T861: add UEFI Secure Boot support

This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.

NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:

  data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md

3 files changed, 40 insertions, 0 deletions

diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..704f9cb3 100755
--- a/data/live-build-config/hooks/live/99-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
new file mode 100755
index 00000000..031db10d
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot
@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+    echo "I: Signing Linux Kernel for Secure Boot"
+
+    sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+    sbverify --list /boot/${kernel_elf}
+
+    find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+      $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+    done
+fi
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
new file mode 100644
index 00000000..5a6edbba
--- /dev/null
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -0,0 +1,22 @@
+# Secure Boot
+
+## CA
+
+Create Certificate Authority used for Kernel signing. CA is loaded into the
+Machine Owner Key store on the target system.
+
+```bash
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl x509 -inform der -in MOK.der -out MOK.pem
+```
+
+## Kernel Module Signing Key
+
+We do not make use of ephemeral keys for Kernel module signing. Instead a key
+is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
+modules during ISO assembly if present.
+
+```bash
+openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
+openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
+```