From 1781f60f2e790e294164542f1030b9c23d619d88 Mon Sep 17 00:00:00 2001 From: David Pilnik Date: Sun, 13 Nov 2022 17:38:22 +0200 Subject: [PATCH] [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot --- Makefile | 13 +++++++ patch/secure_boot_kernel_config.sh | 54 ++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 patch/secure_boot_kernel_config.sh diff --git a/Makefile b/Makefile index 839e89e47..de92deb5a 100644 --- a/Makefile +++ b/Makefile @@ -126,6 +126,19 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM) fi +ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod)) + if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then + echo "Add secure boot support in kernel config file" + cp ../patch/secure_boot_kernel_config.sh . + cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs + bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT) + else + echo "no certificate file exist, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)" + exit 1 + fi + +endif # ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod)) + # Building a custom kernel from Debian kernel source ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep ifeq ($(CONFIGURED_ARCH), armhf) diff --git a/patch/secure_boot_kernel_config.sh b/patch/secure_boot_kernel_config.sh new file mode 100644 index 000000000..e7a3e3d43 --- /dev/null +++ b/patch/secure_boot_kernel_config.sh @@ -0,0 +1,54 @@ +#!/bin/bash + +# Note: this script was created because there is a problem when changing the kernel config +# values that requires in the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags). +# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions. + +usage() { + cat < +Script is modifying kernel config file to support system trusted key with custom certificate. +Note: The signature algorithem used will be SHA512. + +Parameters description: +PEM_CERT public key (pem format). Key to be store in kernel. + +Run example: +bash secure_boot_kernel_config.sh cert.pem +EOF +} + +if [ "$1" = "-h" -o "$1" = "--help" ]; then + usage +fi + +echo "$0: Adding Secure Boot support in Kernel config file." + +CERT_PEM=$1 + +[ -f "$CERT_PEM" ] || { + echo "Error: CERT_PEM file does not exist: $CERT_PEM" + usage + exit 1 +} + +local_cert_pem="debian/certs/$(basename $CERT_PEM)" +linux_cfg_file="debian/build/build_amd64_none_amd64/.config" +sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file +sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file +sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file +sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file + +#lockdown feature disable +sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file +sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file +sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file +sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file + +# warm boot secure +sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file + +echo "$0: Secure Boot support in Kernel config file DONE." + +