From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 7EAABE539 for ; Tue, 18 Jul 2023 15:02:42 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 602B11B346 for ; Tue, 18 Jul 2023 15:02:12 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 18 Jul 2023 15:02:11 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 66AE242BFB for ; Tue, 18 Jul 2023 15:02:11 +0200 (CEST) Date: Tue, 18 Jul 2023 15:02:04 +0200 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion Cc: Wolfgang Bumiller References: <20230718091102.6631-1-f.gruenbichler@proxmox.com> <20230718091102.6631-8-f.gruenbichler@proxmox.com> In-Reply-To: <20230718091102.6631-8-f.gruenbichler@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1689685297.mnorbwiedl.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.071 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com] Subject: Re: [pve-devel] [PATCH pve-kernel 1/2] fix #4831: build: sign modules and enable lockdown X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2023 13:02:42 -0000 and this one and 2/2 are obviously for pve-kernel :-/ fixed up the git settings so that it doesn't happen again.. On July 18, 2023 11:11 am, Fabian Gr=C3=BCnbichler wrote: > this is required for secure boot support. >=20 > at build time, an ephemeral key pair will be generated and all built modu= les > will be signed with it. the private key is discarded, and the public key > embedded in the kernel image for signature validation at module load time= . >=20 > these changes allow booting the built kernel in secure boot mode after ma= nually > signing the kernel image with a trusted key (either MOK, or by enrolling = custom > PK/KEK/db keys and signing the whole bootchain using them). >=20 > Tested-by: Wolfgang Bumiller > Signed-off-by: Fabian Gr=C3=BCnbichler > --- > debian/rules | 22 ++++++++++++++++++---- > 1 file changed, 18 insertions(+), 4 deletions(-) >=20 > diff --git a/debian/rules b/debian/rules > index 744e5cb..123c870 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -53,7 +53,13 @@ PVE_CONFIG_OPTS=3D \ > -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \ > -e CONFIG_SYSFB_SIMPLEFB \ > -e CONFIG_DRM_SIMPLEDRM \ > --d CONFIG_MODULE_SIG \ > +-e CONFIG_MODULE_SIG \ > +-e CONFIG_MODULE_SIG_ALL \ > +-e CONFIG_MODULE_SIG_FORMAT \ > +--set-str CONFIG_MODULE_SIG_HASH sha512 \ > +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \ > +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \ > +-e CONFIG_MODULE_SIG_SHA512 \ > -d CONFIG_MEMCG_DISABLED \ > -e CONFIG_MEMCG_SWAP_ENABLED \ > -e CONFIG_HYPERV \ > @@ -86,9 +92,9 @@ PVE_CONFIG_OPTS=3D \ > -e CONFIG_UNWINDER_FRAME_POINTER \ > --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\ > --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\ > --d CONFIG_SECURITY_LOCKDOWN_LSM \ > --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \ > ---set-str CONFIG_LSM yama,integrity,apparmor \ > +-e CONFIG_SECURITY_LOCKDOWN_LSM \ > +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \ > +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \ > -e CONFIG_PAGE_TABLE_ISOLATION > =20 > debian/control: $(wildcard debian/*.in) > @@ -163,6 +169,14 @@ endif > =20 > # strip debug info > find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while re= ad f ; do strip --strip-debug "$$f"; done > + > + # sign modules using ephemeral, embedded key > + if grep -q CONFIG_MODULE_SIG=3Dy ubuntu-kernel/.config ; then \ > + find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while r= ead f ; do \ > + ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signin= g_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \ > + done; \ > + rm ./ubuntu-kernel/certs/signing_key.pem ; \ > + fi > # finalize > /sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME) > # Autogenerate blacklist for watchdog devices (see README) > --=20 > 2.39.2 >=20 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20