From d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Wed, 25 Sep 2024 20:24:21 +0200
Subject: T861: sign all Kernel modules with an ephemeral key

The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:

* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules

The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".

In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
---
 .../hooks/live/19-kernel_symlinks.chroot           |  5 ++++-
 .../hooks/live/93-sb-sign-kernel.chroot            | 22 ++++++++++++++++++++++
 .../hooks/live/93-sign-kernel.chroot               | 18 ------------------
 .../var/lib/shim-signed/mok/README.md              | 13 +------------
 4 files changed, 27 insertions(+), 31 deletions(-)
 create mode 100755 data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
 delete mode 100755 data/live-build-config/hooks/live/93-sign-kernel.chroot

(limited to 'data')

diff --git a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
index e63ca263..a7e95e0e 100755
--- a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
+++ b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
@@ -1,6 +1,9 @@
 #!/bin/sh
 
-echo I: Creating kernel symlinks.
+echo I: Creating Linux Kernel symbolic links
 cd /boot
 ln -s initrd.img-* initrd.img
 ln -s vmlinuz-* vmlinuz
+
+echo I: Remove Linux Kernel symbolic link to source folder
+rm -rf /lib/modules/*/build
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
new file mode 100755
index 00000000..1dc03186
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -0,0 +1,22 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
+MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+    modinfo ${MODULE} | grep -q "signer:"
+    if [ $? != 0 ]; then
+        echo "E: Module ${MODULE} is not signed!"
+        read -n 1 -s -r -p "Press any key to continue"
+    fi
+done
+
+if [ ! -f ${MOK_KEY} ]; then
+    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+    echo "I: Signing Linux Kernel for Secure Boot"
+    sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbverify --list /boot/${VMLINUZ}
+fi
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
deleted file mode 100755
index 031db10d..00000000
--- a/data/live-build-config/hooks/live/93-sign-kernel.chroot
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
-MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
-kernel_elf=$(readlink /boot/vmlinuz)
-
-if [ ! -f ${MOK_KEY} ]; then
-    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
-else
-    echo "I: Signing Linux Kernel for Secure Boot"
-
-    sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
-    sbverify --list /boot/${kernel_elf}
-
-    find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
-      $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
-    done
-fi
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
index 5a6edbba..abaaa97a 100644
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -6,17 +6,6 @@ Create Certificate Authority used for Kernel signing. CA is loaded into the
 Machine Owner Key store on the target system.
 
 ```bash
-openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
 openssl x509 -inform der -in MOK.der -out MOK.pem
 ```
-
-## Kernel Module Signing Key
-
-We do not make use of ephemeral keys for Kernel module signing. Instead a key
-is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
-modules during ISO assembly if present.
-
-```bash
-openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
-openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
-```
-- 
cgit v1.2.3