN_NAME="pkcs11:token=${KEYVAULT_CERT_NAME}"
+  PKCS11_ENV=(
+      AZURE_KEYVAULT_URL="https://${KEYVAULT_NAME}.vault.azure.net/"
+      PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH:-/usr/local/lib/pkcs11/azure-keyvault-pkcs11.so}"
+      AZURE_KEYVAULT_PKCS11_DEBUG=1
+  )
+
+  CERT_CONTENT=$(az keyvault certificate download \
+    --vault-name "$KEYVAULT_NAME" \
+    --name "${KEYVAULT_CERT_NAME}" \
+    --file /dev/stdout)
+
+  env "${PKCS11_ENV[@]}" systemd-repart \
+    --empty=create \
+    --size=auto \
+    --private-key-source=engine:pkcs11 \
+    --private-key="$PKCS_TOKEN_NAME" \
+    --certificate=<(echo "$CERT_CONTENT") \
+    --definitions="${WORKDIR}/sysext.repart.d" \
+    --copy-source="$BASEDIR" \
+    "$OUTPUT_IMAGE"
+
+  echo "Signed sysext created: $OUTPUT_IMAGE"
+}
 # --
 
 function _generate_sysext() {
@@ -110,33 +147,58 @@ function _generate_sysext() {
   local format="$3"
   local ext_fs_size="$4"
   local fname="$5"
+  local signed_ddi="$6"
+
+  if [[ ${signed_ddi} == true ]] ; then
+    extname="${extname}-signed-ddi"
+  fi
 
   announce "Creating extension image '${fname}' and generating SHA256SUM"
-  case "$format" in
-    btrfs)
-      # Note: We didn't chown to root:root, meaning that the file ownership is left as is
-      mkfs.btrfs --mixed -m single -d single --shrink --compress zstd --rootdir "${basedir}" "${fname}"
-      ;;
-    ext2|ext4)
-      truncate -s "${ext_fs_size}" "${fname}"
-      mkfs."${format}" -E root_owner=0:0 -d "${basedir}" "${fname}"
-      resize2fs -M "${fname}"
-      ;;
-    squashfs)
-      VERSION=$({ mksquashfs -version || true ; } | head -n1 | cut -d " " -f 3)
-      ARG=(-all-root -noappend)
-      if _version_ge "${VERSION}" "4.6.1"; then
-        ARG+=('-xattrs-exclude' '^btrfs.')
-      fi
-      mksquashfs "${basedir}" "${fname}" "${ARG[@]}"
-      ;;
-    erofs)
-      # Compression recommendations from https://erofs.docs.kernel.org/en/latest/mkfs.html
-      # and forcing a zero UUID for reproducibility (maybe we could also hash the name and version)
-      mkfs.erofs -zlz4hc,12 -C65536 -Efragments,ztailpacking -Uclear --all-root "${fname}" "${basedir}"
-      ;;
 
