
Delay generating test update payload in official builds #2550

Merged
chewi merged 4 commits into main from chewi/sbsign-update-payload
Jan 2, 2025

@chewi chewi commented Dec 23, 2024

Delay generating test update payload in official builds

The update payload needs the kernel, which isn't signed during the image job. Secure Boot is not currently enabled for update tests, but we may as well do this properly. The production update upload is generated manually at the end after everything has already been signed.

However, we need to temporarily nobble part of the above change until we have actually passed the shim review.

This also fixes a container name clash in the sbsign_image job.

How to use

Nothing to do.

Testing done

I have run Jenkins for amd64 and arm64. The qemu_update tests passed. I also checked the timestamps of files on the bincache to ensure the right files were uploaded when expected.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update) -- N/A
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc. -- N/A

Otherwise it uses the default name, which can clash with other
concurrent jobs, especially jobs for the other arches.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

The update payload needs the kernel, which isn't signed during the image
job. Secure Boot is not currently enabled for update tests, but we may
as well do this properly. The production update upload is generated
manually at the end after everything has already been signed.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

Once we have passed the shim review, we will delay this task until the
kernel has been signed later in the pipeline.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

I know I recently deduplicated the code between extract_update and
generate_update, but now that generate_update will sometimes be
called at a later time, I've realised that it is compressing and
uploading the partition twice.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
@chewi chewi requested a review from a team December 23, 2024 13:06
@chewi chewi self-assigned this Dec 23, 2024
@tormath1 tormath1 added the main label Jan 2, 2025
@chewi chewi merged commit 299773a into main Jan 2, 2025
1 check failed
@chewi chewi deleted the chewi/sbsign-update-payload branch January 2, 2025 09:55