Add Secure Boot Kernel configuration

[davidpil2002]

In order to support the Secure Boot feature it required some modifications when building the Linux Kernel.
This PR contained the kernel configuration aggregations to support it.

sonic-buildimage PR link: sonic-net/sonic-buildimage#12692
HLD: sonic-net/SONiC#1028

[paulmenzel]

Please amend the commit message, detailing the Secure Boot problem, how it was tested tested (also QEMU?), and why it can’t be enabled unconditionally.

Please add a space after ].

[davidpil2002]

fix few typos

[saiarcot895]

So Debian's/Ubuntu's approach to supporting Secure Boot is to sign the kernel after it's built with a shim binary. Could that work here, or is this approach to instead support any arbitrary public key that might be present in the UEFI?

[saiarcot895]

Regarding the manage-config script issue, I've raised #300 to fix it.

[davidpil2002]

So Debian's/Ubuntu's approach to supporting Secure Boot is to sign the kernel after it's built with a shim binary. Could that work here, or is this approach to instead support any arbitrary public key that might be present in the UEFI?

yes,
We are doing the full Secure Boot flow like the Debian approach suggested, using shim, grub, and kernel signed, also the feature is signing kernel modules.
more details can be found in the HLD(link in the description)
And yes, by using shim you can store any arbitrary pub key in the UEFI DB

[davidpil2002]

Regarding the manage-config script issue, I've raised #300 to fix it.

Thanks!

[davidpil2002]

Regarding the manage-config script issue, I've raised #300 to fix it.

Thanks!

[liat-grozovik]

@saiarcot895 could you please add a label 'request for 202211'?

[liat-grozovik]

@saiarcot895 can you please help to merge and label?

[lguohan]

the approach here is complicated, secure boot kernel configuration should be incorprated into manage-config script, for you can add option in manage-config to enable and disable secure boot and then have a secureboot_config to have those options to be included like other existing config.

[liat-grozovik]

@davidpil2002 please update your branch to the latest
@saiarcot895 are you ok with the change and can approve it?

[saiarcot895]

@saiarcot895 are you ok with the change and can approve it?

No. I concur with Guohan's comment.

1. The changes that the new script is making results in modifying files that are tracked in the repo. This means after a build (or even attempted build, in case of a build failure), the git repo's state will be dirty (because there are changes to tracked files).
2. There's nothing undoing these changes after the build is done, meaning if someone switches from a secure boot to non-secure boot environment variable settings, then they'll need to reset the git repo as well.
3. Considering all that is being done is setting some configs (one of which takes in user input), having it be done in manage-config makes more sense IMO. kconfig-secure-boot-inclusions and kconfig-secure-boot-exclusions can be created as well to store the config changes that don't depend on user input.

[davidpil2002]

2. nothing undoing these changes after the build is done, meaning if someone switches from a secure boot to non-secure boot environment variable settings, then they'll need to reset the git repo as well.

I see your point.

1. if there is a fail, the makefile always removes the Linux repo and does wget of the kernel repo fresh. So no see a problem here, pls see the existing code line below from the Makefile:
   $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
# Obtaining the Debian kernel source
rm -rf $(BUILD_DIR)
2. you are correct about the case of kernel build success because the kernel target file will contain SB (secure boot)kernel flags and will not re-build itself when the user triggers the build again with an unsecured build flags.
3. I'm not sure to move the logic to manage-config will fix the issue (I will try your suggestion locally anway) for the following reason:
   The SB depends on the user build configuration because the user needs to decide if SB is enabled or disabled at start of build time.
   So I am not sure 100% that creating kconfig-secure-boot-inclusions and kconfig-secure-boot-exclusions can solve the problem.
   The reason is because the kernel configuration that the feature required is not static, it depends on the user configuration selected at the start of the build time.
   Maybe until today, the sonic-Linux-kernel supported just static configuration and now we need a new solution that removes the Linux target if some user build flag related was changed?

[saiarcot895]

if there is a fail, the makefile always removes the Linux repo and does wget of the kernel repo fresh. So no see a problem here

I was referring to the changes done in these lines to patch/kconfig-inclusions and patch/kconfig-exclusions.

sonic-linux-kernel/patch/secure_boot_kernel_config.sh

Lines 60 to 69 in 77e1842

	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE
	append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE

These files are part of the sonic-linux-kernel repo, rather than the Linux kernel repo.

The SB depends on the user build configuration because the user needs to decide if SB is enabled or disabled at start of build time.
So I am not sure 100% that creating kconfig-secure-boot-inclusions and kconfig-secure-boot-exclusions can solve the problem.
The reason is because the kernel configuration that the feature required is not static, it depends on the user configuration selected at the start of the build time.
Maybe until today, the sonic-Linux-kernel supported just static configuration and now we need a new solution that removes the Linux target if some user build flag related was changed?

I think there's two different things being touched on here. The purpose of creating kconfig-secure-boot-inclusions and kconfig-secure-boot-exclusions is to have just the static secure boot configs (i.e. everything except CONFIG_SYSTEM_TRUSTED_KEYS) in a regular plain-text file, which will then be read in by manage-config (similar to how it's reading in kconfig-inclusions and kconfig-exclusions) and apply the secure boot configs if some argument is passed in. manage-config would also separately set CONFIG_SYSTEM_TRUSTED_KEYS based on the argument value passed in.

For the kernel build from sonic-buildimage and controlling the configuration, whether the kernel will get rebuilt after it's been already built once depends on the DEP_FLAGS for the kernel build:

https://github.com/sonic-net/sonic-buildimage/blob/5e4a866e3311f859b9fe479aa379b38521de9725/rules/linux-kernel.dep#L6-L7

This variable would need to be updated to include the config variable that would be specified in sonic-buildimage to control whether secure boot is enabled and what certificate is used. That way, in a build with caching enabled, if someone switches between having secure boot enabled or disabled, or even different certificate paths, then the kernel will get rebuilt (I don't recall if this is fully checked or not in a build with caching disabled).

[davidpil2002]

Did your suggestions
@saiarcot895 pls can you approve/comment?

[davidpil2002]

move the Secure Boot kernel config to manage-config instead using an standalone bash script

[zhangyanzhao]

@davidpil2002 can you please help to address the comments from @saiarcot895 ? After that, @saiarcot895 will do a re-check, then we should be good. Thanks.

[davidpil2002]

Done all the fixes about supporting secure boot in config kernel.

[liat-grozovik]

@saiarcot895 could you please help to re-review and approve?

[saiarcot895]

@davidpil2002 can you merge in the changes from the master branch?

[saiarcot895]

@lguohan could you re-review?

[lguohan]

why these are excluded? can we have more explanation for the justifications?

[davidpil2002]

SHA256 is excluded because we are using SHA512. Its more secure.
there is more description in the HLD link attached in the description of this PR.
About the lockdown, we have a plan to support it in the future, for now for Mellanox its disabled.

[saiarcot895]

I'm planning to move the SHA512 config to apply to all kernel builds in a future PR; this isn't necessarily secure-boot specific, and is nice to have in general.

[davidpil2002]

I'm planning to move the SHA512 config to apply to all kernel builds in a future PR; this isn't necessarily secure-boot specific, and is nice to have in general.

Sound good, can we for now save the PR as is, and when you modify the general config you can remove it.

Because we are implicitly signing the kernel modules with sha512 in the sonic-buildimage:
https://github.com/sonic-net/sonic-buildimage/pull/12692/files#diff-de80d4961ffb88d808888c6d160af8717e70ec6c21675b0f5124b0d27db7a166
So, if the kernel configuration does not match, the image will not boot.