authorChristian Breunig <christian@breunig.cc>2024-09-25 20:24:21 +0200
committerChristian Breunig <christian@breunig.cc>2024-09-25 20:24:21 +0200
commitd235b31a095f9b8fdb2d5c231935c8b4b4c3da6c (patch)
tree0a4256d787fcdda0bea8308f6a76c65ef1e7ad1b /data/live-build-config
parentb93672d9fb294e94804f16153428cb450696f4df (diff)
downloadvyos-build-d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c.tar.gz
vyos-build-d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c.zip
T861: sign all Kernel modules with an ephemeral key
The shim review board (shim is the Secure Boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all built-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp, is named "VyOS build time autogenerated kernel key", and is destroyed after the build container exits. In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE, which makes it impossible to load any Kernel module on the image that is NOT signed by the ephemeral key.
Diffstat (limited to 'data/live-build-config')
-rwxr-xr-xdata/live-build-config/hooks/live/19-kernel_symlinks.chroot5
-rwxr-xr-xdata/live-build-config/hooks/live/93-sb-sign-kernel.chroot22
-rwxr-xr-xdata/live-build-config/hooks/live/93-sign-kernel.chroot18
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md13
4 files changed, 27 insertions, 31 deletions
diff --git a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
index e63ca263..a7e95e0e 100755
--- a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
+++ b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
@@ -1,6 +1,9 @@
#!/bin/sh
-echo I: Creating kernel symlinks.
+echo I: Creating Linux Kernel symbolic links
cd /boot
ln -s initrd.img-* initrd.img
ln -s vmlinuz-* vmlinuz
+
+echo I: Remove Linux Kernel symbolic link to source folder
+rm -rf /lib/modules/*/build
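Review bot: The added `rm -rf /lib/modules/*/build` is recursive even though the message on the line above says it removes a symbolic link, so if `build` were ever a real directory in the chroot it would be deleted wholesale without notice. If only the link is meant, `rm -f /lib/modules/*/build` states that intent and leaves a directory untouched. Separately, `cd /boot` in the unchanged lines is unchecked; `cd /boot || exit 1` would keep the `ln -s` calls from running in the wrong directory.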
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
new file mode 100755
index 00000000..1dc03186
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -0,0 +1,22 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
+MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+ modinfo ${MODULE} | grep -q "signer:"
+ if [ $? != 0 ]; then
+ echo "E: Module ${MODULE} is not signed!"
+ read -n 1 -s -r -p "Press any key to continue"
+ fi
+done
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+ sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbverify --list /boot/${VMLINUZ}
+fi
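Review bot: The unsigned-module check in the `while read MODULE` loop does not fail the build: it prints "E:" and then calls `read -n 1 -s -r -p`, which is a bash extension under a `#!/bin/sh` shebang and which reads from the `find` pipe rather than a terminal, so the hook carries on and exits with the status of the later commands. Since the commit turns on CONFIG_MODULE_SIG_FORCE, an unsigned module would presumably only be noticed when it refuses to load on the target; collecting the offenders and exiting non-zero makes the check enforceable in an unattended build. The loop also matches only `*.ko` (the removed hook handled `*.ko.xz` as well), and `grep -q "signer:"` shows that a signature is present, not that it was made with the ephemeral key. `SIGN_FILE` is assigned but no longer used, and the result of `sbsign` is not checked before `sbverify --list`.
```shell
# All Linux Kernel modules need to be cryptographically signed
unsigned=$(find /lib/modules -type f -name '*.ko' | while IFS= read -r MODULE; do
    modinfo "${MODULE}" | grep -q "signer:" || echo "${MODULE}"
done)
if [ -n "${unsigned}" ]; then
    echo "E: unsigned Linux Kernel modules found:"
    echo "${unsigned}"
    exit 1
fi
# … unchanged: MOK key check, sbsign and sbverify …
```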
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
deleted file mode 100755
index 031db10d..00000000
--- a/data/live-build-config/hooks/live/93-sign-kernel.chroot
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
-MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
-kernel_elf=$(readlink /boot/vmlinuz)
-
-if [ ! -f ${MOK_KEY} ]; then
- echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
-else
- echo "I: Signing Linux Kernel for Secure Boot"
-
- sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
- sbverify --list /boot/${kernel_elf}
-
- find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
- $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
- done
-fi
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
index 5a6edbba..abaaa97a 100644
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -6,17 +6,6 @@ Create Certificate Authority used for Kernel signing. CA is loaded into the
Machine Owner Key store on the target system.
```bash
-openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl req -new -x509 -newkey rsa:4096 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
openssl x509 -inform der -in MOK.der -out MOK.pem
```
-
-## Kernel Module Signing Key
-
-We do not make use of ephemeral keys for Kernel module signing. Instead a key
-is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
-modules during ISO assembly if present.
-
-```bash
-openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
-openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
-```