diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-09-04 21:37:11 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2024-09-14 23:05:23 +0200 |
| commit | fd737172f1068870fe1ededbe9b2ed4a86663acd (patch) | |
| tree | 57ed7c8ab104316b7530f79f67db5e9c885ad8a2 /packages/linux-kernel/build-kernel.sh | |
| parent | beb3df0733d8cf682291e19b0df0871da20ab5d4 (diff) | |
| download | vyos-build-fd737172f1068870fe1ededbe9b2ed4a86663acd.tar.gz vyos-build-fd737172f1068870fe1ededbe9b2ed4a86663acd.zip | |
T861: add UEFI Secure Boot support
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.
NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
Diffstat (limited to 'packages/linux-kernel/build-kernel.sh')
| -rwxr-xr-x | packages/linux-kernel/build-kernel.sh | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/packages/linux-kernel/build-kernel.sh b/packages/linux-kernel/build-kernel.sh index c0a863c6..3ccb15e9 100755 --- a/packages/linux-kernel/build-kernel.sh +++ b/packages/linux-kernel/build-kernel.sh @@ -19,6 +19,7 @@ git reset --hard HEAD KERNEL_VERSION=$(make kernelversion) KERNEL_SUFFIX=-$(awk -F "= " '/kernel_flavor/ {print $2}' ../../../data/defaults.toml | tr -d \") +KERNEL_CONFIG=arch/x86/configs/vyos_defconfig # VyOS requires some small Kernel Patches - apply them here # It's easier to habe them here and make use of the upstream @@ -31,6 +32,28 @@ do patch -p1 < ${PATCH_DIR}/${patch} done +TRUSTED_KEYS_FILE=trusted_keys.pem +# start with empty key file +echo -n "" > $TRUSTED_KEYS_FILE +CERTS=$(ls ../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok/*.pem) +if [ ! -z "${CERTS}" ]; then + # add known public keys to Kernel certificate chain + for file in $CERTS; do + cat $file >> $TRUSTED_KEYS_FILE + done + + # Force Kernel module signing and embed public keys + echo "CONFIG_MODULE_SIG_FORMAT=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_FORCE=y" >> $KERNEL_CONFIG + echo "# CONFIG_MODULE_SIG_ALL is not set" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_SHA512=y" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_HASH=\"sha512\"" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_KEY=\"\"" >> $KERNEL_CONFIG + echo "CONFIG_MODULE_SIG_KEY_TYPE_RSA=y" >> $KERNEL_CONFIG + echo "CONFIG_SYSTEM_TRUSTED_KEYS=\"$TRUSTED_KEYS_FILE\"" >> $KERNEL_CONFIG +fi + echo "I: make vyos_defconfig" # Select Kernel configuration - currently there is only one make vyos_defconfig |