[pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown

Tue, 18 Jul 2023 02:12:15 -0700 

this is required for secure boot support.

at build time, an ephemeral key pair will be generated and all built modules
will be signed with it. the private key is discarded, and the public key
embedded in the kernel image for signature validation at module load time.

these changes allow booting the built kernel in secure boot mode after manually
signing the kernel image with a trusted key (either MOK, or by enrolling custom
PK/KEK/db keys and signing the whole bootchain using them).

Tested-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 debian/rules | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/debian/rules b/debian/rules
index 744e5cb..123c870 100755
--- a/debian/rules
+++ b/debian/rules
@@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
 -e CONFIG_SYSFB_SIMPLEFB \
 -e CONFIG_DRM_SIMPLEDRM \
--d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
@@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_UNWINDER_FRAME_POINTER \
 --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
 --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--d CONFIG_SECURITY_LOCKDOWN_LSM \
--d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM yama,integrity,apparmor \
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
 -e CONFIG_PAGE_TABLE_ISOLATION
 
 debian/control: $(wildcard debian/*.in)
@@ -163,6 +169,14 @@ endif
 
        # strip debug info
        find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while 
read f ; do strip --strip-debug "$$f"; done
+
+       # sign modules using ephemeral, embedded key
+       if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+               find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | 
while read f ; do \
+                       ./ubuntu-kernel/scripts/sign-file sha512 
./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 
"$$f" ; \
+               done; \
+               rm ./ubuntu-kernel/certs/signing_key.pem ; \
+       fi
        # finalize
        /sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
        # Autogenerate blacklist for watchdog devices (see README)
-- 
2.39.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to