-  esac
+  VERSION=$({ mksquashfs -version || true ; } | head -n1 | cut -d " " -f 3)
+  SQUASHFS_ARG=(-all-root -noappend)
+  if _version_ge "${VERSION}" "4.6.1"; then
+    SQUASHFS_ARG+=('-xattrs-exclude' "'^btrfs.'")
+  fi
+
+  # Note: We didn't chown to root:root, meaning that the file ownership is left as is
+  SYSTEMD_REPART_MKFS_OPTIONS_BTRFS="--mixed -m single -d single --shrink --compress zstd"
+  SYSTEMD_REPART_MKFS_OPTIONS_EXT2="-E root_owner=0:0"
+  SYSTEMD_REPART_MKFS_OPTIONS_EXT4="$SYSTEMD_REPART_MKFS_OPTIONS_EXT2"
+  SYSTEMD_REPART_MKFS_OPTIONS_SQUASHFS="${SQUASHFS_ARG[*]}"
+  # Compression recommendations from https://erofs.docs.kernel.org/en/latest/mkfs.html
+  # and forcing a zero UUID for reproducibility (maybe we could also hash the name and version)
+  SYSTEMD_REPART_MKFS_OPTIONS_EROFS="-zlz4hc,12 -C65536 -Efragments,ztailpacking -Uclear --all-root"
+
+  if [[ ${signed_ddi} == true ]] ; then
+    (
+      export SYSTEMD_REPART_MKFS_OPTIONS_BTRFS
+      export SYSTEMD_REPART_MKFS_OPTIONS_EXT2
+      export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
+      export SYSTEMD_REPART_MKFS_OPTIONS_SQUASHFS
+      export SYSTEMD_REPART_MKFS_OPTIONS_EROFS
+      _generate_signed_sysext "${basedir}" "${fname}" "$format"
+    )
+  else
+    options_varname="SYSTEMD_REPART_MKFS_OPTIONS_${format^^}"
+    case "$format" in
+      btrfs)
+        mkfs.btrfs ${!options_varname} --rootdir "${basedir}" "${fname}"
+        ;;
+      ext2|ext4)
+        truncate -s "${ext_fs_size}" "${fname}"
+        mkfs."${format}" ${!options_varname} -d "${basedir}" "${fname}"
+        resize2fs -M "${fname}"
+        ;;
+      squashfs)
+        mksquashfs "${basedir}" "${fname}" ${!options_varname}
+        ;;
+      erofs)
+        mkfs.erofs "${fname}" "${basedir}" ${!options_varname}
+        ;;
+    esac
+  fi
+
   sha256sum "${fname}" > "SHA256SUMS.${extname}"
   announce "'${fname}' is now ready"
 }
@@ -196,6 +258,8 @@ function generate_sysext() {
   local basedir="$(get_positional_param "1" "${@}")"
   local arch="$(get_positional_param "2" "${@}")"
 
+  local signed_ddi="$(get_optional_param "signed-ddi" "false" "${@}")"
+
   if [[ -z ${basedir} ]] || [[ ${basedir} == help ]] ; then
     _generate_sysext_help
     exit
@@ -208,17 +272,28 @@ function generate_sysext() {
 
   local name="$(get_optional_param "name" "$(cd "$basedir"; basename "$(pwd)")" "${@}")"
   local fname="$(get_optional_param "output-file" "${name}" "${@}")"
-  fname="${fname%%.raw}.raw"
+  fname="${fname%%.raw}"
+  if [[ ${signed_ddi} == true ]] ; then
+    fname="${fname}-signed-ddi"
+  fi
+  fname="${fname}.raw"
   rm -f "${fname}"
 
   export SOURCE_DATE_EPOCH
 
   _create_metadata "$name" "$basedir" "$os" "$arch" "$reload_services"
-  _generate_sysext "$name" "$basedir" "$format" "$ext_fs_size" "${fname}"
+  _generate_sysext "$name" "$basedir" "$format" "$ext_fs_size" "${fname}" "$signed_ddi"
 
   local sysupdate="$(get_optional_param "sysupdate" "false" "${@}")"
   if [[ ${sysupdate} == true ]] ; then
-    _create_sysupdate "${name}"
+    local config_name=""
+    local match_pattern=""
+    if [[ ${signed_ddi} == true ]] ; then
+      config_name="${name}-signed-ddi.conf"
+      match_pattern="${name}-@v-%a-signed-ddi.raw"
+    fi
+
+    _create_sysupdate "${name}" "$match_pattern" "" "" "${config_name}"
   fi
 }
 # --

