Closed trungams closed 9 hours ago
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static subpackages, etc.) have had their Release tag incremented.
./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
*.signatures.json files
sudo make go-tidy-all and sudo make go-test-coverage pass

Summary
What does the PR accomplish, why was it needed?
The CVM boot flow using systemd-boot and UKI goes as follows:
UEFI firmware -> shim -> systemd-boot -> UKI
This change adds 2 new signed packages: kernel-uki-signed and systemd-boot-signed to support secure boot in CVM.
Pipeline PR to support signing of these 2 packages: https://dev.azure.com/mariner-org/mariner/_git/CBL-Mariner-Pipelines/pullrequest/19397

Change Log
kernel-uki-signed.spec
systemd-boot-signed.spec
/boot and create a symlink to it under /lib/modules/$(uname -r)/

Does this affect the toolchain?
NO

Test Methodology