diff --git a/tools/buildsys/src/builder.rs b/tools/buildsys/src/builder.rs
index 77f97bc86..2d25839b3 100644
--- a/tools/buildsys/src/builder.rs
+++ b/tools/buildsys/src/builder.rs
@@ -821,6 +821,23 @@ fn secrets_args() -> Result> {
 );
 }
 
+ // Add environment variables for secure boot signing keys, mapping them to the
+ // corresponding file names that the local profile expects
+ let env_to_file_map = [
+ ("BUILDSYS_SBKEYS_SHIM_SIGN_KEY_CONTENT", "shim-sign.key"),
+ ("BUILDSYS_SBKEYS_CODE_SIGN_KEY_CONTENT", "code-sign.key"),
+ ("BUILDSYS_SBKEYS_CONFIG_SIGN_KEY_CONTENT", "config-sign.key"),
+ ];
+
+ for (env_var, file_name) in env_to_file_map {
+ if let Ok(content) = env::var(env_var) {
+ if !content.is_empty() {
+ // Only add this secret if the environment variable is set and not empty
+ args.build_secret("env", file_name, env_var);
+ }
+ }
+ }
+
 let ca_bundle_var = "BUILDSYS_CACERTS_BUNDLE_OVERRIDE";
 let ca_bundle_value =
 env::var(ca_bundle_var).context(error::EnvironmentSnafu { var: ca_bundle_var })?;
diff --git a/twoliter/embedded/Makefile.toml b/twoliter/embedded/Makefile.toml
index 7c5389767..35bde7244 100644
--- a/twoliter/embedded/Makefile.toml
+++ b/twoliter/embedded/Makefile.toml
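Review bot: The variable names read in the new loop use the prefix `BUILDSYS_SBKEYS_` (for example `BUILDSYS_SBKEYS_SHIM_SIGN_KEY_CONTENT`), while the Makefile.toml hunk in this same commit tests `BUILDSYS_SBKEY_SHIM_SIGN_KEY_CONTENT` and its two siblings without the `S`, so whichever spelling a user exports, one side will not see it: either the profile check never takes the environment-variables branch or the secret is never forwarded to the build. Pick one prefix and use it in both places (the Makefile hunk also repeats the `SBKEY_*` spelling in its header comment). `secrets_args` begins and ends outside the hunk, so how `args.build_secret("env", …)` forwards the value is not visible here; if it becomes a BuildKit environment-sourced secret, the private key stays out of build arguments and image layers, which is the right shape for this material. The inner comment could also state the fallthrough explicitly, e.g. `// Skip unset or empty variables so a stray empty export does not register a zero-length key secret`, since nothing downstream is told that the env path was attempted and abandoned.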
@@ -688,18 +688,29 @@
 profile="${BUILDSYS_SBKEYS_PROFILE_DIR}"
 found=0
 # A local profile has signing keys and certificates, while an AWS profile
-# has a config for the aws-kms-pkcs11 helper. Either type is supported.
+# has a config for the aws-kms-pkcs11 helper. The environment variables profile
+# has keys provided through BUILDSYS_SBKEY_* environment variables. Any of
+# these profile types is supported.
 if [ -s "${profile}/shim-sign.key" ] && \
 [ -s "${profile}/shim-sign.crt" ] && \
 [ -s "${profile}/code-sign.key" ] && \
- [ -s "${profile}/code-sign.crt" ] ; then
+ [ -s "${profile}/code-sign.crt" ] && \
+ [ -s "${profile}/config-sign.key" ] ; then
 let found+=1
-elif [ -s "${profile}/kms-sign.json" ] ; then
+elif [ -s "${profile}/kms-sign.json" ] && \
+ [ -s "${profile}/config-sign.key" ] ; then
+ let found+=1
+# Environment variables case - check if all required env vars are set
+elif [ -n "${BUILDSYS_SBKEY_SHIM_SIGN_KEY_CONTENT}" ] && \
+ [ -n "${BUILDSYS_SBKEY_CODE_SIGN_KEY_CONTENT}" ] && \
+ [ -n "${BUILDSYS_SBKEY_CONFIG_SIGN_KEY_CONTENT}" ] && \
+ [ -s "${profile}/shim-sign.crt" ] && \
+ [ -s "${profile}/code-sign.crt" ] ; then
 let found+=1
 fi
 
 expected=1
-for f in {PK,KEK,db,vendor}.crt config-sign.key efi-vars.{json,aws} ; do
+for f in {PK,KEK,db,vendor}.crt efi-vars.{json,aws} ; do
 let expected+=1
 [ -s "${profile}/${f}" ] && let found+=1
 done
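Review bot: The comment `# Environment variables case - check if all required env vars are set` understates the branch's conditions: it also requires `shim-sign.crt` and `code-sign.crt` to be present under `${profile}`, with only the three private keys sourced from the environment. Suggest `# Environment variables case - private keys come from the *_SIGN_KEY_CONTENT variables; the matching signing certificates must still be present in the profile directory`. The updated header comment at the top of the hunk names the prefix as `BUILDSYS_SBKEY_*` and should match whatever prefix the builder finally reads, since the two are spelled differently in this commit. The `found`/`expected` comparison that consumes these counters is outside the hunk, so I cannot tell whether a profile that satisfies none of the three branches produces a message that mentions the environment-variable option.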