lib/setup_azure_keyvault.sh

@@ -0,0 +1,156 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SUBSCRIPTION_ID="XXX"
+RG_NAME="XXX"
+LOCATION="westeurope"
+KV_NAME="sysext-bakery"
+CERT_NAME="sysext-bakery-signing"
+IDENTITY_NAME="sysext-bakery-github-actions"
+FED_CRED_NAME="gh-main"
+GITHUB_REPO="flatcar/sysext-bakery"  # owner/repo
+GITHUB_BRANCH="main"
+
+echo "Setting subscription..."
+az account set --subscription "$SUBSCRIPTION_ID"
+TENANT_ID="$(az account show --query tenantId -o tsv)"
+
+echo "Creating resource group $RG_NAME in $LOCATION..."
+az group create -n "$RG_NAME" -l "$LOCATION" -o none
+
+# ============
+# KEY VAULT
+# ============
+echo "Creating Key Vault $KV_NAME..."
+# Enable RBAC authorization and purge protection (soft-delete is on by default)
+#
+az keyvault show -n "$KV_NAME" -g "$RG_NAME" -o none 2>/dev/null || \
+  az keyvault create \
+    --name "$KV_NAME" \
+    --resource-group "$RG_NAME" \
+    --location "$LOCATION" \
+    --sku standard \
+    --enable-purge-protection true \
+    --enable-rbac-authorization true \
+    -o none
+KV_ID="$(az keyvault show -n "$KV_NAME" -g "$RG_NAME" --query id -o tsv)"
+
+# 2) Get your Azure AD object id (the caller shown in the error)
+#    This works when you're logged in as a user (not a service principal)
+USER_OID=$(az ad signed-in-user show --query id -o tsv)
+USER_NAME=$(az ad signed-in-user show --query userPrincipalName -o tsv)
+RG_ID=$(az group show -n "$RG_NAME" --query id -o tsv)
+
+# 3) Grant yourself a data-plane role that includes certificate create
+#    Pick ONE of the two; Administrator is broader than Certificates Officer.
+for role in "Key Vault Administrator" "Owner"; do
+  echo "Granting $role role in RG $RG_NAME to $USER_NAME"
+  az role assignment create \
+    --assignee-object-id "$USER_OID" \
+    --assignee-principal-type User \
+    --role "$role" \
+    --scope "$RG_ID" \
+    -o none
+done
+
+echo "Waiting 30 seconds for the permissions to apply. If the script fails, please wait and run it again."
+sleep 30
+
+# ============
+# CERTIFICATE
+# ============
+echo "Creating self-signed certificate $CERT_NAME in $KV_NAME (default policy)..."
+DEFAULT_POLICY="$(az keyvault certificate get-default-policy)"
+az keyvault certificate show --vault-name "$KV_NAME" -n "$CERT_NAME" -o none 2>/dev/null || \
+  az keyvault certificate create \
+    --vault-name "$KV_NAME" \
+    --name "$CERT_NAME" \
+    --policy "$DEFAULT_POLICY" \
+    -o none
+
+# ===============================
+# USER-ASSIGNED MANAGED IDENTITY
+# ===============================
+echo "Creating user-assigned managed identity $IDENTITY_NAME..."
+az identity show --name "$IDENTITY_NAME" --resource-group "$RG_NAME" -o none 2>/dev/null || \
+  az identity create \
+    --name "$IDENTITY_NAME" \
+    --resource-group "$RG_NAME" \
+    --location "$LOCATION" \
+    -o none
+
+IDENTITY_JSON="$(az identity show -n "$IDENTITY_NAME" -g "$RG_NAME")"
+IDENTITY_CLIENT_ID="$(echo "$IDENTITY_JSON" | jq -r .clientId)"
+IDENTITY_PRINCIPAL_ID="$(echo "$IDENTITY_JSON" | jq -r .principalId)"
+# IDENTITY_ID="$(echo "$IDENTITY_JSON" | jq -r .id)"
+
+echo "Identity clientId:    $IDENTITY_CLIENT_ID"
+echo "Identity principalId: $IDENTITY_PRINCIPAL_ID"
+
+# =====================================
+# FEDERATED CREDENTIAL FOR GITHUB OIDC
+# =====================================
+echo "Creating federated credential $FED_CRED_NAME on identity $IDENTITY_NAME for repo $GITHUB_REPO branch ${GITHUB_BRANCH}..."
+ISSUER="https://token.actions.githubusercontent.com"
+AUDIENCE="api://AzureADTokenExchange"
+SUBJECT="repo:${GITHUB_REPO}:ref:refs/heads/${GITHUB_BRANCH}"
+
+az identity federated-credential show --name "$FED_CRED_NAME" --identity-name "$IDENTITY_NAME" --resource-group "$RG_NAME" -o none || \
+  az identity federated-credential create \
+    --name "$FED_CRED_NAME" \
+    --identity-name "$IDENTITY_NAME" \
+    --resource-group "$RG_NAME" \
+    --issuer "$ISSUER" \
+    --subject "$SUBJECT" \
+    --audiences "$AUDIENCE" \
+    -o none
+
+# ==================================
+# ROLE ASSIGNMENTS (Key Vault RBAC)
+# ==================================
+
+IDENTITY_NAME="sysext-bakery-github-actions"
+PRINCIPAL_ID=$(az identity show -n "$IDENTITY_NAME" -g "$RG_NAME" --query principalId -o tsv)
+for role in "Key Vault Crypto User" "Key Vault Secrets User" "Key Vault Reader"; do
+  echo "Granting $role role in RG $RG_NAME to $IDENTITY_NAME"
+  az role assignment create \
+    --assignee-object-id "$PRINCIPAL_ID" \
+    --assignee-principal-type ServicePrincipal \
+    --role "$role" \
+    --scope "$RG_ID" \
+    -o none
+done
+
+# az role assignment create \
+#   --assignee-object-id "$PRINCIPAL_ID" \
+#   --assignee-principal-type ServicePrincipal \
+#   --role "Reader" \
+#   --scope "$KV_ID"
+
+echo "All done."
+echo "---------------------------------------------"
+echo "Key Vault:           $KV_NAME"
+echo "Certificate:         $CERT_NAME"
+echo "Managed Identity:    $IDENTITY_NAME"
+echo "Identity clientId:   $IDENTITY_CLIENT_ID"
+echo "Tenant ID:           $TENANT_ID"
+echo "Subscription ID:     $SUBSCRIPTION_ID"
+echo "---------------------------------------------"
+echo ""
+echo "Please set these GitHub secrets on repo ${GITHUB_REPO}:"
+echo ""
+echo "---------------------------------------------"
+echo "AZURE_CLIENT_ID       : $IDENTITY_CLIENT_ID"
+echo "AZURE_SUBSCRIPTION_ID : $SUBSCRIPTION_ID"
+echo "AZURE_TENANT_ID       : $TENANT_ID"
+echo "KEYVAULT_CERT_NAME    : $CERT_NAME"
+echo "KEYVAULT_NAME         : $KV_NAME"
+echo ""
+echo "You can do it like this:"
+echo ""
+echo "echo '$IDENTITY_CLIENT_ID' | gh secret set --repo '$GITHUB_REPO' AZURE_CLIENT_ID"
+echo "echo '$SUBSCRIPTION_ID' | gh secret set --repo '$GITHUB_REPO' AZURE_SUBSCRIPTION_ID"
+echo "echo '$TENANT_ID' | gh secret set --repo '$GITHUB_REPO' AZURE_TENANT_ID"
+echo "echo '$CERT_NAME' | gh secret set --repo '$GITHUB_REPO' KEYVAULT_CERT_NAME"
+echo "echo '$KV_NAME' | gh secret set --repo '$GITHUB_REPO' KEYVAULT_NAME"
+echo "---------------------------------------------"

lib/sysext.repart.d/10-root.conf

@@ -0,0 +1,17 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Partition]
+Type=root
+Format=erofs
+CopyFiles=/usr/
+CopyFiles=/opt/
+Verity=data
+VerityMatchKey=root
+Minimize=best