Adds logic for generating signatures and certs

Comments defaults a bit as well
2026-01-23 02:34:26 +00:00 · 2019-11-27 05:14:33 +00:00 · 2019-11-27 05:14:33 +00:00 · 41a1914750
commit 41a1914750
parent 02da8c1480
9 changed files with 120 additions and 32 deletions
--- a/roles/netbootxyz/defaults/main.yml
+++ b/roles/netbootxyz/defaults/main.yml
@ -5,31 +5,49 @@ site_name: netboot.xyz
 boot_domain: boot.netboot.xyz
 boot_version: 1.04
 boot_timeout: 300000
-
 time_server: "0.pool.ntp.org"
 sigs_enabled: false
 img_sigs_enabled: false
-sigs_location: "http://${boot_domain}/sigs/"
-memdisk_location: "http://${boot_domain}/memdisk"

+# helper app locations
+memdisk_location: "http://${boot_domain}/memdisk"
+wimboot_location: "http://${boot_domain}/wimboot"
+
+# iPXE upstream repo settings
 ipxe_repo: https://github.com/ipxe/ipxe
 ipxe_branch: master
-ipxe_source_dir: /usr/src/ipxe

-live_endpoint: "https://github.com/netbootxyz"
+ipxe_source_dir: /usr/src/ipxe
 netbootxyz_root: /var/www/html

+# live os settings
+live_endpoint: "https://github.com/netbootxyz"
+
+# generates menus
 generate_menus: true
-generate_disks: true
+
+# generates signatures for source files
 generate_checksums: true

-bootloader_tftp_enabled: false
+# bootloader options
+generate_disks: true
 bootloader_https_enabled: true
 bootloader_http_enabled: true
-bootloader_build: true
 bootloader_disks:
  - "netboot.xyz"

+# signature generation
+generate_signatures: false
+sigs_dir: "{{ netbootxyz_root }}/sigs"
+sigs_location: "http://${boot_domain}/sigs/"
+cert_dir: "/etc/netbootxyz/certs"
+ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"
+ipxe_ca_url: http://ca.ipxe.org/ca.crt
+ipxe_ca_filename: ca-ipxe-org.crt
+codesign_cert_filename: codesign.crt
+codesign_key_filename: codesign.key
+cert_file_filename : ca-netboot-xyz.crt
+
 #bootloader_multiple: true
 #bootloader_disks:
 #  - "netboot.xyz"
@ -204,7 +222,7 @@ releases:
    enabled: true
    menu: "security"
    versions:
-      - name: "Rolling Edition (2019.2)"
+      - name: "Rolling Edition (2019.4)"
        code_name: "rolling"
  livedebian:
    name: "Debian Live"
--- a/roles/netbootxyz/tasks/generate_disks_base.yml
+++ b/roles/netbootxyz/tasks/generate_disks_base.yml
@ -22,6 +22,7 @@
      state: directory
    with_items:
      - "{{ netbootxyz_root }}/ipxe"
+      - "{{ cert_dir }}"

  - name: Copy helper apps
    copy:
@ -44,7 +45,7 @@
      version: "{{ ipxe_branch }}"
      force: true
    register: ipxe_git_checkout
-    
+      
  - name: Copy iPXE Bootloader template to iPXE source directory
    template:
      src: "disks/{{ bootloader_filename }}.j2"
@ -70,3 +71,8 @@
      - src/config/local/crypto.h
      - src/config/local/usb.h
      - src/config/local/settings.h
+
+  - name: Retrieve iPXE CA
+    get_url:
+      url: "{{ ipxe_ca_url }}"
+      dest: "{{ cert_dir }}/{{ ipxe_ca_filename }}"
--- a/roles/netbootxyz/tasks/generate_disks_efi.yml
+++ b/roles/netbootxyz/tasks/generate_disks_efi.yml
@ -13,31 +13,52 @@
      src: "ipxe/local/general.h.efi"
      dest: "{{ ipxe_source_dir }}/src/config/local/general.h"

+  - name: Set trust file to ipxe ca
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }}"
+    when: not generate_signatures
+
+  - name: Combine trust files if set
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }},{{ cert_dir }}/{{ cert_file_filename }}"
+    when: generate_signatures | bool
+
  - name: Compile iPXE bootloader for EFI
-    shell: "{{ item }}"
-    with_items:
-    - make clean
-    - make EMBED={{ bootloader_filename }} bin-x86_64-efi/ipxe.efi
+    shell: |
+      make clean
+      make EMBED={{ bootloader_filename }} TRUST={{ trust_files }} bin-x86_64-efi/ipxe.efi
    args:
      chdir: "{{ ipxe_source_dir }}/src"
    tags:
    - skip_ansible_lint

  - name: Generate iPXE EFI ISO Disk
-    shell: "{{ item }}"
-    with_items:
-      - mkdir -p efi_tmp
-      - dd if=/dev/zero of=efi_tmp/ipxe.img count=2880
-      - mformat -i efi_tmp/ipxe.img -m 0xf8 -f 2880
-      - mmd -i efi_tmp/ipxe.img ::efi ::efi/boot
-      - mcopy -i efi_tmp/ipxe.img bin-x86_64-efi/ipxe.efi ::efi/boot/bootx64.efi
-      - genisoimage -o ipxe-efi.eiso -eltorito-alt-boot -e ipxe.img -no-emul-boot efi_tmp
+    shell: |
+      mkdir -p efi_tmp
+      dd if=/dev/zero of=efi_tmp/ipxe.img count=2880
+      mformat -i efi_tmp/ipxe.img -m 0xf8 -f 2880
+      mmd -i efi_tmp/ipxe.img ::efi ::efi/boot
+      mcopy -i efi_tmp/ipxe.img bin-x86_64-efi/ipxe.efi ::efi/boot/bootx64.efi
+      genisoimage -o ipxe-efi.eiso -eltorito-alt-boot -e ipxe.img -no-emul-boot efi_tmp
    args:
      chdir: "{{ ipxe_source_dir }}/src"
      warn: false
    tags:
    - skip_ansible_lint

+  - name: Generate iPXE EFI USB image
+    shell: |
+      truncate -s 3MiB ipxe-efi.usb
+      mkfs.vfat ipxe-efi.usb
+      mmd -i ipxe-efi.usb "::/efi"
+      mmd -i ipxe-efi.usb "::/efi/boot"
+      mcopy -i ipxe-efi.usb bin-x86_64-efi/ipxe.efi "::/efi/boot/bootx64.efi"
+    args:
+      chdir: "{{ ipxe_source_dir }}/src"
+      warn: false
+    tags:
+    - skip_ansible_lint
+ 
  - name: Copy iPXE EFI builds to http directory
    copy:
      src: "{{ ipxe_source_dir }}/src/{{ item.src }}"
@ -46,3 +67,4 @@
    with_items:
      - { src: "bin-x86_64-efi/ipxe.efi", dest: "{{ bootloader_filename }}.efi" }
      - { src: "ipxe-efi.eiso", dest: "{{ bootloader_filename }}-efi.iso" }
+      - { src: "ipxe-efi.usb", dest: "{{ bootloader_filename }}-efi.usb" }
--- a/roles/netbootxyz/tasks/generate_disks_legacy.yml
+++ b/roles/netbootxyz/tasks/generate_disks_legacy.yml
@ -9,11 +9,20 @@
      - crypto.h
      - general.h

