T861: sign all Kernel modules with an ephemeral key

The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:

* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules

The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".

In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.

1 files changed, 27 insertions, 19 deletions

diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh
index f7b0c597..f9298c28 100755
--- a/packages/linux-kernel/build-kernel.sh
+++ b/packages/linux-kernel/build-kernel.sh
@@ -9,13 +9,16 @@ if [ ! -d ${KERNEL_SRC} ]; then
     exit 1
 fi
 
-echo "I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source"
-cp -rv arch/ ${KERNEL_SRC}/
-
 cd ${KERNEL_SRC}
 
-echo "I: clean modified files"
-git reset --hard HEAD
+if [ -d .git ]; then
+    echo "I: Clean modified files - reset Git repo"
+    git reset --hard HEAD
+    git clean --force -d -x
+fi
+
+echo "I: Copy Kernel config (x86_64_vyos_defconfig) to Kernel Source"
+cp -rv ${CWD}/arch/ .
 
 KERNEL_VERSION=$(make kernelversion)
 KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \")
@@ -32,6 +35,9 @@ do
     patch -p1 < ${PATCH_DIR}/${patch}
 done
 
+# Change name of Signing Cert
+sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+
 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
@@ -41,16 +47,8 @@ if [ ! -z "${CERTS}" ]; then
   for file in $CERTS; do
     cat $file >> $TRUSTED_KEYS_FILE
   done
-
   # Force Kernel module signing and embed public keys
-  echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG
-  echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG
-  echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG
-  echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG
-  echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG
-  echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG
-  echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG
-  echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG
+  echo "CONFIG_SYSTEM_TRUSTED_KEYRING" >> $KERNEL_CONFIG
   echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG
 fi
 
@@ -59,21 +57,31 @@ echo "I: make vyos_defconfig"
 make vyos_defconfig
 
 echo "I: Generate environment file containing Kernel variable"
+EPHEMERAL_KEY="/tmp/ephemeral.key"
+EPHEMERAL_PEM="/tmp/ephemeral.pem"
 cat << EOF >${CWD}/kernel-vars
 #!/bin/sh
 export KERNEL_VERSION=${KERNEL_VERSION}
 export KERNEL_SUFFIX=${KERNEL_SUFFIX}
 export KERNEL_DIR=${CWD}/${KERNEL_SRC}
+export EPHEMERAL_KEY=${EPHEMERAL_KEY}
+export EPHEMERAL_CERT=${EPHEMERAL_PEM}
 EOF
 
 echo "I: Build Debian Kernel package"
 touch .scmversion
 make bindeb-pkg BUILD_TOOLS=1 LOCALVERSION=${KERNEL_SUFFIX} KDEB_PKGVERSION=${KERNEL_VERSION}-1 -j $(getconf _NPROCESSORS_ONLN)
 
+# Back to the old Kernel build-scripts directory
 cd $CWD
-if [[ $? == 0 ]]; then
-    for package in $(ls linux-*.deb)
-    do
-        ln -sf linux-kernel/$package ..
-    done
+EPHEMERAL_KERNEL_KEY=$(grep -E "^CONFIG_MODULE_SIG_KEY=" ${KERNEL_SRC}/$KERNEL_CONFIG | awk -F= '{print $2}' | tr -d \")
+if test -f "${EPHEMERAL_KEY}"; then
+    rm -f ${EPHEMERAL_KEY}
+fi
+if test -f "${EPHEMERAL_PEM}"; then
+    rm -f ${EPHEMERAL_PEM}
+fi
+if test -f "${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY}"; then
+    openssl rsa -in ${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY} -out ${EPHEMERAL_KEY}
+    openssl x509 -in ${KERNEL_SRC}/${EPHEMERAL_KERNEL_KEY} -out ${EPHEMERAL_PEM}
 fi