From 9e53a97e5c6726948e22082a0de3f2a848073356 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Sun, 13 Nov 2022 17:38:22 +0200
Subject: [PATCH 1/8] [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot
---
 Makefile | 13 +++++++
 patch/secure_boot_kernel_config.sh | 54 ++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 patch/secure_boot_kernel_config.sh
diff --git a/Makefile b/Makefile
index 839e89e47..de92deb5a 100644
--- a/Makefile
+++ b/Makefile
@@ -126,6 +126,19 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
 fi
+ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))
+ if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then
+ echo "Add secure boot support in kernel config file"
+ cp ../patch/secure_boot_kernel_config.sh .
+ cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
+ bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT)
+ else
+ echo "no certificate file exist, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
+ exit 1
+ fi
+
+endif # ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))
+
 # Building a custom kernel from Debian kernel source
 ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep
 ifeq ($(CONFIGURED_ARCH), armhf)
diff --git a/patch/secure_boot_kernel_config.sh b/patch/secure_boot_kernel_config.sh
new file mode 100644
index 000000000..e7a3e3d43
--- /dev/null
+++ b/patch/secure_boot_kernel_config.sh
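Review bot: `if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then` leaves the path unquoted, so a variable that is set but empty expands to `[ -f ]`, which is true, and the recipe runs the `cp`/`bash` lines with a missing operand instead of taking the `else` branch that reports the missing certificate. Quote it, `if [ -f "$(SECURE_UPGRADE_DEV_SIGNING_CERT)" ]; then`, and likewise the `cp` and `bash` operands that reuse the value. The same unquoted test is carried forward unchanged into the rewrites of this block in patches 3 and 4 of the series. The recipe this block sits in starts before the hunk.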
@@ -0,0 +1,54 @@ +#!/bin/bash + +# Note: this script was created because there is a problem when changing the kernel config +# values that requires in the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags). +# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions. + +usage() { + cat < +Script is modifying kernel config file to support system trusted key with custom certificate. +Note: The signature algorithem used will be SHA512. + +Parameters description: +PEM_CERT public key (pem format). Key to be store in kernel. + +Run example: +bash secure_boot_kernel_config.sh cert.pem +EOF +} + +if [ "$1" = "-h" -o "$1" = "--help" ]; then + usage +fi + +echo "$0: Adding Secure Boot support in Kernel config file." + +CERT_PEM=$1 + +[ -f "$CERT_PEM" ] || { + echo "Error: CERT_PEM file does not exist: $CERT_PEM" + usage + exit 1 +} + +local_cert_pem="debian/certs/$(basename $CERT_PEM)" +linux_cfg_file="debian/build/build_amd64_none_amd64/.config" +sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file +sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file +sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file +sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file + +#lockdown feature disable +sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file +sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file +sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file +sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file + +# warm boot secure +sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not 
set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file
+
+echo "$0: Secure Boot support in Kernel config file DONE."
+
+
From 9724e9fac54b9ccc5c25044884783325af1ea116 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Mon, 14 Nov 2022 10:22:59 +0200
Subject: [PATCH 2/8] [secure boot]Fix few typos
---
 Makefile | 2 +-
 patch/secure_boot_kernel_config.sh | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/Makefile b/Makefile
index de92deb5a..0a684ca30 100644
--- a/Makefile
+++ b/Makefile
@@ -133,7 +133,7 @@ ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))
 cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
 bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT)
 else
- echo "no certificate file exist, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
+ echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
 exit 1
 fi
diff --git a/patch/secure_boot_kernel_config.sh b/patch/secure_boot_kernel_config.sh
index e7a3e3d43..486cbbd7e 100644
--- a/patch/secure_boot_kernel_config.sh
+++ b/patch/secure_boot_kernel_config.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Note: this script was created because there is a problem when changing the kernel config
-# values that requires in the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags).
+# values that are required by the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags).
 # So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions.
 usage() {
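Review bot: In the new script the `-h`/`--help` branch calls `usage` but does not exit, so execution continues with `CERT_PEM=-h`, fails the `[ -f "$CERT_PEM" ]` check, prints usage a second time and exits 1; add `exit 0` after `usage`. None of the `sed -i` edits are checked and there is no `set -e`, so a missing `.config` or a pattern that matches nothing leaves the file unchanged while the script still prints `DONE`; add `set -euo pipefail` at the top and, after the edits, a check such as `grep -q '^CONFIG_KEXEC_SIG_FORCE=y' "$linux_cfg_file" || exit 1` on the options that matter. The `#lockdown feature disable` block turns off `CONFIG_SECURITY_LOCKDOWN_LSM` and `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` on a kernel intended to run under Secure Boot, which removes the kernel's usual restriction on runtime modification once Secure Boot is enforced; the comment should state why that trade-off is acceptable here. `basename $CERT_PEM` is also unquoted and should be `basename "$CERT_PEM"`.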
@@ -9,13 +9,12 @@ usage() { $0: # Display Help $0 Script is modifying kernel config file to support system trusted key with custom certificate. -Note: The signature algorithem used will be SHA512. +Note: The signature algorithm used will be RSA over SHA512 x509 format. Parameters description: PEM_CERT public key (pem format). Key to be store in kernel. -Run example: -bash secure_boot_kernel_config.sh cert.pem +Usage example: bash secure_boot_kernel_config.sh cert.pem EOF } @@ -50,5 +49,3 @@ sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECU sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file echo "$0: Secure Boot support in Kernel config file DONE." - - From 10322c34f7d29c7c93bc2f2b5f549d434cbbad49 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Mon, 14 Nov 2022 12:31:36 +0200 Subject: [PATCH 3/8] [secure boot]Fix Secure boot build flag condition by adding an extra defined verification --- Makefile | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 0a684ca30..17c04f1e6 100644 --- a/Makefile +++ b/Makefile @@ -126,7 +126,10 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM) fi -ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod)) +# Secure Boot Configuration +ifneq ($(origin SECURE_UPGRADE_MODE), undefined) +ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod)) +ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined) if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then echo "Add secure boot support in kernel config file" cp ../patch/secure_boot_kernel_config.sh . 
@@ -136,8 +139,11 @@ ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))
 echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
 exit 1
 fi
-
-endif # ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))
+else
+ echo "SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
+endif # ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
+endif # ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
+endif # ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
 # Building a custom kernel from Debian kernel source
 ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep
From 77e18425b9a1ad12cdcb8fc34c09640bea4bb92e Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Thu, 15 Dec 2022 11:29:05 +0200
Subject: [PATCH 4/8] [secure boot]Remove WA after the fix in commit 5717c5d391092f2a8f894ebbd44f6d7016dccdb2. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only.
---
 Makefile | 15 +++----
 patch/secure_boot_kernel_config.sh | 64 +++++++++++++++++++-----------
 2 files changed, 49 insertions(+), 30 deletions(-)
 mode change 100644 => 100755 patch/secure_boot_kernel_config.sh
diff --git a/Makefile b/Makefile
index 17c04f1e6..12d23253f 100644
--- a/Makefile
+++ b/Makefile
@@ -121,11 +121,6 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 stg import -s $(NON_UP_DIR)/series
 fi
- # Optionally add/remove kernel options
- if [ -f ../manage-config ]; then
- ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
- fi
-
 # Secure Boot Configuration
 ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
 ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
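Review bot: In the `@@ -136,8 +139,11 @@` hunk the new `else` branch only echoes `SECURE_UPGRADE_DEV_SIGNING_CERT is not defined` and lets the build continue, so a dev or prod build with no certificate produces a kernel without the Secure Boot options and the target still succeeds; fail closed instead, e.g. `$(error SECURE_UPGRADE_MODE=$(SECURE_UPGRADE_MODE) requires SECURE_UPGRADE_DEV_SIGNING_CERT)` in place of the echo. The `$(origin …)` guards added in the preceding hunk only catch an undefined variable; one defined as empty still reaches the unquoted `[ -f … ]` test above them. The enclosing recipe starts before the hunk.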
@@ -134,17 +129,23 @@ ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
 echo "Add secure boot support in kernel config file"
 cp ../patch/secure_boot_kernel_config.sh .
 cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
- bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT)
+ echo "secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)"
+ ./secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)
 else
 echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
 exit 1
 fi
 else
- echo "SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
+ echo "SECURE_UPGRADE_MODE is defined, but SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
 endif # ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
 endif # ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
 endif # ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
+ # Optionally add/remove kernel options
+ if [ -f ../manage-config ]; then
+ ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
+ fi
+
 # Building a custom kernel from Debian kernel source
 ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep
 ifeq ($(CONFIGURED_ARCH), armhf)
diff --git a/patch/secure_boot_kernel_config.sh b/patch/secure_boot_kernel_config.sh
old mode 100644
new mode 100755
index 486cbbd7e..c49287e5b
--- a/patch/secure_boot_kernel_config.sh
+++ b/patch/secure_boot_kernel_config.sh
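Review bot: The new `./secure_boot_kernel_config.sh -c … -a …` call edits `../patch/kconfig-inclusions` and `../patch/kconfig-exclusions` in place before `../manage-config` reads them (the script appends with `sed -i … a`, see its hunk below), so every rebuild appends the Secure Boot lines again and the tracked files in the checkout are left modified. Either make the script's appends idempotent or, as the series does later, keep the Secure Boot options in their own files that manage-config reads. `$(SECURE_UPGRADE_DEV_SIGNING_CERT)` and `$(CONFIGURED_ARCH)` are passed unquoted; quoting them keeps a path with spaces from being split into extra getopts arguments. The enclosing recipe starts before the hunk.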
@@ -1,51 +1,69 @@ #!/bin/bash -# Note: this script was created because there is a problem when changing the kernel config -# values that are required by the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags). -# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions. +# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature. usage() { cat < +$0 -c -a Script is modifying kernel config file to support system trusted key with custom certificate. Note: The signature algorithm used will be RSA over SHA512 x509 format. Parameters description: PEM_CERT public key (pem format). Key to be store in kernel. - +CONF_ARCH is the kernel arch amd/arm/etc Usage example: bash secure_boot_kernel_config.sh cert.pem EOF } +# the function is appending a line after the string from variable $1 +# var pos $2: new config to be set +# var pos $3: filename to be modify +append_line_after_str() { +sed -i "/$1/a $2" $3 +} + +while getopts 'c:a:hv' flag; do + case "${flag}" in + c) CERT_PEM="${OPTARG}" ;; + a) CONF_ARCH="${OPTARG}" ;; + v) VERBOSE='true' ;; + h) print_usage + exit 1 ;; + esac +done + if [ "$1" = "-h" -o "$1" = "--help" ]; then usage fi -echo "$0: Adding Secure Boot support in Kernel config file." - -CERT_PEM=$1 - [ -f "$CERT_PEM" ] || { echo "Error: CERT_PEM file does not exist: $CERT_PEM" usage exit 1 } -local_cert_pem="debian/certs/$(basename $CERT_PEM)" -linux_cfg_file="debian/build/build_amd64_none_amd64/.config" -sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file -sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file -sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file -sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file +[ ! 
-z "$CONF_ARCH" ] || { + echo "Error: CONF_ARCH file does not exist: $CONF_ARCH" + usage + exit 1 +} -#lockdown feature disable -sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file -sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file -sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file -sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file +LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)" +KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions" +KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions" +CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]" -# warm boot secure -sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file +echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE" -echo "$0: Secure Boot support in Kernel config file DONE." 
+# add support to secure boot and secure warm boot
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE
From b6003e9a832b36022a090db1d77c4690f6ec949e Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Wed, 25 Jan 2023 14:28:19 +0200
Subject: [PATCH 5/8] [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config.
---
 Makefile | 22 +---
 manage-config | 174 ++++++++++++++++-----------
 patch/kconfig-secure-boot-exclusions | 21 ++++
 patch/kconfig-secure-boot-inclusions | 20 +++
 patch/secure_boot_kernel_config.sh | 69 -----------
 5 files changed, 146 insertions(+), 160 deletions(-)
 create mode 100644 patch/kconfig-secure-boot-exclusions
 create mode 100644 patch/kconfig-secure-boot-inclusions
 delete mode 100755 patch/secure_boot_kernel_config.sh
diff --git a/Makefile b/Makefile
index 12d23253f..9c8c5e938 100644
--- a/Makefile
+++ b/Makefile
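Review bot: `h) print_usage` calls a function that is not defined in the script (the helper is `usage`), so `-h` ends in a command-not-found error before the `exit 1`; change it to `h) usage` with `exit 0`, and give the `[ "$1" = "-h" -o "$1" = "--help" ]` branch below it an `exit 0` as well, since it currently falls through to the certificate check. `append_line_after_str` runs `sed -i "/$1/a $2" $3` unconditionally, so each build appends another copy of all ten lines under the `[$CONF_ARCH]` header of the tracked kconfig files; guard each call with `grep -qF -- "$2" "$3" ||` and quote `$1` and `$3`. The `CONF_ARCH` guard says `file does not exist` for what is an empty-string check and never confirms that a `[$CONF_ARCH]` section exists, so an unknown arch makes every `sed` address match nothing and the script exits 0 having changed nothing. The hunk starts at the `@@ -1,51 +1,69 @@` header two lines above.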
@@ -121,29 +121,9 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 stg import -s $(NON_UP_DIR)/series
 fi
-# Secure Boot Configuration
-ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
-ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
-ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
- if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then
- echo "Add secure boot support in kernel config file"
- cp ../patch/secure_boot_kernel_config.sh .
- cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
- echo "secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)"
- ./secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)
- else
- echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
- exit 1
- fi
-else
- echo "SECURE_UPGRADE_MODE is defined, but SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
-endif # ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
-endif # ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
-endif # ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
-
 # Optionally add/remove kernel options
 if [ -f ../manage-config ]; then
- ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
+ ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT)
 fi
 # Building a custom kernel from Debian kernel source
diff --git a/manage-config b/manage-config
index e3570db75..0722604ba 100755
--- a/manage-config
+++ b/manage-config
@@ -26,12 +26,21 @@
 # Configuration file to change
 ARCH=amd64
 PLATFORM=
+SECURE_UPGRADE_MODE="no_sign"
+SECURE_UPGRADE_DEV_SIGNING_CERT=
 if [ $# -ge 1 ]; then
 ARCH=$1
 fi
 if [ $# -ge 2 ]; then
 PLATFORM=$2
 fi
+if [ $# -ge 3 ]; then
+ SECURE_UPGRADE_MODE=$3
+fi
+if [ $# -ge 4 ]; then
+ SECURE_UPGRADE_DEV_SIGNING_CERT=$4
+fi
+
 case "$ARCH" in
 amd64)
 CONFIG_FILE_LOC=debian/build/build_amd64_none_amd64
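Review bot: `../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT)` passes four unquoted values to a script that assigns them by position (`$# -ge 3` / `$# -ge 4` in the manage-config hunk on this line), so if `CONFIGURED_PLATFORM` or `SECURE_UPGRADE_MODE` is empty the later arguments shift left and the certificate path can end up in `SECURE_UPGRADE_MODE`. Quote each argument, `"$(CONFIGURED_ARCH)" "$(CONFIGURED_PLATFORM)" "$(SECURE_UPGRADE_MODE)" "$(SECURE_UPGRADE_DEV_SIGNING_CERT)"`, and in manage-config keep the default when the positional value is empty, `SECURE_UPGRADE_MODE=${3:-no_sign}`. A comment next to `SECURE_UPGRADE_MODE="no_sign"` naming the accepted values (`dev`, `prod`, anything else means no Secure Boot configuration) would also help, since the comparison that uses it is far below. The enclosing recipe starts before the Makefile hunk.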
@@ -58,88 +67,113 @@ function get_section_opts(){
 echo "$opts"
 }
-ret=0
-exclusion_file="../patch/kconfig-exclusions"
-inclusion_file="../patch/kconfig-inclusions"
-force_inclusion_file="../patch/kconfig-force-inclusions"
-if [ -e ${exclusion_file} -o -e ${inclusion_file} -o -e ${force_inclusion_file} ]; then
-
- # Process any exclusions in the kernel
- if [ -f ${exclusion_file} ]; then
- exclusion_opts=$(get_section_opts ${exclusion_file} "common" ${ARCH} ${PLATFORM})
- while read -r opt; do
- if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then
- scripts/config --file ${CONFIG_FILE} -d $opt
- fi
- done <<< ${exclusion_opts};
- fi
+function process_inclusion_exclusion_files(){
+ echo "process_inclusion_exclusion_files Start"
+ ret=0
+ echo "debug ret=$ret 1"
+ if [ -e ${exclusion_file} -o -e ${inclusion_file} -o -e ${force_inclusion_file} ]; then
- # Process any inclusions in the kernel
- if [ -f ${inclusion_file} ]; then
- inclusion_opts=$(get_section_opts ${inclusion_file} "common" ${ARCH} ${PLATFORM})
- while read -r opt; do
- if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then
- n=${opt%=*}
- v="${opt#*=}"
- scripts/config --file ${CONFIG_FILE} -k --set-val "$n" "$v"
- fi
- done <<< ${inclusion_opts};
- fi
+ # Process any exclusions in the kernel
+ if [ -f ${exclusion_file} ]; then
+ exclusion_opts=$(get_section_opts ${exclusion_file} "common" ${ARCH} ${PLATFORM})
+ while read -r opt; do
+ if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then
+ scripts/config --file ${CONFIG_FILE} -d $opt
+ fi
+ done <<< ${exclusion_opts};
+ fi
+
+ # Process any inclusions in the kernel
+ if [ -f ${inclusion_file} ]; then
+ inclusion_opts=$(get_section_opts ${inclusion_file} "common" ${ARCH} ${PLATFORM})
+ while read -r opt; do
+ if [ ! -z "$opt" ] && [[ !
"$opt" =~ ^#.* ]]; then + n=${opt%=*} + v="${opt#*=}" + scripts/config --file ${CONFIG_FILE} -k --set-val "$n" "$v" + fi + done <<< ${inclusion_opts}; + fi - # Update the .config file to be sure it's consistent - make -C ${CONFIG_FILE_LOC} olddefconfig + # Update the .config file to be sure it's consistent + make -C ${CONFIG_FILE_LOC} olddefconfig - # Verify that the kernel options we want to remove are not in the updated configuration - if [ -f ${exclusion_file} ]; then - echo - echo "Checking removed kernel options..." - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - s=$(scripts/config --file ${CONFIG_FILE} -k --state $opt) - if [ ! "$s" = "undef" -a ! "$s" = "n" ]; then - ret=1 - echo "Option $opt should not be set, but is set to [$s]" + # Verify that the kernel options we want to remove are not in the updated configuration + if [ -f ${exclusion_file} ]; then + echo + echo "Checking removed kernel options..." + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + s=$(scripts/config --file ${CONFIG_FILE} -k --state $opt) + if [ ! "$s" = "undef" -a ! "$s" = "n" ]; then + ret=1 + echo "Option $opt should not be set, but is set to [$s]" + fi fi + done <<< ${exclusion_opts}; + if [ $ret = 0 ]; then + echo "No error" fi - done <<< ${exclusion_opts}; - if [ $ret = 0 ]; then - echo "No error" fi - fi - # Verify that the kernel options we want to add are now in the updated configuration - if [ -f ${inclusion_file} ]; then - echo - echo "Checking added kernel options..." - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - n=${opt%=*} - v="${opt#*=}" - v="${v/#\"/}" - v="${v/%\"/}" - s=$(scripts/config --file ${CONFIG_FILE} -k --state $n) - if [ ! 
"$s" = "$v" ]; then - ret=2 - echo "Option $n should be set to [$v] instead of [$s]" + # Verify that the kernel options we want to add are now in the updated configuration + if [ -f ${inclusion_file} ]; then + echo + echo "Checking added kernel options..." + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + n=${opt%=*} + v="${opt#*=}" + v="${v/#\"/}" + v="${v/%\"/}" + s=$(scripts/config --file ${CONFIG_FILE} -k --state $n) + if [ ! "$s" = "$v" ]; then + ret=2 + echo "Option $n should be set to [$v] instead of [$s]" + fi fi + done <<< ${inclusion_opts}; + if [ ! $ret = 2 ]; then + echo "No error" fi - done <<< ${inclusion_opts}; - if [ ! $ret = 2 ]; then - echo "No error" fi - fi - # Process any force inclusions in the kernel - if [ -f ${force_inclusion_file} ]; then - force_inclusion_opts=$(get_section_opts ${force_inclusion_file} "common" ${ARCH} ${PLATFORM}) - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - echo $opt >> ${CONFIG_FILE} - fi - done <<< ${force_inclusion_opts}; + # Process any force inclusions in the kernel + if [ -f ${force_inclusion_file} ]; then + force_inclusion_opts=$(get_section_opts ${force_inclusion_file} "common" ${ARCH} ${PLATFORM}) + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + echo $opt >> ${CONFIG_FILE} + fi + done <<< ${force_inclusion_opts}; + fi + + echo fi - echo + echo "process_inclusion_exclusion_files Done" + return $ret +} + +exclusion_file="../patch/kconfig-exclusions" +inclusion_file="../patch/kconfig-inclusions" +force_inclusion_file="../patch/kconfig-force-inclusions" +ret_process_inc_ex=0 +ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?) 
+
+# Secure Boot support
+if [ $ret_process_inc_ex -e 0 ]; then
+ if [ ${SECURE_UPGRADE_MODE} == "dev" -o ${SECURE_UPGRADE_MODE} == "prod" ]; then
+ echo "set kconfig-secure-boot-exclusions & kconfig-secure-boot-inclusions"
+ exclusion_file="../patch/kconfig-secure-boot-exclusions"
+ inclusion_file="../patch/kconfig-secure-boot-inclusions"
+ force_inclusion_file="../patch/kconfig-force-secure-boot-inclusions"
+
+ # save the new pub key in kernel
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$SECURE_UPGRADE_DEV_SIGNING_CERT\"|g" $inclusion_file
+
+ ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?)
+ fi
 fi
-exit $ret
+exit $ret_process_inc_ex
diff --git a/patch/kconfig-secure-boot-exclusions b/patch/kconfig-secure-boot-exclusions
new file mode 100644
index 000000000..abcae1b54
--- /dev/null
+++ b/patch/kconfig-secure-boot-exclusions
@@ -0,0 +1,21 @@
+[common]
+
+[amd64]
+CONFIG_MODULE_SIG_SHA256
+# For mellanox
+CONFIG_SECURITY_LOCKDOWN_LSM
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+
+[arm64]
+CONFIG_MODULE_SIG_SHA256
+# For mellanox
+CONFIG_SECURITY_LOCKDOWN_LSM
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
+
+[armhf]
+
+[marvell-armhf]
diff --git a/patch/kconfig-secure-boot-inclusions b/patch/kconfig-secure-boot-inclusions
new file mode 100644
index 000000000..269ba180c
--- /dev/null
+++ b/patch/kconfig-secure-boot-inclusions
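Review bot: `if [ $ret_process_inc_ex -e 0 ]; then` is not an integer comparison (`-e` is the file-exists test), so `[` reports an error and returns false, the whole Secure Boot block is skipped, and the script exits with the first run's status, which is 0 whenever the ordinary kconfig pass succeeded; a dev or prod build therefore gets a kernel without the signing options and no failure. Write `if [ "$ret_process_inc_ex" -eq 0 ]; then`, and let the Secure Boot pass's own non-zero status be the exit status rather than something that can be silently bypassed. Both `$(process_inclusion_exclusion_files > /dev/null; echo $?)` calls discard the function's output, so the `Option … should not be set` and `should be set to` diagnostics never reach the build log and a failed verification is reported only as exit code 1 or 2; call it directly, `process_inclusion_exclusion_files; ret_process_inc_ex=$?`, and drop the leftover `echo "debug ret=$ret 1"`. The `sed -i` on `$inclusion_file` rewrites the tracked `patch/kconfig-secure-boot-inclusions` with `$SECURE_UPGRADE_DEV_SIGNING_CERT` interpolated unescaped (a `|` or `&` in the path breaks the expression) and leaves the checkout dirty after every build; applying the substitution to a temporary copy of the file would avoid both problems. The hunk starts at the `@@ -58,88 +67,113 @@` header three lines above.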
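Review bot: The `[amd64]` and `[arm64]` sections of the new exclusions file disable `CONFIG_SECURITY_LOCKDOWN_LSM`, `CONFIG_SECURITY_LOCKDOWN_LSM_EARLY`, `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE` and `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` with only `# For mellanox` as explanation; on a Secure Boot kernel lockdown is what normally keeps root from altering the running kernel, so the comment should say which platform functionality needs it off and that the loss is accepted, e.g. `# Lockdown LSM disabled: <REASON> on Mellanox platforms; accepted trade-off`. `[armhf]` and `[marvell-armhf]` are left empty, so those builds get no Secure Boot exclusions even in dev/prod mode; a comment saying whether that is intentional would keep it from being read as an omission.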
@@ -0,0 +1,20 @@
+[common]
+
+[amd64]
+# CONFIG_SYSTEM_TRUSTED_KEYS="$LOCAL_CERT_PEM"
+CONFIG_SYSTEM_TRUSTED_KEYS="/sonic/files/nv_onyx_key_certificate.pem"
+CONFIG_MODULE_SIG_HASH="sha512"
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_KEXEC_SIG_FORCE=y
+
+[arm64]
+# CONFIG_SYSTEM_TRUSTED_KEYS="$LOCAL_CERT_PEM"
+CONFIG_SYSTEM_TRUSTED_KEYS="/sonic/files/nv_onyx_key_certificate.pem"
+CONFIG_MODULE_SIG_HASH="sha512"
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_KEXEC_SIG_FORCE=y
+
+[armhf]
+
+
+[marvell-armhf]
diff --git a/patch/secure_boot_kernel_config.sh b/patch/secure_boot_kernel_config.sh
deleted file mode 100755
index c49287e5b..000000000
--- a/patch/secure_boot_kernel_config.sh
+++ /dev/null
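Review bot: `CONFIG_SYSTEM_TRUSTED_KEYS="/sonic/files/nv_onyx_key_certificate.pem"` is a placeholder that manage-config overwrites with `sed -i` at build time, but nothing in the file says so, and the `# CONFIG_SYSTEM_TRUSTED_KEYS="$LOCAL_CERT_PEM"` line above it refers to a variable that no longer exists once the helper script is deleted in this commit. Replace the pair with one real line preceded by `# Rewritten by manage-config from SECURE_UPGRADE_DEV_SIGNING_CERT; the value here is only a default`. The four entries are duplicated verbatim in `[amd64]` and `[arm64]` while `[common]` stays empty; if `get_section_opts` merges `[common]` with the arch section as its call in manage-config suggests, moving them into `[common]` keeps the two blocks from drifting apart.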
@@ -1,69 +0,0 @@ -#!/bin/bash - -# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature. - -usage() { - cat < -a -Script is modifying kernel config file to support system trusted key with custom certificate. -Note: The signature algorithm used will be RSA over SHA512 x509 format. - -Parameters description: -PEM_CERT public key (pem format). Key to be store in kernel. -CONF_ARCH is the kernel arch amd/arm/etc -Usage example: bash secure_boot_kernel_config.sh cert.pem -EOF -} - -# the function is appending a line after the string from variable $1 -# var pos $2: new config to be set -# var pos $3: filename to be modify -append_line_after_str() { -sed -i "/$1/a $2" $3 -} - -while getopts 'c:a:hv' flag; do - case "${flag}" in - c) CERT_PEM="${OPTARG}" ;; - a) CONF_ARCH="${OPTARG}" ;; - v) VERBOSE='true' ;; - h) print_usage - exit 1 ;; - esac -done - -if [ "$1" = "-h" -o "$1" = "--help" ]; then - usage -fi - -[ -f "$CERT_PEM" ] || { - echo "Error: CERT_PEM file does not exist: $CERT_PEM" - usage - exit 1 -} - -[ ! 
-z "$CONF_ARCH" ] || { - echo "Error: CONF_ARCH file does not exist: $CONF_ARCH" - usage - exit 1 -} - -LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)" -KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions" -KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions" -CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]" - -echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE" - -# add support to secure boot and secure warm boot -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE -append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE From b6b6c59f917cdb9bd1adc8ad16427c9a3015bbcf Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Wed, 25 Jan 2023 15:03:25 +0200 Subject: [PATCH 6/8] [secure boot]removed comment, rename certificate with the name of the default debian key path. --- manage-config | 2 +- patch/kconfig-secure-boot-inclusions | 7 ++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/manage-config b/manage-config index 0722604ba..586de759c 100755 --- a/manage-config +++ b/manage-config 
@@ -170,7 +170,7 @@ if [ $ret_process_inc_ex -e 0 ]; then
 force_inclusion_file="../patch/kconfig-force-secure-boot-inclusions"
 # save the new pub key in kernel
- sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$SECURE_UPGRADE_DEV_SIGNING_CERT\"|g" $inclusion_file
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$SECURE_UPGRADE_DEV_SIGNING_CERT\"|g" ${inclusion_file}
 ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?)
 fi
diff --git a/patch/kconfig-secure-boot-inclusions b/patch/kconfig-secure-boot-inclusions
index 269ba180c..216fafe74 100644
--- a/patch/kconfig-secure-boot-inclusions
+++ b/patch/kconfig-secure-boot-inclusions
@@ -1,20 +1,17 @@
 [common]
 [amd64]
-# CONFIG_SYSTEM_TRUSTED_KEYS="$LOCAL_CERT_PEM"
-CONFIG_SYSTEM_TRUSTED_KEYS="/sonic/files/nv_onyx_key_certificate.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_KEXEC_SIG_FORCE=y
 [arm64]
-# CONFIG_SYSTEM_TRUSTED_KEYS="$LOCAL_CERT_PEM"
-CONFIG_SYSTEM_TRUSTED_KEYS="/sonic/files/nv_onyx_key_certificate.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_KEXEC_SIG_FORCE=y
 [armhf]
-
 [marvell-armhf]
From 46beeb34c351d43ddef2bb76bbd8e6806f2bac07 Mon Sep 17 00:00:00 2001
From: David Pilnik
Date: Thu, 26 Jan 2023 16:40:25 +0200
Subject: [PATCH 7/8] [secure boot]Fix equal condition and add input file validation to certificate
---
 Makefile | 2 ++
 manage-config | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 9c8c5e938..d4acb1b98 100644
--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,8 @@ KERNEL_VERSION ?= 5.10.140
 KERNEL_SUBVERSION ?= 1
 kernel_procure_method ?= build
 CONFIGURED_ARCH ?= amd64
+SECURE_UPGRADE_MODE ?=
+SECURE_UPGRADE_DEV_SIGNING_CERT =?
 LINUX_HEADER_COMMON = linux-headers-$(KVERSION_SHORT)-common_$(KERNEL_VERSION)-$(KERNEL_SUBVERSION)_all.deb
 LINUX_HEADER_AMD64 = linux-headers-$(KVERSION)_$(KERNEL_VERSION)-$(KERNEL_SUBVERSION)_$(CONFIGURED_ARCH).deb
diff --git a/manage-config b/manage-config
index 586de759c..b2e28cd8f 100755
--- a/manage-config
+++ b/manage-config
@@ -162,9 +162,16 @@ ret_process_inc_ex=0
 ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?)
 # Secure Boot support
-if [ $ret_process_inc_ex -e 0 ]; then
+if [ $ret_process_inc_ex -eq 0 ]; then
+ echo "Secure Boot params: SECURE_UPGRADE_MODE=${SECURE_UPGRADE_MODE}, SECURE_UPGRADE_DEV_SIGNING_CERT=${SECURE_UPGRADE_DEV_SIGNING_CERT}"
 if [ ${SECURE_UPGRADE_MODE} == "dev" -o ${SECURE_UPGRADE_MODE} == "prod" ]; then
 echo "set kconfig-secure-boot-exclusions & kconfig-secure-boot-inclusions"
+
+ if [ ! -f "${SECURE_UPGRADE_DEV_SIGNING_CERT}" ]; then
+ echo "ERROR: SECURE_UPGRADE_DEV_SIGNING_CERT=${SECURE_UPGRADE_DEV_SIGNING_CERT} file does not exist"
+ exit 1
+ fi
+
 exclusion_file="../patch/kconfig-secure-boot-exclusions"
 inclusion_file="../patch/kconfig-secure-boot-inclusions"
 force_inclusion_file="../patch/kconfig-force-secure-boot-inclusions"
@@ -173,6 +180,9 @@ if [ $ret_process_inc_ex -e 0 ]; then
 sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$SECURE_UPGRADE_DEV_SIGNING_CERT\"|g" ${inclusion_file}
 ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?)
+ echo "Secure Boot kernel configuration done."
+ else
+ echo "no Secure Boot Kernel configuration required."
 fi
 fi
From fb8993ff646f38f6cb04a7fb6c8d9dc7e45b806e Mon Sep 17 00:00:00 2001
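Review bot: `SECURE_UPGRADE_DEV_SIGNING_CERT =?` is a plain `=` assignment whose value is the literal `?`, not a conditional default (the operator is `?=`); because makefile assignments override environment values unless `make -e` is used, a certificate path supplied through the environment is replaced by `?`, and that unquoted `?` then reaches the `../manage-config` call as a shell glob. The line should read `SECURE_UPGRADE_DEV_SIGNING_CERT ?=`, matching `SECURE_UPGRADE_MODE ?=` directly above it.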
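Review bot: In the `@@ -162,9 +162,16 @@` hunk the context line `if [ ${SECURE_UPGRADE_MODE} == "dev" -o ${SECURE_UPGRADE_MODE} == "prod" ]; then` leaves the variable unquoted and relies on `==` and `-o` inside `[`; if the script is ever called with an empty third argument the test becomes `[ == dev -o == prod ]`, which `[` rejects with an error instead of evaluating to false, and the Makefile in this same commit now defaults `SECURE_UPGRADE_MODE` to empty. Prefer `if [[ "${SECURE_UPGRADE_MODE}" == "dev" || "${SECURE_UPGRADE_MODE}" == "prod" ]]; then`. The new `[ ! -f "${SECURE_UPGRADE_DEV_SIGNING_CERT}" ]` check is the right fail-closed behaviour; a short comment that the path is tested relative to the kernel source directory, where the kernel build presumably resolves `CONFIG_SYSTEM_TRUSTED_KEYS`, would explain why a relative value such as `debian/certs/…` is expected there.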
From: David Pilnik
Date: Tue, 31 Jan 2023 10:18:27 +0200
Subject: [PATCH 8/8] [secure boot]Add signature force flag in kernel config, to force kernel module verification
---
 patch/kconfig-secure-boot-inclusions | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/patch/kconfig-secure-boot-inclusions b/patch/kconfig-secure-boot-inclusions
index 216fafe74..929ddf403 100644
--- a/patch/kconfig-secure-boot-inclusions
+++ b/patch/kconfig-secure-boot-inclusions
@@ -5,12 +5,14 @@ CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_KEXEC_SIG_FORCE=y
+CONFIG_MODULE_SIG_FORCE=y
 [arm64]
 CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
 CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_SIG_SHA512=y
 CONFIG_KEXEC_SIG_FORCE=y
+CONFIG_MODULE_SIG_FORCE=y
 [armhf]
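Review bot: `CONFIG_MODULE_SIG_FORCE=y` makes the kernel refuse to load any module whose signature does not verify against the keys built in via `CONFIG_SYSTEM_TRUSTED_KEYS`, so every out-of-tree platform module shipped in the image must be signed with the same key or it will fail to load at boot; a one-line comment above each occurrence, `# MODULE_SIG_FORCE: modules without a valid signature are rejected; all platform modules must be signed with the CONFIG_SYSTEM_TRUSTED_KEYS key`, records that requirement where the next maintainer will look. `[armhf]` and `[marvell-armhf]` still receive no entries, so dev/prod builds for those arches enforce nothing; if that is intentional, say so in the file.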