
Adds logic for generating signatures and certs

Comments defaults a bit as well
Antony Messerli 5 жил өмнө
parent
commit
41a1914750

+ 25 - 7
roles/netbootxyz/defaults/main.yml

@@ -5,31 +5,49 @@ site_name: netboot.xyz
 boot_domain: boot.netboot.xyz
 boot_version: 1.04
 boot_timeout: 300000
-
 time_server: "0.pool.ntp.org"
 sigs_enabled: false
 img_sigs_enabled: false
-sigs_location: "http://${boot_domain}/sigs/"
+
+# helper app locations
 memdisk_location: "http://${boot_domain}/memdisk"
+wimboot_location: "http://${boot_domain}/wimboot"
 
+# iPXE upstream repo settings
 ipxe_repo: https://github.com/ipxe/ipxe
 ipxe_branch: master
+
 ipxe_source_dir: /usr/src/ipxe
+netbootxyz_root: /var/www/html
 
+# live os settings
 live_endpoint: "https://github.com/netbootxyz"
-netbootxyz_root: /var/www/html
 
+# generates menus
 generate_menus: true
-generate_disks: true
+
+# generates signatures for source files
 generate_checksums: true
 
-bootloader_tftp_enabled: false
+# bootloader options
+generate_disks: true
 bootloader_https_enabled: true
 bootloader_http_enabled: true
-bootloader_build: true
 bootloader_disks:
   - "netboot.xyz"
 
+# signature generation
+generate_signatures: false
+sigs_dir: "{{ netbootxyz_root }}/sigs"
+sigs_location: "http://${boot_domain}/sigs/"
+cert_dir: "/etc/netbootxyz/certs"
+ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"
+ipxe_ca_url: http://ca.ipxe.org/ca.crt
+ipxe_ca_filename: ca-ipxe-org.crt
+codesign_cert_filename: codesign.crt
+codesign_key_filename: codesign.key
+cert_file_filename : ca-netboot-xyz.crt
+
 #bootloader_multiple: true
 #bootloader_disks:
 #  - "netboot.xyz"
@@ -204,7 +222,7 @@ releases:
     enabled: true
     menu: "security"
     versions:
-      - name: "Rolling Edition (2019.2)"
+      - name: "Rolling Edition (2019.4)"
         code_name: "rolling"
   livedebian:
     name: "Debian Live"
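Review bot: `ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"` in the first hunk references `ipxe_ca_location`, which no default in this file defines (the hunk only adds `ipxe_ca_url` and `ipxe_ca_filename`), and none of the task files in this commit consume `ipxe_trust_args` — they build `trust_files` themselves — so the variable is both dangling and dead. Either drop it or give it a resolvable value, e.g. `ipxe_ca_location: "{{ cert_dir }}/{{ ipxe_ca_filename }}"` and `ipxe_trust_args: "TRUST={{ ipxe_ca_location }}"`. `cert_file_filename : ca-netboot-xyz.crt` has a space before the colon; YAML tolerates it but it breaks the file's convention and trips linters, so write `cert_file_filename: ca-netboot-xyz.crt`. The second hunk is a version string change only.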

+ 7 - 1
roles/netbootxyz/tasks/generate_disks_base.yml

@@ -22,6 +22,7 @@
       state: directory
     with_items:
       - "{{ netbootxyz_root }}/ipxe"
+      - "{{ cert_dir }}"
 
   - name: Copy helper apps
     copy:
@@ -44,7 +45,7 @@
       version: "{{ ipxe_branch }}"
       force: true
     register: ipxe_git_checkout
-    
+      
   - name: Copy iPXE Bootloader template to iPXE source directory
     template:
       src: "disks/{{ bootloader_filename }}.j2"
@@ -70,3 +71,8 @@
       - src/config/local/crypto.h
       - src/config/local/usb.h
       - src/config/local/settings.h
+
+  - name: Retrieve iPXE CA
+    get_url:
+      url: "{{ ipxe_ca_url }}"
+      dest: "{{ cert_dir }}/{{ ipxe_ca_filename }}"
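Review bot: The new `Retrieve iPXE CA` task downloads the certificate that the EFI and legacy builds then bake into every bootloader as `TRUST=`, but it does so from the plain-http `ipxe_ca_url` default with no integrity check, so whatever is served on that URL at build time silently becomes a trust root of the generated images. `get_url` supports a `checksum:` parameter; pin the expected digest there, e.g. `checksum: "sha256:<expected digest — placeholder>"`, and prefer an https value for `ipxe_ca_url` if the upstream serves one. The middle hunk's change at the `register: ipxe_git_checkout` line only adds trailing spaces to a blank line and could be reverted.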

+ 34 - 12
roles/netbootxyz/tasks/generate_disks_efi.yml

@@ -13,31 +13,52 @@
       src: "ipxe/local/general.h.efi"
       dest: "{{ ipxe_source_dir }}/src/config/local/general.h"
 
+  - name: Set trust file to ipxe ca
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }}"
+    when: not generate_signatures
+
+  - name: Combine trust files if set
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }},{{ cert_dir }}/{{ cert_file_filename }}"
+    when: generate_signatures | bool
+
   - name: Compile iPXE bootloader for EFI
-    shell: "{{ item }}"
-    with_items:
-    - make clean
-    - make EMBED={{ bootloader_filename }} bin-x86_64-efi/ipxe.efi
+    shell: |
+      make clean
+      make EMBED={{ bootloader_filename }} TRUST={{ trust_files }} bin-x86_64-efi/ipxe.efi
     args:
       chdir: "{{ ipxe_source_dir }}/src"
     tags:
     - skip_ansible_lint
 
   - name: Generate iPXE EFI ISO Disk
-    shell: "{{ item }}"
-    with_items:
-      - mkdir -p efi_tmp
-      - dd if=/dev/zero of=efi_tmp/ipxe.img count=2880
-      - mformat -i efi_tmp/ipxe.img -m 0xf8 -f 2880
-      - mmd -i efi_tmp/ipxe.img ::efi ::efi/boot
-      - mcopy -i efi_tmp/ipxe.img bin-x86_64-efi/ipxe.efi ::efi/boot/bootx64.efi
-      - genisoimage -o ipxe-efi.eiso -eltorito-alt-boot -e ipxe.img -no-emul-boot efi_tmp
+    shell: |
+      mkdir -p efi_tmp
+      dd if=/dev/zero of=efi_tmp/ipxe.img count=2880
+      mformat -i efi_tmp/ipxe.img -m 0xf8 -f 2880
+      mmd -i efi_tmp/ipxe.img ::efi ::efi/boot
+      mcopy -i efi_tmp/ipxe.img bin-x86_64-efi/ipxe.efi ::efi/boot/bootx64.efi
+      genisoimage -o ipxe-efi.eiso -eltorito-alt-boot -e ipxe.img -no-emul-boot efi_tmp
     args:
       chdir: "{{ ipxe_source_dir }}/src"
       warn: false
     tags:
     - skip_ansible_lint
 
+  - name: Generate iPXE EFI USB image
+    shell: |
+      truncate -s 3MiB ipxe-efi.usb
+      mkfs.vfat ipxe-efi.usb
+      mmd -i ipxe-efi.usb "::/efi"
+      mmd -i ipxe-efi.usb "::/efi/boot"
+      mcopy -i ipxe-efi.usb bin-x86_64-efi/ipxe.efi "::/efi/boot/bootx64.efi"
+    args:
+      chdir: "{{ ipxe_source_dir }}/src"
+      warn: false
+    tags:
+    - skip_ansible_lint
+ 
   - name: Copy iPXE EFI builds to http directory
     copy:
       src: "{{ ipxe_source_dir }}/src/{{ item.src }}"
@@ -46,3 +67,4 @@
     with_items:
       - { src: "bin-x86_64-efi/ipxe.efi", dest: "{{ bootloader_filename }}.efi" }
       - { src: "ipxe-efi.eiso", dest: "{{ bootloader_filename }}-efi.iso" }
+      - { src: "ipxe-efi.usb", dest: "{{ bootloader_filename }}-efi.usb" }
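Review bot: Turning the `with_items` loops into `shell: |` blocks changes failure semantics in the `Compile iPXE bootloader for EFI`, `Generate iPXE EFI ISO Disk` and `Generate iPXE EFI USB image` tasks: the task now reports only the last command's exit status, so a failing `make clean`, `dd` or `mformat` no longer stops the play and a broken image is copied onward by the next task. Start each block with `set -e`; the same applies to the converted blocks in generate_disks_legacy.yml and generate_signatures.yml. `Set trust file to ipxe ca` uses `when: not generate_signatures` while its sibling uses `generate_signatures | bool`; a string value such as `"false"` passed via `-e` is truthy, so both conditions can be false at once, `trust_files` is never set, and the `TRUST={{ trust_files }}` make line fails on an undefined variable — use `when: not (generate_signatures | bool)`. The combined trust list also assumes `{{ cert_dir }}/{{ cert_file_filename }}` exists, but nothing in this commit places the signing CA there (the signatures task reads the user-supplied `cert_file_location` instead), so a signature-enabled build presumably fails at the `TRUST=` step until that file is copied; the same pair of set_fact tasks is duplicated in generate_disks_legacy.yml and should get the same fixes.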

+ 13 - 4
roles/netbootxyz/tasks/generate_disks_legacy.yml

@@ -9,11 +9,20 @@
       - crypto.h
       - general.h
 
+  - name: Set trust file to ipxe ca
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }}"
+    when: not generate_signatures
+
+  - name: Combine trust args if set
+    set_fact:
+      trust_files: "{{ cert_dir }}/{{ ipxe_ca_filename }},{{ cert_dir }}/{{ cert_file_filename }}"
+    when: generate_signatures | bool
+
   - name: Compile iPXE bootloader for Legacy BIOS
-    shell: "{{ item }}"
-    with_items:
-    - make clean
-    - make EMBED={{ bootloader_filename }} bin/ipxe.dsk bin/ipxe.iso bin/ipxe.lkrn bin/ipxe.usb bin/ipxe.kpxe bin/undionly.kpxe
+    shell: |
+      make clean
+      make EMBED={{ bootloader_filename }} TRUST={{ trust_files }} bin/ipxe.dsk bin/ipxe.iso bin/ipxe.lkrn bin/ipxe.usb bin/ipxe.kpxe bin/undionly.kpxe
     args:
       chdir: "{{ ipxe_source_dir }}/src"
     tags:

+ 1 - 1
roles/netbootxyz/tasks/generate_menus.yml

@@ -31,4 +31,4 @@
     with_filetree: "templates/menu/"
     when: item.state == "file"
     tags:
-    - skip_ansible_lint
+    - skip_ansible_lint

+ 24 - 0
roles/netbootxyz/tasks/generate_signatures.yml

@@ -0,0 +1,24 @@
+---
+  - name: Gather list of source files
+    command: ls {{ netbootxyz_root }}
+    register: source_files
+
+  - name: Create directories for signatures
+    file:
+      path: "{{ item }}"
+      state: directory
+    with_items:
+      - "{{ sigs_dir }}"
+
+  - name: Generate signatures for source files
+    shell: |
+      openssl cms -sign -binary -noattr -in {{ netbootxyz_root }}/{{ item }} \ 
+      -signer {{ codesign_cert_location }} -inkey {{ codesign_key_location }} -certfile {{ cert_file_location }} -outform DER \
+      -out {{ sigs_dir }}/{{ item }}.sig
+    args:
+      chdir: "{{ cert_dir }}"
+      warn: false
+    with_items:
+      - "{{ source_files.stdout_lines }}"
+    tags:
+    - skip_ansible_lint
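Review bot: The `openssl cms -sign ... -in {{ netbootxyz_root }}/{{ item }} \ ` line ends with a space after the backslash, so the backslash escapes the space rather than the newline and the shell runs `openssl cms -sign -binary -noattr -in <file>` and `-signer ...` as two separate commands, both of which fail; strip the trailing whitespace (block scalars keep it as part of the value). `command: ls {{ netbootxyz_root }}` also returns directories (`ipxe`, and `sigs_dir` itself once created), which `openssl` cannot sign, and `with_items: - "{{ source_files.stdout_lines }}"` wraps a list in a list and only works because `with_items` flattens one level. Use the `find` module with `file_type: file` and loop over its `files` result, and add `set -e` so a failed signing run fails the task rather than being hidden by the last command's status.
```yaml
  - name: Gather list of source files
    find:
      paths: "{{ netbootxyz_root }}"
      file_type: file
    register: source_files

  # … unchanged: Create directories for signatures …

  - name: Generate signatures for source files
    shell: |
      set -e
      openssl cms -sign -binary -noattr -in {{ item.path }} \
        -signer {{ codesign_cert_location }} -inkey {{ codesign_key_location }} -certfile {{ cert_file_location }} -outform DER \
        -out {{ sigs_dir }}/{{ item.path | basename }}.sig
    args:
      chdir: "{{ cert_dir }}"
      warn: false
    with_items: "{{ source_files.files }}"
    tags:
    - skip_ansible_lint
```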

+ 9 - 1
roles/netbootxyz/tasks/main.yml

@@ -3,6 +3,13 @@
     when:
     - generate_menus | default(true) | bool
 
+  - include: generate_signatures.yml
+    when:
+    - generate_signatures | default(false) | bool
+    - codesign_cert_location is defined
+    - codesign_key_location is defined
+    - cert_file_location is defined
+
   - include: generate_disks.yml
     with_items:
     - "{{ bootloader_disks }}"
@@ -13,4 +20,5 @@
 
   - include: generate_checksums.yml
     when:
-    - generate_checksums | default(true) | bool
+    - generate_checksums | default(true) | bool
+
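Review bot: The new `include: generate_signatures.yml` runs before `generate_disks.yml`, but the signing task in generate_signatures.yml uses `chdir: "{{ cert_dir }}"` and `cert_dir` is only created by the directory task added to generate_disks_base.yml, which this include order reaches later — on a fresh host the signing step fails with a missing directory. Either create `{{ cert_dir }}` inside generate_signatures.yml (it already has a `Create directories for signatures` task; add `- "{{ cert_dir }}"` to its `with_items`) or move the signatures include after the disk builds. Note that with the current order anything the disk tasks later write to the top level of `netbootxyz_root` is not signed in the same run. The trailing blank line added at the end of the second hunk is cosmetic.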

+ 3 - 2
roles/netbootxyz/templates/disks/netboot.xyz.j2

@@ -8,12 +8,13 @@ set fg_whi ${esc:string}[37m
 set TFTP_ERR Local TFTP failed... attempting remote HTTPS 
 set HTTPS_ERR HTTPS appears to have failed... attempting HTTP
 set HTTP_ERR HTTP has failed, localbooting...
+set site_name {{ site_name }}
 set boot_domain {{ boot_domain }}
 set version {{ boot_version }}
 
 :start
-echo ${bold}${fg_gre}${boot_domain} - ${fg_whi}v${version}${boldoff}
-echo ${bold}${fg_whi}Powered by${fg_gre}netboot.xyz${boldoff}
+echo ${bold}${fg_gre}${site_name} - ${fg_whi}v${version}${boldoff}
+iseq ${site_name} netboot.xyz || echo ${bold}${fg_whi}Powered by ${fg_gre}netboot.xyz${fg_whi}${boldoff}
 prompt --key m --timeout 4000 Hit the ${bold}m${boldoff} key to open failsafe menu... && goto failsafe || goto dhcp
 
 :dhcp

+ 2 - 2
roles/netbootxyz/templates/menu/windows.ipxe.j2

@@ -41,7 +41,7 @@ goto windows
 isset ${win_base_url} && goto boot || echo URL not set... && goto url_set
 
 :boot
-kernel http://${boot_domain}/wimboot
+kernel {{ wimboot_location }}
 initrd ${win_base_url}/${win_arch}/bootmgr bootmgr
 initrd ${win_base_url}/${win_arch}/boot/bcd bcd
 initrd ${win_base_url}/${win_arch}/boot/boot.sdi boot.sdi
@@ -56,4 +56,4 @@ imgverify wimboot ${sigs}wimboot.sig || goto error
 boot
 
 :windows_exit
-exit 0
+exit 0