diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-09-25 20:24:21 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2024-09-25 20:24:21 +0200 |
| commit | d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c (patch) | |
| tree | 0a4256d787fcdda0bea8308f6a76c65ef1e7ad1b /scripts/check-qemu-install | |
| parent | b93672d9fb294e94804f16153428cb450696f4df (diff) | |
| download | vyos-build-d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c.tar.gz vyos-build-d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c.zip | |
T861: sign all Kernel modules with an ephemeral key
The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:
* sign all build-in Kernel modules
* sign all other out-of-tree Kernel modules
The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".
In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
Diffstat (limited to 'scripts/check-qemu-install')
| -rwxr-xr-x | scripts/check-qemu-install | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/scripts/check-qemu-install b/scripts/check-qemu-install index dfb772d8..21084655 100755 --- a/scripts/check-qemu-install +++ b/scripts/check-qemu-install @@ -544,6 +544,11 @@ try: c.sendline('systemd-detect-virt') c.expect('kvm') c.expect(op_mode_prompt) + # Ensure ephemeral key is loaded + vyos_kernel_key = 'VyOS build time autogenerated kernel key' + c.sendline(f'show log kernel | match "{vyos_kernel_key}"') + c.expect(f'.*{vyos_kernel_key}.*') + c.expect(op_mode_prompt) ################################################# # Executing test-suite |