+  - name: Set trust file to ipxe ca
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }}"
+    when: not generate_signatures
+
+  - name: Combine trust args if set
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }},{{ cert_dir }}/{{ cert_file_filename }}"
+    when: generate_signatures | bool
+
  - name: Compile iPXE bootloader for Legacy BIOS
-    shell: "{{ item }}"
-    with_items:
-    - make clean
-    - make EMBED={{ bootloader_filename }} bin/ipxe.dsk bin/ipxe.iso bin/ipxe.lkrn bin/ipxe.usb bin/ipxe.kpxe bin/undionly.kpxe
+    shell: |
+      make clean
+      make EMBED={{ bootloader_filename }} TRUST={{ trust_files }} bin/ipxe.dsk bin/ipxe.iso bin/ipxe.lkrn bin/ipxe.usb bin/ipxe.kpxe bin/undionly.kpxe
    args:
      chdir: "{{ ipxe_source_dir }}/src"
    tags:
--- a/roles/netbootxyz/tasks/generate_menus.yml
+++ b/roles/netbootxyz/tasks/generate_menus.yml
@ -31,4 +31,4 @@
    with_filetree: "templates/menu/"
    when: item.state == "file"
    tags:
-    - skip_ansible_lint
+    - skip_ansible_lint
--- a/roles/netbootxyz/tasks/generate_signatures.yml
+++ b/roles/netbootxyz/tasks/generate_signatures.yml
@ -0,0 +1,24 @@
+---
+  - name: Gather list of source files
+    command: ls {{ netbootxyz_root }}
+    register: source_files
+
+  - name: Create directories for signatures
+    file:
+      path: "{{ item }}"
+      state: directory
+    with_items:
+      - "{{ sigs_dir }}"
+
+  - name: Generate signatures for source files
+    shell: |
+      openssl cms -sign -binary -noattr -in {{ netbootxyz_root }}/{{ item }} \ 
+      -signer {{ codesign_cert_location }} -inkey {{ codesign_key_location }} -certfile {{ cert_file_location }} -outform DER \
+      -out {{ sigs_dir }}/{{ item }}.sig
+    args:
+      chdir: "{{ cert_dir }}"
+      warn: false
+    with_items:
+      - "{{ source_files.stdout_lines }}"
+    tags:
+    - skip_ansible_lint
--- a/roles/netbootxyz/tasks/main.yml
+++ b/roles/netbootxyz/tasks/main.yml
@ -3,6 +3,13 @@
    when:
    - generate_menus | default(true) | bool

+  - include: generate_signatures.yml
+    when:
+    - generate_signatures | default(false) | bool
+    - codesign_cert_location is defined
+    - codesign_key_location is defined
+    - cert_file_location is defined
+
  - include: generate_disks.yml
    with_items:
    - "{{ bootloader_disks }}"
@ -13,4 +20,5 @@

  - include: generate_checksums.yml
    when:
-    - generate_checksums | default(true) | bool
+    - generate_checksums | default(true) | bool
+
--- a/roles/netbootxyz/templates/disks/netboot.xyz.j2
+++ b/roles/netbootxyz/templates/disks/netboot.xyz.j2
@ -8,12 +8,13 @@ set fg_whi ${esc:string}[37m
 set TFTP_ERR Local TFTP failed... attempting remote HTTPS 
 set HTTPS_ERR HTTPS appears to have failed... attempting HTTP
 set HTTP_ERR HTTP has failed, localbooting...
+set site_name {{ site_name }}
 set boot_domain {{ boot_domain }}
 set version {{ boot_version }}

 :start
-echo ${bold}${fg_gre}${boot_domain} - ${fg_whi}v${version}${boldoff}
-echo ${bold}${fg_whi}Powered by${fg_gre}netboot.xyz${boldoff}
+echo ${bold}${fg_gre}${site_name} - ${fg_whi}v${version}${boldoff}
+iseq ${site_name} netboot.xyz || echo ${bold}${fg_whi}Powered by ${fg_gre}netboot.xyz${fg_whi}${boldoff}
 prompt --key m --timeout 4000 Hit the ${bold}m${boldoff} key to open failsafe menu... && goto failsafe || goto dhcp

 :dhcp
--- a/roles/netbootxyz/templates/menu/windows.ipxe.j2
+++ b/roles/netbootxyz/templates/menu/windows.ipxe.j2
@ -41,7 +41,7 @@ goto windows
 isset ${win_base_url} && goto boot || echo URL not set... && goto url_set

 :boot
-kernel http://${boot_domain}/wimboot
+kernel {{ wimboot_location }}
 initrd ${win_base_url}/${win_arch}/bootmgr bootmgr
 initrd ${win_base_url}/${win_arch}/boot/bcd bcd
 initrd ${win_base_url}/${win_arch}/boot/boot.sdi boot.sdi
@ -56,4 +56,4 @@ imgverify wimboot ${sigs}wimboot.sig || goto error
 boot

 :windows_exit
-exit 0
+exit 0