From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-kernel 1/2] fix #4831: build: sign modules and enable lockdown
Date: Tue, 18 Jul 2023 15:02:04 +0200 [thread overview]
Message-ID: <1689685297.mnorbwiedl.astroid@yuna.none> (raw)
In-Reply-To: <20230718091102.6631-8-f.gruenbichler@proxmox.com>
and this one and 2/2 are obviously for pve-kernel :-/ fixed up the git
settings so that it doesn't happen again..
On July 18, 2023 11:11 am, Fabian Grünbichler wrote:
> this is required for secure boot support.
>
> at build time, an ephemeral key pair will be generated and all built modules
> will be signed with it. the private key is discarded, and the public key
> embedded in the kernel image for signature validation at module load time.
>
> these changes allow booting the built kernel in secure boot mode after manually
> signing the kernel image with a trusted key (either MOK, or by enrolling custom
> PK/KEK/db keys and signing the whole bootchain using them).
>
> Tested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> debian/rules | 22 ++++++++++++++++++----
> 1 file changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/debian/rules b/debian/rules
> index 744e5cb..123c870 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
> -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
> -e CONFIG_SYSFB_SIMPLEFB \
> -e CONFIG_DRM_SIMPLEDRM \
> --d CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG_ALL \
> +-e CONFIG_MODULE_SIG_FORMAT \
> +--set-str CONFIG_MODULE_SIG_HASH sha512 \
> +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
> +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
> +-e CONFIG_MODULE_SIG_SHA512 \
> -d CONFIG_MEMCG_DISABLED \
> -e CONFIG_MEMCG_SWAP_ENABLED \
> -e CONFIG_HYPERV \
> @@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
> -e CONFIG_UNWINDER_FRAME_POINTER \
> --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
> --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
> --d CONFIG_SECURITY_LOCKDOWN_LSM \
> --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> ---set-str CONFIG_LSM yama,integrity,apparmor \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
> -e CONFIG_PAGE_TABLE_ISOLATION
>
> debian/control: $(wildcard debian/*.in)
> @@ -163,6 +169,14 @@ endif
>
> # strip debug info
> find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
> +
> + # sign modules using ephemeral, embedded key
> + if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
> + find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
> + ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
> + done; \
> + rm ./ubuntu-kernel/certs/signing_key.pem ; \
> + fi
> # finalize
> /sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
> # Autogenerate blacklist for watchdog devices (see README)
> --
> 2.39.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
next prev parent reply other threads:[~2023-07-18 13:02 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-18 9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
2023-07-25 15:06 ` Thomas Lamprecht
2023-07-26 7:34 ` Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH proxmox-backup] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2 Fabian Grünbichler
2023-07-18 13:00 ` [pve-devel] [PATCH proxmox-backup-meta] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename Fabian Grünbichler
2023-07-18 13:00 ` [pve-devel] [PATCH proxmox-kernel-helper] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
2023-07-18 13:01 ` [pve-devel] [PATCH proxmox-mailgateway] " Fabian Grünbichler
2023-07-25 15:12 ` [pve-devel] [PATCH] " Thomas Lamprecht
2023-07-26 7:25 ` Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH proxmox-ve] " Fabian Grünbichler
2023-07-18 9:11 ` [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown Fabian Grünbichler
2023-07-18 13:02 ` Fabian Grünbichler [this message]
2023-07-18 9:11 ` [pve-devel] [PATCH 2/2] integrate meta packages and change prefix Fabian Grünbichler
2023-07-18 9:11 ` [pve-devel] [PATCH manager] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1689685297.mnorbwiedl.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal