From 836aedf1528b427b7856b072b45b6cc7aebe9790 Mon Sep 17 00:00:00 2001 From: Sachin Naik Date: Fri, 24 Mar 2023 09:17:50 -0700 Subject: [PATCH] [202205] Add Secure Boot Kernel configuration (#310) * Fix setting a config with an already-existing conflicting value Fix setting a config value in kconfig-inclusions when there's already a conflicting existing value in defconfig. For example, setting CONFIG_SYSTEM_TRUSTED_KEYS would have no effect, because there would already be a setting for this specified by Debian's default config. With this, it _might_ be possible to remove the need for kconfig-force-inclusions, but that still needs to be checked. Signed-off-by: Saikrishna Arcot * Support verifying the value of strings (and not just y/m/n settings) Becuase of kpatch-inclusions having quotes around the string, but the value from `scripts/config` having the quotes stripped, the comparison fails due to one side having quotes but the other side not having quotes. This effectively adds support for setting string kconfigs in kconfig-inclusion. Signed-off-by: Saikrishna Arcot * Add Secure Boot Kernel configuration (#298) * [secure boot]Add Linux Kernel configuration to support Secure Boot feature & Secure warmboot * [secure boot]Fix few typos * [secure boot]Fix Secure boot build flag condition by adding an extra defined verification * [secure boot]Remove WA after the fix in commit 5717c5d391092f2a8f894ebbd44f6d7016dccdb2. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only. * [secure boot]Add secure boot kernel config by using kconfig-secure-boot-exclusions and patch/kconfig-secure-boot-inclusions files with manage-config. * [secure boot]removed comment, rename certificate with the name of the default debian key path. * [secure boot]Fix equal condition and add input file validation to certificate * [secure boot]Add signature force flag in kernel config, to force kernel module verification --------- Co-authored-by: Saikrishna Arcot --------- Signed-off-by: Saikrishna Arcot Co-authored-by: Saikrishna Arcot Co-authored-by: davidpil2002 <91657985+davidpil2002@users.noreply.github.com> --- Makefile | 4 +- manage-config | 180 +++++++++++++++++---------- patch/kconfig-secure-boot-exclusions | 21 ++++ patch/kconfig-secure-boot-inclusions | 19 +++ 4 files changed, 157 insertions(+), 67 deletions(-) create mode 100644 patch/kconfig-secure-boot-exclusions create mode 100644 patch/kconfig-secure-boot-inclusions diff --git a/Makefile b/Makefile index d75c2271d..2f576abb9 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,8 @@ KERNEL_VERSION ?= 5.10.140 KERNEL_SUBVERSION ?= 1 kernel_procure_method ?= build CONFIGURED_ARCH ?= amd64 +SECURE_UPGRADE_MODE ?= +SECURE_UPGRADE_DEV_SIGNING_CERT =? LINUX_HEADER_COMMON = linux-headers-$(KVERSION_SHORT)-common_$(KERNEL_VERSION)-$(KERNEL_SUBVERSION)_all.deb LINUX_HEADER_AMD64 = linux-headers-$(KVERSION)_$(KERNEL_VERSION)-$(KERNEL_SUBVERSION)_$(CONFIGURED_ARCH).deb @@ -101,7 +103,7 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% : # Optionally add/remove kernel options if [ -f ../manage-config ]; then - ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM) + ../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM) $(SECURE_UPGRADE_MODE) $(SECURE_UPGRADE_DEV_SIGNING_CERT) fi # Building a custom kernel from Debian kernel source diff --git a/manage-config b/manage-config index b5de5c99a..b2e28cd8f 100755 --- a/manage-config +++ b/manage-config @@ -26,12 +26,21 @@ # Configuration file to change ARCH=amd64 PLATFORM= +SECURE_UPGRADE_MODE="no_sign" +SECURE_UPGRADE_DEV_SIGNING_CERT= if [ $# -ge 1 ]; then ARCH=$1 fi if [ $# -ge 2 ]; then PLATFORM=$2 fi +if [ $# -ge 3 ]; then + SECURE_UPGRADE_MODE=$3 +fi +if [ $# -ge 4 ]; then + SECURE_UPGRADE_DEV_SIGNING_CERT=$4 +fi + case "$ARCH" in amd64) CONFIG_FILE_LOC=debian/build/build_amd64_none_amd64 @@ -58,84 +67,123 @@ function get_section_opts(){ echo "$opts" } -ret=0 -exclusion_file="../patch/kconfig-exclusions" -inclusion_file="../patch/kconfig-inclusions" -force_inclusion_file="../patch/kconfig-force-inclusions" -if [ -e ${exclusion_file} -o -e ${inclusion_file} -o -e ${force_inclusion_file} ]; then - - # Process any exclusions in the kernel - if [ -f ${exclusion_file} ]; then - exclusion_opts=$(get_section_opts ${exclusion_file} "common" ${ARCH} ${PLATFORM}) - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - scripts/config --file ${CONFIG_FILE} -d $opt - fi - done <<< ${exclusion_opts}; - fi +function process_inclusion_exclusion_files(){ + echo "process_inclusion_exclusion_files Start" + ret=0 + echo "debug ret=$ret 1" + if [ -e ${exclusion_file} -o -e ${inclusion_file} -o -e ${force_inclusion_file} ]; then - # Process any inclusions in the kernel - if [ -f ${inclusion_file} ]; then - inclusion_opts=$(get_section_opts ${inclusion_file} "common" ${ARCH} ${PLATFORM}) - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - echo $opt >> ${CONFIG_FILE} - fi - done <<< ${inclusion_opts}; - fi + # Process any exclusions in the kernel + if [ -f ${exclusion_file} ]; then + exclusion_opts=$(get_section_opts ${exclusion_file} "common" ${ARCH} ${PLATFORM}) + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + scripts/config --file ${CONFIG_FILE} -d $opt + fi + done <<< ${exclusion_opts}; + fi - # Update the .config file to be sure it's consistent - make -C ${CONFIG_FILE_LOC} olddefconfig + # Process any inclusions in the kernel + if [ -f ${inclusion_file} ]; then + inclusion_opts=$(get_section_opts ${inclusion_file} "common" ${ARCH} ${PLATFORM}) + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + n=${opt%=*} + v="${opt#*=}" + scripts/config --file ${CONFIG_FILE} -k --set-val "$n" "$v" + fi + done <<< ${inclusion_opts}; + fi - # Verify that the kernel options we want to remove are not in the updated configuration - if [ -f ${exclusion_file} ]; then - echo - echo "Checking removed kernel options..." - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - s=$(scripts/config --file ${CONFIG_FILE} -k --state $opt) - if [ ! "$s" = "undef" -a ! "$s" = "n" ]; then - ret=1 - echo "Option $opt should not be set, but is set to [$s]" + # Update the .config file to be sure it's consistent + make -C ${CONFIG_FILE_LOC} olddefconfig + + # Verify that the kernel options we want to remove are not in the updated configuration + if [ -f ${exclusion_file} ]; then + echo + echo "Checking removed kernel options..." + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + s=$(scripts/config --file ${CONFIG_FILE} -k --state $opt) + if [ ! "$s" = "undef" -a ! "$s" = "n" ]; then + ret=1 + echo "Option $opt should not be set, but is set to [$s]" + fi fi + done <<< ${exclusion_opts}; + if [ $ret = 0 ]; then + echo "No error" fi - done <<< ${exclusion_opts}; - if [ $ret = 0 ]; then - echo "No error" fi - fi - # Verify that the kernel options we want to add are now in the updated configuration - if [ -f ${inclusion_file} ]; then - echo - echo "Checking added kernel options..." - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - n=${opt%=*} - v="${opt#*=}" - s=$(scripts/config --file ${CONFIG_FILE} -k --state $n) - if [ ! "$s" = "$v" ]; then - ret=2 - echo "Option $n should be set to [$v] instead of [$s]" + # Verify that the kernel options we want to add are now in the updated configuration + if [ -f ${inclusion_file} ]; then + echo + echo "Checking added kernel options..." + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + n=${opt%=*} + v="${opt#*=}" + v="${v/#\"/}" + v="${v/%\"/}" + s=$(scripts/config --file ${CONFIG_FILE} -k --state $n) + if [ ! "$s" = "$v" ]; then + ret=2 + echo "Option $n should be set to [$v] instead of [$s]" + fi fi + done <<< ${inclusion_opts}; + if [ ! $ret = 2 ]; then + echo "No error" fi - done <<< ${inclusion_opts}; - if [ ! $ret = 2 ]; then - echo "No error" fi - fi - # Process any force inclusions in the kernel - if [ -f ${force_inclusion_file} ]; then - force_inclusion_opts=$(get_section_opts ${force_inclusion_file} "common" ${ARCH} ${PLATFORM}) - while read -r opt; do - if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then - echo $opt >> ${CONFIG_FILE} - fi - done <<< ${force_inclusion_opts}; + # Process any force inclusions in the kernel + if [ -f ${force_inclusion_file} ]; then + force_inclusion_opts=$(get_section_opts ${force_inclusion_file} "common" ${ARCH} ${PLATFORM}) + while read -r opt; do + if [ ! -z "$opt" ] && [[ ! "$opt" =~ ^#.* ]]; then + echo $opt >> ${CONFIG_FILE} + fi + done <<< ${force_inclusion_opts}; + fi + + echo fi - echo + echo "process_inclusion_exclusion_files Done" + return $ret +} + +exclusion_file="../patch/kconfig-exclusions" +inclusion_file="../patch/kconfig-inclusions" +force_inclusion_file="../patch/kconfig-force-inclusions" +ret_process_inc_ex=0 +ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?) + +# Secure Boot support +if [ $ret_process_inc_ex -eq 0 ]; then + echo "Secure Boot params: SECURE_UPGRADE_MODE=${SECURE_UPGRADE_MODE}, SECURE_UPGRADE_DEV_SIGNING_CERT=${SECURE_UPGRADE_DEV_SIGNING_CERT}" + if [ ${SECURE_UPGRADE_MODE} == "dev" -o ${SECURE_UPGRADE_MODE} == "prod" ]; then + echo "set kconfig-secure-boot-exclusions & kconfig-secure-boot-inclusions" + + if [ ! -f "${SECURE_UPGRADE_DEV_SIGNING_CERT}" ]; then + echo "ERROR: SECURE_UPGRADE_DEV_SIGNING_CERT=${SECURE_UPGRADE_DEV_SIGNING_CERT} file does not exist" + exit 1 + fi + + exclusion_file="../patch/kconfig-secure-boot-exclusions" + inclusion_file="../patch/kconfig-secure-boot-inclusions" + force_inclusion_file="../patch/kconfig-force-secure-boot-inclusions" + + # save the new pub key in kernel + sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$SECURE_UPGRADE_DEV_SIGNING_CERT\"|g" ${inclusion_file} + + ret_process_inc_ex=$(process_inclusion_exclusion_files > /dev/null; echo $?) + echo "Secure Boot kernel configuration done." + else + echo "no Secure Boot Kernel configuration required." + fi fi -exit $ret +exit $ret_process_inc_ex diff --git a/patch/kconfig-secure-boot-exclusions b/patch/kconfig-secure-boot-exclusions new file mode 100644 index 000000000..abcae1b54 --- /dev/null +++ b/patch/kconfig-secure-boot-exclusions @@ -0,0 +1,21 @@ +[common] + +[amd64] +CONFIG_MODULE_SIG_SHA256 +# For mellanox +CONFIG_SECURITY_LOCKDOWN_LSM +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + +[arm64] +CONFIG_MODULE_SIG_SHA256 +# For mellanox +CONFIG_SECURITY_LOCKDOWN_LSM +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE +CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT + +[armhf] + +[marvell-armhf] diff --git a/patch/kconfig-secure-boot-inclusions b/patch/kconfig-secure-boot-inclusions new file mode 100644 index 000000000..929ddf403 --- /dev/null +++ b/patch/kconfig-secure-boot-inclusions @@ -0,0 +1,19 @@ +[common] + +[amd64] +CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" +CONFIG_MODULE_SIG_HASH="sha512" +CONFIG_MODULE_SIG_SHA512=y +CONFIG_KEXEC_SIG_FORCE=y +CONFIG_MODULE_SIG_FORCE=y + +[arm64] +CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem" +CONFIG_MODULE_SIG_HASH="sha512" +CONFIG_MODULE_SIG_SHA512=y +CONFIG_KEXEC_SIG_FORCE=y +CONFIG_MODULE_SIG_FORCE=y + +[armhf] + +[marvell-armhf]