20 changes: 20 additions & 0 deletions Makefile
Expand Up @@ -121,6 +121,26 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
stg import -s $(NON_UP_DIR)/series
fi

# Secure Boot Configuration
ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then
echo "Add secure boot support in kernel config file"
cp ../patch/secure_boot_kernel_config.sh .
cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
echo "secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)"
./secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)
else
echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
exit 1
fi
else
echo "SECURE_UPGRADE_MODE is defined, but SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
endif # ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
endif # ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
endif # ifneq ($(origin SECURE_UPGRADE_MODE), undefined)

# Optionally add/remove kernel options
if [ -f ../manage-config ]; then
../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
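Review bot: The make-level `else` branch for a defined SECURE_UPGRADE_MODE without SECURE_UPGRADE_DEV_SIGNING_CERT only echoes a message and lets the recipe continue, so a `dev`/`prod` build with the certificate variable missing silently produces a kernel without the trusted-key configuration, whereas the sibling shell branch for a missing certificate file does `exit 1`. Add a recipe line `exit 1` after that echo so the two misconfigurations fail the same way; since this is a make `ifneq`/`else`, the line becomes an ordinary recipe command and aborts the target. The `[ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]` test should quote the expansion, `if [ -f "$(SECURE_UPGRADE_DEV_SIGNING_CERT)" ]; then`, because an empty value turns it into a one-argument test that is true and the subsequent `cp` fails with a less clear error. The enclosing recipe for `$(addprefix $(DEST)/, $(MAIN_TARGET))` starts and ends outside the hunk.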
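--- a/patch/secure_boot_kernel_config.sh
+++ b/patch/secure_boot_kernel_config.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature.
+
+usage() {
+cat <<EOF
+$0: # Display Help
+$0 -c <PEM_CERT> -a <CONF_ARCH>
+Script is modifying kernel config file to support system trusted key with custom certificate.
+Note: The signature algorithm used will be RSA over SHA512 x509 format.
+
+Parameters description:
+PEM_CERT public key (pem format). Key to be store in kernel.
+CONF_ARCH is the kernel arch amd/arm/etc
+Usage example: bash secure_boot_kernel_config.sh cert.pem
+EOF
+}
+
+# the function is appending a line after the string from variable $1
+# var pos $2: new config to be set
+# var pos $3: filename to be modify
+append_line_after_str() {
+sed -i "/$1/a $2" $3
+}
+
+while getopts 'c:a:hv' flag; do
+case "${flag}" in
+c) CERT_PEM="${OPTARG}" ;;
+a) CONF_ARCH="${OPTARG}" ;;
+v) VERBOSE='true' ;;
+h) print_usage
+exit 1 ;;
+esac
+done
+
+if [ "$1" = "-h" -o "$1" = "--help" ]; then
+usage
+fi
+
+[ -f "$CERT_PEM" ] || {
+echo "Error: CERT_PEM file does not exist: $CERT_PEM"
+usage
+exit 1
+}
+
+[ ! -z "$CONF_ARCH" ] || {
+echo "Error: CONF_ARCH file does not exist: $CONF_ARCH"
+usage
+exit 1
+}
+
+LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)"
+KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions"
+KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions"
+CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]"
+
+echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE"
+
+# add support to secure boot and secure warm boot
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE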
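Review bot: `append_line_after_str` never checks that the `^\[$CONF_ARCH\]` header was actually found, and `sed -i` exits 0 when nothing matches, so a wrong or unknown CONF_ARCH leaves both kconfig files untouched and the build proceeds to produce a kernel without CONFIG_SYSTEM_TRUSTED_KEYS, the SHA512 module signing options and the lockdown exclusions, with no error. Guard the edit by adding `grep -q -- "$1" "$3" || { echo "Error: no line matching '$1' in $3" >&2; exit 1; }` before the sed call and quoting the file argument, `sed -i "/$1/a $2" "$3"`. The `h)` arm of the getopts loop calls `print_usage`, which is not defined anywhere in the file (the function is `usage`), so `-h` fails with command-not-found; change it to `h) usage`. The CONF_ARCH check reports `CONF_ARCH file does not exist` although it only tests for a non-empty value, so the message should read `Error: CONF_ARCH is not set`. The usage example `bash secure_boot_kernel_config.sh cert.pem` omits the `-c` and `-a` flags the script requires and should be `bash secure_boot_kernel_config.sh -c cert.pem -a amd64` (constructed example).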