From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-kernel 1/2] fix #4831: build: sign modules and enable lockdown
Date: Tue, 18 Jul 2023 15:02:04 +0200 [thread overview]
Message-ID: <1689685297.mnorbwiedl.astroid@yuna.none> (raw)
In-Reply-To: <20230718091102.6631-8-f.gruenbichler@proxmox.com>
and this one and 2/2 are obviously for pve-kernel :-/ fixed up the git
settings so that it doesn't happen again..
On July 18, 2023 11:11 am, Fabian Grünbichler wrote:
> this is required for secure boot support.
>
> at build time, an ephemeral key pair will be generated and all built modules
> will be signed with it. the private key is discarded, and the public key
> embedded in the kernel image for signature validation at module load time.
>
> these changes allow booting the built kernel in secure boot mode after manually
> signing the kernel image with a trusted key (either MOK, or by enrolling custom
> PK/KEK/db keys and signing the whole bootchain using them).
>
> Tested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> debian/rules | 22 ++++++++++++++++++----
> 1 file changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/debian/rules b/debian/rules
> index 744e5cb..123c870 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
> -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
> -e CONFIG_SYSFB_SIMPLEFB \
> -e CONFIG_DRM_SIMPLEDRM \
> --d CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG_ALL \
> +-e CONFIG_MODULE_SIG_FORMAT \
> +--set-str CONFIG_MODULE_SIG_HASH sha512 \
> +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
> +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
> +-e CONFIG_MODULE_SIG_SHA512 \
> -d CONFIG_MEMCG_DISABLED \
> -e CONFIG_MEMCG_SWAP_ENABLED \
> -e CONFIG_HYPERV \
> @@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
> -e CONFIG_UNWINDER_FRAME_POINTER \
> --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
> --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
> --d CONFIG_SECURITY_LOCKDOWN_LSM \
> --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> ---set-str CONFIG_LSM yama,integrity,apparmor \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
> -e CONFIG_PAGE_TABLE_ISOLATION
>
> debian/control: $(wildcard debian/*.in)
> @@ -163,6 +169,14 @@ endif
>
> # strip debug info
> find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
> +
> + # sign modules using ephemeral, embedded key
> + if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
> + find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
> + ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
> + done; \
> + rm ./ubuntu-kernel/certs/signing_key.pem ; \
> + fi
> # finalize
> /sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
> # Autogenerate blacklist for watchdog devices (see README)
> --
> 2.39.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
next prev parent reply other threads:[~2023-07-18 13:02 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-18 9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
2023-07-25 15:06 ` Thomas Lamprecht
2023-07-26 7:34 ` Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH proxmox-backup] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2 Fabian Grünbichler
2023-07-18 13:00 ` [pve-devel] [PATCH proxmox-backup-meta] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename Fabian Grünbichler
2023-07-18 13:00 ` [pve-devel] [PATCH proxmox-kernel-helper] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
2023-07-18 13:01 ` [pve-devel] [PATCH proxmox-mailgateway] " Fabian Grünbichler
2023-07-25 15:12 ` [pve-devel] [PATCH] " Thomas Lamprecht
2023-07-26 7:25 ` Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH proxmox-ve] " Fabian Grünbichler
2023-07-18 9:11 ` [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown Fabian Grünbichler
2023-07-18 13:02 ` Fabian Grünbichler [this message]
2023-07-18 9:11 ` [pve-devel] [PATCH 2/2] integrate meta packages and change prefix Fabian Grünbichler
2023-07-18 9:11 ` [pve-devel] [PATCH manager] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1689685297.mnorbwiedl.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox