45 changes: 35 additions & 10 deletions sbkeys/generate-aws-sbkeys
Expand Up @@ -17,6 +17,7 @@ usage: ${0##*/} [--sdk-image SDK_IMAGE]
[--code-sign-key CODE_SIGN_KEY]
[--config-sign-key CONFIG_SIGN_KEY]
[--output-dir OUTPUT_DIR]
[--ca-bundle CA_BUNDLE]

Generate Secure Boot related files. AWS-aware edition.

Expand All @@ -33,6 +34,7 @@ Options:
--code-sign-key KMS key ID or ARN for the code signing key (grub, vmlinuz).
--config-sign-key KMS key ID or ARN for the config signing key (grub.cfg).
--output-dir Path where the keys will be written.
--ca-bundle CA bundle to use to establish trust for AWS API calls.
--help shows this usage text
EOF
}
Expand Down Expand Up @@ -78,6 +80,7 @@ parse_args() {
--code-sign-key ) shift; CODE_SIGN_KEY="${1}" ;;
--config-sign-key ) shift; CONFIG_SIGN_KEY="${1}" ;;
--output-dir ) shift; OUTPUT_DIR="${1}" ;;
--ca-bundle ) shift; CA_BUNDLE="${1}" ;;
*) ;;
esac
shift
Expand All @@ -99,16 +102,28 @@ parse_args() {
}

# Set default variables
if ! AWS_PARTITION=$(aws sts get-caller-identity | jq -r '.Arn' | awk -F: '{ print $2 }' 2>/dev/null) ; then
echo "Partition could not be determined, Defaulting to: aws."
AWS_PARTITION="aws"
fi

CA_SIGNING_ALGORITHM="SHA384WITHRSA"


parse_args "${@}"

AWS_CLI_ARGS=()
if [ -n "${CA_BUNDLE:-}" ] ; then
CA_BUNDLE_FILE="$(mktemp)"

# Move the ca bundle to a temporary file so that it is
# mounted to a sane location in docker
cp "${CA_BUNDLE}" "${CA_BUNDLE_FILE}"
CA_BUNDLE="${CA_BUNDLE_FILE}"

AWS_CLI_ARGS+=(--ca-bundle "${CA_BUNDLE}")
fi
AWS_CLI="aws ${AWS_CLI_ARGS[@]+"${AWS_CLI_ARGS[@]}"}"

if ! AWS_PARTITION=$(${AWS_CLI} sts get-caller-identity | jq -r '.Arn' | awk -F: '{ print $2 }' 2>/dev/null) ; then
echo "Partition could not be determined, Defaulting to: aws."
AWS_PARTITION="aws"
fi

# To avoid needing separate scripts to parse args and launch the SDK container,
# the logic to generate the profile is found below the separator. Copy that to
# a temporary file so it can be executed using the desired method.
Expand All @@ -117,6 +132,9 @@ SBKEYS_SCRIPT="$(mktemp)"
AWS_KMS_PKCS11_CONF="$(mktemp)"
cleanup() {
rm -f "${SBKEYS_SCRIPT}" "${AWS_KMS_PKCS11_CONF}"
if [ -n "${CA_BUNDLE:-}" ] ; then
rm -f "${CA_BUNDLE}"
While reading the code, I initially thought that we were removing the user-supplied CA_BUNDLE, which, for a user running the command with sufficient privileges, would cause that file to be deleted. But I then noticed the assignment CA_BUNDLE="${CA_BUNDLE_FILE}" a bit earlier in execution. This is more of a readability thing, but should we use a different variable name to avoid confusing CA_BUNDLE_FILE with the input CA_BUNDLE variable?

fi
}
trap 'cleanup' EXIT
tail -n +"${PRELUDE_END}" "${0}" >"${SBKEYS_SCRIPT}"
Expand Down Expand Up @@ -159,8 +177,11 @@ if [ -n "${SDK_IMAGE:-}" ] ; then
${AWS_ACCESS_KEY_ID:+-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID} \
${AWS_SECRET_ACCESS_KEY:+-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY} \
${AWS_SESSION_TOKEN:+-e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN} \
${CA_BUNDLE:+-v $CA_BUNDLE:$CA_BUNDLE} \
-e AWS_REGION="${AWS_REGION}" \
-e AWS_PARTITION="${AWS_PARTITION}" \
-e AWS_DEFAULT_REGION="${AWS_REGION}" \
-e CA_SIGNING_ALGORITHM="${CA_SIGNING_ALGORITHM}" \
-e PK_CA="${PK_CA}" \
-e KEK_CA="${KEK_CA}" \
-e DB_CA="${DB_CA}" \
Expand All @@ -169,13 +190,17 @@ if [ -n "${SDK_IMAGE:-}" ] ; then
-e CODE_SIGN_KEY="${CODE_SIGN_KEY}" \
-e CONFIG_SIGN_KEY="${CONFIG_SIGN_KEY}" \
-e AWS_KMS_PKCS11_CONF="${AWS_KMS_PKCS11_CONF}" \
-e AWS_CLI="${AWS_CLI}" \
-e CA_BUNDLE="${CA_BUNDLE}" \
-e OUTPUT_DIR="${OUTPUT_DIR}" \
-w /tmp \
"${SDK_IMAGE}" bash "${SBKEYS_SCRIPT}"
else
export PK_CA KEK_CA DB_CA VENDOR_CA
export CODE_SIGN_KEY CONFIG_SIGN_KEY SHIM_SIGN_KEY
export AWS_REGION AWS_KMS_PKCS11_CONF OUTPUT_DIR
export AWS_PARTITION CA_SIGNING_ALGORITHM
export AWS_CLI CA_BUNDLE
bash "${SBKEYS_SCRIPT}"
fi

Expand Down Expand Up @@ -204,7 +229,7 @@ getcacert() {
local arn ca
arn="${1:?}"
ca="${2:?}"
aws acm-pca get-certificate-authority-certificate \
${AWS_CLI} acm-pca get-certificate-authority-certificate \
--certificate-authority-arn "${arn}" \
--query 'Certificate' > "${ca}.crt"
}
Expand Down Expand Up @@ -245,7 +270,7 @@ gencert() {
-out "${key}.csr"

cert_arn="$(\
aws acm-pca issue-certificate \
${AWS_CLI} acm-pca issue-certificate \
--certificate-authority-arn "${ca_arn}" \
--template-arn arn:${aws_partition}:acm-pca:::template/BlankEndEntityCertificate_APICSRPassthrough/V1 \
--csr "fileb://${key}.csr" \
Expand All @@ -255,11 +280,11 @@ gencert() {
--idempotency-token "${key}" \
--query 'CertificateArn')"

aws acm-pca wait certificate-issued \
${AWS_CLI} acm-pca wait certificate-issued \
--certificate-authority-arn "${ca_arn}" \
--certificate-arn "${cert_arn}"

aws acm-pca get-certificate \
${AWS_CLI} acm-pca get-certificate \
--certificate-authority-arn "${ca_arn}" \
--certificate-arn "${cert_arn}" \
--query 'Certificate' \
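Review bot: The `AWS_CLI="aws ${AWS_CLI_ARGS[@]+"${AWS_CLI_ARGS[@]}"}"` line flattens the argument array into a single string, and every call site (`${AWS_CLI} acm-pca …` in getcacert and gencert, and the sts call) then relies on unquoted word-splitting to recover the arguments; that breaks as soon as the mktemp path contains whitespace (e.g. an unusual TMPDIR) and it turns each use into a ShellCheck SC2086 finding. The AWS CLI reads the bundle path from the environment natively, so the string-built command can be dropped: pass `-e AWS_CA_BUNDLE="${CA_BUNDLE}"` in the docker invocation and `export AWS_CA_BUNDLE="${CA_BUNDLE}"` in the else branch, and leave the four call sites as plain `aws`. The copy at `cp "${CA_BUNDLE}" "${CA_BUNDLE_FILE}"` also has no readability check on the input; a guard such as `[ -r "${CA_BUNDLE}" ] || { echo "CA bundle not readable: ${CA_BUNDLE}" >&2; exit 1; }` before it would fail with a clear message instead of whatever cp and the later aws calls produce. Whether `set -e` is active for this script is not visible in the diff, so the cp failure mode is inferred.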