-rwxr-xr-xdata/live-build-config/hooks/live/92-strip-symbols.chroot (renamed from data/live-build-config/hooks/live/99-strip-symbols.chroot)0
-rwxr-xr-xdata/live-build-config/hooks/live/93-sign-kernel.chroot18
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md22
3 files changed, 40 insertions, 0 deletions
diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..704f9cb3 100755
--- a/data/live-build-config/hooks/live/99-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
new file mode 100755
index 00000000..031db10d
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot
@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+
+ sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+ sbverify --list /boot/${kernel_elf}
+
+ find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+ $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+ done
+fi
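Review bot: None of the signing steps in the else branch (the `sbsign`, `sbverify` and `$SIGN_FILE` calls) is checked and the script has no `set -e`, so a failed or missing signing tool leaves the kernel or some modules unsigned while the hook still exits 0 and the ISO build proceeds as if Secure Boot signing had succeeded. The module `find` is also mis-grouped: `-type f -name \*.ko -o -name \*.ko.xz` binds as `(-type f -a -name *.ko) -o -name *.ko.xz`, so `-type f` does not apply to the second term, and the unquoted `$module`/`read` without `-r` break on unusual paths; `SIGN_FILE=$(find /usr/lib -name sign-file)` may likewise be empty or contain more than one path, which the script does not check. Separately, if `kernel.key` is delivered through the same `includes.chroot` tree as the README in the next file, the private key remains inside the built image unless this hook removes it after signing — worth confirming and, if so, deleting it here. A rewrite of the signing branch with the checks and grouping fixed follows.
```sh
#!/bin/sh
set -e
# … unchanged: SIGN_FILE / MOK_KEY / MOK_CERT / kernel_elf assignments …
[ -n "$SIGN_FILE" ] && [ -x "$SIGN_FILE" ] || { echo "E: sign-file not found" >&2; exit 1; }

if [ ! -f "${MOK_KEY}" ]; then
  # … unchanged: "not found" message …
else
  echo "I: Signing Linux Kernel for Secure Boot"
  sbsign --key "$MOK_KEY" --cert "$MOK_CERT" "/boot/${kernel_elf}" --output "/boot/${kernel_elf}"
  sbverify --list "/boot/${kernel_elf}"

  find /lib/modules -type f \( -name '*.ko' -o -name '*.ko.xz' \) -print0 \
    | xargs -0 -n1 "$SIGN_FILE" sha512 "$MOK_KEY" "$MOK_CERT"
fi
```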
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
new file mode 100644
index 00000000..5a6edbba
--- /dev/null
+++ b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
@@ -0,0 +1,22 @@
+# Secure Boot
+
+## CA
+
+Create Certificate Authority used for Kernel signing. CA is loaded into the
+Machine Owner Key store on the target system.
+
+```bash
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
+openssl x509 -inform der -in MOK.der -out MOK.pem
+```
+
+## Kernel Module Signing Key
+
+We do not make use of ephemeral keys for Kernel module signing. Instead a key
+is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
+modules during ISO assembly if present.
+
+```bash
+openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
+openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
+```