-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Secure Boot Kernel configuration #298
Add Secure Boot Kernel configuration #298
Conversation
b8758c7
to
1781f60
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please amend the commit message, detailing the Secure Boot problem, how it was tested tested (also QEMU?), and why it can’t be enabled unconditionally.
Please add a space after ].
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fix few typos
So Debian's/Ubuntu's approach to supporting Secure Boot is to sign the kernel after it's built with a shim binary. Could that work here, or is this approach to instead support any arbitrary public key that might be present in the UEFI? |
Regarding the |
yes, |
Thanks! |
f5d8da5
to
46694a8
Compare
|
…ature & Secure warmboot
…defined verification
…will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only.
46694a8
to
77e1842
Compare
@saiarcot895 could you please add a label 'request for 202211'? |
@saiarcot895 can you please help to merge and label? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the approach here is complicated, secure boot kernel configuration should be incorprated into manage-config script, for you can add option in manage-config to enable and disable secure boot and then have a secureboot_config to have those options to be included like other existing config.
@davidpil2002 please update your branch to the latest |
No. I concur with Guohan's comment.
|
I see your point.
|
I was referring to the changes done in these lines to sonic-linux-kernel/patch/secure_boot_kernel_config.sh Lines 60 to 69 in 77e1842
These files are part of the sonic-linux-kernel repo, rather than the Linux kernel repo.
I think there's two different things being touched on here. The purpose of creating For the kernel build from sonic-buildimage and controlling the configuration, whether the kernel will get rebuilt after it's been already built once depends on the This variable would need to be updated to include the config variable that would be specified in sonic-buildimage to control whether secure boot is enabled and what certificate is used. That way, in a build with caching enabled, if someone switches between having secure boot enabled or disabled, or even different certificate paths, then the kernel will get rebuilt (I don't recall if this is fully checked or not in a build with caching disabled). |
…ot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config.
… default debian key path.
Did your suggestions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move the Secure Boot kernel config to manage-config instead using an standalone bash script
@davidpil2002 can you please help to address the comments from @saiarcot895 ? After that, @saiarcot895 will do a re-check, then we should be good. Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done all the fixes about supporting secure boot in config kernel.
@saiarcot895 could you please help to re-review and approve? |
@davidpil2002 can you merge in the changes from the master branch? |
@lguohan could you re-review? |
|
||
[amd64] | ||
CONFIG_MODULE_SIG_SHA256 | ||
# For mellanox |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why these are excluded? can we have more explanation for the justifications?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SHA256 is excluded because we are using SHA512. Its more secure.
there is more description in the HLD link attached in the description of this PR.
About the lockdown, we have a plan to support it in the future, for now for Mellanox its disabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm planning to move the SHA512 config to apply to all kernel builds in a future PR; this isn't necessarily secure-boot specific, and is nice to have in general.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm planning to move the SHA512 config to apply to all kernel builds in a future PR; this isn't necessarily secure-boot specific, and is nice to have in general.
Sound good, can we for now save the PR as is, and when you modify the general config you can remove it.
Because we are implicitly signing the kernel modules with sha512 in the sonic-buildimage:
https://github.com/sonic-net/sonic-buildimage/pull/12692/files#diff-de80d4961ffb88d808888c6d160af8717e70ec6c21675b0f5124b0d27db7a166
So, if the kernel configuration does not match, the image will not boot.
…el module verification
Update sonic-linux-kernel submodule pointer to include the following: * 6daddcf Add Secure Boot Kernel configuration ([sonic-net#298](sonic-net/sonic-linux-kernel#298)) Signed-off-by: dprital <drorp@nvidia.com>
Update sonic-linux-kernel submodule pointer to include the following: * 6daddcf Add Secure Boot Kernel configuration ([#298](sonic-net/sonic-linux-kernel#298)) Signed-off-by: dprital <drorp@nvidia.com>
* [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
* Fix setting a config with an already-existing conflicting value Fix setting a config value in kconfig-inclusions when there's already a conflicting existing value in defconfig. For example, setting CONFIG_SYSTEM_TRUSTED_KEYS would have no effect, because there would already be a setting for this specified by Debian's default config. With this, it _might_ be possible to remove the need for kconfig-force-inclusions, but that still needs to be checked. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> * Support verifying the value of strings (and not just y/m/n settings) Becuase of kpatch-inclusions having quotes around the string, but the value from `scripts/config` having the quotes stripped, the comparison fails due to one side having quotes but the other side not having quotes. This effectively adds support for setting string kconfigs in kconfig-inclusion. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> * Add Secure Boot Kernel configuration (#298) * [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com> --------- Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com> Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com> Co-authored-by: davidpil2002 <91657985+davidpil2002@users.noreply.github.com>
* [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
* [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
* [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
Backport of #298 & #300 In order to support the Secure Boot feature it required some modifications when building the Linux Kernel. This PR contained the kernel configuration aggregations to support it. sonic-buildimage PR link: sonic-net/sonic-buildimage#14963 HLD: sonic-net/SONiC#1028
In order to support the Secure Boot feature it required some modifications when building the Linux Kernel.
This PR contained the kernel configuration aggregations to support it.
sonic-buildimage PR link: sonic-net/sonic-buildimage#12692
HLD: sonic-net/SONiC#1028