forked from sonic-net/sonic-linux-kernel
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Secure Boot Kernel configuration (sonic-net#298)
* [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
- Loading branch information
1 parent
cc69246
commit 19f58f3
Showing
4 changed files
with
153 additions
and
67 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
[common] | ||
|
||
[amd64] | ||
CONFIG_MODULE_SIG_SHA256 | ||
# For mellanox | ||
CONFIG_SECURITY_LOCKDOWN_LSM | ||
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | ||
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE | ||
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT | ||
|
||
[arm64] | ||
CONFIG_MODULE_SIG_SHA256 | ||
# For mellanox | ||
CONFIG_SECURITY_LOCKDOWN_LSM | ||
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY | ||
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE | ||
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT | ||
|
||
[armhf] | ||
|
||
[marvell-armhf] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
[common] | ||
|
||
[amd64] | ||
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" | ||
CONFIG_MODULE_SIG_HASH="sha512" | ||
CONFIG_MODULE_SIG_SHA512=y | ||
CONFIG_KEXEC_SIG_FORCE=y | ||
CONFIG_MODULE_SIG_FORCE=y | ||
|
||
[arm64] | ||
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" | ||
CONFIG_MODULE_SIG_HASH="sha512" | ||
CONFIG_MODULE_SIG_SHA512=y | ||
CONFIG_KEXEC_SIG_FORCE=y | ||
CONFIG_MODULE_SIG_FORCE=y | ||
|
||
[armhf] | ||
|
||
[marvell-armhf] |