Merge pull request #930 from c-po/T861-secure-boot

T861: minor improvements to secure-boot certificate handling
author: Christian Breunig <christian@breunig.cc> 2025-03-21 08:37:34 +0100
committer: GitHub <noreply@github.com> 2025-03-21 08:37:34 +0100
commit: d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b (patch)
tree: fc2421034e941871e0d233c52bda6992f3e1acc2
parent: 750951606bbbbdc7c1e21d36a8af8e8ba1b98db9 (diff)
parent: 96f1844557950055aa8f9cd97bd95a6a0b1761b9 (diff)
download: vyos-build-d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b.tar.gz
vyos-build-d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b.zip
9 files changed, 38 insertions, 21 deletions
diff --git a/.gitignore b/.gitignore
index e3724a9f..6de027c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,12 @@
+.build/config
 build/*
+config/*
 *.pyc
 packer_build/*
 packer_cache/*
 key/*
 packages/*
 !packages/*/
-data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*
 /testinstall*.img
 /testinstall*.efivars
 /*.qcow2
diff --git a/Makefile b/Makefile
index 911454c6..a11e88b5 100644
--- a/Makefile
+++ b/Makefile
@@ -79,7 +79,7 @@ clean:
 	rm -f config/binary config/bootstrap config/chroot config/common config/source
 	rm -f build.log
 	rm -f vyos-*.iso
-	rm -f *.img
+	rm -f *.img *.efivars
 	rm -f *.xz
 	rm -f *.vhd
 	rm -f *.raw
diff --git a/data/certificates/.gitignore b/data/certificates/.gitignore
new file mode 100644
index 00000000..c996e507
--- /dev/null
+++ b/data/certificates/.gitignore
@@ -0,0 +1 @@
+*.key
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -1,7 +1,7 @@
 #!/bin/sh
 SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
 VMLINUZ=$(readlink /boot/vmlinuz)
 
 # All Linux Kernel modules need to be cryptographically signed
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
     fi
 done
 
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
     echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
 else
     echo "I: Signing Linux Kernel for Secure Boot"
-    sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
     sbverify --list /boot/${VMLINUZ}
+    rm -f ${KERNEL_KEY}
 fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+    if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+        echo "Found private key - bailing out"
+        exit 1
+    fi
+done
+
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index abaaa97a..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-```
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 13aac0a0..71b1084b 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -18,7 +18,7 @@
 
 # This Dockerfile is installable on both x86, x86-64, armhf and arm64 systems
 ARG ARCH=
-FROM ${ARCH}debian:bookworm
+FROM ${ARCH}debian:bookworm-slim
 
 RUN grep "VERSION_ID" /etc/os-release || (echo 'VERSION_ID="12"' >> /etc/os-release)
 
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install
index 551d1e7e..ab6e1b1f 100755
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@@ -399,6 +399,16 @@ try:
     loginVM(c, log)
 
     #################################################
+    # Check for no private key contents within the image
+    #################################################
+    msg = 'Found private key - bailing out'
+    c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+    tmp = c.expect([f'\n{msg}', op_mode_prompt])
+    if tmp == 0:
+        log.error(msg)
+        exit(1)
+
+    #################################################
     # Installing into VyOS system
     #################################################
     log.info('Starting installer')
@@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
     EXCEPTION = 1
 
 except Exception:
-    log.error('Unknown error occured while VyOS!')
+    log.error('Unknown error occured!')
     traceback.print_exc()
     EXCEPTION = 1
 
diff --git a/scripts/image-build/build-vyos-image b/scripts/image-build/build-vyos-image
index d969c157..aab5ed13 100755
--- a/scripts/image-build/build-vyos-image
+++ b/scripts/image-build/build-vyos-image
@@ -367,6 +367,11 @@ if __name__ == "__main__":
     shutil.copytree("data/live-build-config/", lb_config_dir)
     os.makedirs(lb_config_dir, exist_ok=True)
 
+    ## Secure Boot - Copy public Keys to image
+    sb_certs = 'data/certificates'
+    if os.path.isdir(sb_certs):
+        shutil.copytree(sb_certs, f'{lb_config_dir}/includes.chroot/var/lib/shim-signed/mok')
+
     # Switch to the build directory, this is crucial for the live-build work
     # because the efective build config files etc. are there.
     #
@@ -611,6 +616,7 @@ DOCUMENTATION_URL="{build_config['documentation_url']}"
         ## Configure live-build
         lb_config_tmpl = jinja2.Template("""
         lb config noauto \
+                --no-color \
                 --apt-indices false \
                 --apt-options "--yes -oAPT::Get::allow-downgrades=true" \
                 --apt-recommends false \
diff --git a/scripts/package-build/linux-kernel/build-kernel.sh b/scripts/package-build/linux-kernel/build-kernel.sh
index e3efd127..62dd7829 100755
--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@@ -36,12 +36,13 @@ do
 done
 
 # Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
 
 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
 if [ ! -z "${CERTS}" ]; then
   # add known public keys to Kernel certificate chain
   for file in $CERTS; do
author	Christian Breunig <christian@breunig.cc>	2025-03-21 08:37:34 +0100
committer	GitHub <noreply@github.com>	2025-03-21 08:37:34 +0100
commit	d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b (patch)
tree	fc2421034e941871e0d233c52bda6992f3e1acc2
parent	750951606bbbbdc7c1e21d36a8af8e8ba1b98db9 (diff)
parent	96f1844557950055aa8f9cd97bd95a6a0b1761b9 (diff)
download	vyos-build-d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b.tar.gz vyos-build-d552f7f8c38d7ad3bd28d9019a58b57e41b07f0b.zip