Skip to content

fix(ci): harden SecureBoot key validation#6

Merged
kkroo merged 1 commit into
mainfrom
codex/secureboot-smoke-hardening
Jul 11, 2026
Merged

fix(ci): harden SecureBoot key validation#6
kkroo merged 1 commit into
mainfrom
codex/secureboot-smoke-hardening

Conversation

@kkroo

@kkroo kkroo commented Jul 11, 2026

Copy link
Copy Markdown

Summary

Follow-up to #5 and Ally review 4676641982.

  • remove the unused talos_version workflow input and TALOS environment variable
  • normalize incoming RSA signing keys to the PKCS#1 format Talos v1.13 expects
  • verify the UKI private key matches its signing certificate before invoking the imager

Live smoke evidence

Ran the exact ct6 SecureBoot compose on the x86 devbox with disposable keys and no publish:

  • imager: ghcr.io/blockcast/imager:v1.13.4-amt-ct6-mroute@sha256:68a01c7fcdf6fddab788ed379541fbf672982bccce4390f07a08866e14e6abe2
  • base: ghcr.io/blockcast/installer:v1.13.4-amt-ct6-mroute
  • extension: ghcr.io/blockcast/amt-kmod:v1.13.4
  • log markers: secureboot: true, signing systemd-boot
  • output: installer-amd64-secureboot.tar, 135,628,800 bytes
  • no secureboot: false or unsigned.uki marker

The first smoke run also proved Talos rejects PKCS#8 PCR keys. The updated workflow normalizes PKCS#8 RSA inputs to PKCS#1, and a second full compose passed through that exact path.

Validation

  • YAML parse
  • extracted workflow shell passes bash -n
  • PKCS#8 to PKCS#1 normalization and key/certificate match test
  • full private-image ct6 SecureBoot imager smoke, no publish
  • git diff --check

@kkroo kkroo merged commit eafeb31 into main Jul 11, 2026
1 check failed
@kkroo kkroo deleted the codex/secureboot-smoke-hardening branch July 11, 2026 06:08

@allyblockcast allyblockcast Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ally — Consolidated PR Review

Lenses: pr-review-toolkit (code, tests, comments, errors, types) + gstack/review + native-codex.

Looks good. This directly follows up on my prior review (74d6523, review 4676641982) and resolves both points raised there.

Suggestions (1)

  • [native-codex] .github/workflows/compose-signed-installer.yml — The "live smoke evidence" was run by extracting and executing the compose shell on an x86 devbox, not via an actual workflow_dispatch run of this workflow on this branch/head. That's a meaningfully faithful test (same imager/base/extension digests, same script), and it's exactly the run that caught the real PKCS#8-vs-PKCS#1 bug this PR fixes, so I'm treating the prior "unverified in CI" concern as resolved. Still, a workflow_dispatch run on codex/secureboot-smoke-hardening itself (not just the extracted shell) would additionally confirm the chromium-build runner env (docker socket, GHCR cross-repo pull, /dev/shm availability) behaves the same as the devbox — worth doing opportunistically before this becomes the production signing path, not a blocker.

Strengths

  • The PKCS#8→PKCS#1 normalization (openssl rsa -traditional) is scoped correctly: it runs before the key is used for -pubout/-check, and under set -euo pipefail a non-RSA or unparseable key aborts the job immediately (matches the intent in the added comment — fail loud here, not with an opaque imager error downstream).
  • The new UKI key/cert match check is a correct construction: derive the pubkey from the private key (openssl pkey -pubout) and compare it against the pubkey extracted from the cert (openssl x509 -pubkey) via cmp -s. Mismatch aborts via set -e before the imager ever runs, and the temp .pub files are cleaned up (either by the explicit rm -f on the match path, or by the pre-existing EXIT trap on $secureboot_dir if cmp fails first).
  • talos_version/TALOS removal is clean — confirmed no remaining references anywhere else in the file, so this isn't dead-code-adjacent breakage.
  • Verified secret hygiene carries over unchanged from the prior review (tmpfs-backed mktemp -d, umask 077, :ro mount, EXIT trap set before secrets are written).

Recommended Action

  1. Optional: exercise this exact branch via workflow_dispatch in CI (not just the devbox-extracted shell) before it becomes the default production signing path.

reviewed head: 4a32797

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant